One of the forums I moderate gets nailed with spam all the time (ain't mine or I'd update it).

So we get hit from this IP address that ARIN shows to be owned by Amazon.com. Normally I just banhammer the IP addy and forget about it, but being Amazon.com, I thought I'd be the good Samaritan and give them a heads up.

The email abuse[at]amazon.com bounces as an outgoing only, so I search through their helpfile for a form to fill in for abuse. There went 1/2 an hour




I get this reply:


Yadda, yadda, form letter with link from there on.

So I try and give more info:



I guess they think it's an email spam, because I get the following reply:


(Yadda, yadda, form letter with link from there on.)


Okayyyy! We're getting somewhere at least. So I offer them the info:



I think that hopefully they will get everything straight now.

NOT!

I get in reply:



Are they are full of idiots over there?

Has anyone else been able to get through to them?

*insert head banging on a brick wall smiley*

Cheers!

I think so.

Probably not.

If I don't hear from them soon, I will tell you my story!

Miss Betsy

WHOIS data includes data for 'network operatons' ... have you tried sending your complaint there? As most complaints of something other than e-mail, they would like more data, such as log contents.

Comment: This network is a member of a dynamic hosting
Comment: environment. See http://ec2.amazonaws.com/
Comment: All reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email)
Comment: Without these we will be unable to identify
Comment: the correct owner of the IP address at that
Comment: point in time.

RAbuseHandle: AEA8-ARIN
RAbuseName: Amazon EC2 Abuse
RAbusePhone: +1-206-266-2187
RAbuseEmail: ec2-abuse[at]amazon.com

RNOCHandle: ANO24-ARIN
RNOCName: Amazon EC2 Network Operations
RNOCPhone: +1-206-266-2187
RNOCEmail: aes-noc[at]amazon.com

Hi Wazoo,

Thanks. But it's not my forum, so I have no log access.

Looks like Miss Betsy and I will just have to wait until some webmaster shows up at their front door with a tire iron

Cheers!

Geek,
I don't think you carefully read Wazoo's response, which contained an alternate abuse address for this particular branch of Amazon. Did you try sending to the "ec2-abuse" address? The IP in question is part of their "Amazon Web Services" cloud -- more specifically, the "Amazon Elastic Compute Cloud" (EC2), described here:

http://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud

I think part of the problem is the verbiage used in your complaints. You first told them that the IP was a "proxy relaying spam like a sonofagun" -- not very helpful, because to almost anyone in the world, "spam" is assumed to refer to email, and so you started off on the wrong foot.

I checked two of the best blocklist lookups, Robtex and OpenRBL, and they don't support your claim that the IP is on multiple lists. Robtex doesn't show the IP on *any* lists, and ObenRBL has it only on Spamhaus' Zen list, and then only due to a PBL listing, which simply means it's in a block of IPs that shouldn't be directly delivering email messages....which doesn't have to do with forum spam.

So, try contacting the correct division at Amazon, and instead of colorful and imprecise language, try simply stating the facts. It's very hard to get through to the "mega" online entities (Hotmail, Yahoo, etc.), but it probably doesn't help if you use unclear language and statements that don't seem to be supported by the evidence. Don't just tell them to look up the IP in Google....give them specific instances of abuse.

DT

(on edit) Never mind my suggestion about the "ec2-abuse" address...that was based on my initial research, and while it might be valid, I surfed through the EC2 site:

http://aws.amazon.com/ec2/

and found this page:

http://aws.amazon.com/contact-us/report-abuse/

Details are given there as to exactly what they need in reports of abuse, so just as I expected, you're "barking up the wrong tree." I think you'll be much more likely to get results if you follow the instructions found at the URL, above.

Hi,

I went by this:
http://www.reputationauthority.org/lookup....p;Submit=Search

As said before, is moot. I have no access to some of the things needed for the report:

Destination IP address
(I have a destination URL, the IP is dynamic)

Destination port
(That's not even part of the logging system as I understand)

Description and log extract
(No access again)

So next time I get spam from them as a moderator, I'm just going to forget being the good Sam and plonk it back into the "Honeypot" and "Stop Forum spam" places bins.

Thanks all!

Deeper research there shows that this IP Address 'reputation points" are based on a PBL listng, which is basically due to the IP Address not 'being' a recognzed (dedicated) e-mail server. This doesn't really factoir into your "posting spam to a Forum" situation at all.

