Jump to content


  • Content Count

  • Joined

  • Last visited

Posts posted by RobiBue

  1. 15 minutes ago, RobiBue said:

    currently spamcop parses it as follows:


    apnic has:

    % Abuse contact for ' -' is 'abuse[at]phe.uk.com' <<---------- please fix to this correct abuse address

    while Rob.Urry address mentioned in the SC parse is somewhat listed, SC says:

    rob.urry[at]rapidwaters.net bounces (7 sent : 6 bounces)

    No good!

    in fact, the whole /19 range is!

    see http://wq.apnic.net/static/search.html?query=

    or actually the RIPE db: (sorry about that, not APNIC)


    still shows the same abuse address:

    Abuse contact info: abuse[at]phe.uk.com
    inetnum:   -


  2. currently spamcop parses it as follows:


    apnic has:

    % Abuse contact for ' -' is 'abuse[at]phe.uk.com' <<---------- please fix to this correct abuse address

    while Rob.Urry address mentioned in the SC parse is somewhat listed, SC says:

    rob.urry[at]rapidwaters.net bounces (7 sent : 6 bounces)

    No good!

  3. 19 hours ago, bolandross said:

    Hey and thanks for your help.

    In my recent reports section, the reports look like this:


    I noticed that clicking on the first link (69494888809) shows a site that doesn't contain the source code of the reported mail, but clicking on the other two links shows a site that does!

    To the time I asked the question, I only had tried the first one, thinking that all three would be the same. My case is therefore closed, thank you!

    That's correct, in your case, the first link is basically just a link parser equivalent, and nothing more, although the report to the telegram . org abuse desk will contain the complete spam for parsing (munged if your settings have it so selected)

    The next ones are targeting the source of the spam, and will contain the full, yet probably munged, headers and message body.

    Glad we could help 🙂



    @bolandross, have you clicked on [View Recent Reports] and tried yourself? Just curious.

    Anyway, there are different "forms" of reports

    the ones not yet filed:


    Submitted: 4/30/2019, 6:45:46 AM -0500:
    IRS Fresh Start Initiative Programs Before They Expire
    No reports filed

    as you can see, there's no link

    and then, filed:


    depending on how and what you clicked to report the spam, the links provided will vary

    • here, the first few links are just URL parses which point to the owner/administrator/abuse desk of the serving IP address of the spamvertised websites,
    • then you might have a personal link if you request one in [Preferences]. There you can add notes, or see how the spam was parsed (Tracking URL)
    • and then you might have one or more for the spam source ip address, where you can see
      a) the full spam (depending on your settings with the email address munged) and
      b) a link to how the spam was parsed (again, Tracking URL) (in the above, ending in 50, I replaced the link with the tracking URL because otherwise you wouldn't be able to see anything)

  5. 19 hours ago, MIG said:

    Hey Klappa, 

    Just going thru some old, "interesting" reading & noticed your question, did you ever get an answer that helped?

    Please let me know if you'd be so kind?



    Klappa had two posts.

    1. He mentioned you can add a recipient in settings (actually the [Preferences] tab/link) but he didn't mention that it's under Report Handling Options by adding an  email address to the Public standard report recipients field.
    2. In the 2nd post (the one you quoted) he asked where (about adding a recipient for every report independently), but just recently, we all found out, that you can do that only if you have either
      1. a paid account, or
      2. fuel added (until it runs out)


  6. 22 hours ago, salfordian said:

    Over the past few weeks from absolutely no where I've started getting loads of spam from this network, all the spammers seem to be flocking to them because they don't take any action, has anyone else noticed this?

    sorry, can't say I've noticed, but as Petzl mentioned, a tracking URL might be helpful.

    Petzl is not a troll, he might just have had a bad day with all the spam in the forum (it goes away after an admin browsed through it, but the TZ between OZ and US difference keeeps the spam visible much longer for him...)

    anyway, the past reports can be found here when logged in (same as the link/tab [Past Reports])

    (p.s. that's TZ for Time Zone, OZ for Down Under, and US for a Colorado/Rockies location or something like that ;))

  7. 8 hours ago, gnarlymarley said:

    There are a few options you have left when the adminstrator is useless if you really want to stop the spam.

