k9axux00vgy6vfk001 Posted November 1, 2007

I've only noticed this happening once, but in the processing of the spam, SpamCop is saying that it's not able to resolve a hostname, but a separate DNS query I did is able to determine this. I just want to make sure that the spammer isn't taking advantage of some kind of (temporary) DNS shortcoming to avoid that domain name being included in the report.

I receive the error:

    Recurse multipart:
    Parsing text part
    Parsing HTML part
    Resolving link obfuscation
    http://avynaturalzz.com/
    Host avynaturalzz.com (checking ip) IP not found ; avynaturalzz.com discarded as fake.
    Tracking link: http://avynaturalzz.com/
    [report history]
    Cannot resolve http://avynaturalzz.com/

And further details are at:

http://www.spamcop.net/sc?id=z1506027037zf...cd82726e0ee2a6z

User-targeted report, see notes, if any.

http://www.spamcop.net/w3m?i=z2593645221z7...37de8725b9b646z

Now that I check that out, I see that the DNS entry since five minutes ago has been resolved, and new information appears. I'm guessing that's normal. But, I don't know if the spam report is actually sent to the correct place in the end, since the correct DNS lookup happened at the time after I clicked to send the spam reports.

I see that the whois information is:

    Domain Name: AVYNATURALZZ.COM
    Registrar: TODAYNIC.COM, INC.
    Whois Server: whois.todaynic.com
    Referral URL: http://www.NOW.CN
    Name Server: NS1.NJCVHEALTHOK.COM
    Name Server: NS2.NJCVHEALTHOK.COM
    Status: clientTransferProhibited
    Updated Date: 21-oct-2007
    Creation Date: 21-oct-2007
    Expiration Date: 21-oct-2008

So I don't know if there is a window of possibility for the spammer where they can avoid the spam report being sent if DNS lookup is delayed for some reason. I hope that this is clear.

Merlyn Posted November 1, 2007

Part of a botnet changing constantly

Currently

    canonical name avynaturalzz.com.
    aliases
    addresses 210.14.129.7

    Ref: SBL56347
    210.14.128.0/19 is listed on the Spamhaus Block List (SBL)
    30-Sep-2007 11:30 GMT | SR02
    ZBYD Technology Co.,Ltd
    No response to multiple SBL listings. Hosting many ROKSO and botnet spam gang's websites and nameservers

many others also but it will change again in a few minutes.

Farelf Posted November 2, 2007

I'm currently seeing:

    Microsoft Windows XP [Version 5.1.2600]
    © Copyright 1985-2001 Microsoft Corp.

    H:\>nslookup
    ...
    > set type=all
    > avynaturalzz.com
    ...
    Non-authoritative answer:
    avynaturalzz.com nameserver = ns1.njcvhealthok.com
    avynaturalzz.com nameserver = ns2.njcvhealthok.com

    ns1.njcvhealthok.com internet address = 210.14.129.7
    ns2.njcvhealthok.com internet address = 116.199.133.10
    >

SC is not optimal for dealing with ROKSO-hosting scum or with fast-flux botnets. It is not clear or assured whether the "Complainterator" approach would be any more effective in this case but it is an approach which has some success in dealing with those that SC "misses":

"Complainterator is a tool which has proven highly successful in the wholesale removal of tens of thousands of spammed websites. Like Spamcop when used with standard rather than "quick" reporting, it allows the user to select whether or not to forward the generated complaint for the spammed site. The difference is that Complainterator addresses the complaint not to the ISP who owns the IP address on which the spammed site is hosted; instead, it addresses the complaint to the Registrar for the hosting site.

Rationale - When a spammed site is illegal, the registrar has accepted a contract to register its name from a criminal. Once a complaint is lodged, the registrar has to decide whether to uphold that contract with the criminal, or whether it is better to terminate the contract and avoid the possibility of legal proceedings for aiding and abetting a crime. Most legitimate registrars make the right decision. ..."

You might like to look at that post - or the entire topic. Others swear by Knujon - you can search these pages for references, testimonials and links.

k9axux00vgy6vfk001 Posted November 6, 2007 (Author)

Hi,

I'm seeing quite a few more instances of this same problem. It seems that I am being spammed by the same style spammer, so one or more of those may be connected to others.

My basic question is just how to most effectively track down the spammer.

Also, what about preventing the search forums from being completely searchable by Google and instead only accessible when you're logged into the site? The spammer could just search for the domain names they had registered to look for a topic like this to see what efforts are under way to find the source of the spammer and then invent ways to circumvent this. I guess the spammer could also have an account on SpamCop too, perhaps, but then also in theory SpamCop's web servers could log the queries being made and do some correlation with source IP and things like that.

Also, can the last poster elaborate on "Knujon", "complainterator" and so on? In particular, if there are further efforts that I can make beyond SpamCop, then I'd be interested to know more.

    Host avynaturalzz.com (checking ip) IP not found ; avynaturalzz.com discarded as fake.
    Host www.azyhealthnew.com (checking ip) IP not found ; www.azyhealthnew.com discarded as fake.
    Host gudss.com (checking ip) IP not found ; gudss.com discarded as fake.
    Host ckysplashhealthy.com (checking ip) IP not found ; ckysplashhealthy.com discarded as fake.
    Host hmttp.com (checking ip) IP not found ; hmttp.com discarded as fake.
    Host dishealthyy.com (checking ip) IP not found ; dishealthyy.com discarded as fake.
    Host itarpicksarehealthh.com (checking ip) IP not found ; itarpicksarehealthh.com discarded as fake.
    Host althywun.com (checking ip) IP not found ; althywun.com discarded as fake.
    Host www.iusaacel.com (checking ip) IP not found ; www.iusaacel.com discarded as fake.
    Host onmoonhealth.com (checking ip) IP not found ; onmoonhealth.com discarded as fake.
    Host www.itfvideo.com (checking ip) IP not found ; www.itfvideo.com discarded as fake.
    Host adsl21-172.kln.forthnet.gr (checking ip) IP not found ; adsl21-172.kln.forthnet.gr discarded as fake.
    Host ssgrcenet.com (checking ip) IP not found ; ssgrcenet.com discarded as fake.
    Host lthinsecretz.com (checking ip) IP not found ; lthinsecretz.com discarded as fake.

(where the later listings are the fresher spams).

The corresponding report links should be as follows:

    http://www.spamcop.net/sc?id=z1506027037zf...cd82726e0ee2a6z
    http://www.spamcop.net/sc?id=z1507300635z9...ea0cfc982f1921z
    http://www.spamcop.net/sc?id=z1508074767z6...05a6b796600ed2z
    http://www.spamcop.net/sc?id=z1510044195zb...4b67c8edd6c1e4z
    http://www.spamcop.net/sc?id=z1510044274zf...057934c509a3afz
    http://www.spamcop.net/sc?id=z1510044854z6...81010261af6653z
    http://www.spamcop.net/sc?id=z1510257373z5...91f2dbff5cc1fez
    http://www.spamcop.net/sc?id=z1510258323z9...0ff36e4050c763z
    http://www.spamcop.net/sc?id=z1510444295z1...3c2fa7a55d2b81z
    http://www.spamcop.net/sc?id=z1510443204z1...94d5c0c2a5e62az
    http://www.spamcop.net/sc?id=z1510684324z9...c0afe3bb17c836z
    http://www.spamcop.net/sc?id=z1510939092z6...b8d90a2450e72fz
    http://www.spamcop.net/sc?id=z1511399817zb...d4b66d03dc051bz
    http://www.spamcop.net/sc?id=z1511403048z9...5bb44a468758b8z

I'm currently seeing: SC is not optimal for dealing with ROKSO-hosting scum or with fast-flux botnets. It is not clear or assured whether the "Complainterator" approach would be any more effective in this case but it is an approach which has some success in dealing with those that SC "misses"

You might like to look at that post - or the entire topic. Others swear by Knujon - you can search these pages for references, testimonials and links.

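Added example, not part of the original thread and not SpamCop's own code: a way to check for the timing window described above by pulling the "discarded as fake" hosts out of saved parser output and resolving them again later. The line format is the one quoted in the posts; the function names, the sample input and the stub resolver are assumptions made for illustration.

```python
import re
import socket

# Matches the parser line printed for a link host that did not resolve.
DISCARDED = re.compile(
    r"Host (\S+) \(checking ip\) IP not found ; \1 discarded as fake\."
)

def discarded_hosts(parse_output):
    """Return the unique hosts the parser dropped, in first-seen order."""
    seen = []
    for host in DISCARDED.findall(parse_output):
        host = host.lower()
        if host not in seen:
            seen.append(host)
    return seen

def system_resolver(host):
    """Default resolver: IPv4 addresses from the local resolver, [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def recheck(parse_output, resolve=system_resolver):
    """Map each discarded host to the addresses it resolves to now.

    A non-empty list means the name resolved after parse time, so the report
    that was sent did not cover the site's hosting provider.
    """
    return {host: resolve(host) for host in discarded_hosts(parse_output)}

# Constructed sample in the quoted line format, using reserved example names.
SAMPLE = (
    "Host shop.example.com (checking ip) IP not found ; shop.example.com discarded as fake. "
    "Host pills.example.net (checking ip) IP not found ; pills.example.net discarded as fake. "
    "Host shop.example.com (checking ip) IP not found ; shop.example.com discarded as fake."
)

def fake_resolver(host):
    # Constructed answers standing in for a later DNS lookup (TEST-NET-1 address).
    return {"shop.example.com": ["192.0.2.7"]}.get(host, [])

if __name__ == "__main__":
    for host, addrs in recheck(SAMPLE, fake_resolver).items():
        state = "now resolves to " + ", ".join(addrs) if addrs else "still unresolved"
        print(host, state)
```

Hosts that resolve on the recheck are candidates for a second, manual report to the hosting provider or registrar.
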
turetzsr Posted November 6, 2007

<snip>
My basic question is just how to most effectively track down the spammer.
<snip>

...Do you have millions to spare on investigators and legal professionals? If so, there's hope; if not, you'd be best advised to forget about it.

Also, can the last poster elaborate on "Knujon", "complainterator" and so on?
<snip>

...You don't have to wait -- you can go to the top of any SpamCop Forum page and type in "Knujon" or "complainterator" in the box between the buttons labeled "Search for -->" and "Go" and then press either button.

Farelf Posted November 6, 2007

...Also, can the last poster elaborate on "Knujon", "complainterator" and so on? In particular, if there are further efforts that I can make beyond SpamCop, then I'd be interested to know more....

Just click the http://forum.spamcop.net/forums/index.php?...t&pid=60620 link for TerryNZ's post, (as provided from the little arrow icon on the quote I gave) - as for Knujon, look for previous posts as Steve T advises above (like http://forum.spamcop.net/forums/index.php?showtopic=8029), I have no "self-contained" references like TerryNZ's Complainterator post handy, just find the discussions and links to the Knujon site for further information, I'm sure you can work it out.