Jump to content

Different reporting address every time?


Cornholio
 Share

Recommended Posts

Hi,

I'm receiving 10-15 spam messages advertising viagra for the site kosoro . com every day (the spammer uses spaces in the address too). When I enter that address (minus the spaces) into spamcop, it gives me a different reporting address every time! Which one do I use? All of them?

Try this link: http://www.spamcop.net/sc?track=kosoro.com and refresh the page a few times. It gives a different IP address and a different reporting address each time.

What's the deal? How can I report this ***hole?

Link to comment
Share on other sites

Technically, I'm not sure what your question really is. At the time of a/the parse, look-ups are done to come up with locations and targets. As you've noted, the is a spammer controlled item, complete with rotating DNS and web-page content holding places. Nothing new there.

Point is that the report would be valid for the conditions seen at that point in time. Things working normqlly would possibly lead to an abuse-desk person receiving/reading the complaint hours later, taking a look, and of course, not finding anything, as the spammer had already moved on to the next batch of compromised machines.

03/26/07 12:52:08 dns kosoro.com

Canonical name: kosoro.com

Addresses:

65.32.79.247

74.141.176.10

68.48.231.246

75.73.49.51

71.235.5.251

03/26/07 12:52:29 Slow traceroute kosoro.com

Trace kosoro.com (74.141.176.10) ...

144.232.20.129 RTT: 274ms TTL: 96 (sl-bb21-kc-3-0.sprintlink.net ok)

144.232.23.70 RTT: 236ms TTL: 96 (sl-gw16-kc-0-0.sprintlink.net ok)

160.81.75.198 RTT: 236ms TTL: 96 (sl-insig-5-0.sprintlink.net ok)

* * * failed

* * * failed

already moved on

03/26/07 13:00:50 dns kosoro.com

Canonical name: kosoro.com

Addresses:

65.32.79.247

70.48.239.64

24.173.6.166

12.31.211.99

70.251.235.76

03/26/07 13:01:37 Slow traceroute kosoro.com

Trace kosoro.com (24.173.6.166) ...

24.93.34.105 RTT: 249ms TTL: 96 (gig15-0-0.hstntxtid-rtr1.houston.rr.com ok)

24.28.97.70 RTT: 266ms TTL: 96 (gig1-0-0.hstntxroy-ubr18.houston.rr.com ok)

24.173.6.166 RTT:1722ms TTL:112 (rrcs-24-173-6-166.sw.biz.rr.com ok)

whois -h whois.crsnic.net kosoro.com ...

Redirecting to XIN NET TECHNOLOGY CORPORATION

whois -h whois.paycenter.com.cn kosoro.com ...

Domain Name:kosoro.com

Registrant:

wen

No.12 chang'an road

100001

Administrative Contact:

top wen

wen

No.12 chang'an road

beijing Beijing 100001

China

tel: 86 010 3393884

fax: 86 010 4399388

12[at]12.com

Technical Contact:

top wen

wen

No.12 chang'an road

beijing Beijing 100001

China

tel: 86 010 3393884

fax: 86 010 4399388

12[at]12.com

Billing Contact:

top wen

wen

No.12 chang'an road

beijing Beijing 100001

China

tel: 86 010 3393884

fax: 86 010 4399388

12[at]12.com

Registration Date: 2007-03-04

Update Date: 2007-03-22

Expiration Date: 2008-03-04

Primary DNS: ns.ajaxmx.com 64.110.241.4

Secondary DNS: ns2.ajaxmx.com 75.53.97.227

Can't help but think that the data seen there is anything but 100% truthful, honest, and accurate <g>

Anyway, take a look at Complainterator take a look at this Topic/tool if you really want to 'do' something about this, beyond setting down and manually reporting all this crap to all the ISPs involved with the compromised computers involved (and that gets old pretty quick)

Link to comment
Share on other sites

So, basically, all of the various reporting email addresses I'm seeing are correct.. What I'm going to do is keep refreshing the page, collect all the various reporting email addresses and put them in a list (abuse[at]x.com, abuse[at]y.net, etc) and every time I get one of these emails forward it to the entire list!

Thank you for clarifying things.

Link to comment
Share on other sites

I was finally able to get Complainterator to work.. I use Yahoo (web-based) mail so I had to use prompted mode... In order to get that to work, I had to change my home page settings to a blank page. Thanks again for your help!

If you can get Complainterator to work (Works for me) and a web site is taken down you have made millions of spams useless.

SpamCop informs (or tries to) as many ISP's of their and or customers security problems.

