petzl
-
Content Count
2,460 -
Joined
-
Last visited
Posts posted by petzl
-
-
5 hours ago, Jericho said:S-CERT replied they are not concerned, because this problem has nothing to do with the German Sparkasse (financial business) IT.
They did not give the nation cert contact? How German of them.
Look up the right one from this list (click view all)
https://www.first.org/members/teams/
Very bureaucratic Germans are.
maybe this one? EU I think?
https://www.bsi.bund.de/EN/TheBSI/Contact/contact_node.html
bsi[AT]bsi.bund[DOT]de -
3 hours ago, Jericho said:Woukd a staff member please double-check this.
spam from xsserver.gmbh is still increasing.I believe SpamCop does not work properly, at least for my account. As the servers won't appear on the blocking list, reporting them again and again is pointless.
Just include "S-CERT[AT]S-CERT[DOT]de" in your reports. xsserver.gmbh seem crooked to me?
The idea is to get better than SpamCop
include in notes"Criminal phishing, blackmail threat, abuse@xsserver.gmbh ignore abuse reports. no unsubscribe, bogus but valid reply address go to innocent parties"
their reply address is valid but Bogus goes to innocent parties, eg. a restaurant
It is a non-registered Website no registra?
http://195.62.32.155/#contact - contact@195.62.32.155 is bogus not valid
If you own your own server try blocking '195.62.32.0 - 195.62.33.255' IP range. bounce to abuse@xsserver.gmbh criminal activity! -
6 hours ago, Jericho said:I already contacted xsserver via facebook and complained about spam. Messages are read but not replied.
Why are the IPs not included in the Spamcop blocking lists?
German ISP's are notorious for not replying!
Facebook page is not that active
SC blocklist is too forgiving
Reports go back to "Submitted: 5/19/2020, 5:08:58 AM +1000:"
But don't appear to be hitting spamtraps -
13 hours ago, Jericho said:spam keeps coming in from these servers. Reporting them to Spamcop is pointless as long as the IP addresses won't show in the blocking lists.
The German abuse desk is BlackHat ignoring many, many SpamCop reports
Report to their CERT http://www.s-cert.de/eng/ email is in weblink tell in notes,
"Criminal phishing, blackmail threat spam, no unsubscribe, bogus valid reply address to innocent parties"
their reply address is valid but Bogus goes to innocent party, a restaurant
It is a non-registered Website no registra?
http://195.62.32.155/#contact - contact@195.62.32.155 is bogus not valid
Include weblinks in report? which to me also seem bogus links to innocent parties
Select TAB Preferences
Show Technical Details during reporting
Simple output
Show technical data
Their provider https://xsserver.eu
Seem dodgy as well?
Registrant: NOT DISCLOSED! Visit www.eurid.eu for webbased WHOIS.
has a facebook page
https://www.facebook.com/XSServer -
11 hours ago, fnsp_stastny said:So what exactly should we do? We have like 3000 PCs in our network, it's time consuming to look for a PC in which could be some virus/spammer access.
I right now cannot see you on any blacklist? Maybe your problems over?However some blacklists never remove one from their blacklist, until a lot of grovelling is done. Hotmail GMail don't list their black lists! But your System is set up correctly, just high usage.
SpamCops blocklist only lists a maximum of 24 hours if spam stops, sooner if one delists it.
on your contact webpage change email addresses to images as "spamBots" scrape email addresses yes some spamBots can read images most cannot.
Many companies do not allow personal email or downloads which stops malware, and have all email electronically read, if enough "strikes" it then is actually read, with security arriving unannounced to remove offender off site!
The only course to if you are satisfied that all 3000 PC's are clean and kept that way but blocking is still happening is to change to a different IP for your email server.
I would suggest you ask via email and or Blog. for all your 3000 PC network to change passwords to a secure one
First letter of their (Capitalized) name, first 2 numbers of their street address, followed by a = sign, followed by a lower case, upper case Alphanumeric unforgettable password.
example; P77=BratiSlava
(this has 14 characters there may be a limit of characters one can use on a password?)
Ask all to run on their Microsoft defender offline scan. THEN change password is best, but gets problematical with naive users, get them to ask for assistance from other colleagues if needed. Up to you but I don't recommend all 3000 users do this at same time, babysteps first say 5 first?
https://support.microsoft.com/en-us/help/4027710/windows-using-windows-defender-offline
Screen Capture of running Windows Defender offline scan -
6 hours ago, fnsp_stastny said:Can you give me information which e-mail address is sending spam mails to spamtraps?
