December 10, 2011

Whois utility SamSpade

Do you often get IP addresses connecting to your email server and wonder who the **** that is? The answer is that there is a "Whois" record for that information, and for Windows users there is a small, well-written program that is very helpful. A visit to SamSpade.org shows "back soon", but the program can still be downloaded from:

http://majorgeeks.com/Sam_Spade_d594.html

At just over a MB it certainly isn't bloated with anything! Once installed it can be opened to reveal a simple gray window. Put the unknown IP address in the top left box; for this example we will use the spammer just referred to, at 67.159.33.100:

The main registries for IP address ranges are:
ARIN, North American continent
RIPE, European continent and Middle East
LACNIC, Central and South America
APNIC, Asia, Pacific, Far East and Oceania
AFRINIC, Africa

At the top center of SamSpade you will see a choice box; select whois.arin.net, then look to the left and a little down, where you will see an icon for "whois". Click on that and you get the following in your SamSpade window:

NetRange: 67.159.0.0 - 67.159.63.255
CIDR: 67.159.0.0/18
OriginAS:
NetName: FDCSERVERS
NetHandle: NET-67-159-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
RegDate: 2004-10-12
Updated: 2006-12-27

OrgName: FDCservers.net
OrgId: FDCSE
Address: 141 w jackson blvd.
Address: suite #1135
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US
RegDate: 2003-05-20
Updated: 2011-03-28

In our experience FDCServers do not have a good reputation, and quite often have their IP addresses listed in the top 100 spam senders at any one time. Probably not too caring about the spam problem.

Another test you can perform is from the top toolbar, via the button called "Basics". Click on that, and the second item down the list is NSLOOKUP, a test for finding the DNS name recorded for an IP address or domain name. For 67.159.33.100 we get the following result:

"nslookup 67.159.33.100
No reverse DNS (WSANO_DATA)"

Very impressive: there isn't one. FDCServers have an IP address pumping out emails with no reverse DNS set. The spammer can therefore set the HELO/EHLO server name to whatever he likes and change it whenever he likes. FDC should write the server name in their DNS and set up the PTR record so that it accords with the A record, thereby permitting real-time reverse DNS (rDNS) tests to succeed. You will note that our email server timed out trying to get the DNS record for that IP address. Failing to do so is open to abuse, as we have seen, yet it is so easy to do; it literally takes 5 minutes to edit the DNS and only needs doing once.

Email servers can send emails for and on behalf of numerous domain names, and this does not affect the name of the server in DNS, its reverse DNS record or the HELO/EHLO used.
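The two checks the post walks through by hand in SamSpade (the ARIN whois lookup and the reverse-DNS lookup) can be scripted. The example below is added here and is not code from the original post or from SamSpade: it parses the "Key: value" lines of an RIR whois reply, works out whether an address falls inside the allocation's CIDR (the /18 the whois reports, rather than the /24 a reputation site shows by default), and performs a forward-confirmed reverse DNS check, i.e. the PTR name must resolve back to the address. The sample whois text is constructed from the fields quoted above; the network lookups are behind small functions (`whois_query`, `_system_ptr`, `_system_a`, all names chosen here) so the logic can be run offline with stubs, and only the `__main__` block talks to the network.

```python
"""Added example: script the whois and forward-confirmed rDNS checks the post
performs by hand in SamSpade.  Not part of the original post or of SamSpade."""
import ipaddress
import re
import socket
import sys

# Constructed sample: the ARIN fields the post quotes for 67.159.33.100.
SAMPLE_WHOIS = """\
NetRange: 67.159.0.0 - 67.159.63.255
CIDR: 67.159.0.0/18
OriginAS:
NetName: FDCSERVERS
NetType: Direct Allocation
OrgName: FDCservers.net
Country: US
"""


def parse_whois(text):
    """Turn 'Key: value' lines of an RIR whois reply into a dict.
    Empty values (OriginAS: above) are skipped; repeated keys such as
    Address: are joined with ' / ' so nothing is silently dropped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value:
            continue
        fields[key] = f"{fields[key]} / {value}" if key in fields else value
    return fields


def allocation_for(ip, whois_fields):
    """Return (network, inside): the CIDR the whois reply describes and
    whether ip lies within it.  This is the block size to feed a
    reputation lookup, not the /24 such sites assume."""
    net = ipaddress.ip_network(whois_fields["CIDR"], strict=False)
    return net, ipaddress.ip_address(ip) in net


def whois_query(ip, server="whois.arin.net", timeout=10):
    """Raw whois over TCP port 43 (RFC 3912): send the query plus CRLF,
    read until the server closes the connection."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(f"{ip}\r\n".encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def _system_ptr(ip):
    """PTR lookup via the system resolver; None when there is no reverse DNS,
    which is exactly what SamSpade reported for 67.159.33.100."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def _system_a(name):
    """Set of IPv4 addresses the PTR name resolves to (empty on failure)."""
    try:
        return {r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)}
    except OSError:
        return set()


def fcrdns(ip, ptr_lookup=None, a_lookup=None):
    """Forward-confirmed reverse DNS.  Returns (status, ptr_name) where status
    is 'no-ptr' (nothing to check, the case the post complains about),
    'mismatch' (PTR exists but does not resolve back to ip), or 'ok'."""
    ptr_lookup = ptr_lookup or _system_ptr
    a_lookup = a_lookup or _system_a
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr", None
    if ip not in a_lookup(name):
        return "mismatch", name
    return "ok", name


if __name__ == "__main__":
    # Usage: python rdns_whois.py 67.159.33.100  (needs network access)
    target = sys.argv[1] if len(sys.argv) > 1 else "67.159.33.100"
    fields = parse_whois(whois_query(target))
    net, inside = allocation_for(target, fields)
    print(f"{target}: {fields.get('OrgName', '?')} allocation {net} "
          f"({net.num_addresses} addresses, contains target: {inside})")
    print(f"{target}: rDNS {fcrdns(target)}")
```

Run it with an address as the only argument; the `ok`/`mismatch`/`no-ptr` result is what an inbound mail server's rDNS test is deciding on, and `allocation_for` gives the prefix to paste into a reputation lookup instead of the default /24.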

To get another opinion about IP addresses, networks, network providers and server hosting businesses, try the following:

http://www.senderbase.org/

Over on the right of the home page you will see a box for "reputation lookup"; insert 67.159.33.100 and click the button underneath. The window shows results for the IP address and for associated email senders on the same domain name and IP addresses (in this case 67.159.33.0/24). Note the results:

67.159.33.33 is shown as "neutral" written in black text
67.159.33.100 is shown as "neutral" written in black text
67.159.33.101 is shown as "good" written in green text but
67.159.33.100 is shown as "poor" written in red text

Now change the address block to /18, since the Whois tells us FDCServers have an IP address block of that size, and click "Go":

At the time of writing there are nearly 400 detected email senders from that /18 IP block, and there is a lot of red! This second opinion of FDC agrees with our own experience.

At the top center of the SenderBase.org web page is a button called "Top Senders"; choose "Top Spam Senders" to see a recent report and the same old names.

3 comments:

  1. Hi APEWS, please remove CIDR 189.125.100.112/28
    PLEASE URGENT

    Oooops 189.125.100.113 is currently listed in APEWS :-(
    Entry matching your Query: E-413836
    189.124.0.0/15
    CASE: C-41
    Spambots / zombies / spammers / scanners within CIDR
    History:
    Entry created 2010-09-19

  2. How do I remove my address from the blocklist?
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    APEWS.ORG Databasetest

    Testresults
    Oooops 76.76.103.210 is currently listed in APEWS :-(
    Entry matching your Query: E-455746
    76.76.100.0/22
    CASE: C-79
    Spambots, zombies, contaminated CIDR, bad reputation provider
    History:
    Entry created 2011-02-03
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    We only got this IP this year, therefore it couldn't possibly be our web servers. Please remove.

  3. Wow, I can say that this is another great article, as expected of this blog. Bookmarked this site.
    reverse whois lookup
