
HELP locating IP addresses in BULK


showker

I'm working on an action suit with the Attorney General and need to

* analyze 30 days of spam...

* locate spamvertised domain in each (if one exists)

* locate the IP number for each

* identify the advertised "message" of the domain

It's impossible to do it all by hand.

As you know, many of the spammers are now leveraging "Domain Tasting"

for their spamvertised sites -- so, within 5 days, the domain goes dead

or the IP addresses change. Others routinely move or change IP just

to elude detection.

So I need to analyze on a daily basis -- 400 to 1200 spamvertised domains.

The QUESTION is:

Does anyone here know of an automated method of accomplishing the above?

QUESTION #2

How would I locate an expert on analyzing spam -- for HIRE ?

Thanks

Fred


The QUESTION is:

Does anyone here know of an automated method of accomplishing the above?

QUESTION #2

How would I locate an expert on analyzing spam -- for HIRE ?

The time-honored sequence of steps that I use is to (1) attempt to verify that the site is online (i.e., returning an HTTP 200 code) (2) do an nslookup on the URL to get one or more IP addresses, followed by (3) whois lookups on each of the addresses from (2) to identify the block owner and reporting contacts. I have cobbled together a Perl script that does all of these for me in one step, plus spotting and tracking various kinds of website redirections. Kinda like one-stop shopping for spam websites, it saves me a great deal of time. As with any other Unix command, it could be automated by means of shell scripting or similar mechanisms, and could put its text output anywhere you are able to pipe it. The script is not really in condition for a formal public release, but if you PM me we can discuss.

One of the problems you may encounter is that spam websites are diffuse and rapidly-moving targets.

  • Many such sites are hosted via botnet, meaning that their addresses can change quite literally every two minutes (or even more often!). Any reports you run on such a site (or on any website, really) are thus fixes in time and should not be considered to represent what came before or what will come afterward.
  • I also suspect that these guys may still be using obscure DNS tricks to stuff caches on local name servers, so you have to be sure you do a top-down DNS lookup (starting with the root servers) if you wish to get a true and complete picture of the situation.

This might be an issue for your AG depending upon what they intend to do with the data you provide. That is, if they decide to file a complaint against bigisp.foo because a spam website appeared in one of its netblocks, it is very likely to have left there long before the AG even gets to know about it.

Re Knujon: I don't wish to seem like a whiner, but I am bound to say that as a paid member of Knujon, I'm never shown much in the way of technical details on the work they do, and I have not found them to be at all responsive even to routine customer-service-type inquiries. I have some fairly deep questions about how they identify spam URLs and what they do with them, but these questions remain unanswered. Perhaps if I were a federal agent or a state's attorney they might be more willing to share with me. At this point, I see absolutely no reason to continue on as a paid member once my subscription runs out.

-- rick

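The three-step procedure rick describes (HTTP status check, name lookup, whois on each address), applied in bulk to Fred's daily batch of spamvertised domains, looks like this as an added Python example. It is not rick's Perl script and not anything from the thread; it is written here to show the pipeline end to end. The spam messages, hostnames and addresses in it are constructed sample data, the default whois server (whois.arin.net) is an assumption you would swap for the registry that holds the address, and the step functions are pluggable so the pipeline can be exercised offline. Each record is stamped with the time it was taken, since, as rick notes, a botnet-hosted site's addresses can change within minutes and the report only describes that moment.

```python
"""Bulk triage of spamvertised domains: extract, check, resolve, whois (added example)."""
import re
import socket
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlsplit

# Matches http(s) URLs in raw message text; stops at whitespace, quotes and closing brackets.
URL_RE = re.compile(r"""https?://[^\s"'<>)\]]+""", re.IGNORECASE)

# Constructed sample spam (not real messages); domains use the reserved .example TLD.
SAMPLE_SPAM = [
    "From: promo@mailer.example\nSubject: 80% off\n\nOrder now at http://Cheap-Pills.example/buy?ref=42 today!",
    "Click <a href=\"http://cheap-pills.example/\">here</a> or http://tracker.example/open.gif",
]


def extract_domains(spam_messages):
    """Unique, lower-cased hostnames from every http(s) URL in the messages (dedupes the batch)."""
    hosts = set()
    for msg in spam_messages:
        for url in URL_RE.findall(msg):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)


def http_status(host, timeout=10):
    """Step 1: is the site online? Returns (status code, final URL after redirects); 0 if unreachable."""
    req = urllib.request.Request("http://%s/" % host, method="HEAD",
                                 headers={"User-Agent": "spam-triage/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as err:      # server answered, but not 2xx
        return err.code, err.geturl()
    except (urllib.error.URLError, OSError):   # DNS failure, refused, timeout
        return 0, ""


def resolve(host):
    """Step 2: IPv4 addresses the host resolves to right now via the local resolver ([] on NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def whois(ip, server="whois.arin.net", timeout=10):
    """Step 3: raw WHOIS text for an address over the RFC 3912 protocol (TCP port 43)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((ip + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text):
    """Pull the block-owner and abuse-contact fields out of 'key: value' WHOIS lines."""
    wanted = {"netname", "orgname", "organization", "cidr", "inetnum", "netrange",
              "abuse-mailbox", "orgabuseemail"}
    found = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("#", "%")):
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in wanted and key not in found:
            found[key] = value.strip()
    return found


@dataclass
class DomainRecord:
    host: str
    checked_at: float   # epoch seconds; the record is a fix in time, not a permanent fact
    http_status: int
    final_url: str
    addresses: list
    whois: dict         # ip -> parsed whois fields


def redirected(rec):
    """True when the site bounced the request to a different host (rick's redirection tracking)."""
    return bool(rec.final_url) and urlsplit(rec.final_url).hostname != rec.host


def triage(spam_messages, fetch=http_status, lookup=resolve, whois_fn=whois, now=time.time):
    """Run steps 1-3 for every spamvertised host found in the batch and return one record per host."""
    records = []
    for host in extract_domains(spam_messages):
        status, final_url = fetch(host)
        addrs = lookup(host)
        owners = {ip: parse_whois(whois_fn(ip)) for ip in addrs}
        records.append(DomainRecord(host, now(), status, final_url, addrs, owners))
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_SPAM):   # live lookups; .example hosts will simply come back unreachable
        print(rec)
```

Run it over a directory of saved messages by reading each file into the list passed to triage and writing the records out as one line per host; that gives the daily snapshot Fred asked for. Two caveats follow directly from rick's post: resolve uses the local resolver, so a cache stuffed by the spammer's DNS tricks would be reflected in the answer (a top-down check such as dig +trace against the name is the cross-check), and a single ARIN query is only correct for ARIN-managed space, so a production run would follow the referral to the registry that actually holds the block.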
