Snowbat

Posts posted by Snowbat


  1. 40.74.0.0 - 40.125.127.255 is Microsoft but SpamCop reports 40.78.83.67 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers.

    https://www.spamcop.net/sc?id=z6642045732zc34f39654039de5566045cb551a1d653z

    Tracking message source: 40.78.83.67:

    Routing details for 40.78.83.67
    [refresh/show] Cached whois for 40.78.83.67 : abuse@microsoft.com
    Using best contacts abuse@microsoft.com
    Using rdns to route to correct Microsoft department
    host 40.78.83.67 = fim5.lotesecasasparafamilia.com. (cached)
    abuse net fim5.lotesecasasparafamilia.com = postmaster@lotesecasasparafamilia.com, postmaster@fim5.lotesecasasparafamilia.com


  2. 13.64.0.0 - 13.107.255.255 is Microsoft but Spamcop reports 13.76.230.92 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers.

    https://www.spamcop.net/sc?id=z6641771792z5771a00ed9c2fa22af1c6b531b432316z

    Tracking message source: 13.76.230.92:

    Routing details for 13.76.230.92
    [refresh/show] Cached whois for 13.76.230.92 : abuse@microsoft.com
    Using best contacts abuse@microsoft.com
    Using rdns to route to correct Microsoft department
    host 13.76.230.92 = dizer6.lotesecasasparafamilia.com. (cached)
    abuse net dizer6.lotesecasasparafamilia.com = postmaster@lotesecasasparafamilia.com, postmaster@dizer6.lotesecasasparafamilia.com
    Message is 5 hours old


  3. 52.224.0.0-52.255.255.255 is Microsoft but Spamcop reports 52.243.34.34 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers.

    https://www.spamcop.net/sc?id=z6640814149z1c2164e3e761afd7d9d053e0ead1aef0z

     

    Tracking message source: 52.243.34.34:

    Routing details for 52.243.34.34
    [refresh/show] Cached whois for 52.243.34.34 : abuse@microsoft.com
    Using best contacts abuse@microsoft.com
    Using rdns to route to correct Microsoft department
    host 52.243.34.34 = id1.saudoemprimeirolugarfiqueemcasavendofilmes.com. (cached)
    abuse net id1.saudoemprimeirolugarfiqueemcasavendofilmes.com = postmaster@saudoemprimeirolugarfiqueemcasavendofilmes.com, postmaster@id1.saudoemprimeirolugarfiqueemcasavendofilmes.com


  4. 13.64.0.0 - 13.107.255.255 is Microsoft but Spamcop reports 13.67.72.254 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers.

    https://www.spamcop.net/sc?id=z6638070882z5bc61e892de0d6008e2b49d86b5592d4z

    Tracking message source: 13.67.72.254:

    Routing details for 13.67.72.254
    [refresh/show] Cached whois for 13.67.72.254 : abuse@microsoft.com
    Using best contacts abuse@microsoft.com
    Using rdns to route to correct Microsoft department
    host 13.67.72.254 = toca8.familiadesucessocsgoooooo.com. (cached)
    abuse net toca8.familiadesucessocsgoooooo.com = postmaster@familiadesucessocsgoooooo.com, postmaster@toca8.familiadesucessocsgoooooo.com


  5. 52.132.0.0 - 52.143.255.255 is Microsoft but Spamcop reports 52.138.55.160 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers.

    https://www.spamcop.net/sc?id=z6637276977z8c88d696b11a340247839b0d7a9a2c90z

    Tracking message source: 52.138.55.160:

    Routing details for 52.138.55.160
    [refresh/show] Cached whois for 52.138.55.160 : abuse@microsoft.com
    Using best contacts abuse@microsoft.com
    Using rdns to route to correct Microsoft department
    host 52.138.55.160 = user15.pj-santanderesfera.com. (cached)
    abuse net pj-santanderesfera.com = postmaster@pj-santanderesfera.com


  6. For the last couple of weeks, SpamCop has not been correctly parsing spam from my Hotmail account. Any idea what's going on here?

    Two days ago, I deleted and reran mailhosts for this service but the problem persists.

     

    https://www.spamcop.net/sc?id=z6378762559z9e42c80ad962a6642989b272eaee79eaz
    https://www.spamcop.net/sc?id=z6378762599z963fee002594ef1c3daff0952e466158z
    https://www.spamcop.net/sc?id=z6378762629z8baabe40e498cbe86c2260097091518bz
    https://www.spamcop.net/sc?id=z6378762639ze0cd6e76c908a12c1c8ca5553f342b84z
    https://www.spamcop.net/sc?id=z6378762644z410c37853971273a9de5f9f27ce6f8e3z
    https://www.spamcop.net/sc?id=z6378762902z2657a78dda3fef60e268f0981100b651z
    https://www.spamcop.net/sc?id=z6378762909z6c9d303ab453ac2154f15c00a5679f5az
    https://www.spamcop.net/sc?id=z6378762912z9d3975fe9be4f7d1c6aae30513c8722fz
    https://www.spamcop.net/sc?id=z6378762954zc9ad3fff16b35c0f4944d00e3fb863eez
    https://www.spamcop.net/sc?id=z6378763074z9b67a7250f57077a54fbe03e9fcd595az
    https://www.spamcop.net/sc?id=z6378763254zb4b48a0dd4f105809f20ede6ecdbf006z
    https://www.spamcop.net/sc?id=z6378763258z72c3b5dd2ea8860af33f5d3c0257f0c6z
    https://www.spamcop.net/sc?id=z6378763636z034beb54ac57c50dbf09508daa7ff4c5z
    https://www.spamcop.net/sc?id=z6378763925z449957c88a851d16252cee9de803b257z
    https://www.spamcop.net/sc?id=z6378951357z10d1d3e42ae81a1447647881d0d9e017z
    https://www.spamcop.net/sc?id=z6378951360zf352675756ac2d94503af4b8d321969bz
    https://www.spamcop.net/sc?id=z6378951467zb021e76dd1332491d92b8e3cd39f1cf9z
    https://www.spamcop.net/sc?id=z6378954042zfecb1df612b2cbecfb69cb4a2e92c512z
    https://www.spamcop.net/sc?id=z6378954113zdae910ce6dc7784fedef7b308453eb08z
    https://www.spamcop.net/sc?id=z6378954169z48b59cbf560c5792d41fbb8e0f1c9410z
    https://www.spamcop.net/sc?id=z6378954182zdb6fafd7f501cd173eb7dbcd62f506fez
    https://www.spamcop.net/sc?id=z6378955431ze937e7b255a9db4c853c1f339c5663d6z
    https://www.spamcop.net/sc?id=z6378955479zfb1ffb94829210c5e66876da6110d418z
    https://www.spamcop.net/sc?id=z6378955491z6bdb65fab486e93e5de4a0fed6b35bb0z
    https://www.spamcop.net/sc?id=z6378955496z10f110021ce8ffc0e5c9f30a198bebd8z
    https://www.spamcop.net/sc?id=z6378956202z2151ed96656ef09afbfbda82b5ba09c1z
    https://www.spamcop.net/sc?id=z6378956209z74e287b105ff93ad043b1e0fd1f06b4dz
    https://www.spamcop.net/sc?id=z6378956212zea7c1ea8733cbd45235f93381821b57fz
    https://www.spamcop.net/sc?id=z6379246945z4d4fa92acc977540ebed5abd01c2f5a9z
    https://www.spamcop.net/sc?id=z6379246996z00c07466cdb9fd55076080a68ac83ac9z
    https://www.spamcop.net/sc?id=z6379247042zd4cb115a1c92f198d367fc41348c12c3z
    https://www.spamcop.net/sc?id=z6379247072zd64fb2dbb49c22a46d0154e02375d0bbz


  7. Relevant: http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/

    Reports appear to be going directly to the spammers, not abuse[at]softlayer.com:

    https://www.spamcop.net/sc?id=z6191170532z028df85cc9922827b02277fed9187609z

    https://www.spamcop.net/sc?id=z6191170495z5839032c3aaa7681f719ce5870ba5c02z

    For some reason, SpamCop trusts the contents of the abuse-mailbox field while ignoring RIPE's "% Abuse contact for $NETBLOCK is 'abuse[at]softlayer.com'" line at the top of the whois output.


  8. Why are reports to Amazon being devnulled?

    ___

    Re: 54.232.123.91 (Administrator of network where email originates)
    To: email-abuse#amazon.com.[at]devnull.spamcop.net (Notes)
    To: ec2-abuse[at]amazon.com (refuses to accept this type of report)
    To: ec2-abuse#amazon.com[at]devnull.spamcop.net (Notes)

    ___

    Re: http://ge.tt/api/1/files/8FO0iO92/0/blob?download (Administrator of network hosting website referenced in spam)

    To: ec2-abuse[at]amazon.com (refuses to accept this type of report)

    To: email-abuse#amazon.com.[at]devnull.spamcop.net (Notes)

    To: ec2-abuse#amazon.com[at]devnull.spamcop.net (Notes)

    ___

    Re: http://cl.ly/ZTua/download/NFE-7386.zip (Administrator of network hosting website referenced in spam)

    To: ec2-abuse[at]amazon.com (refuses to accept this type of report)

    To: email-abuse#amazon.com.[at]devnull.spamcop.net (Notes)

    To: ec2-abuse#amazon.com[at]devnull.spamcop.net (Notes)


  9. APNIC whois:

    % Information related to '36.56.0.0 - 36.63.255.255'

    inetnum: 36.56.0.0 - 36.63.255.255

    netname: CHINANET-AH

    descr: CHINANET Anhui province network

    descr: Data Communication Division

    descr: China Telecom

    country: CN

    admin-c: JW89-AP

    tech-c: JW89-AP

    status: ALLOCATED PORTABLE

    notify: nmc[at]mail.hf.ah.cn

    remarks: service provider

    mnt-by: APNIC-HM

    mnt-lower: MAINT-CHINANET-AH

    mnt-routes: MAINT-CHINANET-AH

    mnt-irt: IRT-CHINANET-CN

    changed: hm-changed[at]apnic.net 20110120

    source: APNIC

    irt: IRT-CHINANET-CN

    address: No.31 ,jingrong street,beijing

    address: 100032

    e-mail: anti-spam[at]ns.chinanet.cn.net

    abuse-mailbox: anti-spam[at]ns.chinanet.cn.net

    admin-c: CH93-AP

    tech-c: CH93-AP

    auth: # Filtered

    mnt-by: MAINT-CHINANET

    changed: anti-spam[at]ns.chinanet.cn.net 20101115

    source: APNIC

    person: Jinneng Wang

    address: 17/F, Postal Building No.120 Changjiang

    address: Middle Road, Hefei, Anhui, China

    country: CN

    phone: +86-551-2659073

    fax-no: +86-551-2659287

    e-mail: ahdata[at]189.cn

    nic-hdl: JW89-AP

    mnt-by: MAINT-CHINANET-AH

    changed: wang[at]mail.hf.ah.cninfo.net 19990818

    changed: hm-changed[at]apnic.net 20140221

    source: APNIC

    SpamCop current:

    [refresh/show] Cached whois for 36.57.69.228 : wang[at]mail.hf.ah.cninfo.net

    Using last resort contacts wang[at]mail.hf.ah.cninfo.net

    wang[at]mail.hf.ah.cninfo.net bounces (360 sent : 186 bounces)

    Using wang#mail.hf.ah.cninfo.net[at]devnull.spamcop.net for statistical tracking.


  10. SpamCop:

    [refresh/show] Cached whois for 114.98.75.238 : wang[at]mail.hf.ah.cninfo.net

    Using last resort contacts wang[at]mail.hf.ah.cninfo.net

    wang[at]mail.hf.ah.cninfo.net bounces (360 sent : 186 bounces)

    Using wang#mail.hf.ah.cninfo.net[at]devnull.spamcop.net for statistical tracking

    > whois 114.98.75.238

    % [whois.apnic.net]

    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    % Information related to '114.96.0.0 - 114.103.255.255'

    inetnum: 114.96.0.0 - 114.103.255.255

    netname: CHINANET-AH

    descr: CHINANET Anhui PROVINCE NETWORK

    descr: China Telecom

    descr: No.31,jingrong street

    descr: Beijing 100032

    admin-c: JW89-AP

    tech-c: JW89-AP

    country: CN

    remarks: service provider

    status: ALLOCATED PORTABLE

    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    remarks: This object can only be updated by APNIC hostmasters.

    remarks: To update this object, please contact APNIC

    remarks: hostmasters and include your organisation's account

    remarks: name in the subject line.

    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    changed: hm-changed[at]apnic.net 20080516

    mnt-by: APNIC-HM

    mnt-lower: MAINT-CHINANET-AH

    mnt-routes: MAINT-CHINANET-AH

    source: APNIC

    person: Jinneng Wang

    address: 17/F, Postal Building No.120 Changjiang

    address: Middle Road, Hefei, Anhui, China

    country: CN

    phone: +86-551-2659073

    fax-no: +86-551-2659287

    e-mail: ahdata[at]189.cn

    nic-hdl: JW89-AP

    mnt-by: MAINT-CHINANET-AH

    changed: wang[at]mail.hf.ah.cninfo.net 19990818

    changed: hm-changed[at]apnic.net 20140221

    source: APNIC


  11. Here is another:

    http://www.spamcop.net/sc?action=refreshcm...0whois.ripe.net

    Cache refresh disabled to avoid rate-limiting of whois servers
    [refresh cache]
    
    $ whois 93.83.16.70[at]whois.ripe.net
    
    [whois.ripe.net]
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf
    
    %ERROR:201: access denied for 184.94.240.95
    %
    % Sorry, access from your host has been permanently
    % denied because of a repeated excessive querying.
    % For more information, see
    % http://www.ripe.net/data-tools/db/faq/faq-db/why-did-you-receive-the-error-201-access-denied
    
    % This query was served by the RIPE Database Query Service version 1.75 (DB-2)
    
    
    


  12. Abuse contact for '194.165.26.0 - 194.165.27.255' is 'tiger.net.abuse[at]gmail.com'

    Routing details for 194.165.27.150

    [refresh/show] Cached whois for 194.165.27.150 : tiger.net.resources[at]gmail.com

    Using abuse net on tiger.net.resources[at]gmail.com

    abuse net gmail.com = gmail-abuse[at]google.com

    Using best contacts gmail-abuse[at]google.com

    Reports disabled for gmail-abuse[at]google.com

    Using gmail-abuse#google.com[at]devnull.spamcop.net for statistical tracking.


  13. Tracking message source: 200.186.136.163:

    Routing details for 200.186.136.163

    abuse[at]gblx.net bounces (99 sent : 99 bounces)

    Using abuse#gblx.net[at]devnull.spamcop.net for statistical tracking.

    Reports disabled for abuse[at]impsat.com.br

    Using abuse#impsat.com.br[at]devnull.spamcop.net for statistical tracking.

    Report routing for 200.186.136.163: mail-abuse[at]cert.br, abuse#gblx.net[at]devnull.spamcop.net, abuse#impsat.com.br[at]devnull.spamcop.net

    Message is 18 hours old

    Routing details for 200.186.136.163

    mail-abuse[at]cert.br has expressed an interest in 200.186.136.163

    200.186.136.163 not listed in cbl.abuseat.org

    200.186.136.163 listed in dnsbl.sorbs.net ( 1 )

    200.186.136.163 not listed in accredit.habeas.com

    200.186.136.163 not listed in plus.bondedsender.org

    200.186.136.163 not listed in iadb.isipp.com

    whois -h whois.nic.br 200.186.136.163 abuse-c field indicates the current reporting address for 200.186/16 is abuse[at]level3.com. There is a manual route addition above from 2007 to add mail-abuse[at]cert.br - perhaps this is preventing a cache refresh?

    whois -h whois.nic.br 200.186.136.163

    inetnum: 200.186/16

    aut-num: AS11415

    abuse-c: LEACO68

    owner: GLOBAL CROSSING COMUNICAÇÕES DO BRASIL LTDA.

    ...

    nic-hdl-br: LEACO68

    person: Level 3 Abuse Contact

    e-mail: abuse[at]level3.com

    created: 20120326

    changed: 20120327
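
One way to select an abuse contact from whois output with the precedence the APNIC, RIPE and whois.nic.br posts above argue for: the registry's "% Abuse contact" header first, then an abuse-mailbox attribute, then the object an abuse-c handle points at, and never a person object's e-mail. This is an added example, not SpamCop's own code; the whois samples are constructed after the output quoted above, with placeholder addresses.

```python
import re

# Constructed samples modelled on the whois output quoted above; all addresses are placeholders.
APNIC = """\
inetnum:        36.56.0.0 - 36.63.255.255

irt:            IRT-EXAMPLE
abuse-mailbox:  anti-spam@example.net

person:         Example Admin
e-mail:         admin@example.net
"""
RIPE = """\
% Abuse contact for '194.165.26.0 - 194.165.27.255' is 'abuse@example.org'

inetnum:        194.165.26.0 - 194.165.27.255
abuse-mailbox:  resources@example.org
"""
NICBR = """\
abuse-c:        LEACO68

nic-hdl-br:     LEACO68
e-mail:         abuse@example.com
"""
HEADER = re.compile(r"^% Abuse contact for '[^']*' is '([^']+)'", re.M)

def parse_objects(text):
    """Split RPSL-style output into blank-line separated objects of {key: value}."""
    objects, cur = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):   # comment lines also end an object
            objects, cur = objects + ([cur] if cur else []), {}
            continue
        key, _, value = line.partition(":")
        cur.setdefault(key.strip(), value.strip())
    return objects + ([cur] if cur else [])

def abuse_contact(text):
    """Return (address, reason), preferring the registry's own abuse designation."""
    if m := HEADER.search(text):               # RIPE prints this above the objects
        return m.group(1), "abuse-contact header"
    objs = parse_objects(text)
    for o in objs:                             # irt / inetnum abuse-mailbox attribute
        if "abuse-mailbox" in o:
            return o["abuse-mailbox"], "abuse-mailbox"
    handles = {o.get("nic-hdl", o.get("nic-hdl-br")): o for o in objs}
    for o in objs:                             # whois.nic.br style abuse-c -> nic-hdl-br
        if (t := handles.get(o.get("abuse-c", ""))) and "e-mail" in t:
            return t["e-mail"], "abuse-c handle"
    return None, "no abuse contact designated"  # a person's e-mail is not a substitute
```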


  14. abuse[at]uk2group.com is working - I got a reply. Can the bounce counter be reset or was this marked bouncing "by administrative decision"?

    Routing details for 174.127.102.245

    [refresh/show] Cached whois for 174.127.102.245 : abuse[at]uk2group.com

    Using abuse net on abuse[at]uk2group.com

    abuse net uk2group.com = abuse[at]uk2group.com

    Using best contacts abuse[at]uk2group.com

    abuse[at]uk2group.com bounces (99 sent : 99 bounces)

    Using abuse#uk2group.com[at]devnull.spamcop.net for statistical tracking.


  15. Yes, Don's "non-mailhosted" parse picks up the date elsewhere, as we have been discussing.

    On a related note:

    http://www.spamcop.net/sc?id=z5484448620z2...7979b567171946z

    This one looks like it has been sitting in the outgoing mail queue at [222.252.202.104] for 11 years (!) until yesterday but is in fact part of a recent spam run (identical subject, link, and "zoo movies 2012" in the body).


  16. Another one:

    http://www.spamcop.net/sc?id=z5484387070z9...f2a4e91661f039z

    In an ideal world, esatclear.ie would not be accepting mangled garbage like that (or maybe it is they who are doing the mangling - but probably not if they are passing on other messages that parse okay). In any event they could be encouraged to look at their handling of those messages ...

    RFC1122: "Be liberal in what you accept, and conservative in what you send"

    Exim and Postfix handle these messages without issue. If you can point out how accepting these messages for delivery is not RFC-compliant, I'll be happy to submit bug reports against Exim and Postfix. Otherwise, it's SpamCop who should be encouraged to look at their handling of these messages.
