Different reporting address every time?


Cornholio

Hi,

I'm receiving 10-15 spam messages advertising viagra for the site kosoro . com every day (the spammer uses spaces in the address too). When I enter that address (minus the spaces) into spamcop, it gives me a different reporting address every time! Which one do I use? All of them?

Try this link: http://www.spamcop.net/sc?track=kosoro.com and refresh the page a few times. It gives a different IP address and a different reporting address each time.

What's the deal? How can I report this ***hole?


Technically, I'm not sure what your question really is. At the time of a/the parse, look-ups are done to come up with locations and targets. As you've noted, this is a spammer-controlled item, complete with rotating DNS and web-page content holding places. Nothing new there.

Point is that the report would be valid for the conditions seen at that point in time. Things working normally would possibly lead to an abuse-desk person receiving/reading the complaint hours later, taking a look, and of course, not finding anything, as the spammer had already moved on to the next batch of compromised machines.

03/26/07 12:52:08 dns kosoro.com

Canonical name: kosoro.com

Addresses:

65.32.79.247

74.141.176.10

68.48.231.246

75.73.49.51

71.235.5.251

03/26/07 12:52:29 Slow traceroute kosoro.com

Trace kosoro.com (74.141.176.10) ...

144.232.20.129 RTT: 274ms TTL: 96 (sl-bb21-kc-3-0.sprintlink.net ok)

144.232.23.70 RTT: 236ms TTL: 96 (sl-gw16-kc-0-0.sprintlink.net ok)

160.81.75.198 RTT: 236ms TTL: 96 (sl-insig-5-0.sprintlink.net ok)

* * * failed

* * * failed

already moved on

03/26/07 13:00:50 dns kosoro.com

Canonical name: kosoro.com

Addresses:

65.32.79.247

70.48.239.64

24.173.6.166

12.31.211.99

70.251.235.76

03/26/07 13:01:37 Slow traceroute kosoro.com

Trace kosoro.com (24.173.6.166) ...

24.93.34.105 RTT: 249ms TTL: 96 (gig15-0-0.hstntxtid-rtr1.houston.rr.com ok)

24.28.97.70 RTT: 266ms TTL: 96 (gig1-0-0.hstntxroy-ubr18.houston.rr.com ok)

24.173.6.166 RTT:1722ms TTL:112 (rrcs-24-173-6-166.sw.biz.rr.com ok)

whois -h whois.crsnic.net kosoro.com ...

Redirecting to XIN NET TECHNOLOGY CORPORATION

whois -h whois.paycenter.com.cn kosoro.com ...

Domain Name:kosoro.com

Registrant:

wen

No.12 chang'an road

100001

Administrative Contact:

top wen

wen

No.12 chang'an road

beijing Beijing 100001

China

tel: 86 010 3393884

fax: 86 010 4399388

12[at]12.com

Technical Contact:

top wen

wen

No.12 chang'an road

beijing Beijing 100001

China

tel: 86 010 3393884

fax: 86 010 4399388

12[at]12.com

Billing Contact:

top wen

wen

No.12 chang'an road

beijing Beijing 100001

China

tel: 86 010 3393884

fax: 86 010 4399388

12[at]12.com

Registration Date: 2007-03-04

Update Date: 2007-03-22

Expiration Date: 2008-03-04

Primary DNS: ns.ajaxmx.com 64.110.241.4

Secondary DNS: ns2.ajaxmx.com 75.53.97.227

Can't help but think that the data seen there is anything but 100% truthful, honest, and accurate <g>

Anyway, take a look at Complainterator (this Topic/tool) if you really want to 'do' something about this, beyond sitting down and manually reporting all this crap to all the ISPs involved with the compromised computers (and that gets old pretty quick).


So, basically, all of the various reporting email addresses I'm seeing are correct. What I'm going to do is keep refreshing the page, collect all the various reporting email addresses and put them in a list (abuse[at]x.com, abuse[at]y.net, etc.) and every time I get one of these emails forward it to the entire list!

Thank you for clarifying things.


I was finally able to get Complainterator to work. I use Yahoo (web-based) mail so I had to use prompted mode. In order to get that to work, I had to change my home page settings to a blank page. Thanks again for your help!

If you can get Complainterator to work (works for me) and a web site is taken down, you have made millions of spams useless.

SpamCop informs (or tries to) as many ISPs as possible of their and/or their customers' security problems.

Many ISPs react quickly to this. If an ISP is incompetent, it will be added to SpamCop's blocklist, which stops spam as it is being sent, not after it is sent; the spam is then instantly bit-binned and/or put in the spam folder.

Attack is your best defence against spammers. SpamCop also alerts crime investigators of spammer activity, and many spammers are finding themselves in court for this.


If you can get Complainterator to work (works for me) and a web site is taken down, you have made millions of spams useless.

Well, unfortunately this hasn't helped. I've reported 5 different sites this spammer uses (all with the same DNS server) over about a week with no results. Apparently XIN Net has no interest in stopping spammers. The spammer continues to harass me with a deluge of daily spams. :angry:

I have also been forwarding all the emails to each abuse address for all the rotating IP addresses he uses. No progress on that front either. Nobody seems to care!


I have also been forwarding all the emails to each abuse address for all the rotating IP addresses he uses. No progress on that front either. Nobody seems to care!

Not sure about what you might have meant as far as "forwarding all the e-mails" ... but would be easy to read a lot of things wrong in that picture ....

As mentioned elsewhere, above, in other discussions, in the newsgroups, etc. ... one sample/complaint may not do anything for even the most fervent abuse desk person. You send a complaint that a web-page is hosted at IP address 123.123.123.123 .... abuse staff takes a look and there is no web-page at 123.123.123.123 ..... moves on to the next complaint.

In a case like this, the whole scenario needs to be pointed out. The fact that IP address 123.123.123.123 is but one of the many involved addresses used in the particular spam run. Sit back, capture the rotating DNS and pointer data, capture some of the URL traffic involved ... then build your complaint, include all that captured data to show the systems involved, make it a CC: to all the involved abuse folks.


  • 2 weeks later...

In a case like this, the whole scenario needs to be pointed out. The fact that IP address 123.123.123.123 is but one of the many involved addresses used in the particular spam run. Sit back, capture the rotating DNS and pointer data, capture some of the URL traffic involved ... then build your complaint, include all that captured data to show the systems involved, make it a CC: to all the involved abuse folks.

I've been religiously doing this, but while it's likely that many of these individual IPs have been shut down, the spammer's DNS server, ajaxmx.com, which he's been using all along, has still not been shut down. It's hosted by XIN Net, who apparently do not care about spam! :angry:


Hi,

I'm receiving 10-15 spam messages advertising viagra for the site kosoro . com every day (the spammer uses spaces in the address too). When I enter that address (minus the spaces) into spamcop, it gives me a different reporting address every time! Which one do I use? All of them?<snip>

I don't know if this adds anything, but it appears to be a 'double zombie botnet':

http://www.dnsstuff.com/tools/traversal.ch....com&type=A

Looking up at the 4 kosoro.com. parent servers:

Nameserver                        Response
ns3.ajaxmx.com [68.72.167.130]    66.234.202.106 69.108.112.12 70.168.145.5 70.243.12.130 75.73.218.150
ns4.ajaxmx.com [75.21.148.164]    66.234.202.106 69.108.112.12 70.168.145.5 70.243.12.130 75.73.218.150
ns2.ajaxmx.com [68.51.120.95]     66.234.202.106 69.108.112.12 70.168.145.5 70.243.12.130 75.73.218.150
ns.ajaxmx.com  [67.184.86.22]     Timeout

The nameserver IPs and the host (Response) IPs (the only ones that SpamCop sees, and they change all the time) all appear to be compromised ADSL machines. He's possibly got an Apache webserver on another IP somewhere controlling all of this (I'm no DNS expert).

The nameserver domain ajaxmx.com has almost certainly been registered by the spammer.....

As Wazoo says, that snapshot above changes all the time, the only two consistent things are the nameserver domain and the site domain.


I have no idea what a 'double zombie botnet' is...

The website name he uses changes every couple of days to a week. His latest is ShowRx.com. In all cases, however, he always uses ajaxmx.com as his DNS. This is registered with XIN Net. I have probably sent them 30 emails and yet they have done nothing. Apparently XIN Net is either a spammer's paradise or he works for the company or something.

I was also wondering something... In cases like this where the spammer uses a rotating DNS, why does spamcop only pick one of the IPs (apparently at random) and report that? Why not report them all at the same time? This would save me refreshing the page over and over again (20-30 times as the same IP will come up many times) trying to get all the unique IPs.


I was also wondering something... In cases like this where the spammer uses a rotating DNS, why does spamcop only pick one of the IPs (apparently at random) and report that? Why not report them all at the same time? This would save me refreshing the page over and over again (20-30 times as the same IP will come up many times) trying to get all the unique IPs.

These networks are usually made up of corrupt end user machines that can be running the spamvertized web sites and the DNS pointing to them or are simply redirectors to the actual servers, hiding them.

The IP returned by the parser is the current one, as if SpamCop does an NSLOOKUP. It is random because of the way the spammer is handing out the IP addresses. Any time your application asks for an IP address, only one is returned. It should be quite possible to do more of a dig and get all of the current IP addresses, but that will require someone to delve into the "spaghetti of code" that the parser is.

In most of these cases, the DNS is controlled by the spammer and the machines are corrupt end user machines where the ISP support desk is not going to do anything about it anyway. Doing the extra work of finding all the alternate IP addresses and adding them to the report is likely only making more work for you with little or no benefit on the other end. I simply accept the parser's results and am done with it.


Well... The spammer uses spaces in his URLs, so the parser doesn't report him. I've been doing it manually. It sounds like this spammer has beaten the system and is untouchable and I'm just wasting my time.

Taking out botnets is not SpamCop's purpose. If you want to do that (as many do), look at TerryNZ's Botnet scenario and Complainterator V5 Announcement, Automated complaints to registrars - noting the latest version source is shown in http://forum.spamcop.net/forums/index.php?...ost&p=55766

  • 6 months later...

Taking out botnets is not SpamCop's purpose. If you want to do that (as many do), look at TerryNZ's Botnet scenario and Complainterator V5 Announcement, Automated complaints to registrars - noting the latest version source is shown in http://forum.spamcop.net/forums/index.php?...ost&p=55766

Kind of old article, but before starting a new topic, maybe I'll add it here.

Wouldn't it be possible for SpamCop to do a whois on every IP found in an nslookup (host)? For example, right now the spammer at "we-need-your-help-d.com" has the following IPs (a botnet):

we-need-your-help-d.com has address 69.243.17.93

we-need-your-help-d.com has address 71.59.39.237

we-need-your-help-d.com has address 75.42.211.52

we-need-your-help-d.com has address 75.56.221.99

we-need-your-help-d.com has address 76.208.138.29

we-need-your-help-d.com has address 84.237.155.86

we-need-your-help-d.com has address 89.20.148.9

we-need-your-help-d.com has address 98.203.197.253

we-need-your-help-d.com has address 124.86.136.145

we-need-your-help-d.com has address 124.244.154.210

we-need-your-help-d.com has address 125.231.209.1

we-need-your-help-d.com has address 216.186.177.74

we-need-your-help-d.com has address 218.93.5.234

we-need-your-help-d.com has address 221.127.213.120

we-need-your-help-d.com has address 222.110.111.82

we-need-your-help-d.com has address 58.92.130.174

we-need-your-help-d.com has address 60.41.212.85

we-need-your-help-d.com has address 69.22.240.204

we-need-your-help-d.com has address 69.104.54.133

we-need-your-help-d.com has address 69.182.209.214

Why not generate multiple reports to all the hostmasters of the IPs appearing here? If SpamCop just grabs one and sends reports like now, AND the hostmaster takes action, the others are still there, no complaints are sent, and no (possible) action will be taken.

Maybe it would cause too high a system load?

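The aggregation this post asks for, and which the earlier replies describe in prose (Wazoo's advice to capture the rotating DNS data before building one complaint CC'd to every abuse desk, and the remark that "more of a dig" could return all of the current addresses), as an added example. This is my own script, not part of the thread and not anything SpamCop's parser does. It takes repeated `host`-style lookups, merges them into one address set with first/last-seen times, scores how "rotating" the set looks, and prints a complaint body listing every node. The two snapshots are the `dns kosoro.com` lookups and timestamps posted earlier in this thread, rewritten in `host` output form; nothing was resolved live. The /16 spread heuristic, the turnover metric and the report layout are my choices. Mapping each address to its abuse contact (whois/RDAP) is left out because it needs the network. One factual note: a single A query returns the whole RRset, and `getaddrinfo` hands every address to the caller; only `gethostbyname`-style calls pick one.

```python
import ipaddress
import re
import socket
from collections import OrderedDict

# Snapshots: the two `dns kosoro.com` lookups posted earlier in this thread,
# with their posted timestamps, rewritten in `host` output form. Nothing here
# was resolved live for this example.
DOMAIN = "kosoro.com"
SNAPSHOTS = [
    ("03/26/07 12:52:08", """
kosoro.com has address 65.32.79.247
kosoro.com has address 74.141.176.10
kosoro.com has address 68.48.231.246
kosoro.com has address 75.73.49.51
kosoro.com has address 71.235.5.251
"""),
    ("03/26/07 13:00:50", """
kosoro.com has address 65.32.79.247
kosoro.com has address 70.48.239.64
kosoro.com has address 24.173.6.166
kosoro.com has address 12.31.211.99
kosoro.com has address 70.251.235.76
"""),
]

HOST_LINE = re.compile(r"^\S+ has address (\d{1,3}(?:\.\d{1,3}){3})$")


def normalize_domain(spamvertised):
    """Undo the 'kosoro . com' spacing trick so the name can be looked up."""
    return re.sub(r"\s*\.\s*", ".", spamvertised.strip().lower())


def parse_host_output(text):
    """IPv4 addresses from `host <name>` output, in answer order, de-duplicated."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            seen.setdefault(m.group(1), None)
    return list(seen)


def live_snapshot(domain):
    """One real lookup. A single A query returns the whole RRset and getaddrinfo
    hands every address to the caller; only gethostbyname-style calls pick one.
    Needs the network, so the offline demo below never calls it."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def aggregate(snapshots):
    """Merge timed snapshots into {ip: {first, last, hits}} keyed by address."""
    agg = OrderedDict()
    for ts, text in snapshots:
        for ip in parse_host_output(text):
            entry = agg.setdefault(ip, {"first": ts, "last": ts, "hits": 0})
            entry["last"] = ts
            entry["hits"] += 1
    return agg


def churn(snapshots):
    """Per snapshot, the fraction of addresses absent from the previous one.
    Ordinary round-robin hosting stays near 0; a rotating zombie pool stays high."""
    prev, rates = None, []
    for _, text in snapshots:
        cur = set(parse_host_output(text))
        if prev is not None:
            rates.append(len(cur - prev) / len(cur))
        prev = cur
    return rates


def flux_indicators(ips):
    """Heuristic (mine, not SpamCop's): a legitimate site sits in one or two
    hosting netblocks, while a pool of compromised broadband hosts is spread
    over many unrelated /16s and /8s."""
    nets16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    nets8 = {ipaddress.ip_network(f"{ip}/8", strict=False) for ip in ips}
    return {"addresses": len(ips), "distinct_16s": len(nets16), "distinct_8s": len(nets8)}


def build_report(domain, snapshots):
    """Plain-text complaint body listing every observed node, so each abuse desk
    on the CC: list sees the whole rotation rather than its one address."""
    agg = aggregate(snapshots)
    ind = flux_indicators(agg)
    lines = [
        f"Subject: rotating-DNS spamvertised site {domain}: all observed hosts",
        "",
        f"{domain} resolved to {ind['addresses']} distinct addresses over "
        f"{len(snapshots)} lookups, spread across {ind['distinct_16s']} /16 blocks "
        f"({ind['distinct_8s']} /8s); turnover between lookups: "
        + ", ".join(f"{r:.0%}" for r in churn(snapshots)),
        "Each address below is one node of the same rotation; please look at all",
        "of them, not only the one named in the automated report.",
        "",
        f"{'address':<16} {'first seen':<18} {'last seen':<18} seen",
    ]
    for ip, e in agg.items():
        lines.append(f"{ip:<16} {e['first']:<18} {e['last']:<18} {e['hits']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(normalize_domain("kosoro . com"), SNAPSHOTS))
```

Run it repeatedly with `live_snapshot()` feeding `SNAPSHOTS` a few minutes apart and the turnover figure tells you within an hour whether you are looking at a rotating pool or an ordinary round-robin; on the two posted snapshots, 4 of 5 addresses changed between lookups eight minutes apart, across nine different /16s.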

Kind of old article, but before starting a new topic, maybe I'll add it here.

...Thanks, I think that was considerate of you! :) <g>

Wouldn't it be possible for SpamCop to do a whois on every IP found in an nslookup (host)?

<snip>

Why not generate multiple reports to all the hostmasters of the IPs appearing here? If SpamCop just grabs one and sends reports like now, AND the hostmaster takes action, the others are still there, no complaints are sent, and no (possible) action will be taken.

Maybe it would cause too high a system load?

...Yes, that would be my guess. If you look at the graphic at the top right of the page, you'll see that SpamCop receives anywhere from about 10 to 25 spams per second and sends anywhere from 10 to 40 messages per second, so it has to be very fast when it processes spam.

If SpamCop just grabs one and sends reports like now, AND the hostmaster takes action, the others are still there, no complaints are sent, and no (possible) action will be taken.

Maybe it would cause too high a system load?

Although system load is likely to be one consideration, it is also true that SpamCop was established for the purpose of identifying the source(s) of identifiable spam messages. Since a single message didn't originate from all the machines in a botnet, SpamCop would not generate a report for all the machines, just those from which an identifiable message has been received.

Andrew

