Fighting spam on Mac OS X

Published on:

Today I received another comment spam and, after reporting on this tutorial on how to trace a spammer's address, I decided to write a short tutorial on the same subject, for Mac OS X users.

If you don't know it already, there is a little jewel in the Utilities called Network Utility, and it is your friend to find out more about all sorts of Internet things. Find it and launch it.

nu-icon.gif

My goal is to trace a comment spammer, starting with the notification email I received from MovableType:

From: sunil78@yahoo.com
Date: Mar nov 11, 2003 17:48:52 Europe/Paris
Subject: [padawan.info] New Comment Posted to 'Comment Authentication (4)'

A new comment has been posted on your blog padawan.info, on entry #426
(Comment Authentication (4)).
http://www.padawan.info/weblog/comment_authentication_4.html

IP Address: 203.122.61.30
Name: sunil
Email Address: sunil78@yahoo.com
URL: http://www.certificationking.net/aplus.html

Comments:

congrats

Since this guy already left a similar comment spam in the past to advertise his business site on my weblog, he'll serve as the guinea-pig for this demonstration.

Let's start by finding who's behind the domain certificationking.net. This is the job of the whois tab:

nu-whois.gif

I entered the domain name certificationking.net into the first field and selected whois.networksolutions.com as the whois server using the popup. The image above sports whois.wildwestdomains.com, just to show that you can also use other whois servers than the ones provided by default. This is sometimes necessary if the domain registrar info is not in one of the listed whois. I found out about whois.wildwestdomains.com by first searching through whois.internic.net, which gave me this result:


Domain Name: CERTIFICATIONKING.NET
Registrar: WILD WEST DOMAINS, INC.
Whois Server: whois.wildwestdomains.com
Referral URL: http://www.wildwestdomains.com

Hence the search on whois.wildwestdomains.com. Remember to look for a whois server when you cannot find the info from Network Solutions or your favorite whois server.

Now I know that certificationking.net belongs to a certain Sudhir Chaudhry supposedly living in New Delhi, India, who happens to be also the administrative and technical contact for the domain.

The next step is to find out which IP address is behind the spammer's domain. This is where lookup comes handy:

nu-lookup.gif

Lookup tells me that this domain resolves to the IP address 64.191.62.185. A search on www.certificationking.net gives the same result. Additionally, I know that the domain name server handling it sits on the domain s3avahost.net.

Let's try to locate the IP address, first the one used to post the comment. Back to whois:

nu-whois2.gif

Here I had to check various choices, which correspond to geographies, until there is an answer (here, the IP range sits on the APNIC zone, which is the Asia Pacific zone). I know that the spammer used either a company or an ISP named Spectranet Network Devices, based in New Delhi, India (it looks like an ISP). A similar search on 64.191.62.185 leads me to an answer from the ARIN (the American Registry) zone with the following info:

OrgName: Network Operations Center Inc.
OrgID: NOC
Address: PO Box 591
City: Scranton
StateProv: PA
PostalCode: 18501-0591
Country: US

NetRange: 64.191.0.0 - 64.191.127.255
CIDR: 64.191.0.0/17
NetName: HOSTNOC-3BLK
NetHandle: NET-64-191-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.HOSTNOC.NET
NameServer: NS2.HOSTNOC.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-05-31
Updated: 2003-08-08

TechHandle: SMA4-ARIN
TechName: Arcus, S. Matthew
TechPhone: +1-570-343-8551
TechEmail: nic@hostnoc.net

OrgTechHandle: SMA4-ARIN
OrgTechName: Arcus, S. Matthew
OrgTechPhone: +1-570-343-8551
OrgTechEmail: nic@hostnoc.net

The site at http://www.hostnoc.net/ is not particularly wordy. Let's try to come closer, by using traceroute. Here I could use the Traceroute tab on Network Utility, but this rarely gives any result, because my ISP blocks traceroute searches upfront. Let's use Sam Spade instead:

Traceroute www.certificationking.net:

www.certificationking.net resolves to 64.191.62.185

Do not contact either Los Nettos (ln.net) or Centergate Research Group (centergate.com) based on the results of this traceroute.

