[Scspamcop] Re: domain is "terminated-for-abuse" but website is still up!?
Antispam Knight
nobody at spamcop.net
Sat Nov 3 01:24:06 EDT 2007
"Andre Guirard" <aguirard at comcast.net> wrote in message
news:fgfvmk$ogm$1 at news.spamcop.net...
> I'm looking at the following domains which are the target of links in spam
> I've been receiving a lot of recently:
>
> disguisement.info
> unreclaimed.net
> reposit.net
>
> There are more, but these will serve as an example. When I use
> samspade.org to trace the domains to find out who's hosting them, I get,
> for instance:
> 216.37.96.10 = [ 216-37-96-10.terminated-for-abuse.net ]
> ERROR: Unable to connect to rwhois.ansi1.net for 216.37.96.10 ... Aborting
> ...
>
> What I'm trying to figure out is, if the domain has been terminated for
> abuse (as well it might be!), why is the website still up? How do I tell
> who is actually hosting it now? When spam has been reported and the IP
> address is listed as terminated, why, a week later, has there been no
> effect whatsoever on the spammer's business? They might as well not bother
> using a new domain every day, because the old ones keep on working! Why,
> when I do manage to track down the website hosting company, do they have
> no idea that the domain has been terminated? How is it I talk to an
> administrator there and they have no idea what samspade.org is or where
> they get their information? What should I tell people like this so that
> they will be able to put procedures in place to actually shut down people
> who have supposedly been shut down?
>
>
What leads you to believe the domain has been terminated for abuse?
If you are using traceroute to 216.37.96.10 you should be aware that the
rdns shown is unreliable. It can be spoofed. If you do a nameserver lookup
of disguisement.info, as an example, you find that the domain is alive and
well:
Answer records
name                   class  type  data                   time to live
disguisement.info      IN     NS    ns1.domainservice.com  86400s (1d)
disguisement.info      IN     NS    ns3.domainservice.com  86400s (1d)
disguisement.info      IN     NS    ns2.domainservice.com  86400s (1d)
disguisement.info      IN     NS    ns4.domainservice.com  86400s (1d)

Authority records
name                   class  type  data                   time to live
disguisement.info      IN     NS    ns1.domainservice.com  86400s (1d)
disguisement.info      IN     NS    ns2.domainservice.com  86400s (1d)
disguisement.info      IN     NS    ns3.domainservice.com  86400s (1d)
disguisement.info      IN     NS    ns4.domainservice.com  86400s (1d)

Additional records
name                   class  type  data                   time to live
ns4.domainservice.com  IN     A     208.49.40.13           21743s (6h 2m 23s)
ns3.domainservice.com  IN     A     64.49.213.231          24423s (6h 47m 3s)
ns2.domainservice.com  IN     A     208.49.40.12           24423s (6h 47m 3s)
ns1.domainservice.com  IN     A     208.79.78.12           22956s (6h 22m 36s)
-- end --
If you then do a nameserver lookup at one or more of the authority servers
above
(ns1.domainservice.com,ns2.domainservice.com,ns3.domainservice.com,ns4.domainservice.com),
you find the following:
Answer records
name               class  type  data                            time to live
disguisement.info  IN     NS    ns3.domainservice.com           21600s (6h)
disguisement.info  IN     NS    ns2.domainservice.com           21600s (6h)
disguisement.info  IN     NS    ns1.domainservice.com           21600s (6h)
disguisement.info  IN     NS    ns4.domainservice.com           21600s (6h)
disguisement.info  IN     A     216.37.96.10  <--------NOTE     21600s (6h)
disguisement.info  IN     MX    preference: 1                   21600s (6h)
                                exchange: mail.uspercent.info
disguisement.info  IN     SOA   server: ns1.domainservice.com   21600s
                                email: dnsadmin at moniker.com
                                serial: 2007110100
                                refresh: 10800
                                retry: 3600
                                expire: 604800
                                minimum ttl: 21600
Note that the A record shows that the domain is alive and well at
216.37.96.10.
Sorry for the length of the post. Educational purposes only.
AK
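
Added example, not part of the original post: a Python sketch of the check described above. It decides whether a domain is live from its forward A record and treats the PTR name of the address only as a label set by whoever runs the reverse zone, counted only if it is forward-confirmed. The function names and the sample data are constructed for illustration; the sample assumes the PTR name has no forward A record, which the thread does not state.

```python
import socket

def system_resolver():
    """(lookup_a, lookup_ptr) backed by the OS resolver; needs network access."""
    def lookup_a(name):
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            return sorted({info[4][0] for info in infos})
        except OSError:
            return []
    def lookup_ptr(ip):
        try:
            return [socket.gethostbyaddr(ip)[0]]
        except OSError:
            return []
    return lookup_a, lookup_ptr

def sample_resolver():
    """Constructed offline data using the name and address quoted in the thread."""
    a = {"disguisement.info": ["216.37.96.10"]}
    # Assumption: the PTR name itself has no forward A record.
    ptr = {"216.37.96.10": ["216-37-96-10.terminated-for-abuse.net"]}
    return (lambda n: a.get(n.lower().rstrip("."), [])), (lambda ip: ptr.get(ip, []))

def assess(domain, lookup_a, lookup_ptr):
    """Liveness comes from the forward A record, never from the PTR name.

    A PTR name is listed as confirmed only when it resolves back to the
    same address (forward-confirmed reverse DNS).
    """
    hosts = []
    for ip in lookup_a(domain):
        names = lookup_ptr(ip)
        confirmed = [n for n in names if ip in lookup_a(n)]
        hosts.append({"ip": ip, "ptr": names, "ptr_confirmed": confirmed})
    return {"domain": domain, "resolves": bool(hosts), "hosts": hosts}

if __name__ == "__main__":
    report = assess("disguisement.info", *sample_resolver())
    print(report["domain"], "resolves:", report["resolves"])
    for h in report["hosts"]:
        print(" ", h["ip"], "PTR:", h["ptr"], "forward-confirmed:", h["ptr_confirmed"])
```

Pass `*system_resolver()` instead of `*sample_resolver()` to run the same check against live DNS.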