99 Comments

  1. As of April 26, 2007, the following is the DNS data for “broadcastemailingagency.com”

    (Here’s the command I used, you can do this yourself now.)
    nslookup -type=any broadcastemailingagency.com ns1.dns.com.cn

    Server: ns5.dns.com.cn
    Address: 218.30.114.205

    broadcastemailingagency.com
    primary name server = ns2.dns.com.cn
    responsible mail addr = root.ns2.dns.com.cn
    serial = 2007042322
    refresh = 3600 (1 hour)
    retry = 3600 (1 hour)
    expire = 68400 (19 hours)
    default TTL = 180 (3 mins)
    broadcastemailingagency.com nameserver = ns1.dns.com.cn
    broadcastemailingagency.com nameserver = ns2.dns.com.cn
    ns1.dns.com.cn internet address = 218.30.114.204
    ns1.dns.com.cn internet address = 218.30.114.205
    ns2.dns.com.cn internet address = 218.244.47.6
    ns2.dns.com.cn internet address = 218.244.47.5

  2. Don’t know how to read the DNS data? It’s simple when you know how. So here’s how.

    serial = 2007042322

    The serial number is used by a secondary server to determine if it requires a zone transfer from the primary server. If the secondary server’s number is lower, then the secondary server knows that its records are out of date. In this example, the convention used can identify when the last change was made, but other administrators may use different conventions. The first 8 digits denote YYYYMMDD. The other two numbers are the number of changes made by day or as a whole (Albitz & Liu, 89).

    refresh = 3600 (1 hour)
    retry = 3600 (1 hour)
    expire = 68400 (19 hours)
    default TTL = 180 (3 mins)

    Refresh, retry and expire intervals deal directly with the primary-secondary server relationship. The TTL interval deals with the cached records on other servers. In this case, other servers are told to keep this data for 3 minutes and then flush it. 3 hours is the normal default.

    The refresh interval tells a slave for the zone how often to check that the data for this zone is up to date. In this case, slaves must check every hour.

    The retry interval tells a slave how often it must try to reach the master server, if the master server becomes unavailable. In this case a slave will try to reach the master every hour.

    The expire interval gives the amount of time that a slave server will try to reach a master server before it expires the zone and will no longer give information about that zone. The amount of time in this record is 19 hours.

    So, anyone who wanted to write a script to check when the above data changes should query the dns server no less than every 19 hours, and no more than every 3 minutes – although personally I would not do it more than once an hour, unless it is determined by testing that the data changes more frequently.

  3. If someone does get a script going I’ll host the file for us all to d/l. Im assuming that all the interaction it would require would be to ask for the host name being searched for. Then just display the results, perhaps w/a time/date stamp also, to be able to copy/paste the whole thing in the email as more evidence.

  4. Who wants to find robert with me and give him an american style beat down?

  5. Just show that not matter how many people are affected there’s nothing we can do.

  6. ANT Says:
    April 30th, 2007 at 9:25 am
    Just show that not matter how many people are affected there’s nothing we can do.

    But we are doing something about it ANT. Read above 1st.

  7. If someone does get a script going I’ll host the file for us all to d/l. Im assuming that all the interaction it would require would be to ask for the host name being searched for. Then just display the results, perhaps w/a time/date stamp also, to be able to copy/paste the whole thing in the email as more evidence.

    Actually, I was thinking more along the lines of a seperate file containing a list of domains to be checked, rather than having to type in each one. The script would read the list, checking each domain for changes. The ideal way to do it would be to setup a mySQL database to maintain the domains prior information to compare against for changes – in particular, changes to the DNS nameservers.

    There needs to be a mechanism that figures out who the registrar is, and then automatically email the registrar a complaint.

    That way, the whole thing is automatic. Let cron fire it up once a day, and forget about it. I say once a day, because you don’t want to have it email the registar more than once a day. Even once a day may be too often if you want to stay on the registar’s good side.

  8. By the way… I started out talking about “whois” and gravitated towards “nslookup”. What I should of noticed earlier, is that the whois data doesn’t necessarily match the nslookup data.

