[Scspamcop] Re: domain is "terminated-for-abuse" but website is still up!?
Mike Easter
MikeE at ster.invalid
Fri Nov 2 16:40:19 EDT 2007
Andre Guirard wrote:
> disguisement.info
That is not a link, that is a domainname. A link looks like
http://disguisement.info or has a path.
disguisement.info DNS 216.37.96.10 which IP is of
whois -h whois.arin.net 216.37.96.10 ...
OrgName: Active Network Solutions,
NetRange: 216.37.96.0 - 216.37.111.255
OrgAbuseEmail: abuse at ansi1.com
... whereas the domainname registration is like this:
whois.afilias.info
Sponsoring Registrar:Moniker Online Services Inc. (R245-LRMS)
Registrant Name:Moniker Privacy Services
The registrant info is privatized by those services.
> There are more, but these will serve as an example. When I use
> samspade.org to trace the domains to find out who's hosting them, I
> get, for instance: 216.37.96.10 = [
> 216-37-96-10.terminated-for-abuse.net ]
That part means that the rDNS for the IP 216.37.96.10 isn't the same as
the DNS for disguisement.info
That is 'normal'/common -- not necessarily to rDNS to
'terminated-for-abuse' but normal common to not paranoid resolve where
DNS = rDNS.
> ERROR: Unable to connect to rwhois.ansi1.net for 216.37.96.10 ...
> Aborting ...
It is also not unusual for a particular 'private' whois to not be
operational. That is the Active Network Solutions rwhois, which wasn't
going to tell you anything any different from the afilias info anyway
because the info has been privatized.
> What I'm trying to figure out is, if the domain has been terminated
> for abuse (as well it might be!), why is the website still up? How do
> I tell who is actually hosting it now?
The website hosting process is based on the IP address 216.37.96.10
which is Active Network Solutions contact abuse at ansi1.com -- whereas the
domainname registration is at Moniker Online Services Inc. (R245-LRMS)
Moniker's website is here http://www.moniker.com/index.jsp
As a general rule it is unlikely that the domainname registrar is going
to take some kind of action against the domainname registrant
registration because of your allegation that the domainname is associated
with spamsupport.
The 'entity' which is in charge of the rDNS information is the IP block
holder Active Network.
> When spam has been reported
> and the IP address is listed as terminated,
That part isn't true. The URL I posted above resolves to an IP where a
webserver answers with a webpage inviting you to input your email
address and unsub.
> why, a week later, has
> there been no effect whatsoever on the spammer's business?
The address I gave above resolves. You didn't give an address which you
found in the spam which might have a different payload than the one I
saw.
> They might
> as well not bother using a new domain every day, because the old ones
> keep on working! Why, when I do manage to track down the website
> hosting company, do they have no idea that the domain has been
> terminated.
The domain hasn't been terminated. How the name resolves is up to the
nameservers for the domainname, in this case
ns2.domainservice.com A (Address) 208.49.40.12
ns1.domainservice.com A (Address) 208.79.78.12
ns3.domainservice.com A (Address) 64.49.213.231
ns4.domainservice.com A (Address) 208.49.40.13
Those are under the 'aegis' of Moniker.
How an IP address's rDNS works is a completely different process. It is
based on the 'resolution' of 4.3.2.1.in-addr.arpa or in this case
10.96.37.216.in-addr.arpa which is handled by different nameservers
which are under the aegis of Active Network.
Dig 10.96.37.216.in-addr.arpa at 207.69.188.171 ...
Non-authoritative answer
Recursive queries supported by this server
10.96.37.216.in-addr.arpa PTR (Pointer)
216-37-96-10.terminated-for-abuse.net
96.37.216.in-addr.arpa NS (Nameserver) ns2.ansi1.com
96.37.216.in-addr.arpa NS (Nameserver) ns1.ansi1.com
ns1.ansi1.com A (Address) 216.37.96.6
ns2.ansi1.com A (Address) 216.37.96.7
> How is it I talk to an administrator there
where?
> and they have
> no idea what samspade.org is or where they get their information?
Some admin isn't responsible for educating you into the ways of DNS and
rDNS. Here's a little thing you might like to read about it.
... oops. I can't find what I was looking for at DNSStuff, they've
reorganized.
> What should I tell people like this so that they will be able to put
> procedures in place to actually shut down people who have supposedly
> been shut down?
The 'story' on 216.37.96.10 is that it isn't in spamhaus, nor is
ansi1.com in spamhaus US provider listings, so there isn't any other
evidence of them being nonresponsive.
When you submit a regular spamcop report, which you haven't shown a
tracker for, then that tracker might illustrate how spamcop parsed a
spam and how the spam was notified.
You haven't given any information here. You haven't provided a tracker
to an example of a spam, you haven't named an actual spam-contained
weblink. You have just given some information about your experience in
resolving a domainname and trying to obtain additional information on
the rDNS of the IP you got.
The way to notify for a website in a spam is to resolve it to the IP (if
you are interested you can try to rDNS the IP, but that result isn't
really very important) and then to notify the RIR regional internet
registrar such as arin, lacnic, ripe, afrinic, apnic, etc listed contact
information or its abuse.net equivalent. That is the way SC notifies
and that is a good way.
SC does not notify any contacts derived from the domainname or its
registration. Some people do that manually.
--
Mike Easter
kibitzer, not SC admin
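Added example, not part of the post and not SpamCop's code: it walks the process Mike describes (resolve the spamvertised domain to its IP, build the in-addr.arpa name, fetch the PTR, and check whether the PTR is forward-confirmed), using constructed sample records that mirror the ones quoted above. The record table and the `sample_lookup` resolver are assumptions standing in for live DNS; `reverse_name` also handles IPv6 (ip6.arpa), which the post does not cover.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed sample records mirroring the post: the forward name points at
# 216.37.96.10, while the IP block holder's reverse zone gives that address
# a PTR under terminated-for-abuse.net. The empty A record for the PTR target
# is an assumption made so the forward-confirmation check has a case to fail.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("disguisement.info", "A"): ["216.37.96.10"],
    ("10.96.37.216.in-addr.arpa", "PTR"): ["216-37-96-10.terminated-for-abuse.net"],
    ("216-37-96-10.terminated-for-abuse.net", "A"): [],
}

Lookup = Callable[[str, str], List[str]]


def sample_lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a resolver; unknown names return no records."""
    return SAMPLE_RECORDS.get((name.lower().rstrip("."), rtype), [])


def reverse_name(ip: str) -> str:
    """Build the name an rDNS query asks for, e.g.
    216.37.96.10 -> 10.96.37.216.in-addr.arpa (IPv6 -> ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_hosting(domain: str, lookup: Lookup = sample_lookup) -> dict:
    """Resolve the domain to its hosting IPs, fetch each IP's PTR and report
    whether the PTR is forward-confirmed (its A record contains the IP).
    The abuse contact belongs to the IP (RIR whois), not to the PTR name
    and not to the domain registration, so the IP is what gets reported."""
    report = {"domain": domain, "hosts": []}
    for ip in lookup(domain, "A"):
        ptrs = lookup(reverse_name(ip), "PTR")
        confirmed = [p for p in ptrs if ip in lookup(p, "A")]
        report["hosts"].append({
            "ip": ip,
            "ptr": ptrs,
            "fcrdns": bool(confirmed),
            "report_abuse_for": ip,  # look this address up at its RIR
        })
    return report


if __name__ == "__main__":
    print(check_hosting("disguisement.info"))
```

To run it against live DNS, replace `sample_lookup` with a function that performs real A and PTR queries (for example via the dnspython resolver); the rest of the logic is unchanged.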