Jump to content

Mis-parsing by SpamCop?


Recommended Posts

Greetings! I am being sent anywhere from 10 - 20 really obnoxious porno spams per day, all with similar content, and all referencing different sites with gibberish names such as http://uluhovyf.info. SpamCop always claims that the web sites do not exist, but here is the whois on one such site:

Domain Name:ULUHOVYF.INFO

Created On:07-Jun-2007 10:44:48 UTC

Last Updated On:07-Jun-2007 16:38:39 UTC

Expiration Date:07-Jun-2008 10:44:48 UTC

Sponsoring Registrar:Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)

Status:CLIENT TRANSFER PROHIBITED

Status:TRANSFER PROHIBITED

Registrant ID:DI_6700359

Registrant Name:Sarah Armour

Registrant Organization:N/A

Registrant Street1:22 North

Registrant Street2:

Registrant Street3:

Registrant City:Palm Harbor

Registrant State/Province:Florida

Registrant Postal Code:34684

Registrant Country:US

Registrant Phone:+1.5207062511

.....

Tech Email:saraharmouraa[at]yahoo.com

Name Server:NS2.GARLEL.INFO

Name Server:NS1.NSSATER.INFO

All of the gibberish sites I've looked up are owned by the same person. The actual spams originate from spam-friendly ISPs all over the world, so this is more than likely a front. It's annoying enough to receive this daily blizzard of really obnoxious spam (incest, weird perversions, etc. etc.) but it's REALLY frustrating to find that SpamCop can't deal with the URLs. Does anyone have any suggestions?

Link to comment
Share on other sites

SpamCop always claims that the web sites do not exist, but here is the whois on one such site:

...

All of the gibberish sites I've looked up are owned by the same person. Does anyone have any suggestions?

; <<>> DiG 9.2.1 <<>> uluhovyf.info

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1553

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;uluhovyf.info. IN A

;; ANSWER SECTION:

uluhovyf.info. 600 IN A 190.54.55.101

;; Query time: 690 msec;; SERVER: 192.168.4.1#53(192.168.4.1)

;; WHEN: Fri Jun 8 08:17:01 2007

;; MSG SIZE rcvd: 47

Since they are all registered to the same person, it is likely they are all using the same slow DNS responses to get around SpamCops parsers. This query took over half a second. SpamCop receives about 10 spam messages every second. This has been discusses here quite often. SpamCop is not really saying the site does not exist. It is saying the DNS servers did not respond in a reasonable amount of time. Browsers are designed to wait much longer for a response so the user will not get the "site does not exist" error page.

The suggestion is to manually parse just the web site and/or IP address you find and, if you are a paid reporter, add the address to your outgoing reports, or send manual reports, which often times are more effective.

Parsing input: 190.54.55.101

Reporting addresses:

abuse[at]ip.telmexchile.cl

postmaster[at]telmexchile.cl

Please check out http://forum.spamcop.net/forums/index.php?...ost&p=27712 for a more official explaination.

Link to comment
Share on other sites

If this such an unrecondite spamhost, a dyed-in-the-wool blackhat, then it may be that sending love notes will have little effect. Some "here" advocate more agressive approaches and some of those swear by knujon - Chris Souter's post and user damaging spammer provider topic - are a couple of instances (and other posts and topics for the searching). Others imply it is all puffery and flummery but perhaps not, on casual observation, through first-hand experience. Worth a try, I think.

Link to comment
Share on other sites

06/08/07 15:25:59 dig ULUHOVYF.INFO [at] 208.67.220.220

Dig ULUHOVYF.INFO[at]ns1.nssater.INFO (222.76.212.236) ...

failed, couldn't connect to nameserver

Dig ULUHOVYF.INFO[at]ns2.garlel.INFO (203.11.111.5) ...

failed, couldn't connect to nameserver

Dig ULUHOVYF.INFO[at]208.67.220.220 ...

Non-authoritative answer

Recursive queries supported by this server

Query for ULUHOVYF.INFO type=255 class=1

ULUHOVYF.INFO NS (Nameserver) ns2.garlel.INFO

ULUHOVYF.INFO NS (Nameserver) ns1.nssater.INFO

06/08/07 15:26:37 dns ULUHOVYF.INFO

Mail for ULUHOVYF.INFO is handled by mail.ULUHOVYF.INFO

Canonical name: ULUHOVYF.INFO

Addresses:

66.226.210.135

06/08/07 15:30:40 Slow traceroute ULUHOVYF.INFO

Trace ULUHOVYF.INFO (66.226.210.135) ...

69.26.209.89 RTT: 65ms TTL:170 (airband-69-26-209-89.airband.net probable bogus rDNS: No DNS)

69.26.218.147 RTT: 59ms TTL:170 (airband-69-26-218-147.airband.net probable bogus rDNS: No DNS)

* * * failed

66.226.210.130 RTT: 78ms TTL:170 (No rDNS)

66.226.210.135 RTT: 74ms TTL: 49 (www.oneforever.com fraudulent rDNS)

at the moment, the 'defined' DNS servers don't respond, the typical-spammer-configuration of having the (probably compromised) computer handling both the web-site, DNS, (and lord knows what else) ... using a (non-browser) tool or two returns no content at the web-site at present ...

on the other hand, the web-site 'reported' in the traceroute results does bring up a 'free dating' web page ...

Link to comment
Share on other sites

One of our users is getting these too :(

PublicDomainRegistry.com don't seem to be able to / or want to stop this spammer registering names even though the WHOIS is faked. The names are still live after the spammer has moved on to new names

Edited by JamesM
Link to comment
Share on other sites

One of our users is getting these too :(

PublicDomainRegistry.com don't seem to be able to / or want to stop this spammer registering names even though the WHOIS is faked. The names are still live after the spammer has moved on to new names

You/your user are not completely powerless in that situation, as GraemeL recently pointed out in http://forum.spamcop.net/forums/index.php?...ost&p=57240 - you will find other references if you search the posts at this site. No magical solutions, just a matter of chipping away and contributing when possible.
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...