Re: How does Yahoo (or its registrars) get away with this ?
MikeE at ster.invalid
Sat Feb 5 12:39:12 EST 2005
George Langford, Sc.D. wrote:
> Mike Easter wrote:
>> I don't find the tracert to be a good strategy. It is a poor
>> substitute for the ASN, and the upstream notifications are often
>> inappropriate. There's no point in notifying upstreams of the IP of
>> a yahoo/inktomi website issue.
> I didn't make myself clear. TraceRT often knows the IP address of
> a mysterious domain before anyone else.
Ah. We are saying different things I think. I think you are talking
about using some suite of tools called TraceRT which can perform
nslookup and dig and such, whereas I was talking about the unix
commandtool traceroute or the win commandtool tracert which performs a
single function. Could you be more specific about what you mean when
you say TraceRT so I can understand if it is an application or suite of
tools or what? Is there a website? I'll show some below about what I
mean on my end.
> Why else could I connect
> when none of the WhoIs's that I knew could do it yet ? Also, TraceRt
> can get past any redirect sites so that the real location of the
> sourcecode can be found. As well as the IP address of the redirect
> site, whose abuse@ may want to know how his resources are being used
> TraceRT actually de-obfuscated the IP address for me:
>> TraceRT FROM voa.his.com TO www.citifinancialinf.com:
>> traceroute to premium3.geo.yahoo.akadns.net (188.8.131.52)
> The second line above is the conversion, The last line in the
> TraceRT is:
>> 12 p3w8.geo.re2.yahoo.com (184.108.40.206)
My SSwin tool's DNS tool sez this about that
02/05/05 12:19:45 dns www.citifinancialinf.com
Canonical name: premium3.geo.yahoo.akadns.net
So, that shows you the various IPs to which the domainname resolves,
also the CNAME at/of akadns.
which doesn't involve anything about tracert [or traceroute] which is an
entirely different function which looks like this:
7 220.127.116.11 (ae-0-0.bbr2.Washington1.Level3.net ok)
8 18.104.22.168 (ge-3-0-0-55.gar1.Washington1.Level3.net ok)
9 22.214.171.124 (No rDNS)
10 126.96.36.199 (UNKNOWN-206-190-41-73.yahoo.com bogus rDNS: host not
11 188.8.131.52 (premium3.geo.yahoo.akadns.net ok)
excluding the top part and the hoptimes for brevity.
That is, I think you are using your TraceRT to get a DNS on the
domainname and a rDNS on the result. That's fine, that is useful
information, but when I talk about the tracert I'm thinking about the
people who are using the tracert result to find out about an upstream,
ie my #10 and #9 [which is silently level3] above.
> Note that the IP block is correct. I get to the same location whether
> I add the www. to the domain or not. I notified abuse at akamai.com
> because of the akadns.net relationship to the destination IP address.
>> The registration information for a domainname is found according to
>> the tld, toplevel domain, in this case .com, so I use internic,
>> which comes up empty, so then I use crsnic which sez
>> whois.melbourneit.com and is brandnew as of today.
> Sho' 'nuf, http://www.completewhois.com/ finally comes around and sez:
>>> To whom should I have addressed a LART about the lack of information
>>> about the registrant of the domain, citifinancialinf.com ?
>> I think somehow you went astray in looking for that. It isn't
>> available at internic for some reason.
> I guess the answer is that, as far as Yahoo is concerned, these slowly
> propagating WhoIs records are probably going to be found first at
> http://whois.melbourneit.com, which works for me, too, by golly.
> Thanks for heping out with this fine resource.
Clear me up on exactly which resource we're talking about.
kibitzer, not SC admin
More information about the SpamCop-List