    1. Keep reporting for two or three years and the spammer will give up.
    2. Block the whole IP range.  (this could be a problem as the emails from this forum appear to come from amazon, so this could block legitimate email.)
    3. Implement SPF checks on the MTA and hopes that blocks it (only works if you have the ability to control the MTA.)
    4. Use greylisting to make sure that only servers can connect and send you email (again, only works if you can change the MTA behavior.)

    The reason most businesses offer the free accounts is it falls under the idea of advertising.  If someone cannot check out the service, then they are less likely to use it.  Kind of problem as it pulls in the jerks, but also pulls in paid accounts as well......

    I like Idea #2!, especially if everybody is on-board.

    a) it would convince amazon to clean up their act with spammers and hosting them,
    b) especially if they start losing legitimate clientele :)

  8. On 4/14/2019 at 10:45 PM, gnarlymarley said:

    For me, my spam is up and down.  I noticed that gmail is lately blocking a lot of the spam.  It is also rejecting some of my legitimate email as if it were spam too.  I dislike it went folks sign up on a mailing list and then mark it as spam instead of unsubcribing because I am fighting the gmail spam police who tend to block that instead of just putting it in my spam folder.

    I too dislike it when folks sign up on a mailing list and then mark it as spam instead of unsubscribing, but I dislike it even more, when an emailer, after me having unsubscribed from *ALL* their emails, decides that I might still be interested, regardless of my decision.

    WRT gmail blocking/rejecting legitimate email: I haven't had that encounter yet, or the person that got rejected never got in touch with me about it...

  9. On 4/12/2019 at 8:44 PM, MIG said:

    ..., (for me) SC parser classifies Amazon (amazon[dot]com) as /dev/null, are you suggesting manually adding amazon[dot]com to https://www.spamcop.net/ [User_Notification] field, irrespective of SC's determination?

    Thanks in advance!

    On 4/12/2019 at 11:37 PM, Lking said:

    NO I am not.  That would result in a spam Report, from SC going to amazon. I am suggesting something like this header from MY email:

    with an amazon related spam attached; in this case


    Note when I "Submit" the spam I BCC the email to SC to hide my private 16 char reporting account from Amazon.

    Also note: Yes the FROM: is an obvious fake, but the sender is using the well known retailer's name to get "bigknow" to open the email.. I do the same for others common spam FROM UPS, American Express and others.

    If amazon[dot]com is dev/null'ed, then placing it in the [User_Notification] field wouldn't change anything. It would still dev/null the address.

    @Lking, question about the "Note". Do I understand this correctly, that you send (apart from sending the spam to SC as "bcc") the spam (as attachment) to the three listed entities?

    How do you know where to send the spam before parsing it?

    When I send the spam to SC, it gets parsed and /* then */ I know whom to send it as well... (Color me confused)


  10. I'm seconding petzl. spam in my gmail inbox/spam folder has also dropped drastically.

    Currently I'm fighting a spammer that originally wasn't one, but has no idea -- clueless -- what it means when I unsubscribe, and weeks later, they start firing up a daily trivia email campaign...
    So now they are spamming me, and I have no remorse on telling their host about their newly turned spammer...

    Just a matter of time now. Either they'll figure it out, or their host will...

  11. 8 hours ago, MIG said:

    Hey RobiBue,

    Have you ever seen a 🦗 begging? Stand by to witness this miracle:

    If your "dirty"  scri_pt  is safe to share may I have a copy please?

    My litlle 🦗paws are fair worn out from modifying scummy spam urls...


    Uhmmm... scri_pt is safe, but I do have 2 confessions to make:

    1. Currently I have no access to the pc I wrote the scri_pt on, and
    2. The scri_pt is a vba scri_pt for win word where I just dropped the spam in, ran the scri_pt, and attached the resulting text files to an email addressed to my reporting SC address...

    The scri_pt works roughly as follows:

    search for an https?:// domain name with regex and replace the numerical path (or ?argument) with the —ID...— line

    that’s basically the idea.

    fun to play and test reg(ular) ex(pressions) : https://regex101.com/r/wN6cZ7/478 (already set up for domain names)

    and SO has a nice answer for the whole URL: https://stackoverflow.com/questions/27745/getting-parts-of-a-url-regex

    sorry that I can’t be of more help atm... working these answers off a tablet...

  12. 5 hours ago, bobk said:

    Thanks RobiBue. That seems exactly right.  

