Today I received another spam comment and, after reporting on this tutorial on how to trace a spammer's address, I decided to write a short tutorial on the same subject for Mac OS X users.
If you don't know it already, there is a little jewel in the Utilities folder called Network Utility, and it is your friend for finding out more about all sorts of Internet things. Find it and launch it.
My goal is to trace a comment spammer, starting with the notification email I received from MovableType:
Date: Mar nov 11, 2003 17:48:52 Europe/Paris
Subject: [padawan.info] New Comment Posted to 'Comment Authentication (4)'
A new comment has been posted on your blog padawan.info, on entry #426
(Comment Authentication (4)).
IP Address: 188.8.131.52
Email Address: firstname.lastname@example.org
Since this guy has already left a similar spam comment in the past to advertise his business site on my weblog, he'll serve as the guinea pig for this demonstration.
Let's start by finding who's behind the domain certificationking.net. This is the job of the whois tab:
I entered the domain name certificationking.net into the first field and selected whois.networksolutions.com as the whois server from the popup. The image above shows whois.wildwestdomains.com instead, just to show that you can also use whois servers other than the ones provided by default. This is sometimes necessary when the domain registrar's info is not held by one of the listed whois servers. I found out about whois.wildwestdomains.com by first searching through whois.internic.net, which gave me this result:
Domain Name: CERTIFICATIONKING.NET
Registrar: WILD WEST DOMAINS, INC.
Whois Server: whois.wildwestdomains.com
Referral URL: http://www.wildwestdomains.com
Hence the search on whois.wildwestdomains.com. Remember to look for the referral whois server when you cannot find the info at Network Solutions or your favorite whois server.
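The referral chain just described (registry reply names a registrar whois server, which is then queried in turn), as an added example that is not code from the original post. `whois_query` is the only part that touches the network (raw whois over TCP port 43); `follow_whois` accepts any query callable, so the chain can be exercised offline with constructed replies. Current Verisign output labels the referral `Registrar WHOIS Server:` rather than `Whois Server:`, so both keys are accepted.

```python
import socket

def whois_query(server, name, timeout=10):
    """Raw whois (RFC 3912): send the name to the server on TCP/43 and read the reply."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def referral_server(response):
    """Return the registrar whois server named in a registry reply, or None.
    Older replies say 'Whois Server:', current Verisign output says
    'Registrar WHOIS Server:'; both are accepted, case-insensitively."""
    for line in response.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("whois server", "registrar whois server"):
            value = value.strip().lower()
            if value:
                return value
    return None

def follow_whois(name, start="whois.internic.net", query=whois_query, max_hops=4):
    """Query `start`, then follow referrals until a reply carries none.
    Returns [(server, reply), ...] in the order the servers were asked.
    A server is never asked twice and the chain is capped at max_hops, so a
    reply that refers back to itself cannot loop. `query` is injectable so the
    logic can be tested with canned replies instead of live servers."""
    trail, server, seen = [], start, set()
    while server and server not in seen and len(trail) < max_hops:
        seen.add(server)
        reply = query(server, name)
        trail.append((server, reply))
        server = referral_server(reply)
    return trail
```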
Now I know that certificationking.net belongs to a certain Sudhir Chaudhry, supposedly living in New Delhi, India, who also happens to be the administrative and technical contact for the domain.
The next step is to find out which IP address is behind the spammer's domain. This is where the Lookup tab comes in handy:
Lookup tells me that this domain resolves to the IP address 184.108.40.206. A search on www.certificationking.net gives the same result. Additionally, I know that the domain name server handling it sits on the domain
Let's try to locate the IP addresses, starting with the one used to post the comment. Back to whois:
Here I had to try the various choices, which correspond to regional registries, until I got an answer (here, the IP range sits in the APNIC zone, which covers Asia Pacific). I know that the spammer used either a company or an ISP named Spectranet Network Devices, based in New Delhi, India (it looks like an ISP). A similar search on 220.127.116.11 leads me to an answer from the ARIN (the American Registry) zone with the following info:
OrgName: Network Operations Center Inc.
Address: PO Box 591
NetRange: 18.104.22.168 - 22.214.171.124
NetType: Direct Allocation
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
TechName: Arcus, S. Matthew
OrgTechName: Arcus, S. Matthew
The site at http://www.hostnoc.net/ is not particularly wordy. Let's try to get closer by using traceroute. Here I could use the Traceroute tab in Network Utility, but it rarely gives any result, because my ISP blocks traceroute upfront. Let's use Sam Spade instead:
www.certificationking.net resolves to 126.96.36.199
Do not contact either Los Nettos (ln.net) or Centergate Research Group (centergate.com) based on the results of this traceroute.
3 188.8.131.52 2.782 ms isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
4 184.108.40.206 7.338 ms ge-9-3.a01.lsanca02.us.ra.verio.net [AS2914] Verio
5 220.127.116.11 9.929 ms xe-1-0-0-4.r21.lsanca01.us.bb.verio.net [AS2914] Verio
6 18.104.22.168 12.243 ms p16-1-1-0.r21.snjsca04.us.bb.verio.net [AS2914] Verio
7 22.214.171.124 14.679 ms p64-0-0-0.r20.mlpsca01.us.bb.verio.net [AS2914] Verio
8 126.96.36.199 87.057 ms p16-5-0-0.r00.nwrknj01.us.bb.verio.net [AS2914] Verio
9 188.8.131.52 82.915 ms p16-3-0-0.r01.nwrknj01.us.bb.verio.net [AS2914] Verio
10 184.108.40.206 79.390 ms p4-0-1.a03.phlapa01.us.ra.verio.net [AS2914] Verio
11 220.127.116.11 79.425 ms fa-1-0.a05.phlapa01.us.ra.verio.net (Fake rDNS) [AS2914] Verio
12 18.104.22.168 79.358 ms ge-1-2.a01.phlapa04.us.ra.verio.net (Fake rDNS) [AS2914] Verio
13 22.214.171.124 80.171 ms ge-1-2.a01.phlapa04.us.ce.verio.net (DNS error) [AS2914] Verio
14 126.96.36.199 85.504 ms DNS error
15 188.8.131.52 83.820 ms DNS error [AS21788] Unknown
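Reading a Sam Spade traceroute the way the post does, as an added example (not code from the original post or from Sam Spade): the listing above is embedded as sample input, each hop is parsed into its IP, RTT, reverse-DNS name, Sam Spade's annotation and ASN, and two questions are answered from it: which ASNs actually carried the packets, and which hops' reverse DNS cannot be trusted. The `(Fake rDNS)` and `DNS error` annotations are the practical caveat: PTR records are set by whoever controls the address space, so attribution should rest on the ASN and the RIR whois, not on the hostname.

```python
import re

# The hop listing from the post, one hop per line (re-flowed from Sam Spade's output).
TRACE = """\
3 188.8.131.52 2.782 ms isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
4 184.108.40.206 7.338 ms ge-9-3.a01.lsanca02.us.ra.verio.net [AS2914] Verio
5 220.127.116.11 9.929 ms xe-1-0-0-4.r21.lsanca01.us.bb.verio.net [AS2914] Verio
6 18.104.22.168 12.243 ms p16-1-1-0.r21.snjsca04.us.bb.verio.net [AS2914] Verio
7 22.214.171.124 14.679 ms p64-0-0-0.r20.mlpsca01.us.bb.verio.net [AS2914] Verio
8 126.96.36.199 87.057 ms p16-5-0-0.r00.nwrknj01.us.bb.verio.net [AS2914] Verio
9 188.8.131.52 82.915 ms p16-3-0-0.r01.nwrknj01.us.bb.verio.net [AS2914] Verio
10 184.108.40.206 79.390 ms p4-0-1.a03.phlapa01.us.ra.verio.net [AS2914] Verio
11 220.127.116.11 79.425 ms fa-1-0.a05.phlapa01.us.ra.verio.net (Fake rDNS) [AS2914] Verio
12 18.104.22.168 79.358 ms ge-1-2.a01.phlapa04.us.ra.verio.net (Fake rDNS) [AS2914] Verio
13 22.214.171.124 80.171 ms ge-1-2.a01.phlapa04.us.ce.verio.net (DNS error) [AS2914] Verio
14 126.96.36.199 85.504 ms DNS error
15 188.8.131.52 83.820 ms DNS error [AS21788] Unknown
"""

HOP_RE = re.compile(
    r"^(?P<hop>\d+)\s+(?P<ip>\d+(?:\.\d+){3})\s+(?P<rtt>[\d.]+)\s+ms"
    r"(?:\s+(?P<host>[\w-]+(?:\.[\w-]+)+))?"   # reverse-DNS name, absent on 'DNS error' hops
    r"(?:\s+\((?P<note>[^)]+)\))?"             # Sam Spade's annotation, e.g. (Fake rDNS)
    r"(?:\s+DNS error)?"                       # bare 'DNS error' when there is no name at all
    r"(?:\s+\[(?P<asn>AS\d+)\]\s+(?P<owner>.+))?\s*$")

def parse_hops(text):
    """Turn the listing into dicts; lines that do not look like hops are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["hop"], d["rtt"] = int(d["hop"]), float(d["rtt"])
            hops.append(d)
    return hops

def asn_path(hops):
    """Distinct ASNs in path order: who carried the packets, whatever rDNS claims."""
    path = []
    for h in hops:
        if h["asn"] and (not path or path[-1] != h["asn"]):
            path.append(h["asn"])
    return path

def unreliable_rdns(hops):
    """Hop numbers whose reverse DNS is flagged or missing; rely on the ASN for those."""
    return [h["hop"] for h in hops if h["note"] or h["host"] is None]
```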
Using Sam Spade's blackhole list check, I found that the last two IPs are known to belong to the spam-friendly hostnoc.net (a name we've seen before), as reported by FIVENET:
IP address 184.108.40.206 is listed here as hostnoc.net spam-support. Please note that the following comments apply to hostnoc.net since 220.127.116.11 seems to be owned or controlled by them.
This does NOT mean that we ever received spam from 18.104.22.168. It just means that the upstream owner of that address block (which seems to be hostnoc.net) is listed here for spam support. That upstream needs to resolve the below issues.
"added 2002-10-30; spam support - hosting azoogle"
"added 2002-12-25; spam support - moving azoogle to avoid blocks"
"added 2003-04-26; spam support - hosting eserve02.com on 22.214.171.124/24"
This is not good: hostnoc.net, of course, publishes no information, starting with an anti-spam policy and an abuse email address (not particularly astonishing for a spam-friendly host). A Google Groups search for hostnoc.net in news.admin.net-abuse.* returns 1,180 results, which gives me little hope that writing to email@example.com will yield any positive result. But, just for the sake of showing how hard it is to hide yourself on the Internet, I performed a reverse link search with link:hostnoc.net on Google, which led me to this page where, bingo, is firstname.lastname@example.org (a simpler request to the ARIN whois would have given me the same result).
At this point, I have banned the whole Spectranet range (126.96.36.199 to 188.8.131.52) from commenting on my weblog. Had I found more encouraging information about the host (like an anti-spam policy), I would have emailed their abuse mailbox with a copy of the spam comment to get the site removed. I have written to abuse@Spectranet.com though.
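Turning an RIR whois answer into a comment ban, as an added example (not code from the original post). The reply is a constructed ARIN-style sample with RFC 5737 documentation addresses, not the real Spectranet allocation; the `NetRange: first - last` line is parsed, the range is reduced to the smallest set of CIDR blocks (a whois range is rarely one prefix), an address is checked against them, and Apache 2.2 `Deny from` lines are produced for the web server's access rules.

```python
import ipaddress

# Constructed ARIN-style reply (sample values, not the allocation named in the post).
ARIN_REPLY = """\
OrgName: Example Access Provider
NetRange: 203.0.113.16 - 203.0.113.95
NetType: Direct Allocation
"""

def net_range(whois_text):
    """Pull the 'NetRange: first - last' pair out of an RIR whois reply, or None."""
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "NetRange":
            first, _, last = value.partition("-")
            return ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())
    return None

def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks covering first..last, which is what a ban list
    or firewall rule needs; 203.0.113.16-95 becomes a /28 and two /27s."""
    return list(ipaddress.summarize_address_range(first, last))

def is_banned(ip, cidrs):
    """True when the address falls inside any of the banned blocks."""
    return any(ipaddress.ip_address(ip) in net for net in cidrs)

def apache_deny_lines(cidrs):
    """Apache 2.2 mod_authz_host syntax. A whole allocation also covers the ISP's
    other customers, so banning it trades some collateral blocking for quiet."""
    return ["Deny from %s" % net for net in cidrs]
```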
There you are; I hope this gave you some useful information about the Network Utility in Mac OS X. For those who prefer the Terminal, here are the commands that perform the same steps. To find who registered the domain: whois -h whois.wildwestdomains.com certificationking.net (the -h option lets me hit the right whois server). For the IP part, I prefer to run traceroute www.certificationking.net directly, which gives me the IP address that I can then feed to whois -h whois.arin.net 184.108.40.206 to find the host.
[Update (March 25, 2004) Sam Spade has disabled several of its services due to technical constraints, so some of the above links may not work.]