Nobody has access to spamtrap spam. spamtraps are kept secret sorry
But I did look at your email server which shows is slow.
indicates it is accessed by a or many a spammer
https://mxtoolbox.com/SuperTool.aspx?action=smtp%3a193.87.56.3&run=toolpage220 mail.fnsppresov.sk ESMTP Server (Kerber Mail Server 3.0) ready at Fri, 26 Jun 2020 13:12:11 +0200 Test Result SMTP Connection Time 6.079 seconds - Warning on Connection time More Info SMTP Transaction Time 8.734 seconds - Not good! on Transaction Time More Info SMTP Reverse DNS Mismatch OK - 193.87.56.3 resolves to mail.fnsppresov.sk SMTP Valid Hostname OK - Reverse DNS is a valid Hostname SMTP Banner Check OK - Reverse DNS matches SMTP Banner SMTP TLS OK - Supports TLS. SMTP Open Relay OK - Not an open relay.https://talosintelligence.com/reputation_center/lookup?search=193.87.56.3
spam LEVEL The spam Level indicates how much spam that originated from this host, has been lately caught and archived. This statistics is not displayed for every spam sending host, because Talos Reputation Center is not storing every spam we encounter.
-
16 hours ago, fnsp_stastny said:We are using on every Pc Windows Deffender. At the moment, e-mail communication should be smooth?
Someone had disabled windows defender or you have a spammer using your computers!
To get listed by spamtraps means 1000's of emails were being sent through your email serverWidows defender is very good at picking up malware.
Right now your email server has dropped by 100%
https://talosintelligence.com/reputation_center/lookup?search=193.87.56.3
LAST DAY LAST MONTH
spam LEVEL Very High Very High
EMAIL VOLUME 0.0 3.5
VOLUME CHANGE -100%
see check
https://blog.mikrotik.com/security/winbox-vulnerability.html -
5 hours ago, fnsp_stastny said:Oh, I'm sorry I forgot to write IP.
193.87.56.3
Not listed now, only one member report (child porn) so must of been hitting spamtrap addresses?
SpamCop was sending abuse reports to old abuse address so refreshed it to "abuse-po[AT]sanet[DOT]sk"
Important for your customers to use a virus/malware program Windows Defender is a good choice, but any would do.
If malware detected they need to change password.
only report wasSubmitted: 4/22/2020, 5:36:59 PM +1000: My dream is to try with you something that I have never done before.
-
18 hours ago, Jericho said:Is there something wrong? Please advise.
Need a Tracking URL to look before you submit it's on page top
SpamCop v 5.1.0 © 2020 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6638897535zab568c7aa78b449e543f0c2ef2712cf7z
Skip to Reports -
14 hours ago, fnsp_stastny said:Hello,
Our company was listed on blacklist for 1 day I guess. After successful delist we still cannot send e-mails to some domains. Have you guys any experience with something like this?
This error is showing:<<< 550 5.7.1 Remotehost is listed in the following RBL lists: SpamCop, NixSpam RBL
Thanks for help.
Need a IP to look?
-
3 hours ago, el_gallo_azul said:I logged in for the first time in a long time yesterday. My account credentials weren't recognised, so I successfully went through the "Forgot password?" process.
I set a new password consisting of 12 characters, including uppercass and lowercase letters, numbers, and symbols.
Yesterday's post received a reply, so I tried to login again. My new account credentials weren't recognised, so I successfully went through the "Forgot password?" process again. Thankfully,, I am logged in at the end of that process, which means that it is possible for me to write this post.
I imagine that I will try to log in again tomorrow, and I strongly suspect that these new account credentials won't be recognised, either.
Any suggestions? Sometimes, I have found (on other websites) that including symbols can render a password invalid, despite apparently being accepted.
Try leaving Symbols out of password?
-
3 hours ago, el_gallo_azul said:What does that mean?
This is a genuine question, as I'd really like to know how to go about it.Should be a option to "Forward as attachment " in your email
-
Forward as ATTACHMENT might give results?
-
On 6/5/2020 at 10:01 PM, Snowbat said:abuse net pj-santanderesfera.com = postmasterXpj-santanderesferaXcom
Abuse net often get their addresses wrong putting postmaster@domain, that used to be the default address where no abuse address can be found.
Doubt if it goes any where, pays to look-up abuse addresses yourself to check.
I use this windows APP from
http://www.nirsoft.net/utils/ipnetinfo.html -
18 hours ago, rdorsch said:Thanks for sharing the useful link.
Fortunately, so far my domain did not show in the pwned list 🙂
The relation to spam here is that one of my smtpauth passwords would show up, correct?
"smtpauth passwords would show up, correct?"
pwned is the term
https://monitor.firefox.com/breaches
I have a throwaway gmail address for facebook to read newspapers, seems pwned claims it gets breached often?
Bit of a pain to change all passwords Facebook, Gmail, cancel the "News account" clickbait I never wanted
pwned lists all that show compromised, my passwords are upper/lowercase, alphanumeric with symbols.
