[SpamCop.net - protecting the internet through technology]

[SpamCop-List] Re: Mystery spam source

Philippe Verdy (n.o-s.p.a.m+abuse) verdy_p at wanadoo.fr
Tue Aug 30 02:18:21 EDT 2005


"spamacyde" <mwnospam at comcast.net> wrote in message news: 
detjmq$i60$1 at news.spamcop.net...
> I received spam referring to fuckmyass.com a couple of weeks ago. This
> morning when I pinged fuckmyass.com, the ip address was 216.34.131.135.
> Now it's 66.197.67.72.
>
> Can somebody explain what's going on in detailed English? Kindly provide
> a glossary.

When you want to identify the IP address of a suspect spam source, DON'T use 
PING.
Instead use "nslookup". For example, on Windows:
| C:\> nslookup
| > set type=ANY
| > fuckmyass.com
|...
| Non-authoritative answer:
| fuckmyass.com   MX preference = 10, mail exchanger = localhost.fabulous.com
| fuckmyass.com   nameserver = ns2.fabulous.com
| fuckmyass.com   nameserver = ns1.fabulous.com

It says that the domain is served by two domain name servers in the 
"fabulous.com" domain, and that this domain also manages the incoming emails 
sent to any address of the form <*@fuckmyass.com>.

Now most probably "fuckmyass.com" is just one of many domains hosted by 
fabulous.com, and only fabulous.com is actually hosted by an ISP; let's see:

| > fabulous.com
|...
| Non-authoritative answer:
| fabulous.com    nameserver = ns2.darkbluesea.com
| fabulous.com    nameserver = ns1.darkbluesea.com

(well, it points to another domain, let's see again)

| > darkbluesea.com
|...
| Non-authoritative answer:
| fabulous.com    nameserver = ns2.darkbluesea.com
| fabulous.com    nameserver = ns1.darkbluesea.com

Note that all the above are marked "Non-authoritative answer:" ("Réponse ne 
faisant pas autorité" in the French messages of my local nslookup.exe program 
in Windows). It says it is not authoritative because the reply comes from an 
intermediate cache. This is the normal usage for DNS, but if one wanted to 
make sure, one would need to search for authoritative answers coming from an 
official .com registry server. This is normally not necessary if you are 
connected to the internet through a trustworthy ISP, whose DNS server is 
normally refreshed at regular intervals with authoritative replies when cached 
entries have expired (don't try to query the authoritative servers yourself, 
as your client IP address may be detected by the spamming domain; leave the 
task of querying the final domain to your ISP).

So now let's look at who hosts the domain really:

| > ns1.darkbluesea.com
|...
| Non-authoritative answer:
| ns1.darkbluesea.com     internet address = 64.15.205.133
| > ns2.darkbluesea.com
|...
| Non-authoritative answer:
| ns2.darkbluesea.com     MX preference = 10, mail exchanger = mail.darkbluesea.com
| ns2.darkbluesea.com     internet address = 64.15.205.134

The two name servers are both in the same 64.15.205.* /24 block, with 
addresses that differ only by 1. So they are on the same physical network, 
with the same routing on the Internet (this is definitely not a recommended 
option for normal web servers, so this is really suspect, and shows that this 
is actually not an address block managed by a serious ISP).

So one has to reverse the IP address to see more details:
| > 133.205.15.64.in-addr.arpa
| ...
| 133.205.15.64.in-addr.arpa      name = ns1.darkbluesea.com
So the address correctly resolves back to a registered domain, but it does 
not indicate the effective ISP. To get this info you need to use whois 
(visit www.completewhois.com to get reliable whois replies from the 
well-known RIRs or NIRs).

It is also interesting to see how this name server resolves the host you 
detected in the domain, for example:
| > www.fuckmyass.com
|...
| Non-authoritative answer:
| www.fuckmyass.com       MX preference = 10, mail exchanger = localhost.fabulous.com
| www.fuckmyass.com       internet address = 216.34.131.135
| www.fuckmyass.com       nameserver = ns1.fabulous.com
| www.fuckmyass.com       nameserver = ns2.fabulous.com
| www.fuckmyass.com
|         primary name server = ns1.fabulous.com
|         responsible mail addr = hostmaster.fabulous.com
|         serial  = 1
|         refresh = 3600 (1 hour)
|         retry   = 1800 (30 mins)
|         expire  = 1814400 (21 days)
|         default TTL = 300 (5 mins)
This is exactly the type of DNS request that your browser would perform to 
reach the spamming domain. This is also the request performed by the PING 
utility before it starts pinging the destination host at the discovered IP 
address. Note that it is effectively resolved by name servers in the 
"fabulous.com" intermediate domain. This also shows that you don't need to 
use PING to resolve www.fuckmyass.com into its IP address.

The IP address (here 216.34.131.135) may change every hour, as indicated in 
the reply (note the very uncommon default TTL of 5 minutes, which is 
excessively short for normal websites and forces your client to requery its 
DNS server, and the short retry time of only 30 minutes, which indicates that 
resolution must be retried at most after 30 minutes by your DNS server if 
resolution failed, and at most every hour if it succeeded, the cached entry 
becoming invalid and being flushed out by the DNS server after 3 weeks if it 
has failed repeatedly for that period since the last success).

The fabulous.com name servers are then questionable. For example with 
nslookup (and always with type=ANY to get all the info and not only one IP 
address resolution):
| > set type=ANY
| >
| >  ns1.fabulous.com
|...
| Non-authoritative answer:
| Name:    ns1.fabulous.com
| Address:  64.15.205.211
The fact that there's only one IP address for the name server is not common 
for serious ISPs. There should be several IPs to reach the name server 
hosting the fuckmyass.com domain (in addition to having at least two name 
servers on separate networks).

Now you could look at how SpamCop sees that domain (SpamCop uses whois info 
to find the actual ISP). Just put www.fuckmyass.com in the SpamCop.net input 
form and click "process spam". You get this:

| Parsing input: www.fuckmyass.com
| host www.fuckmyass.com (checking ip) = 216.34.131.135
| host 216.34.131.135 (getting name) no name
| Routing details for 216.34.131.135
| [refresh/show] Cached whois for 216.34.131.135 : abuse at savvis.net
| Using abuse net on abuse at savvis.net
| abuse net savvis.net = abuse at savvis.net
| Using best contacts abuse at savvis.net

| Statistics:
| 216.34.131.135 not listed in bl.spamcop.net
| More Information..
| 216.34.131.135 not listed in dnsbl.njabl.org
| 216.34.131.135 not listed in dnsbl.njabl.org
| 216.34.131.135 not listed in cbl.abuseat.org
| 216.34.131.135 not listed in dnsbl.sorbs.net
| 216.34.131.135 not listed in relays.ordb.org.
|
| Reporting addresses:
| abuse at savvis.net
The whois info comes from ARIN, and shows that the whole block 216.32.0.0 to 
216.35.255.255 is owned by savvis.net; the reporting address is returned 
correctly by SpamCop...
Note that this IP address is not listed by SpamCop in its SCBL, because 
SpamCop (as well as the other RBLs above) only lists the mail source address 
and not the target spamvertised websites... (However, SpamCop can process 
spams and alert the ISPs hosting the spamvertised domains, notably if the 
target website is hosting some malicious script or illegally collects 
personal data.)
The effective source of your spam is most probably one of the many 
open relays or PCs infected by viral spamware...
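The lookup chain the message above walks by hand (NS records up to the hosting domain, A records of each name server, the in-addr.arpa reverse name, and the SOA timers read off the nslookup answer), as an added Python example that is not part of the original message nor of SpamCop's own tooling. It runs offline: the RECORDS table is a constructed snapshot copied from the nslookup answers quoted in the message and stands in for a live resolver, and the "/24" and "under one hour" thresholds are the message's own heuristics encoded as assumptions, not DNS rules.

```python
"""Offline walk of a spamvertised domain's DNS delegation, mirroring the
nslookup session in the message. An in-memory record table stands in for
the ISP resolver (constructed snapshot, not live data)."""
import ipaddress

# Constructed stand-in for the resolver's cache. Names and values are copied
# from the nslookup answers quoted in the message; SOA is kept as one dict.
RECORDS = {
    "fuckmyass.com": {
        "NS": ["ns2.fabulous.com", "ns1.fabulous.com"],
        "MX": [(10, "localhost.fabulous.com")],
    },
    "www.fuckmyass.com": {
        "A": ["216.34.131.135"],
        "NS": ["ns1.fabulous.com", "ns2.fabulous.com"],
        "MX": [(10, "localhost.fabulous.com")],
        "SOA": [{"mname": "ns1.fabulous.com",
                 "rname": "hostmaster.fabulous.com",
                 "serial": 1, "refresh": 3600, "retry": 1800,
                 "expire": 1814400, "minimum": 300}],
    },
    "fabulous.com": {"NS": ["ns2.darkbluesea.com", "ns1.darkbluesea.com"]},
    "ns1.fabulous.com": {"A": ["64.15.205.211"]},
    "darkbluesea.com": {"NS": ["ns2.darkbluesea.com", "ns1.darkbluesea.com"]},
    "ns1.darkbluesea.com": {"A": ["64.15.205.133"]},
    "ns2.darkbluesea.com": {"A": ["64.15.205.134"],
                            "MX": [(10, "mail.darkbluesea.com")]},
    "133.205.15.64.in-addr.arpa": {"PTR": ["ns1.darkbluesea.com"]},
}


def lookup(name, rtype):
    """Return the records of one type for a name ([] when nothing is known)."""
    return RECORDS.get(name.lower().rstrip("."), {}).get(rtype, [])


def parent_domain(hostname):
    """'ns1.fabulous.com' -> 'fabulous.com' (strip the leftmost label)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def delegation_chain(domain, max_hops=8):
    """Follow NS records the way the message does by hand: the domain, then
    the domain its name servers live in, and so on, until the name servers
    sit inside the domain they serve (self-hosted) or nothing more is known.
    Returns [(zone, [ns, ...]), ...] in the order visited."""
    chain, seen, current = [], set(), domain.lower().rstrip(".")
    while current and current not in seen and len(chain) < max_hops:
        seen.add(current)
        servers = sorted(lookup(current, "NS"))
        if not servers:
            break
        chain.append((current, servers))
        nxt = parent_domain(servers[0])
        if nxt == current:  # e.g. ns1.darkbluesea.com serving darkbluesea.com
            break
        current = nxt
    return chain


def reverse_name(ip):
    """'64.15.205.133' -> '133.205.15.64.in-addr.arpa' (IPv6 -> ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def nameserver_prefix_check(servers, prefix_len=24):
    """Resolve each NS to its A records and report whether at least two
    addresses were found and all fall in one prefix (the message's
    'same /24, same physical network' heuristic, assumed as given).
    Returns (addresses, all_in_one_prefix)."""
    addrs = [a for ns in servers for a in lookup(ns, "A")]
    nets = {ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
            for a in addrs}
    return addrs, len(addrs) >= 2 and len(nets) == 1


def soa_timers(name):
    """Pull the SOA timers (seconds) and flag the two values the message
    calls out: a default (minimum) TTL and a retry each under one hour.
    The one-hour threshold is an assumption taken from the message."""
    soa = lookup(name, "SOA")
    if not soa:
        return {}, ["no SOA record"]
    t, flags = soa[0], []
    if t["minimum"] < 3600:
        flags.append(f"short default TTL: {t['minimum']}s")
    if t["retry"] < 3600:
        flags.append(f"short retry: {t['retry']}s")
    return t, flags


if __name__ == "__main__":
    for zone, servers in delegation_chain("fuckmyass.com"):
        addrs, one_net = nameserver_prefix_check(servers)
        note = " (all in one /24)" if one_net else ""
        print(f"{zone}: NS {servers} -> {addrs or 'no A records known'}{note}")
    ptr = reverse_name("64.15.205.133")
    print(ptr, "->", lookup(ptr, "PTR"))
    print(soa_timers("www.fuckmyass.com"))
```

To run the same walk against live DNS, replace `lookup` with a real resolver call; everything else stays the same. Keep in mind the message's own caveat that querying the spammer's authoritative servers directly exposes your client address.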
