Learn Due Dilligence

Saturday, December 10, 2005

Whois

First of all, let's understand what the whois service is.
I think this explanation is clear enough.

********************
WHOIS - Domain names explained
by Bill Mattocks

The WHOIS database is a compendium of domain names.

You may already know that the Internet itself does not speak "human" or "english." It speaks in IP (Internet Protocol) addresses. Those addresses have to be linked to the human domain names in a database in order to be useful. If I were typing from a Unix prompt, I would type the commands like this:

whois comp-sol.com
-or-
whois 156.46.104.0
-or-
whois '!NETBLK-SPRINT-CF284F'

The point here is that WHOIS can be used in a variety of ways to query the information contained therein. Sometimes, you may get a bewildering response from Internic, but there is usually something further that you can query to track a source of spam. If you don't know how to begin, try just typing in whois "anything" and see what you get. You won't break it or make anyone mad at you.



Querying a domain name

If you query a domain name, say "spamlovers.com" and get a "No Response Found" reply from Internic, that means that it is NOT a legitimate domain name, because Internic has authority over all domain names that end in .com. Same for .net, .org, and .edu. Notice, please, that you must enter "spamlovers.com" and not "www.spamlovers.com" or "spammachine.spamlovers.com" to get a positive response. It is just the last bit of the domain name in front of the dot that we are interested in. The bit in front of "spamlovers.com" denotes a machine belonging to that organization, but it is named locally, not by Internic. Now, on to the domain name. If you are querying a US domain name, and it is legitimate, you should get back a response, and it may look something like this:

whois comp-sol.com
[rs.internic.net]
Computer Solutions of Kenosha (COMP-SOL-DOM)
2031 22nd Avenue
Kenosha, WI 53140
US

Domain Name: COMP-SOL.COM

Administrative Contact, Technical Contact, Zone Contact:
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM (414)551-8088
Billing Contact:
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM
(414)551-8088

Record last updated on 06-Sep-97.
Record created on 09-Aug-95.
Database last updated on 12-Sep-97 04:47:08 EDT.
Domain servers in listed order:

DARKSTAR.NOMAD.NET 156.46.104.2
NOMAD.NET 156.46.104.1


The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information.



Let's deconstruct the information and see what it means:

Computer Solutions of Kenosha (COMP-SOL-DOM)
2031 22nd Avenue
Kenosha, WI 53140
US

OK, so this is supposedly a business, called Computer Solutions of Kenosha, in Kenosha, Wisconsin. The "(COMP-SOL-DOM)" bit indicates that comp-sol.com is indeed the domain name. Please bear in mind that spammers are becoming educated about domain names and whois. They often put bogus information in when they register with Internic to get their domain name. That's against the rules, but Internic won't do anything about it at this time. We live with what is. Still, many times this information will be correct. If nothing else, Internic has to have a way to bill the domain. If the information given is totally bogus, the spammer probably intends not to pay the bill, but merely to use the domain name until it expires, and then register a new one.


Let's move on:

Administrative Contact, Technical Contact, Zone Contact:
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM
(414)551-8088
Billing Contact:
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM
(414)551-8088

This bit tells us who is responsible for the domain, who pays the bills, who keeps it running, etc. Again, it is supposed to contain legitimate information, and again, it often does not. Just the same, if the information is accurate, we now have an e-mail address to complain to. Hmm, happens to be me, doesn't it. Well. Please don't take me too literally. We also have a telephone number to call if we wish to register a complaint that way.


Record last updated on 06-Sep-97.
Record created on 09-Aug-95.
Database last updated on 12-Sep-97 04:47:08 EDT.

This bit is not too exciting. It is as it appears, showing us when the domain was created, and when it was last changed.

As a spammer hops from ISP to ISP, they take their domain names with them, and that will show up. Just a tiny bit of information, but it may help to prove to your satisfaction that a spammer is indeed a spammer, and that a particular domain is or is not a spamhaus. It's the little things...


Domain servers in listed order:

DARKSTAR.NOMAD.NET 156.46.104.2
NOMAD.NET 156.46.104.1

Finally, we have the bit about the Domain servers. A domain server is simply the machine that does lookups for a particular domain name when someone sends anything to that domain, like when you go to a web page or when you send mail to a particular domain. In this case, if anyone goes to a web page at www.comp-sol.com, their request will be "looked up" by one or both of the machines above. This is important, because a spammer may receive his upstream account (or feed) from one source, and have another source do his DNS or Domain Name Service. It could be another source to complain to. Many times, when you are dealing with a spammer, you will see this:



Domain servers in listed order:

NS7.CYBERPROMO.COM 205.199.2.250
NS5.CYBERPROMO.COM 205.199.212.50
NS8.CYBERPROMO.COM 207.124.161.65
NS9.CYBERPROMO.COM 207.124.161.50

And you know you are dealing with the deathstar itself. To many of us here on NANAE, seeing this is final and irrevocable proof that the domain in question is a spamhaus, and the sender of the e-mail is a spammer. We tend not to believe that there are ANY legitimate domains hosted by Cyberpromo.

When you see this, it is like swimming in the ocean and seeing a dorsal fin rise up out of the water and start towards you.


Using whois to look up an ip range

As we mentioned above, whois can be used in other ways, not simply to look up a domain name. For example, we can use it to find out who a particular IP address belongs to:

whois 156.46.104.1
[rs.internic.net]
[No name] (NOMAD4-HST)

Hostname: NOMAD.NET
Address: 156.46.104.1
System: IBM PC 486/66 running DOS/IPAD

Record last updated on 03-Aug-95.
Database last updated on 12-Sep-97 04:47:08 EDT.

This in itself doesn't give us much information (In fact, this information is out of date, and needs to be updated.) Ah well, another task, another day. What's more important than spam-fighting? So, we can look for the owner of the license in question by stripping off the last digit of the IP address and replacing it with a zero. In this case we would do:

whois 156.46.104.0
[rs.internic.net]
No match for "156.46.104.0".

OK, so we didn't get a match. Still, someone owns the IP range in question. So, now we take off the last two IP "octets" and replace both of them with zeros. Thus:

whois 156.46.0.0
[rs.internic.net]
alpha dot net, corp. (NET-ALPHA)
324 East Wisconsin Avenue, Suite 609
Milwaukee WI, 53202

Netname: ALPHA
Netnumber: 156.46.0.0

Coordinator:
Chase, Tim (TC15) support@ALPHA.NET
414-274-7040

Domain System inverse mapping provided by:

HOMER.ALPHA.NET 156.46.10.10
HELEN.ALPHA.NET 156.46.10.20

Record last updated on 10-Jan-96.
Database last updated on 12-Sep-97 04:47:08 EDT.

Here is some useful information! We see that the actual IP range (often called a "Class C license") is owned by someone else entirely. In this case, it is owned by alpha dot net corp, in Milwaukee, Wisconsin. We have a contact name and e-mail address, and we have a telephone number. Remember, this will be an upstream provider for the spammer in question, and possibly not spammers themselves. We phrase our complaint accordingly, so as to not offend the good guys.

If that failed to get a result, we could simply keep replacing octets with zeros until we got the owner of an entire block of licenses, and again, we would have someone else to complain to.

The further away we get from the spammer, the less likely it is that we are dealing with spammer-friendly folks. If they get enough complaints, they MAY decide to take action, and we have all heard the phrase, "Shit rolls downhill." Eventually, someone has to take the heat and perhaps terminate the spammer. Keep this in mind.



Using whois when there are multiple results

Sometimes, when we use whois, we get many responses, not just one. Here is an example:

whois mattocks
[rs.internic.net]
Mattocks E-mail Service (MATTOCKS-DOM) MATTOCKS.COM
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM (414)551-8088
Mattocks, Bill (BM1199) bmattocks@COMP-SOL.COM (414)551-8088
Mattocks, Christopher (CM3732) kolis@LVWEBMASTERS.COM 6024884305
Mattocks, Darryl (DM812) darryl.mattocks@BOOKSHOP.CO.UK
Mattocks, Jeff (MJ100-ORG) JeffMattocks@MSN.COM (360) 896-8150

To single out one record, look it up with "!xxx", where xxx is the handle, shown in parentheses following the name, which comes first.

And sure enough, there are instructions right there as to how to narrow down your search. Simply type in an "!" followed by the information shown in the parentheses. In my case, it would be:

whois '!BM561' and that would bring up my information.



Foreign whois searches

What about domains located outside the US? Well, our information is a bit spotty there. There are equivalents of Internic outside of the US, and they work the same way. Some of them can be searched using the WHOIS tool, but just telling it to point itself at a different database. Other times, a search of the web using something like www.yahoo.com will bring you to a web page that will let you do a foreign whois search directly from that web page.

NOTE: In fact, that would be a great idea for an anti-spam web page, if someone is not already doing it - a link to all the foreign whois databases that we can find...hint, hint.

I apologize for my lack of knowledge in this area. If anyone has the information on various countries that have a WHOIS database to point whois at, I'd be very appreciative if they would post it here. Since we are beginning to see more spam originating from countries outside of the US, it would be most helpful to use WHOIS to track that spam as well.

That concludes the lesson for today. Please feel free to throw roses or brickbats, as you see fit. Permission is hereby granted for anyone who wishes to publish this information in any form, as long as it remains intact and attribution to the author is given. I maintain copyright and transfer all other rights to the public.
Best Regards,
Bill Mattocks, CIIU
*****************************

Now, how can we make queries?
I often use these whois services:
whois.webhosting.info
whois.sc
But these links can also be helpful. Note that the regional registries below answer for IP address space (the "whois 156.46.0.0" kind of query in the article above), not for domain names, which are looked up at the registry for their TLD.

www.corenic.net
The CORE (Internet Council of Registrars) whois covers .com, .org and .net domain names registered through CORE; it is a registrar database, not an IP address registry.
www.ripe.net
The RIPE Network Management Database contains information about IP address space allocations and assignments, routing policies and reverse delegations in the RIPE (European) region.
whois.arin.net
The ARIN Network Management Database contains information about IP address space allocations and assignments, routing policies and reverse delegations in the ARIN (North American) region.
www.apnic.net
The APNIC Network Management Database contains information about IP address space allocations and assignments, routing policies and reverse delegations in the APNIC (Asia-Pacific) region.
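The procedure the article above works through by hand (reduce a hostname to the registered domain, read the handles and name servers out of the record, use the "!handle" form for an exact match, and zero out trailing octets until an IP query hits an allocation) is easy to script. The following is an added example written for this page in Python; it is not code from Bill Mattocks or from any of the whois services listed above. The two sample records are copied from the article rather than fetched live, the watch list of name-server domains and all function names are my own, and the last-two-labels rule for the registered domain is the article's 1997 rule, which breaks on names such as bookshop.co.uk. The whois_raw function speaks the plain port-43 protocol (RFC 3912) and needs network access, so the offline samples never call it.

```python
"""Added example for this page, not the article author's code: parse the
InterNIC-style record quoted above and build the queries the article
walks through by hand."""
import re
import socket

# Constructed sample: the comp-sol.com record from the article (address lines omitted).
SAMPLE_DOMAIN_RECORD = """\
[rs.internic.net]
Computer Solutions of Kenosha (COMP-SOL-DOM)

Domain Name: COMP-SOL.COM

Administrative Contact, Technical Contact, Zone Contact:
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM (414)551-8088
Billing Contact:
Mattocks, Bill (BM561) bmattocks@COMP-SOL.COM
(414)551-8088

Record last updated on 06-Sep-97.
Record created on 09-Aug-95.
Domain servers in listed order:

DARKSTAR.NOMAD.NET 156.46.104.2
NOMAD.NET 156.46.104.1
"""
# Constructed sample: the name-server block the article calls a spamhaus sign.
SAMPLE_SPAMHAUS_NS = """\
Domain servers in listed order:

NS7.CYBERPROMO.COM 205.199.2.250
NS5.CYBERPROMO.COM 205.199.212.50
"""
NS_WATCHLIST = {"cyberpromo.com"}  # hypothetical watch list; the article names this one

HANDLE_RE = re.compile(r"\(([A-Z]{1,4}\d+(?:-[A-Z]+)?)\)\s+(\S+@\S+)")  # (BM561) e-mail
NS_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)     # HOST  a.b.c.d

def registrable_name(host):
    """Article's rule: query 'spamlovers.com', never 'www.spamlovers.com'.
    Last-two-labels is only right for TLDs like .com; it mangles bookshop.co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def handle_query(handle):
    """Exact-match query for one record by NIC handle, e.g. '!BM561'."""
    return "!" + handle.strip()

def ip_walk(ip):
    """Queries in the order the article tries them, zeroing trailing octets:
    156.46.104.1 -> 156.46.104.0 -> 156.46.0.0 -> 156.0.0.0."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    queries = [ip]
    for keep in (3, 2, 1):
        query = ".".join(octets[:keep] + ["0"] * (4 - keep))
        if query != queries[-1]:
            queries.append(query)
    return queries

def parse_nameservers(text):
    """Name servers listed after the 'Domain servers in listed order:' marker."""
    start = text.find("Domain servers in listed order:")
    return NS_RE.findall(text[start:]) if start >= 0 else []

def parse_record(text):
    """The fields the article deconstructs: domain, handles, dates, name servers."""
    contacts = {}
    for handle, email in HANDLE_RE.findall(text):
        contacts.setdefault(handle, email)  # the same handle may appear twice
    domain = re.search(r"^Domain Name:\s*(\S+)", text, re.M)
    created = re.search(r"Record created on ([^\s.]+)", text)
    updated = re.search(r"Record last updated on ([^\s.]+)", text)
    return {
        "domain": domain.group(1) if domain else None,
        "contacts": contacts,
        "created": created.group(1) if created else None,
        "updated": updated.group(1) if updated else None,
        "nameservers": parse_nameservers(text),
    }

def suspicious_nameservers(record, watchlist=NS_WATCHLIST):
    """Name servers whose registered domain is on the watch list."""
    return sorted(ns for ns, _ in record["nameservers"] if registrable_name(ns) in watchlist)

def whois_raw(query, server, port=43, timeout=10):
    """Minimal RFC 3912 client: query + CRLF, then read until the server closes.
    Needs the network, so the offline samples never call it; send IP queries to a
    regional registry (e.g. whois.arin.net) and domain queries to the TLD registry."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")
```

The regular expressions are deliberately tied to the old InterNIC layout shown in the article; current domain registries print "Name Server:" lines and the regional IP registries use "NetRange:" (ARIN) or "inetnum:" (RIPE, APNIC) fields, so adjust them per server before pointing whois_raw at live data.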

Tuesday, December 06, 2005

Program site and Google

If the program has a site, carefully read and understand every word and sentence.
Try to find any uncommon information: contact details, rules, FAQ, forum, all the information the program administrator allows you to know.

After that, the simplest action is to use Google.
Yes! Google!
It always saves time.
What to search for?
1. The program site.
2. Sites that link to the program site.
3. The program name.
4. The uncommon information you found.
These 4 simple steps let you collect information about the program and its activity.

Search results in order of weight:
Forums discussing the program.
Personal sites (opinions there carry much more weight than those on monitoring sites).
Monitoring sites (will be reviewed later).

Try to collect all the background activity of the program: all the opinions you read on forums and personal sites.

The first step is over.
80% of sites will not pass this quick research.
I will not describe red flags here; you must make them by yourself, but if I find one or two negative !facts!, not opinions, FACTS, I will not continue.
But if you want to make money, do not stop.

What next?
Whois, Reverse IP, Admin Contact.

Monday, December 05, 2005

Why?

Why am I creating it?
This blog is created for one purpose: I will describe methods of doing due diligence on online High Yield Investment Programs, also known as HYIPs.

Why am I doing so?
I want to organise my knowledge in this area.

Can it be useful for you?
No, if you want to think about HYIPs as games.
Yes, if you want to think about HYIPs as investments.
Yes, if you want to manage risk.

How often will it be updated?
Once or twice a week.