
BUG: spamvertised link 'unresolvable'



Hello,

I have found a bug with the spamcop reporting system.

I added an email to a two part form (header/body) for a spam item.

A message saying the link could not be resolved was shown.

The link _does_ resolve.

Here is the report in question:

http://www.spamcop.net/sc?id=z941672431z06...1bb6efeece2c75z

Which strangely now shows the link as resolvable (which is probably a bug in itself).

The spamvertised site has not been reported as a result of this bug.

Thank you.

Link to comment

I have found a bug with the spamcop reporting system.

Based on your choice of Subject Title, basic description ... hard to follow that you just discovered this .... SpamCop reporting of spamvertized sites - some philosophy was written a year ago ... and that was after the issue had been discussed for many moons. The Forum section you posted your discovery into has a number of recent other complaints about URLs resolving/not-resolving ...????

I added an email to a two part form (header/body) for a spam item.

I don't see where you added an e-mail to the submittal. Perhaps you're simply talking about pasting your spam into the (two-part) web-form?

A message saying the link could not be resolved was shown.

Which strangely now shows the link as resolvable (which is probably a bug in itself).

http://www.dnsreport.com/tools/dnsreport.c...ain=dell-hp.com

many 'interesting' problems with DNS, including things like;

Fail: Open DNS servers

Fail: Mismatched glue

ERROR: Your nameservers report glue that is different from what the parent servers report. This will cause DNS servers to get confused; some may go to the IP provided by the parent servers, while others may get to the ones provided by your authoritative DNS servers. Problem record(s) are:

ns1.dell-hp.com.:

Parent server (m.gtld-servers.net) says A record is 85.186.29.249, but

authoritative DNS server (85.186.29.249) says it is 62.193.224.61

Bug Reporting is appreciated, but ... spammers have been abusing DNS stuff for a few years now. In a similar vein, perhaps a look at another year+ old item Software Development Life Cycle principles for spam .... suggesting that it's not too hard to believe that some spammers have their own SpamCop.net reporting accounts to check out their craftiness ....

other links that may be of interest;

Steps taken by the parser, general overview

FAQ Entry: The Link Analysis Process

Link to comment

Host bkoyba.dell-hp.com (checking ip) IP not found ; bkoyba.dell-hp.com discarded as fake.

ummm... that was the first clue, IMO. That's not a glitch, that's the parser doing its job.

Link to comment

Well, upon noticing that the URL was not looked up by Spamcop successfully I went directly to the website which was functioning perfectly and was in fact the site expected going from the content of the spam email.

I also did a dns lookup which also worked perfectly.

This was all within the space of a few minutes.

I clicked back on the browser and viewed the report page and spam cop had managed to lookup the DNS and had modified the report page.

I looked at the link to the forum thread about this problem, thank you. The forum posting seems very relevant.

Personally I think there _is_ a bug, in that Spamcop failed to resolve a perfectly good URL for whatever reason, if there was a DNS problem then this situation should have been iterated as a time stamped technical message. To have the reports pages with live dynamic data serves a purpose that I do not understand. (since this particular report page AFAIK has now had three different DNS lookup messages on it: error, success and no ip)

The DNS for the domain does not work _now_ (ie no ip address etc) - I imagine that either the spammers deactivated it or the host received complaints.

Link to comment

The DNS for the domain does not work _now_ (ie no ip address etc) - I imagine that either the spammers deactivated it or the host received complaints.

More likely, it is the spammer playing DNS tricks (pointed out by Wazoo) which is what generally causes changing results in the spamcop parser. If you try again at a later time, it is possible it will work again. Also, keep in mind that web browsers are designed to be more patient before giving up on a site because that is their primary function.

Link to comment

More likely, it is the spammer playing DNS tricks (pointed out by Wazoo) which is what generally causes changing results in the spamcop parser. If you try again at a later time, it is possible it will work again. Also, keep in mind that web browsers are designed to be more patient before giving up on a site because that is their primary function.

Spammers Tricks or not - there is a deficiency in the spamcop reporting system.

Link to comment

Spammers Tricks or not - there is a deficiency in the spamcop reporting system.

Not really as I see it. They are careful not to report the wrong sites and reporting web sites has always been low on the radar screen of things to do. If the spammers are using multiple end user machines and moving from one to another quickly (as we have seen in the last year), spamcop does not want to be sending reports to all the major ISP's when by the time they get the report the site is not there any longer and is pointing somewhere else. THAT would make all spamcop spamvertized site reports useless because the ISP's would simply ignore them as not accurate.

You are always welcome to file manual reports.

Link to comment

I agree with Steven and Wazoo though noting that dell-hp.com still does not resolve so has not yet moved to another IP, there is no evidence that it shall. Yes, the fact the parser could not initially resolve the domain when other tools could can be regarded as some sort of a defect but consider their "yabuts". Also, there will always be some variability in the reactivity of the various tools. Add to those factors the complaints from legitimate domain owners seen elsewhere in these fora that their legitimate domains have been maliciously added to spam by rivals or a miscellany of vandals to get them closed down by pragmatic hosts and it is clear that the reporting of spamvertized domains is a whole different world and one which is much more in the spammers' own territory.

Have a look at a domain blacklist (such as http://www.joewein.net/bl-log/bl-log.htm) and note the volume and turnover. You could certainly send a manual report to abuse[at]publicdomainregistry.com (from joewein) by all means if/when your browser resolved the site (not a wise thing to do) and it appears not to be innocent (you wouldn't "know" - subjective judgement - until you looked) - and/or to abuse[at]amenworld.com (62.193.224.61 - DNSreport at the time) and/or abuse[at]astral.ro (85.186.29.249 - also DNSreport). Not a course of action for the faint-hearted and I would be recommending the use of a "disposable" free email account and severe munging of any evidence to be doing it.

So - I take your point, have always thought if "they" go to such pains it is worth returning the compliment, but ...

HTH

Link to comment

Personally I think there _is_ a bug, in that Spamcop failed to resolve a perfectly good URL for whatever reason, if there was a DNS problem then this situation should have been iterated as a time stamped technical message. To have the reports pages with live dynamic data serves a purpose that I do not understand. (since this particular report page AFAIK has now had three different DNS lookup messages on it: error, success and no ip) The DNS for the domain does not work _now_ (ie no ip address etc) - I imagine that either the spammers deactivated it or the host received complaints.

Yes, crafty dns tricks are to be borne in mind - 'do no harm' would describe the cascade of priority and pertinence of the reporting options open to Spamcop.

The domain name should in my opinion be rescinded from the owner - however malicious usage must be guarded against.

Dynamic data in a 'static' report page - there is 'no need' for this.

Rigid collection of data yes.

Link to comment

Yes, crafty dns tricks are to be borne in mind - 'do no harm' would describe the cascade of priority and pertinence of the reporting options open to Spamcop.

yet another of my ancient posts, analyzing a specific issue ...

URLs not reported, SC finds, but does not offer to LART!

I thought about tracking down one or two of the specific cases where I was documenting DNS changes occurring every few minutes, but .... I am simply so far behind on doing a whole bunch of other things .. this link popped up while I was looking for something else ...

Link to comment

you do not highlight the relevance of the thread, whose link you posted in regards to this thread.

There is no evidence of DNS changing by the minute in regard to this particular spam email.

your browser - written for the great user experience

SpamCop parser - handling hundreds of queries, lookups, packaging, sending of reports a minute

DNS exploits have been around for years

How much more relevance do you want.

An example of a scenario, with analysis results provided. There are others, with different scenarios existing.

As I stated, rebuilding this Forum is one of the prime focal points of my attention right now .. the invitation is for you to do some perusing of the knowledge and experiences that are already existing in previous discussions, before trying to make everyone involved start from scratch again ...

Link to comment

your browser - written for the great user experience

SpamCop parser - handling hundreds of queries, lookups, packaging, sending of reports a minute

DNS exploits have been around for years

How much more relevance do you want.

An example of a scenario, with analysis results provided. There are others, with different scenarios existing.

As I stated, rebuilding this Forum is one of the prime focal points of my attention right now .. the invitation is for you to do some perusing of the knowledge and experiences that are already existing in previous discussions, before trying to make everyone involved start from scratch again ...

Dude, I am not asking for a revolution.

Just an explanation as to why there is dynamic data in reports pages. I asked this clearly several times now.

Link to comment

Just an explanation as to why there is dynamic data in reports pages. I asked this clearly several times now

DNS values are dynamic, everything about the internet is dynamic...pages move between servers, sites move between ISP's...

I see your question posed several times but have yet to see you explain exactly which dynamic data you are talking about. The fact that spamcop had a page not resolve, and then resolve a bit later? If that is your question, I have one for you...have you ever had a site not come up, you hit refresh and it works? Same thing...Spamcop just is not going to sit there "hitting refresh" until a site (which may be shut down) is seen...waste of CPU cycles on a highly automated process.

Link to comment

I see your question posed several times but have yet to see you explain exactly which dynamic data you are talking about. The fact that spamcop had a page not resolve, and then resolve a bit later? If that is your question, I have one for you...have you ever had a site not come up, you hit refresh and it works? Same thing...Spamcop just is not going to sit there "hitting refresh" until a site (which may be shut down) is seen...waste of CPU cycles on a highly automated process.

Yes, but for the report page not to record the time/date of the DNS lookup(s) it performed along with result code/technical error message seems a little weird.

Perhaps the spamcop system should do several DNS lookups - especially if there is an error - and record these attempts with their outcome.

As it is this data on the report page is redundant - since it is 'live' and does not reflect the situation at the time of reporting.

Link to comment
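
The idea raised in the post above (several DNS lookups, each recorded with its time and result code) can be sketched as follows. This is an added example, not part of the thread and not SpamCop's parser code; the function names, the scripted resolver and the sample host `spamvertised.example` are assumptions made for illustration.

```python
import socket
from datetime import datetime, timezone

def resolve_a(host):
    """Default resolver: system lookup, returns a sorted list of IPv4 addresses."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def lookup_log(host, attempts=3, resolver=resolve_a, clock=None):
    """Resolve `host` several times; return one timestamped record per attempt."""
    clock = clock or (lambda: datetime.now(timezone.utc))
    log = []
    for n in range(1, attempts + 1):
        entry = {"attempt": n, "time": clock().isoformat(), "host": host}
        try:
            addrs = resolver(host)
            entry.update(result="OK" if addrs else "NODATA", addresses=addrs)
        except socket.gaierror as exc:
            # Keep the resolver's own code and text rather than a bare "unresolvable".
            entry.update(result="ERROR", addresses=[],
                         error=f"{exc.errno}: {exc.strerror}")
        log.append(entry)
    return log

def classify(log):
    """Summarise the attempts: stable, inconsistent, intermittent or unresolvable."""
    answers = {tuple(e["addresses"]) for e in log if e["result"] == "OK"}
    failures = [e for e in log if e["result"] != "OK"]
    if not answers:
        return "unresolvable"
    if len(answers) > 1:
        return "inconsistent"  # differing answers, e.g. mismatched glue or rotation
    return "intermittent" if failures else "stable"

def scripted_resolver(outcomes):
    """Constructed test resolver: replays a fixed list of outcomes, no network."""
    it = iter(outcomes)
    def resolver(host):
        outcome = next(it)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return resolver

def demo():
    # Constructed sample replaying the three outcomes described in the thread:
    # error, success, no IP. Host name and address are placeholders.
    outcomes = [socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution"),
                ["192.0.2.10"], []]
    log = lookup_log("spamvertised.example", 3, scripted_resolver(outcomes))
    return log, classify(log)
```

A report that stores this log keeps the state of DNS at reporting time, so a later re-lookup cannot silently replace the original result.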

Archived

This topic is now archived and is closed to further replies.