    When I followed your "here" link, though, your examples of how you munged cloudflare would not load: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez . I'm hoping it's easier than putting an x on 30+ instances of the name.

    What do you mean by deselecting the cloudflare report?  The only way I can tell it's from them now is to recognize the scri_pt in the header.

    Yeah, unfortunately the spam examples get removed by SC to conserve space (there are so many reports a DB can hold without having to add more HDD...) and when I checked my inbox, the spam from back then had already been deleted as well...

     but I found examples in my sent folder:


    <img alt="Droid or Apple? Find Your New Cell Phone Today! Fresh Deals!" border="0" height="176" src="http://airlinehop.com/?--ID-number-1-(munged)--" width="23"/></td> <td bgcolor="#FFFFFF" height="175" valign="top" width="276"> <span style="font-family: Bookman Old Style; color: #242424; font-weight: 700"> <font style="font-size: 12pt">Search: <a href="http://airlinehop.com/?--ID-number-8-(munged)--">Cell Phones</a></font></span><p> <span style="font-family: Bookman Old Style; color: #242424"> Ready For A New Phone? <br/> <i>ANDROID</i> or <i>APPLE</i>? <br/> Browse Newest Models NOW!<br/>

    I had written a quick and dirty scri_pt, which would replace the numbers after the host name with the text “?—ID-number-<n>-(munged)—“ where <n> is the last digit of the number... and then sent it off to SC for reporting...

  13. 9 minutes ago, bobk said:

    Thanks all.

    I've had a spamcop account for 17 years and never before encountered well over 50 spams per day in my spam folder, and two dozen more within minutes of my reporting, all from the same source.  I wonder if their intention in sending so many right away would be to get me to get tired reporting those bogus ones and leave the other older ones alone.

    These are all from cloudflare dot com.  All until just recently were also from volia dot net from the Ukraine, I believe.  All of the spams are using the same scripted header, with various creative bodies. Several times I have even tried to eliminate whatever code I could from the emails when I report them; I'm not sure if that helped any.

    I even contacted cloudflare separately using a throwaway email address (hosted by cloudflare!), and got back a form letter response saying something about their notifying the sender if they could. 

    6936557925 and 6936557926 are examples of one such spam reported without any alteration other than spamcop's munging.


    Yep, just like I thought, those sigarpi.com links are some of those tracking links. Hitting them, triggers a scri_pt on their server that “assumes” that you’re interested in their products and they send a spew of their junk to the address linked to the number.

    At least that’s the way it looks.

    See here...

    unfortunately nothing has been done about it :(

    Deselect the cloudflare report and you should be ok...

    I know, it’s not perfect, but you’d get less spam and eventually they’ll die out. Haven’t had one since last October...

  14. 1. welcome to the spamcop forum. We're mainly just SC users trying to help others in the fight against spam. Sometimes we can, sometimes we can't...

    That said, some spam messages contain URLs which, if triggered, will cause more spam to be sent to you. Sometimes the ISP is "spammer friendly" and provides the spammer with your email address to "listwash" their DB or provides them with the email headers and they extrapolate your address through tracking codes they inserted in the headers.

    If you have a Tracking URL (see Jeff G's welcoming post) and would provide it, it would be easier to analyze the reasons for your "multiplying spam" problems and find out a way to alleviate it.

    I used to have similar problems with some spammers and by not reporting the links, only the source of the email, it reduced the spam volume drastically.

    I also went in manually to report the links to the hosting companies and removing the tracking extension from the report, to prevent anybody from triggering more spam if they accidentally (or purposely) click on the link.

  15. 1 hour ago, petzl said:

    Pretty sure these creeps are opening a new "free" amazon account when one is taken down.
    Seems Amazon are shutting them down when reported from the spammed email address, stating IP address and copy and pasting full headers with report. 
    status: 404 Not Found

    I never report from the spammed email address, and always munge the latter.

    Several providers have asked for full headers and I always tell them that the email address is of no concern to them as I do not wish retaliation or listwashing from their customers.

    They sometimes claim it would be easier with my address, but I insist that they can enforce their AUP solely by the email received headers and the email content. This last scenario happened only twice in my umpteen years of reporting ;)


  16. 4 hours ago, klappa said:

    Tired of reporting. Bit.ly won't take down the sex dating sites. They seem to ignore Spamcop reports altogether.

