efa Posted April 17, 2007

I got an error in the "Resolving link obfuscation" part of parsing.

    Host www.theironoly.net (checking ip) IP not found ; www.theironoly.net discarded as fake.
    Host www.theironoly.net (checking ip) IP not found ; www.theironoly.net discarded as fake.
    Cannot resolve http://www.theironoly.net/

when theironoly.net seems perfectly browsable with Browser.

Here's the tracking URL: http://www.spamcop.net/sc?id=z1280946609z3...85c87009795d61z

StevenUnderwood Posted April 17, 2007

> when theironoly.net seems perfectly browsable with Browser.

Please check out the FAQ sections titled:

- Steps taken by the parser, general overview
- The Link Analysis Process
- SpamCop reporting of spamvertized sites - some philosophy

Starting here: http://forum.spamcop.net/forums/index.php?...opic=2238#SCPRS and looking for the subsection titled: Parsing Problems / Issues

Short answer: Browsers are designed to wait a long time to show a web site, time that the parser cannot devote to a secondary goal. There are other tools (including manual reporting) that can be used if getting the web site closed is your goal.

Farelf Posted April 17, 2007

Adding that things are far from fine with theironoly.net - ref

    How I am searching:
    Searching for theironoly.net A record at j.root-servers.net [192.58.128.30]: Got referral to E.GTLD-SERVERS.net. (zone: net.) [took 81 ms]
    Searching for theironoly.net A record at E.GTLD-SERVERS.net. [192.12.94.30]: Got referral to ns1.practicekiss.net. (zone: theironoly.net.) [took 103 ms]
    Searching for theironoly.net A record at ns1.practicekiss.net. [203.121.174.133]: Timed out. Trying again.
    Searching for theironoly.net A record at ns1.practicekiss.net. [203.121.174.133]: Timed out. Trying again.
    Searching for theironoly.net A record at ns1.practicekiss.net. [203.121.174.133]: Timed out. Trying again.
    Searching for theironoly.net A record at ns1.practicekiss.net. [203.121.174.133]: Timed out. Trying again.
    Searching for theironoly.net A record at ns2.norchikmik.com. [81.31.26.22]: Timed out. Trying again.
    Searching for theironoly.net A record at ns2.champakdagon.com. [210.48.145.52]: Timed out. Trying again.

StevenUnderwood Posted April 17, 2007

> Adding that things are far from fine with theironoly.net - ref

Locally, I get:

    Non-authoritative answer:
    Name: www.theironoly.net
    Address: 60.210.101.74

Reporting addresses:

    ct-abuse[at]abuse.sprint.net
    abuse[at]cnc-noc.net
    support[at]sdinfo.net

efa Posted April 19, 2007

Very interesting, thanks for the explanation. What I cannot understand is:

- browsers do a simple DNS lookup like the Linux 'host' application, to get the IP.

On my system I got an immediate answer:

    $ host theironoly.net
    theironoly.net has address 200.246.142.170

The Linux 'dig' application answers with a more complete DNS record, but with the same information, in a reasonable time:

    $ dig theironoly.net

    ; <<>> DiG 9.2.2 <<>> theironoly.net
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13008
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

    ;; QUESTION SECTION:
    ;theironoly.net. IN A

    ;; ANSWER SECTION:
    theironoly.net. 600 IN A 200.246.142.170

    ;; AUTHORITY SECTION:
    theironoly.net. 600 IN NS ns1.theironoly.net.
    theironoly.net. 600 IN NS ns2.theironoly.net.
    theironoly.net. 600 IN NS ns3.theironoly.net.

    ;; ADDITIONAL SECTION:
    ns1.theironoly.net. 600 IN A 200.246.142.170
    ns2.theironoly.net. 600 IN A 200.246.142.170
    ns3.theironoly.net. 600 IN A 165.147.12.67

    ;; Query time: 285 msec
    ;; SERVER: 138.132.1.1#53(138.132.1.1)
    ;; WHEN: Thu Apr 19 13:57:25 2007
    ;; MSG SIZE rcvd: 150

What other method does SpamCop use to resolve DNS to an IP address?

StevenUnderwood Posted April 19, 2007

> Very interesting, thanks for the explanation. What I cannot understand is:
> - browsers do a simple DNS lookup like the Linux 'host' application, to get the IP.
> On my system I got an immediate answer:
> ...
> ;; Query time: 285 msec

What you call immediate is a lifetime for a system processing 9 to 12 messages every second. SpamCop processes 2-3 entire messages in the time your one lookup took. You have used more than a quarter of a second on one part of a parse on one message.

For another point of view: http://www.dnsreport.com/tools/dnsreport.c...=theironoly.net

Take a close look at the stats behind that little graph at the top of the page.

Once again, you are always welcome to send your own manual reports or, if you have paid reporting, you can do the lookup manually and add the address to the reports you send through SpamCop.

efa Posted April 19, 2007

Understood, thanks.

Telarin Posted April 19, 2007

It also seems to be more and more common for spammer-controlled nameservers to block requests from places like SpamCop and DNSStuff.

efa Posted April 22, 2007

Now there is another domain that seems abnormal: http://www.ShowRx.com/

On every query, the DNS reports a different IP and SpamCop reports a different abuse email, but the website is every time the same illegal pharmacy seller. In the last 3 days I got these owners:

    21 april 2007 15.24.41 +0200:
    * 2255515515 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net
    21 april 2007 16.05.17 +0200:
    * 2255596877 ( http://www.ShowRx.com/ ) To: postmaster[at]astound.net
    * 2255596846 ( http://www.ShowRx.com/ ) To: abuse[at]seren.com
    21 april 2007 16.53.53 +0200:
    * 2255643297 ( http://www.ShowRx.com/ ) To: abuse[at]charter.net
    * 2255643293 ( http://www.ShowRx.com/ ) To: abuse[at]chartercom.com
    * 2255643289 ( http://www.ShowRx.com/ ) To: spamalert[at]charter.net
    21 april 2007 17.39.40 +0200:
    * 2255708608 ( http://www.ShowRx.com/ ) To: abuse[at]sympatico.ca
    21 april 2007 17.42.05 +0200:
    * 2255713169 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com
    21 april 2007 20.04.18 +0200:
    * 2255875167 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net
    21 april 2007 21.08.39 +0200:
    * 2255946923 ( http://www.ShowRx.com/ ) To: abuse[at]comcast.net
    21 april 2007 21.24.05 +0200:
    * 2255967216 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net
    21 april 2007 21.41.19 +0200:
    * 2255985103 ( http://www.ShowRx.com/ ) To: abuse[at]comcast.net
    21 april 2007 22.14.10 +0200:
    * 2256014213 ( http://www.ShowRx.com/ ) To: postmaster[at]icsincorporated.com
    21 april 2007 22.57.17 +0200:
    * 2256048037 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net
    22 april 2007 0.27.35 +0200:
    * 2256114542 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com
    22 april 2007 0.33.08 +0200:
    * 2256119548 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net
    22 april 2007 6.27.19 +0200:
    * 2256398613 ( http://www.ShowRx.com/ ) To: abuse[at]comcast.net
    22 april 2007 6.28.34 +0200:
    * 2256398701 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com
    22 april 2007 6.29.07 +0200:
    * 2256399062 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net
    22 april 2007 6.31.28 +0200:
    * 2256400919 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com
    22 april 2007 9.07.48 +0200:
    * 2256531299 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com
    22 april 2007 9.46.28 +0200:
    * 2256564599 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com
    22 april 2007 10.16.21 +0200:
    * 2256603265 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com
    22 april 2007 10.18.41 +0200:
    * 2256601976 ( http://www.ShowRx.com/ ) To: internet.abuse#sjrb.ca[at]devnull.spamcop.net
    22 april 2007 10.20.32 +0200:
    * 2256604515 ( http://www.ShowRx.com/ ) To: ipmanage[at]rogers.wave.ca

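A way to measure the rotation visible in the report list above, as an added example that is not part of the original thread: it parses report lines in that format and flags any host whose set of abuse contacts takes several distinct values inside one time window. The 24-hour window and the threshold of 4 are assumed values, the function names are hypothetical, and the `www.example.com` entry is a constructed control.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# A subset of the report list posted above, plus one constructed control
# entry for www.example.com (report ID 1000000001 is made up).
SAMPLE = """\
21 april 2007 15.24.41 +0200:
* 2255515515 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net
21 april 2007 16.05.17 +0200:
* 2255596877 ( http://www.ShowRx.com/ ) To: postmaster[at]astound.net
* 2255596846 ( http://www.ShowRx.com/ ) To: abuse[at]seren.com
21 april 2007 16.53.53 +0200:
* 2255643297 ( http://www.ShowRx.com/ ) To: abuse[at]charter.net
21 april 2007 17.39.40 +0200:
* 2255708608 ( http://www.ShowRx.com/ ) To: abuse[at]sympatico.ca
21 april 2007 20.04.18 +0200:
* 2255875167 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net
21 april 2007 15.30.00 +0200:
* 1000000001 ( http://www.example.com/ ) To: abuse[at]example.net
"""

# Matches either a parse timestamp or one "* id ( url ) To: contact" entry.
TOKEN = re.compile(
    r"(?P<ts>\d{1,2} \w+ \d{4} \d{1,2}\.\d{2}\.\d{2} [+-]\d{4}):"
    r"|\* \d+ \( (?P<url>\S+) \) To: (?P<to>\S+)")

def parse_reports(text):
    """Return {host: {parse time: frozenset of abuse contacts}}."""
    seen = defaultdict(lambda: defaultdict(set))
    when = None
    for m in TOKEN.finditer(text):
        if m["ts"]:
            when = datetime.strptime(m["ts"], "%d %B %Y %H.%M.%S %z")
        elif when is not None:
            host = urlsplit(m["url"]).hostname  # urlsplit lower-cases it
            seen[host][when].add(m["to"].lower())
    return {h: {t: frozenset(c) for t, c in d.items()} for h, d in seen.items()}

def rotating_hosts(text, window=timedelta(hours=24), min_sets=4):
    """Hosts whose contact set took >= min_sets distinct values in one window."""
    flagged = {}
    for host, by_t in parse_reports(text).items():
        times = sorted(by_t)
        best = max(len({by_t[t] for t in times[i:] if t - times[i] <= window})
                   for i in range(len(times)))
        if best >= min_sets:
            flagged[host] = best
    return flagged
```

A repeated contact set (prodigy.net appears twice in the sample) is counted once, so a host that merely gets reported often at the same provider is not flagged.
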
Wazoo Posted April 22, 2007

Rotating DNS, BotNet, compromised computers .. numerous descriptions of what you are attempting to describe, ask about, ??????

efa Posted April 23, 2007

The only thing that I can see is that the abuse email related to the same domain changes very rapidly. Is it normal?

Wazoo Posted April 23, 2007

> Is it normal?

No, that's why the various words were offered in my previous post .... rotating DNS, Botnet, compromised computers .... these are not the 'normal' locations for a hosted web-site ....

efa Posted April 23, 2007

How can I distinguish between those situations: rotating DNS, Botnet, compromised computers, etc.?

agsteele Posted April 23, 2007

> How can I distinguish between those situations: rotating DNS, Botnet, compromised computers, etc.?

I'm not sure you need to. Just trust the parser.

Cornholio Posted April 23, 2007

> Now there is another domain that seems abnormal: http://www.ShowRx.com/
> On every query, the DNS reports a different IP and SpamCop reports a different abuse email, but the website is every time the same illegal pharmacy seller. In the last 3 days I got these owners:

We share the same spammer apparently! Check out this thread: http://forum.spamcop.net/forums/index.php?showtopic=8076

efa Posted April 24, 2007

> We share the same spammer apparently!

I do not know if this is a good thing! :-)

It seems that "Global Pharmacy" registers a lot of different domains, fills them with the same junk, and spams users with all those domains.

Another one is the "Anatrim" diet junk: http://g36a6e6e726e716e717f7a45743379w7exmueu.tirek.hk/n/

They do not use a simple domain and change domain about every day, but the method is similar.
