Snowbat

51.132.0.0 - 51.132.255.255 is Microsoft but SpamCop reports 51.132.220.203 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6693942163zc7ac658ce6e5c206330d702233efe297z Routing details for 51.132.220.203 [refresh/show] Cached whois for 51.132.220.203 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 51.132.220.203 (getting name) no name host 51.132.220.203 = v1v015.atrasofaturaviv0.com. (old cache) abuse net atrasofaturaviv0.com = postmaster@atrasofaturaviv0.com If reported today, reports would be sent to: Re: 51.132.220.203 (Administrator of IP block - statistics only) postmaster@atrasofaturaviv0.com

20.33.0.0 - 20.128.255.255 is Microsoft but SpamCop reports 20.73.0.72 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6692876685z0b26f07c4b20c3a2543ebe996cd74d4fz Routing details for 20.73.0.72 [refresh/show] Cached whois for 20.73.0.72 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 20.73.0.72 = vi44.viv0digital.com. (cached) abuse net viv0digital.com = postmaster@viv0digital.com In this case, the spammer is sending "invoice reminders" purporting to be from Brazilian carrier Vivo with "download/print" link that redirects to a java scri_pt-wrapped malware download.

Both Postfix and Sendmail insert text in parentheses at that point so I doubt that it's non-compliant. SpamCop's code to identify a valid IPv4 address is clearly flawed/incomplete though.

40.74.0.0 - 40.125.127.255 is Microsoft but SpamCop reports 40.78.83.67 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6642045732zc34f39654039de5566045cb551a1d653z Tracking message source: 40.78.83.67: Routing details for 40.78.83.67 [refresh/show] Cached whois for 40.78.83.67 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 40.78.83.67 = fim5.lotesecasasparafamilia.com. (cached) abuse net fim5.lotesecasasparafamilia.com = postmaster@lotesecasasparafamilia.com, postmaster@fim5.lotesecasasparafamilia.com

Could be. While reporting some spam to Microsoft myself, if it's hosted on Azure, I get a reply saying they've forwarded it to their CERT team for review and action but if it's a 365/Exchange Online tenant, they tell me to report it to junk@office365.microsoft.com myself. Needless to say, I don't bother. A trillion dollar tech company should be able to forward their own e-mail internally or organize their ARIN WHOIS entries to point to the correct abuse reporting mailboxes.

'51.120.0.0 - 51.120.255.255' is Microsoft but Spamcop reports 51.120.93.44 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6684582776z5cbae5f333ad4fcd75bb14237027b98dz Tracking message source: 51.120.93.44: Routing details for 51.120.93.44 [refresh/show] Cached whois for 51.120.93.44 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 51.120.93.44 = apps03.assistaemcasa.org. (cached) abuse net assistaemcasa.org = postmaster@assistaemcasa.org

52.132.0.0 - 52.143.255.255 is Microsoft but Spamcop reports 52.138.55.160 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6637276977z8c88d696b11a340247839b0d7a9a2c90z Tracking message source: 52.138.55.160: Routing details for 52.138.55.160 [refresh/show] Cached whois for 52.138.55.160 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 52.138.55.160 = user15.pj-santanderesfera.com. (cached) abuse net pj-santanderesfera.com = postmaster@pj-santanderesfera.com

168.61.0.0 - 168.63.255.255 is a Microsoft netblock. Why isn't SpamCop reporting this to abuse@microsoft.com? > Using rdns to route to correct Microsoft department Whatever SpamCop is trying to do here is clearly broken and likely to deliver reports directly to spammers hosted on Microsoft. https://www.spamcop.net/sc?id=z6688120180z0a1b0241c33ca6804206730ae435f1fbz Tracking message source: 168.61.170.142: Routing details for 168.61.170.142 [refresh/show] Cached whois for 168.61.170.142 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 168.61.170.142 = nago8.subnovoavisos.com. (cached) abuse net nago8.subnovoavisos.com = postmaster@nago8.subnovoavisos.com, postmaster@subnovoavisos.com

52.145.0.0 - 52.191.255.255 is a Microsoft netblock. Why is SpamCop not reporting this to abuse@microsoft? https://www.spamcop.net/sc?id=z6688108903z76b3e0f67ee7620d683a17e0735c5873z Tracking message source: 52.175.53.32: Routing details for 52.175.53.32 [refresh/show] Cached whois for 52.175.53.32 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 52.175.53.32 = w1.subnovoavisos.com. (cached) abuse net w1.subnovoavisos.com = postmaster@w1.subnovoavisos.com, postmaster@subnovoavisos.com > Using rdns to route to correct Microsoft department Whatever SpamCop is trying to do here is clearly broken and likely to deliver reports directly to spammers hosted on Microsoft.

