[lug] MX record lookups

rm at fabula.de rm at fabula.de
Wed Feb 27 04:55:28 MST 2002


On Tue, Feb 26, 2002 at 02:55:06PM -0700, D. Stimits wrote:
> "Riggs, Rob" wrote:
> > 
> > If it doesn't have a "whois" entry, it doesn't have an MX... It sounds like
> > they are spoofing hostnames or using bogus reverse lookup data. Your best
> > bet in that case is to lookup who owns the IP block and go at it from that
> > end. "whois xxx.xxx.xxx.xxx at whois.arin.net" (or whois.apnic.net,
> > whois.ripe.net) should do the trick.
> 
> Quite possible, though not via spoofing (forged email headers). The real
> address seems to be 211.206.215.136. I'm trying to become a bit more
> fluent in the means of verifying headers and tracing real sources of
> forged headers. I know the 211.206.215.136 is correct, the origio.net
> address is the return address, which apparently does not exist. 

In all likelihood, spoofed! It's up to the owner of the address block to
provide the correct host/domain for a given IP address -- if your spammer 
owns a whole block he might easily give you false reverse lookup results
to distract you.

When I really need to know who 'owns' an IP address I usually do a 'traceroute'
to the address and a reverse lookup of all the addresses that show up, in
reverse order. At some point you most likely find a local or national provider.
That's the one to contact :-)
In the given case the last IP that traceroute can resolve is:

 ...
  9  208.185.161.164.hanaro.com (208.185.161.164) 
 10  210.180.97.173

a 'dig -x' on the first unresolved yields:

 ...

 97.180.210.in-addr.arpa.  54m57s IN SOA  ns.hanarotel.net. master.ns.hanarotel.net. (
 ...

So here's your administrative contact (master at ns.hanarotel.net). Their website (www.hanaro.com)
does look like an ISP website (sorry, my Korean is a bit rusty ;-)

  
  Ralf


> I do
> know that a series of these spams are advertising Korean sites and have
> .kr domains, plus a few others in asia.
> 
> D. Stimits, stimits at idcomm.com
> 
> > 
> > -Rob
> > 
> > -----Original Message-----
> > From: D. Stimits [mailto:stimits at idcomm.com]
> > Sent: Tuesday, February 26, 2002 2:25 PM
> > To: BLUG
> > Subject: [lug] MX record lookups
> > 
> > What would be the proper way to find out who owns a domain name (in this
> > case origio.net) or who the registrar is for that domain, if it is only
> > an MX record and normal nslookup or whois does not know anything about
> > it? Similar for ip addresses that are in email headers but which have no
> > reverse lookup...what is a good way to find out who they are?
> > 
> > D. Stimits, stimits at idcomm.com
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

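Ralf's procedure (traceroute, reverse lookups on the hops, then dig -x on the first unresolved hop and reading the SOA RNAME as the contact mailbox), as an added Python example that is not part of this thread. The traceroute and dig output it parses is constructed here, modelled on the lines quoted above, and the RNAME-to-mailbox step follows the RFC 1035 mailbox encoding (first unescaped dot becomes @).

```python
import re

# Constructed traceroute output, modelled on the hops quoted in the mail:
# hop 9 has a reverse name, hop 10 does not, hop 11 times out.
TRACEROUTE_OUTPUT = """\
 9  208.185.161.164.hanaro.com (208.185.161.164)  201 ms  200 ms  203 ms
10  210.180.97.173 (210.180.97.173)  220 ms  219 ms  222 ms
11  * * *
"""

# Constructed 'dig -x 210.180.97.173' authority section, modelled on the SOA
# quoted in the mail (the serial and timer values are made up).
DIG_OUTPUT = """\
;; AUTHORITY SECTION:
97.180.210.in-addr.arpa. 3297 IN SOA ns.hanarotel.net. master.ns.hanarotel.net. 2002022601 3600 900 604800 3600
"""

HOP_RE = re.compile(r"^\s*\d+\s+(\S+)")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def first_unresolved_hop(traceroute_output):
    """IP of the first hop whose hostname slot is a bare IP literal (no PTR),
    whether printed as '10.0.0.1' or as '10.0.0.1 (10.0.0.1)'; None if all resolve."""
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if m and IP_RE.match(m.group(1)):
            return m.group(1)
    return None

def rname_to_mailbox(rname):
    """SOA RNAME (RFC 1035 mailbox form) -> user@domain. The first unescaped '.'
    becomes '@'; a backslash-escaped dot in the local part is a literal dot."""
    local, i = [], 0
    while i < len(rname):
        if rname[i] == "\\" and i + 1 < len(rname):  # escaped char, keep it literally
            local.append(rname[i + 1])
            i += 2
        elif rname[i] == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        else:
            local.append(rname[i])
            i += 1
    return None  # no unescaped dot: not a valid mailbox form

def soa_contact(dig_output):
    """Find the SOA record in dig output and return its RNAME as a mailbox."""
    m = re.search(r"\sIN\s+SOA\s+(\S+)\s+(\S+)", dig_output)
    return rname_to_mailbox(m.group(2)) if m else None
```

Running `first_unresolved_hop(TRACEROUTE_OUTPUT)` gives the hop to feed to dig -x, and `soa_contact(DIG_OUTPUT)` turns the SOA's RNAME into the address to write to.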