skydealer Posted August 24, 2008

I get 10-20 spams a day from a Russian server called rusonyx.ru. The spams are all from different locations as they are using a botnet to send from different IP addresses, but the website (watch.ru) is always the same. The problem is when I forward the spams to my SpamCop account, or even try entering them in manually, SpamCop is not registering the website www.watch.ru to blacklist it. I've even tried refreshing and refreshing the page and the spam site doesn't get picked up by SpamCop. Is there another way to get these crooks put on a blacklist?
Wazoo Posted August 24, 2008

> I get 10-20 spams a day from a Russian server called rusonyx.ru. The spams are all from different locations as they are using a botnet to send from different IP addresses, but the website (watch.ru) is always the same. The problem is when I forward the spams to my SpamCop account, or even try entering them in manually, SpamCop is not registering the website www.watch.ru to blacklist it.

A bit confusing in that you chose to use www. in one instance, no sub-domain www. in the other. Which is it? (Noting that the question would not have needed to be asked if a Tracking URL had been provided.)

> I've even tried refreshing and refreshing the page and the spam site doesn't get picked up by SpamCop. Is there another way to get these crooks put on a blacklist?

Technically, not sure about the background of your query. The SpamCopDNSBL does not list Domains, only IP Addresses. If you're talking about getting a Domain to somehow get picked up by the SURBL, there's a bit more to it than just you reporting a spam or two. There is a FAQ entry in the SpamCop FAQ as found 'here' that might help. In this case:

    Slow traceroute watch.ru
    Trace watch.ru (89.253.245.191) ...
    89.253.245.191 RTT: 162ms TTL: 47 (watch2.v.shared.ru ok)

    Slow traceroute www.watch.ru
    Trace www.watch.ru (89.253.245.191) ...
    89.253.245.191 RTT: 166ms TTL: 47 (watch2.v.shared.ru ok)

However, a 'dig' on watch.ru comes back almost immediately, whereas a 'dig' on www.watch.ru has been sitting for almost 5 minutes thus far with no return.

    Dig watch.ru[at]ns4.nic.ru (194.226.96.8) ...
    Authoritative Answer
    Query for watch.ru type=255 class=1
    watch.ru SOA (Zone of Authority)
        Primary NS: ns3.nic.ru
        Responsible person: expert[at]clock.ru
        serial:65012741
        refresh:14400s (4 hours)
        retry:3600s (60 minutes)
        expire:2592000s (30 days)
        minimum-ttl:600s (10 minutes)
    watch.ru MX (Mail Exchanger) Priority: 10 mail.watch.ru
    watch.ru A (Address) 89.253.245.191
    watch.ru NS (Nameserver) ns4.nic.ru
    watch.ru NS (Nameserver) ns3.nic.ru
    mail.watch.ru A (Address) 89.253.245.191

    Dig watch.ru[at]ns3.nic.ru (194.85.61.20) ...
    Authoritative Answer
    Query for watch.ru type=255 class=1
    watch.ru SOA (Zone of Authority)
        Primary NS: ns3.nic.ru
        Responsible person: expert[at]clock.ru
        serial:65012741
        refresh:14400s (4 hours)
        retry:3600s (60 minutes)
        expire:2592000s (30 days)
        minimum-ttl:600s (10 minutes)
    watch.ru NS (Nameserver) ns4.nic.ru
    watch.ru NS (Nameserver) ns3.nic.ru
    watch.ru A (Address) 89.253.245.191
    watch.ru MX (Mail Exchanger) Priority: 10 mail.watch.ru
    ns3.nic.ru A (Address) 194.85.61.20
    ns4.nic.ru A (Address) 194.226.96.8
    mail.watch.ru A (Address) 89.253.245.191

    Dig watch.ru[at]208.67.220.220 ...
    Non-authoritative answer
    Recursive queries supported by this server
    Query for watch.ru type=255 class=1
    watch.ru NS (Nameserver) ns3.nic.ru
    watch.ru NS (Nameserver) ns4.nic.ru

    whois -h whois.ripn.net www.watch.ru ...
    No entries found for the selected source(s).

    whois -h whois.ripn.net watch.ru ...
    domain:     WATCH.RU
    type:       CORPORATE
    nserver:    ns3.nic.ru.
    nserver:    ns4.nic.ru.
    state:      REGISTERED, DELEGATED
    person:     Lev N Novogrudsky
    phone:      +7 095 4886147
    fax-no:     +7 095 4886147
    e-mail:     expert[at]clock.ru
    registrar:  RUCENTER-REG-RIPN
    created:    1998.05.25
    paid-till:  2009.06.01
    source:     TC-RIPN

As you can see, the leading 'www.' makes quite a difference in this case. I also don't see how you tied two Domains together .... this watch.ru and rusonyx.ru .... yet again, a Tracking URL might have explained what you're talking about ...?????
skydealer Posted August 24, 2008 (Author)

The spams all have the typical forged headers and all advertise the domain link www.watch.ru/

I ran Neotrace on www.watch.ru/ and it shows the following:

    IP Address: 89.253.245.191 aka flyfirebird.ru
    Location: MOSKVA (55.750N, 37.583E)
    Network: 89-RIPE
    nserver: ns1.rusonyx.ru.
    nserver: ns2.rusonyx.ru.

And back on 08/21 one of the spams I reported to SpamCop did actually pick up on the watch.ru server:

    Submitted: Thursday, August 21, 2008 11:10:08 PM -0500: Rolex, Rado, Patek Philipppe,, Omega, Gucci
    3404645874 (www.watch.ru/) To: abuse[at]rusonyx.ru

But I have about 50 other spams that are all advertising www.watch.ru/ and the SpamCop reports never pick up on the IP address of www.watch.ru/. All of my reported spams only pick up on the sender IP, and never on www.watch.ru/... even though it's mentioned in each spam. These are all the same spams from the same website (www.watch.ru) but are being sent through a botnet so the IP addresses of the senders are always different. Typical spams.

Here's a page that I reported today. As you can see, none of the SpamCop reports picked up on the watch.ru address that was listed in the spam. This is important as they are the ones responsible!

    Submitted: Saturday, August 23, 2008 1:05:06 AM -0500: Rollex, Rado, Patek Philipppe, Omega, Gucci
    3408819858 ( z_User_Notification ) To: abuse[at]rusonyx.ru
    3408819857 ( 58.35.132.1 ) To: webmaster#online.sh.cn[at]devnull.spamcop.net
    3408819856 ( 58.35.132.1 ) To: ip-admin[at]mail.online.sh.cn
    3408819855 ( 58.35.132.1 ) To: abuse#online.sh.cn[at]devnull.spamcop.net
    3408819854 ( 58.35.132.1 ) To: postmaster#online.sh.cn[at]devnull.spamcop.net
    3408819853 ( 58.35.132.1 ) To: anti-spam[at]ns.chinanet.cn.net
    --------------------------------------------------------------------------------
    Submitted: Saturday, August 23, 2008 1:05:06 AM -0500: Rolex, Raddo, PPatek Philippe, Omega, Gucci
    3408819838 ( z_User_Notification ) To: abuse[at]rusonyx.ru
    3408819836 ( 68.29.42.21 ) To: abuse-quiet[at]sprint.net
    3408819835 ( 68.29.42.21 ) To: abuse[at]sprintpcs.com
    3408819834 ( 68.29.42.21 ) To: abuse[at]messaging.sprintpcs.com
    3408819833 ( 68.29.42.21 ) To: postmaster[at]sprintpcs.com
    --------------------------------------------------------------------------------
    Submitted: Saturday, August 23, 2008 1:05:06 AM -0500: Rolexx, Rado, Patek PPhilippe, Omega, Gucci
    3408819830 ( z_User_Notification ) To: abuse[at]rusonyx.ru
    3408819829 ( 72.8.92.208 ) To: abuse[at]viawest.net
    3408819828 ( 72.8.92.208 ) To: postmaster[at]mstarmetro.net
    3408819827 ( 72.8.92.208 ) To: abuse[at]outblaze.com
    --------------------------------------------------------------------------------
    Submitted: Saturday, August 23, 2008 1:05:06 AM -0500: Rolex, Rado, PPatek Philippe, Omegaa, Gucci
    3408819773 ( z_User_Notification ) To: abuse[at]rusonyx.ru
    3408819772 ( 79.9.196.150 ) To: abuse[at]retail.telecomitalia.it
    3408819771 ( 79.9.196.150 ) To: abuse[at]telecomitalia.it
    3408819769 ( 79.9.196.150 ) To: abuse[at]business.telecomitalia.it
    --------------------------------------------------------------------------------
    Submitted: Saturday, August 23, 2008 1:05:06 AM -0500: Rolex, Rado,, Patek Philippe, Omega, Gucci
    3408819452 ( z_User_Notification ) To: abuse[at]rusonyx.ru
    3408819449 ( 79.19.69.195 ) To: abuse[at]retail.telecomitalia.it
    3408819445 ( 79.19.69.195 ) To: abuse[at]telecomitalia.it
    3408819431 ( 79.19.69.195 ) To: abuse[at]business.telecomitalia.it
    --------------------------------------------------------------------------------
    Submitted: Saturday, August 23, 2008 12:19:07 AM -0500: Rolex, Rado, Patek Philippe, OOmega, Gucci
    3408731015 ( z_User_Notification ) To: abuse[at]rusonyx.ru
    3408731003 ( 221.143.121.240 ) To: abuse[at]hanaro.com
    3408730988 ( 221.143.121.240 ) To: abuse[at]hananet.net
    3408730986 ( 221.143.121.240 ) To: spamrelay[at]certcc.or.kr
    3408730977 ( 221.143.121.240 ) To: spamcop[at]kisa.or.kr

If the SpamCop submissions never pick up on the www.watch.ru website mentioned in each spam (the spams are in English) then it can never blacklist the IP address of www.watch.ru, right? www.watch.ru is hosted through rusonyx.ru.... which is why the complaints are being sent there, or at least they should be if the submissions could pick up on the www.watch.ru domain mention in the spams, but they do not. They are simple text spams - not the image ones.

[moderator edit - links broken. Spammer links don't belong on *these* pages - and there is some suspicion the site or some part of it may be carrying exploits]
agsteele Posted August 24, 2008

> ...when I forward the spams to my SpamCop account, or even try entering them in manually, SpamCop is not registering the website www.watch.ru to blacklist it. I've even tried refreshing and refreshing the page and the spam site doesn't get picked up by SpamCop. Is there another way to get these crooks put on a blacklist?

The reporting of spamvertised websites via SpamCop does not contribute to a blacklist. The SCBL is, as you probably know, a list of IP addresses where the spam originates from, and these reports will be recorded for their place of origin. The website reporting is simply an email to the relevant organisations to alert them that the website is being spamvertised. Because, for whatever reason, there isn't an address to report to in the SC database (or perhaps such reports are returned undelivered and the SC admins decide they don't wish to receive the returns), such reports aren't being sent. But they wouldn't have contributed to a blacklist anyway.

Andrew
Farelf Posted August 24, 2008

> ...Because, for whatever reason, there isn't an address to report to in the SC database (or perhaps such reports are returned undelivered and the SC admins decide they don't wish to receive the returns), such reports aren't being sent. But they wouldn't have contributed to a blacklist anyway.

...True, though the SC 'observations' feed the SURBL, another type of BL, another owner, often mentioned in these pages. And yes, watch.ru is 'sort of' listed on that:

    Microsoft Windows XP [Version 5.1.2600]
    © Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Steve>nslookup
    ...
    > watch.ru.sc.surbl.org
    ...
    *** UnKnown can't find watch.ru.sc.surbl.org: Non-existent domain

not listed in sc.surbl.org, find IP address

    > watch.ru
    ...
    Non-authoritative answer:
    Name:    watch.ru
    Address:  89.253.245.191

try IP address in SURBL instead

    > 191.245.253.89.sc.surbl.org
    ...
    Non-authoritative answer:
    Name:    191.245.253.89.sc.surbl.org
    Address:  127.0.0.2

a hit!

    > set type=txt
    > 191.245.253.89.sc.surbl.org
    ...
    Non-authoritative answer:
    191.245.253.89.sc.surbl.org    text = "Blocked, See: http://www.surbl.org/lists.html#sc"

confirmed

Now, maybe watch.ru is playing some sorts of DNS games but its internet address - 89.253.245.191 - has been picked up by the SURBL. http://www.robtex.com/dns/watch.ru.html confirms the RUSONYX-RU connection and says www.watch.ru is the only user on that IP address. In the newsgroups user Rooster is querying possible exploits on other watch.ru pages which may or may not have anything to do with the SURBL listing. But yes, for whatever reason, it is listed on the SURBL and that may be due to it being present in SC reports. The parser is capable of resolving watch.ru - http://www.spamcop.net/sc?track=http%3A%2F%2Fwww.watch.ru - if it doesn't offer to send a report either it is a bit busy or, as Andrew suggests, there may be a good reason.

I suspect abuse[at]rusonyx.ru has already received enough reports to do something about watch.ru spamming if they had any intention of doing so.
StevenUnderwood Posted August 24, 2008

> If the SpamCop submissions never pick up on the www.watch.ru website mentioned in each spam (the spams are in English) then it can never blacklist the IP address of www.watch.ru, right?

As already mentioned above, SpamCop does NOT list the IP addresses of spamvertized web sites. It is not on the list of priorities to work around various games the spammers play. So even if this web site were listed on every one of your reports, the IP address for www.watch.ru would NOT end up on SpamCop's Blocklist. All that would happen is lots of notifications being sent to the host, which is likely already aware they are hosting the spammer and turning a profit doing it. Oh, and it MAY end up on the SURBL, which is not directly related to SpamCop and requires a scan of the body of each message to be used.
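The SURBL check Farelf performs by hand in nslookup (name form first, then the octet-reversed IP form, with a 127.0.0.x answer meaning "listed"), combined with Steven's point that using the SURBL means scanning each message body for spamvertised domains, as an added Python example that is not from the thread or from SURBL or SpamCop. Assumptions: the zone is a parameter because the per-list zones of 2008 such as sc.surbl.org have since been consolidated into multi.surbl.org; dropping a leading "www." to reach the apex name is a simplification of SURBL's registered-domain rule; fake_resolve replays the nslookup session above so the block runs offline, and a real run would pass socket.gethostbyname instead.

```python
import re
import socket

# Constructed sample body (not from the thread), in the style of the spams described.
SAMPLE_BODY = ("Rolex, Rado, Patek Philippe, Omega, Gucci\n"
               "Visit http://www.watch.ru/ or http://WWW.Watch.ru/shop?id=1 today\n")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

# Assumption: replays the nslookup session from the thread so the block runs offline.
def fake_resolve(name):
    table = {"watch.ru": "89.253.245.191", "191.245.253.89.sc.surbl.org": "127.0.0.2"}
    if name not in table:
        raise socket.gaierror("Non-existent domain: " + name)
    return table[name]

def extract_domains(body):
    """Distinct URL hostnames, lower-cased, leading 'www.' dropped (simplification: query the apex)."""
    hosts = [h.lower().rstrip(".") for h in URL_HOST_RE.findall(body)]
    return list(dict.fromkeys(h[4:] if h.startswith("www.") else h for h in hosts))

def reverse_ipv4(ip):
    """'89.253.245.191' -> '191.245.253.89', the DNSBL query form for an address."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) < 256 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: " + ip)
    return ".".join(reversed(parts))

def dnsbl_query_name(target, zone):
    """Domains are prefixed to the zone as-is; IPv4 addresses are octet-reversed first."""
    try:
        return reverse_ipv4(target) + "." + zone
    except ValueError:
        return target + "." + zone

def lookup(name, resolve):
    try:
        return resolve(name)
    except socket.gaierror:
        return None   # NXDOMAIN: not listed (or, for a host name, it does not resolve)

def check_surbl(domain, resolve=socket.gethostbyname, zone="sc.surbl.org"):
    """Name form first, then the reversed IP the domain points at; returns (listed, hit_name)."""
    ip = lookup(domain, resolve)
    for target in [domain] + ([ip] if ip else []):
        qname = dnsbl_query_name(target, zone)
        answer = lookup(qname, resolve)
        if answer is not None and answer.startswith("127."):   # any 127/8 answer means listed
            return (True, qname)
    return (False, None)

def scan_body(body, resolve=socket.gethostbyname, zone="sc.surbl.org"):
    """Map every spamvertised domain found in a message body to its SURBL verdict."""
    return {d: check_surbl(d, resolve, zone) for d in extract_domains(body)}
```

A production check would also query the TXT record for the listing reason, as Farelf does with `set type=txt`, and use the registered domain rather than simply stripping "www.".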
Wazoo Posted August 25, 2008

Rooster provided a Tracking URL for one of his over in the spamcop.geeks newsgroup. So much easier to sort things out when one can actually see the data involved.

Newsgroup Post
Tracking URL

In that sample, it is made obvious why things won't parse (in addition to my previous) ... the "Quoted-Printable" content, both plain-text and HTML, is broken. Actually amazing, but then again .... Point is that neither attempted URL is actually recognizable to the parser. One would like to think that neither one would actually be a clickable link within an e-mail either, but ...???
turetzsr Posted August 25, 2008

> The spams all have the typical forged headers and all advertise the domain link www.watch.ru/
> <snip>

Hi, skydealer,

...You may wish to search the SpamCop Forums for mention of "Knujon" and "Complainterator". IIUC, those tools have as their purpose the reporting of spamvertized web sites, whereas SpamCop does not.
duncanh Posted August 25, 2008

You may be interested in using Spamhaus's SBL and XBL service against spamvertized URLs. Spamhaus blogs about the capability here: http://www.spamhaus.org/news.lasso?article=633