mrmaxx Posted October 20, 2006

Tracking URL: http://www.spamcop.net/sc?id=z1110604823ze...c831fad99bc71fz

I manually looked it up using "host" on my Linux box and got the following:

[john[at]slave1 ~]$ host vbwjfa.creogas.com
vbwjfa.creogas.com has address 200.56.242.35

Further whois gives the following info:

[john[at]slave1 ~]$ whois 200.56.242.35
[Querying whois.lacnic.net]
[whois.lacnic.net]
% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2006-10-20 14:43:25 (BRT -03:00)

inetnum: 200.56.240/20
status: reallocated
owner: ADETEL
ownerid: MX-ADET-LACNIC
responsible: Administrador Optical
address: Acueducto Rio Hondo Col. Lomas de Virreyes, 28, 205
address: 11000 - Mexico - DF
country: MX
phone: +52 55 50952300 [2335]
owner-c: ADO
tech-c: ADO
created: 20000609
changed: 20031205
inetnum-up: 200.56/15

nic-hdl: ADO
person: Administrador Optical
e-mail: dominios[at]OPTICAL.NET.MX
address: Acueducto Rio Hondo, 28, 205
address: 11000 - Mexico - DF
country: MX
phone: +52 55 50952300 [2335]
created: 20031204
changed: 20031204

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

Not sure it'll do much good, but I'm gonna file a manual complaint with the only contact for these folks.
Wazoo Posted October 20, 2006

And when I take a look, using tools from 'here' ..... Yes, I would say that the DNS configuration on this is definitely a spammer-contrived set-up. Most 'tools' and look-up databases are based on working with the domain itself, but in this case, only the sub-domain has been 'configured' to return results to things like "user browsers" ....

10/20/06 14:50:52 dns creogas.com
No DNS for this address (host doesn't exist)

10/20/06 14:51:01 Slow traceroute creogas.com
Trace creogas.com failed, no such host

whois -h whois.gandi.net creogas.com ...
domain: creogas.com
owner-address: 8011 Hangar Loop Drive
owner-address: 33621
owner-address: MacDill
owner-address: United States of America
admin-c: SJH8-GANDI
tech-c: SJH8-GANDI
bill-c: SJH8-GANDI
nserver: ns1.timbreframe.info 211.139.168.75
nserver: ns2.goodiman.com 211.139.80.120
nserver: ns1.herecentral.info 213.226.169.168
nserver: ns2.witchcurrency.info 211.139.79.108
reg_created: 2006-10-17 14:03:02
expires: 2007-10-17 14:03:02
created: 2006-10-17 16:03:03
changed: 2006-10-17 16:03:03

On the other hand, the sub-domain you identified does track as you state ....

10/20/06 14:57:21 dns vbwjfa.creogas.com
Canonical name: vbwjfa.creogas.com
Addresses: 200.56.242.35

10/20/06 14:56:56 Slow traceroute vbwjfa.creogas.com
Trace vbwjfa.creogas.com (200.56.242.35) ...
200.53.127.45 RTT: 88ms TTL:160 (host112045.metrored.net.mx bogus rDNS: host not found [authoritative])
201.148.152.10 RTT: 75ms TTL:160 (Giga1-3.NMU-COR-R02.metrored.net.mx bogus rDNS: host not found [authoritative])
201.148.150.33 RTT: 86ms TTL:160 (host150033.metrored.net.mx bogus rDNS: host not found [authoritative])
201.148.150.35 RTT: 78ms TTL:160 (host150035.metrored.net.mx bogus rDNS: host not found [authoritative])
200.56.242.35 RTT: 84ms TTL: 47 (vbwjfa.creogas.com ok)
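The three observations in Wazoo's post (the apex domain does not resolve while a throwaway sub-domain does; most traceroute hops carry a PTR name that does not resolve back, which the tool labels "bogus rDNS"; and a three-day-old registration whose name servers sit in four unrelated domains) can be reduced to small, repeatable checks. The script below is an added example, not code from the thread or from the tool Wazoo used. All DNS answers in it come from a constructed lookup table built from the figures quoted in the post, so it runs offline; the live_forward/live_reverse helpers use the system resolver and can be passed in to run the same checks against real DNS. The apex_of helper assumes a simple two-label apex and is labelled as such.

```python
"""Added example (not from the forum thread): forward/apex and
forward-confirmed reverse DNS checks over a constructed DNS table."""
import socket
from typing import Dict, List, Optional

# Constructed forward table (name -> IPv4), modelled on the thread's data.
# The apex creogas.com is deliberately absent: it returned "host doesn't exist".
FORWARD: Dict[str, str] = {
    "vbwjfa.creogas.com": "200.56.242.35",
}

# Constructed reverse table (IPv4 -> PTR target), taken from the traceroute hops.
REVERSE: Dict[str, str] = {
    "200.53.127.45": "host112045.metrored.net.mx",
    "201.148.152.10": "Giga1-3.NMU-COR-R02.metrored.net.mx",
    "200.56.242.35": "vbwjfa.creogas.com",
}


def table_forward(name: str) -> Optional[str]:
    """Offline A lookup against the constructed table."""
    return FORWARD.get(name.lower().rstrip("."))


def table_reverse(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed table."""
    return REVERSE.get(ip)


def live_forward(name: str) -> Optional[str]:
    """Real A lookup via the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def fcrdns(ip: str, forward=table_forward, reverse=table_reverse) -> str:
    """Forward-confirmed reverse DNS, the check behind a 'bogus rDNS' label:
    the PTR name must itself resolve, and resolve back to the same address."""
    ptr = reverse(ip)
    if ptr is None:
        return "no PTR"
    back = forward(ptr)
    if back is None:
        return f"bogus rDNS: {ptr} does not resolve"
    if back != ip:
        return f"bogus rDNS: {ptr} resolves to {back}, not {ip}"
    return f"{ptr} ok"


def apex_of(hostname: str) -> str:
    """Registrable domain, ASSUMING a two-label apex such as creogas.com.
    Production code should consult the Public Suffix List (co.uk etc.)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def classify_host(hostname: str, forward=table_forward) -> Dict[str, object]:
    """Flag the pattern from the thread: the sub-domain resolves, the apex does not."""
    apex = apex_of(hostname)
    host_ip, apex_ip = forward(hostname), forward(apex)
    return {"host": hostname, "host_ip": host_ip, "apex": apex, "apex_ip": apex_ip,
            "subdomain_only": host_ip is not None and apex_ip is None}


def nameserver_domains(nservers: List[str]) -> List[str]:
    """Distinct apex domains of a domain's NS names. Four NS records, each in a
    different domain unrelated to the registrant, is another throwaway signal."""
    return sorted({apex_of(ns) for ns in nservers})


if __name__ == "__main__":
    print(classify_host("vbwjfa.creogas.com"))
    for hop in ("200.53.127.45", "201.148.152.10", "200.56.242.35"):
        print(hop, fcrdns(hop))
    print(nameserver_domains(["ns1.timbreframe.info", "ns2.goodiman.com",
                              "ns1.herecentral.info", "ns2.witchcurrency.info"]))
```

Run against live DNS by passing forward=live_forward and reverse=live_reverse; the constructed table is only there so the checks can be exercised without a network and without depending on records that have long since disappeared.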
mrmaxx Posted October 21, 2006

> And when I take a look, using tools from 'here' ..... Yes, I would say that the DNS configuration on this is definitely a spammer-contrived set-up. Most 'tools' and look-up databases are based on working with the domain itself, but in this case, only the sub-domain has been 'configured' to return results to things like "user browsers" ....
> (Snip)

Hmm... Interesting. Oh, well... so I reported Spammy to himself. :-)

I was smart enough to take the specific page off the URL when manually reporting it. That should make it harder to identify me and spam me worse or list-wash me. :-)
rooster Posted October 25, 2006

Y'all;

> And when I take a look, using tools from 'here' ..... Yes, I would say that the DNS configuration on this is definitely a spammer-contrived set-up. Most 'tools' and look-up databases are based on working with the domain itself, but in this case, only the sub-domain has been 'configured' to return results to things like "user browsers" ....
> <snip>
> On the other hand, the sub-domain you identified does track as you state ....
>
> 10/20/06 14:57:21 dns vbwjfa.creogas.com
> Canonical name: vbwjfa.creogas.com
> Addresses: 200.56.242.35
> <snip>
> 200.56.242.35 RTT: 84ms TTL: 47 (vbwjfa.creogas.com ok)

Just a 'FYFiles'; from SORBS:

Database of servers sending to spamtrap addresses
Address: 200.56.242.35
Record Created: Tue Sep 26 21:06:21 2006 GMT
Record Updated: Tue Sep 26 21:06:21 2006 GMT
Additional Information: spamvertised www.templemon.com. 10M IN A 200.56.242.35
Currently active and flagged to be published in DNS
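The SORBS record rooster quotes is "flagged to be published in DNS", which is how a mail server or an investigator normally consumes such a listing: a DNS query for the address written backwards under the list's zone. The script below is an added example, not part of rooster's post or of SORBS; it follows the DNSBL query convention of RFC 5782 (IPv4 octets reversed, IPv6 nibbles reversed, a listing signalled by an A record in 127.0.0.0/8, with 127.0.0.2 as the standard "always listed" test point). The zone name dnsbl.example and the resolver answers in it are constructed so the code runs offline; the real zone name for any given list comes from that list's own documentation.

```python
"""Added example (not from the forum thread): build and interpret a DNSBL
query per RFC 5782. All resolver answers below are constructed."""
import ipaddress
import socket
from typing import Callable, Dict, List

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """200.56.242.35 under dnsbl.example -> 35.242.56.200.dnsbl.example.
    IPv6 addresses are expanded and reversed nibble by nibble."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".")


def dnsbl_lookup(ip: str, zone: str,
                 resolve: Callable[[str], List[str]]) -> Dict[str, object]:
    """Query the list; `resolve` returns the A records for a name ([] on NXDOMAIN).
    Only 127.0.0.0/8 answers count as a listing, so a wildcard or hijacked
    zone returning a public address is not mistaken for one."""
    name = dnsbl_query_name(ip, zone)
    codes = [a for a in resolve(name) if ipaddress.ip_address(a) in LISTED_RANGE]
    return {"query": name, "listed": bool(codes), "codes": codes}


# Constructed answers for a HYPOTHETICAL zone; 200.56.242.35 is modelled on
# the SORBS record quoted above, the two 127.0.0.x names are RFC 5782 test points.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "35.242.56.200.dnsbl.example": ["127.0.0.2"],
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],   # must always be listed
    "1.0.0.127.dnsbl.example": [],              # must never be listed
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


def live_resolve(name: str) -> List[str]:
    """System-resolver A lookup; [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in ("200.56.242.35", "127.0.0.2", "127.0.0.1"):
        print(dnsbl_lookup(ip, "dnsbl.example", fake_resolve))
```

Before trusting any answer from a real list, query its 127.0.0.2 and 127.0.0.1 test points first: if 127.0.0.2 is not listed the zone is dead or blocked, and if 127.0.0.1 is listed the zone is returning wildcard answers and every address will look listed.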
This topic is now archived and is closed to further replies.