52.132.0.0 - 52.143.255.255 is a Microsoft netblock. Why is SpamCop not reporting this to abuse@microsoft? > Using rdns to route to correct Microsoft department Whatever SpamCop is trying to do here is clearly broken and likely to deliver reports directly to spammers hosted on Microsoft.

13.64.0.0 - 13.107.255.255 is Microsoft but Spamcop reports 13.76.230.92 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6641771792z5771a00ed9c2fa22af1c6b531b432316zTracking message source: 13.76.230.92: Routing details for 13.76.230.92 [refresh/show] Cached whois for 13.76.230.92 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 13.76.230.92 = dizer6.lotesecasasparafamilia.com. (cached) abuse net dizer6.lotesecasasparafamilia.com = postmaster@lotesecasasparafamilia.com, postmaster@dizer6.lotesecasasparafamilia.com Message is 5 hours old

52.224.0.0-52.255.255.255 is Microsoft but Spamcop reports 52.243.34.34 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6640814149z1c2164e3e761afd7d9d053e0ead1aef0z Tracking message source: 52.243.34.34: Routing details for 52.243.34.34 [refresh/show] Cached whois for 52.243.34.34 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 52.243.34.34 = id1.saudoemprimeirolugarfiqueemcasavendofilmes.com. (cached) abuse net id1.saudoemprimeirolugarfiqueemcasavendofilmes.com = postmaster@saudoemprimeirolugarfiqueemcasavendofilmes.com, postmaster@id1.saudoemprimeirolugarfiqueemcasavendofilmes.com

13.64.0.0 - 13.107.255.255 is Microsoft but Spamcop reports 13.67.72.254 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6638070882z5bc61e892de0d6008e2b49d86b5592d4z Tracking message source: 13.67.72.254: Routing details for 13.67.72.254 [refresh/show] Cached whois for 13.67.72.254 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 13.67.72.254 = toca8.familiadesucessocsgoooooo.com. (cached) abuse net toca8.familiadesucessocsgoooooo.com = postmaster@familiadesucessocsgoooooo.com, postmaster@toca8.familiadesucessocsgoooooo.com

For the last couple of weeks, SpamCop has not been correctly parsing spam from my Hotmail account. Any idea what's going on here? Two days ago, I deleted and reran mailhosts for this service but the problem persists. https://www.spamcop.net/sc?id=z6378762559z9e42c80ad962a6642989b272eaee79eaz https://www.spamcop.net/sc?id=z6378762599z963fee002594ef1c3daff0952e466158z https://www.spamcop.net/sc?id=z6378762629z8baabe40e498cbe86c2260097091518bz https://www.spamcop.net/sc?id=z6378762639ze0cd6e76c908a12c1c8ca5553f342b84z https://www.spamcop.net/sc?id=z6378762644z410c37853971273a9de5f9f27ce6f8e3z https://www.spamcop.net/sc?id=z6378762902z2657a78dda3fef60e268f0981100b651z https://www.spamcop.net/sc?id=z6378762909z6c9d303ab453ac2154f15c00a5679f5az https://www.spamcop.net/sc?id=z6378762912z9d3975fe9be4f7d1c6aae30513c8722fz https://www.spamcop.net/sc?id=z6378762954zc9ad3fff16b35c0f4944d00e3fb863eez https://www.spamcop.net/sc?id=z6378763074z9b67a7250f57077a54fbe03e9fcd595az https://www.spamcop.net/sc?id=z6378763254zb4b48a0dd4f105809f20ede6ecdbf006z https://www.spamcop.net/sc?id=z6378763258z72c3b5dd2ea8860af33f5d3c0257f0c6z https://www.spamcop.net/sc?id=z6378763636z034beb54ac57c50dbf09508daa7ff4c5z https://www.spamcop.net/sc?id=z6378763925z449957c88a851d16252cee9de803b257z https://www.spamcop.net/sc?id=z6378951357z10d1d3e42ae81a1447647881d0d9e017z https://www.spamcop.net/sc?id=z6378951360zf352675756ac2d94503af4b8d321969bz https://www.spamcop.net/sc?id=z6378951467zb021e76dd1332491d92b8e3cd39f1cf9z https://www.spamcop.net/sc?id=z6378954042zfecb1df612b2cbecfb69cb4a2e92c512z https://www.spamcop.net/sc?id=z6378954113zdae910ce6dc7784fedef7b308453eb08z https://www.spamcop.net/sc?id=z6378954169z48b59cbf560c5792d41fbb8e0f1c9410z https://www.spamcop.net/sc?id=z6378954182zdb6fafd7f501cd173eb7dbcd62f506fez https://www.spamcop.net/sc?id=z6378955431ze937e7b255a9db4c853c1f339c5663d6z https://www.spamcop.net/sc?id=z6378955479zfb1ffb94829210c5e66876da6110d418z https://www.spamcop.net/sc?id=z6378955491z6bdb65fab486e93e5de4a0fed6b35bb0z https://www.spamcop.net/sc?id=z6378955496z10f110021ce8ffc0e5c9f30a198bebd8z https://www.spamcop.net/sc?id=z6378956202z2151ed96656ef09afbfbda82b5ba09c1z https://www.spamcop.net/sc?id=z6378956209z74e287b105ff93ad043b1e0fd1f06b4dz https://www.spamcop.net/sc?id=z6378956212zea7c1ea8733cbd45235f93381821b57fz https://www.spamcop.net/sc?id=z6379246945z4d4fa92acc977540ebed5abd01c2f5a9z https://www.spamcop.net/sc?id=z6379246996z00c07466cdb9fd55076080a68ac83ac9z https://www.spamcop.net/sc?id=z6379247042zd4cb115a1c92f198d367fc41348c12c3z https://www.spamcop.net/sc?id=z6379247072zd64fb2dbb49c22a46d0154e02375d0bbz

