
Resolving IP of Spammer


Aeronautic
10-23-2008, 02:19 PM
Okay, perhaps I'm just a complete idiot, but I've seen several events where spam bots from IPs like this 95.158.142.219.broad.bj.bj.dynamic.163data.com.cn show up on the server (and post to non-captcha forms, etc.)

Trying to resolve that out to an IP goes nowhere.

I've tried every approach I can think of so I can block it and the range.

But for example, this is what NW Tools returns:

http://network-tools.com/default.asp?prog=express&host=95.158.142.219.broad.bj.bj.dynamic.163data.com.cn

IP address:
Error: Host not found

Host name: 95.158.142.219.broad.bj.bj.dynamic.163data.com.cn
is from () in region

TraceRoute to [95.158.142.219.broad.bj.bj.dynamic.163data.com.cn]
Hop (ms) (ms) (ms) IP Address Host name

Trace complete

whois query for 163data.com.cn...

Results returned from whois.cnnic.net.cn:

Domain Name: 163data.com.cn
ROID: 20070711s10011s23187457-cn
Domain Status: inactive
Registrant Organization: 北京三方创业网络技术有限公司
Administrative Email: wangchen@sfn.cn
Sponsoring Registrar: 北京中科三方网络技术有限公司
Registration Date: 2007-07-11 17:04
Expiration Date: 2009-07-11 17:04

Retrieving DNS records for 95.158.142.219.broad.bj.bj.dynamic.163data.com.cn...
Attempt to get a DNS server for 95.158.142.219.broad.bj.bj.dynamic.163data.com.cn failed: 95.158.142.219.broad.bj.bj.dynamic.163data.com.cn does not exist in the DNS

Network IP address lookup:

whois query for ...

Query error: No whois server known for the given domain

Any ideas?

Thanks!

gordonw
10-23-2008, 09:07 PM
The domain name is inactive according to the whois return from DNSstuff and the IP address is a European range not normally allocated (I won't swear to the latter interpretation but it seems to be an administrative IP range).

That means the combination of IP and domain has been spoofed and the domain itself has been spoofed. If you choose to block the IP address you may find you are blocking genuine contacts.

However I can't see that temporary blocking would do any serious harm and it may be long enough to outlast the short attention span of most attackers.

You may be able to find the true source from an example of the spam, and I'd be interested in comments from others on whether, in view of the tendency for spammers to move on quickly, such research is worthwhile. And whether such email can get through an email server setup which checks email origin.

Gordon W (who is learning a lot but that's just enough to be aware that he has a lot more to learn).

ikaruz
10-24-2008, 09:47 AM
Hi Aeronautic,
Lack of knowledge, if you look for the answer, can't be considered idiotic ;).
The info you input at the search at network-tools was the rDNS record; the actual IP is: 219.142.158.95 (it's written in the rDNS backwards).

From the same network-tools using the real IP:

219.142.158.95 is from China(CN) in region Southern and Eastern Asia

TraceRoute to 219.142.158.95 [95.158.142.219.broad.bj.bj.dynamic.163data.com.cn]


By the way, it's almost the same info you already had in the reverse record.
The domain is 163data.com.cn and, by the rest of the rDNS, it seems to be for an ISP that dynamically assigns IPs, maybe cable modem, DSL, etc.
That is the reason the domain is not resolving anywhere; it doesn't have to.

In this case, don't waste any time reporting the offender ...
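
The octet-reversal trick ikaruz describes, turned into a small checker (this is an added example, not code from anyone in the thread). It extracts the four dotted numbers that lead a PTR-style hostname, produces both the left-to-right and the reversed reading (since, as noted above, different ISPs use either), and then cross-checks the claim against the address that actually connected, which is the only value a blocklist should be built from. The log lines, the `.invalid` hostnames and the verdict names are constructed for the example; only the 163data.com.cn hostname and 219.142.158.95 come from the thread.

```python
import ipaddress
import re

# Four dotted decimal groups at the start of a hostname, e.g. "95.158.142.219"
# in "95.158.142.219.broad.bj.bj.dynamic.163data.com.cn".
_OCTETS_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.")


def candidate_ips(hostname):
    """Return the IPv4 addresses a PTR-style hostname could be encoding.

    Both orderings are returned because some ISPs embed the address
    left-to-right and others (163data.com.cn, per the thread) reversed.
    Groups that are not valid octets (e.g. 300) are rejected by ipaddress.
    """
    m = _OCTETS_RE.match(hostname.strip().lower())
    if not m:
        return []
    octets = m.groups()
    found = []
    for order in (octets, octets[::-1]):
        try:
            found.append(str(ipaddress.IPv4Address(".".join(order))))
        except ipaddress.AddressValueError:
            continue
    # Drop the duplicate produced by palindromic octet sequences, keep order.
    return list(dict.fromkeys(found))


# Constructed sample access-log lines (hypothetical format: connecting IP,
# then the client's PTR name as appended by a "resolve hostnames" option).
SAMPLE_LOG = """\
219.142.158.95 95.158.142.219.broad.bj.bj.dynamic.163data.com.cn - [23/Oct/2008:14:02:11 +0000] "POST /contact.php HTTP/1.1" 200 512
203.0.113.7 203.0.113.7.example-isp.invalid - [23/Oct/2008:14:03:40 +0000] "POST /contact.php HTTP/1.1" 200 511
198.51.100.20 mail.example.invalid - [23/Oct/2008:14:04:02 +0000] "GET / HTTP/1.1" 200 4096
192.0.2.9 10.0.0.1.example-isp.invalid - [23/Oct/2008:14:05:15 +0000] "POST /contact.php HTTP/1.1" 200 512
"""

_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s")


def classify(line):
    """Compare the connecting IP with the address its PTR name claims to embed.

    Verdicts (names chosen for this example):
      'reversed' - PTR embeds the IP with octets reversed (163data.com.cn style)
      'forward'  - PTR embeds the IP left-to-right
      'no-ip'    - PTR carries no usable embedded address
      'mismatch' - PTR embeds an address that is not the connecting one;
                   the name is self-declared, so trust the IP, not the name
    """
    m = _LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    ip, ptr = m.group(1), m.group(2)
    if not candidate_ips(ptr):
        return "no-ip"
    octets = _OCTETS_RE.match(ptr.lower()).groups()
    if ip == ".".join(octets):
        return "forward"
    if ip == ".".join(reversed(octets)):
        return "reversed"
    return "mismatch"


def block_network(ip, prefix=24):
    """Return the enclosing network (default /24) to block; uses the real IP."""
    return str(ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False))


def summarize(log=SAMPLE_LOG):
    """Return (connecting IP, verdict) for every non-empty log line."""
    return [(line.split()[0], classify(line)) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    print(candidate_ips("95.158.142.219.broad.bj.bj.dynamic.163data.com.cn"))
    for ip, verdict in summarize():
        print(ip, verdict, block_network(ip))
```

The point of the `mismatch` verdict is the caveat gordonw raises: the PTR name is controlled by whoever owns the reverse zone, so the address it spells out is only evidence once it agrees with the address in your own connection log; the block decision should always be made on that logged address (or its `/24`), never on the hostname alone.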

Aeronautic
10-24-2008, 04:51 PM
Hi Ikaruz,

Ahhh!

I'd tried 95.158.142.219, of course, and got nothing.

Thanks so much for that tip!

I've seen other strings that do seem to read left to right - never knew for rdns they can read right to left in that string.

Again, much appreciated.