September 18, 2009
Now this is just silly (WHOIS FAIL)
So, today I was trying to research a domain I had added a pattern for (one of its hosts was reportedly sending spam to traps, it was generically named, and so into EL's pats database it goes). The domain? krawarkon.pl. The host itself had no tokens or indication of what it might be, as is often the case.
host-217-98-88-181.krawarkon.pl [217.98.88.181]
OK, I know from cruel experience that Polish WHOIS service (via the whois protocol) is useless, generally only giving created on dates, a contact handle and some information about how to contact the registrar by postal mail or phone. And sure enough, I was right.
$ whois krawarkon.pl
DOMAIN: krawarkon.pl
registrant's handle: nta90646 (CORPORATE)
nameservers: dns.tkb.pl. [212.33.84.2]
dns2.tkb.pl. [89.161.65.227]
created: 2006.03.31 17:15:35
last modified: 2009.03.12 11:37:07
no option
REGISTRAR: NetArt
Zabawa 118
32-020 Wieliczka
Polska/Poland
+48.801 33 22 33
+48.12 297 88 10
+48.12 297 88 08
biuro@nazwa.pl
OK, so now I know the domain is registered. Woo-hoo! If I wanted to call Poland, or drop them a postcard to ask what sort of company has the domain krawarkon.pl, I'd be all set. Or I could bug the admin contact via email, if s/he spoke English or I translated a question into Polish. Well, sometimes their Web-based WHOIS service is better (though not usually; often enough you go through the painful process of guessing whether the CAPTCHA they use is going to be case-sensitive, only to find that a lookup of foo.pl returns the useful information that it belongs to "FOO Sp. z o.o."). So, I gave that a try, and lo! With the CAPTCHA entered correctly, I got back the following:
REGISTRANT:
company: PPUH "KRAWARKON" Spółka z o.o.
street: Burgaska / Warszawa 2-4
city: 02-758 Warszawa
location: pl
last modified: 2006.03.31
Well, that's more than I had. Now I know they are a Polish company, in Warsaw, that their full name is PPUH "KRAWARKON" Spółka z o.o. ("Sp. z o.o." being roughly translated as "Polish Limited Liability Corporation"), and that they're only three or so years old. Well, that doesn't give me an indication of what
inetnum: 217.98.88.0 - 217.98.88.255
netname: KRAWARKON
descr: PPH Krawarkon Sp. z o.o.
descr: ul. Burgaska 2/4
descr: 02-758 Warszawa
country: PL
admin-c: MW1321-RIPE
tech-c: PB4904-RIPE
status: ASSIGNED PA
mnt-by: TPNET
source: RIPE # Filtered
Same information, more or less, if slightly abbreviated. No comments or remarks to the effect that you'd be able to tell what sort of service they have. It's only a /24, which suggests a small company or one of several blocks assigned to a larger one; a quick query to whois.ripe.net for "Krawarkon" later, and I know they have several netblocks, nine /24s to be exact, so I figure it's a pretty small company, but it's probably not simply corporate if it has nine /24s for two locations. OK, so now I know it's probably an ISP of some kind. (It's probably not a telephone company, because there aren't that many in Poland, per this Wikipedia article, and what few there are tend to have "tel" or "evdo" or "gsm" in their names, TPNET and Netia notwithstanding).
By now, I'm getting annoyed, though honestly I shouldn't complain much - at least the WHOIS records contained the company name (they often don't in some other countries, like Russia), and the name wasn't immediately followed by the name of some engineer or other (which confused me for the first couple of years I did this). But all I really wanted to know was this: is the host dynamically assigned, and what sort of service is it providing?
As a last resort, I finally go to the Web site, and learn immediately from the title of the home page that we're dealing with a triple-play Internet/Television/Telephone concern (from the Polish "Internet Telewizja Telefon"). But the home page is in Flash, so I skip the intro and get to the next page, whose title reads "Telewizja Kablowa Krawarkon", or "Krawarkon Cable Television" (even I can read that much Polish). Great. But the text on the rest of the page is in Polish, too - so I jump over to Google Translate and see what I can learn about their service. Unfortunately, with the exception of the text "about us", it's all
Once again, the table containing the prices, while obviously showing that we're dealing with broadband cable (and television, which almost always denotes residential service), is also a graphic and is not translated. Besides the indignity of learning that if I were in a former Communist Bloc country I could be getting 10Mb/s for 122 zlotys (or less than the $45/month I'm paying at home for 6Mb/s from Road Runner), I learn nothing about dynamic or static assignment or NATs. Assuming residential cable customers probably get dynamics, I could stop here - but I notice in the image that one "a la carte" line reads "dodatkowy adres IP", so I jump over and translate that. "Additional IP address". Pricey at another 61 zlotys. But that suggests static assignment, so I have to be satisfied with the possibility that there may be static IPs in the mix as well as dynamics. Fortunately, there's a link to "Rules", or their acceptable use policy or terms and conditions, so I check it quickly to see if it has anything to say on the matter of whether they allow customers to run mail servers on their cable Internet. If there's anything more obtuse than legalese, it's legalese auto-translated from Polish. Nothing in there prohibiting someone from running a mail server.
I then check to see if the IP is listed in Spamhaus' PBL; nope. Not that this means it's definitely not dynamic; PBL doesn't list a lot of IPs we have patterns for, even dynamic patterns. A quick lookup of the entire range should help me make a final determination. Nope, no custom reverse DNS at all (which if seen might indicate at least some statics). Try all of the ranges we know about. Just a few obvious static hosts at the beginning of those ranges with generic PTRs like the one we first found in the trap feed. A couple of mail servers in the krawarkon.pl domain (poczta being Polish for "mail"). No custom reverse DNS in most of the ranges, beyond gateways and the few mail servers already mentioned.
Maybe the customer service link in the navbar will help - sometimes these contain screenshots (usually of Windows Networking control panel dialogs) showing how to configure DHCP. Nope, just hours of operation and phone numbers.
One other thing I can try: rsync the CBL list.txt file and check for listing density. As the ranges assigned to Krawarkon are all /24s, I can just grep for the first three octets of each. As I'm waiting for the rsync download to finish, I check the Enemieslist callback logs, which indicate reasons for acceptance or refusal of connections by certain users of the sendmail package. Lots of localhost and unqualified HELOs, all rejected by the reporting mail servers. Now that the CBL is done rsyncing, I check the densities and find:
195.116.47.0/24: 3
217.98.88.0/24: 1
217.98.89.0/24: 1
80.48.167.0/24: 0
80.48.171.0/24: 1
80.48.173.0/24: 0
80.48.183.0/24: 2
80.51.132.0/24: 4
80.51.73.0/24: 7
Few enough, especially for a Polish cable provider, but still looks like there are several bot-infected hosts in there. Few enough that I can check them manually using the CBL Lookup form; all bots: rustock, mega-d, grum, bagle-cb, cutwail. All of those in the 80.51.73/24 block are Rustock, suggesting that it may be the same botted host, getting new IPs. I make the final call - these are dynamic hosts.
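The two mechanical checks from the walkthrough above, the per-block CBL density count and the "is this PTR merely generic" test from the reverse-DNS sweep, as an added Python example; this is not the author's or Enemieslist's own tooling, the list file contents are constructed, and the density function generalises the grep on the first three octets so it works for any prefix length, not only /24s.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for the CBL list.txt (one listed IP per line); not real feed data.
SAMPLE_LIST_TXT = """\
195.116.47.12
195.116.47.200
195.116.47.9
217.98.88.181
80.51.73.15
80.51.73.77
80.51.73.15
80.51.132.3
198.51.100.7
"""

def cbl_density(list_txt, prefixes):
    """Listed-IP count per assigned prefix (any prefix length, not only /24s)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    counts = Counter({n: 0 for n in nets})
    seen = set()
    for line in list_txt.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue  # skip malformed lines instead of miscounting
        if ip in seen:  # a repeated line must not inflate the density
            continue
        seen.add(ip)
        for n in nets:
            if ip in n:
                counts[n] += 1
                break
    return {str(n): c for n, c in counts.items()}

def is_generic_ptr(ip, ptr):
    """True when the PTR just encodes the address (e.g. host-217-98-88-181.krawarkon.pl)
    and carries no token such as 'cable', 'dyn' or a service name."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    name = ptr.lower().rstrip(".")
    for seq in (octets, octets[::-1]):  # forward or reversed octet order
        pat = r"(?<![0-9])" + r"[-.]".join(seq) + r"(?![0-9])"
        if re.search(pat, name):
            return True
    return False
```

IPs in the list that fall outside every supplied prefix are ignored, so the density reflects only the blocks under investigation.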
Obviously, I don't always go through all of these steps when classifying hosts; often the class is obvious from tokens in the name or comments in the whois lookup. My point in writing this is to illustrate how a typical, truly generic, hostname is perniciously content-free, and how useless most of the traditional resources we might have been able to expect to use in order to gain information about such a host really are. If Krawarkon's hostmaster had simply used "cable.dyn" or similar in the naming convention, all this pain could have been avoided - along with all of the bot spam.
Posted by schampeo at September 18, 2009 2:13 PM