vindicator

Members
  • Content count: 10
Community Reputation: 0 Neutral

About vindicator
  • Rank: Member
  1. I had forgotten about that whole pharmacy deal. Feels like it was even longer ago than that to me. I did get a reply from ARIN regarding the unattached IP spam: But I have not yet heard back about the inaccuracy report. I had just gotten another spam from that range 23.175.189.83. It's disheartening to find that they still have the ability to continue using the IPs. There needs to be another cut-off method that involves whatever pipe they use. I should probably look more into how these addresses get used and piped out. It's like now that I know that range is (unattached?), that I could start broadcasting ownership of them. Or for that matter, any range. I'd have to see how the routing all plays into it. I tried tracing it from 2 locations and ended up in the void.
  2. Based on my new thread in the subtopic regarding an APNIC address, I tried running whois in Linux for the IP address I mention in my OP. Interestingly, it came back that no match was found, which is bizarre enough in its own right. I don't even know what to think of that. When I used the -B and -a flags, I got more information, but still nothing usable:

     $ whois -B -a 23.170.165.40
     % This is the RIPE Database query service.
     % The objects are in RPSL format.
     %
     % The RIPE Database is subject to Terms and Conditions.
     % See http://www.ripe.net/db/support/db-terms-conditions.pdf

     % Information related to '23.0.0.0 - 23.252.65.255'

     % No abuse contact registered for 23.0.0.0 - 23.252.65.255

     inetnum:        23.0.0.0 - 23.252.65.255
     netname:        NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
     descr:          IPv4 address block not managed by the RIPE NCC
     remarks:        ------------------------------------------------------
     remarks:
     remarks:        You can find the whois server to query, or the
     remarks:        IANA registry to query on this web page:
     remarks:        http://www.iana.org/assignments/ipv4-address-space
     remarks:
     remarks:        You can access databases of other RIRs at:
     remarks:
     remarks:        AFRINIC (Africa)
     remarks:        http://www.afrinic.net/ whois.afrinic.net
     remarks:
     remarks:        APNIC (Asia Pacific)
     remarks:        http://www.apnic.net/ whois.apnic.nett
     remarks:
     remarks:        ARIN (Northern America)
     remarks:        http://www.arin.net/ whois.arin.net
     remarks:
     remarks:        LACNIC (Latin America and the Carribean)
     remarks:        http://www.lacnic.net/ whois.lacnic.net
     remarks:
     remarks:        IANA IPV4 Recovered Address Space
     remarks:        http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
     remarks:
     remarks:        ------------------------------------------------------
     country:        EU # Country is really world wide
     admin-c:        IANA1-RIPE
     tech-c:         IANA1-RIPE
     status:         ALLOCATED UNSPECIFIED
     mnt-by:         RIPE-NCC-HM-MNT
     mnt-lower:      RIPE-NCC-HM-MNT
     mnt-routes:     RIPE-NCC-RPSL-MNT
     created:        2016-04-14T14:35:56Z
     last-modified:  2016-04-14T14:35:56Z
     source:         RIPE

     role:           Internet Assigned Numbers Authority
     address:        see http://www.iana.org.
     e-mail:         bitbucket@ripe.net
     admin-c:        IANA1-RIPE
     tech-c:         IANA1-RIPE
     nic-hdl:        IANA1-RIPE
     remarks:        For more information on IANA services
     remarks:        go to IANA web site at http://www.iana.org.
     mnt-by:         RIPE-NCC-MNT
     created:        1970-01-01T00:00:00Z
     last-modified:  2001-09-22T09:31:27Z
     source:         RIPE

     % Information related to '23.170.128.0/18AS24091'

     route:          23.170.128.0/18
     origin:         AS24091
     mnt-by:         MAINT-MGR-RIPE
     created:        2017-03-08T14:30:56Z
     last-modified:  2017-03-08T14:30:56Z
     source:         RIPE

     % This query was served by the RIPE Database Query Service version 1.88 (WAGYU)
  3. Abuse contact for '168.126.0.0 - 168.126.255.255' is hostmaster [at] nic.or.kr I hope I get this right. I'll need to take another look at my other thread that behaved similarly... @Lking if I did it wrong again, do let me know. I believe I followed the structure that seemed to have been set in place (while adding a bit more). I was about to contact the apnic folks. Their whois info is the same that spamcop pulls, but apparently it gets nested, though you wouldn't know it based on the information provided. https://www.apnic.net/manage-ip/using-whois/abuse-and-spamming/reporting-abuse-and-spam/ says to look at the "netname" and correlate to the NIR. Except that didn't help since the netname contained "ERX" which didn't match with any of the NIR. A search for ERX and NIR mentioned Japan... HOWEVER, a thought occurred to me to just run whois from linux and it pulled the information from the Korean NIR. I'm going to see if that also happens with the other thread I posted that I think related to ARIN instead. The whole system seems to be one big unkept cluster-*.
  4. https://www.spamcop.net/sc?id=z6365977357z8a69e9ff1345099192b9ce1d3523e8b9z EDIT (Sanitizing): You'll note that I sanitize anything that looks like it may link to me. I know of one way I don't sanitize that MAY still be used to identify me, but I won't mention it (no one knows who may be lurking).
  5. Again, I'm pretty new to reporting, but was shocked to find the sender 23.170.165.40 to be an ARIN-owned IP, which may be why SC gives "No reporting addresses found". But the POC IS found if searched (maybe this message should be in the sublisting): https://whois.arin.net/rest/net/NET-23-0-0-0-0/pft?s=23.170.165.40 https://whois.arin.net/rest/poc/ARIN-HOSTMASTER.html I REALLY find the timing of this email to be suspect considering I contacted them earlier today (though their reply came from a 199.43* address): (man, I like how this forum works, much like GitHub)
  6. Sender IP: 103.75.37.204 The domain points to an unusable (fake) registrar site. Another address I won't be reporting to. On a side note, considering I'm just starting with reporting, are these fakes common? Somebod(y/ies) at the *NICs are asleep at the keyboard, with their nose pressing the 'Y' key, letting all these mooks in. I'm DEFINITELY glad I'm not blindly reporting via the SC-supplied email dump address. EDIT (More?): 103.73.174.80 = pravamconsulting.in isysmagic.in is the registrar for some of these, but their site only shows the folder listing of cgi-bin. How are people registering their sites? I don't know how long I'm going to keep submitting if the *NICs and registrars aren't going to keep the field clean (or aren't working altogether). On a few occasions in the past, I've read of raids against spammers and seen a dropoff of spam as a result. I wonder what it takes for any given gov/nic/registrar to take action they are capable of taking... (is that enough use of the word "take"?)
  7. Sender IP: 137.171.32.202 Part of AFRINIC and the (maintainer's?) listed address is inno_rr {at} yahoo That sends up a red flag for me. Maybe needs a devnull? If you google that username (assuming it's the same person), it's not someone who separates business from "pleasure". You can probably guess how (he?) became "rich, #$@*!" I don't intend on sending any reports to that address.
  8. I don't quite know how it all works, but can ARIN/APNIC/(whoever) revoke addresses if the provider cannot be reached? A spam IP of 148.178.197.3 shows the abuse contact of p01243 [at] psilink.com, but it's being devnull'd because of bounces. The domain itself is up for sale. ARIN info comes up with fake information: https://whois.arin.net/rest/org/AACS-1/pocs "There is no known POC for this organization..." for 7 years. The phone number listed goes to a fax/modem. Would it be fruit(ful/less) for me to notify ARIN and see about having the entire mask pulled? Maybe they can just sell the range to someone else.
  9. Got it. The term "munging" is just what I needed. I think I'll just pay more attention to the spam itself and sanitize anything that looks to be a direct identifier of me when I paste. God, I hope that link of corollaries is meant to be humorous, but really it seems to align with words that actually come out of people's mouths. The preferences look good, but I think I may want to make use of "Public standard report recipients". Would this be a good place to stick the spam';k,;lo [at] g9k/'0uce.gov (how's that for munging?) address, or do they seek the plain/clean/untouched header/email only? EDIT (SC Forum Safelist): I also meant to ask what domain whitelist I should use for SC forum replies. The one you sent went to junk and the domain associated wasn't "spamcop.net".
  10. Through manual reporting, I've come to the conclusion that I should never report via forwarding to the SC-supplied email address. I felt sketchy about reporting (not yet) this one spam when I previewed the report. I noticed that even though it contained the SC alias I set, the headers were still peppered with parts of my email, like in "Return-Path", "Errors-To", and "Received-SPF". I think this is EXACTLY what a spammer would hope would happen in a report sent to them. It would be just as bad as replying to the email. The SC-parsed/resolved reporting email addresses seemed sketchy as well. The IP network abuse domain is Romanian and whois provides hardly anything, while the admin email for the linked site also seemed strange, with the registrar's own site redirecting to another. I have no desire to submit a report to either address if there's any chance they are (unwittingly?) in cahoots.
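Posts 2, 3 and 5 all hit the same mechanic: the first whois server asked is not the one holding the record, and the answer is either an explicit referral (IANA's "refer:" line, ARIN's "ReferralServer:" line for ERX space transferred to another RIR) or a placeholder object such as RIPE's NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK that only lists the other RIRs in its remarks. The following is an added example, not code from the poster or from SpamCop, that follows such referrals and pulls out abuse contacts. It runs offline: the responses in CONSTRUCTED_RESPONSES are constructed stand-ins in the real servers' line formats (the object names and the "delegated to KRNIC" remark are made up), and RIPE_PLACEHOLDER is a trimmed copy of the object quoted in post 2. To use it against the network, replace fetch_constructed with a function that opens TCP port 43 to the named server.

```python
import re

# Constructed, abbreviated stand-ins for the responses a whois client gets while
# following the referral chain for an ERX block handled by APNIC and a Korean NIR.
# They copy the real servers' line formats (IANA "refer:", ARIN "ReferralServer:",
# APNIC "% Abuse contact for ..."); the object names and ranges are made up.
CONSTRUCTED_RESPONSES = {
    "whois.iana.org": (
        "inetnum:      168.0.0.0 - 168.255.255.255\n"
        "organisation: Administered by ARIN\n"
        "whois:        whois.arin.net\n"
        "refer:        whois.arin.net\n"
    ),
    "whois.arin.net": (
        "NetRange:       168.126.0.0 - 168.126.255.255\n"
        "NetName:        ERX-EXAMPLE\n"
        "ReferralServer: whois://whois.apnic.net\n"
    ),
    "whois.apnic.net": (
        "% Abuse contact for '168.126.0.0 - 168.126.255.255' is 'hostmaster@nic.or.kr'\n"
        "inetnum:        168.126.0.0 - 168.126.255.255\n"
        "netname:        ERX-EXAMPLE-KR\n"
        "country:        KR\n"
        "remarks:        delegated to KRNIC, see whois.nic.or.kr\n"
        "abuse-mailbox:  hostmaster@nic.or.kr\n"
    ),
}

# Trimmed copy of the RIPE placeholder object quoted in post 2 above.
RIPE_PLACEHOLDER = (
    "% Information related to '23.0.0.0 - 23.252.65.255'\n"
    "% No abuse contact registered for 23.0.0.0 - 23.252.65.255\n"
    "inetnum:        23.0.0.0 - 23.252.65.255\n"
    "netname:        NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK\n"
    "descr:          IPv4 address block not managed by the RIPE NCC\n"
    "remarks:        ARIN (Northern America)\n"
    "remarks:        http://www.arin.net/ whois.arin.net\n"
    "remarks:        APNIC (Asia Pacific)\n"
    "remarks:        http://www.apnic.net/ whois.apnic.net\n"
)

REFERRAL_RE = re.compile(r"^(?:refer|ReferralServer):\s*(?:whois://)?([\w.-]+)", re.M | re.I)
ABUSE_RES = (
    re.compile(r"^%\s*Abuse contact for .*? is '?([^'\s]+)'?", re.M),
    re.compile(r"^(?:abuse-mailbox|OrgAbuseEmail):\s*(\S+)", re.M | re.I),
)
PLACEHOLDER_RE = re.compile(r"^netname:\s*NON-RIPE-NCC-MANAGED", re.M | re.I)
SERVER_RE = re.compile(r"\bwhois\.[\w.-]+\b")


def referral_server(text):
    """Server named by an IANA 'refer:' or ARIN 'ReferralServer:' line, else None."""
    m = REFERRAL_RE.search(text)
    return m.group(1) if m else None


def abuse_contacts(text):
    """Abuse addresses from the APNIC/RIPE banner line and abuse-mailbox/OrgAbuseEmail attributes."""
    found = []
    for rx in ABUSE_RES:
        for m in rx.finditer(text):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


def is_placeholder(text):
    """True for RIPE's 'not managed by the RIPE NCC' object: the real record lives at another RIR."""
    return bool(PLACEHOLDER_RE.search(text))


def candidate_servers(text):
    """Every whois hostname the object mentions, e.g. the RIR list in the placeholder's remarks."""
    return sorted(set(SERVER_RE.findall(text)))


def resolve(ip, fetch, start="whois.iana.org", max_hops=6):
    """Follow referrals from IANA downwards; fetch(server, query) returns raw whois text.

    Returns (final_server, final_text, servers_visited) and raises on a referral
    loop or on more than max_hops redirections."""
    server, chain = start, []
    while server not in chain and len(chain) < max_hops:
        chain.append(server)
        text = fetch(server, ip)
        nxt = referral_server(text)
        if nxt is None:
            return server, text, chain
        server = nxt
    raise RuntimeError("whois referral loop or too many hops: " + " -> ".join(chain))


def fetch_constructed(server, ip):
    """Offline stand-in for a network whois query (a real one would talk to TCP/43)."""
    return CONSTRUCTED_RESPONSES[server]
```

Starting at whois.iana.org rather than at a regional server avoids the dead end in post 2: querying RIPE for a 23.x address returns the placeholder, which carries no referral line, so the only recoverable information is the list of other RIRs in its remarks (candidate_servers) and the caller has to go back to IANA to learn which one.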
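Posts 9 and 10 describe the leak that munging is meant to close: when a spam is forwarded as a report, the reporter's own address survives in headers such as Return-Path, Errors-To and Received-SPF even though the visible To/From show the SpamCop alias. The following is an added example, not code from the poster or from SpamCop, that lists which headers still carry the address and then rewrites them while leaving the spam's body untouched so the report stays parseable. The message is constructed for the example; "reporter@example.net" is a stand-in for the reporter's real address.

```python
import re

# Constructed sample of a forwarded spam's header block; the reporter's address
# shows up in several headers, as post 10 describes. Not a real message.
REPORTER = "reporter@example.net"
CONSTRUCTED_MESSAGE = (
    "Return-Path: <reporter@example.net>\n"
    "Delivered-To: reporter@example.net\n"
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.net for <reporter@example.net>; Tue, 14 Mar 2017 10:00:00 +0000\n"
    "Received-SPF: pass (example.net: domain of reporter@example.net designates 192.0.2.10)\n"
    "Errors-To: reporter@example.net\n"
    "From: Spammer <sales@spam.example>\n"
    "Subject: cheap pills\n"
    "\n"
    "Buy now!\n"
)


def split_message(raw):
    """Split at the first blank line (LF or CRLF) into header block and the rest."""
    m = re.search(r"\r?\n\r?\n", raw)
    if not m:
        return raw, ""
    return raw[:m.start()], raw[m.start():]


def unfold(head):
    """Join folded continuation lines so each element is one complete header."""
    headers = []
    for line in re.split(r"\r?\n", head):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def leaking_headers(raw, address):
    """Names of headers whose unfolded value contains the address (case-insensitive)."""
    head, _ = split_message(raw)
    names = []
    for h in unfold(head):
        name = h.split(":", 1)[0]
        if address.lower() in h.lower() and name not in names:
            names.append(name)
    return names


def munge(raw, address, placeholder="x"):
    """Replace the full address, then any bare local part, in the headers only."""
    head, rest = split_message(raw)
    local, _, domain = address.partition("@")
    head = re.sub(re.escape(address), f"{placeholder}@{domain}", head, flags=re.I)
    # the local part alone also identifies you in lines like "for <local>" or envelope logs
    head = re.sub(rf"(?<![\w.+-]){re.escape(local)}(?![\w.+-])", placeholder, head, flags=re.I)
    return head + rest
```

Two design points: the body is deliberately left alone, because a report with an altered spam is worse than none, and the domain part is kept, which is only safe when it is a large shared provider; if the domain is your own, pass the whole address through the same treatment or hand the domain a placeholder too. Run leaking_headers on the result before sending; an empty list is the check that matters.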