
Identifying upstream ISP


oldskoolflash

A few times I have parsed spam emails and hit a "whois" brick wall. The reporting address clearly belongs to the spammer and there seems to be no way of finding the host's host. Is this a very difficult process to do?

For example this morning I have received spam referencing the sites: http://delicateperformance.org/ AND http://www.cheerfultune.org (google redirectors removed)

Both resolve to: 200.79.160.7 = [ npm.vpnmexico.net ]

Reporting address carlos.vargas[at]VPNMEXICO.NET hmmmmm I don't think so!

Also vpnmexico.net does not have a website (pretty suspicious for a host, I'd say).

inetnum: 200.79.160/20
status: reallocated
owner: Infraestructura de Telecomunicaciones Inalambrica
ownerid: MX-ITIN-LACNIC
responsible: Carlos Andres Vargas Salas
address: Paseo de la Reforma 2608 21 PISO
address: 11950 - Mexico - DF
country: MX
phone: 52 55 52164200 [4300]
owner-c: CAV
tech-c: CAV
created: 20021209
changed: 20021209
inetnum-up: 200.79/16

nic-hdl: CAV
person: Carlos Andres Vargas
e-mail: carlos.vargas[at]VPNMEXICO.NET
address: Paseo de la Reforma 2608 21 PISO
address: 11950 - Mexico - DF
country: MX
phone: 52 55 52164200 [4300]
created: 20021209
changed: 20041207


A few times I have parsed spam emails and hit a "whois" brick wall. The reporting address clearly belongs to the spammer and there seems to be no way of finding the host's host. Is this a very difficult process to do?

For example this morning I have received spam referencing the sites: http://delicateperformance.org/ AND http://www.cheerfultune.org (google redirectors removed)

Both resolve to: 200.79.160.7 = [ npm.vpnmexico.net ]

<snip>

...Normally, performing a 'tracert' command for the IP address shows the path a message takes to get to that IP address, but I am getting a bunch of timeouts right now. :(

08/24/06 20:11:25 Slow traceroute 200.79.160.7
Trace 200.79.160.7 ...
144.232.9.136 RTT: 41ms TTL:144 (sl-st20-dal-1-0.sprintlink.net ok)
144.223.244.154 RTT: 43ms TTL:144 (sl-mexic1-3-0.sprintlink.net bogus rDNS: host not found [authoritative])
200.53.127.45 RTT: 43ms TTL:144 (host112045.metrored.net.mx bogus rDNS: host not found [authoritative])
201.148.152.10 RTT: 90ms TTL:144 (Giga1-3.NMU-COR-R02.metrored.net.mx bogus rDNS: host not found [authoritative])
200.57.17.141 RTT: 73ms TTL:144 (unknown.bestel.com.mx bogus rDNS: host not found [authoritative])
200.79.160.7 RTT: 76ms TTL:111 (npm.vpnmexico.net ok)

08/24/06 20:17:17 Browsing http://npm.vpnmexico.net/
Fetching http://npm.vpnmexico.net/ ...
GET / HTTP/1.1
Host: npm.vpnmexico.net
HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
...
<body><h1>Object Moved</h1>This object may be found <a HREF="/Login.asp">here</a>.</body>

08/24/06 20:19:21 Browsing http://vpnmexico.net/
No such server as vpnmexico.net

08/24/06 20:21:37 Fetching http://npm.vpnmexico.net/Login.asp
Fetching http://npm.vpnmexico.net/Login.asp ...
GET /Login.asp HTTP/1.1
Host: npm.vpnmexico.net
<title>SolarWinds Network Management</title>

whois.lacnic.net is not offering up an AS number .. hmmmm ....

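As an added example (not code from anyone in this thread), here is a small Python script that does mechanically what the traceroute and whois output above is used for by hand: it parses hop lines in the format quoted, walks back from the target to list the networks the path crosses before it enters the target's own domain (nearest first, noting whether any hop's reverse DNS was confirmed by forward lookup), and pulls the "inetnum-up" parent allocation out of a LACNIC-style whois record as the next block to query when the reallocated block's contacts are the spammer's own. The sample data is constructed from the output quoted in the thread; the registrable-domain heuristic and its SECOND_LEVEL list are simplifying assumptions (a real tool would use the Public Suffix List).

```python
"""Upstream-provider candidates from traceroute output, plus the next whois
lookup from a LACNIC-style record.  Added example; sample data is constructed
from the thread's output and the domain heuristic is an assumption."""
import re
from collections import OrderedDict

# Hop line format as printed by the tool quoted above:
#   IP RTT: Nms TTL:N (rdns-name status...)
HOP_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+RTT:\s*(\d+)ms\s+TTL:(\d+)\s+\((\S+)\s+(.*)\)$")

# Second-level labels under which registrations happen in many ccTLDs
# (assumption: enough for this path; use the Public Suffix List in practice).
SECOND_LEVEL = {"com", "net", "org", "edu", "gov", "co", "ac"}

# Constructed sample: the traceroute hops quoted in the thread.
SAMPLE_TRACE = """\
144.232.9.136 RTT: 41ms TTL:144 (sl-st20-dal-1-0.sprintlink.net ok)
144.223.244.154 RTT: 43ms TTL:144 (sl-mexic1-3-0.sprintlink.net bogus rDNS: host not found [authoritative])
200.53.127.45 RTT: 43ms TTL:144 (host112045.metrored.net.mx bogus rDNS: host not found [authoritative])
201.148.152.10 RTT: 90ms TTL:144 (Giga1-3.NMU-COR-R02.metrored.net.mx bogus rDNS: host not found [authoritative])
200.57.17.141 RTT: 73ms TTL:144 (unknown.bestel.com.mx bogus rDNS: host not found [authoritative])
200.79.160.7 RTT: 76ms TTL:111 (npm.vpnmexico.net ok)
"""

# Constructed sample: the relevant keys of the whois record quoted in the thread.
SAMPLE_WHOIS = """\
inetnum: 200.79.160/20
status: reallocated
ownerid: MX-ITIN-LACNIC
inetnum-up: 200.79/16
"""


def parse_hops(text):
    """Parse hop lines into dicts; lines that do not match are ignored."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if not m:
            continue
        ip, rtt, ttl, name, status = m.groups()
        hops.append({"ip": ip, "rtt_ms": int(rtt), "ttl": int(ttl), "name": name,
                     # "ok" = forward lookup confirmed the PTR name; anything else
                     # ("bogus rDNS: host not found") is only an unverified hint.
                     "rdns_ok": status.strip() == "ok"})
    return hops


def registrable_domain(hostname):
    """Rough registrable domain: last two labels, or three when the TLD is a
    two-letter ccTLD with a generic second level (e.g. bestel.com.mx)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def upstream_candidates(hops):
    """Walk back from the final hop and collect, nearest first, each distinct
    network (by registrable domain) crossed before the target's own network.
    rdns_ok is True if any hop in that network had a verified PTR name."""
    if not hops:
        return []
    target_domain = registrable_domain(hops[-1]["name"])
    seen = OrderedDict()
    for hop in reversed(hops[:-1]):
        dom = registrable_domain(hop["name"])
        if dom == target_domain:
            continue  # still inside the target's own network
        if dom not in seen:
            seen[dom] = {"domain": dom, "first_ip": hop["ip"], "rdns_ok": False}
        seen[dom]["rdns_ok"] = seen[dom]["rdns_ok"] or hop["rdns_ok"]
    return list(seen.values())


def parse_whois(text):
    """Collect 'key: value' lines, keeping every value for repeated keys."""
    rec = OrderedDict()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        rec.setdefault(key.strip().lower(), []).append(value.strip())
    return rec


def expand_cidr(short):
    """LACNIC prints truncated prefixes ('200.79/16'); pad to a full CIDR."""
    prefix, length = short.split("/")
    octets = prefix.split(".") + ["0"] * (4 - len(prefix.split(".")))
    return ".".join(octets) + "/" + length


def next_whois_target(rec):
    """The parent allocation to query next, if the record names one."""
    ups = rec.get("inetnum-up")
    return expand_cidr(ups[0]) if ups else None


if __name__ == "__main__":
    for c in upstream_candidates(parse_hops(SAMPLE_TRACE)):
        flag = "verified rDNS" if c["rdns_ok"] else "unverified rDNS"
        print(f"{c['domain']:<18} first seen at {c['first_ip']:<16} ({flag})")
    print("next whois lookup:", next_whois_target(parse_whois(SAMPLE_WHOIS)))
```

For the path above it reports bestel.com.mx (at 200.57.17.141) as the nearest upstream candidate, then metrored.net.mx and sprintlink.net, and 200.79.0.0/16 as the parent allocation to query next. Note that the bestel and metrored names come from PTR records the tool could not confirm by forward lookup, so they are leads to check with a whois on that hop's own address, not proof of who provides transit.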
