Jump to content

"ISP has already taken action.....


KO132
 Share

Recommended Posts

This is the report about the strange behavior of the spamcop.net

regarding the following spamvertised web sites:

"5596.cc"

"5596.jp"

"kiss093.in" .

The situation is as follows:

1. When the spam report regarding "5596.cc","5596.jp","kiss093.in"

reported to spamcop.net, spamcop.net indicates

"ISP has already taken action against the account".

However, when I asked the ISP about this matter directly,

the ISP said "We did not have any contact with spamcop.

We have no information about the indication of the spamcop."

2. Recently, "5596.cc" moved to other ISPs. But the indication

of the spamcop is the same:

"ISP has already taken action against the account".

even immediately after the moving.

Those sites moved to 3 or 4 different ISPs, but the indication has not

changed. "ISP has already taken action" all the time.

3. "5596.cc", "5596.jp", "kiss093.in" use the identical name server.

Those sites appears to be operated by the same spammer.

Why does the spamcop say

"ISP has already taken action against the account" ?

I'm afraid that the spammer cracked ISP's mail account

and the send mails to spamcop, pretending ISP,

or the spammer cracked spamcop's database.

Please let me know the reason of the above

indication and I hope that those trouble of the spamcop's

indcation will be corrected.

Link to comment
Share on other sites

Please provide a Tracking URL for one of these parse result pages. The 'context' of the data really needs to be seen for any 'good' response.

One of the 'perqs' of a "paid" membership is that one can 'challenge' issues like this .....

Just looking at 5596.cc;

11/20/06 02:25:26 Slow traceroute 5596.cc

Trace 5596.cc (61.44.36.195) ...

If identified by IP address, reports would have gone to;

Cached whois for 61.44.36.195 : opinion[at]freebit.net

Using best contacts abuse[at]freebit.net

However, ....

host 61.44.36.195 = 195.36.44.61.ap.yournet.ne.jp

No recent reports, no history available

http://www.dnsreport.com/tools/dnsreport.ch?domain=5596.cc shws some issues with the registration/DNS data for this Domain ... could be intentional ....

http://mailsc.spamcop.net/sc?track=someone%405596.cc seems to show the (possibly) same data you are asking about ...

Parsing input: someone[at]5596.cc

cannot find an mx for 5596.cc

Host 5596.cc (checking ip) = 61.44.36.195

host 61.44.36.195 = 195.36.44.61.ap.yournet.ne.jp (cached)

chopping username "someone[at]" from URL: http://5596.cc/

Host 5596.cc (checking ip) = 61.44.36.195

host 61.44.36.195 = 195.36.44.61.ap.yournet.ne.jp (cached)

[report history]

ISP believes this issue is resolved http://5596.cc/

ISP believes this issue is resolved: http://5596.cc/ - no date available

Routing details for 61.44.36.195

Cached whois for 61.44.36.195 : opinion[at]freebit.net

Using best contacts abuse[at]freebit.net

But note the same abuse address ...

http://www.dnsstuff.com/tools/whois.ch?ip=...ff&email=on

Domain Name: 5596.cc

Created On: 2005-08-11 20:44:45.0

Last Updated On: 2005-08-11 21:51:14.0

Expiration Date: 2007-08-11 11:47:30.0

Status: ACTIVE

Registrant Name: naotaro inose

Registrant Organization: naotaro inose

Registrant Street1: 4-5-14 nakaizumi

Registrant Street2:

Registrant City: komae-shi

Registrant State: tokyo

Registrant Postal Code: 201-0014

Registrant Country: JP

Registrant Phone: 03-5497-5777

Registrant Fax: None

Registrant Email: ino_naotaro[at]yahoo.co.jp

Admin Name: inose naotaro

Admin Organization: naotaro inose

Admin Street1: 4-5-14 nakaizumi

Admin Street2:

Admin City: komae-shi

Admin State: Tokyo

Admin Postal Code: 201-0014

Admin Country: JP

Admin Phone: 03-5497-5777

Admin Fax: None

Admin Email: ino_naotaro[at]yahoo.co.jp

Name Server: dynamic1.v01.jp

Name Server: dynamic2.v01.jp

The parser would normally try to come up with an address other than a Yahoo address for reporting .. so I'm back to wanting to see one of your Tracking URLs to show how this bit of data was actually submitted/handled.