Many ISP's react quickly to this. If an ISP is incompetent they will be added to SpamCop's blocklist. Which stops spam as it is being sent not after it is sent, this then instantly and bit-bins and or puts spam in spam folder.

Attack is your best defence against spammers SpamCop also alerts crime investigators of spammer activity and many are finding themselves in court for this

Edited by petzl
Link to comment
Share on other sites

If you can get Complainterator to work (Works for me) and a web site is taken down you have made millions of spams useless.

Well unfortunuately this hasn't helped... I've reported 5 different sites this spammer uses (all with the same DNS server) over about a week with no results. Apparently XIN Net has no interest in stopping spammers. The spammer continues to harrass me with a deluge of daily spams. :angry:

I have also been forwarding all the emails to each abuse address for all the rotating IP addresses he uses... No progress on that front either... Nobody seems to care!

Edited by Cornholio
Link to comment
Share on other sites

I have also been forwarding all the emails to each abuse address for all the rotating IP addresses he uses... No progress on that front either... Nobody seems to care!

Not sure about what you might have meant as far as "forwarding all the e-mails" ... but would be easy to read a lot of things wrong in that picture ....

As mentioned elsewehre, above, in other discussions, in the newsgroups, etc. ... one sample/complaint may not do anything for even the most fervent abuse desk person. You send a complaint that a web-page is hosted at IP adress 123.123.123.123 .... abuse staff takes a look and there is no web-page at 123.123.123.123 ..... moves on to the next complaint.

In a cae like this, the whole scenario needs to be pointed out. The fact that IP addresss 123.123.123.123 is but one of the many involved addresses used in the particular spam run. Sit back, capture the rotating DNS and pointer data, capture some of the URL traffic involved ... then build your complaint, include all that captured data to show the systems involved, make it a CC: to all the involved abuse folks.

Link to comment
Share on other sites

  • 2 weeks later...

In a cae like this, the whole scenario needs to be pointed out. The fact that IP addresss 123.123.123.123 is but one of the many involved addresses used in the particular spam run. Sit back, capture the rotating DNS and pointer data, capture some of the URL traffic involved ... then build your complaint, include all that captured data to show the systems involved, make it a CC: to all the involved abuse folks.

I've been religiously doing this, but.. while it's likely that many of these individual IPs have been shut down, the spammer's DNS server, ajaxmx.com, which he's been using all along has still not been shut down. It's hosted by XIN Net, who apparently do not care about spam! :angry:

Link to comment
Share on other sites

Hi,

I'm receiving 10-15 spam messages advertising viagra for the site kosoro . com every day (the spammer uses spaces in the address too). When I enter that address (minus the spaces) into spamcop, it gives me a different reporting address every time! Which one do I use? All of them?<snip>

I don't know if this adds anything, but it appears to be a 'double zombie botnet':

http://www.dnsstuff.com/tools/traversal.ch....com&type=A

Looking up at the 4 kosoro.com. parent servers:

---------------Nameserver---------------------------------------------Response---------------

ns3.ajaxmx.com [68.72.167.130] 66.234.202.106 69.108.112.12 70.168.145.5 70.243.12.130 75.73.218.150

ns4.ajaxmx.com [75.21.148.164] 66.234.202.106 69.108.112.12 70.168.145.5 70.243.12.130 75.73.218.150

ns2.ajaxmx.com [68.51.120.95] 66.234.202.106 69.108.112.12 70.168.145.5 70.243.12.130 75.73.218.150

ns.ajaxmx.com [67.184.86.22] Timeout

The nameserver IPs and the host, (Response) IPs, (the only ones that Spamcop sees & change all the time) all appear to be compromised adsl machines. He's possibly got an Apache webserver on another IP somewhere controlling all of this, (I'm no DNS expert).

The nameserver domain ajaxmx.com has almost certainly been registered by the spammer.....

As Wazoo says, that snapshot above changes all the time, the only two consistent things are the nameserver domain and the site domain.

Edited by bobbear
Link to comment
Share on other sites

I have no idea what a 'double zombie botnet' is...

The website name he uses changes every couple days to a week. His latest is ShowRx.com. In all cases, however, he always uses ajaxmx.com as his DNS. This is registered with XIN Net. I have probably sent them 30 emails and yet they have done nothing. Apparently XIN Net is either a spammer's paradise or he works for the company or something.

I was also wondering something... In cases like this where the spammer uses a rotating DNS, why does spamcop only pick one of the IPs (apparently at random) and report that? Why not report them all at the same time? This would save me refreshing the page over and over again (20-30 times as the same IP will come up many times) trying to get all the unique IPs.

