AlphaCentauri Posted February 11, 2007

I have been getting a ton of spam from MyCanadianPharmacy lately that SpamCop is having trouble dealing with. The URLs in the body each return with a message like the following:

Resolving link obfuscation
http://nonsense.someurl.com/12345
Host nonsense.someurl.com (checking ip) IP not found ; nonsense.someurl.com discarded as fake.

But if you check out the URL, it does lead to the spamvertised site, so apparently someone on the internet can find what IP number that URL goes to. If you watch it load, all the images are loading from IP 217.170.77.210 on each of the various spamvertised sites. Putting that IP in Spamcop's parser gives the following:

Parsing input: 217.170.77.210
host 217.170.77.210 (getting name) no name
host 217.170.77.210 = db2.sorenssystem.com (old cache)
host 217.170.77.210 (getting name) no name
host 217.170.77.210 = db2.sorenssystem.com (old cache)
Routing details for 217.170.77.210 [refresh/show]
Cached whois for 217.170.77.210 : admin[at]internet33.com
Using abuse net on admin[at]internet33.com
abuse net internet33.com = abuse[at]rtcomm.ru, abuse[at]eltel.net, abuse[at]alfahost.net, postmaster[at]internet33.com, abuse[at]rt.ru
Using best contacts abuse[at]rtcomm.ru abuse[at]eltel.net abuse[at]alfahost.net postmaster[at]internet33.com abuse[at]rt.ru
Reports disabled for abuse[at]rtcomm.ru
Using abuse#rtcomm.ru[at]devnull.spamcop.net for statistical tracking.
Statistics:
217.170.77.210 not listed in bl.spamcop.net More Information..
217.170.77.210 not listed in dnsbl.njabl.org
217.170.77.210 not listed in dnsbl.njabl.org
217.170.77.210 not listed in cbl.abuseat.org
217.170.77.210 not listed in dnsbl.sorbs.net
Reporting addresses: abuse[at]eltel.net abuse[at]alfahost.net postmaster[at]internet33.com abuse[at]rt.ru

Anybody know what's actually going on and how they manage to make the parser believe the URL is fake?
StevenUnderwood Posted February 11, 2007

Anybody know what's actually going on and how they manage to make the parser believe the URL is fake?

Timing issues. Search these forums for MyCanadianPharmacy and you will likely see what is happening. Basically, spamcop is not a browser and not willing to wait an eternity (in network time) for it to resolve.
remay Posted March 4, 2007

re: Basically, spamcop is not a browser and not willing to wait an eternity (in network time) for it to resolve.

Is there a way to REQUEST a longer timeout or some user-selectable parameter we can adjust for cases like this? I have gotten over 30 spam emails in two days promoting a site that is very much alive and functional, but spamcop fails to record it:

Host kikaq.hk (checking ip) IP not found ; kikaq.hk discarded as fake.
Host kikaq.hk (checking ip) IP not found ; kikaq.hk discarded as fake.
:
:
Tracking link: http://kikaq.hk/
No recent reports, no history available
Cannot resolve http://kikaq.hk/

What is the suggestion for reporting ALIVE domains/websites that spamcop does not handle?
Wazoo Posted March 4, 2007

Is there a way to REQUEST a longer timeout or some user-selectable parameter we can adjust for cases like this?

New Features/Suggestions is a Forum section set up for just this. You'll see that several entries there already relate to resolving URLs. The answer .... take a look at the graphic/link provided at the top right of this page. Click on it, read some of the statistics. The tune of 20 spams a second being processed, with all the on-going checks, analysis, look-ups, database updates, calculations, etc. would seem to hint at the problem with "let's wait for another two or three minutes to see if any data shows up" ......

Host kikaq.hk (checking ip) IP not found ; kikaq.hk discarded as fake.

03/04/07 12:37:17 Slow traceroute kikaq.hk
Trace kikaq.hk (200.62.226.85) ...
201.125.224.34 RTT: 154ms TTL: 96 (bbint-lima-chinchon-2pto0-0.uninet.net.mx ok)
201.125.233.65 RTT: 143ms TTL: 96 (customer-201-125-233-65.uninet.net.mx bogus rDNS: host not found [authoritative])
200.62.128.194 RTT: 174ms TTL: 96 (host-200-62-128-194.telmex.com.pe bogus rDNS: host not found [authoritative])
200.62.219.10 RTT: 154ms TTL: 96 (No rDNS)
200.62.226.85 RTT: 182ms TTL: 48 (kikaq.hk ok)

03/04/07 12:37:23 dns kikaq.hk
Canonical name: kikaq.hk
Addresses: 200.62.226.85

It is not 'normal' to run a DNS server on the same IP address as the web-site itself (hint)

What is the suggestion for reporting ALIVE domains/websites that spamcop does not handle?

Check the Dictionary, Glossary, SpamCop FAQ here, Wiki for a thing called Manual Reporting .... There's a Topic in the Suggested Tools and Applications Forum section about other tools, though it probably won't help in this case ...????
AlphaCentauri Posted March 4, 2007 (Author)

What is the suggestion for reporting ALIVE domains/websites that spamcop does not handle?

Some of us have started using a program called Complainterator, written by an anti-spammer well known on the Castlecops website and posted here: http://thecarpcstore.com/phpbb2/viewtopic.php?t=575

It just automates the process of looking up the nameservers for the URL, then writing a very courteous and informative letter about how to shut off the nameserver. Shutting down the nameserver stops spam to multiple spam sites. For instance, if you enter kikaq.hk into the program, it finds out that its nameservers are

NS1.AMYLACEOUSWER.COM
NS1.NOHOEVENTS.COM
NS2.CHARTEREDBOL.COM
NS2.UNSELDOMDIG.COM

These are registered with

BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
reporting addresses: liwei[at]dns.com.cn, zhaifeng[at]dns.com.cn, huyan[at]dns.com.cn, abuse[at]anti-spam.cn, spam[at]ccert.edu.cn

MONIKER ONLINE SERVICES, INC.
reporting address: not preloaded in program; you have to look one up at ICANN and enter it in the program

BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
reporting address: same as above

DSTR ACQUISITION VII, LLC
reporting address: support[at]registerapi.com

Then it composes an email on your mail program to tell them:

Dear Registrar

This is a request for you to remove the domain amylaceouswer.com and to remove its name server Address record ns1.amylaceouswer.com

From this link, you can see that it is used as a name server for a spammed site
> http://www.dnsstuff.com/tools/traversal.ch...q.hk&type=a

From this link, you can see that your company is the name server's registrar
> http://www.dnsstuff.com/tools/whois.ch?ip=...om&email=on

To remove the name server effectively, please set the status of domain amylaceouswer.com to
clientTransferProhibited
clientUpdateProhibited
clientDeleteProhibited
clientHold

Then, set the name server Address record for ns1.amylaceouswer.com to a nonroutable address such as 0.0.0.0 or 61.61.61.61

You can test that this has been successful, by using the above traversal link.

Thank you for your efforts to reduce spam and to keep criminals from abusing your terms of service.

and writes a separate letter for each nameserver address. If you look up the nameservers on these addresses that Spamcop can't parse, you will see the same names keep coming up: tonsilsbot.com, groupron.com, amylaceouswer.com, belikeyous.com, etc. and the same registrars: Beijing Innovative Linkage Technology (the Chinese government, I think) and Moniker.com (a Florida company which specializes in registrations for people who only want the URL less than 5 days so they can give it up without having to pay, and for people who want anonymous registrations).

Complaints about nameservers for spamvertised domains do not replace Spamcop reporting, which concentrates on notifying people who can shut down the machines actually sending the spam (especially important now that most spam is sent from malware infected computers owned by innocent home and business users who are not tech savvy enough to realize it until someone files a Spamcop report). And it is only for people who are brave enough to send email from their own addresses and therefore let the registrars know who they are (which they probably can figure out from Spamcop reports too, even though they are munged). Some registrars are better than others at shutting down the nameservers, and since the nameservers I mentioned above are still operating, Moniker and Beijing aren't among the better ones. And someone is cooperating with the spammers, since the address I first used to send reports is getting far less spam than my other addresses, even though they are all spam ads for spamvertised sites on these same servers, i.e., the address in my "from" address in my complaint was removed from the spammer's list. (The email complaint doesn't indicate which address the actual spam was sent to). I expect there may be some type of retaliation if enough people begin to participate to seriously inconvenience the spammers, as there was with the Blue Frog debacle. But I lived through that, so I'll stick my neck out for this.
rconner Posted March 4, 2007

What is the suggestion for reporting ALIVE domains/websites that spamcop does not handle?

Rather than depend upon SpamCop to do this for you, you can learn to do it yourself, and then paste the results right into your SpamCop report. It takes a bit of extra time, but becomes pretty easy once you get the hang of it.

The first step is to get the address(es) for the host. You can do this from a command line using the nslookup command. For example (using a spam I just got):

rconner$ nslookup www.eleccie.com
Server: 10.0.1.1
Address: 10.0.1.1#53

Non-authoritative answer:
Name: www.eleccie.com
Address: 218.188.64.201

I ran this using the terminal program in Mac OS X, but it should work identically in a DOS window. Our answer is at the very bottom, shown as a non-authoritative answer because it came from my ISP's local cache; in most cases this is not an issue, but if you prefer an authoritative answer you can use the DNS lookup tool at DNSStuff (for example).

Our second step is to find out who controls this address, and how we can contact them with an abuse report. We use the whois command for this:

rconner$ whois 218.188.64.201
( snipped some extraneous output from ARIN )
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 218.188.0.0 - 218.189.255.255
netname: HGC
descr: Hutchison Global Communications
country: HK
admin-c: IH17-AP
tech-c: IH17-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HGCADMIN
remarks: included the /17 previous allocation
changed: andycw[at]hgc.com.hk 20040209
status: ALLOCATED PORTABLE
changed: hm-changed[at]apnic.net 20040212
source: APNIC

person: ITMM HGC
nic-hdl: IH17-AP
e-mail: hgcnetwork[at]hgc.com.hk
address: 9/F Low Block ,
address: Hutchison Telecom Tower,
address: 99 Cheung Fai Rd, Tsing Yi,
address: HONG KONG
phone: +852-21229555
fax-no: +852-21239523
country: HK
remarks: Send spam reports to abuse[at]on-nets.com
remarks: and abuse reports to abuse[at]on-nets.com
remarks: Please include detailed information and
remarks: times in HKT
changed: hgcnetwork[at]hgc.com.hk 20050620
mnt-by: MAINT-HK-HGCADMIN
source: APNIC

If you are running Windows, you may not have the whois command; in this case, you can simply use DNSStuff or else one of the many other online whois tools. As you can see, this address is run by hgc.com.uk, and several contact e-mails are given (including an abuse-related contact).

The final step is to include this info in your SpamCop report: simply paste the e-mail addresses into the field marked "To:" just under "User Notification." Then, follow the "Notes" link from this spot down to the "Comments for User Notification Field" and enter a brief statement like "www.eleccie.com resolves to 218.188.64.201".

I find that while the My Canadian Pharmacy websites are almost never resolved by SpamCop even after page reloading, I can nearly always find them myself by this method (unless they are truly offline).

If you would like a bit more detail, you can visit my web page http://www.rickconner.net/spamweb/tools-home.html and follow the links for host/nslookup and IP-whois.

-- rick
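The nslookup-then-whois procedure rconner lays out above, scripted end to end, as an added example that is not part of the thread and is not SpamCop's or Complainterator's code. It also folds in StevenUnderwood's point about resolver timing by retrying the address lookup instead of giving up on the first failure. The whois record embedded in the script is constructed (203.0.113.0/24 is documentation address space, isp.example is a made-up domain); the live path assumes whois.iana.org's "refer:" line to find the right RIR and plain port-43 whois at that RIR, and the hostname on the command line is whatever you are investigating.

```python
"""Script version of the nslookup-then-whois procedure in the post above:
resolve the host (retrying, since slow resolution is the thread's problem),
whois the IP via IANA's referral, and extract abuse contacts for the report.
Added example, not from the forum or SpamCop; the sample record is constructed."""
import re
import socket
import sys
from dataclasses import dataclass, field
from typing import List, Optional

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def resolve_with_retries(host: str, attempts: int = 3) -> List[str]:
    """IPv4 addresses for host. The stdlib resolver has no timeout knob, so
    patience is repeated attempts: a slow nameserver may answer on a retry."""
    last_err: Optional[Exception] = None
    for _ in range(attempts):
        try:
            infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
            return sorted({info[4][0] for info in infos})
        except socket.gaierror as err:
            last_err = err
    raise RuntimeError(f"{host}: no address after {attempts} attempts ({last_err})")

def whois_query(server: str, query: str, timeout: float = 15.0) -> str:
    """Plain RFC 3912 whois: send the query on TCP/43, read until EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def find_referral(iana_text: str) -> Optional[str]:
    """whois.iana.org answers an IP query with a 'refer:' line naming the RIR."""
    for line in iana_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "refer":
            return value.strip()
    return None

@dataclass
class WhoisRecord:
    inetnum: Optional[str] = None
    netname: Optional[str] = None
    abuse_mailboxes: List[str] = field(default_factory=list)  # abuse-mailbox / OrgAbuseEmail
    emails: List[str] = field(default_factory=list)           # e-mail: fields, in order
    remarks: List[str] = field(default_factory=list)

def parse_whois_record(text: str) -> WhoisRecord:
    """Parse 'key: value' whois output; lines starting '%' or '#' are banners."""
    rec = WhoisRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "inetnum" and rec.inetnum is None:
            rec.inetnum = value
        elif key == "netname" and rec.netname is None:
            rec.netname = value
        elif key in ("abuse-mailbox", "orgabuseemail"):
            rec.abuse_mailboxes.append(value.lower())
        elif key == "e-mail":
            rec.emails.append(value.lower())
        elif key == "remarks":
            rec.remarks.append(value)
    return rec

def abuse_contacts(rec: WhoisRecord) -> List[str]:
    """Ranked, de-duplicated contacts: explicit abuse mailboxes, then addresses
    in remarks that mention abuse/spam, then abuse@ e-mails, then the rest."""
    ranked = list(rec.abuse_mailboxes)
    for remark in rec.remarks:
        if re.search(r"abuse|spam", remark, re.IGNORECASE):
            ranked += [m.lower() for m in EMAIL_RE.findall(remark)]
    ranked += [e for e in rec.emails if e.startswith("abuse@")] + rec.emails
    return list(dict.fromkeys(ranked))  # dict preserves first-seen order

# Constructed sample (203.0.113.0/24 is documentation space), shaped like the
# APNIC record shown in the post above.
SAMPLE_WHOIS = """\
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-HOSTING
person:         Example NOC
e-mail:         noc@isp.example
remarks:        Send spam reports to abuse@isp.example
remarks:        Please include detailed information and
source:         APNIC
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live lookup, network required
        host = sys.argv[1]
        for ip in resolve_with_retries(host):
            rir = find_referral(whois_query("whois.iana.org", ip)) or "whois.arin.net"
            rec = parse_whois_record(whois_query(rir, ip))
            print(f"{host} resolves to {ip} ({rec.netname}); contacts:", abuse_contacts(rec))
    else:  # offline demo on the constructed record
        print(abuse_contacts(parse_whois_record(SAMPLE_WHOIS)))
```

Run it with no arguments to watch the parser work on the constructed record, or with a hostname to do the live lookup. The parser understands the RIPE/APNIC "key: value" layout and ARIN's OrgAbuseEmail field; other whois servers may need extra keys added to parse_whois_record. Treat the ranked list as a starting point and read the record yourself before putting addresses in the "To:" field, exactly as the post does by hand.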
Wazoo Posted March 4, 2007

Rather than depend upon SpamCop to do this for you, you can learn to do it yourself, and then paste the results right into your SpamCop report. It takes a bit of extra time, but becomes pretty easy once you get the hang of it. The first step is to get the address(es) for the host. You can do this from a command line using the nslookup command. For example (using a spam I just got): I ran this using the terminal program in Mac OS X, but it should work identically in a DOS window.

First issue, most Windows users don't have access to this 'command' ....

We use the whois command for this:

Repeat of the above ...

The final step is to include this info in your SpamCop report: simply paste the e-mail addresses into the field marked "To:" just under "User Notification." Then, follow the "Notes" link from this spot down to the "Comments for User Notification Field" and enter a brief statement like "www.eleccie.com resolves to 218.188.64.201".

I am thinking that this is a 'paid-account' option ... the additional notifies line isn't available to free-reporting accounts.

If you would like a bit more detail, you can visit my web page http://www.rickconner.net/spamweb/tools-home.html and follow the links for host/nslookup and IP-whois.

Admitting that the development of the How to use .... Instructions, Tutorials > Research Tools Forum section here has been woefully lacking .....
rconner Posted March 4, 2007

First issue, most Windows users don't have access to this 'command' ....

Quite probably you are correct, tho' I've seen nslookup on most versions of Windows that I personally have used (Win95, Win2k Pro, WinXP Pro, possibly even NT5.0 if I remember correctly). You will note that I mentioned DNSStuff as an alternative for web-based access to both nslookup and whois. I would add http://www.completewhois.com/ for particularly stubborn whois jobs, since it seems to be smarter and more persistent than the typical whois, particularly for domain-whois lookups.

-- rick
Wazoo Posted March 4, 2007

Quite probably you are correct, tho' I've seen nslookup on most versions of Windows that I personally have used (Win95, Win2k Pro, WinXP Pro, possibly even NT5.0 if I remember correctly).

Even if it's available, there's the issue of getting to an MS-DOS Prompt / command-line screen in order to type it in, see/catch the results, etc.
Farelf Posted March 5, 2007

...there's the issue of getting to an MS-DOS Prompt / command-line screen in order to type it in ...

Off topic, but just to note it took me 12 years to find out you can paste from the Windows/application clipboard into the DOS command (prompt) line. In case there are others out there coming late to that "discovery". How many times I typed/transcribed from Windows to a command-line prompt I would hate to guess. Sure, they took away the icon (sometime after W95) on the DOS window (I hadn't noticed/forgot about it anyway) but with XP you just right-click in the top frame of the live DOS "box", select "Edit" then choose "Paste". Call me a waste of space if you will but I believe there may be others who don't know this. More precisely I need to believe.
Wazoo Posted March 5, 2007

Off topic, but just to note it took me 12 years to find out you can paste from the Windows/application clipboard into the DOS command (prompt) line. In case there are others out there coming late to that "discovery". How many times I typed/transcribed from Windows to a command-line prompt I would hate to guess. Sure, they took away the icon (sometime after W95) on the DOS window (I hadn't noticed/forgot about it anyway) but with XP you just right-click in the top frame of the live DOS "box", select "Edit" then choose "Paste". Call me a waste of space if you will but I believe there may be others who don't know this. More precisely I need to believe.

Actually, in the days before XP, it depended on just how you pulled it up. The 'magic' was basically in the associated .pif file .... if the settings were not there to allow mouse traffic, cut/paste, etc. those options weren't available ....