
[SpamCop-List] Re: Ok, I'll ask: What is going on here?

D.Diaz gospamming at yourdomain.invalid
Sun May 30 22:03:58 EDT 2004


"Mike Easter" <MikeE at ster.invalid> wrote in
news:c9dcso$6uo$1 at news.spamcop.net: 

> That seems like a strange strategy to me;  and I suppose that it
> isn't likely that Julian will appear to explain it.
> 

When the new parsing strategy became active for the first time, it was
in a sort of "verbose" mode, explaining more of what it was doing.  I
reproduced it in my two postings that day with subject "New parser
feature, smart grouping of links": 

[quote relevant part]

Resolving link obfuscation
http://www.connote.net
http://www.pirogue.net
http://www.regress.com
   host 63.249.194.116 = 116-194-249-63-rev.propagation.net (cached)
http://www.conferrable.net
http://www.carouse.org
http://www.cocklebur.com
http://www.skillet.org
   host 216.183.164.103 (getting name) no name
http://www.bagley.net
   host 216.10.106.149 = mailapoint002.mailbank.com (cached)
http://www.ben.org
   host 217.160.226.131 (getting name) no name
http://www.ritual.net
   host 209.163.221.194 = 209-163-221-194.gen.twtelecom.net (cached)
http://www.beadle.org
   host 204.251.10.214 = dn4.directnic.com (cached)
http://www.musket.com
   host 216.127.95.19 (getting name) no name
http://www.accuse.org
   host 69.25.27.173 (getting name) no name
http://www.notch.org
   host 216.127.84.20 = mail.mercuryloungenyc.com (cached)
http://www.flaunt.org
   host 209.123.16.11 (getting name) no name
   host 209.123.16.11 = signatureparking.visual.com (old cache)
http://www.depletion.org
http://www.buttonweed.org
http://www.antebellum.com
   host 69.38.76.67 (getting name) no name
http://www.hackberry.com
   host 66.173.241.226 = 66-173-241-226.serial.cavtel.net (cached)
http://www.dialysis.org
   host 64.40.102.41 = cluster1.verticalaxis.com (cached)
http://www.automotive.net
http://www.buggy.com
   host 207.199.74.10 (getting name) no name
http://www.acorn.org
   host 64.106.148.72 = acorn.org (cached)
http://www.personal.org
   host 202.71.255.44 (getting name) no name
http://www.transfusable.com
http://www.vantage.com
   host 64.80.203.250 (getting name) no name
http://webster3456biz.biz/b94
   host 61.250.93.204 (getting name) no name
http://www.hydrous.org
http://www.widennet
http://www.goad.net
   host 207.44.250.61 = host.goad.net (cached)
http://www.sever.org
   host 64.15.205.202 (getting name) no name
http://www.insecure.org
   host 205.217.153.53 = www.insecure.org (cached)
http://www.drake.org
   host 130.94.179.101 = drake.org (cached)
http://www.armament.webster3456biz.biz/d.ddd
   host 61.186.254.23 (getting name) no name
webster3456biz.biz has multiple links with different subdomains
pointing to it.
I wonder if a random one would work...
yep, webster3456biz.biz returned an address of 61.250.93.204
Name service for this domain is supplied by NS3.AIRMARAMBA.biz. 
NS2.AUDI56SEW.biz.
IP address(es) for name service: 61.250.93.207 61.186.254.23
Still too many links. Time to prioritize!
The domain webster3456biz.biz appears multiple times, testing it.
Everything else only appears once, not testing further.


Tracking nameserver: 61.250.93.207


Tracking ip 61.250.93.207
Cached masters for 61.250.93.207: abuse at epnetworks.co.kr 
spamrelay at certcc.or.kr spamcop at kisa.or.kr postmaster at epnetworks.co.kr


Tracking nameserver: 61.186.254.23


Tracking ip 61.186.254.23
Cached masters for 61.186.254.23: abuse at publicf.bta.net.cn anti-
spam#chinanet.cn.net at devnull.spamcop.net postmaster at cta.cq.cn 
jieliang#ix.netcom.com at devnull.spamcop.net wangyan at public.cta.cq.cn 
dnsmail at public.cta.cq.cn spam#ctsi.com.cn at devnull.spamcop.net 
zhong at public.cta.cq.cn

[/quote]

As you can see by following the "chatty" parse, the parser discards the 
bogus links without even bothering to test them because each one appears 
just once in the spam.  The domain webster3456biz.biz appears in multiple 
links, so the parser tests it further for its DNS service.

-- 
Daniel Diaz
My Personal email: ddiazxn @ telefonica . net
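
The grouping and prioritizing step shown in the quoted parse, as an added example that is not part of the original post and is not SpamCop's own code. The function names, the `max_links` threshold and the "last two labels" rule for finding the base domain are assumptions made for illustration; the sample links are a constructed subset of those in the parse.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a few of the links listed in the quoted parse.
SAMPLE_LINKS = [
    "http://www.connote.net",
    "http://www.insecure.org",
    "http://webster3456biz.biz/b94",
    "http://www.widennet",
    "http://www.drake.org",
    "http://www.armament.webster3456biz.biz/d.ddd",
]

def base_domain(url):
    """Return the last two labels of the host, or None if there is no usable host.
    Assumption: a real parser would consult a public-suffix list instead."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])

def group_links(links):
    """Map each base domain to the links that point at it (any subdomain)."""
    groups = defaultdict(list)
    for url in links:
        dom = base_domain(url)
        if dom:
            groups[dom].append(url)
    return dict(groups)

def prioritize(links, max_links=3):
    """Return (domains_to_test, domains_skipped).
    Below the hypothetical max_links threshold every domain is tested.
    Above it, only domains referenced by more than one link are tested;
    domains that appear once are treated as decoys and skipped."""
    groups = group_links(links)
    if len(links) <= max_links:
        return sorted(groups), []
    test = sorted(d for d, urls in groups.items() if len(urls) > 1)
    skip = sorted(d for d, urls in groups.items() if len(urls) == 1)
    return test, skip

if __name__ == "__main__":
    to_test, skipped = prioritize(SAMPLE_LINKS)
    print("testing:", to_test)
    print("not testing further:", skipped)
```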