Link to comment
Share on other sites

I was also wondering something... In cases like this where the spammer uses a rotating DNS, why does spamcop only pick one of the IPs (apparently at random) and report that? Why not report them all at the same time? This would save me refreshing the page over and over again (20-30 times as the same IP will come up many times) trying to get all the unique IPs.

These networks are usually made up of corrupt end user machines that can be running the spamvertized web sites and the DNS pointing to them or are simply redirectors to the actual servers, hiding them.

The IP returned by the parser is the current one as if spamcop does a NSLOOKUP. It is random because of the way the spammer is handing out the IP addresses. Any time your application asks for an IP address, only one is returned. It should be quite possible to do more of a dig and get all of the current IP addresses, but that will require someone to delve into the "spagetti of code" that the parser is.

In most of these cases, the DNS is controlled by the spammer and the machines are corrupt end user machines where the ISP support desk is not going to do anything about it anyways. Doing the extra work of finding all the alternate IP addresses and adding them to the report is likely only making more work for you with little or no benefit on the other end. I simply accept the parsers results and am done with it.

Link to comment
Share on other sites

Well... The spammer uses spaces in his URLs, so the parser doesn't report him. I've been doing it manually. It sounds like this spammer has beaten the system and is untouchable and I'm just wasting my time.
Taking out botnets is not SpamCop's purpose. If you want to do that (as many do), look at TerryNZ's Botnet scenario and Complainterator V5 Announcement, Automated complaints to registrars - noting the lastest version source is shown in http://forum.spamcop.net/forums/index.php?...ost&p=55766
Link to comment
Share on other sites

  • 6 months later...

Taking out botnets is not SpamCop's purpose. If you want to do that (as many do), look at TerryNZ's Botnet scenario and Complainterator V5 Announcement, Automated complaints to registrars - noting the lastest version source is shown in http://forum.spamcop.net/forums/index.php?...ost&p=55766

Kind of old article, but before starting a new topic may be I add it here.

Wouldn't it be possible, that Spamcop did several whois on every IP found on a nslookup (host)? Like for example now the spammer at "we-need-your-help-d.com" has the following IPs (a bot net):

we-need-your-help-d.com has address 69.243.17.93

we-need-your-help-d.com has address 71.59.39.237

we-need-your-help-d.com has address 75.42.211.52

we-need-your-help-d.com has address 75.56.221.99

we-need-your-help-d.com has address 76.208.138.29

we-need-your-help-d.com has address 84.237.155.86

we-need-your-help-d.com has address 89.20.148.9

we-need-your-help-d.com has address 98.203.197.253

we-need-your-help-d.com has address 124.86.136.145

we-need-your-help-d.com has address 124.244.154.210

we-need-your-help-d.com has address 125.231.209.1

we-need-your-help-d.com has address 216.186.177.74

we-need-your-help-d.com has address 218.93.5.234

we-need-your-help-d.com has address 221.127.213.120

we-need-your-help-d.com has address 222.110.111.82

we-need-your-help-d.com has address 58.92.130.174

we-need-your-help-d.com has address 60.41.212.85

we-need-your-help-d.com has address 69.22.240.204

we-need-your-help-d.com has address 69.104.54.133

we-need-your-help-d.com has address 69.182.209.214

Why not generate multiple reports to all hostmaster of the IPs appearing here? If Spamcop just grabs one and sends reports like now, AND the hostmaster would take actions, there are still the others there and no complaints are sent, and no (possible) action will be taken.

May be it cause a too high system load?

Link to comment
Share on other sites

Kind of old article, but before starting a new topic may be I add it here.
...Thanks, I think that was considerate of you! :) <g>
Wouldn't it be possible, that Spamcop did several whois on every IP found on a nslookup (host)?

<snip>

Why not generate multiple reports to all hostmaster of the IPs appearing here? If Spamcop just grabs one and sends reports like now, AND the hostmaster would take actions, there are still the others there and no complaints are sent, and no (possible) action will be taken.

May be it cause a too high system load?

...Yes, that would be my guess. If you look at the graphic at the top right of the page, you'll see that SpamCop receives anywhere from about 10 to 25 spams per second and sends anywhere from 10 to 40 messages per second, so it has to be very fast when it processes spam.
Link to comment
Share on other sites

If Spamcop just grabs one and sends reports like now, AND the hostmaster would take actions, there are still the others there and no complaints are sent, and no (possible) action will be taken.

May be it cause a too high system load?

Although system load is likely to be one consideration, it is also true that SpamCop was established for the purpose of identifying the source(s) of identifiable spam messages. Since a single message didn't originate from all the machines in a botnet, SpamCop would not generate a report for all the machines, just those from which an identifiable message has been received.

Andrew

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...