99clunk
Posted December 6, 2006

Almost clever this one. (Given that I'm still learning it may not seem almost clever to anyone else...)

The spam for 'OEM software' contained the link: masterhostfatal.info

Lookup gives:

; <<>> DiG 9.2.2 <<>> masterhostfatal.info a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39487
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;masterhostfatal.info. IN A
;; ANSWER SECTION:
masterhostfatal.info. 180 IN A 184.108.40.206
masterhostfatal.info. 180 IN A 220.127.116.11
masterhostfatal.info. 180 IN A 18.104.22.168
masterhostfatal.info. 180 IN A 22.214.171.124
masterhostfatal.info. 180 IN A 126.96.36.199

OK, I have to make several reports to cover the IP range, spread over a range of different reporting addresses.

I'm going to try to find out how they set up this spread of multiple IPs, but if anyone wants to chip in in the meantime. My guess is that they just duplicate the A records, substituting new IP addresses. I haven't a clue, I'm new to this and don't mind saying so, never having set up a web server.

The page residing at masterhostfatal.info contains a manual link to www.yoroem.com, the site where they really want the traffic.

As a means of frustrating default reporting via Spamcop, it seems to be a new twist, as a bit more work is required over the default automatic report generation I used to always use. So be it - I'll take the challenge.

[Moderator edit - links broken. I note re the yoroem one, linkscanner initially said it received a suspicious request and refused to have anything to do with that url. That behavior has changed with repeated scans but I wouldn't touch it with a bargepole. Farelf]
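The lookup in the post above returns five A records with a 180-second TTL for a single name. As an added example (not part of the original post), this Python code parses a dig answer section and groups the addresses by network, so each hosting range can be reported to its own abuse contact. The sample output, the /24 grouping and the 300-second threshold are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in dig's answer-section layout; the name and the
# addresses (RFC 2606 / RFC 5737 documentation ranges) are placeholders.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;spamvertised.example. IN A
;; ANSWER SECTION:
spamvertised.example. 180 IN A 192.0.2.10
spamvertised.example. 180 IN A 192.0.2.77
spamvertised.example. 180 IN A 198.51.100.23
spamvertised.example. 180 IN A 203.0.113.5
spamvertised.example. 180 IN A 203.0.113.200
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s*$")

def parse_a_records(dig_text):
    """Return (name, ttl, address) for each A record in the answer section."""
    records, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";;"):  # section headers switch parsing on or off
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = RR_LINE.match(line) if in_answer else None
        if m:
            try:
                addr = ipaddress.IPv4Address(m.group(3))
            except ValueError:
                continue  # skip a malformed address rather than abort
            records.append((m.group(1).rstrip(".").lower(), int(m.group(2)), addr))
    return records

def summarize(records, prefix_len=24, short_ttl=300):
    """Group by network; prefix_len and short_ttl are illustrative thresholds."""
    by_net = defaultdict(list)
    for _name, _ttl, addr in records:
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        by_net[str(net)].append(str(addr))
    min_ttl = min((ttl for _n, ttl, _a in records), default=None)
    return {
        "addresses": len(records),
        "networks": dict(by_net),  # one entry per range that needs a report
        "min_ttl": min_ttl,
        "rotating": len(by_net) > 1 and min_ttl is not None and min_ttl < short_ttl,
    }
```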
This topic is now archived and is closed to further replies.