[SURBL-Discuss] Yahoo redirector?

Joseph Brennan brennan at columbia.edu
Mon Oct 2 21:43:00 CEST 2006


What's going on here?

Numerous examples of porn spam sent Sunday have all different hostnames
that resolve to the same few IP addresses, apparently by round robin:

$ host takinoivanober.com
takinoivanober.com has address 68.142.212.127
takinoivanober.com has address 68.142.212.128
takinoivanober.com has address 68.142.212.129
takinoivanober.com has address 68.142.212.130
takinoivanober.com has address 68.142.212.135
takinoivanober.com has address 68.142.212.126
$ host zascehjukalsderr.com
zascehjukalsderr.com has address 68.142.212.130
zascehjukalsderr.com has address 68.142.212.135
zascehjukalsderr.com has address 68.142.212.126
zascehjukalsderr.com has address 68.142.212.127
zascehjukalsderr.com has address 68.142.212.128
zascehjukalsderr.com has address 68.142.212.129
$ host sex368yzx.com
sex368yzx.com has address 68.142.212.129
sex368yzx.com has address 68.142.212.130
sex368yzx.com has address 68.142.212.135
sex368yzx.com has address 68.142.212.136
sex368yzx.com has address 68.142.212.137
sex368yzx.com has address 68.142.212.128

Reverse DNS resolves to Yahoo, only:

$ host 68.142.212.130
130.212.142.68.in-addr.arpa domain name pointer p10w14.geo.mud.yahoo.com.
$ host 68.142.212.127
127.212.142.68.in-addr.arpa domain name pointer p10w11.geo.mud.yahoo.com.
$ host 68.142.212.128
128.212.142.68.in-addr.arpa domain name pointer p10w12.geo.mud.yahoo.com.

The range 68.142.192 through 68.142.255 is all Inktomi, contact address
network-abuse at cc.yahoo-inc.com, so it really is Yahoo.

The interesting bit is that connecting by IP address or Yahoo hostname
gets an "Error 400 - Bad Request", but connecting by the spammer hostname
gets a web page.

I'd be especially interested in a generalized way of catching this.

Joseph Brennan
Columbia University Information Technology
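A generalized check along the lines the post asks for, as an added example that is not from the message or from the SURBL project: it clusters URL hostnames that share A records and flags clusters whose reverse DNS belongs to a different organisation than the hostnames themselves (the name-based virtual hosting pattern seen above). The A and PTR tables are constructed from the lookups quoted in the message plus one made-up control entry; in a real run the two lookup callables would be replaced with live resolver calls.

```python
from collections import defaultdict

# Constructed sample data modelled on the lookups in the post (not live DNS);
# example.org is a made-up control whose PTR matches its own domain.
SAMPLE_A = {
    "takinoivanober.com": {"68.142.212.126", "68.142.212.127", "68.142.212.128",
                           "68.142.212.129", "68.142.212.130", "68.142.212.135"},
    "zascehjukalsderr.com": {"68.142.212.126", "68.142.212.127", "68.142.212.128",
                             "68.142.212.129", "68.142.212.130", "68.142.212.135"},
    "sex368yzx.com": {"68.142.212.128", "68.142.212.129", "68.142.212.130",
                      "68.142.212.135", "68.142.212.136", "68.142.212.137"},
    "example.org": {"198.51.100.7"},
}
SAMPLE_PTR = {  # only some addresses had a PTR in the post; .get() yields None for the rest
    "68.142.212.127": "p10w11.geo.mud.yahoo.com",
    "68.142.212.128": "p10w12.geo.mud.yahoo.com",
    "68.142.212.130": "p10w14.geo.mud.yahoo.com",
    "198.51.100.7": "www.example.org",
}

def registered_domain(name):
    """Last two labels of a hostname: crude, but enough to separate yahoo.com from a throwaway .com."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def cluster_by_shared_ips(hosts, a_lookup):
    """Connected components of hostnames that share at least one A record (union-find)."""
    ip_owner, parent = {}, {h: h for h in hosts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for h in hosts:
        for ip in a_lookup(h):
            if ip in ip_owner:
                parent[find(h)] = find(ip_owner[ip])
            else:
                ip_owner[ip] = h
    groups = defaultdict(list)
    for h in hosts:
        groups[find(h)].append(h)
    return [sorted(g) for g in groups.values()]

def flag_shared_hosting(hosts, a_lookup, ptr_lookup):
    """Per cluster: its IPs, the PTR domains, and whether the PTR owner differs from
    every hostname's own domain, i.e. the hostnames live on someone else's shared web front end."""
    report = []
    for group in cluster_by_shared_ips(hosts, a_lookup):
        ips = sorted({ip for h in group for ip in a_lookup(h)})
        ptr_domains = {registered_domain(p) for ip in ips if (p := ptr_lookup(ip))}
        own_domains = {registered_domain(h) for h in group}
        report.append({"hosts": group, "ips": ips, "ptr_domains": sorted(ptr_domains),
                       "shared_hosting": bool(ptr_domains) and ptr_domains.isdisjoint(own_domains)})
    return sorted(report, key=lambda r: -len(r["hosts"]))  # biggest clusters first
```

A flagged cluster is a lead for a listing or abuse report on the hostnames, not on the shared IPs, since the same addresses serve unrelated legitimate sites.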
