I got a live one! - Spam source

Michael Peddemors michael at linuxmagic.com
Fri Nov 27 01:06:57 UTC 2009

Not to keep endlessly on this thread, but again with reference to good whois 
record keeping and bad..

mx2.yvzus.com
mx3.xmabs.com
mx5.zgows.com
mx5.zntas.com

<GOOD> We know the activity is probably limited to:

Found a referral to whois.nac.net:43.

NAC-Rwhoisd32 Server Ready - [hydrogen/43] Rwhoisd32 - 1.0.76

Private (NET-40155780-26)
   1000 Elliott Ave W
   Seattle, WA  98119

OrgID   : NAC-40612
Netname : NET-40155780-26
NetUse  : additional loopback ips for

   Whitaker, Claude      washwhitaker at aol.com
   Phone: 206-407-3201

hikmvo.leadingsolutionlinks.com
noqo.leadingsolutionlinks.com
rqecf.leadingsolutionlinks.com

<GOOD> We know that the activity is probably limited to:

VPLS Inc. d/b/a Krypt Technologies VPLSNET (NET-67-229-0-0-1)
Roy Diaz ROY (NET-67-229-96-0-1)

(Other than VPLS/Krypt seems to really like these types of customers)

mail1.ugallshwomange.com
mail1.ugouricarali.com
mail1.utanonesiana.com
mail1.vatetricarkose.com
mail1.venesiandsgu.com
mail1.viandslahass.com
mail1.vientianarica.com
mail1.vientuckyan.com


Integra Telecom, Inc. ELI-NETWORK-ELIX (NET-70-96-0-0-1)
Syptec ITCM-70-97-118-0-23 (NET-70-97-118-0-1)

This is a /23 but with Syptec's record... They sure like opening ranges to 
email marketers first :)  Unless Syptec is operating those machines 
themselves.. but in that class C all the IPs don't appear to start on a 
normal boundary, .35-.65 with all the rest of the IPs having no reverse DNS.  
Does this client of theirs have control over the whole /23 or just a part?

loneas41.instantcasheasynow.com
lon69.instantcasheasynow.com
lon83.instantcasheasynow.com
click37.fallcreditcash.com
track42.fallcreditcash.com
click14.fallcreditcash.com
track4.fallcreditcash.com


InfoRelay Online Systems, Inc. INFORELAY-EST-02 (NET-205-251-0-0-1)
Reaction54 REACT54-03 (NET-205-251-8-0-1)

Is this two different clients on Reaction54, or is this Reaction54 themselves?
I think you have to assume the latter based on this whois information..  
Especially when you see that the whole class C has the same naming patterns.

host6.chemistryearth.com
host6.consecutiveworld.com


Internap Network Services Corporation PNAP-8-98 (NET-216-52-0-0-1)
Aurora Networking INAP-LAX-AURORA-34937 (NET-216-52-246-0-1)

More companies on Internap, but at least we know exactly what range is owned 
by this company.. We can just look at the one class 'C'.

And of course we can see that this is quite typical right across the range..

ad-a11.pointdnshere.com
ns193.pointdnshere.com


Ummm.. we can't say the same operator is using all of these can we?

inetnum: -
netname:      HKNET-HK
descr:        HKNet Company Limited
descr:        15/F, Tower 2, Ever Gain Plaza,
descr:        88 Container Port Road, Kwai Chung, N.T.
country:      HK

And if we guessed, and said the same behavior was across the board, we would 
be hurting the poor guy on that class C in the top of the range..  

(Oh, yeah.. I know.. I threw that last example to show that this isn't just a 
North American problem)

On November 26, 2009, Rich Kulawiec wrote:
> On Wed, Nov 25, 2009 at 09:25:27AM -0800, Michael Peddemors wrote:
> > I hear people saying that they don't publish whois information because
> > they don't want the emails made public.  Okay, at least the registered
> > company name, or individual who presented the ID should be there.
> Without delving too far into this: there is no point whatsoever in
> attempting to conceal or obfuscate email addresses --not any more.  It is
> an obsolete, "cargo cult" practice that many are still engaged in without
> grasping that it was quite thoroughly defeated by spammers and their
> associates years ago.
> That said, I concur in full with your opinions in re whois data and
> the need to assign it properly.  I've long since stopped trying to
> deal with missing information and have adopted the rule that if the
> neighborhood looks sufficiently bad, I just block a /24 worth.  That
> may sound arbitrary, but in practice it works extremely well.
> ---Rsk

"Catch the Magic of Linux..."
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-589-0037 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended 
solely for the use of the individual or entity to which they are addressed. 
Please note that any views or opinions presented in this email are solely 
those of the author and are not intended to represent those of the company.
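The post's reasoning about a /24 (does the whole block share one naming pattern, or is there a small operator sitting in the top of the range who would be hurt by a blanket block?) can be turned into a repeatable check over reverse-DNS data. The script below is an added example, not code from the post or from LinuxMagic: it profiles a /24's PTR names by naming pattern and registrable domain and reports contiguous runs with and without reverse DNS. The two sample blocks are constructed (reserved .example domains, not the hostnames quoted above), the 80% "dominant domain" threshold is an assumption chosen for illustration, and registrable_domain() takes the last two labels without a public-suffix list.

```python
"""Profile the reverse DNS of a /24 to judge whether it reads as one operator's
block or as a mixed neighbourhood.  Added example; data below is constructed."""
import re
from collections import Counter

# Constructed sample 1: a block where only .35-.95 answer, all under one
# domain with two numbered prefixes (the "same naming pattern" case).
SINGLE_OPERATOR_24 = {o: None for o in range(1, 256)}
for o in range(35, 66):
    SINGLE_OPERATOR_24[o] = f"click{o}.cash-offers.example"
for o in range(66, 96):
    SINGLE_OPERATOR_24[o] = f"track{o}.cash-offers.example"

# Constructed sample 2: a bulk sender at the bottom of the range sharing the
# /24 with a small hoster, a dentist and a law firm (the bystander case).
MIXED_24 = {o: None for o in range(1, 256)}
for o in range(1, 11):
    MIXED_24[o] = f"mail{o}.small-hoster.example"
MIXED_24[20] = "www.dentist-office.example"
MIXED_24[21] = "mail.dentist-office.example"
MIXED_24[50] = "vpn.lawfirm.example"
for o in range(200, 231):
    MIXED_24[o] = f"host{o}.bulk-sender.example"


def naming_pattern(hostname):
    """click37.cash-offers.example -> click#.cash-offers.example
    (digits in the leftmost label are collapsed so numbered hosts group)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join([re.sub(r"\d+", "#", labels[0])] + labels[1:])


def registrable_domain(hostname):
    """Last two labels.  Assumption: no public-suffix list, so names under
    two-level TLDs such as co.uk would be grouped too coarsely."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def runs(octets):
    """Collapse last octets into sorted (start, end) contiguous runs."""
    out = []
    for o in sorted(octets):
        if out and o == out[-1][1] + 1:
            out[-1] = (out[-1][0], o)
        else:
            out.append((o, o))
    return out


def profile_block(ptrs, dominant_share=0.8):
    """Summarise a /24 given {last_octet: ptr_name_or_None}."""
    named = {o: h for o, h in ptrs.items() if h}
    domains = Counter(registrable_domain(h) for h in named.values())
    patterns = Counter(naming_pattern(h) for h in named.values())
    top_domain, top_count = (domains.most_common(1) or [(None, 0)])[0]
    share = top_count / len(named) if named else 0.0
    if not named:
        assessment = "no reverse DNS: whois is the only signal"
    elif share >= dominant_share and len(patterns) <= 3:
        assessment = "uniform naming: looks like one operator's block"
    else:
        assessment = "mixed naming: blocking the whole /24 would hit bystanders"
    return {
        "named": len(named),
        "unnamed": len(ptrs) - len(named),
        "top_domain": top_domain,
        "top_domain_share": round(share, 2),
        "patterns": patterns,
        "ptr_runs": runs(named),                            # ranges with rDNS
        "gap_runs": runs(o for o in ptrs if not ptrs[o]),   # ranges without
        "assessment": assessment,
    }


if __name__ == "__main__":
    for label, block in (("single-operator", SINGLE_OPERATOR_24), ("mixed", MIXED_24)):
        p = profile_block(block)
        print(f"[{label}] {p['assessment']}")
        print(f"  named={p['named']} unnamed={p['unnamed']} "
              f"top={p['top_domain']} ({p['top_domain_share']:.0%})")
        print(f"  rDNS runs={p['ptr_runs']} gaps={p['gap_runs']}")
        for pat, n in p["patterns"].most_common():
            print(f"  {n:3d}  {pat}")
```

Feed it real PTR data (one dict per /24 from a reverse zone walk or passive DNS) and the "gap_runs" output reproduces the observation in the post that live hosts start at .35 rather than on a normal boundary, while "top_domain_share" shows whether a /24-wide block would catch only the one operator or also the small customer at the top of the range.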
