SC doesn't resolve some hosts.


zappe

Why doesn't SC resolve the url in this spammail?

http://www.spamcop.net/sc?id=z1205496411zd...9370bf3fd11a77z

http://www.spamcop.net/sc?id=z1205503193zf...ddd5583a2d0e5ez

If I try myself I can resolve it and see what IP address it points to. I've seen quite a lot of these .info domains that SC can't resolve.

As mentioned in numerous other threads here, a browser is designed to wait an extremely long time to display the target. Spamcop, because of the number of reports being sent, does not have that luxury. Checking the host at dnsstuff.com, I just got the following for the first lookup:

DNS Lookup:

A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. I can't continue since your nameservers aren't responding. If you have a Watchguard Firebox, it's due to a bug in their DNS Proxy, which must be disabled (31 Jul 2006 UPDATE: several years after being informed of this, there is a rumor that there is a fix that allows the Watchguard DNS proxy to work).

DNS Timing:

Searching for citymadethrough.info A record at h.root-servers.net Got referral to f9.info.afilias-nst.org. [took 10 ms]

Searching for citymadethrough.info A record at f9.info.afilias-nst.org. Got referral to ns2.howewila.info. [took 10 ms]

Searching for citymadethrough.info A record at ns2.howewila.info. Timed out. Trying again.

Searching for citymadethrough.info A record at ns2.howewila.info. Timed out. Trying again.

Searching for citymadethrough.info A record at ns2.howewila.info. Timed out. Trying again.

Searching for citymadethrough.info A record at ns2.howewila.info. Timed out. Trying again.

Searching for citymadethrough.info A record at ns2.howewila.info. Timed out. Trying again.

Searching for citymadethrough.info A record at ns2.howewila.info. Timed out. Trying again.

Sorry, I could not continue.

I leave it as an exercise for the reader to check the link in the second report.


...I leave it as an exercise for the reader to check the link in the second report.
DNS Report for boxyetbe.info

Generated by www.DNSreport.com at 03:22:17 GMT on 27 Jan 2007.

Parent PASS Missing Direct Parent check OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.

INFO NS records at parent servers Your NS records at the parent servers are:

ns2.howewila.info. [82.131.208.66] [TTL=86400] [HU]

ns1.outoffroad.info. [212.112.96.30] [TTL=86400] [KG]

[These were obtained from f9.info.afilias-nst.org]

PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.

PASS Glue at parent nameservers OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.

PASS DNS servers have A records OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.

NS FAIL NS A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. I can't continue since your nameservers aren't responding. If you have a Watchguard Firebox, it's due to a bug in their DNS Proxy, which must be disabled (31 Jul 2006 UPDATE: several years after being informed of this, there is a rumor that there is a fix that allows the Watchguard DNS proxy to work).

... noting, yes, a browser (the intended target) will resolve it - but I would suggest going in anonymously through Google translate or LinkScanner if you wish to verify.

okey okey, I see.. so they are using some kind of "fake" NS?

I'm reporting these sites manually now.

It isn't surprising for spammers to use, eh, "special" nameservers for their websites. They may be normal BIND hosts operated by themselves or other parties, or they may be hosted (or appear to be hosted) on zombies. These jackleg nameservers are often programmed to change the IP address of the website very frequently (called 'rotating IPs').

I did a dig lookup on the name in question and found:

alu-g4pb:~ rconner$ dig citymadethrough.info

** snip **

;; ANSWER SECTION:
citymadethrough.info.   600	 IN	  A	   85.11.54.238

Here, the '600' indicates that this lookup is only valid for 10 minutes (600 seconds), after which local nameservers are supposed to refresh the address. By this time, the spammer may well have pointed this name to some other IP. Hard to say whether this is/was the case here, but the low TTL value certainly points in that direction.

To make matters worse, the spammers will often rotate the IPs of the nameservers themselves; this is particularly true for 'botnet-hosted' websites that can be shuffled around among literally hundreds of zombie infested machines (I've counted as many as 1200 IPs appearing for a single website name over periods of a few days).

-- rick
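The short TTL and rotating addresses described in the post above can be checked by comparing repeated `dig` answers for the same name. The following is an added example, not part of the original post: the function names, the thresholds (`ttl_limit`, `min_ips`) and every sample line except the first `citymadethrough.info` record are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# One A record as dig prints it: name, TTL, class, type, IPv4 address.
A_RECORD = re.compile(r"^(\S+?)\.?\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_answers(dig_output):
    """Return (name, ttl, ip) for every A record line in one dig output."""
    records = []
    for line in dig_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m:  # comment lines such as ';; ANSWER SECTION:' do not match
            records.append((m.group(1).lower(), int(m.group(2)), m.group(3)))
    return records

def rotation_report(snapshots, ttl_limit=600, min_ips=3):
    """Summarise repeated lookups; both thresholds are assumed, tune locally."""
    seen = defaultdict(lambda: {"ttls": [], "ips": set()})
    for output in snapshots:
        for name, ttl, ip in parse_answers(output):
            seen[name]["ttls"].append(ttl)
            seen[name]["ips"].add(ip)
    report = {}
    for name, entry in seen.items():
        low_ttl = min(entry["ttls"]) <= ttl_limit
        report[name] = {
            "min_ttl": min(entry["ttls"]),
            "ips": sorted(entry["ips"]),
            # Short TTL alone is common (CDNs); require address churn as well.
            "suspect": low_ttl and len(entry["ips"]) >= min_ips,
        }
    return report

# Constructed sample: three lookups taken more than one TTL apart. Only the
# first citymadethrough.info line is from the post; the rest is made up.
SNAPSHOTS = [
    ";; ANSWER SECTION:\ncitymadethrough.info.   600\t IN\t  A\t   85.11.54.238\n"
    "stable.example.   86400 IN A 192.0.2.10\n",
    ";; ANSWER SECTION:\ncitymadethrough.info.   600 IN A 198.51.100.7\n"
    "stable.example.   85000 IN A 192.0.2.10\n",
    ";; ANSWER SECTION:\ncitymadethrough.info.   412 IN A 203.0.113.99\n"
    "stable.example.   84000 IN A 192.0.2.10\n",
]

if __name__ == "__main__":
    for name, info in rotation_report(SNAPSHOTS).items():
        print(name, info)
```

A TTL below 600 in a later snapshot is a cached answer counting down, which is why the report keeps the minimum rather than the first value seen.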


I've seen this issue of spamcop not resolving URLs within a spam. In many cases, if I put just the URL in the window by itself, it will resolve it just fine. Sometimes if I move the URL to a different part of the message body, it will resolve it. It seems like there is something more happening (or not) here than meets the eye.

m


I've seen this issue of spamcop not resolving URLs within a spam. In many cases, if I put just the URL in the window by itself, it will resolve it just fine. Sometimes if I move the URL to a different part of the message body, it will resolve it. It seems like there is something more happening (or not) here than meets the eye.

m

Putting a single IP address or URL into the parser does follow a different path and seems to be more robust.

Moving the URL to a different part of the message body is directly forbidden by the material changes rules you accepted to become a spamcop reporter. It likely means the message has been created incorrectly in order to fool the parser, but that SHOULD also render it a non-clickable link in the message unless the email client (Microsoft, usually) is taking some liberties to "fix" the spammer's bad coding.


  • 2 weeks later...

But why does this phenomenon only happen with .info domains? I have yet to see a single .info domain - even from supposedly "legit" [sic] emails with fake "unsubscribe" links - successfully turn up an IP. But I haven't seen any .net, .com, .org domains that can't be resolved and reported... I get a flood of email every day - mostly disgusting pr0n crap (even by a no-morals person's standards), despite never having signed up for anything. Many messages have ".info" domains that can't be resolved, but work immediately in my browser. Do .info domains block lookup requests from SC or something?


But why does this phenomenon only happen with .info domains? I have yet to see a single .info domain - even from supposedly "legit" [sic] emails with fake "unsubscribe" links - successfully turn up an IP. But I haven't seen any .net, .com, .org domains that can't be resolved and reported... I get a flood of email every day - mostly disgusting pr0n crap (even by a no-morals person's standards), despite never having signed up for anything. Many messages have ".info" domains that can't be resolved, but work immediately in my browser. Do .info domains block lookup requests from SC or something?

SpamCop allocates time it often does not have to look up a link, so if this link is outside time SpamCop moves on

This said you can in "NOTES" add this link to your report

I write this

SPAMVERTISED URL

http://samvertised.url

ip ****.****.***.****

Using any tracert program will convert the URL to an IP address and a second SpamCop reporting window will give abuse addresses for that IP


...Do .info domains block lookup requests from SC or something?
Obviously not if n7mk gets a good resolution rate by putting the "URL in the window by itself". IMO Rick Conner (see above) has it right - it's just a timing issue, the SC parser sometimes doesn't have the luxury of taking the time to resolve these. "Sometimes" becomes "most times" when the "target" keeps moving and evidently a high proportion of .info domains are moving targets. (I guess they've taken over from .biz, a one-time rogues' gallery.)

I came across an indirect reference to a "theory" formulated by some of the Newsgroup guys that it took three refreshes to resolve most of the "hard" URLs within a "spamitem" - as some term spam. This practice would not be recommended (the parser has lots to do already without doing it over and over) but could tie in with cache refreshes to keep up with 600 second rotating nameservers. Bottom line - you have to do a lot more, if you want to achieve anything, than to figuratively send a report to the landlord at "the last known address" of someone who wants very badly to be elsewhere when it arrives. Why get hung up about them? (difficult resolutions)


I see. Well, I have to process so many spams at the same time that I really hate to tediously go through each one to resolve/note the addresses. I hope that the admins the message gets sent to end up killing the source anyway. I just wish there were a more automated solution to the .info problem. :)


But why does this phenomenon only happen with .info domains?

????? Geeze .... the way-too-many-times-to-count that this issue has come up before, just in this Forum .. not even going to try to hazard a guess at newsgroup traffic .... I have no idea where you get the idea (other than your personal experience) that this happens to "only" .info addresses .... This has come up so many times, so many places, that there are multiple entries in the SpamCop FAQ here about it.


I tried searching... it only gave me forum results, and that's where I found this. :(

Search Engine queries really are 'rocket science' ... issue being that one has to guess just how the problem/issue was described by that "other person" ....

SpamCop can't find

URL won't resolve

Parser broken

SpamCop fooled

rotating DNS

Parser screwing up

Just a few of the ways the issue gets 'defined' in a query/complaint/rant ... so which word did you use?

OK, you show the use of "info +domains" .... exactly my point .... none of the above <g>

edit: who still uses newsgroups anyway? o_O

People like this;

From: "WazoO" <nobody[at]devnull.spamcop.net>
Newsgroups: spamcop.mail
Subject: Re: Dysfunctional services
Date: Sun, 11 Feb 2007 05:36:05 -0600
Message-ID: <eqmv35$rmm$1[at]news.spamcop.net>
References: <eorgm9$rnr$1[at]news.spamcop.net> <eqmsds$nur$1[at]news.spamcop.net>

"Jim P." <xxxxxxx[at]cqmail.net> wrote in message news:eqmsds$nur$1[at]news.spamcop.net...

> With no thanks to Spamcop, I discovered that the problem is with IE7. The
> bad news is that some websites (Spamcop is the only one I've encountered so
> far) will only function correctly if they recognize the browser as IE6. The
> good news is that MS has a patch (uasutility-v2-x86) which makes IE7 look
> like IE6 to such sites, whereupon the functionality is restored.

Whatever ..... though noting that the 'flood' of user complaints is not really apparent. ...????

> BTW, I attempted to register with a more used Spamcop forum, but extreme
> clunkiness thwarted me. Inept and user unfriendly processes, failure to
> deliver necessary email for consummation of registration.

Huh? Forum log check;

Email Error Logs (Show all)
Logged Emails Errors
To Subject Error MSG Date
No results

(since moved to a new server back in November, I think .... prior to that, Forum e-mail was handled on a server I didn't have access to ...)

Database check using data found within the headers of this newsgroup post ....

Member No: 4802
xxxxxx[at]cqmail.net (24.15.xx.xxx)
xxxxxx[at]cqmail.net
Members (0 Posts)
Joined: 12-November 05
Last Active 27th April 2006 - 04:47 AM

You registered a long time ago. Forum application software has been updated at least two major revisions since your last logged-in visit, server changed, OS changed, on and on .... You've never made a post .... The Wiki has appeared since your last visit .. on and on ... don't grok all your commentary ....

Your registration using your e-mail address as a user name had you targeted for an e-mail from me, but I don't believe I got that far into the alphabet ..... too many idiots reporting as spam my pointers to the following items; I gave up trying ....

Spammers love Forum name = e-mail address
http://forum.spamcop.net/forums/index.php?showtopic=4962

Forum FAQ
SECTION 7 - Change of Username
http://forum.spamcop.net/forums/index.php?showtopic=4351

Interesting enough, out of the numerous responses this guy received about some of the other things he was bitching about, this is the only post that didn't rate a reply in that thread ......


Wow, that is way over my head. Newsgroup formatting and oldfangled operation is so... outdated. Web forums such as this one are much more intuitive and easier to access (at least for modern Windows users) than archaic newsgroup servers and groups are...

However that is neither my place nor my argument. I guess I got a decent enough answer - .info addresses, predominantly, are sleuthy enough to get around being reported by SC. I really, really appreciate this service (even though as of yet it hasn't reduced my spam volume, but increasing my ego and exacting revenge is always nice) and if I weren't income-less and $1,300 in credit card debt, I'd certainly be donating. I guess all I can give is my thanks for the time being, and a word that sometime, when I do finally find an employer that can see my true potential, you'll certainly receive a fair cut. :)

It's also nice to see the head-admin-dude being active in the forums. Thanks!


<snip>

I really, really appreciate this service (even though as of yet it hasn't reduced my spam volume

<snip>

...And I hope this doesn't surprise you, as it is no part of any intention of SpamCop to do that. If it is a surprise to you, please let us know where you saw something suggesting that it was so we can try to get it changed! :) <g>
It's also nice to see the head-admin-dude being active in the forums.

<snip>

...Wazoo is a long-time activist and volunteered to act as Forum admin pretty much as a favor to JT, who is really the "owner" of the SpamCop Forum but didn't have time to do all the admin work necessary, so being active in the forums is Wazoo's principal purpose here and his "admin" role simply a byproduct of his generosity (please correct me if I'm wrong in any particulars, Wazoo! :) <g>).