The following URL's show up in unending attempts to post comment spam to the blog:
All of the above translate to IP address 126.96.36.199
A WHOIS lookup of 188.8.131.52 results in:
A WHOIS lookup of future-2000.net results in:
A WHOIS lookup of ronnieazza.com results in:
As both registrants are in the middle of Manhattan Island at addresses that do not correspond to any mailing address known to Google or Yahoo, I'm willing to bet that they're fake. Let's take a look at the mailing addresses for the technical and administrative contacts.
A WHOIS lookup for support-2000.net returns:
Ah, it's that nice Registrar in France: Gandi. How about the other? A WHOIS lookup for support-24x7.biz returns:
Yep, the nice Registrar again. Let's look at mail servers...
The mail server for future-2000.net is:
Hmm... Doesn't exist. If we ask ns0.future-2000.net we get:
So it doesn't exist. An "A" query for future-2000.net (just in case it's an explicit name rather than a MX) yields the similar results. Actually, any query to ns0.future-2000.net returns only pointers to the root servers. This might be valuable later in complaining about the domain.
Also, please note that the root servers indicate that the domain is served by ns0.future-2000.net and that it is at 184.108.40.206. This most definitely is valuable when we look at server headers below.
The mail server for support-24x7.biz is:
Let's see if we can grab web server headers:
This could be the standard redir that some of the registrar's have started doing. (Yeah, even Network Solutions uses this unethical practice.)
Ah! Not a redirect! Grabbing www.future-2000.net returns a page that looks like:
This former info is currently under investigation - Due to mis-proper use of the hosting account
In the above, I disabled the following two lines:
<form name=frm method='post' action='
http://220.127.116.11/submitAbuse.php' onsubmit='return checkSubmit()'>
Somehow, I'm still not convinced. Let's take a look at that IP address. A reverse lookup of 18.104.22.168 returns:
A Google lookup on "shetef.com" leads to a slew of bloggers who've gotten this far and have complained about a spammer and are looking for someone to pound.
A WHOIS lookup on the 22.214.171.124 returns:
Just to play it safe, let's look at WebStream also. A WHOIS returns:
A DNS MX lookup on shetef.com returns:
The mail server for shetef.com is in yet another IP range? A WHOIS lookup on 126.96.36.199 returns:
A DNS reverse lookup on 188.8.131.52 returns:
Remember the WHOIS lookup for future-2000.net? It had the following DNS servers:
A WHOIS lookup on dns2005.net returns:
Again, Gandi.net. Also note the IP addresses for the DNS servers: 184.108.40.206. We've seen that one. It's our friend shetef.com again!
How about the DNS servers for ronnieazza.com? A WHOIS lookup on manage-dns.net returns:
Again, the Gandi registrar and the shetef.com DNS server. How about MX records for those two?
A DNS MX lookup on dns2005.net returns:
A familiar failure. A DNS MX lookup on manage-dns.net returns:
So MX records for manage-dns.net aren't configured. Remember that the WHOIS lookup for manage-dns.net points back to 220.127.116.11. Let's take a closer look at that IP. Remember the reverse lookup on 18.104.22.168 returned:
and that the MX record for shetef.com returned:
Connecting to port 25 on the mail server returns:
Pointing a browser at http://shetef.com () indicates that shetef.com is an Israeli software seller with the following info:
Grabbing the server headers for shetef.com returns:
The domain websitewelcome.com is registered via Enom, Inc. who does not give out their customer's domain info.
Grabbing the web server headers for http://escape.webserverwelcome.com returns:
Pointing a browser at http://escape.websitewelcom.com brings up the standard cPanel default page. So does pointing the browser at the IP address.
Performing a Google lookup on websitewelcome.com reveals that that domain appears to be a reseller client of hostgator.com. Suspiciously, it appears to be their only reseller client. One of HostGator's features is that reseller clients are allowed to host unlimited sites.
Pointing a browser at http://www.websitewelcome.com returns a directory listing.
Going back to shetef.com, a Google search reveals that CodyTheFreak is quite unhappy with shetef.com. He also points out a few extra domains. It appears that CodyTheFreak and I are the only ones that have traced the spammer back that far and have complained about it. All other Google entries appear to be spam for the shareware/software available on shetef's site.
I've probably missed a bunch of stuff associated with this spammer, but as I've spent the better part of a Saturday afternoon working on this, I'm going to drop it here.