DNS entries missing?


Noia

It's kinda weird - I never had issues with Spamcop, and I reported God-knows-how-much by now - but a certain type of spam I receive a LOT of every day, refer to a site called xxxxx.info with the xxxxx being something nonsensical (changes every mail) - ALL of those point to the same IP owned by MTCO, but for some obscure reason spamcop tells me it can't resolve the IP of the xxxxx.info-addresses even though I have absolutely no problems grabbing the info from ping, tracert, pathping, online NS databases, etc.

I looked this up in previous posts where people were referring to long NS resolving, which is fair enough - but a tracert shows 135 ms lookup time, which shouldn't be over the top.

Tracing route to bineyyr.info [207.179.200.70]
over a maximum of 30 hops:

 1 <1 ms <1 ms Internal
 2 1 ms 1 ms Internal
 3 2 ms 3 ms Internal
 4 2 ms 2 ms Internal
 5 105 ms 106 ms External but belonging to Internal company
 6 106 ms 107 ms 106 ms 12.126.124.85
 7 128 ms 128 ms 131 ms tbr1-p014001.n54ny.ip.att.net [12.123.3.1]
 8 126 ms 126 ms 127 ms tbr1-cl14.cgcil.ip.att.net [12.122.10.2]
 9 127 ms 126 ms 127 ms 12.122.99.13
10 129 ms 129 ms 130 ms 12.116.74.6
11 129 ms 129 ms 128 ms noc-cisco2-gig-0-2.mtco.com [207.179.237.194]
12 131 ms 131 ms 132 ms northcisco-ser-1-0.mtco.com [207.179.250.230]
13 131 ms 131 ms 131 ms northcisco2-gig-1-0.mtco.com [207.179.251.158]
14 130 ms 131 ms 131 ms 03434a-ds3-mtco.mtco.com [207.179.252.126]
15 133 ms 132 ms 135 ms 03434b-ds3-5.mtco.com [207.179.200.70]

I'm getting more than 15 mails a day, all of which refer to various .info addresses, belonging to that IP-address, so something should be done - they even maintain the same basic subject-line template, so they're easily recognizable - but Spamcop can't resolve it. I've sent a mail from a temporary owned address to the hostmaster and abuse department of MTCO to hear what they say, but other than that I'm a bit in the dark to be quite honest. So far Spamcop has sent the reports all over, lastly to Brazil - but as long as the site isn't resolved, it won't be part of the statistics.

I haven't read through the other posts nearly enough admittedly, but don't have much time at present (and no, this post only took a couple of minutes to write, I'm a speedtyper :-P) But... what to do?

Kudos

~Chris


Hi, ~Chris!

<snip>

Spamcop can't resolve it. I've sent a mail from a temporary owned address to the hostmaster and abuse department of MTCO to hear what they say, but other than that I'm a bit in the dark to be quite honest. So far Spamcop has sent the reports all over, lastly to Brazil - but as long as the site isn't resolved, it won't be part of the statistics.

I haven't read through the other posts nearly enough admittedly, but don't have much time at present (and no, this post only took a couple of minutes to write, I'm a speedtyper :-P) But... what to do?

...Please provide a Tracking URL so we can see what happened. It's hard to know without the context.

...If what you are referring to is a spamvertised URL, don't worry about SpamCop not being able to resolve it. Reporting spamvertised web sites is a secondary (maybe even lower) function of the SpamCop parser and such web site addresses do not feed the statistics. Reporting them manually, as you are doing, is fine.


I looked this up in previous posts where people were referring to long NS resolving, which is fair enough - but a tracert shows 135 ms lookup time, which shouldn't be over the top.

Tracert is not the same as nslookup. From DNSreport.com

http://www.dnsreport.com/tools/dnsreport.c...in=bineyyr.info

From DNSstuff.com

Searching for bineyyr.info A record at f.root-servers.net Got referral to A9.INFO.AFILIAS-NST.info. [took 58 ms]

Searching for bineyyr.info A record at A9.INFO.AFILIAS-NST.info. Got referral to ns2.pointprinter.com. [took 5 ms]

[Had to look up A record for ns2.pointprinter.com.; assume 200ms]

Searching for bineyyr.info A record at ns2.pointprinter.com. Timed out. Trying again.

Searching for bineyyr.info A record at ns1.shoegrape.info. Timed out. Trying again.

Searching for bineyyr.info A record at ns1.shoegrape.info. Timed out. Trying again.

Searching for bineyyr.info A record at ns2.pointprinter.com. Timed out. Trying again.

Searching for bineyyr.info A record at ns2.pointprinter.com. Timed out. Trying again.

Searching for bineyyr.info A record at ns2.pointprinter.com. Timed out. Trying again.

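Added example, not part of the original thread: a small parser for the DNSstuff trace lines quoted in the post above, tallying which servers gave a referral and which only timed out. The function names are this example's own; the trace text is copied from the post.

```python
import re
from collections import defaultdict

# Trace lines copied from the DNSstuff output quoted in the post above.
TRACE = """\
Searching for bineyyr.info A record at f.root-servers.net Got referral to A9.INFO.AFILIAS-NST.info. [took 58 ms]
Searching for bineyyr.info A record at A9.INFO.AFILIAS-NST.info. Got referral to ns2.pointprinter.com. [took 5 ms]
[Had to look up A record for ns2.pointprinter.com.; assume 200ms]
Searching for bineyyr.info A record at ns2.pointprinter.com. Timed out. Trying again.
Searching for bineyyr.info A record at ns1.shoegrape.info. Timed out. Trying again.
Searching for bineyyr.info A record at ns1.shoegrape.info. Timed out. Trying again.
Searching for bineyyr.info A record at ns2.pointprinter.com. Timed out. Trying again.
Searching for bineyyr.info A record at ns2.pointprinter.com. Timed out. Trying again.
Searching for bineyyr.info A record at ns2.pointprinter.com. Timed out. Trying again.
"""

# One resolution step: the server asked, then either a referral or a timeout.
STEP = re.compile(
    r"Searching for (?P<name>\S+) (?P<rtype>\S+) record at (?P<server>\S+?)\.? "
    r"(?:Got referral to (?P<referral>\S+?)\.? \[took (?P<ms>\d+) ms\]"
    r"|(?P<timeout>Timed out)\.)"
)

def tally(trace):
    """Count referrals and timeouts per queried server (names lower-cased)."""
    stats = defaultdict(lambda: {"referrals": 0, "timeouts": 0})
    for line in trace.splitlines():
        m = STEP.match(line)
        if m is None:
            continue  # bracketed notes (the A-record lookup line) are not steps
        key = "timeouts" if m["timeout"] else "referrals"
        stats[m["server"].lower()][key] += 1
    return dict(stats)

def silent_servers(trace):
    """Servers that were queried but only ever timed out."""
    return sorted(s for s, c in tally(trace).items()
                  if c["timeouts"] and not c["referrals"])

def verdict(trace):
    """Summarise where the walk stopped getting replies."""
    silent = silent_servers(trace)
    if not silent:
        return "all queried servers responded"
    answered = len(tally(trace)) - len(silent)
    return (f"{answered} server(s) gave referrals; "
            f"{len(silent)} server(s) never replied: {', '.join(silent)}")

if __name__ == "__main__":
    print(verdict(TRACE))
```
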

http://www.spamcop.net/mcgi?action=gettrac...rtid=2073460900 is an example - it's not the bineyyr.info one, but it yields the same responses, from enoughdrive.info

And yes, you're right - the nslookup gives an odd response. However mine yields a

Server: dns1.cybercity.dk
Address: 212.242.40.3

DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: bineyyr.info
Address: 207.179.200.70

----------

another from a different nameserver

Server: dns2.cybercity.dk
Served by:
- ns1.cybercity.dk
  212.242.41.248
  cybercity.dk
- ns2.cybercity.dk
  212.242.41.249
  cybercity.dk

Name: bineyyr.info
Served by:
- A9.INFO.AFILIAS-NST.info
  204.74.112.33
  info
- B9.INFO.AFILIAS-NST.ORG
  204.74.113.33
  info
- C9.INFO.AFILIAS-NST.info
  199.7.66.33
  info
- D9.INFO.AFILIAS-NST.ORG
  199.7.67.33
  info
- E9.INFO.AFILIAS-NST.info
  192.100.59.33
  info
- F9.INFO.AFILIAS-NST.ORG
  198.133.199.33
  info

----------

and an nslookup from a different ISP only has one response

Server: ns.tele.dk
Address: 193.162.159.194

Name: bineyyr.info
Served by:
- C9.INFO.AFILIAS-NST.info
  199.7.66.33
  info
- D9.INFO.AFILIAS-NST.ORG
  199.7.67.33
  info
- E9.INFO.AFILIAS-NST.info
  192.100.59.33
  info
- F9.INFO.AFILIAS-NST.ORG
  198.133.199.33
  info
- A9.INFO.AFILIAS-NST.info
  204.74.112.33
  info
- B9.INFO.AFILIAS-NST.ORG
  204.74.113.33
  info

---

My knowledge of DNS inner workings is a bit limited to say what's going on there to be quite honest. Not exactly my usual field of expertise ;-)


And a try a few minutes later using http://www.dnsreport.com/tools/dnsreport.c...in=bineyyr.info results in a basic total failure;

A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. I can't continue since your nameservers aren't responding.

Basically, spammy behaviour in setting up and using DNS records ... from your description and previous results, it's an easy assumption that this is yet another spammer using zombied computers to provide all these "services" ...


Hi, Noia!...But one that's only visible to you. Please see http://forum.spamcop.net/forums/index.php?...ost&p=30058. Thanks!

Sorry mate, was a bit in a hurry, and didn't think straight:

http://www.spamcop.net/sc?id=z1173008582z0...2240b0fb1346e4z

And yes, it seems you're right Wazoo. How do you work with it though? I'm curious. It seems like it's a "foolproof" way to block services like Spamcop and the likes, by simply making sure you can't get proper NS records, and switching them around. Since 2 am, till now 10 am, I've received 21 spam mails, of which 4 are mails of the same kind - but the IP's different today, and now belonging to isla.net. Bineyyr.info now refers to 207.166.125.194, just like all the other mails with the same template, both new and old (so apparently they're reusing the same URLs)

http://www.spamcop.net/sc?id=z1173615442z4...57a9603cb921a8z

from today.


Sorry mate, was a bit in a hurry, and didn't think straight:

http://www.spamcop.net/sc?id=z1173008582z0...2240b0fb1346e4z

<snip>

...No problem -- thanks for posting the tracking URL. But I see no mention in either parse or the body of either spam that mentions either bineyyr.info or 207.179.200.70, so I don't see what you are saying is the problem. Can you point me to the bits that point to the problem?

Archived

This topic is now archived and is closed to further replies.
