- Yesterday
-
Tau started following Spammers now hiding behind Cloudflare and others
-
I've been using their online form to report a phishing website that was often redirected to in the spams I received, and I can say they are reactive. Only a couple hours after the report, I've received an email in which they said: We have notified our customer of your report. We have forwarded your report on to the responsible hosting provider. You may also direct your report to: 1. The provider where xxxxxx.com is hosted (provided above); 2. The owner listed in the WHOIS record for xxxxxxx.com and/or; 3. The contact listed on the xxxxxxx.com site. Then I visited the website and I had this: (before it was a fake Amazon survey to win an iPhone) And this: (seems that the hoster was reactive too) I'm so glad it worked! 😁
- Last week
-
Extension for Thunderbird 78+ : Just Report It
Tau posted a topic in Suggested Tools and Applications
Hi, There's a new extension that could be very useful for Thunderbird's users: Just Report It-
-
Yes my trash bin is full of similar email addresses. They must get paid by volume not quality.
-
This time there are too many links in this email from the same spammer/scammer. 😁 https://www.spamcop.net/sc?id=z6703675679z0b2e800d6ef2bdd1c32b01f69681cbb6z So the website making redirects to the scamming website - appbahiafm.com.br/r/ - won't be reported through SC. 🤢 I did it manually. I wonder if the spammer is pissed-off because of the reports, because the first link in the message is to suckthisd***.com. I hope so! 😊
-
I knew that, but thanks. My confusion is only about whether these are valid active URLs used for tracking/loading content or not. The reason why I called their structure "strange" is because they include another domain, and it seems to me that they are forged and do not correspond to the usual structure of a website. I know that they are not valid image URLs, because they do not include any image name with the extension, they are not included with the appropriate html tag <img src="..."/> AND SC does not parse for image URLs. From what I've checked, only ONE of the URLs that SC wants me to report is valid, and it's the URL the spammer/scammer wants users to access when reading the message when distant content is allowed: fb.todaynewse.com/g This URL is "normal", and despite the report(s), still active and redirecting to golden-prize-dealer.life (hosted by the infamous Media Land LLC), and then to the scam website (fake Amazon contest to win an iPhone). Once again the redirects depend on the country from where they are accessed. I know you're willing to help, but I'm not sure at all that you understand my point(s), and by the way you're answering questions I didn't ask and not answering those I asked. 😉 To be frank, I'm not sure that's what he was talking about when he mentioned "bots". Wasn't he talking about robot crawlers indexing the content of this forum, not of bots forging spam content? But I may be wrong...
-
For a quick crash course, everything between the "://" and the first "/" is the domain. The part immediately after the first "/" is there to make you think it is someone else's domain in order to add confusion. So as below, example,com is what will get reported, even though they are trying to get you to think this is a valid image site. https :// example,com /i.pinimg,com/ This is what Lking means when he says bots. As the bots add a separate domain name after the first "/" in the URL of where they stole the image/content from.
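An added example, not part of the forum post above: a short Python sketch of the rule it describes, separating the host that actually owns a URL (the one a report goes to) from a hostname-shaped first path segment that only serves as a decoy. The function names, the decoy heuristic and the sample URLs on reserved example domains are assumptions made for this illustration; `refang` assumes the link-breaking convention used in this thread and would also rewrite commas that legitimately occur in a URL.

```python
import re
from urllib.parse import urlsplit

# Hostname-shaped token: dot-separated labels ending in an alphabetic TLD.
HOSTLIKE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(url):
    """Undo the link-breaking used in this thread (';' for ':', ',' for '.')."""
    return url.strip().replace(";//", "://", 1).replace(",", ".")


def analyze(url):
    """Return the host that owns the URL and any decoy hostname in its path."""
    url = refang(url)
    if "://" not in url:          # bare "host/path" as pasted from a message
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = parts.path.lstrip("/").split("/")
    first = segments[0].lower()
    # Heuristic (assumption): a first path segment that looks like a hostname
    # and is followed by more path is a decoy; a lone "index.html" is not.
    is_decoy = len(segments) > 1 and first != host and HOSTLIKE.match(first)
    return {"host": host, "decoy": first if is_decoy else None}


def report_targets(urls):
    """Hosts an abuse report would go to: the real host of each URL, once."""
    return sorted({analyze(u)["host"] for u in urls})


# Constructed sample URLs on reserved example domains, one in broken-link form.
SAMPLES = [
    "https;//example,com/img.example,net/474x/a7/photo",
    "https://img.example.net/474x/photo.png",
    "https://example.org/index.html",
    "example.org/g",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", analyze(u))
    print("report to:", report_targets(SAMPLES))
```
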
-
One of the disadvantages of a well indexed internet content is that the bots/spiders that crawl the internet for content do not read the content quite the same way you, a human, do. One of the downsides is that websites with more references/links get rated higher in the list of related sites. That is one reason for referencing spam by TRACKING URL and NOT including live links to spam or spam content in posts here. I am sure no one here wants to inadvertently help promote a spammer. I have edited the post above to break the live links. IF someone really wants to follow a link, the information is available -- IF you replace the semicolons and commas with the appropriate characters.
-
Here are all the URLs with the websites SC wants to report. I'm a noob in html and many other things related to internet, but it seems to me that these URLs' structure is strange: they ALL include another website into them, and a subdomain related to image hosting, but they are not tagged with html code related to images, thus identified by SC parsing process. https;//maintainsuggestions,com/img.sendemail.sequentyel,fr/im/108729/541a15207a241f240cdb2808b92be69057d0db045f20e613a353136db8d4988c?e=XSRP0c8CItgNbDTRlKqL37c-mCT-AaG_YgX2n7TvZzKLOJF4jxVZ-Zgzo7c22W0PJNGm4l9-Xp9rcXjRWs9xruDqME9PYsC4xAS3sZXQJQISgCtzQJRYKStXVUIRL6kdBHNqtb2vCpVYcs9F1OSbQMolcXzs3KVTXUrPRS_mUnQftKyDW92Vxq0qy7dfZ1kWATg6gP9xrZHf2Ky30Ubrtbvx971ILtQUOCT81vU17kHa9i1AbS6bKE-H8dM https;//canadianhedgewatch,com/img.srv2.de/assets/bm/rinary/c/2/7/0/c27098bd7 https;//fanghebuy,com/i.f1g.fr/media/madama/432x244_crop/sites/default/files/img/2020/11/5-conseils-pour-prendre-les-meilleures-decisions https;//victorhenderson.com/img.hesperide.com/news/nl_offre_decembre_04_12_20_prospects/img/separatyon_bot https;//theothersideofparadise,com/img.sbc29.com/5a686347b85b536a9f4bebb5/R6wv2tSNQJGywXXTf9Lxfg/XgS4aZHwTOa_hCzDHR5VQA-Couverture36 https;//recompenseshusky,com/i.pinimg,com/474x/a7/13/95/a713958m818ec34b72d3cfebbe4601f3 All these sites appear only ONCE in the code. https;//maintainsuggestions,com/img.sendemail.sequentyel,fr/... https;//canadianhedgewatch,com/img.srv2,de/... https;//fanghebuy,com/i.f1g.fr/... https;//victorhenderson.com/img.hesperide,com/... https;//theothersideofparadise.com/img.sbc29,com/... https;//recompenseshusky.com/i.pinimg,com/... 
Here are the URLs of websites supposedly hosting the message's images : https;//divinghouse.com/hosteqimages-cdn.aweber-static.com/NTg4MTIz/original/5112b805e82745a0a2d7deaad4ede7c4.png https;//wedderspoonherbfarm.com/i.pinimg.com/100x150/21/3c/e7/213ce7982c6c148b02aa9e8a79347eff.png https;//lepcolourprinters.com/action.metaffiliation.com/trk.php?taff=3DP46423563A551A281&r=3D80324&r=3DCACHEBUSTER&altid=3D901f2a0c7523a4b1695f2f45c1f2daf2,png https;//jllsilicone.com/300o3.img.af.d.sendibt2.com/im/1830603/b179640f7479ae2b22a7cc1ed2a72aad91ce20c5183f5e4528034b09c899130f?e=3DKsN35ijZ3uaF6M-yuov-jv4-PFNhPXyo4txZ9alFohGn96vay4Sg3ZHH7O_1DYAdPEL3UJ3_2tJ20NHh7g4uRffYfnhZ-s0UUzq75S_73BKl5pVEGlWSIh-ObQVWJVAlfDUndM5AWFy3LEa80t69wqZnywpYYAHOsuCoz9r8XZzoOTjxIPIOx8ADpd3-nxBmLPtk1wU2hKqQv78fwxU.png https;//freeware995,com/dl.grafycs.fr/hippo/record.php?em=3Dalix.letheu.ehpad@orange.fr,png All have also this strange structure including another domain. These are the only ones working (the message is a fake Twitter private message): https;//pbs.twimg.com/profile_images/1241785843779584001/o4Q9j8Ry_reasonably_small.jpg https;//ea.twimg.com/email/self_serve/media/twitter-logo@3x-1415137482132.png fb.todaynewse.com , which is THE (sub)domain really involved, has 13 matches, 8 of them are clickable links, and they ARE the links the spammer wants the user to click on, because they lead to his active scam site through a redirect (a different one depending on the country you're from). Why the spammer would involve 8 domains in a message, and take the risk to have them reported and unusable? Why is he not using only the main valid website? That makes no sense, that's also why I think these domains are NOT involved in this spam and should not be spotted by SC. Here is the message's body source, converted from Quoted Printable code: https;//pastebin.com/wmyeEjAr
-
I get it: you think it's fine that SC sends these reports. I think these reports are irrelevant and should not be sent. Next move from spammers like this one will be to put hundreds of fake links and admins will receive thousands of irrelevant reports. Ok with me if you think that's fine. I don't.
-
✔️
-
As an administrator of my own server, I want to know when a link is being abused. If I can tell it is not spam, I may choose to ignore that report. This is why even though my items are not spam, I still want the reports. I get to make the final decision whether I take down the items, not SpamCop.
-
Back again with more nothing to do when reporting
gnarlymarley replied to mrpHil's topic in SpamCop Reporting Help
I wonder, if you kept up the page that gave you a "nothing to do" and reloaded it later if it would work for you. It seems strange that the page would just start working. Last time I looked at someone else's tracking URL, it used their mailhosts setup, not mine. -
Due to link tracking (where spammers note if you click a link), SpamCop does not follow links. It only looks up the hostname and reports the link to the administrator. As for the missing content, it is possible that someone else had the same link, reported it, and the administrator probably already removed it.
-
Hi, I check reports before sending them, and I'm receiving spam with "fake" websites referenced in them. SC is always proposing to report them to the admins, but I think it's a mistake and it's exactly what should be avoided, like stated here: https://www.spamcop.net/sc?id=z6703415594zf4442841b004b4bbab8ba826949549afz For instance, in this spam I received today, SC wants to report 7 websites, and there is ONLY ONE that is directly involved with the spam/scam: http;//fb.todaynewse,com/g/ The URLs of the others lead to either offline sites or missing content. https;//victorhenderson,com/img.hesperide,com/news/nl_offre_decembre_04_12_20_prospects/img/separatyon_bot https;//divinghouse.com/hosteqimages-cdn.aweber-static.com/NTg4MTIz/original/5112b805e82745a0a2d7deaad4ede7c4.png Could an admin look into this? Shouldn't the parsing algorithms be revised to avoid that? Sure I uncheck manually the reports that are irrelevant, but this is an issue that should be dealt with.
- Earlier
-
Back again with more nothing to do when reporting
RobiBue replied to mrpHil's topic in SpamCop Reporting Help
both links parse correctly for me and both would report to Report spam to: Re: 193.47.69.243 (Bounce) To: abuse@virtono.com (Notes) I don't know if @Richard W or @Lking or another forum admin could figure out where your "nothing to do" problem lies... several years ago Don D'Minion (3rd message in following thread: added a yahoo host to the account, but from what I understand, you have no mailhosts in your account (neither have I FWIW) so the problem must lie elsewhere... Richard and Lking, sorry for the ping if it's not netiquette and I apologize. -
Back again with more nothing to do when reporting
mrpHil replied to mrpHil's topic in SpamCop Reporting Help
Another one today: https://www.spamcop.net/sc?id=z6702643590zf1493181672d49a3ee781946c94b5c00z https://www.spamcop.net/sc?id=z6702643833z9e2608be062a1fe16fa4b29a7cab50a8z These both share the following headers: Received: from mediapub.br.com (finetsky.com. [193.47.69.243]) by mx.google.com with ESMTP id v21si8334134wmj.175.2021.02.12.06.57.21 for <delyani@gmail.com>; Fri, 12 Feb 2021 06:57:21 -0800 (PST) Received-SPF: permerror (google.com: permanent error in processing during lookup of newsletter@jiorpdnymezubgbgzikw.meddiapub.br.com: relay.emailme.com not found) client-ip=193.47.69.243; Received: from mediapub.br.com (finetsky.com. [193.47.69.243]) by mx.google.com with ESMTP id s11si8041655pgp.124.2021.02.12.07.37.08 for <delyani@gmail.com>; Fri, 12 Feb 2021 07:37:09 -0800 (PST) Received-SPF: permerror (google.com: permanent error in processing during lookup of newsletter@yjgnvmsihgshxavzrwzb.meddiapub.br.com: relay.emailme.com not found) client-ip=193.47.69.243; -
Back again with more nothing to do when reporting
KNERD replied to mrpHil's topic in SpamCop Reporting Help
Maybe try making a new account? -
Back again with more nothing to do when reporting
mrpHil replied to mrpHil's topic in SpamCop Reporting Help
I don't have any special settings in spamcop, I just use the web UI to report the source. -
-
Back again with more nothing to do when reporting
RobiBue replied to mrpHil's topic in SpamCop Reporting Help
that is odd, as I get the same as KNERD 🤔 (except that since he already submitted it, I don't get the report link) I don't know what to say, except that there might be something going on if you have hosts set up in spamcop... -
"An error occurred while processing your request."
KNERD replied to ZapZombie's topic in SpamCop Reporting Help
I tried using the SORBS block list, but stopped after I noticed two things. When reporting spam, Spamcop would show the IP address is on the SORBS list, but still allowed to be sent to my server. The second thing was the SORBS block was blocking legitimate email not on their block list, PayPal, for example. -
Back again with more nothing to do when reporting
KNERD replied to mrpHil's topic in SpamCop Reporting Help
From this tracking URL, I am getting It presented a "Report spam" button so I went ahead and clicked it -
Back again with more nothing to do when reporting
mrpHil replied to mrpHil's topic in SpamCop Reporting Help
This header info seems to be similar on the messages giving the nothing to do response when submitting. Sometimes they submit, sometimes they don't even after multiple tries Received: from cisco.com (62-210-109-165.rev.poneytelecom.eu. [62.210.109.165]) by mx.google.com with ESMTP id r1si199129wrs.348.2021.02.09.17.40.42 for <delyani@gmail.com>; Tue, 09 Feb 2021 17:40:42 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of zani9zqhou4zaaa@be4xhu5yz2rraph----------------------------.62-210-109-165.rev.poneytelecom.eu designates 62.210.109.165 as permitted sender) client-ip=62.210.109.165; Authentication-Results: mx.google.com; dkim=temperror (no key for signature) header.i=@tV9QIoVeGg7KYgl.us header.s=smtp header.b=Mzw9AtT9; dkim=neutral (bad format) header.i=@tv9qiovegg7kygl.us; spf=pass (google.com: best guess record for domain of zani9zqhou4zaaa@be4xhu5yz2rraph----------------------------.62-210-109-165.rev.poneytelecom.eu designates 62.210.109.165 as permitted sender) smtp.mailfrom=ZANi9zqhou4ZaAa@be4xhu5yz2rraph----------------------------.62-210-109-165.rev.poneytelecom.eu DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=smtp; d=tV9QIoVeGg7KYgl.us; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding; i=ub1zWc4q6qPFAss.Hnwk5lqtBmHzyC3@tV9QIoVeGg7KYgl.us; bh=yZVQr8JqF/uoHOjr8G5s3a4jp1A=; b=Mzw9AtT9YcQ2uBQUMOIkaD60NLYeqfWghJOKbOMjPDkLTOa/5WVnzAT3b9Gqx1XMcgQ42RefVnnc iZr0fehUPxBwmppr21ZiUYjY4HJYiRSty17ayI4cWNe9vJHzRQOEYirR5500pFKQQInBQ+XVCXIu jZJMf6MdWR/LeeasEVI= DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=smtp; d=tV9QIoVeGg7KYgl.us; b=HMayslVqSmu8iizzWXOHGCbhcKt/yuISjWw+VCic1yggvD13B3wuLgF0K1OpnKIoYnI0nLoNeNTQ JG1rTkUwfaKuUxBsJg5u6G0hA8c+RFGYZpLb3z/2PUKJMHIImQrtk2hZJAb4Z3YUX88chZyOCQYu Ow/sb3Xa8qwU29TrKLA=; Received: from njmta-53.sailthru.com (173.228.155.53) by dailybeast-a.sailthru.com id h1t86m1qqbs3 for <jj2582783@gmail.com>; [*date] (envelope-from <delivery@mx.sailthru.com>) Received: from 
nj1-madbrick.flt (172.18.20.7) by njmta-53.sailthru.com id h1t7vc1qqbsf for <jj2582783@gmail.com>; [*date] (envelope-from <delivery@mx.sailthru.com>) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; t=1578061810; s=Sailthru; d=thedailybeast.com; h=Date:From: 681oGPJ6Ux1a0Rv -
Back again with more nothing to do when reporting
mrpHil replied to mrpHil's topic in SpamCop Reporting Help
Another one today. Tried the same, to resubmit, but still get nothing to do https://www.spamcop.net/sc?id=z6702424637z0c18571c739c5cb7deb4b7475c29aab6z -
Back again with more nothing to do when reporting
mrpHil replied to mrpHil's topic in SpamCop Reporting Help
My apologies for not using the tracking URLs, I'll remember that, I also appreciate any help from this forum in helping the fight against the UCE onslaught. As I mentioned I tried both of those at least 4 times - reloading, clicking the tracking URL and resubmitting - and they came back each time with nothing to do. Maybe some change was recently made to the parsing logic? That seems to have happened for the previous e-mails I submitted and got that same message. Or the spammer stopped sending them... oh wait, that doesn't happen. Phil