
Identifying upstream ISP


oldskoolflash


A few times I have parsed spam emails and hit a "whois" brick wall. The reporting address clearly belongs to the spammer and there seems to be no way of finding the host's host. Is this a very difficult process to do?

For example this morning I have received spam referencing the sites: http://delicateperformance.org/ AND http://www.cheerfultune.org (google redirectors removed)

Both resolve to: 200.79.160.7 = [ npm.vpnmexico.net ]

Reporting address carlos.vargas[at]VPNMEXICO.NET hmmmmm I don't think so!

Also vpnmexico.net does not have a website (pretty suspicious for a host, I'd say).

inetnum: 200.79.160/20
status: reallocated
owner: Infraestructura de Telecomunicaciones Inalambrica
ownerid: MX-ITIN-LACNIC
responsible: Carlos Andres Vargas Salas
address: Paseo de la Reforma 2608 21 PISO
address: 11950 - Mexico - DF
country: MX
phone: 52 55 52164200 [4300]
owner-c: CAV
tech-c: CAV
created: 20021209
changed: 20021209
inetnum-up: 200.79/16

nic-hdl: CAV
person: Carlos Andres Vargas
e-mail: carlos.vargas[at]VPNMEXICO.NET
address: Paseo de la Reforma 2608 21 PISO
address: 11950 - Mexico - DF
country: MX
phone: 52 55 52164200 [4300]
created: 20021209
changed: 20041207


A few times I have parsed spam emails and hit a "whois" brick wall. The reporting address clearly belongs to the spammer and there seems to be no way of finding the host's host. Is this a very difficult process to do?

For example this morning I have received spam referencing the sites: http://delicateperformance.org/ AND http://www.cheerfultune.org (google redirectors removed)

Both resolve to: 200.79.160.7 = [ npm.vpnmexico.net ]

<snip>

...Normally, performing a 'tracert' command for the ip address provides the path across which a message takes to get to that ip address but I am getting a bunch of timeouts right now. :(

08/24/06 20:11:25 Slow traceroute 200.79.160.7
Trace 200.79.160.7 ...
144.232.9.136 RTT: 41ms TTL:144 (sl-st20-dal-1-0.sprintlink.net ok)
144.223.244.154 RTT: 43ms TTL:144 (sl-mexic1-3-0.sprintlink.net bogus rDNS: host not found [authoritative])
200.53.127.45 RTT: 43ms TTL:144 (host112045.metrored.net.mx bogus rDNS: host not found [authoritative])
201.148.152.10 RTT: 90ms TTL:144 (Giga1-3.NMU-COR-R02.metrored.net.mx bogus rDNS: host not found [authoritative])
200.57.17.141 RTT: 73ms TTL:144 (unknown.bestel.com.mx bogus rDNS: host not found [authoritative])
200.79.160.7 RTT: 76ms TTL:111 (npm.vpnmexico.net ok)

08/24/06 20:17:17 Browsing http://npm.vpnmexico.net/
Fetching http://npm.vpnmexico.net/ ...
GET / HTTP/1.1
Host: npm.vpnmexico.net

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
...
<body><h1>Object Moved</h1>This object may be found <a HREF="/Login.asp">here</a>.</body>

08/24/06 20:19:21 Browsing http://vpnmexico.net/
No such server as vpnmexico.net

08/24/06 20:21:37 Fetching http://npm.vpnmexico.net/Login.asp
Fetching http://npm.vpnmexico.net/Login.asp ...
GET /Login.asp HTTP/1.1
Host: npm.vpnmexico.net

<title>SolarWinds Network Management</title>

whois.lacnic.net is not offering up an AS number .. hmmmm ....

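The reply above applies the usual method for a "whois brick wall": trace the route to the spammer's IP, then read the hops just before the destination, since those belong to whoever sells the spammer connectivity, and compare the address against the parent block (inetnum-up) that whois reports. As an added illustration that is not part of this thread, the following Python script parses the exact traceroute output posted above and the two inetnum fields from the whois record in the first post. It walks back from the destination to list the upstream networks by hostname domain, flags hops whose reverse DNS the tool marked as bogus (so the name shown cannot be trusted on its own), and expands LACNIC's abbreviated "200.79.160/20" notation to confirm the address sits inside the allocation and its parent. The field names, the base_domain heuristic and the helper names are my own assumptions, not features of any whois client.

```python
import ipaddress
import re

# Traceroute hops copied from the reply above (tool-style output, one hop per line).
TRACE = """\
144.232.9.136 RTT: 41ms TTL:144 (sl-st20-dal-1-0.sprintlink.net ok)
144.223.244.154 RTT: 43ms TTL:144 (sl-mexic1-3-0.sprintlink.net bogus rDNS: host not found [authoritative])
200.53.127.45 RTT: 43ms TTL:144 (host112045.metrored.net.mx bogus rDNS: host not found [authoritative])
201.148.152.10 RTT: 90ms TTL:144 (Giga1-3.NMU-COR-R02.metrored.net.mx bogus rDNS: host not found [authoritative])
200.57.17.141 RTT: 73ms TTL:144 (unknown.bestel.com.mx bogus rDNS: host not found [authoritative])
200.79.160.7 RTT: 76ms TTL:111 (npm.vpnmexico.net ok)
"""

# The two allocation fields from the LACNIC record in the first post.
WHOIS_FIELDS = {"inetnum": "200.79.160/20", "inetnum-up": "200.79/16"}

# Matches "<ip> RTT: <n>ms TTL:<n> (<hostname> ok|bogus rDNS ...)".
HOP_RE = re.compile(r"^(\S+) RTT: (\d+)ms TTL:(\d+) \((\S+) (ok|bogus rDNS.*)\)$")


def parse_hops(text):
    """Turn the pasted traceroute into a list of hop dicts, in path order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if not m:
            continue  # tolerate headers such as "Trace 200.79.160.7 ..."
        ip, rtt, ttl, host, verdict = m.groups()
        hops.append({"ip": ip, "rtt_ms": int(rtt), "ttl": int(ttl),
                     "host": host, "rdns_ok": verdict == "ok"})
    return hops


def base_domain(host):
    """Crude registrable-domain heuristic (assumption): keep the last two labels,
    or three when the TLD is a two-letter country code under com/net/org/co."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in ("com", "net", "org", "co"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def upstream_candidates(hops):
    """Walk back from the destination; every hop in a different organisation's
    domain is an upstream network. Returns (ip, domain) pairs, nearest first."""
    dest_dom = base_domain(hops[-1]["host"])
    return [(h["ip"], base_domain(h["host"]))
            for h in reversed(hops[:-1]) if base_domain(h["host"]) != dest_dom]


def untrusted_names(hops):
    """IPs whose hostname failed the tool's reverse-DNS check; treat the name
    as a hint only and confirm the address block via whois before reporting."""
    return [h["ip"] for h in hops if not h["rdns_ok"]]


def lacnic_cidr(text):
    """Expand LACNIC's abbreviated prefix ('200.79.160/20') to a full network."""
    prefix, length = text.split("/")
    octets = prefix.split(".") + ["0"] * (4 - len(prefix.split(".")))
    return ipaddress.ip_network(".".join(octets) + "/" + length)


def allocation_chain(ip, fields):
    """Check the address against the reallocated block and its parent (inetnum-up)."""
    addr = ipaddress.ip_address(ip)
    return [(key, str(lacnic_cidr(fields[key])), addr in lacnic_cidr(fields[key]))
            for key in ("inetnum", "inetnum-up")]


if __name__ == "__main__":
    hops = parse_hops(TRACE)
    print("nearest upstream:", upstream_candidates(hops)[0])
    print("hops with bogus rDNS:", untrusted_names(hops))
    for key, net, inside in allocation_chain(hops[-1]["ip"], WHOIS_FIELDS):
        print(f"{key}: {net} contains destination = {inside}")
```

The nearest upstream it reports is the bestel.com.mx hop, with metrored.net.mx and sprintlink.net further out, which is the reading the reply above arrives at by eye; the bogus-rDNS list covers every intermediate hop, which is why a whois lookup on those IPs, not just the hostnames, is the step that actually identifies the provider.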

<title>SolarWinds Network Management</title>

whois.lacnic.net is not offering up an AS number .. hmmmm ....

Many thanks guys. Sorry for being a bit slow :blink: but presumably SolarWinds Network Management is the upstream ISP? And what is an AS number?

Also, is traceroute a DOS command?

Many thanks.


Archived

This topic is now archived and is closed to further replies.
