It parses spam, prepares reports to send to the spammer's ISP & to the administrators of compromised networks, and compiles aggregate info for some kind of commonly used spam blacklist. I use it to analyse spam to attempt to discover the source & networks used, before either sending its reports as-is, or else sending them manually myself.
Before I reply further I'd better just say that really, I've decided the best thing to do is just let the filters take care of it. Don't want anyone to spend time on something that's increasingly looking like an insoluble problem. There are just too many unknowns for it to be anything other than an academic exercise now I think, for all but the most intrepid of spammer hunters.
Initially I wanted to try & convince the host of the spam-advertised site to take a look at it & consider closing it. But now, it seems like a lost cause as far as I can tell. I don't have enough network knowledge to differentiate fact from fiction in the headers and within spamcop's processing, to the depths necessary. It's looking like I would have to spend a massive amount of time & energy trying to successfully pin the true identity of the host down, and even if I did, there seems to be little hope of actually getting anything done short of engaging International Rescue.
All of these mails (and there are thousands of them now in my junk folder lol) advertise the same site. The domain name changes regularly, but it always resolves to the same IP, whether I use spamcop or various flavours of other tools such as traceroute - 18.104.22.168; & the site content shows up as identical on all domains. Looks like there's hundreds of different domains all pointing to one IP.
As far as I can tell using spamcop, 22.214.171.124 is under the control of chinatietong, for whom the abuse address appears to be @hichina.com - but I'm not entirely confident of this. hichina did acknowledge receipt of my reports, but denied any involvement & asked to receive no further reports. Therefore, without any better info to go on, I've no choice but to believe them. I don't believe them, but with the tools and abilities at my command I can't prove anything.
The quandary is that whilst I must give them the benefit of the doubt, china railway / chinatietong / hichina do seem to have been widely accused in the past of providing a 'bulletproof haven' of web hosting to spammers, from reading around the spam newsgroups. From what I've read, I would totally expect them to deny hosting a spammer's website & accuse the spam reporter themselves of spamming.
At the same time however, as you mentioned, it's possible spammers may be spoofing hichina.com? I don't know. Hichina itself isn't mentioned by name in the spam - the connection is, that spamcop universally decides that the spamvertised domains always resolve to 126.96.36.199, and then it further attributes that IP each and every time to hichina hosting. See the example of spamcop's processing above. So, I guess the question would be, is it possible for the spammer to misattribute the host of the IP address somewhere along the line in the DNS system, so that spamcop thinks hichina is the correct reporting address when in fact it's not?
Or, alternatively, is spamcop just plain getting it wrong when it says hichina is the host for 188.8.131.52? That's possible...
Or are hichina just passing the buck. After all, if they *are* hosting the spamvertised site, that still doesn't technically make them spam hosts themselves. They're just hosting a website. I haven't been able to find their TOS, maybe they don't even prohibit it! In which case, I guess that's the end of the story, short of asking Tony Blair & George Bush to intervene in the international spam wars.
One thing does seem suspicious & that is that hichina appears to bounce all messages to their abuse address from spamcop. It was only when I mailed them direct that I got any kind of response at all. Sign of guilt from a dodgy ISP, or exasperation from an ISP under fire from a misconfigured spam-reporting organisation?
'Who Knows' lol. Certainly not the end users like me. Back to the filters.
I'll have a look at iHateSpam, thanks.
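The post above raises two analysis questions that a reporting tool has to answer: which Received: header can be believed (only the hops stamped by your own mail servers are verifiable; everything below them can be forged by the sender), and whether the many advertised domains really collapse onto one hosting IP. The following Python script is an added example, not code from the poster or from spamcop or any other tool named in the thread. It works on a constructed sample message using RFC 5737 documentation addresses, assumes `mail.example.net` and `mx-gw.example.net` are the reader's own trusted mail servers, and uses a constructed lookup table in place of live DNS so it runs offline; swapping in `socket.gethostbyname` gives real resolution.

```python
import email
import re
from email import policy

# Constructed sample spam (not a real message). Hops are listed newest-first,
# exactly as a receiving MTA prepends them. 203.0.113.45 is the host that
# actually connected to our gateway; the hop "below" it is sender-supplied.
SAMPLE_SPAM = """Received: from mx-gw.example.net (mx-gw.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id abc123; Mon, 1 Jan 2007 10:00:00 +0000
Received: from bulk-sender.example.org (unknown [203.0.113.45])
\tby mx-gw.example.net with SMTP id def456; Mon, 1 Jan 2007 09:59:58 +0000
Received: from trusted-bank.example.com (trusted-bank.example.com [198.51.100.7])
\tby bulk-sender.example.org with SMTP; Mon, 1 Jan 2007 09:59:50 +0000
From: "Cheap Pills" <sales@pharm-deal-001.example>
To: victim@example.net
Subject: Special offer

Visit http://pharm-deal-001.example/buy now, or http://pharm-deal-002.example/buy
"""

# Hypothetical: the mail servers the reader administers. Only Received: lines
# stamped "by" one of these were written by software we control.
TRUSTED_HOSTS = {"mail.example.net", "mx-gw.example.net"}

# Constructed stand-in for DNS: many advertised domains, one hosting address.
CONSTRUCTED_DNS = {
    "pharm-deal-001.example": "192.0.2.99",
    "pharm-deal-002.example": "192.0.2.99",
}

RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def trace_received(raw_message, trusted_hosts=TRUSTED_HOSTS):
    """Walk Received: headers newest-first and mark each hop trusted or not.

    A hop is verifiable only while every hop above it was stamped by one of
    our own servers; the first foreign "by" host breaks the chain, and all
    hops beneath it may have been fabricated by the sender.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    chain_intact = True
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        by = RECEIVED_BY.search(text)
        ip = BRACKET_IP.search(text)
        by_host = by.group(1).lower() if by else None
        if not (chain_intact and by_host in trusted_hosts):
            chain_intact = False
        hops.append({
            "by": by_host,
            "ip": ip.group(1) if ip else None,
            "trusted": chain_intact,
        })
    return hops


def origin_ip(hops):
    """The connecting address seen by the last trusted hop: the real source."""
    trusted = [h for h in hops if h["trusted"] and h["ip"]]
    return trusted[-1]["ip"] if trusted else None


def spamvertised_hosts(raw_message):
    """Hostnames advertised in the body, i.e. the sites being promoted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return sorted({h.lower() for h in URL_HOST.findall(msg.get_content())})


def group_by_ip(hosts, resolve=CONSTRUCTED_DNS.get):
    """Group advertised hostnames by the address they resolve to.

    Pass resolve=socket.gethostbyname for live lookups; the default is the
    constructed table above so the example works offline.
    """
    groups = {}
    for host in hosts:
        try:
            address = resolve(host)
        except OSError:  # NXDOMAIN or timeout with a real resolver
            address = None
        if address:
            groups.setdefault(address, []).append(host)
    return groups


if __name__ == "__main__":
    hops = trace_received(SAMPLE_SPAM)
    for hop in hops:
        print("trusted" if hop["trusted"] else "UNVERIFIED", hop["by"], hop["ip"])
    print("origin:", origin_ip(hops))
    print("advertised:", group_by_ip(spamvertised_hosts(SAMPLE_SPAM)))
```

The point of the trust boundary is that the bottom Received: line, which claims the mail came from `trusted-bank.example.com`, was written by the spammer's own relay and is worth nothing; a report should name 203.0.113.45, the address the reader's gateway actually saw. The grouping step reproduces the "hundreds of domains, one IP" observation from the post, and it is the resolved address, not the rotating domain names, that identifies the hosting network to look up.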