Double link trick and multiple IPs


99clunk

Almost clever this one. (Given that I'm still learning it may not seem almost clever to anyone else...)

The spam for 'OEM software' contained the link:

masterhostfatal.info

Lookup gives:

; <<>> DiG 9.2.2 <<>> masterhostfatal.info a

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39487

;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;masterhostfatal.info. IN A

;; ANSWER SECTION:

masterhostfatal.info. 180 IN A 64.110.224.168

masterhostfatal.info. 180 IN A 69.232.236.43

masterhostfatal.info. 180 IN A 70.225.182.52

masterhostfatal.info. 180 IN A 70.237.116.152

masterhostfatal.info. 180 IN A 69.213.205.186

OK, I have to make several reports to cover the IP range, spread over a range of different reporting addresses. I'm going to try to find out how they set up this spread of multiple IPs, but if anyone wants to chip in in the meantime. My guess is that they just duplicate the A records, substituting new IP addresses. I haven't a clue, I'm new to this and don't mind saying so, never having set up a web server.

The page residing at masterhostfatal.info contains a manual link to www.yoroem.com, the site where they really want the traffic.

As a means of frustrating default reporting via Spamcop, it seems to be a new twist, as a bit more work is required over the default automatic report generation I used to always use. So be it - I'll take the challenge.

[Moderator edit - links broken. I note re the yoroem one, linkscanner initially said it received a suspicious request and refused to have anything to do with that url. That behavior has changed with repeated scans but I wouldn't touch it with a bargepole. Farelf]

If you want to really confuse yourself, dig a few more times. I'm willing to bet you get a different list of IP addresses each time.

This is a case where the spammer is most likely running their own DNS for their domain.

The site itself is most likely "hosted" by a number of trojanned computers all over the internet without their owners knowledge. The DNS simply picks a group of these to return in the hopes that one of them is working.

Reporting the website to the owners of those IPs is going to have an effect similar to banging your head against a brick wall repeatedly. Little effect on the wall, but you're going to have one hell of a headache.

My recommendation would be to report the domain name to the registrar, along with all the evidence you can put together. Making sure to note that most of the IPs involved resolve to dynamic IPs in DSL and cable pools. You might also try to figure out where the nameservers live and report those to their IP owners, though I'd put my money on "bulletproof" hosting somewhere on those.

I have been using this method for manual reporting of spamvertised links, but I am not sure it is the best (or correct) way, since, as mentioned, some hosts seem to resolve to different IPs through DNS poisoning or however they are doing that. It seems like SC falls victim to this trick occasionally too, so I don't know the best way to determine what the domain or hostname is resolving into.

But, this is the method I use. I've included screenshots, so let me know if I'm going about this in the right or wrong way.

If I submit a spam through the reporting system manually, it will sometimes resolve URLs embedded in the email, sometimes not. When it doesn't, I will normally try and look it up myself and forward a message to the owner of the IP block for review. Below is step-by-step how I go about doing it.

Firstly, after reporting, if a URL doesn't resolve, I will attempt to access it in my browser to see if it is live or dead. If the site is dead, it will come back telling me the page doesn't resolve most of the time. If it times out, I also do not report it. If the page does open, I go over to www.DNSStuff.com and begin the lookup process.

Here is an example of an email that contained a URL that didn't resolve.

SC Report - plain text of email

Resolving link obfuscation

http://advizehint.com/

Host advizehint.com (checking ip) IP not found ; advizehint.com discarded as fake.

Tracking link: http://advizehint.com/

[report history]

Cannot resolve http://advizehint.com/

However, when you access the site in your browser, it pulls up a pharmacy site.

[screenshot: advizehint.com opening as a pharmacy site]

So, I hop over to DNSStuff and ping the site, which gives me the IP address in turn. I am not sure this is the best way to lookup an IP address. DNSStuff has another function to lookup DNS records for the site, including ALL. When you search using this method, you get multiple IP addresses returned, some of them in the bogus (192.x.x.x) range.

[screenshot: DNSStuff DNS lookup for advizehint.com]

So, instead, I use the ping function which gives me back a valid IP that I can then lookup. If DNSStuff won't resolve the site to ping it, I ping it myself from the DOS prompt.

DNSStuff Ping:

[screenshot: DNSStuff ping result]

DOS Ping:

[screenshot: DOS ping result]

After that, I plug the IP into the IPWHOIS field on DNSStuff and it comes back with the ARIN records for the IP. I have to click to show the email addresses, so I can find the abuse contact to report the site to.

[screenshot: DNSStuff IPWHOIS result]

Then, I use a prewritten message that I've created to indicate to the abuse contact why they are receiving this email. I only use this on manual domain lookups and reporting.

Hello, you are listed as the IP block owner for the domain (insert domain name here) referenced in this UCE spam. This was determined through IPWHOIS lookup from ARIN. Could you please look into this matter and ensure it is not violating your acceptable use policy and/or terms of service and take the appropriate action against the offender. This email was sent unsolicited and I did not opt-in to receive this message. If you are not in charge of this domain, please forward this email to the proper party or disregard it. Thank you.

So, what are the thoughts on this method? Is the NOC a good place to report, or should you report to the registrar? Also, how do you determine the registrar? When you perform a WHOIS query on a domain, sometimes it will show the technical admin, and sometimes it will just show the nameservers. Would the abuse contacts at the nameservers be an appropriate place to report URLs?

Thanks for any input.
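The rotating answer set and short TTL described in the replies above, and the 192.x.x.x "bogus" records from the lookup walkthrough, can be checked mechanically. Here is an added Python example (not from the thread, SpamCop or DNSStuff) that parses dig answer lines from successive lookups and scores them for churn, low TTL and non-routable addresses; the first snapshot is the dig output quoted at the top of the thread, the second is constructed.

```python
import ipaddress
import re
# Snapshot 1 reproduces the A records quoted at the top of the thread.
# Snapshot 2 is constructed: one address kept, the two nameserver IPs
# quoted later in the thread, and a private 192.168.x.x address.
DIG_SNAPSHOTS = [
    """masterhostfatal.info. 180 IN A 64.110.224.168
masterhostfatal.info. 180 IN A 69.232.236.43
masterhostfatal.info. 180 IN A 70.225.182.52
masterhostfatal.info. 180 IN A 70.237.116.152
masterhostfatal.info. 180 IN A 69.213.205.186""",
    """masterhostfatal.info. 180 IN A 64.110.224.168
masterhostfatal.info. 180 IN A 75.68.89.66
masterhostfatal.info. 180 IN A 75.84.65.110
masterhostfatal.info. 180 IN A 192.168.1.5""",
]

# One dig answer line: owner name, TTL, class IN, type A, IPv4 address.
A_RECORD = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")

def parse_a_records(dig_text):
    """Return [(ttl, ip), ...] from dig output; non-answer lines are skipped."""
    records = []
    for line in dig_text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3)))
    return records

def assess(snapshots, low_ttl=300):
    """Score repeated lookups for the rotation pattern described in the thread."""
    per_query = [{ip for _, ip in parse_a_records(s)} for s in snapshots]
    ttls = {ttl for s in snapshots for ttl, _ in parse_a_records(s)}
    seen = set().union(*per_query)
    stable = set.intersection(*per_query) if per_query else set()
    # Non-global (private/loopback/documentation) addresses cannot host a public site.
    unroutable = {ip for ip in seen if not ipaddress.ip_address(ip).is_global}
    churned = len(seen) - len(stable)
    min_ttl = min(ttls) if ttls else None
    short_ttl = min_ttl is not None and min_ttl <= low_ttl
    return {
        "distinct_ips": len(seen),
        "stable_ips": sorted(stable),
        "churned_ips": churned,
        "min_ttl": min_ttl,
        "low_ttl": short_ttl,
        "unroutable": sorted(unroutable),
        "looks_rotating": churned > 0 and short_ttl,  # fast-flux signature
    }
```

Feed it the answer sections of several dig runs spaced a few minutes apart; a growing "distinct_ips" with few "stable_ips" tells you the IP owners are not the useful reporting target.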

After that, I plug the IP into the IPWHOIS field on DNSStuff and it comes back with the ARIN records for the IP. I have to click to show the email addresses, so I can find the abuse contact to report the site to.

I guess we all develop our favorite strategies and shortcuts. I followed your regime and it does get about the same results. I have gotten used to using:

http://www.completewhois.com/whois.htm

You can decide for yourself if the format might save you some steps.

You can click on "Include abuse contact data" as you submit your initial search and they appear at the bottom of the page. CWI can be slow sometimes; esp. if you want the abuse contact info, but you'll see how it works over time if you decide to try it.

Almost clever this one. (Given that I'm still learning it may not seem almost clever to anyone else...)

Welcome to the world of the 'bog-standard' botnet... :)

http://www.dnsstuff.com/tools/traversal.ch...info&type=A

It was down when I first tried it, but now it's back up again..... Note the rotating list of compromised machines. The nameserver domain, (updpit.org - Tucows), is certainly also owned by the crooks involved as it was only registered on Nov. 6th.

You can file an evidential report demonstrating the use of a botnet with Tucows for both the main domain and the nameserver domain, but they don't stick in my mind for being responsive.

Then there's the two nameserver host IPs:

ns1.updpit.org [75.68.89.66]

ns2.updpit.org [75.84.65.110]

Comcast & Roadrunner - the dynamic, (more like satanic....), duo...... :D

A lot depends on how you report them - the registrars especially are not generally interested in spam, (even though they may have lots of fine words in their AUP about how responsible they are and how they deal with spam....), but if you can demonstrate criminal activity and false whois data, (as it always is), some registrars are very responsive and others are still totally not interested. Guess which the crooks generally choose....

Useful and informative. Thanks. I'll keep biting in small chunks, digesting and ruminating, and with luck I'll get to understand it all soon. It's working so far as a strategy...

Just noting that there is a How to use ... Research Tools Forum section put into places ages ago .....

and of course, there's the current Wiki that awaits further population ....

These now make much more sense. Thanks Wazoo.

Just noting that there is a How to use ... Research Tools Forum section put into places ages ago .....

and of course, there's the current Wiki that awaits further population ....

One of the reasons I posted the thread above was that it might be helpful if included in the Wiki, but I wanted to see if the way I was going about the IP lookup was in keeping with the "standard" way of doing it, or if there was a different or preferred way.

... One of the reasons I posted the thread above was that it might be helpful if included in the Wiki, but I wanted to see if the way I was going about the IP lookup was in keeping with the "standard" way of doing it, or if there was a different or preferred way.

Thanks jongrose. I don't think there's a standard way of doing it - different tools might produce slightly different results at different times, might be offline/overloaded at different times and so on. For instance pinging doesn't work in that example at the moment but completewhois finds results while noting

Status:SUSPENDED
Note: This Domain Name is Suspended. In this status the domain name is
InActive and will not function.

(Somebody did us all a favor! But one fears, like Arnold and Doug MacArthur, they will be back/return.) As to whether helpful for the Wiki - you bet, do you want to add it? No-one should hesitate if they have a contribution, the nature of the medium being one of continual review and refinement, no need to hold back the first attempt at an entry (or a subsequent edit) through any doubt about adequacy or worthiness.
Thanks to all who replied and enlightened me - some of the replies will have taken a bit of time to put together - appreciated. I now feel like the proverbial kid locked in the candy store. :)

Here's another highly despicable fraudster you may find interesting that has been spamming me a lot recently & I've been hitting on all morning:

savechilds.net

http://www.dnsstuff.com/tools/traversal.ch....net&type=A

The site purports to be a children's charity soliciting for donations, but the registrar whois data & method of spamming indicate he's just the usual rather nasty fraudster after your money, bank account details & credit card details.

It seems the practice now for even the nameserver host IPs to be compromised machines as everything is rotating every time the DNS traversal is viewed. It's pretty well impossible to nail these crooks unless the registrars take immediate action and it indicates the necessity of some control over or standardisation of registrar policy if the problem is to be addressed.

No response yet from either the main site registrar, (BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN) or the nameserver domain registrar, (MONIKER ONLINE SERVICES, INC.), but then the crooks don't choose responsible registrars....

The site purports to be a children's charity soliciting for donations, but the registrar whois data & method of spamming indicate he's just the usual rather nasty fraudster after your money, bank account details & credit card details.

How did you determine that they are a fraudulent charity? If they are using phishing tactics, you could report them to phishtank, but that is a tough call, it looks legit to me, but I would have no idea.

How did you determine that they are a fraudulent charity? If they are using phishing tactics, you could report them to phishtank, but that is a tough call, it looks legit to me, but I would have no idea.

Unfortunately they all look legit, e.g:

icslt.net

vikfn.biz

norden.hk

I use many indicators to form an opinion of a site, (no guarantees of course!).

1) What it says on the site and how that correlates with the registrar whois data i.e. this operation claims to have been in operation for many years, but the site was only registered recently

2) The registrar whois data itself - does it look legit? (Some crooks make little effort to even make it look legit). This site's whois data definitely doesn't look legit.

3) Is he a spammer? Yes - more than 10 a day to me on multiple addresses. (Image spam too...)

4) Is he using a legitimate network? No - he's using exactly the same sort of zombie botnet all the other crooks listed above are.

5) Nameserver host - is it a legitimate looking long-term registration? No - it was only registered a couple of weeks ago.

6) Google is your friend - there is information already in the public domain on savechilds.net which confirms my own research.

The above is just some of the information I use to form an opinion of whether a site is legit or not, but at the end of the day, if it looks like a duck, if it quacks like a duck, if it waddles like a duck, etc.....

There is not a shred of doubt in my mind that savechilds.net is a particularly despicable fraud. The original nameserver host agreed with me and took it down but it was soon back up on his own nameserver.
