[SpamCop-List]
Re: How does Yahoo (or its registrars) get away with this ?
Mike Easter
MikeE at ster.invalid
Sat Feb 5 12:39:12 EST 2005
George Langford, Sc.D. wrote:
> Mike Easter wrote:
>> I don't find the tracert to be a good strategy. It is a poor
>> substitute for the ASN, and the upstream notifications are often
>> inappropriate. There's no point in notifying upstreams of the IP of
>> a yahoo/inktomi website issue.
>
> I didn't make myself clear. TraceRT often knows the IP address of
> a mysterious domain before anyone else.
Ah. We are saying different things I think. I think you are talking
about using some suite of tools called TraceRT which can perform
nslookup and dig and such, whereas I was talking about the unix
commandtool traceroute or the win commandtool tracert which performs a
single function. Could you be more specific about what you mean when
you say TraceRT so I can understand if it is an application or suite of
tools or what? Is there a website? I'll show some below about what I
mean on my end.
> Why else could I connect
> when none of the WhoIs's that I knew could do it yet ? Also, TraceRt
> can get past any redirect sites so that the real location of the
> sourcecode can be found. As well as the IP address of the redirect
> site, whose abuse@ may want to know how his resources are being used
> fraudulently.
>
> TraceRT actually de-obfuscated the IP address for me:
>> TraceRT FROM voa.his.com TO www.citifinancialinf.com:
>> traceroute to premium3.geo.yahoo.akadns.net (68.142.234.76)
> The second line above is the conversion, The last line in the
> TraceRT is:
>> 12 p3w8.geo.re2.yahoo.com (68.142.234.76)
My SSwin tool's DNS tool sez this about that
02/05/05 12:19:45 dns www.citifinancialinf.com
Canonical name: premium3.geo.yahoo.akadns.net
Aliases:
www.citifinancialinf.com
Addresses:
68.142.234.36
68.142.234.37
68.142.234.38
68.142.234.39
68.142.234.40
68.142.234.76
68.142.234.77
68.142.234.35
So, that shows you the various IPs to which the domainname resolves,
also the CNAME at/of akadns.
which doesn't involve anything about tracert [or traceroute] which is an
entirely different function which looks like this:
7 64.159.0.230 (ae-0-0.bbr2.Washington1.Level3.net ok)
8 4.68.121.130 (ge-3-0-0-55.gar1.Washington1.Level3.net ok)
9 63.210.29.230 (No rDNS)
10 206.190.41.73 (UNKNOWN-206-190-41-73.yahoo.com bogus rDNS: host not found [authoritative])
11 68.142.234.36 (premium3.geo.yahoo.akadns.net ok)
excluding the top part and the hoptimes for brevity.
That is, I think you are using your TraceRT to get a DNS on the
domainname and a rDNS on the result. That's fine, that is useful
information, but when I talk about the tracert I'm thinking about the
people who are using the tracert result to find out about an upstream,
ie my #10 and #9 [which is silently level3] above.
> Note that the IP block is correct. I get to the same location whether
> I add the www. to the domain or not. I notified abuse at akamai.com
> because of the akadns.net relationship to the destination IP address.
>
>> The registration information for a domainname is found according to
>> the tld, toplevel domain, in this case .com, so I use internic,
>> which comes up empty, so then I use crsnic which sez
>> whois.melbourneit.com and is brandnew as of today.
>
> Sho' 'nuf, http://www.completewhois.com/ finally comes around and sez:
>>> To whom should I have addressed a LART about the lack of information
>>> about the registrant of the domain, citifinancialinf.com ?
>
>> I think somehow you went astray in looking for that. It isn't
>> available at internic for some reason.
>
> I guess the answer is that, as far as Yahoo is concerned, these slowly
> propagating WhoIs records are probably going to be found first at
> http://whois.melbourneit.com, which works for me, too, by golly.
>
> Thanks for helping out with this fine resource.
Clear me up on exactly which resource we're talking about.
--
Mike Easter
kibitzer, not SC admin
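The "ok" / "No rDNS" / "bogus rDNS" labels in the trace above are a forward-confirmed reverse DNS check on each hop. Here is that check as an added example (not code from the thread or from any tool named in it); it uses a constructed in-memory resolver modelled on the quoted hops so it runs offline, and the PTR/A tables are assumptions, not live data.

```python
"""Forward-confirmed reverse DNS (FCrDNS) classification of traceroute hops.

Added example, not part of the original thread. Uses a constructed,
in-memory resolver so it runs offline; replace the two dicts with
socket.gethostbyaddr / socket.gethostbyname_ex to query real DNS."""
import ipaddress

# Constructed PTR (reverse) records, modelled on the hops quoted in the thread.
PTR = {
    "64.159.0.230": "ae-0-0.bbr2.Washington1.Level3.net",
    "4.68.121.130": "ge-3-0-0-55.gar1.Washington1.Level3.net",
    "206.190.41.73": "UNKNOWN-206-190-41-73.yahoo.com",
    "68.142.234.36": "premium3.geo.yahoo.akadns.net",
}
# Constructed A (forward) records; the UNKNOWN-... placeholder name has none,
# so its PTR cannot be confirmed and is reported as bogus.
A = {
    "ae-0-0.bbr2.Washington1.Level3.net": ["64.159.0.230"],
    "ge-3-0-0-55.gar1.Washington1.Level3.net": ["4.68.121.130"],
    "premium3.geo.yahoo.akadns.net": ["68.142.234.36", "68.142.234.76"],
}

def rdns_status(ip, ptr=PTR, fwd=A):
    """Return (label, name): 'ok' when the PTR name resolves back to the
    same IP, 'bogus rDNS' when the name resolves elsewhere or not at all,
    'No rDNS' when the IP has no PTR record."""
    ipaddress.ip_address(ip)  # raises ValueError on junk input
    name = ptr.get(ip)
    if name is None:
        return "No rDNS", None
    if ip in fwd.get(name, []):
        return "ok", name
    return "bogus rDNS", name

def trace_report(hops, ptr=PTR, fwd=A):
    """Format (hop, ip) pairs like the trace in the thread: 'n ip (name status)'."""
    lines = []
    for n, ip in hops:
        status, name = rdns_status(ip, ptr, fwd)
        lines.append(f"{n} {ip} ({name + ' ' if name else ''}{status})")
    return lines

if __name__ == "__main__":
    hops = [(7, "64.159.0.230"), (8, "4.68.121.130"), (9, "63.210.29.230"),
            (10, "206.190.41.73"), (11, "68.142.234.36")]
    print("\n".join(trace_report(hops)))
```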