kae Posted July 25, 2007

Here's the Tracking URL: http://www.spamcop.net/sc?id=z1369372060zc...570a71ddcf3e2az

The link that was discarded appears to work like this:

http://{any old junk here in front}.kiosuoyon.cn/?elbdgjxowwvycizchcmafhkm

translates to:

http://{any old junk here in front}.kiosuoyon.cn/e/?elbdgjxowwvycizchcmafhkm

and points to some Canadian pharmacy. It's like the junk in front of the kiosuoyon.cn makes the parser stop. Is there a way to catch this type of link obfuscation?
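Added example, written for this page and not part of kae's post or of SpamCop's parser: a small Python helper showing how a reporting tool can reduce a spamvertised hostname with an arbitrary junk label in front to its registrable domain, which is also the key that SURBL-style lists are queried on. The suffix table (KNOWN_SUFFIXES) and the function names are assumptions of this example; a real tool would load the Public Suffix List. It also handles a second obfuscation form the thread does not mention, a decoy userinfo prefix such as http://www.example.com@kiosuoyon.cn/.

```python
"""Reduce a spamvertised URL to its registrable domain and SURBL query name.

Added example; not SpamCop's parser. KNOWN_SUFFIXES is a tiny stand-in for
the Public Suffix List and is an assumption of this example.
"""
from urllib.parse import urlsplit

# Assumed suffix table for the example. Load publicsuffix.org's list in real use.
KNOWN_SUFFIXES = {"cn", "com.cn", "net.cn", "com", "net", "org", "co.uk"}


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, tolerating a missing scheme.

    urlsplit() discards any userinfo, so 'http://www.example.com@evil.cn/'
    yields 'evil.cn' rather than the decoy in front of the '@'.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Drop leading labels until exactly one label sits above a known suffix.

    Candidate suffixes are tried longest first, so 'x.foo.com.cn' resolves to
    'foo.com.cn' and not to 'com.cn'. Random prefixes such as
    'etrgfytuioh.kiosuoyon.cn' collapse to 'kiosuoyon.cn' whatever their length.
    """
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in KNOWN_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host  # unknown suffix: leave the host as-is rather than guess


def surbl_query_name(host: str, zone: str = "multi.surbl.org") -> str:
    """SURBL is keyed on the registrable domain, so junk prefixes never matter."""
    return f"{registrable_domain(host)}.{zone}"


def spamvertised_domain(url: str) -> str:
    """Convenience wrapper: URL in, registrable domain out."""
    return registrable_domain(hostname_of(url))


if __name__ == "__main__":
    for u in ("http://etrgfytuioh.kiosuoyon.cn/?elbdgjxowwvycizchcmafhkm",
              "http://www.example.com@kiosuoyon.cn/e/",
              "x.foo.com.cn/path"):
        print(u, "->", spamvertised_domain(u), surbl_query_name(hostname_of(u)))
```

The query name is built but not resolved here, so the block runs offline; resolving it against the SURBL zone and interpreting the returned bitmask is the step a live tool would add.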
Wazoo Posted July 25, 2007

tired .. it's been a "fix cars" day ... so before I even think about trying to work through this garbage yet again .... have you ever taken the time to look at the SpamCop FAQ here?

Parsing Problems / Issues
How Do I Show Full / Technical Details in a Parse?
"Header incomplete, aborting." and "No source IP address found, cannot proceed."
Causes of "Would send" and "If reported today, reports would be sent to:" messages
SpamCop said "No reports filed." What does it mean?
Steps taken by the parser, general overview
The Link Analysis Process
SpamCop reporting of spamvertized sites - some philosophy

In particular, the last three referenced links .... This type of spammer-controlled-web-server stuff has been touched many, many times before 'in here' ...
Farelf Posted July 25, 2007

Yes, "spamvertized sites" are not the main mission for SC, as Wazoo's references attest. Research will also show many who wish it otherwise, but there is only limited SC support of the SURBL, which does try to address these matters (FAQ Entry: How does SpamCop interface with SURBL?). That is as close as there is to any tangible effect from SC reporting (WRT the webhosting of spamvertized sites), for all sorts of reasons, most of which are covered in Wazoo's references.

Noting some lookup detail for kiosuoyon.cn:

Address lookup
canonical name kiosuoyon.cn.
aliases
addresses 220.227.52.125

Domain Whois record
Queried whois.cnnic.net.cn with "kiosuoyon.cn"...
Domain Name: kiosuoyon.cn
ROID: 20070719s10001s26044893-cn
Domain Status: clientHold
Domain Status: inactive
Registrant Organization: N/A
Registrant Name: Helvey Don
Administrative Email: helveydonson[at]yahoo.com
Sponsoring Registrar: 厦门华商盛世网络有限公司
Registration Date: 2007-07-19 17:16
Expiration Date: 2008-07-19 17:16

Network Whois record
Queried whois.apnic.net with "220.227.52.125"...
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 220.224.0.0 - 220.227.255.255
netname: RelianceInfocomm
descr: Reliance Infocom Ltd
country: IN
admin-c: BN96-AP
tech-c: SC1210-AP
tech-c: CL1307-AP
status: ALLOCATED PORTABLE
notify: Antiabuse.support[at]relianceada.com
notify: ISM.Helpdesk[at]relianceada.com
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-SN
changed: hm-changed[at]apnic.net 20040301
changed: hm-changed[at]apnic.net 20060208
changed: hm-changed[at]apnic.net 20060404
changed: hm-changed[at]apnic.net 20070724
source: APNIC

route: 220.227.52.0/23
descr: Reliance Infocom Ltd Internet Data Centre
origin: AS18101
mnt-by: MAINT-IN-SN
changed: ip.nnoc[at]relianceinfo.com 20060819
source: APNIC
country: IN

person: B Nagaraj
nic-hdl: BN96-AP
remarks: Send spam & abuse Reports
remarks: include detailed information & time
remarks: to antiabuse.support[at]relianceada.com
e-mail: ricip.admin[at]relianceada.com
address: Reliance Communication Ventures Ltd,
address: 2CA 13 , D Block , 2nd Floor,
address: Dhirubai Ambani Knowledge City,
address: Thane Belapur Road, KoparKhairne,
address: Navi Mumbai - 400710 , INDIA.
phone: +91-22-30383796
fax-no: +91-22-30383899
country: IN
changed: ricip.admin[at]relianceada.com 20061107
mnt-by: MAINT-IN-SN
source: APNIC

person: Shankha Chaudhuri
nic-hdl: SC1210-AP
remarks: Send spam & abuse Reports
remarks: include detailed information & time
remarks: to antiabuse.support[at]relianceada.com
e-mail: ricip.admin[at]relianceada.com
address: Reliance Communication Ventures Ltd,
address: 2W14 , DB 17 , D Block , 2nd Floor,
address: Dhirubai Ambani Knowledge City,
address: Thane Belapur Road, KoparKhairne,
address: Navi Mumbai - 400710 , INDIA.
phone: +91-22-30383936
fax-no: +91-22-30383899
country: IN
changed: ricip.admin[at]relianceada.com 20060613
mnt-by: MAINT-IN-SN
source: APNIC

person: Cavin Lobo
nic-hdl: CL1307-AP
remarks: Send spam & abuse Reports
remarks: include detailed information & time
remarks: to antiabuse.support[at]relianceada.com
e-mail: ricip.admin[at]relianceada.com
address: Reliance Communication Ventures Ltd,
address: 3W24, Block-D,
address: DAKC, Kopar khairne,
address: Navi Mumbai 400 709
phone: +91-22-30383851
fax-no: +91-22-30383899
country: IN
changed: ricip.admin[at]relianceada.com 20060613
mnt-by: MAINT-IN-SN
source: APNIC

The antiabuse.support address for relianceada.com would be my nomination for a report, FWIW, but explaining that the complaint is not about spam transmission (but is about webhosting) can be difficult, and I would be checking Spamhaus first to see if there's any point. If they are a known blackhat, there certainly wouldn't be.

That (simplified) Chinese for the "sponsoring registrar" translates as "Xiamen Chinese businessman prosperous times network limited company" according to BabelFish and was well worth the "journey" by itself IMO.
Farelf Posted July 25, 2007

Oh yes, it looks like it is on the SURBL (for some value of "on"): http://www.surbl.org/dns-queries.unmatched...hpercentile.txt

And while SiteAdvisor says (currently) it has never heard of kiosuoyon.cn, a Google search brings up: http://www.siteadvisor.com/sites/kiosuoyon...ostid/?p=411242 which is notable for the "reviews", since no exploit assessment has yet been completed.
Wazoo Posted July 25, 2007

07/25/07 02:01:19 Slow traceroute kiosuoyon.cn
Trace kiosuoyon.cn failed, no such host

07/25/07 02:02:19 whois kiosuoyon.cn
.cn is a domain of China (international dialing code 86)
Searches for .cn can be run at http://www.cnnic.cn/cgi-bin/domainqc
I don't know of a whois server for cn, sorry

http://www.cnnic.cn/cgi-bin/domainqc = HTTP 404

07/25/07 02:04:30 Browsing http://kiosuoyon.cn/
Host kiosuoyon.cn doesn't exist, trying mail.kiosuoyon.cn instead

DNSreport for kiosuoyon.cn
Generated by www.DNSreport.com at 07:06:27 GMT on 25 Jul 2007.
[ERROR: The parent servers say that the domain kiosuoyon.cn does not exist. Note that the DNSreport only works on domains, not hostnames.]

Google = Your search - kiosuoyon.cn group:*abuse* - did not match any documents.

whois -h whois.cnnic.net.cn kiosuoyon.cn
...
Domain Name: kiosuoyon.cn
ROID: 20070719s10001s26044893-cn
Domain Status: clientHold
Domain Status: inactive
^^^^^^^^^^^^^^^ - I'm also keying on that bit of description

07/25/07 02:13:24 Browsing http://etrgfytuioh.kiosuoyon.cn/
No such server as etrgfytuioh.kiosuoyon.cn
^^^^^^^^^^^^^^^^^^^ - per original poster's remarks

07/25/07 02:16:08 Browsing http://etrgfytuioh.kiosuoyon.cn/e/
No such server as etrgfytuioh.kiosuoyon.cn

07/25/07 02:17:11 Browsing http://etrgfytuioh.kiosuoyon.cn/e/?elbdgjxowwvycizchcmafhkm
No such server as etrgfytuioh.kiosuoyon.cn

Cannot duplicate the alleged results of the Topic Starting post ..... I'm done ....
Farelf Posted July 25, 2007

Nothing like current data, my research evidently on cached results - though noting one little line amongst all those in the centralops reports:

Domain Status: inactive

So, the "other" reason for non-identification in the SC parse - domain gone/dying; the parser generally hasn't the resources that many of the "you-beaut" specialized tools have to hang in and sort that out. And even with the specialized tools, the clues are not always evident or numerous on hurried perusal.
kae Posted July 25, 2007 (Author)

<snip>
Cannot duplicate the alleged results of the Topic Starting post ..... I'm done ....

Sorry for the bother. Feel free to delete the thread. It might help to reduce the useless information that comes out of the search engine when people search for this type of problem.
Farelf Posted July 26, 2007

Sorry for the bother. Feel free to delete the thread. It might help to reduce the useless information that comes out of the search engine when people search for this type of problem.

No bother, de nada - but do you follow why it happens, how it happens and why SC (as such) doesn't "fix it"? Your recourse is to manually report unless it is clearly already shut down or between hosts, OR it is a botnet-hosted entity, in which case a different strategy (from/to reporting to the host) might be indicated. In which case Googling for "bot net" will lead to some (lengthy but interesting) discussion and (finally) to pointers to a tool.
AlphaCentauri Posted August 5, 2007

Well, whatever everyone did, kiosuoyon.cn is now dead. Sometimes the parser fails because the site really has been shut down. The SpamCop parser runs into problems because .cn domains may load very slowly. But the spammers run into problems because of that, too. So it's a good problem to have.

The SpamCop parser also has problems with:

1. Canadian Pharmacy sites -- Their botnet will have 20 different IP numbers for a domain at one time, and SpamCop's parser will only return one. The IP addresses change every 5 minutes (literally) (and the nameservers change about every 24 hours). So by the time your report gets to the domain host, the site is somewhere else. As you can imagine, the SpamCop blocklist has difficulty with the originating IP numbers as well, as there are so many bots involved that each infected computer may only send a few spams, never getting reported often enough to be listed, and often only being logged into a dynamic IP at the time anyway. The spammer registers thousands of domains (literally) for the same site. They're being registered in China right now because the Hong Kong registrar HKDNR realized who they were dealing with and deleted the registrations for 1250+ different domain names. Now antispammers are working on alerting bizcn.com, Xinnet and Beijing Innovative Linkage Technologies to see if they will crack down on those registrations as well.

2. MyCanadianPharmacy and similar sites. The malware infection that allows those sites to be hosted inserts a list of IPs that are not allowed to ping them. Ironport (SpamCop) is one of them, so the parser sees the site as "not found." Visa, Mastercard, various law enforcement agencies and some active antispammers also have their IPs on the list.

There is a lot of information about how these sites work at http://www.spamtrackers.eu/wiki/index.php?title=Main_Page

One of the most effective ways to fight these itinerant spam sites is to remove domain and nameserver registration: they can move their sites as often as they want, but if the registration for the domain and the glue for the nameservers is gone, no one can connect to them. There is an automated tool at http://thecarpcstore.com/phpbb2/viewtopic.php?t=967 to send reports to registrars about spamvertised sites.
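Added example, written for this page and not from AlphaCentauri's post nor from any SpamCop or Spamtrackers tool: a fast-flux scorer that models the behaviour described in point 1 above, a domain that answers with a different set of addresses at every poll and keeps TTLs short, so that a single lookup (or a single report) is stale within minutes. The resolution snapshots are constructed from reserved address ranges and the thresholds (max_ttl, min_ips, min_churn) are assumptions; the point is which signals to measure across repeated lookups rather than the exact numbers.

```python
"""Score DNS resolution history for fast-flux hosting.

Added example; not SpamCop code. Observations and thresholds are constructed
assumptions for illustration, using reserved address ranges (RFC 5737 and
RFC 2544 benchmarking space), not real measurements of any domain.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Snapshot:
    t: int                   # seconds since the first poll
    ttl: int                 # TTL on the A records in this answer
    addrs: FrozenSet[str]    # A records returned by this poll


# Constructed: a flux domain polled every 5 minutes; most of the address set
# is replaced at each poll and the addresses are spread over unrelated /24s.
FLUX: List[Snapshot] = [
    Snapshot(0,   300, frozenset({"198.18.1.5",   "192.0.2.44",  "198.51.100.9",   "203.0.113.7"})),
    Snapshot(300, 300, frozenset({"198.18.7.9",   "192.0.2.44",  "198.51.100.200", "203.0.113.250"})),
    Snapshot(600, 300, frozenset({"198.19.3.3",   "192.0.2.8",   "198.51.100.17",  "203.0.113.99"})),
    Snapshot(900, 300, frozenset({"198.19.200.1", "192.0.2.130", "198.51.100.42",  "203.0.113.3"})),
]

# Constructed: an ordinary site with two stable addresses and a day-long TTL.
STABLE: List[Snapshot] = [
    Snapshot(t, 86400, frozenset({"192.0.2.10", "192.0.2.11"})) for t in (0, 300, 600, 900)
]


def flux_metrics(snaps: List[Snapshot]) -> Dict[str, float]:
    """Summarise a resolution history into the signals fast-flux detection uses."""
    seen = set().union(*(s.addrs for s in snaps))
    # Legitimate load balancing clusters in a few prefixes; a botnet scatters.
    prefixes = {ip_network(f"{a}/24", strict=False) for a in seen}
    # Churn: fraction of each answer that was absent from the previous answer.
    churn = 0.0
    for prev, cur in zip(snaps, snaps[1:]):
        churn += len(cur.addrs - prev.addrs) / max(len(cur.addrs), 1)
    churn /= max(len(snaps) - 1, 1)
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(s.ttl for s in snaps),
        "churn": churn,
    }


def looks_fast_flux(snaps: List[Snapshot], max_ttl: int = 900,
                    min_ips: int = 8, min_churn: float = 0.5) -> bool:
    """Assumed thresholds: short TTL, many addresses, and most of them rotating."""
    m = flux_metrics(snaps)
    return (m["min_ttl"] <= max_ttl
            and m["distinct_ips"] >= min_ips
            and m["churn"] >= min_churn)


if __name__ == "__main__":
    for name, hist in (("flux", FLUX), ("stable", STABLE)):
        verdict = "fast-flux" if looks_fast_flux(hist) else "ok"
        print(name, flux_metrics(hist), verdict)
```

In practice the snapshots would come from repeated lookups against the domain's own authoritative servers (the nameservers rotate too, per the post, so the NS set deserves the same churn treatment), and the prefix count is a cheap stand-in for an ASN lookup: a real pharmacy farm hosted on home machines lands in dozens of consumer ISPs, which is the tell.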
Wazoo Posted August 5, 2007

There is an automated tool at http://thecarpcstore.com/phpbb2/viewtopic.php?t=967 to send reports to registrars about spamvertised sites.

Complainterator was / is announced 'here' in the Suggested Tools and Applications Forum section at Complainterator V5 Announcement