
petzl
Member
Content Count: 2,460

Posts posted by petzl


  1. 12 hours ago, Olof said:

    We are seeing that someone is sending a lot of spam using a mail address (From and Reply-To) that belongs to us (we've been spoofed). They are all sent from the same mailserver, and the content is classic spam in a lot of different variants. We are not the receivers of these mails, but we get all the autoreplies (as the Reply-To is spoofed too). We mainly see autoreplies from 2 targeted domains, which obviously lack checks on DMARC and SPF that would have stopped the mails, as the origin mail server isn't an approved sender in our SPF records. The sender is quite aggressive, as we have received about 38.000 mails of this kind in the last 7 days. I have blacklisted the mailserver that is sending the spam, so it is solved in that perspective for now, but it is of course not good for us that someone is sending out a lot of spam in our name.

    I have read a bit here about how to report, but I'm not sure if I can report this behaviour? I don't have the original mails, as they aren't targeted at me. It is not the spam itself I wish to report, but the MTA that is hammering out spam.

    Any suggestions?

    Thanks

    Olof 

    Report one to see what SpamCop makes of it, and submit.
    Before submitting, at the top of the report page is a tracking link; copy it and save it.
    Spammers also use reply addresses.
    The spoof may well be from the spammer.
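The post above explains why the two autoreplying domains should have rejected the spoofed mail: the spammer's MTA is not in the sender domain's SPF record. The script below is an added example of that check, not SpamCop's code and not code from anyone in the thread. The domains example.test and partner.test, their SPF records and every IP address are constructed for the demonstration, and the SPF_RECORDS dictionary stands in for the DNS TXT lookup a real receiver would do.

```python
"""Minimal SPF evaluator: does a sending IP match a domain's SPF record?

Supports the ip4, ip6, include and all mechanisms, which is enough to show
why a spoofed sender domain is rejected when the real MTA is not listed.
"""
import ipaddress

# Constructed records (assumption: these domains publish exactly this).
# example.test authorises one IPv4 block, one IPv6 block and whatever its
# partner authorises, and hard-fails everything else ("-all").
SPF_RECORDS = {
    "example.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 "
                    "include:partner.test -all",
    "partner.test": "v=spf1 ip4:192.0.2.0/28 -all",
}

# SPF qualifiers map to the result names a receiver acts on.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, records=SPF_RECORDS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip."""
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"           # domain publishes no SPF policy at all
    if depth > 10:
        return "permerror"      # RFC 7208 caps include recursion
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue            # modifier (redirect=, exp=), not evaluated here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: matches only when the included domain returns "pass"
            if check_spf(client_ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, ptr, exists are not supported here
    return "neutral"            # nothing matched and no "all" term present


def receiver_decision(client_ip, mail_from_domain, records=SPF_RECORDS):
    """What a receiving MTA that enforces SPF does with the message."""
    result = check_spf(client_ip, mail_from_domain, records)
    if result == "fail":
        return "reject"         # the spoof never reaches an autoresponder
    if result == "softfail":
        return "mark as suspicious"
    return "accept"


if __name__ == "__main__":
    # Constructed scenario: a spammer's MTA at 203.0.113.9 uses
    # example.test as the envelope sender, alongside three legitimate IPs.
    for ip in ("198.51.100.25", "192.0.2.5", "2001:db8:1::5", "203.0.113.9"):
        print(f"{ip:16} {check_spf(ip, 'example.test'):9} "
              f"{receiver_decision(ip, 'example.test')}")
```

A receiver that ran this check would return "fail" for the spammer's MTA and reject the message, so no autoreply would ever be generated against the spoofed Reply-To; the two domains sending the 38.000 autoreplies are accepting mail without consulting the record.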


  2. 5 hours ago, Jericho said:

    S-CERT replied they are not concerned, because this problem has nothing to do with the German Sparkasse (financial business) IT.

    They did not give the national CERT contact? How German of them.
    Look up the right one from this list (click "view all"):
    https://www.first.org/members/teams/
    Very bureaucratic, Germans are.
    Maybe this one? EU, I think?
    https://www.bsi.bund.de/EN/TheBSI/Contact/contact_node.html
    bsi[AT]bsi.bund[DOT]de


  3. 3 hours ago, Jericho said:

    Would a staff member please double-check this.
    Spam from xsserver.gmbh is still increasing.

    I believe SpamCop does not work properly, at least for my account. As the servers won't appear on the blocking list, reporting them again and again is pointless.

    Just include "S-CERT[AT]S-CERT[DOT]de" in your reports. xsserver.gmbh seems crooked to me?
    The idea is to get better than SpamCop.
    Include in notes:

    "Criminal phishing, blackmail threat, abuse@xsserver.gmbh ignore abuse reports. No unsubscribe, bogus but valid reply address goes to innocent parties"
    Their reply address is valid but bogus; it goes to innocent parties, e.g. a restaurant.
    It is a non-registered website, no registrar?
    http://195.62.32.155/#contact  - contact@195.62.32.155 is bogus, not valid.

    If you own your own server, try blocking the '195.62.32.0 - 195.62.33.255' IP range. Bounce to abuse@xsserver.gmbh: criminal activity!


  4. 6 hours ago, Jericho said:

    I already contacted xsserver via Facebook and complained about spam. Messages are read but not replied to.

    Why are the IPs not included in the Spamcop blocking lists?

    German ISPs are notorious for not replying!
    The Facebook page is not that active.
    The SC blocklist is too forgiving.
    Reports go back to "Submitted: 5/19/2020, 5:08:58 AM +1000:"
    but don't appear to be hitting spamtraps.


  5. 13 hours ago, Jericho said:

    Spam keeps coming in from these servers. Reporting them to SpamCop is pointless as long as the IP addresses won't show in the blocking lists.

    The German abuse desk is BlackHat, ignoring many, many SpamCop reports.
    Report to their CERT http://www.s-cert.de/eng/ (the email is in the weblink); tell them in the notes:
    "Criminal phishing, blackmail threat spam, no unsubscribe, bogus valid reply address to innocent parties"
    Their reply address is valid but bogus; it goes to an innocent party, a restaurant.
    It is a non-registered website, no registrar?
    http://195.62.32.155/#contact  - contact@195.62.32.155 is bogus, not valid.
    Include weblinks in the report? These also seem to me like bogus links to innocent parties.
    Select TAB Preferences
    Show Technical Details during reporting
    Simple output
    Show technical data

    Their provider https://xsserver.eu
    seems dodgy as well?
    Registrant: NOT DISCLOSED! Visit www.eurid.eu for webbased WHOIS.
    Has a Facebook page:
    https://www.facebook.com/XSServer


  6. 11 hours ago, fnsp_stastny said:

    So what exactly should we do? We have like 3000 PCs in our network; it's time consuming to look for a PC which could have some virus/spammer access.

    Right now I cannot see you on any blacklist? Maybe your problems are over? However, some blacklists never remove one from their blacklist until a lot of grovelling is done. Hotmail and Gmail don't list their blacklists! But your system is set up correctly, just high usage.
    SpamCop's blocklist only lists for a maximum of 24 hours if the spam stops, sooner if one delists it.

    On your contact webpage, change email addresses to images, as "spamBots" scrape email addresses. Yes, some spamBots can read images; most cannot.

    Many companies do not allow personal email or downloads, which stops malware, and have all email electronically read; if there are enough "strikes" it is then actually read, with security arriving unannounced to remove the offender off site!
    The only course, if you are satisfied that all 3000 PCs are clean and kept that way but blocking is still happening, is to change to a different IP for your email server.

    I would suggest you ask via email and/or blog for your whole 3000 PC network to change passwords to a secure one:
    First letter of their (capitalized) name, first 2 numbers of their street address, followed by a = sign, followed by a lower case, upper case alphanumeric unforgettable password.
    Example: P77=BratiSlava
    (This has 14 characters; there may be a limit on the number of characters one can use in a password?)
    Ask all to run the Microsoft Defender offline scan. THEN changing the password is best, but it gets problematical with naive users; get them to ask for assistance from other colleagues if needed. Up to you, but I don't recommend all 3000 users do this at the same time; baby steps first, say 5 first?
    https://support.microsoft.com/en-us/help/4027710/windows-using-windows-defender-offline

    Screen Capture of running Windows Defender offline scan

    https://ibb.co/2dLcPXP


  7. 6 hours ago, fnsp_stastny said:

    Can you give me information which e-mail address is sending spam mails to spamtraps?

    Nobody has access to spamtrap spam. Spamtraps are kept secret, sorry.
    But I did look at your email server, which shows it is slow.
    This indicates it is being accessed by one or many spammers.
    https://mxtoolbox.com/SuperTool.aspx?action=smtp%3a193.87.56.3&run=toolpage

    220 mail.fnsppresov.sk ESMTP Server (Kerber Mail Server 3.0) ready at Fri, 26 Jun 2020 13:12:11 +0200

    Test                       Result
    SMTP Connection Time       6.079 seconds - Warning on Connection time
    SMTP Transaction Time      8.734 seconds - Not good! on Transaction Time
    SMTP Reverse DNS Mismatch  OK - 193.87.56.3 resolves to mail.fnsppresov.sk
    SMTP Valid Hostname        OK - Reverse DNS is a valid Hostname
    SMTP Banner Check          OK - Reverse DNS matches SMTP Banner
    SMTP TLS                   OK - Supports TLS.
    SMTP Open Relay            OK - Not an open relay.

    https://talosintelligence.com/reputation_center/lookup?search=193.87.56.3

    SPAM LEVEL
    The spam level indicates how much spam that originated from this host has lately been caught and archived. These statistics are not displayed for every spam-sending host, because Talos Reputation Center is not storing every spam we encounter.


  8. 16 hours ago, fnsp_stastny said:

    We are using Windows Defender on every PC. At the moment, e-mail communication should be smooth?

    Someone had disabled Windows Defender, or you have a spammer using your computers!
    To get listed by spamtraps means 1000s of emails were being sent through your email server.

    Windows Defender is very good at picking up malware.
    Right now your email server has dropped by 100%.
    https://talosintelligence.com/reputation_center/lookup?search=193.87.56.3

                     LAST DAY     LAST MONTH
    SPAM LEVEL       Very High    Very High
    EMAIL VOLUME     0.0          3.5
    VOLUME CHANGE    -100%

    See this check:
    https://blog.mikrotik.com/security/winbox-vulnerability.html


  9. 5 hours ago, fnsp_stastny said:

    Oh, I'm sorry I forgot to write IP.

    193.87.56.3

    Not listed now, only one member report (child porn), so it must have been hitting spamtrap addresses?
    SpamCop was sending abuse reports to an old abuse address, so I refreshed it to "abuse-po[AT]sanet[DOT]sk".
    It is important for your customers to use a virus/malware program; Windows Defender is a good choice, but any would do.
    If malware is detected they need to change their password.
    The only report was:

    Submitted: 4/22/2020, 5:36:59 PM +1000:
    My dream is to try with you something that I have never done before.


  10. 14 hours ago, fnsp_stastny said:

    Hello,

    Our company was listed on a blacklist for 1 day, I guess. After a successful delist we still cannot send e-mails to some domains. Have you guys any experience with something like this?

    This error is showing: <<< 550 5.7.1 Remotehost is listed in the following RBL lists: SpamCop, NixSpam RBL

    Thanks for help.

    Need an IP to look at?
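The 550 bounce quoted in this post names two DNS-based blocklists, and the poster is still being rejected after delisting. The script below is an added example of how such a listing is actually looked up and why a delist can take a while to reach every receiver; it is not SpamCop's code and not code from anyone in the thread. The zone names for the two lists are assumptions about where they are published, the IP address 203.0.113.45 is constructed, and the in-memory resolver stands in for real DNS so the script runs offline.

```python
"""Look an IP up in DNS blocklists and model the delisting lag.

A DNSBL is queried by reversing the IPv4 octets and appending the list's
zone; an A record in 127.0.0.0/8 means "listed", NXDOMAIN means clean.
"""
import ipaddress
import socket

# Assumed zone names for the two lists named in the "550 5.7.1" bounce.
ZONES = {
    "SpamCop": "bl.spamcop.net",
    "NiX Spam": "ix.dnsbl.manitu.net",
}


def dnsbl_query_name(ip, zone):
    """203.0.113.45 in bl.spamcop.net -> 45.113.0.203.bl.spamcop.net"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def check_listings(ip, resolve, zones=ZONES):
    """Return {list name: [answers]} for every zone that currently lists ip.

    resolve(name) must return the A records for name, or [] when the name
    does not exist. Only 127.x.x.x answers count as a listing.
    """
    hits = {}
    for label, zone in zones.items():
        answers = [a for a in resolve(dnsbl_query_name(ip, zone))
                   if a.startswith("127.")]
        if answers:
            hits[label] = answers
    return hits


def live_resolve(name):
    """Real DNS lookup, for use against your own IP outside the demo."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []                              # NXDOMAIN: not listed


class CachingResolver:
    """Models a receiving MTA's DNS cache: an answer fetched before the
    delisting stays "listed" until its TTL expires, which is one reason a
    sender is still rejected right after a successful delist."""

    def __init__(self, upstream, ttl, clock):
        self.upstream, self.ttl, self.clock = upstream, ttl, clock
        self.cache = {}                        # name -> (answers, expires)

    def __call__(self, name):
        now = self.clock()
        if name in self.cache and self.cache[name][1] > now:
            return self.cache[name][0]
        answers = self.upstream(name)
        self.cache[name] = (answers, now + self.ttl)
        return answers


def delisting_demo():
    """Constructed timeline: listed, delisted upstream, still cached, clean."""
    listed = {"45.113.0.203.bl.spamcop.net": ["127.0.0.2"]}
    upstream = lambda name: listed.get(name, [])
    now = [0]
    resolver = CachingResolver(upstream, ttl=3600, clock=lambda: now[0])
    before = check_listings("203.0.113.45", resolver)
    listed.clear()                             # the list drops the IP
    now[0] = 600                               # ten minutes later ...
    just_after = check_listings("203.0.113.45", resolver)
    now[0] = 4000                              # ... and after the TTL expires
    after_ttl = check_listings("203.0.113.45", resolver)
    return before, just_after, after_ttl


if __name__ == "__main__":
    stages = ("before delist", "10 min after delist", "after TTL expiry")
    for stage, hits in zip(stages, delisting_demo()):
        print(f"{stage:20} {hits or 'not listed'}")
```

To check your own outbound IP for real, call `check_listings("<your ip>", live_resolve)`; the cached-answer model explains one of the reasons (the other being separate lists with their own delisting processes) why a receiver keeps quoting a list you have already been removed from.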


  11. 3 hours ago, el_gallo_azul said:

    I logged in for the first time in a long time yesterday. My account credentials weren't recognised, so I successfully went through the "Forgot password?" process.

    I set a new password consisting of 12 characters, including uppercase and lowercase letters, numbers, and symbols.

    Yesterday's post received a reply, so I tried to log in again. My new account credentials weren't recognised, so I successfully went through the "Forgot password?" process again. Thankfully, I am logged in at the end of that process, which means that it is possible for me to write this post.

    I imagine that I will try to log in again tomorrow, and I strongly suspect that these new account credentials won't be recognised, either.

    Any suggestions? Sometimes, I have found (on other websites) that including symbols can render a password invalid, despite apparently being accepted.

    Try leaving symbols out of the password?


  12. On 6/5/2020 at 10:01 PM, Snowbat said:

    abuse net pj-santanderesfera.com = postmasterXpj-santanderesferaXcom

    Abuse.net often gets their addresses wrong, putting postmaster@domain, which used to be the default address where no abuse address can be found.

    Doubt if it goes anywhere; it pays to look up abuse addresses yourself to check.
    I use this Windows app from
    http://www.nirsoft.net/utils/ipnetinfo.html


  13. 18 hours ago, rdorsch said:

    Thanks for sharing the useful link.

    Fortunately, so far my domain did not show in the pwned list 🙂

    The relation to spam here is that one of my smtpauth passwords would show up, correct?

    "smtpauth passwords would show up, correct?"
    "Pwned" is the term.
    https://monitor.firefox.com/breaches
    I have a throwaway Gmail address for Facebook to read newspapers; it seems pwned claims it gets breached often?
    Bit of a pain to change all passwords: Facebook, Gmail, cancel the "News account" clickbait I never wanted.
    Pwned lists all that show as compromised; my passwords are upper/lowercase, alphanumeric with symbols.
    Put up a Facebook page with my REAL name to see if I could contact "lost friends";
    before I even used it, Facebook appears to have sold my info to a Russian spam crime gang.
    Still get phishing from them, but it has slowed to, so far, one a month. Reporting does work.


  14. 3 hours ago, gnarlymarley said:

    (I think what petzl is talking about is where I have seen IP cameras and routers get hacked and the spam sent from there, but this does not appear to be coming directly from your server.  If it was coming directly from your server, I would check the server and any devices that might be sharing the same IP for possible intrusions.)

    Yes, smart TVs, Amazon and Google devices, mobile phones, baby monitors and security cameras are now on the list for hackers.
    The Internet of Things (IoT) is the new threat.


  15. 14 hours ago, rdorsch said:

    I do not understand why I should run a virus scan if my server is not the source of the spam

    Talking about your PC, a virus check is a must. Could be you have been compromised.
    I even use a VPN; this encrypts my communications to and from the computer. Even my Skype calls are encrypted.
    Win10 here; I just use Windows Defender, which right now seems very good.


  16. 16 hours ago, rdorsch said:

    Since the domain which is referenced in the spam email and my mail domain are the same, it should be trivial to catch such false positives by spamcop. I am just wondering if anything changed in the spamcop setup or if I can somewhere configure that spamcop never generates reports against my own domain submitted by me.

    Seems strange a provider would shut down a website with one complaint?
    Make sure it has not been compromised; change the password.
    Run a virus scan on your computer. If you are competing against a similar website you are possibly being attacked, often done for blackmail as well!
    Your mailhosts are not necessarily the same as a domain. Have a look.
    But then SpamCop only stops reporting your email "domain".

    Contact your provider.


  17. 9 hours ago, Spamnophobic said:

    @Petzl, my mailhosts haven't changed, although just to be sure I'm re-running the mailhosts "app". However, 31[dot]onefourfive[dot]190<fullstop>66 is definitely not one of my mailhosts. It is the closest the parse gets to the original spam sending address. It is a mail server in Turkey. The parse quotes one more IP, called "User", 176<dot>thirtytwo[dot]25[dot]27, which I am unable to ping (times out).

    My point is that SpamCop is unable to parse the spam mail ("No source IP address found") In the past spammers have tricked SpamCop into giving this error message. See my earlier posts in this forum. (This was eventually resolved with the help of a SpamCop administrator.)

    Well, 83.96.176.84 (proserve[DOT]nl, signet[DOT]nl) at a guess seems to be your email provider or network.
    You seem to be picking up your email from an internal network which probably changes?

    AFTER deleting your mailhost entry, try redoing it.
    If this doesn't update,
    contact SpamCop support:
    log on and go here (there is an email address but I forget it)
    https://mailsc.spamcop.net/fom-serve/cache/401.html
    or, for a free user,
    https://www.spamcop.net/fom-serve/cache/401.html
    Other reasons for contact:
    (put in) "Mailhosts"


  18. 3 hours ago, Spamnophobic said:

    OK I know we have been here before, but could somebody examine my tracking url:

    https://www.spamcop.net/sc?id=z6634628358z460dafae0c54205ace1fe027dc2ff311z

    perhaps forum seniors or SpamCop staff can suggest how to get these new ones reported?

    Spam came from IP 31.145.190.66, "abuse[AT]vodafone[DOT]net[DOT]tr".
    Seems you need to check/update your mailhosts or you will be reporting yourself!
    Log on to SpamCop, then go here:
    https://www.spamcop.net/mcgi?action=mhedit
    Paying member? Go here:
    https://mailsc.spamcop.net/mcgi


  19. 1 minute ago, Outernaut said:

    Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum 5 minutes, this one, as I've seen with a few others, shows up two or three days late. Thanks for the help.

    Without seeing a Tracking URL:
    Sometimes a server is turned off when it is found spewing spam.

    When turned on again it spews out the remaining spam.
    While you may only just get it, it can have been sitting on the server for days.
    That is the received date SpamCop goes by, not when you receive it.
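Two of the replies above hang on reading the Received: chain of a message: the mailhosts advice in post 18 (the reported source is the first relay that is not one of your own mailhosts) and the point just made in post 19 (the date that counts is the relay's Received stamp, not the moment you collect the mail). The script below is an added example that walks that chain; it is not SpamCop's parser and not code from anyone in the thread. The message is constructed with documentation addresses, and the list of "trusted mailhosts" is an assumption about what this site registered with SpamCop.

```python
"""Walk a message's Received: chain to find the reportable source IP and
how long the message sat on a relay before it was delivered.
"""
import re
import ipaddress
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: our own mail store and MX (192.0.2.0/24), an ISP
# relay that held the message for almost three days, and the originating
# host behind it. Newest Received: header is on top, as in real mail.
RAW_MESSAGE = """\
Received: from mx1.example.test ([192.0.2.10])
\tby mailstore.example.test with LMTP id 42; Thu, 25 Jun 2020 09:10:00 +0000
Received: from relay.isp.test (relay.isp.test [203.0.113.7])
\tby mx1.example.test with ESMTPS; Thu, 25 Jun 2020 09:09:58 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby relay.isp.test with ESMTP; Mon, 22 Jun 2020 14:00:00 +0000
From: someone@example.test
Subject: constructed sample

body
"""

# Assumption: the networks this site told SpamCop are its own mailhosts.
TRUSTED_MAILHOSTS = [ipaddress.ip_network("192.0.2.0/24")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return [(sending_ip, received_at)] in header order, newest first."""
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())            # unfold the header
        ip_match = IP_IN_BRACKETS.search(flat)
        _, _, date_part = flat.rpartition(";")     # timestamp follows the ';'
        if not ip_match or not date_part.strip():
            continue                               # malformed hop, skip it
        hops.append((ip_match.group(1),
                     parsedate_to_datetime(date_part.strip())))
    return hops


def spam_source(hops, trusted=TRUSTED_MAILHOSTS):
    """First hop, walking from the newest, whose sending IP is not one of
    our own mailhosts: that is the address an abuse report goes to.
    Returns None when every hop is trusted, which is the situation behind
    a "No source IP address found" parse."""
    for ip, _ in hops:
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ip
    return None


def queue_delay_seconds(hops):
    """Seconds between the oldest Received: stamp and final delivery."""
    if len(hops) < 2:
        return 0
    return int((hops[0][1] - hops[-1][1]).total_seconds())


if __name__ == "__main__":
    chain = parse_received(RAW_MESSAGE)
    for ip, when in chain:
        print(f"{ip:16} {when.isoformat()}")
    print("report to owner of:", spam_source(chain))
    print("held on relays for:", queue_delay_seconds(chain) // 3600, "hours")
```

With the constructed headers the reportable source is the ISP relay at 203.0.113.7, not our own MX, and the oldest stamp is almost three days before delivery, which is the kind of gap the post describes when a relay is switched back on and flushes its queue. Had TRUSTED_MAILHOSTS been left empty, our own MX would be the "source", which is exactly the "reporting yourself" mistake the mailhosts advice warns about.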


  20. 20 hours ago, gnarlymarley said:

    I have seen where the ISP/spammer marks "The issue is resolved" and by the time I go to report the spam, SpamCop doesn't let me further report as the issue has been "resolved"

    That is annoying; I then manually report from my spammed email address.