 3    130.152.180.21   2.782 ms   isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
 4    198.172.117.161  7.338 ms   ge-9-3.a01.lsanca02.us.ra.verio.net [AS2914] Verio
 5    129.250.29.136   9.929 ms   xe-1-0-0-4.r21.lsanca01.us.bb.verio.net [AS2914] Verio
 6    129.250.2.187    12.243 ms  p16-1-1-0.r21.snjsca04.us.bb.verio.net [AS2914] Verio
 7    129.250.5.2      14.679 ms  p64-0-0-0.r20.mlpsca01.us.bb.verio.net [AS2914] Verio
 8    129.250.5.113    87.057 ms  p16-5-0-0.r00.nwrknj01.us.bb.verio.net [AS2914] Verio
 9    129.250.4.22     82.915 ms  p16-3-0-0.r01.nwrknj01.us.bb.verio.net [AS2914] Verio
10    129.250.16.121   79.390 ms  p4-0-1.a03.phlapa01.us.ra.verio.net [AS2914] Verio
11    129.250.116.197  79.425 ms  fa-1-0.a05.phlapa01.us.ra.verio.net (Fake rDNS) [AS2914] Verio
12    129.250.116.213  79.358 ms  ge-1-2.a01.phlapa04.us.ra.verio.net (Fake rDNS) [AS2914] Verio
13    130.94.0.166     80.171 ms  ge-1-2.a01.phlapa04.us.ce.verio.net (DNS error) [AS2914] Verio
14    66.197.191.45    85.504 ms  DNS error
15    64.191.62.185    83.820 ms  DNS error [AS21788] Unknown

Using Sam Spade's blackhole list check, I found that the last two IPs are known as belonging to the spam-friendly hostnoc.net (a name we've seen before), as reported by FIVENET:

IP address 64.191.62.185 is listed here as hostnoc.net spam-support. Please note that the following comments apply to hostnoc.net since 64.191.62.185 seems to be owned or controlled by them.

This does NOT mean that we ever received spam from 64.191.62.185. It just means that the upstream owner of that address block (which seems to be hostnoc.net) is listed here for spam support. That upstream needs to resolve the below issues.

"added 2002-10-30; spam support - hosting azoogle"

"added 2002-12-25; spam support - moving azoogle to avoid blocks"

"added 2003-04-26; spam support - hosting eserve02.com on 66.197.173.0/24"

This is not good, as hostnoc.net, of course, does not publish any information, starting with an anti-spam policy and an abuse email address (not particularly astonishing from a spam-friendly host). A Google Groups search for hostnoc.net in news.admin.net-abuse.* returns 1,180 results, which gives me little hope that writing to abuse@hostnoc.net will yield to any positive result. But, just for the sake of showing how hard it is to hide yourself on the Internet, I performed a reverse link search with link:hostnoc.net on Google which led me to this where, bingo, is abuse@hostnoc.net (a simpler request to the Arin whois would have given me the same result).

At this point, I have banned the whole Spectranet range (203.122.60.0 to 203.122.61.255) from commenting on my weblog. I had found more encouraging information about the host (like an anti-spam policy), I would have emailed their abuse mailbox with a copy of the comment spam to get the site removed. I have written to abuse@Spectranet.com though.

Here you are, I hope it gave you some useful information about the Network Utility in Mac OS X. For those who prefer the Terminal, here are the commands to perform the same steps. For finding who registered the domain: whois -h whois.wildwestdomains.com certificationking.net (the -h option allows me to hit the right whois server). For the IP part, I prefer to do a traceroute www.certificationking.net directly, which gives me the IP address that I can turn back into whois -h whois.arin.net 64.191.62.185 to find the host.

[Update (March 25, 2004) Sam Spade has disabled several of its services due to technical constraints, so some of the above links may not work.]