
Host ... (checking ip) IP not found ; ... discarded as fake


kae


Here's the Tracking URL: http://www.spamcop.net/sc?id=z1369372060zc...570a71ddcf3e2az

The link that was discarded appears to work like this:

http://{any old junk here in front}.kiosuoyon.cn/?elbdgjxowwvycizchcmafhkm

translates to:

http://{any old junk here in front}.kiosuoyon.cn/e/?elbdgjxowwvycizchcmafhkm and points to some Canadian pharmacy.

It's like the junk in front of the kiosuoyon.cn makes the parser stop.

Is there a way to catch this type of link obfuscation?

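The pattern described in the opening post, random labels stuck in front of a fixed registrable domain, is cheap for a spammer (a wildcard DNS record or a web server that ignores the Host header) and defeats any parser that treats the full hostname as the only thing worth resolving. The following is an added example, not SpamCop's parser and not code from this thread: it pulls the hostname out of a spam URL, strips the junk labels down to the registrable domain, and produces the list of hostnames a more patient resolver would try in order. The PUBLIC_SUFFIXES table is an assumed, hand-written stand-in for the real Public Suffix List, and the sample URLs are constructed (only the first is the shape quoted in the thread).

```python
"""Registrable-domain extraction for spam URLs whose hostname carries
random left-hand labels, e.g. http://etrgfytuioh.kiosuoyon.cn/?token

Added example; not SpamCop's parser. PUBLIC_SUFFIXES is a small
hand-written subset, an assumption standing in for the Public Suffix List.
"""
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List. Real code should load
# the full list (e.g. via the `publicsuffix2` or `tldextract` packages),
# because .cn, .uk, .au and others have many second-level public suffixes.
PUBLIC_SUFFIXES = {
    "cn", "com.cn", "net.cn", "org.cn", "gov.cn",
    "com", "net", "org", "info", "biz", "ru",
    "uk", "co.uk", "org.uk",
}


def hostname_of(url: str) -> str:
    """Lower-cased hostname from a URL; userinfo, port, path and query are
    ignored and a missing scheme is tolerated. Returns '' on junk input."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Strip left-hand labels until only the public suffix plus one label
    remains: 'etrgfytuioh.kiosuoyon.cn' -> 'kiosuoyon.cn'."""
    labels = host.split(".")
    # Scanning from the left finds the longest matching suffix first,
    # so 'com.cn' wins over 'cn'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ""            # the host *is* a public suffix
            return ".".join(labels[i - 1:])
    # Unknown TLD: fall back to the last two labels.
    return ".".join(labels[-2:])


def lookup_candidates(url: str) -> list[str]:
    """Hostnames to resolve, most specific first, ending at the registrable
    domain. A resolver that gets NXDOMAIN for the junk-prefixed host can
    keep going down this list instead of discarding the link."""
    host = hostname_of(url)
    base = registrable_domain(host)
    if not host:
        return []
    if not base or not host.endswith(base):
        return [host]
    labels = host.split(".")
    keep = len(base.split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - keep + 1)]


def group_by_domain(urls: list[str]) -> dict[str, list[str]]:
    """Group spam URLs by registrable domain so that a thousand junk
    prefixes collapse into one reportable target."""
    groups: dict[str, list[str]] = {}
    for u in urls:
        groups.setdefault(registrable_domain(hostname_of(u)), []).append(u)
    return groups


# Constructed sample input: the first URL has the shape quoted in the thread,
# the others are made-up variants of the same trick.
SPAM_URLS = [
    "http://etrgfytuioh.kiosuoyon.cn/?elbdgjxowwvycizchcmafhkm",
    "http://qwpzlkmv.kiosuoyon.cn/e/?elbdgjxowwvycizchcmafhkm",
    "HTTP://user@ABC.kiosuoyon.CN:8080/e/?elbdgjxowwvycizchcmafhkm",
]

if __name__ == "__main__":
    for u in SPAM_URLS:
        print(u, "->", lookup_candidates(u))
    print(group_by_domain(SPAM_URLS))
```

The point of `lookup_candidates` is the fallback order: when the junk-prefixed name does not resolve, the next name to try is the registrable domain itself, which is also the name the registrar whois and the SURBL are keyed on.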

Tired .. it's been a "fix cars" day ... so before I even think about trying to work through this garbage yet again .... have you ever taken the time to look at the SpamCop FAQ here? .....

Parsing Problems / Issues

How Do I Show Full / Technical Details in a Parse?

"Header incomplete, aborting." and "No source IP address found, cannot proceed."

Causes of "Would send" and "If reported today, reports would be sent to:" messages

SpamCop said "No reports filed." What does it mean?

Steps taken by the parser, general overview

The Link Analysis Process

SpamCop reporting of spamvertized sites - some philosophy

In particular, the last three referenced links ....

This type of spammer-controlled-web-server stuff has been touched many, many times before 'in here' ...


Yes, "spamvertized sites" are not the main mission for SC as Wazoo's references attest - research will also show many who wish it otherwise but there is only limited SC support of the SURBL which does try to address these matters (FAQ Entry: How does SpamCop interface with SURBL?) which is as close as there is to any tangible effect from SC reporting (WRT the webhosting of spamvertized sites) for all sorts of reasons, most of which are covered in Wazoo's references.

Noting some lookup detail for kiosuoyon.cn

Address lookup

canonical name kiosuoyon.cn.

aliases

addresses 220.227.52.125

Domain Whois record

Queried whois.cnnic.net.cn with "kiosuoyon.cn"...

Domain Name: kiosuoyon.cn

ROID: 20070719s10001s26044893-cn

Domain Status: clientHold

Domain Status: inactive

Registrant Organization: N/A

Registrant Name: Helvey Don

Administrative Email: helveydonson[at]yahoo.com

Sponsoring Registrar: 厦门华商盛世网络有限公司

Registration Date: 2007-07-19 17:16

Expiration Date: 2008-07-19 17:16

Network Whois record

Queried whois.apnic.net with "220.227.52.125"...

% [whois.apnic.net node-2]

% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 220.224.0.0 - 220.227.255.255

netname: RelianceInfocomm

descr: Reliance Infocom Ltd

country: IN

admin-c: BN96-AP

tech-c: SC1210-AP

tech-c: CL1307-AP

status: ALLOCATED PORTABLE

notify: Antiabuse.support[at]relianceada.com

notify: ISM.Helpdesk[at]relianceada.com

mnt-by: APNIC-HM

mnt-lower: MAINT-IN-SN

changed: hm-changed[at]apnic.net 20040301

changed: hm-changed[at]apnic.net 20060208

changed: hm-changed[at]apnic.net 20060404

changed: hm-changed[at]apnic.net 20070724

source: APNIC

route: 220.227.52.0/23

descr: Reliance Infocom Ltd Internet Data Centre

origin: AS18101

mnt-by: MAINT-IN-SN

changed: ip.nnoc[at]relianceinfo.com 20060819

source: APNIC

country: IN

person: B Nagaraj

nic-hdl: BN96-AP

remarks: Send spam & abuse Reports

remarks: include detailed information & time

remarks: to antiabuse.support[at]relianceada.com

e-mail: ricip.admin[at]relianceada.com

address: Reliance Communication Ventures Ltd,

address: 2CA 13 , D Block , 2nd Floor,

address: Dhirubai Ambani Knowledge City,

address: Thane Belapur Road, KoparKhairne,

address: Navi Mumbai - 400710 , INDIA.

phone: +91-22-30383796

fax-no: +91-22-30383899

country: IN

changed: ricip.admin[at]relianceada.com 20061107

mnt-by: MAINT-IN-SN

source: APNIC

person: Shankha Chaudhuri

nic-hdl: SC1210-AP

remarks: Send spam & abuse Reports

remarks: include detailed information & time

remarks: to antiabuse.support[at]relianceada.com

e-mail: ricip.admin[at]relianceada.com

address: Reliance Communication Ventures Ltd,

address: 2W14 , DB 17 , D Block , 2nd Floor,

address: Dhirubai Ambani Knowledge City,

address: Thane Belapur Road, KoparKhairne,

address: Navi Mumbai - 400710 , INDIA.

phone: +91-22-30383936

fax-no: +91-22-30383899

country: IN

changed: ricip.admin[at]relianceada.com 20060613

mnt-by: MAINT-IN-SN

source: APNIC

person: Cavin Lobo

nic-hdl: CL1307-AP

remarks: Send spam & abuse Reports

remarks: include detailed information & time

remarks: to antiabuse.support[at]relianceada.com

e-mail: ricip.admin[at]relianceada.com

address: Reliance Communication Ventures Ltd,

address: 3W24, Block-D,

address: DAKC, Kopar khairne,

address: Navi Mumbai 400 709

phone: +91-22-30383851

fax-no: +91-22-30383899

country: IN

changed: ricip.admin[at]relianceada.com 20060613

mnt-by: MAINT-IN-SN

source: APNIC

The antiabuse.support address for relianceada.com would be my nomination for a report FWIW - but explaining that the complaint is not about spam transmission (but is about webhosting) can be difficult and I would be checking SpamHaus first to see if there's any point. If they are a known blackhat, there certainly wouldn't be.

That (simplified) Chinese for the "sponsoring registrar" translates as Xiamen Chinese businessman prosperous times network limited company according to BabelFish and was well worth the "journey" by itself IMO :D .


Oh yes, it looks like it is on the SURBL (for some value of "on"): http://www.surbl.org/dns-queries.unmatched...hpercentile.txt

And while SiteAdvisor says (currently) it has never heard of kiosuoyon.cn, a Google search brings up:

http://www.siteadvisor.com/sites/kiosuoyon...ostid/?p=411242 which is notable for the "reviews" since no exploit assessment has yet been completed.


07/25/07 02:01:19 Slow traceroute kiosuoyon.cn

Trace kiosuoyon.cn failed, no such host

07/25/07 02:02:19 whois kiosuoyon.cn

.cn is a domain of China

(international dialing code 86)

Searches for .cn can be run at http://www.cnnic.cn/cgi-bin/domainqc

I don't know of a whois server for cn, sorry

http://www.cnnic.cn/cgi-bin/domainqc = HTTP 404

07/25/07 02:04:30 Browsing http://kiosuoyon.cn/

Host kiosuoyon.cn doesn't exist, trying mail.kiosuoyon.cn instead

DNSreport for kiosuoyon.cn

Generated by www.DNSreport.com at 07:06:27 GMT on 25 Jul 2007.

[ERROR: The parent servers say that the domain kiosuoyon.cn does not exist. Note that the DNSreport only works on domains, not hostnames.]

Google = Your search - kiosuoyon.cn group:*abuse* - did not match any documents.

whois -h whois.cnnic.net.cn kiosuoyon.cn ...

Domain Name: kiosuoyon.cn

ROID: 20070719s10001s26044893-cn

Domain Status: clientHold

Domain Status: inactive

^^^^^^^^^^^^^^^ - I'm also keying on that bit of description

07/25/07 02:13:24 Browsing http://etrgfytuioh.kiosuoyon.cn/

No such server as etrgfytuioh.kiosuoyon.cn

^^^^^^^^^^^^^^^^^^^ - per original poster's remarks

07/25/07 02:16:08 Browsing http://etrgfytuioh.kiosuoyon.cn/e/

No such server as etrgfytuioh.kiosuoyon.cn

07/25/07 02:17:11 Browsing http://etrgfytuioh.kiosuoyon.cn/e/?elbdgjxowwvycizchcmafhkm

No such server as etrgfytuioh.kiosuoyon.cn

Cannot duplicate the alleged results of the Topic Starting post .....

I'm done ....


Nothing like current data, my research evidently on cached results - though noting one little line amongst all those in the centralops reports:

Domain Status: inactive
So, the "other" reason for non-identification in the SC parse - domain gone/dying, the parser generally hasn't the resource that many of the "you-beaut" specialized tools have to hang in and sort that out. And even with the specialized tools, the clues are not always evident or numerous on hurried perusal.

<snip>

Cannot duplicate the alleged results [ot] the Topic Starting post .....

I'm done ....

Sorry for the bother.

Feel free to delete the thread. It might help to reduce the useless information that comes out of the search engine when people search for this type of problem.


Sorry for the bother.

Feel free to delete the thread. It might help to reduce the useless information that comes out of the search engine when people search for this type of problem.

No bother, de nada - but do you follow why it happens, how it happens and why SC (as such) doesn't "fix it"? Your recourse is to manually report unless it is clearly already shut down or between hosts OR it is a botnet-hosted entity, in which case a different strategy (from/to reporting to the host) might be indicated. In which case Googling for "bot net" will lead to some (lengthy but interesting) discussion and (finally) to pointers to a tool :)

  • 2 weeks later...

Well, whatever everyone did, kiosuoyon.cn is now dead. Sometimes the parser fails because the site really has been shut down.

The Spamcop parser runs into problems because .cn domains may load very slowly. But the spammers run into problems because of that, too. So it's a good problem to have.

The Spamcop parser also has problems with

1. Canadian Pharmacy sites -- Their botnet will have 20 different IP numbers for a domain at one time, and Spamcop's parser only will return one. The IP addresses change every 5 minutes (literally) (and the nameservers change about every 24 hours). So by the time your report gets to the domain host, the site is somewhere else. As you can imagine, the Spamcop blocklist has difficulty with the originating IP numbers as well, as there are so many bots involved that each infected computer may only send a few spams, never getting reported often enough to be listed and often only being logged into a dynamic IP at the time anyway. The spammer registers thousands of domains (literally) for the same site. They're being registered in China right now because the Hong Kong registrar HKDNR realized who they were dealing with and deleted the registration for 1250+ different domain names. Now antispammers are working on alerting bizcn.com, Xinnet and Beijing Innovative Linkage Technologies to see if they will crack down on those registrations as well.

2. MyCanadianPharmacy and similar sites. The malware infection that allows those sites to be hosted inserts a list of IPs that are not allowed to ping them. Ironport (Spamcop) is one of them, so the parser sees the site as "not found." Visa, Mastercard, various law enforcement agencies and some active antispammers also have their IP's on the list.

There is a lot of information about how these sites work at http://www.spamtrackers.eu/wiki/index.php?title=Main_Page

One of the most effective ways to fight these itinerant spam sites is to remove domain and nameserver registration - they can move their sites as often as they want, but if the registration for the domain and the glue for the nameservers is gone, no one can connect to them. There is an automated tool at http://thecarpcstore.com/phpbb2/viewtopic.php?t=967 to send reports to registrars about spamvertised sites.

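The behaviour described in point 1 above (many A records per domain, answers rotating every few minutes, nameservers rotating daily) is what is usually called fast-flux hosting, and it is detectable from nothing more than repeated lookups of the same name. The block below is an added example written for this thread, not code from SpamCop, spamtrackers.eu or the reporting tool linked above. It summarises a time-ordered series of lookups into a small profile (distinct IPs, distinct /24 prefixes, minimum TTL, fraction of answers that are new, number of distinct NS sets) and applies assumed thresholds to flag flux. Both lookup series are constructed from reserved documentation addresses and .example names; the thresholds are assumptions that a practitioner would tune against their own resolver logs.

```python
"""Fast-flux heuristics over repeated DNS lookups of a spamvertised domain.

Added example, not SpamCop code. The lookups below are constructed
(documentation address ranges and .example names) and stand in for what a
periodic resolver would log; the thresholds in is_fast_flux are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Lookup:
    t: int                   # seconds into the observation window
    a: tuple[str, ...]       # A records returned by this lookup
    ttl: int                 # TTL of those A records
    ns: tuple[str, ...]      # NS records in effect at this moment


def prefix24(ip: str) -> str:
    """Collapse an address to its /24, a cheap proxy for 'different network'
    when no offline ASN data is available."""
    return str(ip_network(f"{ip}/24", strict=False))


def flux_profile(lookups: list[Lookup]) -> dict:
    """Summarise address and nameserver churn across time-ordered lookups.
    'churn' is the share of answers after the first lookup that had never
    been seen before; a stable host scores 0.0."""
    seen: set[str] = set()
    new_after_first = answers_after_first = 0
    for i, lk in enumerate(sorted(lookups, key=lambda l: l.t)):
        if i > 0:
            answers_after_first += len(lk.a)
            new_after_first += sum(1 for ip in lk.a if ip not in seen)
        seen.update(lk.a)
    churn = new_after_first / answers_after_first if answers_after_first else 0.0
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes": len({prefix24(ip) for ip in seen}),
        "min_ttl": min(lk.ttl for lk in lookups),
        "churn": round(churn, 2),
        "ns_sets": len({tuple(sorted(lk.ns)) for lk in lookups}),
    }


def is_fast_flux(p: dict, min_ips: int = 8, max_ttl: int = 600,
                 min_churn: float = 0.5) -> bool:
    """Assumed thresholds: many distinct IPs, short TTL, and most answers
    being new each time. Any single signal alone is a CDN false positive."""
    return (p["distinct_ips"] >= min_ips and p["min_ttl"] <= max_ttl
            and p["churn"] >= min_churn)


def nameservers_seen(lookups: list[Lookup]) -> list[str]:
    """Every NS name observed: the glue records a registrar report would
    ask to have removed, since the web hosts themselves are disposable."""
    return sorted({ns for lk in lookups for ns in lk.ns})


# Constructed: a flux-style domain answering with 4 of a rotating pool of
# addresses every 5 minutes, with a nameserver swap part-way through.
FLUX_LOOKUPS = [
    Lookup(0,   ("203.0.113.10", "198.51.100.77", "192.0.2.200", "203.0.113.45"),
           300, ("ns1.flux.example", "ns2.flux.example")),
    Lookup(300, ("198.51.100.9", "192.0.2.33", "203.0.113.99", "203.0.113.10"),
           300, ("ns1.flux.example", "ns2.flux.example")),
    Lookup(600, ("198.51.100.150", "192.0.2.71", "203.0.113.201", "198.51.100.9"),
           300, ("ns3.flux.example", "ns4.flux.example")),
    Lookup(900, ("192.0.2.118", "203.0.113.12", "198.51.100.201", "192.0.2.33"),
           300, ("ns3.flux.example", "ns4.flux.example")),
]

# Constructed: an ordinary single-host site over the same window.
STATIC_LOOKUPS = [
    Lookup(t, ("203.0.113.5",), 3600, ("ns1.static.example", "ns2.static.example"))
    for t in (0, 300, 600, 900)
]

if __name__ == "__main__":
    for name, series in (("flux.example", FLUX_LOOKUPS),
                         ("static.example", STATIC_LOOKUPS)):
        p = flux_profile(series)
        print(name, p, "fast-flux" if is_fast_flux(p) else "stable")
        print("  NS to report:", nameservers_seen(series))
```

Note that `flux_profile` needs the lookups to span at least one TTL; a single lookup of a flux domain shows only the handful of addresses in that answer, which is exactly why a one-shot parser reports the site as hosted at one IP that has moved on by the time the report is read.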
