mrmaxx Posted October 20, 2006

Tracking URL: http://www.spamcop.net/sc?id=z1110604823ze...c831fad99bc71fz

I manually looked it up using "host" on my linux box and got the following:

[john[at]slave1 ~]$ host vbwjfa.creogas.com
vbwjfa.creogas.com has address 200.56.242.35

Further whois gives the following info:

[john[at]slave1 ~]$ whois 200.56.242.35
[Querying whois.lacnic.net]
[whois.lacnic.net]
% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2006-10-20 14:43:25 (BRT -03:00)

inetnum: 200.56.240/20
status: reallocated
owner: ADETEL
ownerid: MX-ADET-LACNIC
responsible: Administrador Optical
address: Acueducto Rio Hondo Col. Lomas de Virreyes, 28, 205
address: 11000 - Mexico - DF
country: MX
phone: +52 55 50952300 [2335]
owner-c: ADO
tech-c: ADO
created: 20000609
changed: 20031205
inetnum-up: 200.56/15

nic-hdl: ADO
person: Administrador Optical
e-mail: dominios[at]OPTICAL.NET.MX
address: Acueducto Rio Hondo, 28, 205
address: 11000 - Mexico - DF
country: MX
phone: +52 55 50952300 [2335]
created: 20031204
changed: 20031204

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

Not sure it'll do much good, but I'm gonna file a manual complaint with the only contact for these folks.
Wazoo Posted October 20, 2006

And when I take a look, using tools from 'here' ..... Yes, I would say that the DNS configuration on this is definitely a spammer contrived set-up. Most 'tools' and look-up databases are based on working with the Domain itself, but in this case, only the sub-domain has been 'configured' to return results to things like "user browsers" ....

10/20/06 14:50:52 dns creogas.com
No DNS for this address (host doesn't exist)

10/20/06 14:51:01 Slow traceroute creogas.com
Trace creogas.com failed, no such host

whois -h whois.gandi.net creogas.com ...
domain: creogas.com
owner-address: 8011 Hangar Loop Drive
owner-address: 33621
owner-address: MacDill
owner-address: United States of America
admin-c: SJH8-GANDI
tech-c: SJH8-GANDI
bill-c: SJH8-GANDI
nserver: ns1.timbreframe.info 211.139.168.75
nserver: ns2.goodiman.com 211.139.80.120
nserver: ns1.herecentral.info 213.226.169.168
nserver: ns2.witchcurrency.info 211.139.79.108
reg_created: 2006-10-17 14:03:02
expires: 2007-10-17 14:03:02
created: 2006-10-17 16:03:03
changed: 2006-10-17 16:03:03

On the other hand, the sub-domain you identified does track as you state ....

10/20/06 14:57:21 dns vbwjfa.creogas.com
Canonical name: vbwjfa.creogas.com
Addresses: 200.56.242.35

10/20/06 14:56:56 Slow traceroute vbwjfa.creogas.com
Trace vbwjfa.creogas.com (200.56.242.35) ...
200.53.127.45 RTT: 88ms TTL:160 (host112045.metrored.net.mx bogus rDNS: host not found [authoritative])
201.148.152.10 RTT: 75ms TTL:160 (Giga1-3.NMU-COR-R02.metrored.net.mx bogus rDNS: host not found [authoritative])
201.148.150.33 RTT: 86ms TTL:160 (host150033.metrored.net.mx bogus rDNS: host not found [authoritative])
201.148.150.35 RTT: 78ms TTL:160 (host150035.metrored.net.mx bogus rDNS: host not found [authoritative])
200.56.242.35 RTT: 84ms TTL: 47 (vbwjfa.creogas.com ok)
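The pattern Wazoo points at (the registered domain creogas.com returns nothing, only the throw-away hostname vbwjfa.creogas.com resolves) and the registrar record he pasted (registered three days before the spam, nameservers spread over four unrelated domains) can both be checked mechanically before filing a report. The script below is an added example written for this thread; it is not SpamCop's tooling or any poster's code. `resolve()` is the live path through the system resolver; `SAMPLE_ANSWERS` and `SAMPLE_WHOIS` are constructed from the answers quoted above so the rest of the script runs offline, and `parent_domain()` assumes a plain two-label TLD (no public-suffix list).

```python
"""Flag a spamvertised hostname whose parent domain has no DNS of its own,
and pull the warning signs out of the registrar's whois record.

Added example for this thread (not SpamCop's or any poster's code). The
lookup function is pluggable so the check can run against constructed answers.
"""
import socket
from datetime import date, datetime
from typing import Callable, Dict, List, Optional

Fields = Dict[str, List[str]]


def resolve(name: str) -> Optional[str]:
    """Live lookup through the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def parent_domain(hostname: str) -> str:
    """Registrable parent, assuming a two-label TLD (no public-suffix list)."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(hostname: str, lookup: Callable[[str], Optional[str]] = resolve) -> dict:
    """Resolve the hostname and its apex and report the mismatch that matters."""
    apex = parent_domain(hostname)
    host_ip, apex_ip = lookup(hostname), lookup(apex)
    flags: List[str] = []
    if host_ip is None:
        flags.append("hostname does not resolve")
    elif apex_ip is None:
        # Only the throw-away subdomain answers; tools that start from the
        # registered domain will see nothing and report a dead host.
        flags.append("subdomain-only DNS: apex does not resolve")
    return {"hostname": hostname, "apex": apex, "host_ip": host_ip,
            "apex_ip": apex_ip, "flags": flags}


def parse_whois(text: str) -> Fields:
    """Parse 'key: value' lines; repeated keys (nserver, address) become lists."""
    fields: Fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            continue  # blank line or server banner/comment
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def domain_age_days(fields: Fields, seen_on: date) -> Optional[int]:
    """Days between registration and the day the spam was seen (None if no date)."""
    stamps = fields.get("reg_created") or fields.get("created")
    if not stamps:
        return None
    raw = stamps[0].split()[0]
    for fmt in ("%Y-%m-%d", "%Y%m%d"):  # registrar style vs. LACNIC style
        try:
            return (seen_on - datetime.strptime(raw, fmt).date()).days
        except ValueError:
            continue
    return None


def nameserver_domains(fields: Fields) -> List[str]:
    """Distinct parent domains of the listed nameservers, sorted."""
    return sorted({parent_domain(ns.split()[0]) for ns in fields.get("nserver", [])})


# --- Constructed sample data, mirroring the answers quoted in the thread ---
SAMPLE_ANSWERS = {"vbwjfa.creogas.com": "200.56.242.35"}  # creogas.com absent on purpose
SAMPLE_WHOIS = """\
% registrar banner lines are skipped by the parser
domain: creogas.com
nserver: ns1.timbreframe.info 211.139.168.75
nserver: ns2.goodiman.com 211.139.80.120
nserver: ns1.herecentral.info 213.226.169.168
nserver: ns2.witchcurrency.info 211.139.79.108
reg_created: 2006-10-17 14:03:02
"""


def offline_lookup(name: str) -> Optional[str]:
    """Stand-in for resolve() that answers only from SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(name)


def analyze_sample(seen_on: date = date(2006, 10, 20)) -> dict:
    """Run all three checks over the constructed sample and return one report."""
    fields = parse_whois(SAMPLE_WHOIS)
    report = classify("vbwjfa.creogas.com", lookup=offline_lookup)
    report["domain_age_days"] = domain_age_days(fields, seen_on)
    report["nameserver_domains"] = nameserver_domains(fields)
    return report


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(f"{key}: {value}")
```

On a live name, call `classify("some.host.example")` with the default `lookup` and feed the output of `whois -h whois.gandi.net example.com` to `parse_whois()`; the three signals (apex does not resolve, domain registered days ago, nameservers scattered over unrelated domains) are the ones visible in the records quoted above.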
mrmaxx (Author) Posted October 21, 2006

> And when I take a look, using tools from 'here' ..... Yes, I would say that the DNS configuration on this is definitely a spammer contrived set-up. Most 'tools' and look-up databases are based on working with the Domain itself, but in this case, only the sub-domain has been 'configured' to return results to things like "user browsers" ....
> (Snip)

Hmm... Interesting. Oh, well... so I reported Spammy to himself. :-) I was smart enough to take the specific page off the URL when manually reporting it. That should make it harder to identify me and spam me worse or list-wash me. :-)
rooster Posted October 25, 2006

Y'all;

> And when I take a look, using tools from 'here' ..... Yes, I would say that the DNS configuration on this is definitely a spammer contrived set-up. Most 'tools' and look-up databases are based on working with the Domain itself, but in this case, only the sub-domain has been 'configured' to return results to things like "user browsers" ....
> <snip>
> On the other hand, the sub-domain you identified does track as you state ....
> 10/20/06 14:57:21 dns vbwjfa.creogas.com
> Canonical name: vbwjfa.creogas.com
> Addresses: 200.56.242.35
> <snip>
> 200.56.242.35 RTT: 84ms TTL: 47 (vbwjfa.creogas.com ok)

Just a 'FYFiles'; from SORBS:

Database of servers sending to spamtrap addresses
Address: 200.56.242.35
Record Created: Tue Sep 26 21:06:21 2006 GMT
Record Updated: Tue Sep 26 21:06:21 2006 GMT
Additional Information: spamvertised www.templemon.com. 10M IN A 200.56.242.35
Currently active and flagged to be published in DNS