heliophagus
Posted June 8, 2007

Greetings! I am being sent anywhere from 10 - 20 really obnoxious porno spams per day, all with similar content, and all referencing different sites with gibberish names such as http://uluhovyf.info. SpamCop always claims that the web sites do not exist, but here is the whois on one such site:

Domain Name:ULUHOVYF.INFO
Created On:07-Jun-2007 10:44:48 UTC
Last Updated On:07-Jun-2007 16:38:39 UTC
Expiration Date:07-Jun-2008 10:44:48 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:DI_6700359
Registrant Name:Sarah Armour
Registrant Organization:N/A
Registrant Street1:22 North
Registrant Street2:
Registrant Street3:
Registrant City:Palm Harbor
Registrant State/Province:Florida
Registrant Postal Code:34684
Registrant Country:US
Registrant Phone:+1.5207062511
.....
Tech Email:saraharmouraa[at]yahoo.com
Name Server:NS2.GARLEL.INFO
Name Server:NS1.NSSATER.INFO

All of the gibberish sites I've looked up are owned by the same person. The actual spams originate from spam-friendly ISPs all over the world, so this is more than likely a front.

It's annoying enough to receive this daily blizzard of really obnoxious spam (incest, weird perversions, etc. etc.) but it's REALLY frustrating to find that SpamCop can't deal with the URLs. Does anyone have any suggestions?
StevenUnderwood
Posted June 8, 2007

> SpamCop always claims that the web sites do not exist, but here is the whois on one such site:
> ...
> All of the gibberish sites I've looked up are owned by the same person.
> Does anyone have any suggestions?

; <<>> DiG 9.2.1 <<>> uluhovyf.info
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1553
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;uluhovyf.info. IN A

;; ANSWER SECTION:
uluhovyf.info. 600 IN A 190.54.55.101

;; Query time: 690 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: Fri Jun 8 08:17:01 2007
;; MSG SIZE rcvd: 47

Since they are all registered to the same person, it is likely they are all using the same slow DNS responses to get around SpamCop's parsers. This query took over half a second. SpamCop receives about 10 spam messages every second.

This has been discussed here quite often. SpamCop is not really saying the site does not exist. It is saying the DNS servers did not respond in a reasonable amount of time. Browsers are designed to wait much longer for a response so the user will not get the "site does not exist" error page.

The suggestion is to manually parse just the web site and/or IP address you find and, if you are a paid reporter, add the address to your outgoing reports, or send manual reports, which often times are more effective.

Parsing input: 190.54.55.101
Reporting addresses:
abuse[at]ip.telmexchile.cl
postmaster[at]telmexchile.cl

Please check out http://forum.spamcop.net/forums/index.php?...ost&p=27712 for a more official explanation.
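An added example, not part of the thread and not SpamCop's code: it parses the dig output posted above and shows how a lookup that returns NOERROR can still be treated as unresolved once a per-lookup time budget is applied. The 500 ms budget, the classification labels and the function names are assumptions; the thread does not state SpamCop's actual timeout.

```python
import re

# dig output copied from the post above.
DIG_OUTPUT = """\
; <<>> DiG 9.2.1 <<>> uluhovyf.info
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1553
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;uluhovyf.info. IN A
;; ANSWER SECTION:
uluhovyf.info. 600 IN A 190.54.55.101
;; Query time: 690 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
"""
# Constructed sample: what dig prints when no nameserver answers at all.
DIG_TIMEOUT = ";; connection timed out; no servers could be reached\n"

BUDGET_MS = 500  # assumed per-lookup budget; the thread gives no real figure

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)

def parse_dig(text):
    """Pull the response status, query time and A records out of dig's text output."""
    status = re.search(r"status:\s*([A-Z]+)", text)
    qtime = re.search(r"Query time:\s*(\d+)\s*msec", text)
    return {
        "status": status.group(1) if status else None,
        "query_ms": int(qtime.group(1)) if qtime else None,
        "a_records": [(n, int(ttl), ip) for n, ttl, ip in A_RECORD.findall(text)],
    }

def classify(result, budget_ms=BUDGET_MS):
    """Separate 'name does not exist' from 'answer arrived too late to use'."""
    if result["status"] is None:
        return "no-response"            # nothing came back before dig gave up
    if result["status"] == "NXDOMAIN":
        return "does-not-exist"         # the only case where the name is truly absent
    if result["status"] != "NOERROR" or not result["a_records"]:
        return "no-usable-answer"
    if result["query_ms"] is not None and result["query_ms"] > budget_ms:
        return "resolves-but-too-slow"  # valid answer, but past the parser's budget
    return "resolves"

def manual_report_ips(result):
    """Addresses a reporter could look up by hand when the automated parse gave up."""
    return sorted({ip for _, _, ip in result["a_records"]})

if __name__ == "__main__":
    for label, text in (("thread sample", DIG_OUTPUT), ("timeout sample", DIG_TIMEOUT)):
        parsed = parse_dig(text)
        print(label, classify(parsed), manual_report_ips(parsed))
```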
Farelf
Posted June 8, 2007

If this is such an unrecondite spamhost, a dyed-in-the-wool blackhat, then it may be that sending love notes will have little effect. Some "here" advocate more aggressive approaches and some of those swear by knujon - Chris Souter's post and user damaging spammer provider topic - are a couple of instances (and other posts and topics for the searching). Others imply it is all puffery and flummery but perhaps not, on casual observation, through first-hand experience. Worth a try, I think.
Wazoo
Posted June 8, 2007

06/08/07 15:25:59 dig ULUHOVYF.INFO [at] 208.67.220.220
Dig ULUHOVYF.INFO[at]ns1.nssater.INFO (222.76.212.236) ...
failed, couldn't connect to nameserver
Dig ULUHOVYF.INFO[at]ns2.garlel.INFO (203.11.111.5) ...
failed, couldn't connect to nameserver
Dig ULUHOVYF.INFO[at]208.67.220.220 ...
Non-authoritative answer
Recursive queries supported by this server
Query for ULUHOVYF.INFO type=255 class=1
ULUHOVYF.INFO NS (Nameserver) ns2.garlel.INFO
ULUHOVYF.INFO NS (Nameserver) ns1.nssater.INFO

06/08/07 15:26:37 dns ULUHOVYF.INFO
Mail for ULUHOVYF.INFO is handled by mail.ULUHOVYF.INFO
Canonical name: ULUHOVYF.INFO
Addresses: 66.226.210.135

06/08/07 15:30:40 Slow traceroute ULUHOVYF.INFO
Trace ULUHOVYF.INFO (66.226.210.135) ...
69.26.209.89 RTT: 65ms TTL:170 (airband-69-26-209-89.airband.net probable bogus rDNS: No DNS)
69.26.218.147 RTT: 59ms TTL:170 (airband-69-26-218-147.airband.net probable bogus rDNS: No DNS)
* * * failed
66.226.210.130 RTT: 78ms TTL:170 (No rDNS)
66.226.210.135 RTT: 74ms TTL: 49 (www.oneforever.com fraudulent rDNS)

at the moment, the 'defined' DNS servers don't respond, the typical-spammer-configuration of having the (probably compromised) computer handling both the web-site, DNS, (and lord knows what else) ... using a (non-browser) tool or two returns no content at the web-site at present ... on the other hand, the web-site 'reported' in the traceroute results does bring up a 'free dating' web page ...
JamesM
Posted June 15, 2007

One of our users is getting these too.

PublicDomainRegistry.com don't seem to be able to / or want to stop this spammer registering names even though the WHOIS is faked.

The names are still live after the spammer has moved on to new names.
Farelf
Posted June 16, 2007

> One of our users is getting these too.
> PublicDomainRegistry.com don't seem to be able to / or want to stop this spammer registering names even though the WHOIS is faked.
> The names are still live after the spammer has moved on to new names.

You/your user are not completely powerless in that situation, as GraemeL recently pointed out in http://forum.spamcop.net/forums/index.php?...ost&p=57240 - you will find other references if you search the posts at this site. No magical solutions, just a matter of chipping away and contributing when possible.
Archived
This topic is now archived and is closed to further replies.