Relevant: http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/ Reports appear to be going directly to the spammers, not abuse[at]softlayer.com: https://www.spamcop.net/sc?id=z6191170532z028df85cc9922827b02277fed9187609z https://www.spamcop.net/sc?id=z6191170495z5839032c3aaa7681f719ce5870ba5c02z For some reason, SpamCop trusts the contents of the abuse-mailbox field while ignoring RIPE's % Abuse contact for $NETBLOCK is 'abuse[at]softlayer.com' at the top of the whois output.

eg. https://www.spamcop.net/sc?track=189.212.118.239 Assignee uses a gmail address for contact. SpamCop tries to report to Gmail abuse. Reports should go to axtelipmaster[at]gmail.com

Why are reports to Amazon being devnulled? ___ Re: 54.232.123.91 (Administrator of network where email originates) To: email-abuse#amazon.com.[at]devnull.spamcop.net (Notes) To: ec2-abuse[at]amazon.com (refuses to accept this type of report) To: ec2-abuse#amazon.com[at]devnull.spamcop.net (Notes) ___ Re: http://ge.tt/api/1/files/8FO0iO92/0/blob?download (Administrator of network hosting website referenced in spam) To: ec2-abuse[at]amazon.com (refuses to accept this type of report) To: email-abuse#amazon.com.[at]devnull.spamcop.net (Notes) To: ec2-abuse#amazon.com[at]devnull.spamcop.net (Notes) ___ Re: http://cl.ly/ZTua/download/NFE-7386.zip (Administrator of network hosting website referenced in spam) To: ec2-abuse[at]amazon.com (refuses to accept this type of report) To: email-abuse#amazon.com.[at]devnull.spamcop.net (Notes) To: ec2-abuse#amazon.com[at]devnull.spamcop.net (Notes)

http://www.spamcop.net/sc?id=z5469553896z6...a9d372c3147164z The header timestamps look normal to me. Parser bug?

APNIC whois: % Information related to '36.56.0.0 - 36.63.255.255' inetnum: 36.56.0.0 - 36.63.255.255 netname: CHINANET-AH descr: CHINANET Anhui province network descr: Data Communication Division descr: China Telecom country: CN admin-c: JW89-AP tech-c: JW89-AP status: ALLOCATED PORTABLE notify: nmc[at]mail.hf.ah.cn remarks: service provider mnt-by: APNIC-HM mnt-lower: MAINT-CHINANET-AH mnt-routes: MAINT-CHINANET-AH mnt-irt: IRT-CHINANET-CN changed: hm-changed[at]apnic.net 20110120 source: APNIC irt: IRT-CHINANET-CN address: No.31 ,jingrong street,beijing address: 100032 e-mail: anti-spam[at]ns.chinanet.cn.net abuse-mailbox: anti-spam[at]ns.chinanet.cn.net admin-c: CH93-AP tech-c: CH93-AP auth: # Filtered mnt-by: MAINT-CHINANET changed: anti-spam[at]ns.chinanet.cn.net 20101115 source: APNIC person: Jinneng Wang address: 17/F, Postal Building No.120 Changjiang address: Middle Road, Hefei, Anhui, China country: CN phone: +86-551-2659073 fax-no: +86-551-2659287 e-mail: ahdata[at]189.cn nic-hdl: JW89-AP mnt-by: MAINT-CHINANET-AH changed: wang[at]mail.hf.ah.cninfo.net 19990818 changed: hm-changed[at]apnic.net 20140221 source: APNIC SpamCop current: [refresh/show] Cached whois for 36.57.69.228 : wang[at]mail.hf.ah.cninfo.net Using last resort contacts wang[at]mail.hf.ah.cninfo.net wang[at]mail.hf.ah.cninfo.net bounces (360 sent : 186 bounces) Using wang#mail.hf.ah.cninfo.net[at]devnull.spamcop.net for statistical tracking.

