About SpamCop statistics generation


showker

Greets, humor me with an off-the-wall question:

In tracking and analyzing the spam we receive from a half dozen email accounts we find an overwhelming amount of spam spamvertising the same domains, owned or registered by the same entities. (average 600 to 800 every 8-hours)

When I search on the "Top" or some of the other statistics available in the SpamCop site (Spamvertised Statistics) the domains or IP addresses are never there... nor in any of the other statistic charts.

What does this mean?

[_] I'm getting spam that no one else reports?
[_] I'm on the leading edge and they haven't had enough reports yet?
[_] There is a spammer sending spam to just me?
[_] Spamcop doesn't list those for fear of Russian Mob reprisals?

Here's an example from one account, received in the past 4 hours:

ablerealization.com
ablerealization.com
ablerealization.com
arcuslavwoe.com
cornercome.com
cornercome.com
cornercome.com
cornercome.com
cornercome.com
countbed.com
countbed.com
countbed.com
describesoon.com
describesoon.com
deyns.hotnoun.com/?fwvhrl
documentationmart.com
emilimport.com/e-card.exe
fikcja.nazwa.pl/index1.php
fineepic.com
giantwelove.com
giantwelove.com
goodtimessmart.com
hhkwh.betterbird.com/?ibvd
lakegood.com
loanfinanc.com
loanfinanc.com
mue.hotnoun.com/?cia
mue.hotnoun.com/?cia
r.betterbird.com/?qpy
reachcarry.com
reachmake.com
riselift.com
shopresponsibility.com
tearpower.com
tjel.hotnoun.com/?yjurk
touchsuggest.com
touchsuggest.com
touchsuggest.com
touchsuggest.com
touchsuggest.com
touchsuggest.com
tuv.czwhite.cn
tvoh.czwhite.cn
u.hotnoun.com/?vcuyab
vca.hotnoun.com/?o
whenprosperity.com = [ 61.18.180.230 ]
whenprosperity.com = [ 61.18.180.230 ]
whenprosperity.com
whenprosperity.com
whenprosperity.com
whenprosperity.com
whenprosperity.com
willtape.com = [ 218.61.7.21 ]
woa.hotnoun.com/?l = [ 93.100.137.13 ] Russian
worgassome.com
www.doskdeg.cn/?bjgkobbcuh = [ 89.187.49.14 ]
www.gatrepa.cn/?prmmnpgpt = [ 89.187.49.14 ]
www.kiltery.cn/?ypqyqrcbjt
www.kompyuk.cn/?okbexjkceoxnv
www.kompyuk.cn/?okbexjkceoxnv
www.letabip.cn/?kzkpijgue
www.lizatbb.cn/?gjmitafzefsnm
www.odyneba.cn/?tsixpnoiew
www.ottraxal.cn/?gfneskenfeoeb
www.petyshok.cn/?dogapcjluxa
www.rebyjera.cn/?ofrcmdcclxu
www.rebyjera.cn/?ofrcmdcclxu
www.sychkan.cn/?mijkmnccru
www.vonyhejy.cn/?nhesfhwatpm
www.vonyhejy.cn/?nhesfhwatpm = [ 89.187.49.14 ]
www.ybeuert.cn/?fvxmdcofpv = [ 89.187.49.14 ]
x.betterbird.com/?aw = [ 221.126.242.8 ]
xiep.hotnoun.com/?eml
y.hotnoun.com/?jqqw = [ 89.173.46.52 ]
yht.betterbird.com/?ikk
zhqwnk.hotnoun.com/?h


<snip>
In tracking and analyzing the spam we receive from a half dozen email accounts we find an overwhelming amount of spam spamvertising the same domains, owned or registered by the same entities. (average 600 to 800 every 8-hours)
<snip>
What does this mean?

[_] I'm getting spam that no one else reports?
[_] I'm on the leading edge and they haven't had enough reports yet?
[_] There is a spammer sending spam to just me?
[_] Spamcop doesn't list those for fear of Russian Mob reprisals?
<snip>

...None of the above. My guess is a combination of the following:
  • SpamCop optionally sends messages to the abuse address for the spamvertized site (if it can find it quickly) but takes no other action to stop spamvertizing.
  • Reporters are either not using tools such as Complainterator and Knujon to shut down the spamvertized sites or those tools are not successful.


...When I search on the "Top" or some of the other statistics available in the SpamCop site (Spamvertised Statistics) the domains or IP addresses are never there... nor in any of the other statistic charts.

What does this mean?

[_] I'm getting spam that no one else reports?
[_] I'm on the leading edge and they haven't had enough reports yet?
[_] There is a spammer sending spam to just me?
[_] Spamcop doesn't list those for fear of Russian Mob reprisals?
...

Very droll. None of the above. SC looks at the hosting of spamvertized sites (the internet address). The ones you, I, most of us get much of the time are hosted on botnets (or redirected via those). Taking one of your cases -

C:\Documents and Settings\Steve>nslookup cornercome.com
...
Non-authoritative answer:
Name: cornercome.com
Addresses:
89.208.2.97,
89.208.27.71,
89.208.200.112,
90.184.33.198
93.100.137.13,
218.190.85.230,
218.254.132.123,
221.124.208.164,
61.18.133.69
61.18.180.230,
68.33.208.119,
69.245.174.253,
79.111.85.98,
79.111.237.226
79.126.0.181,
85.193.28.176,
85.216.49.214,
89.169.189.86,
89.173.46.52
89.173.53.72

C:\Documents and Settings\Steve>

So the 'address' approach doesn't work well - SC, at best, will send a report to the topmost host at the time of parsing (they rotate all the time). Often it won't even resolve that one. Search the forum for 'botnet scenario' posted by TerryNZ if you want an explanation of how a different approach is needed for these. The domain is far more vulnerable. For instance:

C:\Documents and Settings\Steve>whois -r cornercome.com
WHOIS Server: whois.35.com

Registrant:
Vasiliev Alex douglasmargarucK[at]aol.com +7.3834427731
Vasiliev Alex
21 12 Dundicha
Novosibirsk,NOV,RU 630000

Domain Name:cornercome.com
Record last updated at 2008-08-18 06:40:54
Record created on 2008/8/15
Record expired on 2009/8/15

Domain servers in listed order:
ns0.02872ed.com ns1.02872ed.com

Administrator:
21 12 Dundicha
Novosibirsk
NOV,
RU
630000
name:(Vasiliev Alex)
mail:(douglasmargarucK[at]aol.com) +7.3834427731
Vasiliev Alex

Technical Contactor:
21 12 Dundicha
Novosibirsk
NOV,
RU
630000
name:(Vasiliev Alex)
mail:(douglasmargarucK[at]aol.com) +7.3834427731
Vasiliev Alex

Billing Contactor:
21 12 Dundicha
Novosibirsk
NOV,
RU
630000
name:(Vasiliev Alex)
mail:(douglasmargarucK[at]aol.com) +7.3834427731
Vasiliev Alex

Registration Service Provider:
name: Vasiliev Alex
tel: +7.3834427722
fax: +7.3834427722
web:

Now you are hardly the only person to receive spam from 'Vasiliev Alex' (Canadian pharmacy etc.)

See http://www.domaintools.com/registrant-search/ and enter his two names (Match ALL of these terms: 1. and 2.) - then for $375 you can have a list of 664 other domains he has.

In the link quoted from your post at the top I've taken the liberty of altering the url. You don't need tinyurl if you give the link a title and the url you used was for logged-in members. I left that in your post, just changed it in the quote of it in this post.

[on edit]Just to be clear, 'Vasiliev Alex' is almost certainly a fake name, everything else in the whois record is likely to be false, deceptive, misleading or a slander on some innocent citizen too. Spammers lie.


Some ISPs filter using spamvertized websites - the blocklist for that is fed by spamcop. spamcop blocklist is only for the /source/ of spam, not the websites advertised.

I forget what the blocklist name is, but one server admin estimated that 25% of the spam filtered out was by spamvertised websites.

Miss Betsy


...I forget what the blocklist name is...
SURBL - http://forum.spamcop.net/forums/index.php?showtopic=5120

e.g., picking one currently featuring many times in http://www.spamcop.net/w3m?action=inprogress;type=www

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

H:\>nslookup
...
> epicgreat.com.sc.surbl.org
...
Name: epicgreat.com.sc.surbl.org
Address: 127.0.0.2

> set type=txt
> epicgreat.com.sc.surbl.org
...
Non-authoritative answer:
epicgreat.com.sc.surbl.org text =
"Blocked, See: http://www.surbl.org/lists.html#sc"

>

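The thread does three things by hand: tallies the spamvertised hosts, reads an nslookup answer set to judge whether a domain is parked on a botnet (many addresses scattered across unrelated networks, as with cornercome.com above), and queries the SURBL list by appending `.sc.surbl.org` to the domain and decoding the `127.0.0.x` answer. The script below is an added example that automates those steps; it is not SpamCop's or SURBL's code. The sample lines and the cornercome.com address set are copied from the posts above; the `/16`-diversity thresholds, the short second-level-suffix table, and the injectable `resolve` callback are my own assumptions.

```python
"""Triage helpers for spamvertised URLs: tally, hosting-diversity score, SURBL query.

Added example, not SpamCop's or SURBL's code. Thresholds and the tiny suffix table
are assumptions; a production tool would use the Public Suffix List.
"""
import ipaddress
import socket
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a subset of the tally posted at the top of the thread.
SAMPLE_LINES = [
    "ablerealization.com",
    "ablerealization.com",
    "cornercome.com",
    "cornercome.com",
    "deyns.hotnoun.com/?fwvhrl",
    "mue.hotnoun.com/?cia",
    "whenprosperity.com = [ 61.18.180.230 ]",
    "woa.hotnoun.com/?l = [ 93.100.137.13 ] Russian",
    "www.doskdeg.cn/?bjgkobbcuh = [ 89.187.49.14 ]",
]

# The A records nslookup returned for cornercome.com in the thread.
CORNERCOME_ANSWERS = [
    "89.208.2.97", "89.208.27.71", "89.208.200.112", "90.184.33.198", "93.100.137.13",
    "218.190.85.230", "218.254.132.123", "221.124.208.164", "61.18.133.69", "61.18.180.230",
    "68.33.208.119", "69.245.174.253", "79.111.85.98", "79.111.237.226", "79.126.0.181",
    "85.193.28.176", "85.216.49.214", "89.169.189.86", "89.173.46.52", "89.173.53.72",
]

# Assumption: a few suffixes where the registrable domain has three labels.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "com.cn", "net.cn", "com.br"}


def host_of(entry):
    """Pull the host out of a bare host, host/path, or 'host/path = [ ip ] note' line."""
    token = entry.strip().split()[0]          # drop any trailing '= [ ip ] note'
    if "://" not in token:
        token = "http://" + token             # urlsplit only finds a host after a scheme
    host = urlsplit(token).hostname
    if not host:
        raise ValueError(f"no host in {entry!r}")
    return host.lower()


def base_domain(host):
    """Reduce a host to its registrable domain (the name SURBL is queried with)."""
    labels = host.rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def tally(lines):
    """Count spamvertised base domains, merging hotnoun.com-style subdomains."""
    return Counter(base_domain(host_of(line)) for line in lines if line.strip())


def flux_indicators(addresses, min_ips=5, min_nets=3):
    """Score an A-record set: many addresses across many /16s suggests botnet hosting.

    Thresholds are assumptions chosen for this example, not a published rule.
    """
    ips = {ipaddress.ip_address(a) for a in addresses}
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    return {
        "ips": len(ips),
        "slash16": len(nets),
        "likely_botnet": len(ips) >= min_ips and len(nets) >= min_nets,
    }


def surbl_query_name(host, list_name="sc"):
    """Build the DNS name the thread queried, e.g. epicgreat.com.sc.surbl.org."""
    return f"{base_domain(host)}.{list_name}.surbl.org"


def surbl_verdict(answer):
    """Decode a SURBL A record: any 127.0.0.x means listed; x carries the list bits."""
    if answer is None:
        return False, 0
    ip = ipaddress.ip_address(answer)
    if ip not in ipaddress.ip_network("127.0.0.0/8"):
        raise ValueError(f"unexpected SURBL answer {answer}")
    return True, int(ip) & 0xFF


def check_domain(entry, resolve=socket.gethostbyname, list_name="sc"):
    """Look a spamvertised line up on SURBL; NXDOMAIN (gaierror) or None means not listed."""
    try:
        answer = resolve(surbl_query_name(host_of(entry), list_name))
    except socket.gaierror:
        answer = None
    return surbl_verdict(answer)


if __name__ == "__main__":
    for domain, n in tally(SAMPLE_LINES).most_common():
        print(f"{n:3d}  {domain}")
    print("cornercome.com A-record diversity:", flux_indicators(CORNERCOME_ANSWERS))
    print("epicgreat.com on sc.surbl.org:", check_domain("epicgreat.com"))  # live DNS query
```

`check_domain` takes the resolver as a parameter so the lookup can be exercised offline with a stub; the last line of the main block performs a real query and needs network access. The list name is a parameter because the thread queries `sc.surbl.org`, and the same construction applies to any other SURBL list name.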