    Amazon promised to take action several times but nothing happens.

    I've given up. Will close my e-mail account. It's for the better.

    Oddly enough, I haven’t been getting any amazon/bit.ly spam as of a few days ago.

    In fact, I haven’t had any spam since Saturday 9th at noon. :) /me happy/ :) 

  17. 5 minutes ago, petzl said:

    Yes spammer already has your email.
    Got one from these scum this morning here are the notes
 (Administrator of network where email originates)
    abuse@amazonaws.com phishing-report@us-cert.gov
    https://bit.ly/2EPC64E?1819469901?DL4B7Sr6I8Unq8090859 abuse@bitly.com
    URL IP abuse@amazonaws.com phishing-report@us-cert.gov


    the info behind the ? in the links is what gives the spammer your info. those are the ones I don't add in the reports ...

    btw, got the same one today too... recognize the identical bit.ly address...

  18. 3 minutes ago, klappa said:

    Yes that's true. But munging the Message ID and non-ISP headers is not recommended. They need all the details I can give them and those might be valuable. If Spamcop doesn't do it except the e-mail address I won't either. My e-mail is a lost cause. It's more a throwaway account for reporting spam nowadays.

    SC munges the headers (unless it's a ISP that requires full headers) for me when I report the message.

    usually the message ID looks something like this:

    Message-Id: <wecW_______________________________________________upLM@vevida.net>

    the underscore line is placed there by SC.

    and non-ISP headers are often used by the spammer to trace reported spam and retaliate... that's why I tend to do that.

    if the ISP wants more info, they can ask for it ;)


  19. 44 minutes ago, klappa said:

    Now i follow. Although i can't be bothered munging my e-mail anymore. It's to late for that. I guess you do it manually every time?

    Yes that one isn't traceable but sometimes my e-mail is in the spam link often with the word campaign to lure the unsuspected user even more into clicking it. But since the spammer already have my e-mail it doesn't. Never seen that string before though. The sex dating dating domains are all scam through and through. Spammers use bots to lure the user into believing they are real people and make them throw up their credit card which essentially make the spammers into phishers in the end. The pictures of the girls/boys are stolen and have an unverified age.

    although they have your email, doesn't mean that if you report to their ISP that they know whodunit if you munge the name and address. of course, you'd also have to munge the message ID and a few other non-ISP headers that would/could reveal your info...

    Re: porn spam, amazon has AFAIU pretty strict guidelines and do not tolerate offenders.

  20. 2 hours ago, klappa said:

    Thank you!

    What do you mean by offending message with munged headers follows? How do you mung the headers with your name and address?

    However the destination domain was hosted by either Key-Systems, RRProxy or Google i am not sure which is hosting which. I don't want to type down the domain as it would be traceable by the spammer. There's no trace routes services or functions i know of that would've showed the destination domain. 

    The domains you listed are hosted by Amazon and lies between the domain link found in the spam and the destination domain. I don't know their purpose though.

    Hi klappa,

    1) munged headers means that I copy the raw spam (with headers) into notepad (on win) or your editor of choice and change all entries of my email address or part thereof as well as my name into a fake email address and fake name:

    X-Apparently-To: me@example.com; Sat, 02 Mar 2019 18:48:09 +0000
    Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1
            for <me@example.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST)
    To: me@example.com
    Subject: MY NAME: $15,000 Loan - Pay Back in 3 Years
    hello MY NAME,
    we have a loan for you with exorbitant interest. pay it back in three years and we will only charge you 115% interest

    Turns into:

    X-Apparently-To: x-x-x-x-x-x@x-xmail.com; Sat, 02 Mar 2019 18:48:09 +0000
    Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1
            for <x-x-x-x-x-x@x-xmail.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST)
    To: me@example.com
    Subject: x-x-x-x-x-x: $15,000 Loan - Pay Back in 3 Years
    hello x-x-x-x-x-x,
    we have a loan for you with exorbitant interest. pay it back in three years and we will only charge you 115% interest

    And then I add the following at the top of the headers:

    Comments: The recipient of the email wishes to stay anonymous and therefore
            has munged his name and/or address for privacy reasons to strings like "x-x-x" or "x".
            Please respect his privacy.

    That’s “munging”.

