KO132 Posted November 20, 2006

This is a report about the strange behavior of spamcop.net regarding the following spamvertised web sites: "5596.cc", "5596.jp", "kiss093.in".

The situation is as follows:

1. When a spam report regarding "5596.cc", "5596.jp", "kiss093.in" is submitted to spamcop.net, spamcop.net indicates "ISP has already taken action against the account". However, when I asked the ISP about this matter directly, the ISP said "We did not have any contact with spamcop. We have no information about the indication of the spamcop."

2. Recently, "5596.cc" moved to other ISPs. But the indication of the spamcop is the same: "ISP has already taken action against the account", even immediately after the move. Those sites moved to 3 or 4 different ISPs, but the indication has not changed: "ISP has already taken action" all the time.

3. "5596.cc", "5596.jp", "kiss093.in" use the identical name server. Those sites appear to be operated by the same spammer.

Why does the spamcop say "ISP has already taken action against the account"? I'm afraid that the spammer cracked the ISP's mail account and sends mail to spamcop pretending to be the ISP, or that the spammer cracked spamcop's database.

Please let me know the reason for the above indication. I hope that the trouble with spamcop's indication will be corrected.

Wazoo Posted November 20, 2006

Please provide a Tracking URL for one of these parse result pages. The 'context' of the data really needs to be seen for any 'good' response. One of the 'perqs' of a "paid" membership is that one can 'challenge' issues like this .....

Just looking at 5596.cc;

11/20/06 02:25:26 Slow traceroute 5596.cc
Trace 5596.cc (61.44.36.195) ...

If identified by IP address, reports would have gone to;

Cached whois for 61.44.36.195 : opinion[at]freebit.net
Using best contacts abuse[at]freebit.net

However, ....

host 61.44.36.195 = 195.36.44.61.ap.yournet.ne.jp
No recent reports, no history available

http://www.dnsreport.com/tools/dnsreport.ch?domain=5596.cc shows some issues with the registration/DNS data for this Domain ... could be intentional ....

http://mailsc.spamcop.net/sc?track=someone%405596.cc seems to show the (possibly) same data you are asking about ...

Parsing input: someone[at]5596.cc
cannot find an mx for 5596.cc
Host 5596.cc (checking ip) = 61.44.36.195
host 61.44.36.195 = 195.36.44.61.ap.yournet.ne.jp (cached)
chopping username "someone[at]" from URL: http://5596.cc/
Host 5596.cc (checking ip) = 61.44.36.195
host 61.44.36.195 = 195.36.44.61.ap.yournet.ne.jp (cached)
[report history]
ISP believes this issue is resolved http://5596.cc/
ISP believes this issue is resolved: http://5596.cc/ - no date available
Routing details for 61.44.36.195
Cached whois for 61.44.36.195 : opinion[at]freebit.net
Using best contacts abuse[at]freebit.net

But note the same abuse address ...

http://www.dnsstuff.com/tools/whois.ch?ip=...ff&email=on

Domain Name: 5596.cc
Created On: 2005-08-11 20:44:45.0
Last Updated On: 2005-08-11 21:51:14.0
Expiration Date: 2007-08-11 11:47:30.0
Status: ACTIVE
Registrant Name: naotaro inose
Registrant Organization: naotaro inose
Registrant Street1: 4-5-14 nakaizumi
Registrant Street2:
Registrant City: komae-shi
Registrant State: tokyo
Registrant Postal Code: 201-0014
Registrant Country: JP
Registrant Phone: 03-5497-5777
Registrant Fax: None
Registrant Email: ino_naotaro[at]yahoo.co.jp
Admin Name: inose naotaro
Admin Organization: naotaro inose
Admin Street1: 4-5-14 nakaizumi
Admin Street2:
Admin City: komae-shi
Admin State: Tokyo
Admin Postal Code: 201-0014
Admin Country: JP
Admin Phone: 03-5497-5777
Admin Fax: None
Admin Email: ino_naotaro[at]yahoo.co.jp
Name Server: dynamic1.v01.jp
Name Server: dynamic2.v01.jp

The parser would normally try to come up with an address other than a Yahoo address for reporting .. so I'm back to wanting to see one of your Tracking URLs to show how this bit of data was actually submitted/handled.

From: "WazoO"
To: deputies
Subject: 5596.cc - ISP has already taken action
Date: Mon, 20 Nov 2006 02:59:21 -0600

http://forum.spamcop.net/forums/index.php?showtopic=7527

other Domains in the query; 5596.jp kiss093.in
No reports available, yet ....

ISP believes this issue is resolved http://5596.cc/
ISP believes this issue is resolved: http://5596.cc/ - no date available

Expanded on by user's comments;
//However, when I asked the ISP about this matter directly, the ISP said "We did not have any contact with spamcop. We have no information about the indication of the spamcop."//

Can you provide a better answer than I offered?

KO132 (Author) Posted December 3, 2006

I'm sorry for the insufficient report.

The above phenomenon once improved, right after Nov 20 2006 (for both "5596.cc" and "kiss093.in"). But now the same trouble has occurred again:

Tracking link: http://kiss093.in/?wa10us22
[report history]
ISP believes this issue is resolved http://kiss093.in/?wa10us22
Resolves to 219.97.27.192
Routing details for 219.97.27.192
[refresh/show] Cached whois for 219.97.27.192 : k-nakaniwa[at]web.ad.jp kjmtkhr[at]web.ad.jp
Using last resort contacts k-nakaniwa[at]web.ad.jp kjmtkhr[at]web.ad.jp
ISP has already taken action against the account: http://kiss093.in/?wa10us22

"kiss093.in" appears to have changed ISP recently. The above ISP "web.ad.jp" is exactly the ISP which I mentioned in my previous post (Nov 20 2006).

KO132 (Author) Posted December 4, 2006

Sorry. Here's the tracking URL: http://www.spamcop.net/sc?id=z1153556688z5...b98822c6b05d96z

KO132 (Author) Posted January 15, 2007

The same trouble occurs.

http://www.spamcop.net/sc?id=z1193381521z6...e5256dd0bd4a75z

------------------------------------------------------------------------------
ISP believes this issue is resolved http://miki-boku.jp/?oa12ex03
Resolves to 219.97.27.192
Routing details for 219.97.27.192
[refresh/show] Cached whois for 219.97.27.192 : k-nakaniwa[at]web.ad.jp kjmtkhr[at]web.ad.jp
Using last resort contacts k-nakaniwa[at]web.ad.jp kjmtkhr[at]web.ad.jp
ISP has already taken action against the account: http://miki-boku.jp/?oa12ex03
------------------------------------------------------------------------------

This time, the spamvertised site URL is "http://miki-boku.jp/", and the name servers are "dynamic1.v01.jp" and "dynamic2.v01.jp", the same as 5596.jp.

------------------------------------------------------------------------------
miki-boku.jp
Registrant: Kohei Nakamura
First Registered: July 06, 2006
Last Updated: July 28, 2006
Administrative Contact: VALUE-DOMAIN.COM (info[at]value-domain.com)
Phone: 06-6241-6585
Fax: 06-6241-6586
Name Servers: dynamic1.v01.jp dynamic2.v01.jp
------------------------------------------------------------------------------

StevenUnderwood Posted January 15, 2007

ISP has already taken action against the account: http://miki-boku.jp/?oa12ex03

Please remember that it is up to the ISP's discretion what "action" should be taken. You and I may believe the site should be taken down, but it is not our decision to make. It is possible a simple warning was sent to their contact.

That line (ISP has already taken action against the account) is a canned response provided by SpamCop as one of the options in reply to a report.

KO132 (Author) Posted January 16, 2007

I know that it is up to the ISP's discretion what "action" should be taken. However, the problem is that the message appears even though the ISP did not have any contact with spamcop, as I wrote in the first post, Nov 20 2006, 02:09 AM.

Plural ISPs answered like this: We did not contact with Spamcop. We do not know why spamcop says "ISP has already taken action against the account".

On the other hand, this kind of trouble occurs for the spamvertised sites

miki-boku.jp
5596.cc
5596.jp
kiss093.in

and all those sites above use the identical name servers:

DYNAMIC1.V01.JP
DYNAMIC2.V01.JP

which implies that those are the same spammer's sites. I am afraid that the message "ISP has already..." for those sites is not a valid message but is shown by the spammer's trick.

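Added example (not part of the original thread, and not SpamCop's code): the name-server comparison KO132 describes, run over WHOIS text in the two layouts quoted in the thread. The name servers for 5596.cc and miki-boku.jp are the ones quoted above; the records for 5596.jp and kiss093.in and the control domain example.test are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input. The 5596.cc and miki-boku.jp name servers are those
# quoted in the thread; the 5596.jp and kiss093.in records are constructed from
# the poster's statement that they use the same servers, and example.test is an
# unrelated control record.
SAMPLE_WHOIS = {
    "5596.cc": """Domain Name: 5596.cc
Status: ACTIVE
Name Server: dynamic1.v01.jp
Name Server: dynamic2.v01.jp""",
    "miki-boku.jp": """miki-boku.jp
Name Servers: dynamic1.v01.jp dynamic2.v01.jp""",
    "5596.jp": "Name Server: DYNAMIC1.V01.JP\nName Server: DYNAMIC2.V01.JP",
    "kiss093.in": "Name Servers: dynamic2.v01.jp dynamic1.v01.jp",
    "example.test": "Name Server: ns1.example.net\nName Server: ns2.example.net",
}

# Matches both "Name Server: host" (one per line) and "Name Servers: a b".
NS_LINE = re.compile(r"^\s*name\s*servers?\s*:\s*(.+)$", re.IGNORECASE | re.MULTILINE)


def name_servers(whois_text):
    """Return the normalised (lower-cased) set of name servers in one record."""
    found = set()
    for match in NS_LINE.finditer(whois_text):
        for host in match.group(1).split():
            found.add(host.strip(".,").lower())
    return frozenset(found)


def cluster_by_name_servers(records):
    """Group domains whose records list exactly the same name-server set."""
    groups = defaultdict(list)
    for domain, text in records.items():
        servers = name_servers(text)
        if servers:  # a record with no name servers cannot be correlated
            groups[servers].append(domain)
    # Only sets shared by more than one domain are worth reporting.
    return {ns: sorted(doms) for ns, doms in groups.items() if len(doms) > 1}


if __name__ == "__main__":
    for servers, domains in cluster_by_name_servers(SAMPLE_WHOIS).items():
        print(", ".join(sorted(servers)), "->", ", ".join(domains))
```

A shared name-server set is a lead rather than proof of common ownership, because a DNS hosting provider's servers are used by many unrelated customers.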
Miss Betsy Posted January 16, 2007

Since spammers lie, I wouldn't rely on the word of the ISP that an action at spamcop was not taken. Chasing down websites seems futile to me as well as the fact that I don't perfectly understand the structure of websites and IP addresses and hosts.

There is a newsgroup (and I don't know how active it is anymore) where you can present evidence of this sort for the deputies. spamcop.routing or you could email the deputies directly.

IIUC, though, no matter what the name servers are, the reports probably will not go there because the websites are not there, but probably moved around on other hosting sites. I don't know if spamvertised sites that have the tag 'ISP has resolved..' are picked up by the list that uses spamvertised sites for blocking, but IMHO, if I were running the list, unless the website owner proved that the website was entirely innocent, once on the list, it wouldn't come off no matter what spamcop did.

Since spamcop doesn't 'do' anything except send reports and feed any list that uses spamvertised websites for blocking with spamvertised sites, IMHO, it doesn't matter much whether the parser does, or does not, send the report if it is a known spammer site. Obviously, the spammer either has an agreement with the hosts or knows how to evade shutdowns and still operate. Since sometimes spamcop comments don't mean exactly what they say, it may be that that is what the comment means or that what the parser can find is not the correct address for reports. Naturally the incorrect address would not want the reports.

IMHO, since spamcop isn't primarily concerned with getting websites shut down, the best thing to do if you are interested is to send manual reports to those ISPs you think are responsible and would do something.

Somebody who knows more may come along and 'correct' my post, but all of us are guessing at why unless the post comes from SpamCop Admin who, sometimes, also reads the forum.

Miss Betsy

KO132 (Author) Posted January 17, 2007

Well, I believe that the ISP I mentioned is not a partner of the spammer. That ISP (Nifty) is a major ISP managed by a major electronics company. However, Nifty has a tendency to leave complaints against spamvertised sites alone unless the number of complaints becomes considerable.

Actually I sent spam reports manually to the corresponding ISP. So, as far as I am concerned, the message "ISP has already..." is not a great matter. However, a lot of reports by spamcop users are not sent to the ISP. I think that spamcop reports have a role in prompting the ISP to take some action, even if the action is simply sending a warning to the spamvertised sites.

If the indication of "ISP has already..." is not caused by a spammer's trick but is simply based on the ISP's response, there is no problem. However, as far as I could learn from asking the ISP, it seems that the message is not based on the ISP's response.

dra007 Posted January 17, 2007

However, the other point Mz B was making is that few of us even care about reporting spamadvertized content and only quick report.. with the amount of spam increasing to the extent it did lately and slowdowns in parsing, we just don't have the time. If I were to guess, less than 10% of total reporting by SC members even touch on this issue, so it will never reach a critical mass.

Miss Betsy Posted January 17, 2007

Well, I believe that the ISP I mentioned is not a partner of the spammer. That ISP (Nifty) is a major ISP managed by a major company of electronics. However, Nifty have a tendency to leave the complaints against spamvertised sites unless the number of complaints become considerable extent. <snip> If the indication of "ISP has already..." is not caused by a spammers trick but simply based on the ISP's response, there is no problem. However as far as I asked ISP, it seems that the message is not based on the ISP's response.

I don't know how the comment got there and if you think that Nifty would do something based on spamcop complaints and would not object to receiving them, then you should email the deputies with the information. The email address is deputies at admin.spamcop.net. When you do, be sure that your initial post includes a tracking url and a clear description of the problem. They get a lot of email and if they have the information, they can answer it quickly.

As I said, understanding about who is actually hosting a website gives me a headache, but it looked to me as though the website was being hosted by a number of different people, not just one. If Nifty is where the nameservers are, but not the website, Nifty may not be able to do anything. A long time ago, I found a website hosted by GoDaddy that belonged to a known spammer. GoDaddy knew it, but couldn't do anything because somehow it was not directly related to spam.

It may be that when Nifty was unresponsive, the reports started going to the upstream and they discovered that nothing could be done so they put the comment there.

However, OTOH, spamcop's purpose is not primarily to report websites and so may change the comment if you can show that it should be changed to their satisfaction while if it is not brought to their attention, will not do anything.

Miss Betsy