From: "WazoO"

To: deputies

Subject: 5596.cc - ISP has already taken action

Date: Mon, 20 Nov 2006 02:59:21 -0600

http://forum.spamcop.net/forums/index.php?showtopic=7527

other Domains in the query;

5596.jp

kiss093.in

No reports available, yet ....

ISP believes this issue is resolved http://5596.cc/

ISP believes this issue is resolved: http://5596.cc/ - no date available

Expanded on by user's comments;

//However, when I asked the ISP about this matter directly,

the ISP said "We did not have any contact with spamcop.

We have no information about the indication of the spamcop."//

Can you provide a better answer than I offered?

Link to comment
Share on other sites

  • 2 weeks later...

I'm sorry for insufficient report.

The above phenomenon has once been improved, right after Nov 20 2006.

(for both "5596.cc" and "kiss093.in" ).

But now the same trouble occured again:

Tracking link: http://kiss093.in/?wa10us22

[report history]

ISP believes this issue is resolved http://kiss093.in/?wa10us22

Resolves to 219.97.27.192

Routing details for 219.97.27.192

[refresh/show] Cached whois for 219.97.27.192 : k-nakaniwa[at]web.ad.jp kjmtkhr[at]web.ad.jp

Using last resort contacts k-nakaniwa[at]web.ad.jp kjmtkhr[at]web.ad.jp

ISP has already taken action against the account: http://kiss093.in/?wa10us22

The "kiss093.in" appears to change the ISP recently.

The above ISP "web.ad.jp" is exactly the ISP which I mentioned in

my previous post ( Nov 20 2006 ).

Link to comment
Share on other sites

  • 1 month later...

The same trouble occurs.

http://www.spamcop.net/sc?id=z1193381521z6...e5256dd0bd4a75z

------------------------------------------------------------------------------

ISP believes this issue is resolved http://miki-boku.jp/?oa12ex03

Resolves to 219.97.27.192

Routing details for 219.97.27.192

[refresh/show] Cached whois for 219.97.27.192 : k-nakaniwa[at]web.ad.jp kjmtkhr[at]web.ad.jp

Using last resort contacts k-nakaniwa[at]web.ad.jp kjmtkhr[at]web.ad.jp

ISP has already taken action against the account: http://miki-boku.jp/?oa12ex03

------------------------------------------------------------------------------

This time, the spamversed site URL is "http://miki-boku.jp/", and the name server is

"dynamic1.v01.jp", "dynamic2.v01.jp", the same as 5596.jp.

------------------------------------------------------------------------------

miki-boku.jp

Registrant:

Kohei Nakamura

First Registered:

July 06, 2006

Last Updated:

July 28, 2006

Administrative Contact:

VALUE-DOMAIN.COM (info[at]value-domain.com)

Phone: 06-6241-6585

Fax: 06-6241-6586

Name Servers:

dynamic1.v01.jp

dynamic2.v01.jp

------------------------------------------------------------------------------

Link to comment
Share on other sites

ISP has already taken action against the account: http://miki-boku.jp/?oa12ex03

Please remember that it is up to the ISP's discretion what "action" should be taken. You and I may believe the site should be taken down, but it is not our decision to make. It is possible a simple warning was sent to their contact. That line (ISP has already taken action against the account) is a canned response provided by SpamCop as one of the options in reply to a report.

Link to comment
Share on other sites

I know that it is up to the ISP's discretion what "action" should be taken.

However, the problem is that the message appears even though the ISP

did not have any contact with spamcop, as I wrote in the

first post, Nov 20 2006, 02:09 AM.

Plural ISPs answered like this:

We did not contact with Spamcop. We do not know

why spamcop says "ISP has already taken action against the account".

On the other hand, this kind of trouble occurs for the

spamversed sites of

miki-boku.jp

5596.cc

5596.jp

kiss093.in

and all those sites above use the identical name sever :

DYNAMIC1.V01.JP

DYNAMIC2.V01.JP

which impies that those are the same spammer's sites.

I am afraid that the message " ISP has alredy..." for those sites

is not valid message but is showen by the spammer's trick.

