Jotka Posted September 27, 2007

Hi,

it seems to me that SpamCop Reporting does not find proper contact addresses for all Chinese IPs. Here is an example: I had a spam with this link in its body: "http://ggaciton.com/". SpamCop's analysis then found:

---- BEGIN CITED ----
Tracking link: http://ggaciton.com/
[report history]
Resolves to 124.42.123.69
"whois 124.42.123.69[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
Abuse address in 'remarks' field: spam[at]apnic.net.
Abuse address in 'remarks' field: abuse[at]apnic.net.
Backup contact notify = dbmon[at]apnic.net
whois.apnic.net found abuse contacts for 124.42.123.69 = abuse[at]apnic.net., spam[at]apnic.net.
whois: 124.0.0.0 - 124.255.255.255 = abuse[at]apnic.net., spam[at]apnic.net.
Routing details for 124.42.123.69
I refuse to bother abuse[at]apnic.net..
Using abuse#apnic.net.[at]devnull.spamcop.net for statistical tracking.
I refuse to bother spam[at]apnic.net..
Using spam#apnic.net.[at]devnull.spamcop.net for statistical tracking.
Using last resort contacts abuse#apnic.net.[at]devnull.spamcop.net spam#apnic.net.[at]devnull.spamcop.net
---- END CITED ----

With this result no administrator of the hosting site is informed ... though there IS a contact address! An APNIC query for that IP address returns some APNIC mail contacts for 124/8 (which - I agree - should not be bothered), but also an e-mail address for the admin-c/tech-c of 124.42.96/19: chenbin[at]sinnet.com.cn.

I think that addresses like this should also be used for complaints, so I suggest improving SpamCop accordingly.

Thanks and kind regards
Jotka

PS: I hope that my post is okay in this forum. I am new to it, and could not find any posts about this topic, neither in this nor in other forums.
Wazoo Posted September 27, 2007

Technically, you are asking for a change in the routing details. Please see SpamCop Newsgroups for where that takes place.

The other side of the issue is the phrase you saw and included in your post ....

I refuse to bother abuse[at]apnic.net.
I refuse to bother spam[at]apnic.net.

This means that the fine folks that handle those e-mail accounts asked/told SpamCop.net not to bother sending them any reports.

I'm actually going to move this back over to the Reporting Help Forum section with this post.

Noting that one could also ask APNIC to 'fix' their registration listings;

remarks: Unresolved spam complaints to Auto-responder spam[at]apnic.net.
remarks: Unresolved Network Abuse issues to Auto-responder
remarks: abuse[at]apnic.net.
Miss Betsy Posted September 27, 2007

Routing details for 124.42.123.69
I refuse to bother abuse[at]apnic.net..
Using abuse#apnic.net.[at]devnull.spamcop.net for statistical tracking.
I refuse to bother spam[at]apnic.net..
Using spam#apnic.net.[at]devnull.spamcop.net for statistical tracking.
Using last resort contacts abuse#apnic.net.[at]devnull.spamcop.net spam#apnic.net.[at]devnull.spamcop.net

When an abuse desk requests no spamcop reports, spamcop honors that request. If you notice, however, the address does go to devnull.spamcop.net for statistical tracking. Not sending a report to the source does not mean that spamcop ignores the report. Some reports are added to the spamcop blocklist even though the source does not get a report because it requested no reports.

As Wazoo mentions, there is a newsgroup where you can demonstrate that there is a better address for reports from a particular source. I haven't been there for years since it is usually way over my head, but it used to be that if you had a good demonstration of why and where a report should be sent, the deputies would change it in the parser (and again, that might not be a technically correct way of saying it since I only have a very basic understanding of how addresses are selected by the parser and what can be done to get it to select a specific address rather than the one it finds).

Miss Betsy
gwelsh Posted October 5, 2007

When an abuse desk requests no spamcop reports, spamcop honors that request.

[sidebar: did APNIC request not to be disturbed or is SpamCop configured not to bother ARIN, RIPE, APNIC, LACNIC, etc. contact addresses (which is, in my not at all humble opinion, perfectly reasonable.)]

The fundamental problem here is that SpamCop is not picking up on the proper WHOIS data. SpamCop's WHOIS for 124.42.123.69 shows only 124.0.0.0 - 124.255.255.255, but APNIC WHOIS (at http://wq.apnic.net/apnic-bin/whois.pl) returns a more specific contact for 124.42.96.0 - 124.42.127.255 (see below.)

I mention this only because I've requested report routing corrections in the past and have been told that the problem was with the lookup and that deputies can't possibly be expected to put in separate routing exceptions for every block allocated from the regional registry (which, again, I consider to be a reasonable position.)

So, while it may be worth adding a report route for this particular block because it hosts so many spamvertised pages - which is also why it may not be worth reporting them since the operators are probably well aware of their activities - it would be worth far more to find out why SpamCop isn't getting the information it needs and updating the code if necessary.

inetnum: 124.42.96.0 - 124.42.127.255
netname: SINNETHT
descr: BEIJING GUANGHUAN HENGTONG DIGITAL TECHNOLOGY CO.,LTD.
descr: Room506, Tower C, Hui Long Sen International Enterprises Technology Area,
descr: No.18 Xi Hua Nan Lu, Beijing Economic Teconology Delopment Zone
country: CN
admin-c: WH271-CN
tech-c: WH271-CN
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CN-SINNETHT
status: ALLOCATED PORTABLE
changed: ipas[at]cnnic.cn 20070903
source: CNNIC

person: Wang Huijun
nic-hdl: WH271-CN
e-mail: chenbin[at]sinnet.com.cn
address: Room506, Tower C, Hui Long Sen International Enterprises Technology Area,
address: No.18 Xi Hua Nan Lu, Beijing Economic Teconology Delopment Zone.
phone: +86-010-64181150
fax-no: +86-010-64181819
country: CN
changed: ipas[at]cnnic.net.cn 20070807
mnt-by: MAINT-CNNIC-AP
source: CNNIC
Telarin Posted October 5, 2007

I believe that the line

changed: ipas[at]cnnic.cn 20070903

indicates that on 9/3/2007 cnnic changed whatever email address was listed in the whois data to this value. Usually this is done because they find a contact address to be invalid or otherwise undeliverable. Unfortunately, the regional NICs don't have much power to do more than this, and request that the registrant voluntarily update their WHOIS data with correct information.

I have also found cases of spamcop simply ignoring contact information found in WHOIS records, and on talking to deputies have learned that if they believe a particular contact may actually be the spammer themselves, they set up a manual null route so that they do not receive spamcop reports.
Wazoo Posted October 5, 2007

The fundamental problem here is that SpamCop is not picking up on the proper WHOIS data. SpamCop's WHOIS for 124.42.123.69 shows only 124.0.0.0 - 124.255.255.255, but APNIC WHOIS (at http://wq.apnic.net/apnic-bin/whois.pl) returns a more specific contact for 124.42.96.0 - 124.42.127.255 (see below.)

Personally, I'm not all that impressed with the 'additional' data. In addition, your suggestion isn't a 'simple' lookup .. it's actually a Perl script feeding an HTML page to a browser, looking for user interaction. Most definitely not the way the parser works.

I mention this only because I've requested report routing corrections in the past and have been told that the problem was with the lookup and that deputies can't possibly be expected to put in separate routing exceptions for every block allocated from the regional registry (which, again, I consider to be a reasonable position.)

Technically, you are asking for a change in the routing details. Please see SpamCop Newsgroups for where that takes place.

Noting that one could also ask APNIC to 'fix' their registration listings;

These last items are basically combined, as the hint / instructions I placed on the Wiki page say it all.

it is expected that you will do your homework first

I can tell you that Jotka did not do this. Basically all that was done was to ask this same question over there. I have no idea what your 'requests' may have looked like.
Jotka Author Posted October 6, 2007

Personally, I'm not all that impressed with the 'additional' data. In addition, your suggestion isn't a 'simple' lookup .. it's actually a Perl script feeding an HTML page to a browser, looking for user interaction. Most definitely not the way the parser works.

You are right for the HTTP address given by gwelsh, but this is not what I originally suggested. If SpamCop uses the ordinary whois service (TCP port 43 on whois.apnic.net, i.e. whois://whois.apnic.net), the same data will be returned ... in plain text, without all the HTML stuff, but including the additional CNNIC data (and all readers of this may feel encouraged to verify it themselves). This is how my own spam complainer works that I had used before I discovered SpamCop, and it seems very likely to me that the parser uses some method alike.

If, however, gwelsh is right with:

The fundamental problem here is that SpamCop is not picking up on the proper WHOIS data. SpamCop's WHOIS for 124.42.123.69 shows only 124.0.0.0 - 124.255.255.255, but APNIC WHOIS [...] returns a more specific contact for 124.42.96.0 - 124.42.127.255

it may indicate that SpamCop does not query APNIC, but uses an own, cached database, which seems not to be fed with the "additional data". As I don't know SC's internals, I can't tell.

Nonetheless: Since APNIC's whois clearly does return a proper address, I continue to propose to evaluate these whois replies in greater depth.
lbickley Posted September 23, 2014

I keep seeing statements about "I refuse to bother" about sites that have valid persons to bother!

For instance, this recent:

---------------------------
"Cached whois for 103.255.206.57 : helpdesk[at]apnic.net netops[at]apnic.net
I refuse to bother helpdesk[at]apnic.net.
warning:Using helpdesk#apnic.net[at]devnull.spamcop.net for statistical tracking.
I refuse to bother netops[at]apnic.net.
---------------------------

Yet when I do a whois on 103.255.206.57 I get the following:

---------------------------
whois 103.255.206.57
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '103.255.204.0 - 103.255.207.255'

inetnum: 103.255.204.0 - 103.255.207.255
netname: FANSHALA
descr: FANSHALA
admin-c: MM1335-AP
tech-c: NA342-AP
country: IN
mnt-by: MAINT-IN-IRINN
mnt-irt: IRT-FANSHALA-IN
mnt-routes: MAINT-IN-FANSHALA
status: ASSIGNED PORTABLE
changed: hm-changed[at]apnic.net 20140106
source: APNIC

irt: IRT-FANSHALA-IN
address: 71, DSIDC, Okhla Industrial Area, Phase-1
phone: +91 01141066522
fax-no: +91 01126819575
e-mail: support[at]fanshala.com
abuse-mailbox: support[at]fanshala.com
admin-c: MM1335-AP
tech-c: NA342-AP
auth: # Filtered
mnt-by: MAINT-IN-FANSHALA
changed: support[at]fanshala.com 20140106
source: APNIC

role: Network Admin
address: 71, DSIDC, Okhla Industrial Area, Phase-1
country: IN
phone: +91 01141066522
fax-no: +91 01126819575
e-mail: admin[at]fanshala.com
admin-c: MM1335-AP
tech-c: MM1335-AP
nic-hdl: NA342-AP
remarks: send spam and abuse report to support[at]fanshala.com
notify: support[at]fanshala.com
abuse-mailbox: support[at]fanshala.com
mnt-by: MAINT-IN-FANSHALA
changed: support[at]fanshala.com 20140106
source: APNIC

person: Mohit Madan
address: 71, DSIDC, Okhla Industrial Area, Phase-1
country: IN
phone: +91 01141066522
fax-no: +91 01126817595
e-mail: support[at]fanshala.com
nic-hdl: MM1335-AP
remarks: send spam and abuse report to support[at]fanshala.com
notify: support[at]fanshala.com
abuse-mailbox: support[at]fanshala.com
mnt-by: MAINT-IN-FANSHALA
changed: support[at]fanshala.com 20140106
source: APNIC

% Information related to '103.255.204.0/22AS58904'

route: 103.255.204.0/22
descr: FANSHALA - Route Object
origin: AS58904
country: IN
remarks: send spam and abuse report to support[at]fanshala.com
notify: admin[at]koonk.com
mnt-routes: MAINT-IN-IRINN
mnt-by: MAINT-IN-IRINN
changed: admin[at]koonk.com 20140715
source: APNIC
-------------------------------------------------

More and more of my spams are receiving the "I refuse to bother" message. It looks like the spammers have figured out that they can safely hide at ISP's like APNIC - and know that they will not ever be "bothered" by SpamCop.

There are plenty of other email addresses in the above WHOIS where reports can be sent. Let's make it happen!
Lking Posted September 24, 2014

Some things have not changed since your first post. If reports bounce or the abuse/helpdesk have asked not to receive spam reports, SpamCop will not send them. SpamCop does not want to add to the spam in the world. There is no point sending reports to an ISP like APNIC when it is widely known that they don't care.

As noted before your reports, although not forwarded, are used to help build the block list. You can of course send your own report to the ISP and/or upstream servers.
JBJB Posted September 27, 2014

Some things have not changed since your first post. If reports bounce or the abuse/helpdesk have asked not to receive spam reports, SpamCop will not send them. SpamCop does not want to add to the spam in the world. There is no point sending reports to an ISP like APNIC when it is widely known that they don't care. As noted before your reports, although not forwarded, are used to help build the block list. You can of course send your own report to the ISP and/or upstream servers.

You have successfully overlooked the entire point of the post you are addressing, reducing the likelihood that it will be addressed properly and making your reply completely irrelevant. How about reading posts before hitting reply?
Lking Posted September 27, 2014

JBJB you may be correct. My 3 ex-wives would agree that I often miss the point. What do you think the point was?
lisati Posted September 27, 2014

JBJB you may be correct. My 3 ex-wives would agree that I often miss the point. What do you think the point was?

LOL!
AJR Posted October 14, 2014

There is no point sending reports to an ISP like APNIC when it is widely known that they don't care.

APNIC are not an "ISP", they're one of the five Regional Internet Registries (RIRs), whose role is to assign IP addresses (and some other resources) to ensure uniqueness of IP addresses and the efficient use of the limited available addresses. RIRs don't provide connectivity or have any control over how the addresses they have assigned are used.

The five RIRs are:

AFRINIC: Africa
APNIC: Asia & Pacific
ARIN: North America, some Caribbean islands
LACNIC: Latin America, some Caribbean islands
RIPE: Europe & Middle East

The problem that lbickley described is that the Spamcop parser is not picking up the correct contact details for 103.255.206.57 from the APNIC whois records which show the abuse contact as support[at]fanshala.com and is instead trying to report to APNIC, who quite reasonably don't want to receive reports about activity that they have no control over.
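
Added illustration, not part of the thread and not SpamCop's parser code: one way to select a report address from a plain-text (port 43) whois reply of the kind quoted above, by taking the narrowest inetnum that covers the IP, following its admin-c / tech-c / mnt-irt handles, and discarding registry mailboxes. The attribute preference order, the function names and the sample record are assumptions made for this example; it handles IPv4 range objects only.

```python
import ipaddress
import re

RIR_DOMAINS = {"afrinic.net", "apnic.net", "arin.net", "lacnic.net", "ripe.net"}
PREFERRED = ("abuse-mailbox", "e-mail", "remarks")  # assumed order, not SpamCop's
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_objects(text):
    """Split an RPSL reply into objects, each a list of (attribute, value)."""
    blocks = [[(k.strip().lower(), v.strip()) for k, _, v in
               (line.partition(":") for line in b.splitlines())
               if v and not k.startswith("%")]
              for b in re.split(r"\n\s*\n", text.strip())]
    return [b for b in blocks if b]

def abuse_contacts(whois_text, ip):
    """Contacts for the narrowest inetnum covering ip, registry mailboxes dropped."""
    addr, objects, best = ipaddress.ip_address(ip), parse_objects(whois_text), None
    for obj in objects:
        if obj[0][0] != "inetnum":  # IPv4 range objects only
            continue
        lo, hi = (ipaddress.ip_address(p.strip()) for p in obj[0][1].split("-"))
        if lo <= addr <= hi and (best is None or int(hi) - int(lo) < best[0]):
            best = (int(hi) - int(lo), obj)
    if best is None:
        return []
    # admin-c / tech-c / mnt-irt carry the handles of person, role and irt objects.
    handles = {v for k, v in best[1] if k in ("admin-c", "tech-c", "mnt-irt")}
    linked = [best[1]] + [o for o in objects
                          if any(k in ("nic-hdl", "irt") and v in handles for k, v in o)]
    for attr in PREFERRED:
        found = {m for o in linked for k, v in o if k == attr
                 for m in EMAIL.findall(v) if m.split("@")[1].lower() not in RIR_DOMAINS}
        if found:
            return sorted(found)
    return []

# Constructed sample reply (documentation address space, not a real registry record).
SAMPLE = """\
inetnum: 203.0.0.0 - 203.255.255.255
remarks: Unresolved spam complaints to Auto-responder spam@apnic.net.

inetnum: 203.0.113.0 - 203.0.113.255
admin-c: EX1-AP

person: Example Admin
nic-hdl: EX1-AP
e-mail: noc@example.net
"""
```

When only the registry-level block matches, the function returns an empty list instead of a registry address, which leaves the "no usable contact" case for the caller to handle explicitly.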