Glitch in updated parser?


btech

Since the update, I noticed that there are some odd occurrences when I manually look up a spamvertized link.

Parsing input: super-Raffle.com

Host super-raffle.com (checking ip) = 194.54.31.40

host 194.54.31.40 (getting name) no name

Host super-raffle.com (checking ip) = 194.54.31.40

host 194.54.31.40 (getting name) no name

[report history]

Routing details for 24.215.134.33

[refresh/show] Cached whois for 24.215.134.33 : abuse[at]abuse.earthlink.net

Using abuse net on abuse[at]abuse.earthlink.net

abuse net abuse.earthlink.net = abuse[at]abuse.earthlink.net

Using best contacts abuse[at]abuse.earthlink.net

Statistics:

24.215.134.33 not listed in bl.spamcop.net

More Information..

24.215.134.33 not listed in dnsbl.njabl.org

24.215.134.33 not listed in dnsbl.njabl.org

24.215.134.33 not listed in cbl.abuseat.org

24.215.134.33 listed in dnsbl.sorbs.net ( 127.0.0.10 )

24.215.134.33 not listed in relays.ordb.org.

Reporting addresses:

abuse[at]abuse.earthlink.net

The spammer is using DNS tricks, because that destination IP and address changes every time you check it:

http://www.dnsstuff.com/tools/tracert.ch?ip=super-Raffle.com

But the parser shows 194.54.31.40 as the address and then looks up the abuse information for 24.215.134.33.

I did the lookup 5 times and came across this error (albeit different IP addresses) 2 times.


Since the update, I noticed that there are some odd occurrences when I manually look up a spamvertized link.

I'll ask .... what update? IronPort doesn't talk to me, the only thing stated in a newsgroup post by Ellen was a 'maintenance window' ..... and the only 'public' data showing hasn't changed ...

From my record keeping file;

10 Oct 2006 - SpamCop v 1.600 Copyright © 1998-2006

15 Nov 2006 - SpamCop v 1.603 Copyright © 1998-2006

07 Dec 2006 - SpamCop v #612 Copyright © 1998-2006

This last is still showing in a parse done a few minutes ago ...


I assumed v #612 was the reason for the maintenance yesterday, because I noticed it was v #611 prior.

Have no idea on how to respond to that actually .... I believe that there are multiple systems in use, and apparently not all running the same codebase at all times. On the other hand, I don't report spam myself through SpamCop.net for the most part, so it's usually when I'm working on someone else's issue and I'll follow their provided Tracking URL to see what's happening. The first thing I look at is the version number, and if it's changed, I make a note of that and add it to my little database. Issues/problems with a 'new' version have in fact caused a couple of 'rollbacks' when I pointed them out.

As noted in my list, the jumps in version numbers are rather significant ... this last one really catching my eye due to the changed numbering scheme. On the other hand, I can state that I never saw version #611 .. and that the #612 showed up last month and has been what I've seen since .... again, perhaps luck of the draw on just what (parsing) server is hit, I do not know.

It's more than a bit frustrating in that no one from IronPort says anything here or in the newsgroups ... and the "engineering reports" have been described as technical mumbo-jumbo by the paid-staff that do receive that bit of data ... and of course, none of that info is passed out either ....

So, as has been the case since Julian first started this thing, 'how it works' has been an exercise in noting just what happens when and where, then trying to figure out why / how something changed .... in this last bit of 'maintenance window' it appears that major code has been changed and the network exchange of some critical data is not happening for some reason .... and that 'guess' comes from wearing that systems analyst hat and applying lessons learned over the years elsewhere to the results being displayed/complained about currently ....


I assumed v #612 was the reason for the maintenance yesterday, because I noticed it was v #611 prior.

The maintenance window was for a hardware upgrade. The new releases don't require taking down the system. We just publish the new code and there it is.

Anyway, the hardware upgrade turned on the IT guys somehow, and they were forced to quit and run away. During all this, a database was disabled somehow, which has been causing all sorts of parse and lookup goofiness, he said with his best technical voice.

Sorry for all the trouble. The database is back on line now and things are back to normal.

- Don D'Minion - SpamCop Admin -

