
Posts posted by RobiBue

  1. On 4/12/2019 at 8:44 PM, MIG said:

    ..., (for me) SC parser classifies Amazon (amazon[dot]com) as /dev/null, are you suggesting manually adding amazon[dot]com to https://www.spamcop.net/ [User_Notification] field, irrespective of SC's determination?

    Thanks in advance!

    On 4/12/2019 at 11:37 PM, Lking said:

    NO I am not.  That would result in a spam Report, from SC going to amazon. I am suggesting something like this header from MY email:

    with an amazon related spam attached; in this case


    Note when I "Submit" the spam I BCC the email to SC to hide my private 16 char reporting account from Amazon.

    Also note: Yes the FROM: is an obvious fake, but the sender is using the well known retailer's name to get "bigknow" to open the email.. I do the same for others common spam FROM UPS, American Express and others.

    If amazon[dot]com is dev/null'ed, then placing it in the [User_Notification] field wouldn't change anything. It would still dev/null the address.

    @Lking, question about the "Note". Do I understand this correctly, that you send (apart from sending the spam to SC as "bcc") the spam (as attachment) to the three listed entities?

    How do you know where to send the spam before parsing it?

    When I send the spam to SC, it gets parsed and /* then */ I know whom to send it as well... (Color me confused)


  2. I'm seconding petzl. spam in my gmail inbox/spam folder has also dropped drastically.

    Currently I'm fighting a spammer that originally wasn't one, but has no idea -- clueless -- what it means when I unsubscribe, and weeks later, they start firing up a daily trivia email campaign...
    So now they are spamming me, and I have no remorse on telling their host about their newly turned spammer...

    Just a matter of time now. Either they'll figure it out, or their host will...

  3. 8 hours ago, MIG said:

    Hey RobiBue,

    Have you ever seen a 🦗 begging? Stand by to witness this miracle:

    If your "dirty" script is safe to share may I have a copy please?

    My little 🦗paws are fair worn out from modifying scummy spam urls...


    Uhmmm... script is safe, but I do have 2 confessions to make:

    1. Currently I have no access to the pc I wrote the script on, and
    2. The script is a vba script for win word where I just dropped the spam in, ran the script, and attached the resulting text files to an email addressed to my reporting SC address...

    The script works roughly as follows:

    search for an https?:// domain name with regex and replace the numerical path (or ?argument) with the —ID...— line

    that’s basically the idea.

    fun to play and test reg(ular) ex(pressions) https://regex101.com/r/wN6cZ7/478 (already set up for domain names)

    and SO has a nice answer for the whole URL: https://stackoverflow.com/questions/27745/getting-parts-of-a-url-regex

    sorry that I can’t be of more help atm... working these answers off a tablet...

  4. 5 hours ago, bobk said:

    Thanks RobiBue. That seems exactly right.  

    When I followed your "here" link, though, your examples of how you munged cloudflare would not load: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez . I'm hoping it's easier than putting an x on 30+ instances of the name.

    What do you mean by deselecting the cloudflare report?  The only way I can tell it's from them now is to recognize the script in the header.

    Yeah, unfortunately the spam examples get removed by SC to conserve space (there are so many reports a DB can hold without having to add more HDD...) and when I checked my inbox, the spam from back then had already been deleted as well...

     but I found examples in my sent folder:


    <img alt="Droid or Apple? Find Your New Cell Phone Today! Fresh Deals!" border="0" height="176" src="http://airlinehop.com/?--ID-number-1-(munged)--" width="23"/></td> <td bgcolor="#FFFFFF" height="175" valign="top" width="276"> <span style="font-family: Bookman Old Style; color: #242424; font-weight: 700"> <font style="font-size: 12pt">Search: <a href="http://airlinehop.com/?--ID-number-8-(munged)--">Cell Phones</a></font></span><p> <span style="font-family: Bookman Old Style; color: #242424"> Ready For A New Phone? <br/> <i>ANDROID</i> or <i>APPLE</i>? <br/> Browse Newest Models NOW!<br/>

    I had written a quick and dirty script, which would replace the numbers after the host name with the text "?--ID-number-<n>-(munged)--" where <n> is the last digit of the number... and then sent it off to SC for reporting...
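    The munging described in this post and the previous one, as an added Python sketch (not RobiBue's VBA script): it finds each http(s) URL, keeps the host, and replaces every run of four or more digits after it with the "--ID-number-<n>-(munged)--" text, where <n> is the last digit. The .example hosts and the sample HTML are constructed.

```python
import re

# Matches an http(s) URL: scheme, host, then everything up to whitespace or an
# HTML delimiter (path and query included).
URL_RE = re.compile(r'https?://[A-Za-z0-9.-]+[^\s"\'<>]*')
HOST_RE = re.compile(r'^(https?://[A-Za-z0-9.-]+)(.*)$', re.S)
# A run of four or more digits after the host is treated as a tracking number.
# Pure-hex tokens such as 907743add1337 contain letters and are not matched;
# those still have to be munged by hand.
NUM_RE = re.compile(r'\d{4,}')


def _munge_number(m):
    digits = m.group(0)
    # Keep only the last digit so the report still shows that a number was there.
    return f"--ID-number-{digits[-1]}-(munged)--"


def munge_url(url):
    """Return url with numeric tracking tokens after the host replaced."""
    m = HOST_RE.match(url)
    if not m:
        return url
    host, rest = m.group(1), m.group(2)
    return host + NUM_RE.sub(_munge_number, rest)


def munge_spam(text):
    """Munge every URL in a spam body; returns (new_text, urls_changed)."""
    changed = 0

    def repl(m):
        nonlocal changed
        new = munge_url(m.group(0))
        if new != m.group(0):
            changed += 1
        return new

    return URL_RE.sub(repl, text), changed


# Constructed sample modelled on the airlinehop example quoted above
# (hosts replaced with .example names).
SAMPLE = (
    '<img src="http://airlinehop.example/?2398471" width="23"/>'
    '<a href="http://airlinehop.example/?2398478">Cell Phones</a> '
    '<a href="http://tracker.example/click/5551212?src=mail">Browse</a> '
    '<a href="http://plain.example/about">About us</a>'
)

if __name__ == "__main__":
    text, n = munge_spam(SAMPLE)
    print(n, "URLs munged")
    print(text)
```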

  5. 9 minutes ago, bobk said:

    Thanks all.

    I've had a spamcop account for 17 years and never before encountered well over 50 spams per day in my spam folder, and two dozen more within minutes of my reporting, all from the same source.  I wonder if their intention in sending so many right away would be to get me to get tired reporting those bogus ones and leave the other older ones alone.

    These are all from cloudflare dot com.  All until just recently were also from volia dot net from the Ukraine, I believe.  All of the spams are using the same scripted header, with various creative bodies. Several times I have even tried to eliminate whatever code I could from the emails when I report them; I'm not sure if that helped any.

    I even contacted cloudflare separately using a throwaway email address (hosted by cloudflare!), and got back a form letter response saying something about their notifying the sender if they could. 

    6936557925 and 6936557926 are examples of one such spam reported without any alteration other than spamcop's munging.


    Yep, just like I thought, those sigarpi.com links are some of those tracking links. Hitting them, triggers a script on their server that “assumes” that you’re interested in their products and they send a spew of their junk to the address linked to the number.

    At least that’s the way it looks.

    See here...

    unfortunately nothing has been done about it :(

    Deselect the cloudflare report and you should be ok...

    I know, it’s not perfect, but you’d get less spam and eventually they’ll die out. Haven’t had one since last October...

  6. Welcome to the spamcop forum. We're mainly just SC users trying to help others in the fight against spam. Sometimes we can, sometimes we can't...

    That said, some spam messages contain URLs which, if triggered, will cause more spam to be sent to you. Sometimes the ISP is "spammer friendly" and provides the spammer with your email address to "listwash" their DB or provides them with the email headers and they extrapolate your address through tracking codes they inserted in the headers.

    If you have a Tracking URL (see Jeff G's welcoming post) and would provide it, it would be easier to analyze the reasons for your "multiplying spam" problems and find out a way to alleviate it.

    I used to have similar problems with some spammers and by not reporting the links, only the source of the email, it reduced the spam volume drastically.

    I also went in manually to report the links to the hosting companies and removing the tracking extension from the report, to prevent anybody from triggering more spam if they accidentally (or purposely) click on the link.

  7. 1 hour ago, petzl said:

    Pretty sure these creeps are opening a new "free" amazon account when one is taken down.
    Seems Amazon are shutting them down when reported from the spammed email address, stating IP address and copy and pasting full headers with report. 
    status: 404 Not Found

    I never report from the spammed email address, and always munge the latter.

    Several providers have asked for full headers and I always tell them that the email address is of no concern to them as I do not wish retaliation or listwashing from their customers.

    They sometimes claim it would be easier with my address, but I insist that they can enforce their AUP solely by the email received headers and the email content. This last scenario happened only twice in my umpteen years of reporting ;)


  8. 4 hours ago, klappa said:

    Tired of reporting. Bit.ly won't take down the sex dating sites. They seem to ignore Spamcop reports altogether.

    Amazon promised to take action several times but nothing happens.

    I've given up. Will close my e-mail account. It's for the better.

    Oddly enough, I haven’t been getting any amazon/bit.ly spam as of a few days ago.

    In fact, I haven’t had any spam since Saturday 9th at noon. :) /me happy/ :) 

  9. 5 minutes ago, petzl said:

    Yes spammer already has your email.
    Got one from these scum this morning here are the notes
    (Administrator of network where email originates)
    abuse@amazonaws.com phishing-report@us-cert.gov
    https://bit.ly/2EPC64E?1819469901?DL4B7Sr6I8Unq8090859 abuse@bitly.com
    URL IP abuse@amazonaws.com phishing-report@us-cert.gov


    the info behind the ? in the links is what gives the spammer your info. those are the ones I don't add in the reports ...

    btw, got the same one today too... recognize the identical bit.ly address...

  10. 3 minutes ago, klappa said:

    Yes that's true. But munging the Message ID and non-ISP headers is not recommended. They need all the details I can give them and those might be valuable. If Spamcop doesn't do it except the e-mail address I won't either. My e-mail is a lost cause. It's more a throwaway account for reporting spam nowadays.

    SC munges the headers (unless it's a ISP that requires full headers) for me when I report the message.

    usually the message ID looks something like this:

    Message-Id: <wecW_______________________________________________upLM@vevida.net>

    the underscore line is placed there by SC.

    and non-ISP headers are often used by the spammer to trace reported spam and retaliate... that's why I tend to do that.

    if the ISP wants more info, they can ask for it ;)


  11. 44 minutes ago, klappa said:

    Now I follow. Although I can't be bothered munging my e-mail anymore. It's too late for that. I guess you do it manually every time?

    Yes that one isn't traceable but sometimes my e-mail is in the spam link often with the word campaign to lure the unsuspecting user even more into clicking it. But since the spammer already has my e-mail it doesn't. Never seen that string before though. The sex dating domains are all scam through and through. Spammers use bots to lure the user into believing they are real people and make them throw up their credit card which essentially makes the spammers into phishers in the end. The pictures of the girls/boys are stolen and have an unverified age.

    although they have your email, doesn't mean that if you report to their ISP that they know whodunit if you munge the name and address. of course, you'd also have to munge the message ID and a few other non-ISP headers that would/could reveal your info...

    Re: porn spam, amazon has AFAIU pretty strict guidelines and do not tolerate offenders.

  12. 2 hours ago, klappa said:

    Thank you!

    What do you mean by offending message with munged headers follows? How do you mung the headers with your name and address?

    However the destination domain was hosted by either Key-Systems, RRProxy or Google; I am not sure which is hosting which. I don't want to type down the domain as it would be traceable by the spammer. There are no trace route services or functions I know of that would've shown the destination domain.

    The domains you listed are hosted by Amazon and lie between the domain link found in the spam and the destination domain. I don't know their purpose though.

    Hi klappa,

    1) munged headers means that I copy the raw spam (with headers) into notepad (on win) or your editor of choice and change all entries of my email address or part thereof as well as my name into a fake email address and fake name:

    X-Apparently-To: me@example.com; Sat, 02 Mar 2019 18:48:09 +0000
    Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1
            for <me@example.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST)
    To: me@example.com
    Subject: MY NAME: $15,000 Loan - Pay Back in 3 Years
    hello MY NAME,
    we have a loan for you with exorbitant interest. pay it back in three years and we will only charge you 115% interest

    Turns into:

    X-Apparently-To: x-x-x-x-x-x@x-xmail.com; Sat, 02 Mar 2019 18:48:09 +0000
    Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1
            for <x-x-x-x-x-x@x-xmail.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST)
    To: me@example.com
    Subject: x-x-x-x-x-x: $15,000 Loan - Pay Back in 3 Years
    hello x-x-x-x-x-x,
    we have a loan for you with exorbitant interest. pay it back in three years and we will only charge you 115% interest

    And then I add the following at the top of the headers:

    Comments: The recipient of the email wishes to stay anonymous and therefore
            has munged his name and/or address for privacy reasons to strings like "x-x-x" or "x".
            Please respect his privacy.

    That’s “munging”.

    2) alas it’s true that certain links can be “traced” by spammers, the link I started with, had no traceable info.

    http://se2. mogenromance-svenska. club/ is not traceable

    let me rephrase that before I get in trouble for making false statements ;)

    ok, every link you click on, gives the host your IP address, therefore (per se) traceable, but what I mean, is, that it doesn’t give the spammer any clue of your e-mail address.

    Traceable links, the way I mean it, can be, for instance:

    http://www.example.com/907743add1337 <- this hex string could be your encoded address

    If the link already starts like that, then caution is warranted.

    Since the redirects originated from a “safe” link, the information passed has nothing to do with your info.

    The links in between can be either reported at the same time or at a later point in time when the spammer is scrambling to get his new site redirected :)

    Sometimes I complain to the registrar as well in the hopes that someone there is witty enough to catch the pattern and MO of the spammer.
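    The header munging described in point 1) above, as an added Python example (not RobiBue's own procedure or tooling): every occurrence of the recipient's address and name is replaced with the "x-x-x" style placeholders and the Comments: header from the post is prepended. The sample message is constructed from the loan spam quoted above; the placeholder strings follow the post.

```python
import re

ADDR_PLACEHOLDER = "x-x-x-x-x-x@x-xmail.com"
NAME_PLACEHOLDER = "x-x-x-x-x-x"
COMMENT_HEADER = (
    "Comments: The recipient of the email wishes to stay anonymous and therefore\n"
    "        has munged his name and/or address for privacy reasons to strings like \"x-x-x\" or \"x\".\n"
    "        Please respect his privacy.\n"
)


def munge_message(raw, address, name):
    """Replace every occurrence of the recipient's address and name (headers and
    body alike, case-insensitively) and prepend the explanatory Comments: header."""
    local = address.split("@", 1)[0]
    out = re.sub(re.escape(address), ADDR_PLACEHOLDER, raw, flags=re.IGNORECASE)
    # The bare local part can survive in tracking tokens or a Message-Id. Only
    # replace it as a standalone token and only when it is long enough to be
    # unambiguous (a two-letter local part like "me" would wreck ordinary words).
    if len(local) >= 4:
        out = re.sub(r'(?<![A-Za-z0-9])' + re.escape(local) + r'(?![A-Za-z0-9])',
                     NAME_PLACEHOLDER, out, flags=re.IGNORECASE)
    out = re.sub(re.escape(name), NAME_PLACEHOLDER, out, flags=re.IGNORECASE)
    return COMMENT_HEADER + out


def leaks(munged, address, name):
    """Return the identifying strings that still appear after munging (should be empty)."""
    low = munged.lower()
    return [s for s in (address, name) if s.lower() in low]


# Constructed sample based on the loan spam quoted in the post.
SAMPLE = """X-Apparently-To: me@example.com; Sat, 02 Mar 2019 18:48:09 +0000
Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1
        for <me@example.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST)
To: me@example.com
Subject: MY NAME: $15,000 Loan - Pay Back in 3 Years

hello My Name,
we have a loan for you with exorbitant interest.
"""

if __name__ == "__main__":
    munged = munge_message(SAMPLE, "me@example.com", "MY NAME")
    print(munged)
    print("leaks:", leaks(munged, "me@example.com", "MY NAME"))
```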

  13. 5 hours ago, klappa said:

    Thank you! That will help a lot. With this i can improve my reporting even more.

    Amazon promised to take action now in the last second when I threatened to report them to the government authorities. Now I see that the redirect URL service unfortunately didn't show the destination domain which was hosted by another domain host entirely from Amazon. These spammers are clever. It's really a pain in the ass. It is also unfortunate that Spamcop isn't that much of a help when they are constantly changing from where they send the spam from and host their obfuscated domains. Spamcop will only report the responsible parties in the spam.

    I really do hope Spamcop does something though even if you have to dig further than what Spamcop does.

    to Amazon I would write the following (adding the spam at the end):

    you are harboring a spamvertised porn site:

    spamvertised link:

    http://se2. mogenromance-svenska. club/

    redirects as follows:

    HTTP/1.1 302 Found =>
    Server => nginx
    Date => Sat, 09 Mar 2019 07:04:17 GMT
    Content-Type => text/html; charset=utf-8
    Content-Length => 75
    Connection => close
    Location => https:// crazytrackings. com/ ?a=100225&c=102723&s1=232
    X-Served-By => Namecheap URL Forward


    HTTP/1.0 302 Found =>
    Cache-Control => private
    Content-Length => 226
    Content-Type => text/html; charset=utf-8
    Date => Sat, 09 Mar 2019 07:04:42 GMT
    Location => https:// cyberblueberry. com/ ?a=100225&c=102723&s1=232&ckmguid=5eaf0d44-97f6-419a-bf50-4dc7daa946ba


    HTTP/1.0 302 Found =>
    Cache-Control => private
    Content-Length => 250
    Content-Type => text/html; charset=utf-8
    Date => Sat, 09 Mar 2019 07:05:03 GMT
    Location => https:// kewkr. girlstofu**. net/ c/da57dc555e50572d?s1=12951&s2=153430&s3=100225&s5=&click_id=22381729&j1=1&j3=1
    Set-Cookie => c100916=B0u1wB9CbYmmbLsSFz+i2AKhvFRakvmMJc94KAGrH+9633KgqJ4kxg==; domain=.cyberblueberry.com; expires=Mon, 08-Apr-2019 07:05:04 GMT; path=/; HttpOnly


    HTTP/1.1 200 OK =>
    Server => nginx
    Date => Sat, 09 Mar 2019 07:05:24 GMT
    Content-Type => text/html; charset=UTF-8
    Content-Length => 12475
    Connection => close
    Set-Cookie => scriptHash=49415_12951_153430; expires=Mon, 08-Apr-2019 07:05:24 GMT; Max-Age=2592000; path=/; HttpOnly
    X-Powered-By => PHP/7.0.32


    and this last redirect is on IP address
    Host kewkr. girlstofu**. net (checking ip) =

    whois -h whois.arin.net ...
    NetRange: -
    NetName:        AT-88-Z
    NetHandle:      NET-34-192-0-0-1
    Parent:         NET34 (NET-34-0-0-0-0)
    NetType:        Direct Allocation
    Organization:   Amazon Technologies Inc. (AT-88-Z)
    RegDate:        2016-09-12
    OrgAbuseHandle: AEA8-ARIN
    OrgAbuseName:   Amazon EC2 Abuse
    OrgAbusePhone:  +1-206-266-4064 
    OrgAbuseEmail:  abuse@amazonaws.com
    OrgAbuseRef:    https://rdap.arin.net/registry/entity/AEA8-ARIN

    I believe this is your IP space.

    please enforce your AUP.

    offending message with munged headers follows (and I always munge the headers with my name and address since I send it from a dedicated spam reporting email address which is in name and address different from any other)

    and see if they say that it's not their IP space :)


  14. 2 hours ago, MIG said:

    Hey RobiBue, 

    Thanks! grasshopper jumping around excitedly, grasshopper loves new toys, 'n grasshoppers jump irrespective unless squashed. 

    Question re (https://www.webconfs.com/http-header-check.php) was your very last url:

    • did you at any point get to one of your faves ( AmazonDOTcom ) ?

    • final ?, I can't track how you got ( knownsrvDOTcom ), would you be so kind as to provide a tad more education for grasshopper please?


    Hi MIG,

    with re to the first q, no, it wasn’t then. It is now, though, but bit.ly already removed their link shortcut, so the original spam link wouldn’t work anyway.

    I do have the feeling that my complaint to name.com, nforce and knownsrv was fruitful since the spammer had to change their link redirect :)

    to your latter q:

    Let’s start with sc on lintwor.com:


    there i get both, IP address and reporting/abuse address.

    now I'm not done, as I want to make sure that I don't just email the spammer, so I look up the ripe.net db:


    gives me more or less the same info, but at the end of the page, I see MNT-NFORCE entry, so I check there


    and in the end decide also to contact the admin-c entry listed.

    that’s how I got name.com, knownsrv and nforce :)

    And as you can see by the absence of the last redirect the way I had it at the beginning, something worked :)


  15. Ever wanted to follow the http or https headers but not visit potentially dangerous websites?

    here I found a perfect toy:


    for example, today I received a sex-spamvertised email (no need to post the tracking URL, as here I'm only interested in the redirects that the spammer goes through)

    so in the spam I have the following html line (without the spaces, so that nobody damages their computer by following the link):

    <a href="https: //bit.ly/ 2IQVHa2">

    I enter the address in the text box, and receive the following result:

    HTTP/1.1 301 Moved Permanently =>
    Server => nginx
    Date => Wed, 06 Mar 2019 05:00:02 GMT
    Content-Type => text/html; charset=utf-8
    Content-Length => 139
    Connection => close
    Cache-Control => private, max-age=90
    Content-Security-Policy => referrer always;
    Location => http: //trk.linoaura.com/ c/ 1a57c646b0bf375e?src=issam
    Referrer-Policy => unsafe-url
    Set-Cookie => _bit=j26502-4d7f647156d7ea24c4-00y; Domain=bit.ly; Expires=Mon, 02 Sep 2019 05:00:02 GMT

    oh,  Referrer-Policy => unsafe-url !!! (again, the location with spaces to prevent someone to inadvertently follow the link)

    so I enter that Location => link into the box and get:

    HTTP/1.1 302 Found =>
    Server => nginx
    Date => Wed, 06 Mar 2019 05:05:45 GMT
    Content-Type => text/html; charset=UTF-8
    Content-Length => 0
    Connection => close
    Location => https: //lintwor.com /198f1cdb040fb11800 //aijxs5c7f55298ff4e752045131/
    Set-Cookie => tid=aijxs5c7f55298ff4e752045131; path=/; HttpOnly
    Status => 302 Found

    yet another redirect (I again added spaces)

    so I follow that one:

    HTTP/1.1 200 OK =>
    Date => Wed, 06 Mar 2019 05:08:39 GMT
    Content-Type => text/html; charset=UTF-8
    Content-Length => 133
    Connection => close
    Server => Apache
    Set-Cookie => uid9599=814165625-20190305230839-05d567ed43eab684d1ec95bd5d3f4aff-; expires=Sat, 06-Apr-2019 04:08:39 GMT; Max-Age=2674800; path=/

    end station HTTP/1.1 200 OK =>

    so all I need to do now, is get the IP for the last domain with netDemon, SamSpade, or just a simple ping from the cmd line, and send manual complaints with my specific anti-spam email to abuse[at]name.com (since they are the registrar for the domain)
    and nforce.com:
    who is the administrative IP block owner of spamvertised IP address

    as well as knownsrv.com:
    who is the owner of IP block of spamvertised IP address

    the latter two found in the RIPE db with the IP address from the ping.
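    The header-check output pasted in this post and in the Amazon complaint earlier (post 13) shares one "Key => Value" format; as an added Python example (not the webconfs tool's code, nor RobiBue's), this parses such a dump offline into the redirect chain, flagging the Referrer-Policy: unsafe-url and Set-Cookie hops noted above and telling whether the chain reached an "end station". The dump below is constructed with .example hosts; nothing is fetched from the network.

```python
import re

STATUS_RE = re.compile(r'^HTTP/\d\.\d\s+(\d{3})\s+(.*?)\s*=>\s*$')


def parse_hop(block):
    """Parse one 'HTTP/1.x NNN Reason =>' block of 'Key => Value' lines into
    (status_code, {lower-case header name: [values]})."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("block does not start with a status line: " + lines[0])
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition("=>")
        if sep:  # skip stray lines without the separator
            headers.setdefault(key.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers


def analyse_chain(dump):
    """Turn a blank-line-separated dump of hops into findings per hop."""
    hops = []
    for block in re.split(r'\n[ \t]*\n', dump.strip()):
        status, h = parse_hop(block)
        hop = {"status": status,
               "location": h.get("location", [None])[0],
               "cookies": len(h.get("set-cookie", [])),
               "flags": []}
        if "unsafe-url" in " ".join(h.get("referrer-policy", [])).lower():
            hop["flags"].append("referrer-policy unsafe-url: full referring URL leaks to the next hop")
        if hop["cookies"]:
            hop["flags"].append("sets cookies: the visitor is being tagged")
        if 300 <= status < 400 and not hop["location"]:
            hop["flags"].append("redirect without a Location header")
        hops.append(hop)
    final = hops[-1]["status"] if hops else None
    return {"hops": hops,
            "end_station": final is not None and final < 300,
            "path": [hp["location"] for hp in hops if hp["location"]]}


# Constructed dump in the same layout as the pasted header-check output.
SAMPLE_DUMP = """HTTP/1.1 301 Moved Permanently =>
Server => nginx
Content-Type => text/html; charset=utf-8
Location => http://trk.example/c/1a57c646b0bf375e?src=issam
Referrer-Policy => unsafe-url
Set-Cookie => _bit=constructed; Domain=short.example

HTTP/1.1 302 Found =>
Server => nginx
Location => https://land.example/198f1cdb040fb118/
Set-Cookie => tid=constructed; path=/; HttpOnly

HTTP/1.1 200 OK =>
Server => Apache
Content-Length => 133
Set-Cookie => uid9599=constructed; path=/
"""

if __name__ == "__main__":
    result = analyse_chain(SAMPLE_DUMP)
    for i, hop in enumerate(result["hops"], 1):
        print(i, hop["status"], hop["location"], hop["flags"])
    print("end station reached:", result["end_station"])
```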

  16. 4 hours ago, Scott_R said:

    FWIW, it's long past when I could have reported the spam, but now I get a "Unreported spam saved" message, but no way to cancel:


    if you click on the top [Report spam] "tab"


    it should reload the page without the current spam, just the empty report box but possibly with the following :


    is the Remove all unreported spam link missing, but the Report Now link there?

  17. I hear you MisterBill, and I understand the frustration when the fight with spammers is being hindered by the own tools that are supposed to help.

    I used to be adamant with regard to submitting the links, but eventually I realized that, even though most links are spammer's own links or redirects to them, or even redirects to redirects... and so on and so forth... some links are third party links that
    a) have nothing to do with the spam, or
    b) are being used as retaliatory measures to get them in trouble.

    why this spam isn't parsing the links, unfortunately, I do not know.

    entering the address directly into the SC parser works and gives you the abuse address if you want to submit it manually.


  18. The address is in the parsed email.

    Clicking on the link below the headers “View entire message” will reveal a base64 block which can be decoded with online tools like:



    Just paste the whole block (including the last = sign) and voilà! The entire body of the spam including those seemingly obfuscated addresses...

    148. 253. 73. 95ashlee . org . perske . club / 204 / 3-2-2019-clickersin
     ^    ^    ^      ^       ^       ^       ^     ^            ^
     |    |    |      |       |     domain   TLD    |            |
     •————————————————————————•                     •————————————•
             subdomains                                  paths

    But they aren’t really obfuscated addresses. They are real, the way they are written.
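    The two steps in this post, decoding the base64 body and reading the address as labels, domain, TLD and paths, as an added Python example (not a SpamCop feature or RobiBue's code). It decodes a body the way the online tools do, then pulls out links even when they carry no scheme and splits them as the diagram above does; the sample body is constructed here (the perske.club address is the one from the post, trk.example is a placeholder).

```python
import base64
import re

# Links in decoded bodies often come without a scheme: accept dotted labels
# ending in an alphabetic TLD, followed by an optional path.
URL_RE = re.compile(
    r'(?:https?://)?'
    r'((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})'   # host
    r'(/[^\s"<>]*)?'                         # optional path
)
# A long hex-only path segment can be an encoded recipient identifier.
HEX_TOKEN_RE = re.compile(r'^[0-9a-f]{12,}$', re.I)


def decode_body(b64_text):
    """Decode a base64 body as shown by 'View entire message'; tolerates the
    line breaks of the paste and a missing '=' padding."""
    compact = re.sub(r'\s+', '', b64_text)
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("utf-8", errors="replace")


def split_host(host):
    """Naive split matching the diagram: last label is the TLD, the one before it
    the domain, everything else subdomains. No public-suffix list is consulted,
    so hosts under 'co.uk'-style suffixes are mis-split."""
    labels = host.split(".")
    return {"subdomains": labels[:-2], "domain": labels[-2], "tld": labels[-1]}


def extract_links(body):
    """Find every link in the decoded body and decompose it."""
    found = []
    for m in URL_RE.finditer(body):
        host, path = m.group(1), m.group(2) or ""
        parts = split_host(host)
        segments = [s for s in path.split("/") if s]
        parts["paths"] = segments
        parts["suspect_tokens"] = [s for s in segments if HEX_TOKEN_RE.match(s)]
        found.append(parts)
    return found


# Constructed sample body; the base64 is produced here so the block runs offline
# (encodebytes inserts line breaks, as a pasted block would have).
SAMPLE_BODY = (
    '<p>Click: 148.253.73.95ashlee.org.perske.club/204/3-2-2019-clickersin</p>\n'
    '<a href="https://trk.example/c/907743add1337">unsubscribe</a>\n'
)
SAMPLE_B64 = base64.encodebytes(SAMPLE_BODY.encode()).decode()

if __name__ == "__main__":
    for link in extract_links(decode_body(SAMPLE_B64)):
        print(link)
```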

  19. Link removed due to giving out private information.... ? Sc admins? 

    I was wondering if an admin, or someone with the ability to check the SC address entries can see and post here why the amazonAWS address is devnulled.

    When I report manually to abuse amazonaws com I get both sentient and robot replies.

    Can the devnull redirection be removed so that reports go again to their abuse desk?

    They seem to be taking care of their spammers, but only if the spam can be reported...

    I am not sure if abuse reports going to ipmanagement are actually going anywhere. I have seen 3 different abuse addresses listed for amazon aws and ec2, where ipmanagement seems like a fluke that ended up without an abuse address at amazon web services...

  20. 5 hours ago, gnarlymarley said:

    Yeah, I am not sure if there is someone that has the ability to fix these cache entries.  It is a tragedy now that we are here, but at the same time it is at least populating the blacklist.

    Display data:
    "whois" (Getting contact from whois.arin.net )
       Redirect to ripe
       Display data:
       "whois" (Getting contact from whois.ripe.net)
       whois.ripe.net (nothing found)

    %ERROR:201: access denied for


    Oooh! This last part means that RIPE is blocking ironport/SpamCop/Cisco from accessing their Whois database...

    now that’s bad.

  21. Cache refresh disabled to avoid rate-limiting of whois servers

    [refresh cache]

    $ whois NET-3-128-0-0-1@whois.arin.net
    ERROR 503: Unable to service request due to high volume.

    hmmm interesting....

    in the end, although it would go to /dev/nul for amazonaws, it can't find an owner now...

    No reporting addresses found for, using devnull for tracking.