Fighting spam on Mac OS X
Today I received another comment spam and, after reporting on this tutorial on how to trace a spammer's address, I decided to write a short tutorial on the same subject, for Mac OS X users.
If you don't know it already, there is a little jewel in the Utilities folder called Network Utility, and it is your friend for finding out all sorts of things about the Internet. Find it and launch it.
My goal is to trace a comment spammer, starting with the notification email I received from MovableType:
From: sunil78@yahoo.com
Date: Mar nov 11, 2003 17:48:52 Europe/Paris
Subject: [padawan.info] New Comment Posted to 'Comment Authentication (4)'
A new comment has been posted on your blog padawan.info, on entry #426
(Comment Authentication (4)).
http://www.padawan.info/weblog/comment_authentication_4.html
IP Address: 203.122.61.30
Name: sunil
Email Address: sunil78@yahoo.com
URL: http://www.certificationking.net/aplus.html
Comments:
congrats
Since this guy already left a similar comment spam in the past to advertise his business site on my weblog, he'll serve as the guinea-pig for this demonstration.
Let's start by finding who's behind the domain certificationking.net. This is the job of the whois tab:
I entered the domain name certificationking.net into the first field and selected whois.networksolutions.com as the whois server using the popup. The image above shows whois.wildwestdomains.com, just to show that you can also use other whois servers than the ones provided by default. This is sometimes necessary when the domain registrar's info is not in one of the listed whois servers. I found out about whois.wildwestdomains.com by first searching through whois.internic.net, which gave me this result:
Domain Name: CERTIFICATIONKING.NET
Registrar: WILD WEST DOMAINS, INC.
Whois Server: whois.wildwestdomains.com
Referral URL: http://www.wildwestdomains.com
Hence the search on whois.wildwestdomains.com. Remember to look for the registrar's whois server (the "Whois Server:" line above) when you cannot find the info from Network Solutions or your favorite whois server.
Now I know that certificationking.net belongs to a certain Sudhir Chaudhry, supposedly living in New Delhi, India, who happens to be also the administrative and technical contact for the domain.
The next step is to find out which IP address is behind the spammer's domain. This is where the Lookup tab comes in handy:
Lookup tells me that this domain resolves to the IP address 64.191.62.185. A search on www.certificationking.net gives the same result. Additionally, I know that the domain name server handling it sits on the domain s3avahost.net.
Let's now try to locate the IP addresses, starting with the one used to post the comment. Back to whois:
Here I had to try the various choices in the popup, which correspond to regional registries, until one gave an answer (here, the IP range sits in the APNIC zone, the Asia Pacific registry). I now know that the spammer used either a company or an ISP named Spectranet Network Devices, based in New Delhi, India (it looks like an ISP). A similar search on 64.191.62.185 leads me to an answer from the ARIN (the American Registry) zone with the following info:
OrgName: Network Operations Center Inc.
OrgID: NOC
Address: PO Box 591
City: Scranton
StateProv: PA
PostalCode: 18501-0591
Country: US
NetRange: 64.191.0.0 - 64.191.127.255
CIDR: 64.191.0.0/17
NetName: HOSTNOC-3BLK
NetHandle: NET-64-191-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.HOSTNOC.NET
NameServer: NS2.HOSTNOC.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-05-31
Updated: 2003-08-08
TechHandle: SMA4-ARIN
TechName: Arcus, S. Matthew
TechPhone: +1-570-343-8551
TechEmail: nic@hostnoc.net
OrgTechHandle: SMA4-ARIN
OrgTechName: Arcus, S. Matthew
OrgTechPhone: +1-570-343-8551
OrgTechEmail: nic@hostnoc.net
The site at http://www.hostnoc.net/ is not particularly wordy. Let's try to get closer by using traceroute. Here I could use the Traceroute tab of Network Utility, but it rarely gives any result, because my ISP blocks traceroute probes upfront. Let's use Sam Spade instead:
Traceroute www.certificationking.net:
www.certificationking.net resolves to 64.191.62.185
Do not contact either Los Nettos (ln.net) or Centergate Research Group (centergate.com) based on the results of this traceroute.
3 130.152.180.21 2.782 ms isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
4 198.172.117.161 7.338 ms ge-9-3.a01.lsanca02.us.ra.verio.net [AS2914] Verio
5 129.250.29.136 9.929 ms xe-1-0-0-4.r21.lsanca01.us.bb.verio.net [AS2914] Verio
6 129.250.2.187 12.243 ms p16-1-1-0.r21.snjsca04.us.bb.verio.net [AS2914] Verio
7 129.250.5.2 14.679 ms p64-0-0-0.r20.mlpsca01.us.bb.verio.net [AS2914] Verio
8 129.250.5.113 87.057 ms p16-5-0-0.r00.nwrknj01.us.bb.verio.net [AS2914] Verio
9 129.250.4.22 82.915 ms p16-3-0-0.r01.nwrknj01.us.bb.verio.net [AS2914] Verio
10 129.250.16.121 79.390 ms p4-0-1.a03.phlapa01.us.ra.verio.net [AS2914] Verio
11 129.250.116.197 79.425 ms fa-1-0.a05.phlapa01.us.ra.verio.net (Fake rDNS) [AS2914] Verio
12 129.250.116.213 79.358 ms ge-1-2.a01.phlapa04.us.ra.verio.net (Fake rDNS) [AS2914] Verio
13 130.94.0.166 80.171 ms ge-1-2.a01.phlapa04.us.ce.verio.net (DNS error) [AS2914] Verio
14 66.197.191.45 85.504 ms DNS error
15 64.191.62.185 83.820 ms DNS error [AS21788] Unknown
Using Sam Spade's blackhole list check, I found that the last two IPs are listed as belonging to the spam-friendly hostnoc.net (a name we've seen before), as reported by FIVENET:
IP address 64.191.62.185 is listed here as hostnoc.net spam-support. Please note that the following comments apply to hostnoc.net since 64.191.62.185 seems to be owned or controlled by them.
This does NOT mean that we ever received spam from 64.191.62.185. It just means that the upstream owner of that address block (which seems to be hostnoc.net) is listed here for spam support. That upstream needs to resolve the below issues.
"added 2002-10-30; spam support - hosting azoogle"
"added 2002-12-25; spam support - moving azoogle to avoid blocks"
"added 2003-04-26; spam support - hosting eserve02.com on 66.197.173.0/24"
This is not good, as hostnoc.net, of course, does not publish any information, starting with an anti-spam policy and an abuse email address (not particularly astonishing from a spam-friendly host). A Google Groups search for hostnoc.net in news.admin.net-abuse.* returns 1,180 results, which gives me little hope that writing to abuse@hostnoc.net will yield any positive result. But, just for the sake of showing how hard it is to hide yourself on the Internet, I performed a reverse link search with link:hostnoc.net on Google, which led me to this page where, bingo, is abuse@hostnoc.net (a simpler request to the ARIN whois would have given me the same result).
At this point, I have banned the whole Spectranet range (203.122.60.0 to 203.122.61.255) from commenting on my weblog. Had I found more encouraging information about the host (like an anti-spam policy), I would have emailed their abuse mailbox with a copy of the comment spam to get the site removed. I have written to abuse@Spectranet.com though.
There you are, I hope this gave you some useful information about the Network Utility in Mac OS X. For those who prefer the Terminal, here are the commands to perform the same steps. For finding who registered the domain: whois -h whois.wildwestdomains.com certificationking.net (the -h option lets me hit the right whois server). For the IP part, I prefer to do a traceroute www.certificationking.net directly, which gives me the IP address that I can turn back into whois -h whois.arin.net 64.191.62.185 to find the host.
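As an added example (my own script, not part of the original post or of Network Utility), here is a small Python program that does the bookkeeping side of the procedure above offline: it pulls the poster's IP out of the MovableType notification, reads the NetRange/CIDR lines of an ARIN answer, and turns a range like the Spectranet one into the CIDR block a comment ban list needs. The notification and whois text are constructed from the listings quoted in the post.

```python
import ipaddress

# Constructed sample: the MovableType notification quoted in the post.
NOTIFICATION = """From: sunil78@yahoo.com
IP Address: 203.122.61.30
Email Address: sunil78@yahoo.com
URL: http://www.certificationking.net/aplus.html
"""
# Constructed sample: the relevant lines of the ARIN answer for the host IP.
ARIN_RECORD = """OrgName: Network Operations Center Inc.
NetRange: 64.191.0.0 - 64.191.127.255
CIDR: 64.191.0.0/17
OrgTechEmail: nic@hostnoc.net
"""

def kv_fields(text):
    """Parse 'Key: value' lines; both the MT email and whois answers use that layout.
    A repeated key (e.g. several NameServer lines) keeps only its last value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def range_to_cidrs(first, last):
    """Collapse a 'first - last' range into the CIDR blocks a ban list wants."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]

def whois_networks(record):
    """Networks a RIR whois answer covers: its CIDR line, else its NetRange line."""
    f = kv_fields(record)
    if "CIDR" in f:
        return [c.strip() for c in f["CIDR"].split(",")]
    if "NetRange" in f:
        return range_to_cidrs(*[p.strip() for p in f["NetRange"].split("-")])
    return []

def ip_in_ranges(ip, cidrs):
    """True if the address falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

if __name__ == "__main__":
    banned = range_to_cidrs("203.122.60.0", "203.122.61.255")  # the Spectranet range
    poster = kv_fields(NOTIFICATION)["IP Address"]
    print(poster, "banned:", ip_in_ranges(poster, banned))
    print("host block:", whois_networks(ARIN_RECORD))
```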
[Update (March 25, 2004) Sam Spade has disabled several of its services due to technical constraints, so some of the above links may not work.]