[SpamCop.net - protecting the internet through technology]

[SpamCop-List] Re: What Happened Here?

Mike Easter MikeE at ster.invalid
Mon Oct 31 14:21:01 EST 2005


Michael Brennan wrote:
> Regarding a Report Here:
>
> www.spamcop.net/sc?id=z821657304z827f981d88b239c3f1866b40f5ae8639z
>
> I got the original parse back in the SpamCop Autoreply and saw that
> the SpamCop parser hadn't been able to resolve a spampage in the
> advertisement,

It is very, very common and in fact 'normal' for SC to not resolve
things.  Sometimes it apparently 'chooses' not to try to resolve
something; sometimes it tries very hard to resolve something but fails.
Sometimes it doesn't resolve things one time and does resolve them
another.
>
> http://ream2gn.mort60sec.net/3/index/omega/i6eetdt

At the 'present' time, where 'present' = the 'moment' that I asked SC to
parse the item in the tracer [which can be parsed differently every
time it is parsed], SC chose to resolve the url/s and report it/them like
this:

Resolving link obfuscation
   http://ream2gn.mort60sec.net/3/index/omega/i6eetdt
   Host ream2gn.mort60sec.net (checking ip) = 61.100.1.108
   host 61.100.1.108 (getting name) no name
   http://7nuvy8bd.mort60sec.net/rem.php
   Host 7nuvy8bd.mort60sec.net (checking ip) = 61.100.1.108
   host 61.100.1.108 (getting name) no name

If reported today, reports would be sent to:

Re: http://7nuvy8bd.mort60sec.net/rem.php (Administrator of network
hosting website referenced in spam)
postmaster at epnetworks.co.kr
spamcop at kisa.or.kr
abuse at epnetworks.co.kr

Re: http://ream2gn.mort60sec.net/3/index/omega/i6eetdt (Administrator of
network hosting website referenced in spam)
postmaster at epnetworks.co.kr
spamcop at kisa.or.kr
abuse at epnetworks.co.kr

> So I went to SamSpade and did a whois lookup and got this:

The SS whois lookup should be done 'properly' if you are going to
compare your results with SC's.  Your whois is a domainname registrar
whois.  SC's whois is a RIR (regional internet registrar) or 'netblock'
whois.  That is, your whois is on the mort60sec.net name -- that isn't
the way SC notifies.  SC notifies on the basis of the IP -- where the IP
in the case of the url in question is 61.100.1.108, whose whois is in
the RIR apnic:

whois -h whois.apnic.net 61.100.1.108 ...
inetnum:      61.96.0.0 - 61.111.255.255
netname:      KRNIC-KR
descr:        Korea Network Information Center

From the apnic you can go to the nic.or.kr whois

whois -h whois.nic.or.kr 61.100.1.108 ...
Org Name      : Enterprise Networks
E-mail        : abuse at epnetworks.co.kr

and abuse.net on the resultant domainname
whois -h whois.abuse.net epnetworks.co.kr ...
abuse at epnetworks.co.kr   spamcop at kisa.or.kr  postmaster at epnetworks.co.kr


>   Name      : Ronald Hentington
>   Email     : ronaldhentington at gmail.com
>   Address   : 759 Mount Pleasant Road
>   Zipcode   : M4S 2N4
>   Nation    : CA
>   Tel       : 1.2063384168
>   Fax       : 1.2063384168

>   Created Date   2005-10-20 01:13:28 EDT

> This registration address is transparently bogus.  The postcode is
> non-U.S., there is no city, and the telephone number (like so many
> obtained from other spampage registrations and bogus diploma-mill .GIF
> images "Please call us at....") is a Seattle CLEC unlisted number.

Your domainname strategy is not the same as the SC notify method.  You
are performing what I call a 'domainname attack' where you try to do
something to 'force' the domainname registrar to live up to its ICANN or
internic responsibilities about having proper registration information.

> Just for grins, I did a further lookup of the "alpha" nameserver
> listed above and got the IP = 66.249.31.55, which I did yet another
> lookup on, and got this:
>
> Server Used: [ whois.arin.net ]
>
> 66.249.31.55 = [  ]
>   OrgName:    Name Intelligence  Inc.

Now you have switched your whois strategy back to the RIR whois lookup
at arin.  That is a different method than what you did with the yesnic
whois.


> So who is the responsible registrar here -- Yesnic?

Yesnic is the domainname registrar.  The RIR apnic netspace registrar is
krnic.

>  I thought so.

You are answering your own question, but not quite exactly correctly.

> But when I subbed the referenced SpamCop report and then checked it
> again, I saw this :
>
> Re: 211.217.140.241 (Administrator of network where email originates)
>
> nomaster at devnull.spamcop.net
>
> Re: 211.217.140.241 (Third party interested in email source)
>
> spamcop at imaphost.com
>
> Re: http://7nuvy8bd.mort60sec.net/rem.php (Administrator of network
> hosting website referenced in spam)
>
> postmaster at epnetworks.co.kr
> spamcop at kisa.or.kr
> abuse at epnetworks.co.kr
>
> Re: http://ream2gn.mort60sec.net/3/index/omega/i6eetdt (Administrator
> of network hosting website referenced in spam)
>
> postmaster at epnetworks.co.kr
> spamcop at kisa.or.kr
> abuse at epnetworks.co.kr

That time when you SC parsed the item, it resolved the url and
determined the IP and with the IP was able to determine the apnic RIR
whois information and the corresponding notify.

> So who is the responsible registrar for the shambles I turned up at
> SamSpade.org with the whois lookup?

If you use SSonline 'correctly' you can determine the appropriate
resolution to the appropriate IP and if you use the appropriate RIR,
apnic in this case, you can whois apnic and find krnic as the netspace
responsible and determine the notify at krnic with the tools at
SSonline.

>  I was about to fry Yesnic (again)
> in a complaint to Internic, but now SpamCop tells me they've
> identified the upstream as Epnetworks.co.kr.

That isn't an 'upstream'.  That is the notify based on the resolution of
the name to the IP and then the whois lookup in the appropriate RIR,
apnic, which leads to a 'subregional' whois at krnic or nic.or.kr.

> And where does Name
> Intelligence, Inc., of Bellevue, Washington, fit in?

It is the netspace provider for the IP of the nameserver you chose to
lookup.

>  It certainly
> fits in with all the Seattle-area telephone numbers I've been seeing.
> But are they IB, or the ultimate spamhost, or what?

They provide the nameservice for the domainname mort60sec.net according
to your lookups.

My lookups on the domainname failed with my dns and the whois at yesnic
so I used the tools at dnsstuff which showed these nameservers

alpha.usaelender.com. [66.249.31.55]
beta.usaelender.com. [66.249.31.55]
delta.usaelender.com. [66.249.31.55]
iota.usaelender.com. [61.100.1.108]
kappa.usaelender.com. [61.100.1.108]

but dnsstuff also showed that 3 nameservers failed and there was also a
stealth nameserver problem.

> I recognize the spamcop at kisa.or.kr as the Korean (unrelated to
> SpamCop) spam-reporting desk, from conversations in this NG -- and
> I'm mindful that some contributors thought them basically a national
> listwashing service for the sleazehosts, and that therefore reporting
> to them is not a good idea for the clueful who have other avenues.
>
> Comments?  Advice?  Do I drop it on Yesnic after all, or is my
> complaint misdirected?

If you are doing a domainname registration information attack, you do
that with yesnic, and I think the best way to do it is with the form
process at internic: http://wdprs.internic.net/ (Whois Data Problem
Report System).



-- 
Mike Easter
kibitzer, not SC admin
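The netblock-based lookup chain Mike walks through above (hostname in the spamvertised URL -> IP -> RIR whois at apnic -> sub-registry whois at nic.or.kr -> abuse.net on the resulting contact domain), written out as an added example. This is not code from the post and not SpamCop's own parser. The whois replies it ships with are constructed, modelled on the output quoted in the post (the archive's "x at y" written back as x@y), so the example runs offline; `net_transport` does a real TCP/43 query for live use. How a referral is detected (ARIN's `ReferralServer:` line, or a `whois.*` host named in `remarks:`/`descr:` lines, which is how APNIC points at KRNIC) is my heuristic, not something the post states.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample replies, modelled on the whois output quoted in the post
# (the archive's "x at y" de-obfuscated to x@y).  They let the chain run
# offline; real servers return far more fields.
SAMPLE_REPLIES = {
    ("whois.apnic.net", "61.100.1.108"):
        "inetnum:      61.96.0.0 - 61.111.255.255\n"
        "netname:      KRNIC-KR\n"
        "descr:        Korea Network Information Center\n"
        "remarks:      For more specific information, use the whois server at\n"
        "remarks:      whois.nic.or.kr\n",
    ("whois.nic.or.kr", "61.100.1.108"):
        "IPv4 Address  : 61.100.1.0 - 61.100.1.255\n"
        "Org Name      : Enterprise Networks\n"
        "E-mail        : abuse@epnetworks.co.kr\n",
    ("whois.abuse.net", "epnetworks.co.kr"):
        "abuse@epnetworks.co.kr spamcop@kisa.or.kr postmaster@epnetworks.co.kr\n",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
WHOIS_HOST_RE = re.compile(r"\b(whois\.[A-Za-z0-9.-]+\.[A-Za-z]{2,})\b", re.I)

def sample_transport(server, query):
    """Offline transport: answer from SAMPLE_REPLIES (empty reply if unknown)."""
    return SAMPLE_REPLIES.get((server, query), "")

def net_transport(server, query, timeout=10):
    """Live transport: one whois query over TCP port 43 (RFC 3912)."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def host_from_url(url):
    """The hostname SC resolves: a subdomain, not the registered domain name."""
    return urlparse(url).hostname

def field(reply, name):
    """Value of the first 'name: value' line, matching the key case-insensitively."""
    for line in reply.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def find_referral(reply):
    """Server the registry hands off to: ARIN's ReferralServer line, or a
    whois.* host named in remarks/descr lines (APNIC -> KRNIC).  This is an
    assumed heuristic, not a documented whois feature."""
    ref = field(reply, "ReferralServer")
    if ref:
        return ref.replace("whois://", "").split(":")[0].lower()
    for line in reply.splitlines():
        if line.lower().startswith(("remarks", "descr")):
            m = WHOIS_HOST_RE.search(line)
            if m:
                return m.group(1).lower()
    return None

def netblock_contacts(ip, transport=sample_transport, start="whois.apnic.net",
                      max_hops=3):
    """Follow the netblock whois chain for an IP: servers consulted, the most
    specific range/netname seen, and every e-mail address in the replies."""
    out = {"chain": [], "inetnum": None, "netname": None, "emails": set()}
    server = start
    # Stop on a missing referral, a referral loop, or too many hops.
    while server and server not in out["chain"] and len(out["chain"]) < max_hops:
        reply = transport(server, ip)
        out["chain"].append(server)
        out["inetnum"] = field(reply, "inetnum") or field(reply, "IPv4 Address") or out["inetnum"]
        out["netname"] = field(reply, "netname") or out["netname"]
        out["emails"].update(e.lower() for e in EMAIL_RE.findall(reply))
        server = find_referral(reply)
    out["emails"] = sorted(out["emails"])
    return out

def abuse_net_contacts(domain, transport=sample_transport):
    """abuse.net's registered reporting addresses for a domain."""
    return sorted({e.lower() for e in EMAIL_RE.findall(transport("whois.abuse.net", domain))})

def notify_list(url, ip, transport=sample_transport, rir="whois.apnic.net"):
    """SC-style notify list for a spamvertised URL whose host resolves to ip:
    netblock contacts, then abuse.net on each contact's domain."""
    nb = netblock_contacts(ip, transport, start=rir)
    contacts = set(nb["emails"])
    for email in nb["emails"]:
        contacts.update(abuse_net_contacts(email.split("@", 1)[1], transport))
    return {"host": host_from_url(url), "ip": ip, "chain": nb["chain"],
            "inetnum": nb["inetnum"], "contacts": sorted(contacts)}

if __name__ == "__main__":
    url = "http://ream2gn.mort60sec.net/3/index/omega/i6eetdt"
    # Live use: ip = socket.gethostbyname(host_from_url(url)), transport=net_transport
    for k, v in notify_list(url, "61.100.1.108").items():
        print(f"{k:9}: {v}")
```

Run as-is it reproduces the three addresses in SC's notify block from the sample replies; with `transport=net_transport` and a `gethostbyname` on the URL's host it does the live chain. The domainname registrar whois on mort60sec.net (the 'domainname attack' Mike distinguishes) is deliberately not part of this path: the registrant record has no bearing on which netblock holder gets the report.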