Interesting that I just Banned a user based on the use of an e-mail address that fits this descripton ... also running a Forum application that relied on a Dynamic DNS server/service for connectivity.

Depends more on what OS is involved, configuration settings, which logs are being looked at. For instance, on a *NIX system, those web-Forum posts would normally be found under the (also asumed) Apache log files .. and with only an "http://" string for a connection, Port 80 is assumed. Other types of traffic would be found under "system" logs, the associated Ports would also be somewhat assumed based on the attempted type of connection, most services also have 'default' connection ports involved.

Yeah, but .... where's the site owner in all of this?

The whole point of my original post was to suggest that your complaints be sent to someone that actually deals with 'network' traffic, rather than folks that were set up to deal with issues of the Amazon web-sites and e-mail, reseller sites and e-mail, associated sites and e-mail, etc.

They are in here too:
http://www.projecthoneypot.org/ip_75.101.186.172
http://www.stopforumspam.com/search?q=75.101.186.172

Which are dedicated forum comment spam reporting places.

I'll give a shot with that email.

Delegated responsibility to a pair of us and only come if called for some BIG action.

Cheers!

Obviously, they didn't bother and are now hosting phishing sites with their infected computers

http://www.spamcop.net/sc?id=z3132540596z1...4e0a6c47721416z

Cheers!

Is that the link you meant to post? eBay hosting? Has there been some unnatural eBay-Amazon conjugation while I slept?

I don't understand either. The first IP address was 75.101.186.172 and this spamcop report is for 59. something.

Miss Betsy

The report you see changed from the link literally overnight.

http://www.scorpiorising.ca/images/spamcop_report.jpg

Someone please tell me what happened?

Ah yes, I see now. Going overboard on the explanation so it is clear for hypothetical other readers.

Firstly, your link indeed confirmed (botnet) hosting by Amazon, in the 'reports sent":

Reportid: 4388637584 To: abuse[at]amazon.com
Reportid: 4388637656 To: ec2-abuse[at]amazon.com

- those relating to cgi.ebay.com.jghtyu.com, which is to say jghtyu.com, domain registered by namebay.com which lives in the Principality of Monaco and has the proud, evidently true, claim "Registering a domain name with Namebay is as simple as eating pie !"

Now jghtyu.com is hosted on a fast-flux botnet (a quick nslookup or equivalent on the domain name will indicate that) which, currently resolves as:

canonical name cgi.ebay.com.jghtyu.com.
aliases
addresses
24.4.240.109
24.18.33.116
69.229.210.150
78.97.205.243
79.116.237.205
84.229.13.157
86.124.197.95
88.156.39.27
93.103.61.15
94.21.81.34
121.182.88.116
189.202.41.188
190.82.26.244
200.77.205.199
221.160.142.228

Now SpamCop, when it can resolve one of these things at all, can resolve only the "topmost" of the continually rotating list. When the parser handled 'your' report, it seems an Amazon IP was top of the stack. Repeat the process sometime later (even a few seconds) and something else might be on top. Apparently, or to all intents and purposes, whenever you or anyone else looks up a "past report" tracking link the data are reprocessed. But "reports sent" are 'writing on the wall', fixed.

(Heh - jghtyu.com - DNS records from DomainDossier:
IN HINFO
CPU: Casio
OS: Calculator
- very droll but I digress)

Now the good news - Amazon, no doubt stung by your past and trenchant criticism , seems to have been able to quickly wrench its IP(s) out of that botnet. The bad news is SC reporting can (usually) do next to nothing about botnets - you need Complainterator or manual reports for that, to get to the (jghtyu.com) domain registrar and/or nameservers (hosted on lock-kind.com) rather than the unsuspecting hosts who are usually less responsive than Amazon and whose individual IP addresses are redundant/easily replaced in the botnet any event. The surviving IPs are all the usual suspects in Romania, Korea, Israel, Slovenia, Chile, Columbia, Mexico and, of course, Comcast (oh, and there's an AT&T one in there too).

Sorry, I was a bit slow on the uptake on this one (I put it down to either a cerebral flatus or premature senescence, time will tell) - confused by the real e-Bay links which may be innocent, I haven't looked - but e-Bay thinks it doesn't need to know anyway.

Wow, serious thanks Farelf for the detailed reply!

Cheers!