Cannot resolve http://www.theironoly.net/

[efa]

I got error in "Resolving link obfuscation" part of parsing.

Host www.theironoly.net (checking ip) IP not found ; www.theironoly.net discarded as fake.

Host www.theironoly.net (checking ip) IP not found ; www.theironoly.net discarded as fake.

Cannot resolve http://www.theironoly.net/

when theironoly.net seems perfectly browsable with Browser.

here' s the tracking URL:

http://www.spamcop.net/sc?id=z1280946609z3...85c87009795d61z

[StevenUnderwood]

when theironoly.net seems perfectly browsable with Browser.

Please check out the FAQ sections titled:

Steps taken by the parser, general overview

The Link Analysis Process

SpamCop reporting of spamvertized sites - some philosophy

Starting here: http://forum.spamcop.net/forums/index.php?...opic=2238#SCPRS

and looking for the subsection titled: Parsing Problems / Issues

Short answer: Browers are designed to wait a long time to show a web site, time that the parser can not devote to a secondary goal. There are other tools (including manual reporting) that can be used if getting the web site closed is your goal.

[Farelf]

Adding that things are far from fine with theironoly.net - ref

How I am searching:

Searching for theironoly.net A record at j.root-servers.net [192.58.128.30]: Got referral to

E.GTLD-SERVERS.net. (zone: net.) [took 81 ms]

Searching for theironoly.net A record at E.GTLD-SERVERS.net. [192.12.94.30]: Got referral to

ns1.practicekiss.net. (zone: theironoly.net.) [took 103 ms]

Searching for theironoly.net A record at ns1.practicekiss.net. [203.121.174.133]: Timed out. Trying again.

Searching for theironoly.net A record at ns1.practicekiss.net. [203.121.174.133]: Timed out. Trying again.

Searching for theironoly.net A record at ns1.practicekiss.net. [203.121.174.133]: Timed out. Trying again.

Searching for theironoly.net A record at ns1.practicekiss.net. [203.121.174.133]: Timed out. Trying again.

Searching for theironoly.net A record at ns2.norchikmik.com. [81.31.26.22]: Timed out. Trying again.

Searching for theironoly.net A record at ns2.champakdagon.com. [210.48.145.52]: Timed out. Trying again.

[StevenUnderwood]

Adding that things are far from fine with theironoly.net - ref

Locally, I get:

Non-authoritative answer:

Name: www.theironoly.net

Address: 60.210.101.74

Reporting addresses:

ct-abuse[at]abuse.sprint.net

abuse[at]cnc-noc.net

support[at]sdinfo.net

[efa]

Much interesting, thanks for the explanation.

What I cannot understand is:

- browsers do a simple DNS lookup like the Linux 'host' application, to get the IP.

On my system I got immediate answer:

$ host theironoly.net

theironoly.net has address 200.246.142.170

The Linux 'dig' application answer a more complete DNS record, but with the same information, in a reasonable time:

$ dig theironoly.net

; <<>> DiG 9.2.2 <<>> theironoly.net

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13008

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:

;theironoly.net. IN A

;; ANSWER SECTION:

theironoly.net. 600 IN A 200.246.142.170

;; AUTHORITY SECTION:

theironoly.net. 600 IN NS ns1.theironoly.net.

theironoly.net. 600 IN NS ns2.theironoly.net.

theironoly.net. 600 IN NS ns3.theironoly.net.

;; ADDITIONAL SECTION:

ns1.theironoly.net. 600 IN A 200.246.142.170

ns2.theironoly.net. 600 IN A 200.246.142.170

ns3.theironoly.net. 600 IN A 165.147.12.67

;; Query time: 285 msec

;; SERVER: 138.132.1.1#53(138.132.1.1)

;; WHEN: Thu Apr 19 13:57:25 2007

;; MSG SIZE rcvd: 150

What other method use spamcomp to resolve DNS onto IP address?

[StevenUnderwood]

Much interesting, thanks for the explanation.

What I cannot understand is:

- browsers do a simple DNS lookup like the Linux 'host' application, to get the IP.

On my system I got immediate answer:

...

;; Query time: 285 msec

What you call immediate is a lifetime for a system processing 9 to 12 messages every second. Spamcop processes 2-3 entire messages in the time your one lookup took. You have used more than a quarter of a second on one part of a parse on one message.

For another point of view: http://www.dnsreport.com/tools/dnsreport.c...=theironoly.net

Take a close look at the stats behind that little graph at the top of the page. Once again, you are always welcome to send your own manual reports or if you have paid reporting, you can do the lookup manually and add the address to the reports you send through spamcop.