    Because whois data is more of a convenience rather than something required (from a technical standpoint), that data can be ignored, other than to figure out who you’re supposed to complain to.

    What actually matters, is what the DNS records show, because that’s the only way things will actually work right. If you want people to be able to access your website, and/or send you email – DNS must be correct. Therefore, the only thing that matters is what nslookup tells us.

    With that said, if you lookup any of the spammer domains in the posts above, you’ll notice ALL of them are using dns.com.cn as their name servers.

    Therefore, all letter writing campaigns should be directed to them, at this time. Should the name server information change, then the new host of those DNS records should be the target of your POLITE & RESPECTFUL complaint as outlined in previous posts above.

  9. In the event that BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. doing business as DNS.COM.CN
    is non-cooperative (and please, please give them a chance to cooperate) then yet another avenue to pursue is http://gsyj.saic.gov.cn/wcm/WCMData/pub/saic/english/Contact%20Us/t20060225_14607.htm

    which is The State Administration for Industry & Commerce (SAIC) of the People‚Äôs Republic of China. They are the competent authority directly under the State Council in charge of market supervision/regulation and related law enforcement through administrative means. Its functions are as follows: (go to the website, look under “About Us” and then click on “mission” to see it’s long list of functions.

    I would add this agency’s name to my complaint letter when writing to dns.com.cn

    Again – it’s always better to show the bottom dog that you know who the top dog to contact is, and threaten to contact them. In the event you actually have to go to the top dog, you have a WORSE chance of getting what you want done, because if the top dog says “we don’t care”, that’s it you’re done. There is no place else to go. So it’s better to make the bottom dog FEAR that you’ll go to the top dog, without actually doing it. Let the bottom dog fix the problem.

  10. **** ROKSO Spammer Robert Soloway Arrested ****

    Robert Soloway, one of the most persistent professional spammers listed since 2003 on Spamhaus’s Register Of Known Spam Operations (ROKSO) database, has been arrested in Seattle Washington in a joint operation conducted by the Washington State Attorney General’s Office, the FBI, FTC, Internal Revenue Service Criminal Investigations (IRS-CI) and the United States Postal Inspection Service (USPIS).
    more:-
    http://www.spamhaus.org/news.lasso?article=611
    &
    http://groups.google.co.uk/group/news.admin.net-abuse.email/browse_frm/thread/d25c6d58e900d8ed/3a97ef62e533128b?hl=en#3a97ef62e533128b

  11. !!! Y E S !!!

    A very good message for the world

    Thanks to all people who made the arrest possible

  12. I am receiving up to 3000 bounce-back spoofed messages a day from someone spoofing e-mail spam from my domain. Every website they are advertising is registered to Beijing Innovative Linkage Technology.

    This has GOT to stop.

  13. me too. I used to get hundreds per day, then they stopped for awhile. They started again the day after Soloway was arrested, but then stopped again a week ago or so. I think these losers just rotates the ‘from’ addresses they spoof and they’re taking a break from using my email address right now. I’m sure I’ll be getting hundreds a day again soon enough.

  14. i received a scam email from email address “info@microsoft.co.uk” Sounds legit doesnt it?
    Promising money won (large amount), so WHAT do i do now to stop them, they have the right header for the email, but i was alerted by the ‘not quite right’ sentences and grammar. Can someone please help me?
    Thankyou.
    Jeff.
    P.S. Can’t find a direct email address to microsoft to alert them of this new scam using their name (and Bill Gates!)

  15. Jeff: It’s extremely simple to make the FROM e-mail address be anything the spammer wants. What you have to do is go inside the header details and look at the originating IP address for the e-mail and see if it is a Microsoft IP address or not (I can tell you, it’s not.) You can use spamcop.net to process the entire header and tell you all sorts of things about the e-mail.

    http://spamcop.net/fom-serve/cache/22.html

  16. Robert Alan Soloway is reaponsible for all of this spam.

    He was arrested, pled guilty and will be going to jail for decades.

    Google his name and read all about him.

If you have a comment or question, please post it here!