Bug in SpamCop?


Michael in Paris

Hello,

I sent a spam email to SpamCop which mentioned the URL http://www.iugte.com/projects/Prague.php. SpamCop reported

Host www.iugte.com (checking ip) IP not found ; www.iugte.com discarded as fake.

yet pinging this address returned an IP (195.244.128.14 - in Latvia). The domain name is in the DNS, the inverse IP resolves as well.

Hence no reports were sent to the hosting company nor to the domain name holder.

I am not sure this is the right forum to report this, but I couldn't find any other way to do so.

Michael


...

Host www.iugte.com (checking ip) IP not found ; www.iugte.com discarded as fake.

yet pinging this address returned an IP (195.244.128.14 - in Latvia). The domain name is in the DNS, the inverse IP resolves as well.

Hence no reports were sent to the hosting company nor to the domain name holder.

Hi Michael, yes this is the right place to raise the issue. You haven't mentioned any other error messages so presumably there were none [1]. Accordingly, it is most likely that address simply took too long to resolve. If you look at the statistics - http://www.spamcop.net/spamgraph.shtml?spamstats - you will see the processing rate is around 16 messages a second, often well over 24. The SC system cannot afford the time you might be able to use in getting the A record from a lookup. The business of finding these links is not SC's main purpose and is not given complete priority. It is not particularly recommended (because of the processing load) but sometimes if you reload the parse the link will then be resolved.

SC works on the originating IP address for the spam. Other services concentrate on the matter of shutting down spam websites. If you use the search facility found on most of the forum pages here to look at the mention/discussion of Complainterator [2] and KnuJon, these are just two which are currently well documented.

[1] When I run that address through the parser I get the following

Parsing input: www.iugte.com

Cannot resolve www.iugte.com

No valid email addresses found, sorry!

There are several possible reasons for this:

* The site involved may not want reports from SpamCop.

* SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.

* SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.

* There may be no working email address to receive reports.

You will note in that a whole raft of other reasons for the address not to be resolved. And there is, in other cases, one other possibility - some spammers are able to block SC queries.

[2] (in fact Complainterator V5 Announcement, Automated complaints to registrars is one you would find)


Hello,

I sent a spam email to SpamCop which mentioned the URL http://www.iugte.com/projects/Prague.php. SpamCop reported

Host www.iugte.com (checking ip) IP not found ; www.iugte.com discarded as fake.

yet pinging this address returned an IP (195.244.128.14 - in Latvia). The domain name is in the DNS, the inverse IP resolves as well.

Hence no reports were sent to the hosting company nor to the domain name holder.

Hello, Michael, how's Paris?

SpamCop's main task is to locate the sources and relays used to send spam messages, and it is usually quite good at this.

Tracing the URLs of spam websites mentioned in the messages is but a secondary mission. Often, this is a tricky task due to spammers' manipulation of DNS, to tardy name servers, and to the use of botnets and rotating addresses. There are also cases in which the spammer's DNS service is slow or offline, or is deliberately engineered to deny service to known spam investigators. And, we haven't even broached the issues of portals, redirects, or reverse proxies.

You can see, then, that trying to get to the bottom of each spam URL would take a lot of CPU time and network resources that SpamCop probably reckons are better spent on tracking mail sources.

You are free to report the spam URLs yourself -- if you can be sure that you are reporting to the right folks. For example, when I run a dig lookup on the URL you mentioned, I get the same address as you, but with a time-to-live of 3600 seconds (one hour), which is a bit on the short side for a public website. This suggests that the address might be changed within the next day or so (or less). So, the website might very well have moved to another IP by the time anyone gets to read your report.

Some of the people who post here use other (non-SpamCop) services to deal with spam websites, perhaps they will chime in and offer some suggestions.

-- rick


Thanks for both your replies (and yes, Paris is fine - it's not Paris, Texas, but Paris, France, in case you wonder). I had interpreted the "cannot resolve" as "cannot DNS-resolve" (which it does) rather than as a SpamCop specific meaning (as you explained).

Yet there is something weird: when I use CoolWhois.com to query the DNS, it fails (signalling a PHP bug in its code). When I use SamSpade.org, it succeeds. So there must be something wrong in the reply to the DNS query which SamSpade.org ignores (or deals with), while SpamCop must fail to do (like CoolWhois.com).

Michael


Yet there is something weird: when I use CoolWhois.com to query the DNS, it fails (signalling a PHP bug in its code). When I use SamSpade.org, it succeeds. So there must be something wrong in the reply to the DNS query which SamSpade.org ignores (or deals with), while SpamCop must fail to do (like CoolWhois.com).

SamSpade used here. Yes it resolved. However, by my stopwatch, it took a bit over 80 seconds to happen. Not quite the millisecond timeframe that is seen on 'normal' lookups.
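The effect discussed in this thread, as an added example that is not part of any post and is not SpamCop's code: the same name is "resolved" for a patient client and "not found" for a tool that gives each lookup a short time budget. The function names, the budget values and the simulated resolvers are assumptions made for illustration; the delay is scaled down from the roughly 80 seconds reported above so the example runs quickly and offline.

```python
import concurrent.futures as cf
import socket
import time


def classify_lookup(host, resolver=socket.gethostbyname, budget_s=2.0):
    """Resolve host within budget_s seconds and report why it failed, if it did.

    Returns (status, ip, elapsed_s); status is 'resolved', 'timeout'
    (no answer inside the budget) or 'error' (the resolver reported a failure).
    """
    pool = cf.ThreadPoolExecutor(max_workers=1)
    start = time.monotonic()
    future = pool.submit(resolver, host)
    try:
        ip, status = future.result(timeout=budget_s), "resolved"
    except cf.TimeoutError:          # must come before OSError on Python 3.11+
        ip, status = None, "timeout"
    except OSError:                  # socket.gaierror is a subclass of OSError
        ip, status = None, "error"
    finally:
        pool.shutdown(wait=False)    # do not block on the slow lookup
    return status, ip, round(time.monotonic() - start, 2)


# Constructed stand-ins for a DNS resolver, so nothing touches the network.
def slow_resolver(host, delay_s=0.5):
    """Simulates a tardy name server that does answer eventually."""
    time.sleep(delay_s)
    return "195.244.128.14"          # address quoted in the thread


def missing_resolver(host):
    """Simulates a name that really does not exist."""
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


if __name__ == "__main__":
    name = "www.iugte.com"
    print("impatient parser:", classify_lookup(name, slow_resolver, budget_s=0.1))
    print("patient client:  ", classify_lookup(name, slow_resolver, budget_s=3.0))
    print("nonexistent name:", classify_lookup(name, missing_resolver))
```

A tool that collapses 'timeout' and 'error' into one "cannot resolve" message produces the confusion seen here; logging the two separately shows whether a retry is worth attempting.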


I actually can't remember when the last time Steve's site was actually up (much beyond a single 'front' page)

He's changed hosts a number of times, but none of those arrangements apparently included the bandwidth to run all those tools.

Yes, SamSpade's been taking on water for awhile now, and that is too bad since I really learned a lot from using it over the years. Sam Spade for Windows (SSfW) is great, I have used it for years on my office computer. A bit hard to get hold of now, I think, unless someone has done the kindness to host or mirror it. Last time I had to download it, I had to find a link to it in some elderly search-engine cache, and then snoop around the website.

Anyway, anyone who is looking for a comprehensive public network toolset should try to get hold of SSFW.

-- rick


Yet there is something weird: when I use CoolWhois.com to query the DNS, it fails (signalling a PHP bug in its code). When I use SamSpade.org, it succeeds. So there must be something wrong in the reply to the DNS query which SamSpade.org ignores (or deals with), while SpamCop must fail to do (like CoolWhois.com).

I don't know CoolWhois, but when dealing with spam, you can expect just about any sort of deviancy from normal network practices. So, this could indeed be an artifact from a jackleg name server operated by a spammer, a problem that is not well-trapped by the CoolWhois software.

I occasionally use a service called CompleteWhois, which greatly simplifies whois lookups of all kinds (IP, domain, abuse.net). It is also very persistent in digging up records where normal command-line whois will fail. These folks also run a "whois://" server (at whois.completewhois.com) which you can use on the command line (e.g., "whois -h whois.completewhois.com something.foo"). In my bash shell, I actually set an alias "cwhois=whois -h whois.completewhois.com" to make things easier still.

-- rick
