What's going on here?
Numerous examples of porn spam sent Sunday have all different hostnames that resolve to the same few IP addresses, apparently by round robin:
$ host takinoivanober.com
takinoivanober.com has address 68.142.212.127
takinoivanober.com has address 68.142.212.128
takinoivanober.com has address 68.142.212.129
takinoivanober.com has address 68.142.212.130
takinoivanober.com has address 68.142.212.135
takinoivanober.com has address 68.142.212.126
$ host zascehjukalsderr.com
zascehjukalsderr.com has address 68.142.212.130
zascehjukalsderr.com has address 68.142.212.135
zascehjukalsderr.com has address 68.142.212.126
zascehjukalsderr.com has address 68.142.212.127
zascehjukalsderr.com has address 68.142.212.128
zascehjukalsderr.com has address 68.142.212.129
$ host sex368yzx.com
sex368yzx.com has address 68.142.212.129
sex368yzx.com has address 68.142.212.130
sex368yzx.com has address 68.142.212.135
sex368yzx.com has address 68.142.212.136
sex368yzx.com has address 68.142.212.137
sex368yzx.com has address 68.142.212.128
Reverse DNS resolves to Yahoo, only:
$ host 68.142.212.130
130.212.142.68.in-addr.arpa domain name pointer p10w14.geo.mud.yahoo.com.
$ host 68.142.212.127
127.212.142.68.in-addr.arpa domain name pointer p10w11.geo.mud.yahoo.com.
$ host 68.142.212.128
128.212.142.68.in-addr.arpa domain name pointer p10w12.geo.mud.yahoo.com.
The range 68.142.192 through 68.142.255 is all Inktomi, contact address network-abuse@cc.yahoo-inc.com, so it really is Yahoo.
The interesting bit is that connecting by IP address or Yahoo hostname gets an "Error 400 - Bad Request", but connecting by the spammer hostname gets a web page.
I'd be especially interested in a generalized way of catching this.
Joseph Brennan Columbia University Information Technology
Unfortunately, Yahoo is one of the top Spam domain hosts. I don't think there is much you can do about it, generally. Just report the domains as usual.
-Stuart
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
Unfortunately, Yahoo is one of the top Spam domain hosts. I don't think there is much you can do about it, generally. Just report the domains as usual.
Yahoo webhosting is a total mess. I guess there must be a reason why they attract so much illegal content.
On top of all the regular porn and phishing spam domains hosted by Yahoo I get on average about four child pornography sites hosted on Yahoo per day (357 domains in just over 90 days).
Does anybody have any inside contacts to get these resolved more quickly? If the sites are online long enough so that CP customers can sign up then this isn't going to stop.
Joe Wein
joewein.de LLC Yokohama, Japan WWW: http://www.joewein.net WWW: http://www.jwspamspy.net WWW: http://www.419scam.org
On Monday, October 2, 2006, 1:33:15 PM, Joe Wein wrote:
Unfortunately, Yahoo is one of the top Spam domain hosts. I don't think there is much you can do about it, generally. Just report the domains as usual.
Yahoo webhosting is a total mess. I guess there must be a reason why they attract so much illegal content.
Yahoo is abused probably just because it's a major web host. Big hosts probably get abused more often.
On top of all the regular porn and phishing spam domains hosted by Yahoo I get on average about four child pornography sites hosted on Yahoo per day (357 domains in just over 90 days).
Does anybody have any inside contacts to get these resolved more quickly? If the sites are online long enough so that CP customers can sign up then this isn't going to stop.
Joe Wein
Yahoo does process the mail sent to:
abuse@yahoo.com
Everyone should report abuse to them.
Jeff C. -- Don't harm innocent bystanders.
I don't have time to report spam one by one. We reject 1.2 million a day and still get 2,000 spam reports a day. I would implement something automated. We look up URL hostnames in SURBL, URL IP addresses in Spamhaus, and under consideration now is looking up PTR for the IP and scoring as possible spam if it points to Yahoo. The only question is weighing how useful that test would be against the time to do DNS lookup.
Joseph Brennan Columbia University Information Technology
On Tuesday, October 3, 2006, 6:25:48 AM, Joseph Brennan wrote:
I don't have time to report spam one by one. We reject 1.2 million a day and still get 2,000 spam reports a day. I would implement something automated. We look up URL hostnames in SURBL, URL IP addresses in Spamhaus, and under consideration now is looking up PTR for the IP and scoring as possible spam if it points to Yahoo. The only question is weighing how useful that test would be against the time to do DNS lookup.
Given that Yahoo is one of the larger web hosts in the world, it would seem that could result in some false positives. Also it's not clear if Yahoo's own sites use similar IP space, but their own sites are quite frequently mentioned in hams. Therefore that test may not be too useful.
Reporting spams back to Yahoo is probably a good thing. I can't recall if they have feedback loops, etc., but sending correctly identified spams to their abuse address may help.
Jeff C. -- Don't harm innocent bystanders.
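One way to approach the "generalized way of catching this" asked for in the first message, as an added example that is not from any poster in the thread: group URL hostnames by how much their A-record sets overlap, instead of keying on the Yahoo PTR name. The addresses are the ones in the `host` output above; `control.example`, the 0.5 threshold and all function names are assumptions made for this sketch.

```python
from itertools import combinations

def ips(*last_octets):
    """Expand last octets into the 68.142.212.x addresses quoted in the thread."""
    return frozenset(f"68.142.212.{o}" for o in last_octets)

# A records as shown in the thread's `host` output, plus one constructed control.
A_RECORDS = {
    "takinoivanober.com": ips(127, 128, 129, 130, 135, 126),
    "zascehjukalsderr.com": ips(130, 135, 126, 127, 128, 129),
    "sex368yzx.com": ips(129, 130, 135, 136, 137, 128),
    "control.example": frozenset({"192.0.2.10"}),  # constructed, unrelated host
}

def jaccard(a, b):
    """Overlap of two address sets: |a & b| / |a | b| (0.0 if both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def clusters(records, threshold=0.5):
    """Group hostnames whose A-record sets overlap by at least `threshold`."""
    parent = {h: h for h in records}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]  # path halving
            h = parent[h]
        return h

    for a, b in combinations(records, 2):
        if jaccard(records[a], records[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for h in records:
        groups.setdefault(find(h), set()).add(h)
    return [g for g in groups.values() if len(g) > 1]

def overlap_score(new_ips, records, reported, threshold=0.5):
    """Count already-reported hostnames whose address set overlaps `new_ips`."""
    return sum(1 for h in reported if jaccard(new_ips, records[h]) >= threshold)

if __name__ == "__main__":
    print(clusters(A_RECORDS))
```

A legitimate customer on the same hosting pool would overlap in exactly the same way, which is the false-positive concern raised in the last reply, so the count is better used as one contribution to a score next to the SURBL and Spamhaus lookups than as a reject rule by itself.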