Incomplete or false registrations and IP addresses


amenex

Posted

Here's the link to the spam/phish at issue:

http://www.spamcop.net/sc?id=z1329430016zd...dd0e11bf185f87z

SpamCop says:

> Resolving link obfuscation

> http://session-4021028.nationalcity.com.dl...s/TreasuryMgmt/

> Host session-4021028.nationalcity.com.dllet.bz (checking ip) = 217.228.7.46

> host 217.228.7.46 = pD9E4072E.dip0.t-ipconnect.de (cached)

WhoIs (http://centralops.net/co/DomainDossier.aspx) says:

> canonical name session-4021028.nationalcity.com.dllet.bz.

> aliases

> addresses 70.51.93.176

> 190.142.13.144

> 217.228.7.46

> 62.43.145.36

> 83.200.117.134

None of these IP's match SpamCop's WhoIs data (217.228.7.46).

My own 'puter tcptraceroute'd the phisher's domain as follows:

> Tracing the path to session-4021028.nationalcity.com.dllet.bz (80.143.218.3) on TCP port 80 (www), 30 hops max

...

> 11 dtag-level3-oc48.NewYork1.Level3.net (4.68.111.70) 27.464 ms 28.382 ms 29.721 ms

> 12 62.153.176.54 122.449 ms 121.048 ms 122.439 ms

> 13 217.0.73.69 127.437 ms 123.784 ms 214.967 ms

> 14 p508FDA03.dip.t-dialin.net (80.143.218.3) [open] 170.089 ms 178.081 ms 179.967 ms

This IP address (80.143.218.3) doesn't match SpamCop's either.

Registrant (http://www.belizenic.bz/):

> ... redacted

> ... redacted

> ... redacted

> United States

> Phone:143-50-914

Probably ID theft; the phone number isn't a USA number, and I can Google the guy's address to a real estate transaction.

> Domain Name: dllet.bz

> Created on.............: 2007-06-08 06:33:41

> Expires on.............: 2008-06-08 06:33:41

> Record last updated on..: 2007-06-08 06:33:41

I've reported this domain countless times in the last few days.

> Administrative Contact:

... redacted

> Email: czubakowski817[at]yahoo.com

Yahoo hasn't responded to my reports of this email as the phisher, either.

...

> Domain servers in listed order:

> ns1.smile-np.com 75.126.65.24

> ns2.smile-np.com 72.201.23.147

Neither of the above IP's matches Spamcop's; Googling reveals that smile-np.com

is a known phisher/spammer that won't go away.

WhoIs (http://centralops.net/co/DomainDossier.aspx) says:

> canonical name ns1.smile-np.com.

> aliases

> addresses 64.74.124.156

Different from the Belize registration ...

WhoIs says:

> canonical name ns2.smile-np.com

> aliases

> addresses 72.201.23.147

Omigosh! It matches Belizenic! But not my trace, nor SpamCop's.

My routine with the Regions and National City phishes has been:

1. Use Venkman's JavaScript Debugger to capture the source code at the phishing site.

2. Perform a tcptraceroute with my Debian-based PC.

3. Use Centralops' Domain Dossier to look up the WhoIs data for the original canonical domain name and for tcptraceroute's result.

4. Report and forward the phish to all the abuse addresses found, plus the various groups claiming an interest in stamping out phishers.

I now discover that SpamCop is getting completely different data from mine.

In the present case, I reported this phish as follows:

To: jeff.sumner[at]nationalcity.com

Cc: reyner[at]globalcon.net, abuse[at]t-ipnet.de, abuse[at]cox.net,

network-abuse[at]cc.yahoo-inc.com, PIRT[at]castlecops.com,

scams[at]fraudwatchinternational.com, reportphishing[at]antiphishing.org,

spam[at]uce.gov

You will note that somehow I managed to include abuse[at]t-ipnet.de with

my apparently different IP address.

SpamCop's routing details page offers no clues:

> Reports routes for 217.226.92.162:

> routeid:27952578 217.224.0.0 - 217.237.161.47 to:ripe.dtip[at]telekom.de

> Administrator found from whois records

> routeid:27952579 217.224.0.0 - 217.237.161.47 to:abuse[at]t-ipnet.de

> Administrator found from whois records

Note that the routing details reported in the paragraph immediately above

differ from the routing details that I quote at the top of this page.

When I did a tcptraceroute again just this minute, I got another result

altogether:

> Tracing the path to session-4021028.nationalcity.com.dllet.bz (190.142.13.144) on TCP port 80 (www), 30 hops max

...

> 12 * ro-ccs-03.ro.intercable.net.ve (200.75.113.7) 103.480 ms 103.698 ms

> 13 * * *

> 14 200.75.112.8 97.865 ms 98.581 ms 99.774 ms

> 15 190.142.13.144 [open] 117.631 ms 106.192 ms 119.846 ms

This phisher appears to have a dynamic method of changing registrations; is there any point in continuing to report these phishes?

amenex
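The routine described in this post (look the name up more than once, then find the abuse route for every address that comes back), as an added example that is not part of the original post and not SpamCop's or Centralops' own code. It unions the answers from repeated lookups, which is how the five Domain Dossier addresses and the two different tcptraceroute targets all land in one set, and then matches each address against a SpamCop-style inclusive route table. Assumptions: the route table holds only the single 217.224.0.0 - 217.237.161.47 range and two contacts quoted above, so every other address deliberately comes back with no known route; the replaying resolver and its answer sets are constructed from the addresses quoted in the post, not from live DNS; and the names `collect_addresses`, `route_for`, `report_plan`, `make_replaying_resolver` and `still_unreported` are my own.

```python
"""Collect every address a fast-changing phish host resolves to, then
map each one to an abuse contact.  Added example; route data below is
constructed from the one range quoted in the thread, nothing else."""
import ipaddress
import itertools
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# A SpamCop-style route: inclusive start, inclusive end, abuse contacts.
Route = Tuple[str, str, List[str]]

# Constructed route table.  Only the range SpamCop quoted for
# 217.226.92.162 is known; any other address must be looked up by hand.
ROUTES: List[Route] = [
    ("217.224.0.0", "217.237.161.47",
     ["ripe.dtip@telekom.de", "abuse@t-ipnet.de"]),
]

# Constructed answer sets, one per lookup, taken from the post: what
# SpamCop's parse saw, the first tcptraceroute target, the Domain
# Dossier list, and the second tcptraceroute target.
ROUND_ROBIN_ANSWERS: List[List[str]] = [
    ["217.228.7.46"],
    ["80.143.218.3"],
    ["70.51.93.176", "190.142.13.144", "217.228.7.46",
     "62.43.145.36", "83.200.117.134"],
    ["190.142.13.144"],
]


def live_resolve(host: str) -> List[str]:
    """Real A-record lookup via the system resolver (network required)."""
    return socket.gethostbyname_ex(host)[2]


def make_replaying_resolver(answers: List[List[str]]) -> Callable[[str], List[str]]:
    """Build an offline stand-in that hands out the constructed answer
    sets in turn, cycling if asked for more rounds than it has."""
    cycle = itertools.cycle(answers)
    return lambda host: list(next(cycle))


def collect_addresses(host: str, rounds: int = 5,
                      resolve: Callable[[str], Iterable[str]] = live_resolve
                      ) -> Set[str]:
    """Resolve `host` `rounds` times and union the results.  A single
    lookup (or a single traceroute) only ever shows one slice of a
    round-robin name, so one pass is never enough."""
    seen: Set[str] = set()
    for _ in range(rounds):
        seen.update(resolve(host))
    return seen


def route_for(ip: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Find the inclusive range that contains `ip`, or None if the table
    does not cover it (the caller then has to whois it manually)."""
    addr = ipaddress.ip_address(ip)
    for lo, hi, contacts in routes:
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return (lo, hi, contacts)
    return None


def report_plan(addresses: Iterable[str],
                routes: List[Route] = ROUTES) -> Dict[str, List[str]]:
    """Address -> abuse contacts, in numeric address order.  An empty
    list means 'no route known', which is itself a finding."""
    plan: Dict[str, List[str]] = {}
    for ip in sorted(addresses, key=ipaddress.ip_address):
        found = route_for(ip, routes)
        plan[ip] = list(found[2]) if found else []
    return plan


def still_unreported(collected: Iterable[str],
                     already_reported: Iterable[str]) -> Set[str]:
    """Addresses seen in lookups that have not been reported yet."""
    return set(collected) - set(already_reported)


if __name__ == "__main__":
    # Offline demonstration using the constructed answers.
    resolver = make_replaying_resolver(ROUND_ROBIN_ANSWERS)
    found = collect_addresses("session-4021028.nationalcity.com.dllet.bz",
                              rounds=len(ROUND_ROBIN_ANSWERS), resolve=resolver)
    for ip, contacts in report_plan(found).items():
        print(ip, "->", ", ".join(contacts) or "(no route known; whois by hand)")
    print("not yet reported:", sorted(still_unreported(found, ["217.228.7.46"])))
```

Swap `make_replaying_resolver(...)` for the default `live_resolve` to run it against a real name; the point of `rounds` is that each call can return a different slice of the pool, so the union grows until the lookups stop producing new addresses.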

Posted

WhoIs (http://centralops.net/co/DomainDossier.aspx) says:

> canonical name session-4021028.nationalcity.com.dllet.bz.

> aliases

> addresses 70.51.93.176

> 190.142.13.144

> 217.228.7.46

> 62.43.145.36

> 83.200.117.134

None of these IP's match SpamCop's WhoIs data (217.228.7.46).

Stopping right here... compare the third entry found with that of SpamCop's parse.

Posted

Stopping right here... compare the third entry found with that of SpamCop's parse.

Aha! Looks as though I should be reporting all five of those addresses.

What about the smile-np.com and the dllet.bz domains? They appear to remain immune to anti-phishing efforts.

amenex

Posted

IMHO, no.

However, you might be interested in Complainerator - the thread is here http://forum.spamcop.net/forums/index.php?...=complainerator - it is in the Suggested tools Forum.

Miss Betsy

Alas, I use Linux for tracking phishes. Oh, well.

I tried tracking another phish today that was registered as ...mode.kg. Every time I tried WhoIs, I got a different list of five IP addresses. But the .kg registrar is broken - can't get the person's registration data. When I used tcptraceroute, I got different IP addresses every time I tried for the listed IP's. Hopeless.

amenex
