[SpamCop-List]
Re: How does Yahoo (or its registrars) get away with this ?
George Langford, Sc.D.
amenex at amenex.com
Sat Feb 5 14:56:15 EST 2005
Mike Easter wrote:
>> SC wants to notify slurp at inktomi.com based on the arin for
>> OrgName: Inktomi Corporation
>> NetRange: 68.142.192.0 - 68.142.255.255
>> CIDR: 68.142.192.0/18
>> which actually sez:
>> Comment: For general abuse contact netblockadmin at yahoo-inc.com.
>> Comment: For Web Crawler questions please contact slurp at inktomi.com.
>> AbuseEmail: netblockadmin at yahoo-inc.com
>
> so I would say netblockadmin at yahoo is better.
That's good to know.
> I don't find the tracert to be a good strategy. It is a poor substitute
> for the ASN, and the upstream notifications are often inappropriate.
> There's no point in notifying upstreams of the IP of a yahoo/inktomi
> website issue.
I didn't make myself clear. TraceRT often knows the IP address of
a mysterious domain before anyone else. Why else could I connect
when none of the WhoIs's that I knew could do it yet? Also, TraceRT
can get past any redirect sites so that the real location of the sourcecode
can be found. As well as the IP address of the redirect site, whose
abuse@ may want to know how his resources are being used fraudulently.
TraceRT actually de-obfuscated the IP address for me:
> TraceRT FROM voa.his.com TO www.citifinancialinf.com:
> traceroute to premium3.geo.yahoo.akadns.net (68.142.234.76)
The second line above is the conversion. The last line in the TraceRT is:
> 12 p3w8.geo.re2.yahoo.com (68.142.234.76)
Note that the IP block is correct. I get to the same location whether I add
the www. to the domain or not. I notified abuse at akamai.com because of
the akadns.net relationship to the destination IP address.
> The registration information for a domainname is found according to the
> tld, toplevel domain, in this case .com, so I use internic, which comes
> up empty, so then I use crsnic which sez whois.melbourneit.com and is
> brandnew as of today.
Sho' 'nuf, http://www.completewhois.com/ finally comes around and sez:
> Domain Name: CITIFINANCIALINF.COM
> Namespace: ICANN Unsponsored Generic TLD - http://www.icann.org
> TLD Info: See IANA Whois - http://www.iana.org/root-whois/com.htm
> Registry: VeriSign, Inc. - http://www.verisign-grs.com
> Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE -
> http://www.melbourneit.com
> Whois Server: whois.melbourneit.com
> Name Server[whois+dns with ip] YNS1.YAHOO.COM 66.218.71.205
> Name Server[whois+dns with ip] YNS2.YAHOO.COM 216.109.116.20
> Status: ACTIVE
> Updated Date: 04-feb-2005
> Creation Date: 04-feb-2005
> Expiration Date: 04-feb-2006
> [whois.melbourneit.com]
It wouldn't do that while I was capturing the sourcecodes with Mozilla's
Composer HTML editor. This is the same guy as Mike quoted; alas only
one Google hit, on the man's name. However, I did find out that he owns
property at the address given in the WhoIs record.
>> To whom should I have addressed a LART about the lack of information
>> about the registrant of the domain, citifinancialinf.com?
> I think somehow you went astray in looking for that. It isn't available
> at internic for some reason.
I guess the answer is that, as far as Yahoo is concerned, these slowly
propagating WhoIs records are probably going to be found first at
http://whois.melbourneit.com, which works for me, too, by golly.
Thanks for helping out with this fine resource.
George Langford (amenex)
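
The two lookups discussed in this message, as an added example that is not part of the original post and not SpamCop's code: picking the abuse contact from the ARIN record by its dedicated field rather than by the first address a comment mentions, and reading the registrar referral out of the registry record. The sample records are constructed (abridged from the ones quoted above), and the function names are assumptions.

```python
import re

# Constructed inputs, abridged from the records quoted in the thread.
ARIN_RECORD = """\
OrgName: Inktomi Corporation
NetRange: 68.142.192.0 - 68.142.255.255
CIDR: 68.142.192.0/18
Comment: For general abuse contact netblockadmin at yahoo-inc.com.
Comment: For Web Crawler questions please contact slurp at inktomi.com.
AbuseEmail: netblockadmin at yahoo-inc.com
"""
REGISTRY_RECORD = """\
Domain Name: CITIFINANCIALINF.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Name Server: YNS1.YAHOO.COM
Creation Date: 04-feb-2005
"""

# Accept "user@host" and the archive-obfuscated "user at host" form.
ADDR = re.compile(r"([\w.+-]+)(?:@| at )([\w-]+(?:\.[\w-]+)+)")

def fields(text):
    """Map each lowercased field name to the list of its values, in order."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            out.setdefault(key.strip().lower(), []).append(value.strip())
    return out

def abuse_contact(record):
    """Prefer the dedicated abuse field; fall back to a Comment naming abuse."""
    f = fields(record)
    candidates = f.get("abuseemail", []) + f.get("orgabuseemail", [])
    candidates += [c for c in f.get("comment", []) if "abuse" in c.lower()]
    for text in candidates:
        m = ADDR.search(text)
        if m:
            return f"{m.group(1)}@{m.group(2)}".lower()
    return None  # no abuse-specific address: do not guess from other comments

def registrar_whois(record):
    """Return the registrar WHOIS server a thin registry record refers to."""
    servers = fields(record).get("whois server", [])
    return servers[0].lower() if servers else None
```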