RIPE Whois: Abuse contact for '94.100.162.0 - 94.100.162.63' is 'noc[at]alionis.net' SpamCop current: [refresh/show] Cached whois for 94.100.162.23 : pveron[at]cyberbrain.net Using last resort contacts pveron[at]cyberbrain.net pveron[at]cyberbrain.net bounces (7 sent : 6 bounces)

SpamCop: [refresh/show] Cached whois for 114.98.75.238 : wang[at]mail.hf.ah.cninfo.net Using last resort contacts wang[at]mail.hf.ah.cninfo.net wang[at]mail.hf.ah.cninfo.net bounces (360 sent : 186 bounces) Using wang#mail.hf.ah.cninfo.net[at]devnull.spamcop.net for statistical tracking > whois 114.98.75.238 % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '114.96.0.0 - 114.103.255.255' inetnum: 114.96.0.0 - 114.103.255.255 netname: CHINANET-AH descr: CHINANET Anhui PROVINCE NETWORK descr: China Telecom descr: No.31,jingrong street descr: Beijing 100032 admin-c: JW89-AP tech-c: JW89-AP country: CN remarks: service provider status: ALLOCATED PORTABLE remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+ remarks: This object can only be updated by APNIC hostmasters. remarks: To update this object, please contact APNIC remarks: hostmasters and include your organisation's account remarks: name in the subject line. remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+ changed: hm-changed[at]apnic.net 20080516 mnt-by: APNIC-HM mnt-lower: MAINT-CHINANET-AH mnt-routes: MAINT-CHINANET-AH source: APNIC person: Jinneng Wang address: 17/F, Postal Building No.120 Changjiang address: Middle Road, Hefei, Anhui, China country: CN phone: +86-551-2659073 fax-no: +86-551-2659287 e-mail: ahdata[at]189.cn nic-hdl: JW89-AP mnt-by: MAINT-CHINANET-AH changed: wang[at]mail.hf.ah.cninfo.net 19990818 changed: hm-changed[at]apnic.net 20140221 source: APNIC

RIPE Whois: % Abuse contact for '62.22.99.0 - 62.22.99.255' is 'abuse[at]es.verizon.com' Using abuse#es.uu.net[at]devnull.spamcop.net for statistical tracking.

Here is another: http://www.spamcop.net/sc?action=refreshcm...0whois.ripe.net Cache refresh disabled to avoid rate-limiting of whois servers [refresh cache] $ whois 93.83.16.70[at]whois.ripe.net [whois.ripe.net] % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf %ERROR:201: access denied for 184.94.240.95 % % Sorry, access from your host has been permanently % denied because of a repeated excessive querying. % For more information, see % http://www.ripe.net/data-tools/db/faq/faq-db/why-did-you-receive-the-error-201-access-denied % This query was served by the RIPE Database Query Service version 1.75 (DB-2)

Abuse contact for '85.10.239.32 - 85.10.239.63' is 'abuse[at]hetzner.de' SpamCop currently sending to legal#hospedagemgenial.com.br[at]devnull.spamcop.net (hardwired). Routing details for 85.10.239.42 legal[at]hospedagemgenial.com.br bounces (8 sent : 6 bounces) Using legal#hospedagemgenial.com.br[at]devnull.spamcop.net for statistical tracking.

Nic.br: inetnum: 186.233.144/21 aut-num: AS262790 abuse-c: CSL287 <<<< ... nic-hdl-br: CSL287 person: Central Server Inform�tica Ltda e-mail: registro[at]centralserver.com.br created: 20020130 changed: 20140414