
At least one instance of failed DNS lookup



Posted

I've only noticed this happening once, but in the processing of the spam, SpamCop is saying that it's not able to resolve a hostname, but a separate DNS query I did is able to determine this. I just want to make sure that the spammer isn't taking advantage of some kind of (temporary) DNS shortcoming to avoid that domain name being included in the report. I receive the error:

Recurse multipart:

Parsing text part

Parsing HTML part

Resolving link obfuscation

http://avynaturalzz.com/

Host avynaturalzz.com (checking ip) IP not found ; avynaturalzz.com discarded as fake.

Tracking link: http://avynaturalzz.com/

[report history]

Cannot resolve http://avynaturalzz.com/

And further details are at:

http://www.spamcop.net/sc?id=z1506027037zf...cd82726e0ee2a6z

User-targeted report, see notes, if any.

http://www.spamcop.net/w3m?i=z2593645221z7...37de8725b9b646z

Now that I check that out, I see that the DNS entry since five minutes ago has been resolved, and new information appears. I'm guessing that's normal. But, I don't know if the spam report is actually sent to the correct place in the end, since the correct DNS lookup happened at the time after I clicked to send the spam reports. I see that the whois information is:

Domain Name: AVYNATURALZZ.COM

Registrar: TODAYNIC.COM, INC.

Whois Server: whois.todaynic.com

Referral URL: http://www.NOW.CN

Name Server: NS1.NJCVHEALTHOK.COM

Name Server: NS2.NJCVHEALTHOK.COM

Status: clientTransferProhibited

Updated Date: 21-oct-2007

Creation Date: 21-oct-2007

Expiration Date: 21-oct-2008

So I don't know if there is a window of possibility for the spammer where they can avoid the spam report being sent if DNS lookup is delayed for some reason. I hope that this is clear.

Posted

Part of a botnet changing constantly

Currently

canonical name avynaturalzz.com.

aliases

addresses 210.14.129.7

Ref: SBL56347

210.14.128.0/19 is listed on the Spamhaus Block List (SBL)

30-Sep-2007 11:30 GMT | SR02

ZBYD Technology Co.,Ltd

No response to multiple SBL listings. Hosting many ROKSO and botnet spam gang's websites and nameservers

many others also but it will change again in a few minutes.

Posted

I'm currently seeing:

Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

H:\>nslookup

...

> set type=all

> avynaturalzz.com

...

Non-authoritative answer:

avynaturalzz.com nameserver = ns1.njcvhealthok.com

avynaturalzz.com nameserver = ns2.njcvhealthok.com

ns1.njcvhealthok.com internet address = 210.14.129.7

ns2.njcvhealthok.com internet address = 116.199.133.10

>

SC is not optimal for dealing with ROKSO-hosting scum or with fast-flux botnets. It is not clear or assured whether the "Complainterator" approach would be any more effective in this case but it is an approach which has some success in dealing with those that SC "misses".

Complainterator is a tool which has proven highly successful in the wholesale removal of tens of thousands of spammed websites. Like Spamcop when used with standard rather than "quick" reporting, it allows the user to select whether or not to forward the generated complaint for the spammed site.

The difference is that Complainterator addresses the complaint not to the ISP who owns the IP address on which the spammed site is hosted; instead, it addresses the complaint to the Registrar for the hosting site.

Rationale - When a spammed site is illegal, the registrar has accepted a contract to register its name from a criminal. Once a complaint is lodged, the registrar has to decide whether to uphold that contract with the criminal, or whether it is better to terminate the contract and avoid the possibility of legal proceedings for aiding and abetting a crime. Most legitimate registrars make the right decision. ...

You might like to look at that post - or the entire topic. Others swear by Knujon - you can search these pages for references, testimonials and links.

Posted

Hi,

I'm seeing quite a few more instances of this same problem. It seems that I am being spammed by the same style spammer, so one or more of those may be connected to others. My basic question is just how to most effectively track down the spammer. Also, what about preventing the search forums from being completely searchable by Google and instead only accessible when you're logged into the site? The spammer could just search for the domain names they had registered to look for a topic like this to see what efforts are under way to find the source of the spammer and then invent ways to circumvent this. I guess the spammer could also have an account on SpamCop too, perhaps, but then also in theory SpamCop's web servers could log the queries being made and do some correlation with source IP and things like that. Also, can the last poster elaborate on "Knujon", "complainterator" and so on? In particular, if there are further efforts that I can make beyond SpamCop, then I'd be interested to know more.

Host avynaturalzz.com (checking ip) IP not found ; avynaturalzz.com discarded as fake.

Host www.azyhealthnew.com (checking ip) IP not found ; www.azyhealthnew.com discarded as fake.

Host gudss.com (checking ip) IP not found ; gudss.com discarded as fake.

Host ckysplashhealthy.com (checking ip) IP not found ; ckysplashhealthy.com discarded as fake.

Host hmttp.com (checking ip) IP not found ; hmttp.com discarded as fake.

Host dishealthyy.com (checking ip) IP not found ; dishealthyy.com discarded as fake.

Host itarpicksarehealthh.com (checking ip) IP not found ; itarpicksarehealthh.com discarded as fake.

Host althywun.com (checking ip) IP not found ; althywun.com discarded as fake.

Host www.iusaacel.com (checking ip) IP not found ; www.iusaacel.com discarded as fake.

Host onmoonhealth.com (checking ip) IP not found ; onmoonhealth.com discarded as fake.

Host www.itfvideo.com (checking ip) IP not found ; www.itfvideo.com discarded as fake.

Host adsl21-172.kln.forthnet.gr (checking ip) IP not found ; adsl21-172.kln.forthnet.gr discarded as fake.

Host ssgrcenet.com (checking ip) IP not found ; ssgrcenet.com discarded as fake.

Host lthinsecretz.com (checking ip) IP not found ; lthinsecretz.com discarded as fake.

(where the later listings are the fresher spams). The corresponding report links should be as follows:


I'm currently seeing:

SC is not optimal for dealing with ROKSO-hosting scum or with fast-flux botnets. It is not clear or assured whether the "Complainterator" approach would be any more effective in this case but it is an approach which has some success in dealing with those that SC "misses".

You might like to look at that post - or the entire topic. Others swear by Knujon - you can search these pages for references, testimonials and links.
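An added example, not part of any poster's message and not SpamCop's own code: it pulls the hostnames out of "discarded as fake" parser lines like those quoted above and re-checks them several times, so a name that only resolves a few minutes later is still caught. The function names, retry count and delay are assumptions, and the sample text is constructed from two lines in the thread.

```python
import re
import socket
import time

# Parser line format as quoted in the post above.
DISCARDED = re.compile(
    r"^Host (\S+) \(checking ip\) IP not found ; (\S+) discarded as fake\.$")

def discarded_hosts(parser_output):
    """Return hostnames the parser gave up on, in order, without duplicates."""
    hosts = []
    for line in parser_output.splitlines():
        m = DISCARDED.match(line.strip())
        if m and m.group(1) == m.group(2) and m.group(1) not in hosts:
            hosts.append(m.group(1))
    return hosts

def system_resolver(host):
    """Resolve host to sorted IPv4 addresses; raises OSError on failure."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def recheck(hosts, resolver=system_resolver, attempts=3, delay=0.0):
    """Retry each host; map host -> (addresses, attempt that succeeded or None)."""
    results = {}
    for host in hosts:
        results[host] = ([], None)
        for attempt in range(1, attempts + 1):
            try:
                addrs = resolver(host)
            except OSError:  # socket.gaierror is a subclass of OSError
                addrs = []
            if addrs:
                results[host] = (addrs, attempt)
                break
            if attempt < attempts:
                time.sleep(delay)  # give a slow or changing zone time to answer
    return results

# Constructed sample: two parser lines from the thread plus one unrelated line.
SAMPLE = """Parsing HTML part
Host avynaturalzz.com (checking ip) IP not found ; avynaturalzz.com discarded as fake.
Host gudss.com (checking ip) IP not found ; gudss.com discarded as fake.
"""

if __name__ == "__main__":
    for host, (addrs, attempt) in recheck(discarded_hosts(SAMPLE), delay=2).items():
        print(host, addrs or "still unresolved", attempt)
```

A host that resolves on a later attempt is a candidate for re-running the report rather than accepting the "fake" verdict.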

Posted
<snip>

My basic question is just how to most effectively track down the spammer.

<snip>

...Do you have millions to spare on investigators and legal professionals? If so, there's hope; if not, you'd be best advised to forget about it.

Also, can the last poster elaborate on "Knujon", "complainterator" and so on?

<snip>

...You don't have to wait -- you can go to the top of any SpamCop Forum page and type in "Knujon" or "complainterator" in the box between the buttons labeled "Search for -->" and "Go" and then press either button.

Posted

...Also, can the last poster elaborate on "Knujon", "complainterator" and so on? In particular, if there are further efforts that I can make beyond SpamCop, then I'd be interested to know more....

Just click the http://forum.spamcop.net/forums/index.php?...t&pid=60620 link for TerryNZ's post, (as provided from the little arrow icon on the quote I gave) - as for Knujon, look for previous posts as Steve T advises above (like http://forum.spamcop.net/forums/index.php?showtopic=8029), I have no "self-contained" references like TerryNZ's Complainterator post handy, just find the discussions and links to the Knujon site for further information, I'm sure you can work it out.

Archived

This topic is now archived and is closed to further replies.
