Fighting spam on Mac OS X

Today I received another comment spam and, after reporting on this tutorial on how to trace a spammer's address, I decided to write a short tutorial on the same subject, for Mac OS X users.

If you don't know it already, there is a little jewel in the Utilities called Network Utility, and it is your friend to find out more about all sorts of Internet things. Find it and launch it.


My goal is to trace a comment spammer, starting with the notification email I received from MovableType:

Date: Mar nov 11, 2003 17:48:52 Europe/Paris
Subject: [] New Comment Posted to 'Comment Authentication (4)'

A new comment has been posted on your blog, on entry #426
(Comment Authentication (4)).

IP Address:
Name: sunil
Email Address:



Since this guy already left a similar comment spam in the past to advertise his business site on my weblog, he'll serve as the guinea-pig for this demonstration.

Let's start by finding who's behind the domain This is the job of the whois tab:


I entered the domain name into the first field and selected as the whois server using the popup. The image above sports, just to show that you can also use other whois servers than the ones provided by default. This is sometimes necessary if the domain registrar info is not in one of the listed whois. I found out about by first searching through, which gave me this result:

Whois Server:
Referral URL:

Hence the search on Remember to look for a whois server when you cannot find the info from Network Solutions or your favorite whois server.

Now I know that belongs to a certain Sudhir Chaudhry supposedly living in New Delhi, India, who happens to be also the administrative and technical contact for the domain.

The next step is to find out which IP address is behind the spammer's domain. This is where lookup comes handy:


Lookup tells me that this domain resolves to the IP address A search on gives the same result. Additionally, I know that the domain name server handling it sits on the domain

Let's try to locate the IP address, first the one used to post the comment. Back to whois:


Here I had to check various choices, which correspond to geographies, until there is an answer (here, the IP range sits on the APNIC zone, which is the Asia Pacific zone). I know that the spammer used either a company or an ISP named Spectranet Network Devices, based in New Delhi, India (it looks like an ISP). A similar search on leads me to an answer from the ARIN (the American Registry) zone with the following info:

OrgName: Network Operations Center Inc.
Address: PO Box 591
City: Scranton
StateProv: PA
PostalCode: 18501-0591
Country: US

NetRange: -
NetHandle: NET-64-191-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
RegDate: 2002-05-31
Updated: 2003-08-08

TechHandle: SMA4-ARIN
TechName: Arcus, S. Matthew
TechPhone: +1-570-343-8551

OrgTechHandle: SMA4-ARIN
OrgTechName: Arcus, S. Matthew
OrgTechPhone: +1-570-343-8551

The site at is not particularly wordy. Let's try to come closer, by using traceroute. Here I could use the Traceroute tab on Network Utility, but this rarely gives any result, because my ISP blocks traceroute searches upfront. Let's use Sam Spade instead:

Traceroute resolves to

Do not contact either Los Nettos ( or Centergate Research Group ( based on the results of this traceroute.

 3   2.782 ms [AS226] Los Nettos origin AS
 4  7.338 ms [AS2914] Verio
 5   9.929 ms [AS2914] Verio
 6    12.243 ms [AS2914] Verio
 7      14.679 ms [AS2914] Verio
 8    87.057 ms [AS2914] Verio
 9     82.915 ms [AS2914] Verio
10   79.390 ms [AS2914] Verio
11  79.425 ms (Fake rDNS) [AS2914] Verio
12  79.358 ms (Fake rDNS) [AS2914] Verio
13     80.171 ms (DNS error) [AS2914] Verio
14    85.504 ms  DNS error
15    83.820 ms  DNS error [AS21788] Unknown

Using Sam Spade's blackhole list check, I found that the last two IPs are known as belonging to the spam-friendly (a name we've seen before), as reported by FIVENET:

IP address is listed here as spam-support. Please note that the following comments apply to since seems to be owned or controlled by them.

This does NOT mean that we ever received spam from It just means that the upstream owner of that address block (which seems to be is listed here for spam support. That upstream needs to resolve the below issues.

"added 2002-10-30; spam support - hosting azoogle"
"added 2002-12-25; spam support - moving azoogle to avoid blocks"
"added 2003-04-26; spam support - hosting on"

This is not good, as, of course, does not publish any information, starting with an anti-spam policy and an abuse email address (not particularly astonishing from a spam-friendly host). A Google Groups search for in* returns 1,180 results, which gives me little hope that writing to will yield to any positive result. But, just for the sake of showing how hard it is to hide yourself on the Internet, I performed a reverse link search with on Google which led me to this where, bingo, is (a simpler request to the Arin whois would have given me the same result).

At this point, I have banned the whole Spectranet range ( to from commenting on my weblog. I had found more encouraging information about the host (like an anti-spam policy), I would have emailed their abuse mailbox with a copy of the comment spam to get the site removed. I have written to though.

Here you are, I hope it gave you some useful information about the Network Utility in Mac OS X. For those who prefer the Terminal, here are the commands to perform the same steps. For finding who registered the domain: whois -h (the -h option allows me to hit the right whois server). For the IP part, I prefer to do a traceroute directly, which gives me the IP address that I can turn back into whois -h to find the host.

[Update (March 25, 2004) Sam Spade has disabled several of its services due to technical constraints, so some of the above links may not work.]


Ce billet illustre bien le temps que peut nous faire perdre les spammeurs... C'est long et complexe, et le combat demande beaucoup d'énergie.
PS. Passe à Jaguar ;-)
PS bis. Mais qu'est-ce que je fais ici ? ;-)

Je suis sur Jaguar, tu veux dire Panther je suppose :-)
J'attends toujours mon CD qu'Apple prétend m'avoir envoyé il y a bientôt trois semaines (le transport à dos d'âne depuis Cork, ça ne fonctionne pas bien) :(.

Désolé, je me mélange dans les fauves .-) L'utilitaire réseau a été pas mal relooké.

Sorry for the comments in French, I am being trolled by the very same guy who called me a traitor because I was writing predominantly in English on my weblog :-).

English program resuming now...