Put up a FaceBook page with REAL name to see if I could contact "lost friends"
before I even used it facebook appears to of sold my info to a Russian spam crime gang,
Still get phishing from them but has slowed to so far one a month. Reporting does work -
On 5/25/2020 at 4:58 PM, rdorsch said:I am not doubting that that virus checks are useful in particular if you are running a windows PC (which I do not 🙂 ).
But that is only relevant here, if my systems are the spam source, not the spam destination.
Go here to see if your Email address is listed?
https://monitor.firefox.com/breaches -
3 hours ago, gnarlymarley said:(I think what petzl is talking about is where I have seen IP cameras and routers get hacked and the spam sent from there, but this does not appear to be coming directly from your server. If it was coming directly from your server, I would check the server and any devices that might be sharing the same IP for possible intrusions.)
Yes smart TV's, Amazon, google devises, mobile phones, baby monitors, security camera's, are now on the list for hackers
Internet of Things (LoT) is the new threat. -
14 hours ago, rdorsch said:I do not understand why I should run a virus scan if my server is not the source of the spam
Talking about your PC a virus check is a must. Could be you have been compromised.
I even use a VPN this encrypts my communications to and from Computer. Even my Skype calls are encrypted.
Win!0 here just use Windows defender which right now seems very good. -
16 hours ago, rdorsch said:Since the domain which is referenced in the spam email and my mail domain are the same, it should be trivial to catch such false positives by spamcop. I am just wondering if anything changed in the spamcop setup or if I can somewhere configure that spamcop never generates reports against my own domain submitted by me.
Seems strange a provider would shut down a website with one complaint?
Make sure it has not been compromised, change password.
Run a virus scan on your computer. If you are competing against a similar website you are possibly being attacked, often done for blackmail as well!
Your mailhosts are not necessarily the same as a domain. have a look
But then SpamCop only stops reporting your email "domain"Contact your provider
-
9 hours ago, Spamnophobic said:@Petzl, my mailhosts haven't changed, although just to be sure I'm re-running the mailhosts "app". However, 31[dot]onefourfive[dot]190<fullstop>66 is definitely not one of my mailhosts. It is the closest the parse gets to the original spam sending address. It is a mail server in Turkey. The parse quotes one more IP, called "User", 176<dot>thirtytwo[dot]25[dot]27, which I am unable to ping (times out).
My point is that SpamCop is unable to parse the spam mail ("No source IP address found") In the past spammers have tricked SpamCop into giving this error message. See my earlier posts in this forum. (This was eventually resolved with the help of a SpamCop administrator.)
Well 83.96.176.84 (proserve[DOT]nl, signet[DOT]nl) at a guess seems to be your email provider or network.
You seem to be picking your email from a internal network which probably changes?
AFTER deleting your mailhost entry try redoing.
If this don't update
Contact SpamCop support
logon and go here (there is email address but I forget it)
https://mailsc.spamcop.net/fom-serve/cache/401.html
or free user
https://www.spamcop.net/fom-serve/cache/401.html
Other reasons for contact (put in) "Mailhosts" -
3 hours ago, Spamnophobic said:OK I know we have been here before, but could somebody examine my tracking url:
https://www.spamcop.net/sc?id=z6634628358z460dafae0c54205ace1fe027dc2ff311z
perhaps forum seniors or SpamCop staff can suggest how to get these new ones reported?
spam came from IP 31.145.190.66 "abuse[AT]vodafone[DOT]net[DOT]tr"
Seems you need to check/update your mailhosts or you will be reporting yourself!
Logon to SpamCop then go here
https://www.spamcop.net/mcgi?action=mhedit
Paying member go here
https://mailsc.spamcop.net/mcgi -
1 minute ago, Outernaut said:Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with as few others, show up two or three days late. Thanks for the help.
Without seeing a Tracking URL.
Sometimes a server is turned off when it is found spewing spamWhen turned on again it spews out remaining spam.
While you may just get it it can of been sitting on server for days.
That is the received date SpamCop goes by, not when you receive it. -
23 hours ago, Hatespam~~ said:Can not get mail from xxxx_1[X]spamcop.net to my web account at spectrum. Get error when reply to send to new hosts. Want my mail forwarded from spamcop to my spectrum account
Check your forwarding email address is correct and remove/edit your email address (spam BOTs scan for email addresses)
SpamCop email still Works for me
https://mailsc.spamcop.net/mcgi?action=wizard&stage=1 -
20 hours ago, gnarlymarley said:I have seen where the ISP/spammer marks "The issue is resolved" and by the time I go to report the spam, SpamCop doesn't let me further report as the issue has been "resolved"
That is annoying, I then manually report from my spammed email address.
Can SpamCop be used for...
in SpamCop Reporting Help
Posted
Report one to see what SpamCop makes of it, and submit
Before submitting, at top of report page is a tracking link, copy it and save.
spammers also use reply addresses
Spoof may well be from spammer