    2) alas it’s true that certain links can be “traced” by spammers, the link I started with, had no traceable info.

    http://se2. mogenromance-svenska. club/ is not traceable

    let me rephrase that before I get in trouble for making false statements ;)

    ok, every link you click on, gives the host your IP address, therefore (per se) traceable, but what I mean, is, that it doesn’t give the spammer any clue of your e-mail address.

    Traceable links, the way I mean it, can be, for instance:

    http://www.example.com/907743add1337 <- this hex string could be your encoded address

    If the link already starts like that, then caution is warranted.

    Since the redirects originated from a “safe” link, the information passed has nothing to do with your info.

    The links in between can be either reported at the same time or at a later point in time when the spammer is scrambling to get his new site redirected :)

    Sometimes I complain to the registrar as well in the hopes that someone there is witty enough to catch the pattern and MO of the spammer.

  21. 5 hours ago, klappa said:

    Thank you! That will help a lot. With this i can improve my reporting even more.

    Amazon promised to take action now in the last second when i threatened to report them to the government authorities. Now i see that the redirect URL service unfortunately didn't show the destination domain which was hosted by another domain host entirely from Amazon. These spammers are clever. IT's really a pain in the ass. It is also unfortunate that Spamcop isn't that much of a help when they are constantly changing from where they send the spam from and hosts their obfuscated domains. Spamcop will only report the responsible parties in the spam.

    I really do hope Spamcop does something though even if you have to dig further than what Spamcop does.

    to Amazon I would writethe following (adding the spam at the end):

    you are harboring a spamvertised porn site:

    spamvertised link:

    http://se2. mogenromance-svenska. club/

    redirects as follows:

    HTTP/1.1 302 Found =>
    Server => nginx
    Date => Sat, 09 Mar 2019 07:04:17 GMT
    Content-Type => text/html; charset=utf-8
    Content-Length => 75
    Connection => close
    Location => https:// crazytrackings. com/ ?a=100225&c=102723&s1=232
    X-Served-By => Namecheap URL Forward


    HTTP/1.0 302 Found =>
    Cache-Control => private
    Content-Length => 226
    Content-Type => text/html; charset=utf-8
    Date => Sat, 09 Mar 2019 07:04:42 GMT
    Location => https:// cyberblueberry. com/ ?a=100225&c=102723&s1=232&ckmguid=5eaf0d44-97f6-419a-bf50-4dc7daa946ba


    HTTP/1.0 302 Found =>
    Cache-Control => private
    Content-Length => 250
    Content-Type => text/html; charset=utf-8
    Date => Sat, 09 Mar 2019 07:05:03 GMT
    Location => https:// kewkr. girlstofu**. net/ c/da57dc555e50572d?s1=12951&s2=153430&s3=100225&s5=&click_id=22381729&j1=1&j3=1
    Set-Cookie => c100916=B0u1wB9CbYmmbLsSFz+i2AKhvFRakvmMJc94KAGrH+9633KgqJ4kxg==; domain=.cyberblueberry.com; expires=Mon, 08-Apr-2019 07:05:04 GMT; path=/; HttpOnly


    HTTP/1.1 200 OK =>
    Server => nginx
    Date => Sat, 09 Mar 2019 07:05:24 GMT
    Content-Type => text/html; charset=UTF-8
    Content-Length => 12475
    Connection => close
    Set-Cookie => scriptHash=49415_12951_153430; expires=Mon, 08-Apr-2019 07:05:24 GMT; Max-Age=2592000; path=/; HttpOnly
    X-Powered-By => PHP/7.0.32


    and this last redirect is on IP address
    Host kewkr. girlstofu**. net (checking ip) =

    whois -h whois.arin.net ...
    NetRange: -
    NetName:        AT-88-Z
    NetHandle:      NET-34-192-0-0-1
    Parent:         NET34 (NET-34-0-0-0-0)
    NetType:        Direct Allocation
    Organization:   Amazon Technologies Inc. (AT-88-Z)
    RegDate:        2016-09-12
    OrgAbuseHandle: AEA8-ARIN
    OrgAbuseName:   Amazon EC2 Abuse
    OrgAbusePhone:  +1-206-266-4064 
    OrgAbuseEmail:  abuse@amazonaws.com
    OrgAbuseRef:    https://rdap.arin.net/registry/entity/AEA8-ARIN

    I believe this is your IP space.

    please enforce your AUP.

    offending message with munged headers follows (and I always munge the headers with my name and address since I send it from a dedicated spam reporting email address which is in name and address different from any other)

    and see if they say that it's not their IP space :)


  22. 2 hours ago, MIG said:

    Hey RobiBue, 

    Thanks! grasshopper jumping around excitedly, grasshopper loves new toys, 'n grasshoppers jump irrespective unless squashed. 