Link to comment
Share on other sites

Since spammers lie, I wouldn't rely on the word of the ISP that an action at spamcop was not taken.

Chasing down websites seems futile to me as well as the fact that I don't perfectly understand the structure of websites and IP addresses and hosts.

There is a newsgroup (and I don't know how active it is anymore) where you can present evidence of this sort for the deputies. spamcop.routing or you could email the deputies directly.

IIUC, though, no matter what the name servers are, the reports probably will not go there because the websites are not there, but probably moved around on other hosting sites.

I don't know if spamvertised sites that have the tag 'ISP has resolved..' are picked up by the list that uses spamvertised sites for blocking, but IMHO, if I were running the list, unless the website owner proved that the website was entirely innocent, once on the list, it wouldn't come off no matter what spamcop did.

Since spamcop doesn't 'do' anything except send reports and feed any list that uses spamvertised websites for blocking with spamvertised sites, IMHO, it doesn't matter much whether the parser does, or does not, send the report if it is a known spammer site. Obviously, the spammer either has an agreement with the hosts or knows how to evade shutdowns and still operate. Since sometimes spamcop comments don't mean exactly what they say, it may be that that is what the comment means or that what the parser can find is not the correct address for reports. Naturally the incorrect address would not want the reports.

IMHO, since spamcop isn't primarily concerned with getting websites shut down, the best thing to do if you are interested is to send manual reports to those ISPs you think are responsible and would do something.

Somebody who knows more, may come along and 'correct' my post, but all of us are guessing at why unless the post comes from SpamCop Admin who, sometimes, also reads the forum.

Miss Betsy

Link to comment
Share on other sites

Well, I believe that the ISP I mentioned is not a partner of the spammer.

That ISP (Nifty) is a major ISP managed by a major company of electronics.

However, Nifty have a tendency to leave the complaints against spamversed sites

unless the number of complaints become considerable extent.

Actually I sent spam reports manually to the corresponding ISP.

So, as far as for me, the message " ISP has alredy..." is not a great matter.

However, a lot of reports by spamcop users are not sent to the ISP.

I think that spamcop reports have a role of prompting the ISP to take some action,

even if the action is simply sending warning to spamversed sites.

If the indication of " ISP has alredy..." is not caused by a spammers trick but

simply based on the ISP's response, there is no problem.

However as far as I asked ISP, it seems that the message is not based on the ISP's response.

Link to comment
Share on other sites

However, the other point Mz B was making is that few of us even care about reporting spamadvertized content and only quick report.. with the amount of spam inceasing to the extent it did lately and slowdowns in parsing, we just don't have the time. If I were to guess, less than 10% of total reporting by SC members even touch on this issue, so it will never reach a critical mass.

Edited by dra007
Link to comment
Share on other sites

Well, I believe that the ISP I mentioned is not a partner of the spammer.

That ISP (Nifty) is a major ISP managed by a major company of electronics.

However, Nifty have a tendency to leave the complaints against spamversed sites

unless the number of complaints become considerable extent.

<snip>

If the indication of " ISP has alredy..." is not caused by a spammers trick but

simply based on the ISP's response, there is no problem.

However as far as I asked ISP, it seems that the message is not based on the ISP's response.

I don't know how the comment got there and if you think that Nifty would do something based on spamcop complaints and would not object to receiving them, then you should email the deputies with the information. The email address is deputies at admin.spamcop.net. When you do, be sure that your intiatial post includes a tracking url and a clear description of the problem. They get a lot of email and if they have the information, they can answer it quickly.

As I said, understanding about who is actually hosting a website gives me a headache, but it looked to me as though the website was being hosted by a number of different people, not just one. If Nifty is where the nameservers are, but not the website, Nifty may not be able to do anything. A long time ago, I found a website hosted by GoDaddy that belonged to a known spammer. Godaddy knew it, but couldn't do anything because somehow it was not directly related to spam. It may be that when Nifty was unresponsive, the reports started going to the upstream and they discovered that nothing could be done so they put the comment there.

However, OTOH, spamcop's purpose is not primarily to report websites and so may change the comment if you can show that it should be changed to their satisfaction while if it is not brought to their attention, will not do anything.

Miss Betsy

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...