Everything posted by RobiBue

  1. RobiBue

    No reporting -> Less spam

    I too dislike it when folks sign up on a mailing list and then mark it as spam instead of unsubscribing, but I dislike it even more, when an emailer, after me having unsubscribed from *ALL* their emails, decides that I might still be interested, regardless of my decision. WRT gmail blocking/rejecting legitimate email: I haven't had that encounter yet, or the person that got rejected never got in touch with me about it...
  2. If amazon[dot]com is dev/null'ed, then placing it in the [User_Notification] field wouldn't change anything. It would still dev/null the address. @Lking, question about the "Note". Do I understand this correctly, that you send (apart from sending the spam to SC as "bcc") the spam (as attachment) to the three listed entities? How do you know where to send the spam before parsing it? When I send the spam to SC, it gets parsed and /* then */ I know whom to send it as well... (Color me confused)
  3. RobiBue

    No reporting -> Less spam

    I'm seconding petzl. Spam in my gmail inbox/spam folder has also dropped drastically. Currently I'm fighting a spammer that originally wasn't one, but has no idea -- clueless -- what it means when I unsubscribe, and weeks later, they start firing up a daily trivia email campaign... So now they are spamming me, and I have no remorse about telling their host about their newly turned spammer... Just a matter of time now. Either they'll figure it out, or their host will...
  4. RobiBue

    I am getting more spam when I report

    Uhmmm... the script is safe, but I do have 2 confessions to make:

    a) Currently I have no access to the PC I wrote the script on, and
    b) The script is a VBA script for Win Word where I just dropped the spam in, ran the script, and attached the resulting text files to an email addressed to my reporting SC address...

    The script works roughly as follows: search for an https?:// domain name with a regex and replace the numerical path (or ?argument) with the —ID...— line. That’s basically the idea.

    Fun to play with and test reg(ular) ex(pressions): https://regex101.com/r/wN6cZ7/478 (already set up for domain names), and SO has a nice answer for the whole URL: https://stackoverflow.com/questions/27745/getting-parts-of-a-url-regex

    Sorry that I can’t be of more help atm... working these answers off a tablet...
  5. Link removed due to giving out private information.... ? Sc admins? I was wondering if an admin, or someone with the ability to check the SC address entries can see and post here why the amazonAWS address is devnulled. When I report manually to abuse amazonaws com I get both sentient and robot replies. Can the devnull redirection be removed so that reports go again to their abuse desk? They seem to be taking care of their spammers, but only if the spam can be reported... I am not sure if abuse reports going to ipmanagement are actually going anywhere. I have seen 3 different abuse addresses listed for amazon aws and ec2, where ipmanagement seems like a fluke that ended up without an abuse address at amazon web services...
  6. RobiBue

    I am getting more spam when I report

    Yeah, unfortunately the spam examples get removed by SC to conserve space (there are only so many reports a DB can hold without having to add more HDD...) and when I checked my inbox, the spam from back then had already been deleted as well... but I found examples in my sent folder: I had written a quick and dirty script, which would replace the numbers after the host name with the text “?—ID-number-<n>-(munged)—“ where <n> is the last digit of the number... and then sent it off to SC for reporting...
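As an added example (not RobiBue's VBA macro, which is not reproduced anywhere on this page), here is the same idea from posts 4 and 6 written in Python: find http(s) URLs in the raw spam, keep the host (that is what the abuse desk needs), and replace path segments that look like tracking ids and every query-string value with a marker that keeps only the last character of the original token. The id patterns (long decimal, long hex, long opaque alphanumeric) and the marker text are my assumptions; the sample text is constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Finds http(s) URLs in free text; stops at whitespace, quotes and brackets.
URL_RE = re.compile(r'https?://[^\s<>"\'()\[\]]+')

# A path segment matching one of these is treated as a tracking id (assumed patterns):
ID_PATTERNS = (
    re.compile(r'^\d{6,}$'),            # long decimal number
    re.compile(r'^[0-9a-fA-F]{12,}$'),  # long hex string (could be an encoded address)
    re.compile(r'^[0-9A-Za-z]{16,}$'),  # long opaque alphanumeric token
)


def looks_like_tracking_id(segment: str) -> bool:
    return any(p.match(segment) for p in ID_PATTERNS)


def munge_url(url: str) -> str:
    """Keep scheme and host, munge id-like path segments and all query values."""
    parts = urlsplit(url)
    segments = parts.path.split("/")
    new_path = "/".join(
        f"ID-{seg[-1]}-munged" if looks_like_tracking_id(seg) else seg
        for seg in segments
    )
    new_query = ""
    if parts.query:
        # Parameter names stay (they show the tracking structure), values go.
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        new_query = urlencode([(k, "munged" if v else "") for k, v in pairs])
    # The fragment is dropped: it never reaches the server, so it cannot help the abuse desk.
    return urlunsplit((parts.scheme, parts.netloc, new_path, new_query, ""))


def _sub(match: "re.Match") -> str:
    # Trailing sentence punctuation is not part of the URL; put it back unmunged.
    raw = match.group(0)
    core = raw.rstrip(".,;:!?")
    return munge_url(core) + raw[len(core):]


def munge_urls_in_text(text: str) -> str:
    """Rewrite every URL in a raw spam body/header dump."""
    return URL_RE.sub(_sub, text)


# Constructed sample, not a real spam.
SAMPLE = (
    "see http://www.example.com/907743add1337 and "
    "https://kewkr.example.net/c/da57dc555e50572d?s1=12951&s5=&click_id=22381729."
)

if __name__ == "__main__":
    print(munge_urls_in_text(SAMPLE))
```

Short codes such as a bit.ly path stay untouched, because without them the link cannot be identified to the shortener's abuse desk at all; only long numeric or hex tokens, which are the ones that can carry an encoded address, are replaced.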
  7. RobiBue

    I am getting more spam when I report

    Yep, just like I thought, those sigarpi.com links are some of those tracking links. Hitting them triggers a script on their server that “assumes” that you’re interested in their products, and they send a spew of their junk to the address linked to the number. At least that’s the way it looks. See here... unfortunately nothing has been done about it. Deselect the cloudflare report and you should be ok... I know, it’s not perfect, but you’d get less spam and eventually they’ll die out. Haven’t had one since last October...
  8. RobiBue

    I am getting more spam when I report

    1. Welcome to the spamcop forum. We're mainly just SC users trying to help others in the fight against spam. Sometimes we can, sometimes we can't... That said, some spam messages contain URLs which, if triggered, will cause more spam to be sent to you. Sometimes the ISP is "spammer friendly" and provides the spammer with your email address to "listwash" their DB or provides them with the email headers and they extrapolate your address through tracking codes they inserted in the headers. If you have a Tracking URL (see Jeff G's welcoming post) and would provide it, it would be easier to analyze the reasons for your "multiplying spam" problems and find out a way to alleviate it. I used to have similar problems with some spammers and by not reporting the links, only the source of the email, it reduced the spam volume drastically. I also went in manually to report the links to the hosting companies, removing the tracking extension from the report to prevent anybody from triggering more spam if they accidentally (or purposely) click on the link.
  9. I never report from the spammed email address, and always munge the latter. Several providers have asked for full headers and I always tell them that the email address is of no concern to them as I do not wish retaliation or listwashing from their customers. They sometimes claim it would be easier with my address, but I insist that they can enforce their AUP solely by the email received headers and the email content. This last scenario happened only twice in my umpteen years of reporting.
  10. Oddly enough, I haven’t been getting any amazon/bit.ly spam as of a few days ago. In fact, I haven’t had any spam since Saturday 9th at noon. /me happy/
  11. The info behind the ? in the links is what gives the spammer your info. Those are the ones I don't add in the reports... btw, got the same one today too... recognize the identical bit.ly address...
  12. SC munges the headers (unless it's an ISP that requires full headers) for me when I report the message. Usually the message ID looks something like this:

        Message-Id: <wecW_______________________________________________upLM@vevida.net>

    The underscore line is placed there by SC. And non-ISP headers are often used by the spammer to trace reported spam and retaliate... that's why I tend to do that. If the ISP wants more info, they can ask for it.
  13. Although they have your email, that doesn't mean that if you report to their ISP they know whodunit if you munge the name and address. Of course, you'd also have to munge the message ID and a few other non-ISP headers that would/could reveal your info... Re: porn spam, amazon has AFAIU pretty strict guidelines and does not tolerate offenders.
  14. Hi klappa,

    1) munged headers means that I copy the raw spam (with headers) into notepad (on win) or your editor of choice and change all entries of my email address or part thereof as well as my name into a fake email address and fake name:

        X-Apparently-To: me@example.com; Sat, 02 Mar 2019 18:48:09 +0000
        Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1 for <me@example.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST)
        To: me@example.com
        Subject: MY NAME: $15,000 Loan - Pay Back in 3 Years

        hello MY NAME, we have a loan for you with exorbitant interest. pay it back in three years and we will only charge you 115% interest

    Turns into:

        X-Apparently-To: x-x-x-x-x-x@x-xmail.com; Sat, 02 Mar 2019 18:48:09 +0000
        Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1 for <x-x-x-x-x-x@x-xmail.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST)
        To: me@example.com
        Subject: x-x-x-x-x-x: $15,000 Loan - Pay Back in 3 Years

        hello x-x-x-x-x-x, we have a loan for you with exorbitant interest. pay it back in three years and we will only charge you 115% interest

    And then I add the following at the top of the headers:

        Comments: The recipient of the email wishes to stay anonymous and therefore has munged his name and/or address for privacy reasons to strings like "x-x-x" or "x". Please respect his privacy.

    That’s “munging”.

    2) alas it’s true that certain links can be “traced” by spammers, the link I started with had no traceable info. http://se2. mogenromance-svenska. club/ is not traceable

    let me rephrase that before I get in trouble for making false statements: ok, every link you click on gives the host your IP address, therefore (per se) traceable, but what I mean is that it doesn’t give the spammer any clue of your e-mail address.

    Traceable links, the way I mean it, can be, for instance:

        http://www.example.com/907743add1337            <- this hex string could be your encoded address
        http://www.example.com/illgetyou?a=encodedaddresshere

    If the link already starts like that, then caution is warranted. Since the redirects originated from a “safe” link, the information passed has nothing to do with your info. The links in between can be either reported at the same time or at a later point in time when the spammer is scrambling to get his new site redirected. Sometimes I complain to the registrar as well in the hopes that someone there is witty enough to catch the pattern and MO of the spammer.
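The manual munging described in post 14 (and the Message-Id treatment that SpamCop applies, shown in post 12) can be scripted so that nothing is missed before the report goes out. This is an added Python example, not the poster's own procedure; the placeholders and the Comments: header are taken from the post, the Message-Id rule (keep four characters at each end, underscores in between) is my reading of the example in post 12, and the sample message is constructed.

```python
import re
from typing import Iterable, List

PLACEHOLDER_ADDR = "x-x-x-x-x-x@x-xmail.com"
PLACEHOLDER_NAME = "x-x-x-x-x-x"
COMMENT_HEADER = (
    "Comments: The recipient of the email wishes to stay anonymous and "
    "therefore has munged his name and/or address for privacy reasons to "
    'strings like "x-x-x" or "x". Please respect his privacy.'
)
# Local part of the Message-Id, i.e. everything between "<" and "@".
MESSAGE_ID_RE = re.compile(r"^(Message-Id:\s*<)([^@>]+)(@[^>]*>)", re.IGNORECASE | re.MULTILINE)


def munge_message_id(text: str) -> str:
    """Keep 4 chars at either end of the local part; the rest becomes underscores."""
    def repl(m):
        local = m.group(2)
        if len(local) <= 8:
            return m.group(1) + "_" * len(local) + m.group(3)
        return m.group(1) + local[:4] + "_" * (len(local) - 8) + local[-4:] + m.group(3)
    return MESSAGE_ID_RE.sub(repl, text)


def munge_spam(raw: str, addresses: Iterable[str], names: Iterable[str]) -> str:
    """Replace the reporter's addresses and names everywhere (headers and body),
    munge the Message-Id, and prepend the Comments: header."""
    text = raw
    for addr in addresses:
        text = re.sub(re.escape(addr), PLACEHOLDER_ADDR, text, flags=re.IGNORECASE)
    for name in names:
        text = re.sub(r"\b" + re.escape(name) + r"\b", PLACEHOLDER_NAME, text, flags=re.IGNORECASE)
    text = munge_message_id(text)
    return COMMENT_HEADER + "\n" + text


def leaks(text: str, secrets: Iterable[str]) -> List[str]:
    """Final check before sending: which secrets still appear (case-insensitive)?"""
    low = text.lower()
    return [s for s in secrets if s.lower() in low]


# Constructed sample modelled on the headers quoted in the post above.
SAMPLE = """\
X-Apparently-To: me@example.com; Sat, 02 Mar 2019 18:48:09 +0000
Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1 for <me@example.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST)
Message-Id: <abcdefghijklmnopqrstuvwxyz@example.net>
To: me@example.com
Subject: MY NAME: $15,000 Loan - Pay Back in 3 Years

hello MY NAME, we have a loan for you with exorbitant interest.
"""

if __name__ == "__main__":
    out = munge_spam(SAMPLE, ["me@example.com"], ["MY NAME"])
    print(out)
    print("leaks:", leaks(out, ["me@example.com", "MY NAME"]))
```

The `leaks` check is the part worth keeping even if the rest is done by hand: a plain text replace only sees what is literally in the text, so a base64-encoded body (the kind post 21 below talks about) has to be decoded first, or the address survives the munging unseen.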
  15. I use (since recently because it handles https as well) https://www.webconfs.com/http-header-check.php for redirects... Used to use Sam Spade, but sadly, it doesn't handle https well, still use Sam Spade for other stuff, but just like NetDemon, it's not maintained anymore...
  16. To Amazon I would write the following (adding the spam at the end):

    you are harboring a spamvertised porn site:

    spamvertised link: http://se2. mogenromance-svenska. club/

    redirects as follows:

        HTTP/1.1 302 Found =>
        Server => nginx
        Date => Sat, 09 Mar 2019 07:04:17 GMT
        Content-Type => text/html; charset=utf-8
        Content-Length => 75
        Connection => close
        Location => https:// crazytrackings. com/ ?a=100225&c=102723&s1=232
        X-Served-By => Namecheap URL Forward

        HTTP/1.0 302 Found =>
        Cache-Control => private
        Content-Length => 226
        Content-Type => text/html; charset=utf-8
        Date => Sat, 09 Mar 2019 07:04:42 GMT
        Location => https:// cyberblueberry. com/ ?a=100225&c=102723&s1=232&ckmguid=5eaf0d44-97f6-419a-bf50-4dc7daa946ba

        HTTP/1.0 302 Found =>
        Cache-Control => private
        Content-Length => 250
        Content-Type => text/html; charset=utf-8
        Date => Sat, 09 Mar 2019 07:05:03 GMT
        Location => https:// kewkr. girlstofu**. net/ c/da57dc555e50572d?s1=12951&s2=153430&s3=100225&s5=&click_id=22381729&j1=1&j3=1
        P3p => CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
        Set-Cookie => c100916=B0u1wB9CbYmmbLsSFz+i2AKhvFRakvmMJc94KAGrH+9633KgqJ4kxg==; domain=.cyberblueberry.com; expires=Mon, 08-Apr-2019 07:05:04 GMT; path=/; HttpOnly

        HTTP/1.1 200 OK =>
        Server => nginx
        Date => Sat, 09 Mar 2019 07:05:24 GMT
        Content-Type => text/html; charset=UTF-8
        Content-Length => 12475
        Connection => close
        Set-Cookie => scriptHash=49415_12951_153430; expires=Mon, 08-Apr-2019 07:05:24 GMT; Max-Age=2592000; path=/; HttpOnly
        X-Powered-By => PHP/7.0.32

    and this last redirect is on IP address

        Host kewkr. girlstofu**. net (checking ip) = 34.194.20.115

        whois -h whois.arin.net 34.194.20.115
        ...
        [...]
        NetRange:       34.192.0.0 - 34.255.255.255
        CIDR:           34.192.0.0/10
        NetName:        AT-88-Z
        NetHandle:      NET-34-192-0-0-1
        Parent:         NET34 (NET-34-0-0-0-0)
        NetType:        Direct Allocation
        OriginAS:
        Organization:   Amazon Technologies Inc. (AT-88-Z)
        RegDate:        2016-09-12
        [...]
        OrgAbuseHandle: AEA8-ARIN
        OrgAbuseName:   Amazon EC2 Abuse
        OrgAbusePhone:  +1-206-266-4064
        OrgAbuseEmail:  abuse@amazonaws.com
        OrgAbuseRef:    https://rdap.arin.net/registry/entity/AEA8-ARIN
        [...]

    I believe this is your IP space. please enforce your AUP. offending message with munged headers follows

    (and I always munge the headers with my name and address since I send it from a dedicated spam reporting email address which is in name and address different from any other)

    and see if they say that it's not their IP space
  17. Ever wanted to follow the http or https headers but not visit potentially dangerous websites? Here I found a perfect toy: https://www.webconfs.com/http-header-check.php

    For example, today I received a sex-spamvertised email (no need to post the tracking URL, as here I'm only interested in the redirects that the spammer goes through), so in the spam I have the following html line (without the spaces, so that nobody damages their computer by following the link):

        <a href="https: //bit.ly/ 2IQVHa2">

    I enter the address in the text box, and receive the following result:

        HTTP/1.1 301 Moved Permanently =>
        Server => nginx
        Date => Wed, 06 Mar 2019 05:00:02 GMT
        Content-Type => text/html; charset=utf-8
        Content-Length => 139
        Connection => close
        Cache-Control => private, max-age=90
        Content-Security-Policy => referrer always;
        Location => http: //trk.linoaura.com/ c/ 1a57c646b0bf375e?src=issam
        Referrer-Policy => unsafe-url
        Set-Cookie => _bit=j26502-4d7f647156d7ea24c4-00y; Domain=bit.ly; Expires=Mon, 02 Sep 2019 05:00:02 GMT

    oh, Referrer-Policy => unsafe-url !!!

    (again, the location with spaces to prevent someone from inadvertently following the link)

    so I enter that Location => link into the box and get:

        HTTP/1.1 302 Found =>
        Server => nginx
        Date => Wed, 06 Mar 2019 05:05:45 GMT
        Content-Type => text/html; charset=UTF-8
        Content-Length => 0
        Connection => close
        Location => https: //lintwor.com /198f1cdb040fb11800 //aijxs5c7f55298ff4e752045131/
        Set-Cookie => tid=aijxs5c7f55298ff4e752045131; path=/; HttpOnly
        Status => 302 Found

    yet another redirect (I again added spaces) so I follow that one:

        HTTP/1.1 200 OK =>
        Date => Wed, 06 Mar 2019 05:08:39 GMT
        Content-Type => text/html; charset=UTF-8
        Content-Length => 133
        Connection => close
        Server => Apache
        Set-Cookie => uid9599=814165625-20190305230839-05d567ed43eab684d1ec95bd5d3f4aff-; expires=Sat, 06-Apr-2019 04:08:39 GMT; Max-Age=2674800; path=/

    end station HTTP/1.1 200 OK =>

    so all I need to do now is get the IP for the last domain with netDemon, SamSpade, or just a simple ping from the cmd line, and send manual complaints with my specific anti-spam email to

        abuse[at]name.com (since they are the registrar for the domain) and
        nforce.com: who is the administrative IP block owner of spamvertised IP address
        as well as knownsrv.com: who is the owner of IP block of spamvertised IP address

    the latter two found in the RIPE db with the IP address from the ping.
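The hop-by-hop walk in posts 16 and 17 (one HEAD request per hop, read the Location header, never render the page) can be done locally instead of through a third-party header checker. This is an added Python example, not part of the posts or of the webconfs tool: `fetch_head` sends a HEAD request with automatic redirection switched off, `follow_redirects` records each hop and stops at a non-redirect status, on a loop, or when the hop budget is spent, and `hosts_to_report` lists the distinct hosts so each can be looked up with whois as the posts do. The chain in `FAKE_SERVERS` is a constructed, offline stand-in using example domains, so the block runs without network access.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, NamedTuple, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


class Hop(NamedTuple):
    url: str
    status: int
    location: str  # empty when the response carried no Location header
    host: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None tells urllib not to build the follow-up request; the 3xx
    # then surfaces as an HTTPError that we catch and inspect ourselves.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_head(url: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str]]:
    """Real fetcher: HEAD request, no redirects followed, no body fetched."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # every 3xx/4xx/5xx lands here
        return err.code, dict(err.headers)


def _header(headers: Dict[str, str], name: str) -> str:
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def follow_redirects(url: str, fetch: Fetcher = fetch_head, max_hops: int = 10) -> Tuple[List[Hop], str]:
    """Walk the chain; returns the hops and why it stopped: final, loop or max_hops."""
    hops: List[Hop] = []
    seen = set()
    current = url
    while len(hops) < max_hops:
        status, headers = fetch(current)
        location = _header(headers, "Location")
        hops.append(Hop(current, status, location, urlsplit(current).hostname or ""))
        if status not in REDIRECT_CODES or not location:
            return hops, "final"
        seen.add(current)
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            return hops, "loop"
        current = nxt
    return hops, "max_hops"


def hosts_to_report(hops: List[Hop]) -> List[str]:
    """Distinct hosts in chain order, one whois/abuse lookup each."""
    out: List[str] = []
    for hop in hops:
        if hop.host and hop.host not in out:
            out.append(hop.host)
    return out


# Constructed offline stand-in for the shortener -> tracker -> landing page chain.
FAKE_SERVERS = {
    "https://short.example/2IQV": (301, {"Location": "http://trk.example.com/c/1a57c6?src=x",
                                         "Referrer-Policy": "unsafe-url"}),
    "http://trk.example.com/c/1a57c6?src=x": (302, {"Location": "https://lander.example.net/198f1c/"}),
    "https://lander.example.net/198f1c/": (200, {"Content-Type": "text/html"}),
    "https://a.example/loop": (302, {"Location": "/loop"}),
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    return FAKE_SERVERS.get(url, (404, {}))


if __name__ == "__main__":
    chain, reason = follow_redirects("https://short.example/2IQV", fetch=fake_fetch)
    for hop in chain:
        print(hop.status, hop.url, "->", hop.location or "(end)")
    print(reason, hosts_to_report(chain))
```

Two things the posts' manual walk leaves to the operator are handled here: a loop (a Location pointing back to a URL already visited) and a hop budget, so a chain built to bounce forever cannot keep the script busy. Note that a HEAD request still reaches the spammer's server and reveals the requesting IP, exactly as post 14 says of any click; it only avoids fetching and rendering the page content.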
  18. RobiBue

    http/https header check

    Hi MIG, with re to the first q, no, it wasn’t then. It is now, though, but bit.ly already removed their link shortcut, so the original spam link wouldn’t work anyway. I do have the feeling that my complaint to name.com, nforce and knownsrv was fruitful since the spammer had to change their link redirect.

    To your latter q: Let’s start with SC on lintwor.com: https://www.spamcop.net/sc?track=lintwor.com there I get both IP address and reporting/abuse address. Now I’m not done, as I want to make sure that I don’t just email the spammer, so I look up the ripe.net db: https://apps.db.ripe.net/db-web-ui/#/query?searchtext=194.145.208.166%23resultsSection gives me more or less the same info, but at the end of the page, I see the MNT-NFORCE entry, so I check there https://apps.db.ripe.net/db-web-ui/#/lookup?source=RIPE&key=MNT-NFORCE&type=mntner and in the end decide also to contact the admin-c entry listed. That’s how I got name.com, knownsrv and nforce. And as you can see by the absence of the last redirect the way I had it at the beginning, something worked
  19. if you click on the top [Report spam] "tab" it should reload the page without the current spam, just the empty report box but possibly with the following : is the Remove all unreported spam link missing, but the Report Now link there?
  20. I hear you MisterBill, and I understand the frustration when the fight with spammers is being hindered by the very tools that are supposed to help. I used to be adamant with regard to submitting the links, but eventually I realized that, even though most links are spammer's own links or redirects to them, or even redirects to redirects... and so on and so forth... some links are third party links that a) have nothing to do with the spam, or b) are being used as retaliatory measures to get them in trouble. Why this spam isn't parsing the links, unfortunately, I do not know. Entering the address directly into the SC parser works and gives you the abuse address if you want to submit it manually. https://www.spamcop.net/sc?track=http://148.253.73.95ashlee.org.perske.club/204/3-2-2019-clickersin
  21. The address is in the parsed email. Clicking on the link below the headers “View entire message” will reveal a base64 block which can be decoded with online tools like: https://www.base64decode.org/ Just paste the whole block (including the last = sign) and voilà! The entire body of the spam including those seemingly obfuscated addresses...

        148. 253. 73. 95ashlee . org . perske . club / 204 / 3-2-2019-clickersin
        ^    ^    ^   ^          ^     ^        ^      ^     ^
        |    |    |   |          |     domain   TLD    |     |
        •————————————————————————•                     •—————•
                subdomains                              paths

    But they aren’t really obfuscated addresses. They are real, the way they are written.
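The point of the diagram above is that `148.253.73.95ashlee.org.perske.club` is a host name whose leading labels merely look like an IP address. As an added example (not part of the post), here is a small Python routine that decodes a base64 message body, pulls the URLs out of it, and takes each host apart the way the diagram does; it uses `ipaddress` to decide whether the host is a genuine IP literal. The "registrable domain = last two labels" rule is a simplification I assume here (real tooling would consult the public suffix list), and the base64 sample is constructed from the post's own URL.

```python
import base64
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s<>"\']+')


def anatomy(url: str) -> Dict[str, object]:
    """Split a URL into host, is-it-really-an-IP, TLD, domain, subdomains and path."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)   # raises ValueError unless host is a valid IPv4/IPv6 literal
        is_ip = True
    except ValueError:
        is_ip = False
    labels = host.split(".")
    return {
        "host": host,
        "is_ip_literal": is_ip,
        "tld": "" if is_ip else labels[-1],
        # Assumption: registrable domain is the last two labels (no public suffix list here).
        "registrable_domain": host if is_ip or len(labels) < 2 else ".".join(labels[-2:]),
        "subdomains": [] if is_ip else labels[:-2],
        "path_segments": [seg for seg in parts.path.split("/") if seg],
    }


def urls_from_base64_body(block: str) -> List[str]:
    """Decode a base64 body block (as shown under 'View entire message') and list its URLs."""
    body = base64.b64decode(block).decode("utf-8", errors="replace")
    return URL_RE.findall(body)


# Constructed sample: the post's URL wrapped in a base64-encoded body.
SAMPLE_BODY = "Click http://148.253.73.95ashlee.org.perske.club/204/3-2-2019-clickersin now"
SAMPLE_B64 = base64.b64encode(SAMPLE_BODY.encode()).decode()

if __name__ == "__main__":
    for url in urls_from_base64_body(SAMPLE_B64):
        for key, value in anatomy(url).items():
            print(f"{key:>20}: {value}")
```

Running it on the sample reports `is_ip_literal: False`, TLD `club`, registrable domain `perske.club`, and `148`, `253`, `73`, `95ashlee`, `org` as subdomain labels, which is what the whois lookup has to be based on; the same function on `http://148.253.73.95/204` reports a true IP literal instead.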
  22. I am thinking that spamcop has disabled the parsing of links in the newest update. Not sure about it though, but I haven't had any links parsed by SC since then.
  23.     Cache refresh disabled to avoid rate-limiting of whois servers [refresh cache]
        $ whois NET-3-128-0-0-1@whois.arin.net
        [whois.arin.net]
        ERROR 503: Unable to service request due to high volume.

    hmmm interesting.... in the end, although it would go to /dev/nul for amazonaws, it can't find an owner now...

        No reporting addresses found for 3.208.7.29, using devnull for tracking.
  24. That, as far as I know, no longer needs to be done since the SC v5 update. The gmail problem was solved with the update. Outlook (hotmail, et al.) is still not fixed though, but that is definitely on their end...
  25. Oooh! This last part means that RIPE is blocking ironport/SpamCop/Cisco from accessing their Whois database... now that’s bad.