    Question re (https://www.webconfs.com/http-header-check.php) was your very last url: 




    • did you at any point get to one of your faves ( AmazonDOTcom ) ?


    • final  ?, I can't track how you got ( knownsrvDOTcom ), would you be so kind as to provide a tad more education for grasshopper  please?


    Hi MIG,

    with re to the first q, no, it wasn’t then. It is now, though, but bit.ly already removed their link shortcut, so the original spam link wouldn’t work anyway.

    i do have the feeling, hat my complaint to name.com, nforce and knownsrv was fruitful since the spammer had to change their link redirect :)

    to your latter q:

    Let’s start with sc on lintwor.com:


    there i get both, IP address and reporting/abuse address.

    now i’m Not done, as I want to make sure that I don’t just email the spammer, so I look up the ripe.net db:


    gives me more or less the same info, but at the end of the page, I see MNT-NFORCE entry, so I check there


    and in the end decide also to contact the admin-c entry listed.

    that’s how I got name.com, knownsrv and nforce :)

    And as you can see by the absence of the last redirect the way I had it at the beginning, something worked :)


  23. Ever wanted to follow the http or https headers but not visit potentially dangerous websites?

    here I found a perfect toy:


    for example, today I received a sex-spamvertised email (no need to post the tracking URL, as here I'm only interested in the redirects that the spammer goes through)

    so in the spam I have the following html line (without the spaces, so that nobody damages their computer by following the link):

    <a href="https: //bit.ly/ 2IQVHa2">

    I enter the address in the text box, and receive the following result:

    HTTP/1.1 301 Moved Permanently =>
    Server => nginx
    Date => Wed, 06 Mar 2019 05:00:02 GMT
    Content-Type => text/html; charset=utf-8
    Content-Length => 139
    Connection => close
    Cache-Control => private, max-age=90
    Content-Security-Policy => referrer always;
    Location => http: //trk.linoaura.com/ c/ 1a57c646b0bf375e?src=issam
    Referrer-Policy => unsafe-url
    Set-Cookie => _bit=j26502-4d7f647156d7ea24c4-00y; Domain=bit.ly; Expires=Mon, 02 Sep 2019 05:00:02 GMT

    oh,  Referrer-Policy => unsafe-url !!! (again, the location with spaces to prevent someone to inadvertently follow the link)

    so I enter that Location => link into the box and get:

    HTTP/1.1 302 Found =>
    Server => nginx
    Date => Wed, 06 Mar 2019 05:05:45 GMT
    Content-Type => text/html; charset=UTF-8
    Content-Length => 0
    Connection => close
    Location => https: //lintwor.com /198f1cdb040fb11800 //aijxs5c7f55298ff4e752045131/
    Set-Cookie => tid=aijxs5c7f55298ff4e752045131; path=/; HttpOnly
    Status => 302 Found

    yet another redirect (I again added spaces)

    so I follow that one:

    HTTP/1.1 200 OK =>
    Date => Wed, 06 Mar 2019 05:08:39 GMT
    Content-Type => text/html; charset=UTF-8
    Content-Length => 133
    Connection => close
    Server => Apache
    Set-Cookie => uid9599=814165625-20190305230839-05d567ed43eab684d1ec95bd5d3f4aff-; expires=Sat, 06-Apr-2019 04:08:39 GMT; Max-Age=2674800; path=/

    end station HTTP/1.1 200 OK =>

    so all I need to do now, is get the IP for the last domain with netDemon, SamSpade, or just a simple ping from the cmd line, and send manual complaints with my specific anti-spam email to abuse[at]name.com (since they are the registrar for the domain)
    and nforce.com:
    who is the administrative IP block owner of spamvertised IP address

    as well as knownsrv.com:
    who is the owner of IP block of spamvertised IP address

    the latter two found in the RIPE db with the IP address from the ping.