showker
Posted August 19, 2008

Greets, humor an off-the-wall question:

In tracking and analyzing the spam we receive from a half dozen email accounts we find an overwhelming amount spamvertising the same domains, owned or registered by the same entities. (average 600 to 800 every 8-hours)

When I search on the "Top" or some of the other statistics available in the SpamCop site (Spamvertised Statistics) the domains or IP addresses are never there... nor in any of the other statistic charts.

What does this mean?

[_] I'm getting spam that no one else reports?
[_] I'm on the leading edge and they haven't had enough reports yet?
[_] There is a spammer sending spam to just me?
[_] Spamcop doesn't list those for fear of Russian Mob reprisals?

Here's an example from one account, received in the past 4 hours:

ablerealization.com
ablerealization.com
ablerealization.com
arcuslavwoe.com
cornercome.com
cornercome.com
cornercome.com
cornercome.com
cornercome.com
countbed.com
countbed.com
countbed.com
describesoon.com
describesoon.com
deyns.hotnoun.com/?fwvhrl
documentationmart.com
emilimport.com/e-card.exe
fikcja.nazwa.pl/index1.php
fineepic.com
giantwelove.com
giantwelove.com
goodtimessmart.com
hhkwh.betterbird.com/?ibvd
lakegood.com
loanfinanc.com
loanfinanc.com
mue.hotnoun.com/?cia
mue.hotnoun.com/?cia
r.betterbird.com/?qpy
reachcarry.com
reachmake.com
riselift.com
shopresponsibility.com
tearpower.com
tjel.hotnoun.com/?yjurk
touchsuggest.com
touchsuggest.com
touchsuggest.com
touchsuggest.com
touchsuggest.com
touchsuggest.com
tuv.czwhite.cn
tvoh.czwhite.cn
u.hotnoun.com/?vcuyab
vca.hotnoun.com/?o
whenprosperity.com = [ 61.18.180.230 ]
whenprosperity.com = [ 61.18.180.230 ]
whenprosperity.com
whenprosperity.com
whenprosperity.com
whenprosperity.com
whenprosperity.com
willtape.com = [ 218.61.7.21 ]
woa.hotnoun.com/?l = [ 93.100.137.13 ] Russian
worgassome.com
www.doskdeg.cn/?bjgkobbcuh = [ 89.187.49.14 ]
www.gatrepa.cn/?prmmnpgpt = [ 89.187.49.14 ]
www.kiltery.cn/?ypqyqrcbjt
www.kompyuk.cn/?okbexjkceoxnv
www.kompyuk.cn/?okbexjkceoxnv
www.letabip.cn/?kzkpijgue
www.lizatbb.cn/?gjmitafzefsnm
www.odyneba.cn/?tsixpnoiew
www.ottraxal.cn/?gfneskenfeoeb
www.petyshok.cn/?dogapcjluxa
www.rebyjera.cn/?ofrcmdcclxu
www.rebyjera.cn/?ofrcmdcclxu
www.sychkan.cn/?mijkmnccru
www.vonyhejy.cn/?nhesfhwatpm
www.vonyhejy.cn/?nhesfhwatpm = [ 89.187.49.14 ]
www.ybeuert.cn/?fvxmdcofpv = [ 89.187.49.14 ]
x.betterbird.com/?aw = [ 221.126.242.8 ]
xiep.hotnoun.com/?eml
y.hotnoun.com/?jqqw = [ 89.173.46.52 ]
yht.betterbird.com/?ikk
zhqwnk.hotnoun.com/?h
turetzsr
Posted August 19, 2008

> <snip>
> In tracking and analyzing the spam we receive from a half dozen email accounts we find an overwhelming amount spamvertising the same domains, owned or registered by the same entities. (average 600 to 800 every 8-hours)
> <snip>
> What does this mean?
> [_] I'm getting spam that no one else reports?
> [_] I'm on the leading edge and they haven't had enough reports yet?
> [_] There is a spammer sending spam to just me?
> [_] Spamcop doesn't list those for fear of Russian Mob reprisals?
> <snip>

...None of the above. My guess is a combination of the following:

- SpamCop optionally sends messages to the abuse address for the spamvertized site (if it can find it quickly) but takes no other action to stop spamvertizing.
- Reporters are either not using tools such as Complainterator and Knujon to shut down the spamvertized sites or those tools are not successful.
Farelf
Posted August 19, 2008

> ...When I search on the "Top" or some of the other statistics available in the SpamCop site (Spamvertised Statistics) the domains or IP addresses are never there... nor in any of the other statistic charts.
> What does this mean?
> [_] I'm getting spam that no one else reports?
> [_] I'm on the leading edge and they haven't had enough reports yet?
> [_] There is a spammer sending spam to just me?
> [_] Spamcop doesn't list those for fear of Russian Mob reprisals?
> ...

Very droll. None of the above. SC looks at the hosting of spamvertized sites (the internet address). The ones you, I, most of us get much of the time are hosted on botnets (or redirected via those). Taking one of your cases -

    C:\Documents and Settings\Steve>nslookup cornercome.com
    ...
    Non-authoritative answer:
    Name:    cornercome.com
    Addresses:  89.208.2.97, 89.208.27.71, 89.208.200.112, 90.184.33.198
              93.100.137.13, 218.190.85.230, 218.254.132.123, 221.124.208.164, 61.18.133.69
              61.18.180.230, 68.33.208.119, 69.245.174.253, 79.111.85.98, 79.111.237.226
              79.126.0.181, 85.193.28.176, 85.216.49.214, 89.169.189.86, 89.173.46.52
              89.173.53.72

    C:\Documents and Settings\Steve>

So the 'address' approach doesn't work well - SC, at best, will send a report to the topmost host at the time of parsing (they rotate all the time). Often it won't even resolve that one. Search the forum for 'botnet scenario' posted by TerryNZ if you want an explanation of how a different approach is needed for these. The domain is far more vulnerable. For instance:

    C:\Documents and Settings\Steve>whois -r cornercome.com
    WHOIS Server: whois.35.com

    Registrant:
      Vasiliev Alex douglasmargarucK[at]aol.com +7.3834427731
      Vasiliev Alex
      21 12 Dundicha
      Novosibirsk,NOV,RU 630000

    Domain Name:cornercome.com
    Record last updated at 2008-08-18 06:40:54
    Record created on 2008/8/15
    Record expired on 2009/8/15

    Domain servers in listed order:
      ns0.02872ed.com
      ns1.02872ed.com

    Administrator:
      21 12 Dundicha
      Novosibirsk NOV, RU 630000
      name:(Vasiliev Alex)
      mail:(douglasmargarucK[at]aol.com)
      +7.3834427731 Vasiliev Alex

    Technical Contactor:
      21 12 Dundicha
      Novosibirsk NOV, RU 630000
      name:(Vasiliev Alex)
      mail:(douglasmargarucK[at]aol.com)
      +7.3834427731 Vasiliev Alex

    Billing Contactor:
      21 12 Dundicha
      Novosibirsk NOV, RU 630000
      name:(Vasiliev Alex)
      mail:(douglasmargarucK[at]aol.com)
      +7.3834427731 Vasiliev Alex

    Registration Service Provider:
      name: Vasiliev Alex
      tel: +7.3834427722
      fax: +7.3834427722
      web:

Now you are hardly the only person to receive spam from 'Vasiliev Alex' (Canadian pharmacy etc.) See http://www.domaintools.com/registrant-search/ and enter his two names (Match ALL of these terms: 1. and 2.) - then for $375 you can have a list of 664 other domains he has.

In the link quoted from your post at the top I've taken the liberty of altering the url. You don't need tinyurl if you give the link a title and the url you used was for logged-in members. I left that in your post, just changed it in the quote of it in this post.

[on edit] Just to be clear, 'Vasiliev Alex' is almost certainly a fake name, everything else in the whois record is likely to be false, deceptive, misleading or a slander on some innocent citizen too. Spammers lie.
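The point Farelf makes with the nslookup output above (one spamvertised domain resolving to twenty rotating addresses spread across unrelated networks, so a report aimed at any single address misses) can be checked mechanically. The following is an added example, not code from the thread or from SpamCop: it parses the address list the way nslookup on Windows prints it, de-duplicates it, and counts how many distinct /16 and /8 prefixes the hosts fall into. The sample text is the answer quoted in the post; the thresholds `min_hosts` and `min_prefixes` are assumptions chosen for illustration, not SpamCop's or anyone's published rule.

```python
"""Added example: spot botnet-style (fast-flux) hosting from nslookup output.

A legitimately hosted site usually resolves to one address or a handful in
the same network. A domain parked on a botnet resolves to many addresses
scattered across consumer ISP ranges, and the set rotates between queries.
"""
import ipaddress
import re

# Constructed sample: the nslookup answer quoted in the forum post above.
SAMPLE_NSLOOKUP = """\
Non-authoritative answer:
Name:    cornercome.com
Addresses:  89.208.2.97, 89.208.27.71, 89.208.200.112, 90.184.33.198
          93.100.137.13, 218.190.85.230, 218.254.132.123, 221.124.208.164, 61.18.133.69
          61.18.180.230, 68.33.208.119, 69.245.174.253, 79.111.85.98, 79.111.237.226
          79.126.0.181, 85.193.28.176, 85.216.49.214, 89.169.189.86, 89.173.46.52
          89.173.53.72
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_addresses(nslookup_text):
    """Return the unique, valid IPv4 addresses in the answer section.

    Only lines after 'Name:' are scanned, so the resolver's own address
    (printed earlier as 'Server:'/'Address:') is not mistaken for a host.
    """
    addrs = []
    in_answer = False
    for line in nslookup_text.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip():  # blank line ends the answer section
            break
        for token in IPV4_RE.findall(line):
            try:
                ip = ipaddress.IPv4Address(token)
            except ipaddress.AddressValueError:
                continue  # e.g. a malformed octet > 255
            if ip not in addrs:
                addrs.append(ip)
    return addrs


def flux_summary(addresses, min_hosts=5, min_prefixes=4):
    """Summarise host count and network spread; thresholds are assumptions."""
    nets16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in addresses}
    nets8 = {ipaddress.ip_network(f"{ip}/8", strict=False) for ip in addresses}
    return {
        "hosts": len(addresses),
        "distinct_16": len(nets16),
        "distinct_8": len(nets8),
        # Many hosts in many unrelated networks is the botnet-hosting signature.
        "likely_botnet_hosted": len(addresses) >= min_hosts and len(nets16) >= min_prefixes,
        # What a single-resolution report would be aimed at: only the first host.
        "single_report_target": str(addresses[0]) if addresses else None,
    }


if __name__ == "__main__":
    hosts = parse_addresses(SAMPLE_NSLOOKUP)
    for key, value in flux_summary(hosts).items():
        print(f"{key}: {value}")
```

Running it on the quoted answer reports 20 hosts across 15 distinct /16 prefixes and 10 distinct /8s, which is why a single abuse report to whichever address came first at parse time achieves little; the registrar and name servers, which do not rotate, are the stable handle.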
Miss Betsy
Posted August 20, 2008

Some ISPs filter using spamvertized websites - the blocklist for that is fed by spamcop. spamcop blocklist is only for the /source/ of spam, not the websites advertised. I forget what the blocklist name is, but one server admin estimated that 25% of the spam filtered out was by spamvertised websites.

Miss Betsy
Farelf
Posted August 20, 2008

> ...I forget what the blocklist name is...

SURBL - http://forum.spamcop.net/forums/index.php?showtopic=5120

e.g., picking one currently featuring many times in http://www.spamcop.net/w3m?action=inprogress;type=www

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    H:\>nslookup
    ...
    > epicgreat.com.sc.surbl.org
    ...
    Name:    epicgreat.com.sc.surbl.org
    Address:  127.0.0.2
    > set type=txt
    > epicgreat.com.sc.surbl.org
    ...
    Non-authoritative answer:
    epicgreat.com.sc.surbl.org      text =

            "Blocked, See: http://www.surbl.org/lists.html#sc"
    >
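The manual nslookup in Farelf's post is exactly what a mail filter does for every URL in a message: take the domain, append the blocklist zone, and treat an A record in 127.0.0.0/8 as "listed". The following is an added example, not code from the thread, SpamCop or SURBL: it turns the spamvertised lines from the opening post into lookup names for `sc.surbl.org` and decodes the answer. Two things are assumptions of mine rather than facts from the page: the registrable-domain heuristic (two labels, or three under a two-letter country code when the second label is a generic like `co` or `com`) and the bit table, of which only `127.0.0.2 = sc` is shown on the page. DNS is injected as a function so the demo runs offline against a constructed stub; swap in `dns_resolver` to query the real zone.

```python
"""Added example: SURBL-style lookup of spamvertised domains (defender view)."""
import socket
from urllib.parse import urlsplit

SURBL_ZONE = "sc.surbl.org"  # the zone queried in the post's nslookup session

# Assumption: the low byte of the answer is a bitmask of lists. The page shows
# only 127.0.0.2 meaning the SpamCop-fed list ("sc"); other bits are reported
# as raw numbers rather than invented names.
LIST_BITS = {2: "sc"}

# Assumption: simplified registrable-domain rule (no public-suffix list).
CCTLD_SECOND_LEVEL = {"com", "net", "org", "co", "ac", "edu", "gov"}


def host_from_spamvertised(entry):
    """'deyns.hotnoun.com/?fwvhrl' or 'http://x.y/z' -> hostname (lower-case)."""
    if "://" not in entry:
        entry = "http://" + entry
    return (urlsplit(entry).hostname or "").lower()


def registrable_domain(host):
    """Reduce a hostname to the domain that blocklists actually key on."""
    labels = host.strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CCTLD_SECOND_LEVEL:
        return ".".join(labels[-3:])  # e.g. example.co.uk
    return ".".join(labels[-2:])      # e.g. hotnoun.com, czwhite.cn


def surbl_query_name(entry, zone=SURBL_ZONE):
    return f"{registrable_domain(host_from_spamvertised(entry))}.{zone}"


def parse_spamvertised_list(text):
    """Parse lines like 'willtape.com = [ 218.61.7.21 ]' into bare URL entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entries.append(line.split(" = ")[0].split()[0])
    return entries


def dns_resolver(name):
    """Real DNS via the system resolver; None on NXDOMAIN (= not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_entry(entry, resolve=dns_resolver, zone=SURBL_ZONE):
    """Look one spamvertised entry up and decode the blocklist answer."""
    qname = surbl_query_name(entry, zone)
    answer = resolve(qname)
    listed = answer is not None and answer.startswith("127.0.0.")
    lists = []
    if listed:
        low = int(answer.rsplit(".", 1)[1])
        lists = [LIST_BITS.get(1 << b, f"bit{1 << b}") for b in range(8) if low & (1 << b)]
    return {"entry": entry, "query": qname, "answer": answer, "listed": listed, "lists": lists}


# Constructed stub standing in for DNS: only the domain from the post is listed.
STUB_ANSWERS = {"epicgreat.com.sc.surbl.org": "127.0.0.2"}


def stub_resolver(name):
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    # Constructed input: a few lines in the format of the opening post's list.
    sample = "deyns.hotnoun.com/?fwvhrl\nwilltape.com = [ 218.61.7.21 ]\nepicgreat.com\n"
    for entry in parse_spamvertised_list(sample):
        print(check_entry(entry, resolve=stub_resolver))
```

The usual mistakes this guards against: querying the full hostname (`deyns.hotnoun.com.sc.surbl.org`) instead of the registrable domain, which the list does not carry, and treating any non-empty answer as "listed" rather than checking for the 127.0.0.0/8 convention. A TXT lookup, as in the post, gives the human-readable reason; the A record is what a filter keys on.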
Miss Betsy
Posted August 20, 2008

Thanks, Farelf! I knew someone would come up with the name.

Miss Betsy