[efa]

understood, thanks

[Telarin]

It also seems to be more and more common for spammer controlled nameservers to block requests from places like SpamCop and DNSStuff.

[efa]

now there is another domain that seems abnormal:

http://www.ShowRx.com/

every query, the DNS report a different IP and Spamcop report a different abuse email.

but the website is everytime the same illegal pharmacy seller.

In last 3 days I got these owner:

21 april 2007 15.24.41 +0200:

* 2255515515 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net

21 april 2007 16.05.17 +0200:

* 2255596877 ( http://www.ShowRx.com/ ) To: postmaster[at]astound.net

* 2255596846 ( http://www.ShowRx.com/ ) To: abuse[at]seren.com

21 april 2007 16.53.53 +0200:

* 2255643297 ( http://www.ShowRx.com/ ) To: abuse[at]charter.net

* 2255643293 ( http://www.ShowRx.com/ ) To: abuse[at]chartercom.com

* 2255643289 ( http://www.ShowRx.com/ ) To: spamalert[at]charter.net

21 april 2007 17.39.40 +0200:

* 2255708608 ( http://www.ShowRx.com/ ) To: abuse[at]sympatico.ca

21 april 2007 17.42.05 +0200:

* 2255713169 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com

21 april 2007 20.04.18 +0200:

* 2255875167 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net

21 april 2007 21.08.39 +0200:

* 2255946923 ( http://www.ShowRx.com/ ) To: abuse[at]comcast.net

21 april 2007 21.24.05 +0200:

* 2255967216 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net

21 april 2007 21.41.19 +0200:

* 2255985103 ( http://www.ShowRx.com/ ) To: abuse[at]comcast.net

21 april 2007 22.14.10 +0200:

* 2256014213 ( http://www.ShowRx.com/ ) To: postmaster[at]icsincorporated.com

21 april 2007 22.57.17 +0200:

* 2256048037 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net

22 april 2007 0.27.35 +0200:

* 2256114542 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com

22 april 2007 0.33.08 +0200:

* 2256119548 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net

22 april 2007 6.27.19 +0200:

* 2256398613 ( http://www.ShowRx.com/ ) To: abuse[at]comcast.net

22 april 2007 6.28.34 +0200:

* 2256398701 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com

22 april 2007 6.29.07 +0200:

* 2256399062 ( http://www.ShowRx.com/ ) To: abuse[at]prodigy.net

22 april 2007 6.31.28 +0200:

* 2256400919 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com

22 april 2007 9.07.48 +0200:

* 2256531299 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com

22 april 2007 9.46.28 +0200:

* 2256564599 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com

22 april 2007 10.16.21 +0200:

* 2256603265 ( http://www.ShowRx.com/ ) To: abuse[at]rr.com

22 april 2007 10.18.41 +0200:

* 2256601976 ( http://www.ShowRx.com/ ) To: internet.abuse#sjrb.ca[at]devnull.spamcop.net

22 april 2007 10.20.32 +0200:

* 2256604515 ( http://www.ShowRx.com/ ) To: ipmanage[at]rogers.wave.ca

[Wazoo]

Rotating DNS, BotNet, compromised computers .. numerous descriptions of what you are attempting to describe, ask about, ??????

[efa]

The only thing that I can see is that the abuse email related to the same domain, change very rapidly.

Is it normal?

[Wazoo]

Is it normal?

No, that's why the various words were offered in my previous post .... rotating DNS, Botnet, compromised computers .... these are not the 'normal' locations for a hosted web-site ....

[efa]

How can I distinguish from those situations:

rotating DNS, Botnet, compromised computers, ecc...

?

[agsteele]

How can I distinguish from those situations:

rotating DNS, Botnet, compromised computers, ecc...

?

I'm not sure you need to. Just trust the parser

[Cornholio]

now there is another domain that seems abnormal:

http://www.ShowRx.com/

every query, the DNS report a different IP and Spamcop report a different abuse email.

but the website is everytime the same illegal pharmacy seller.

In last 3 days I got these owner:

We share the same spammer apparently! Check out this thread: http://forum.spamcop.net/forums/index.php?showtopic=8076

[efa]

We share the same spammer apparently!

I do not know if this is a good thing!

:-)

Seems that "Global Pharmacy" register a lot of different domains, fill with same junk, and spam all over the users with all those domains.

Another one is "Anatrim" diet junk:

http://g36a6e6e726e716e717f7a45743379w7exmueu.tirek.hk/n/

they do not use simple domain, change domain about every days, but the method is similar.