Everything posted by gnarlymarley

  1. gnarlymarley

    godaddy spam source

    I don't think I have ever got any spam from godaddy. If the reports are not helping, at least the reports are feeding the block list. One thing you might want to try is reporting to their ISP.
  2. gnarlymarley

    ovh.net spam source

    If the reports are not helping, at least the reports are feeding the block list. One thing you might want to try is reporting to their ISP.
  3. gnarlymarley

    hetzner.de spam source

    If the reports are not helping, at least the reports are feeding the block list. One thing you might want to try is reporting to their ISP.
  4. The address matches the cached entry returned from RIPE. I am not sure I would trust the other RIPE email any more than the gmail address either.

    SpamCop RIPE cached:

    % Note: this output has been filtered.
    % To receive output for a database update, use the "-B" flag.
    % Information related to ' -'
    % Abuse contact for ' -' is 'vvsg180@gmail.com'

    New RIPE query:

    e-mail: vigorv@mail.ru
    e-mail: hawk@diamondc.ru
    upd-to: stell_hawk@mail.ru
    abuse: hawk@diamondc.ru

    One quick note that you may not be aware of is that thanks to GDPR there might be times where the "-B" gets in the way and someone has performed a manual add.

    SpamCop: Reports routes for routeid: 78192297 - to: vvsg180@gmail.com
    Administrator interested in all reports
    7/17/2019, 9:45:55 AM -0600 [Note added by (no name)] Route added without comment
  5. gnarlymarley

    No links, but wait, there is!

    I don't know why they are not showing either. I keep thinking it has something to do with the multipart boundary lines, but nothing is standing out. If I recall correctly, I think it used to say under the "Finding links in message body" something about parsing text/plain and also parsing text/html. Lately, I have only noticed it seems to parse the links from one multipart section.
  6. Appleseed, as a user like you, I am not able to see any spam you may have reported. So I second Lking's request for a tracking link. Appleseed, what I suspect you are seeing is some users have signed up for an IP range, but then don't use an abuse address. Those seem to be using a personal address instead.
  7. gnarlymarley

    forum spam handling

    Interesting, I have wondered if the spammers had a hidden account that was only created to verify that the emails the forum sends out have their spam. Though, I would lean more toward an account they created about two years ago for that.
  8. gnarlymarley

    forum spam handling

    I am not even sure how the coders would detect how old an email is. I am not even sure this information is available. From what I recall, the forum is double opt-in. I don't think it lets them post until they verify their email. That verification could be why it takes 3 to 20 minutes between the post and the sign up. Spammers are grabbing both domains and abandoned email addresses and have been caught using those in their spams. What is there to stop them from using what is considered an old email address when they sign up? That does not leave any good way to block them.
  9. gnarlymarley

    forum spam handling

    What an interesting thought. Though I wonder if they have a stash of thousands of stolen accounts they have to use or if they might be using their hundred domains (like the ones I see in the URLs) for their signup email.
  10. gnarlymarley

    forum spam handling

    Richard had said he did this with the captcha on May 19, but I don't think I saw any change. I believe this is entirely posted by humans. If it was a robot, the account creation would be around Sounds like they might be jumping around (if one person) the internet to avoid detection like they are with email spam. Also could be that someone is using a VPN service. I am fairly certain that it is at least two people posting the junk, but could be more. (The language style seems to be only two different types.) The source code of HTML (from http://forum.spamcop.net/profile/46580-hhhmax85/ on Rob's original example) seems to offer a datetime that appears the spammer is returning back later.

    <h4 class='ipsType_minorHeading'>Joined</h4><time datetime='2019-07-18T09:51:20Z' title='07/18/2019 03:51 AM' data-short='Jul 18'>July 18</time>
    <h4 class='ipsType_minorHeading'>Last visited</h4><time datetime='2019-07-18T09:55:53Z' title='07/18/2019 03:55 AM' data-short='Jul 18'>July 18</time>

    I am not sure if the account that has someone returning about four minutes later is a robot. Other users I have looked at can be "returning" as much as 16 minutes later. They either have a good randomizer, or else this is surely human.
  11. gnarlymarley

    forum spam handling

    I don't like the forum spam because as soon as it is posted, gmail has all forum emails marked with spam reputation. At this point, I personally would prefer to thwart the spammers similar to bl.spamcop.net if possible. Ah, so maybe something automated. If this were possible, I am all for automating any part of it so as to limit human mistakes. Seems like maybe some of the admins might be burning the candle at both ends at times. I have seen more than one person make mistakes when it comes to cleaning up the spam in the forums. Anything that might help out would be a plus. I am tempted to suggest something similar to the SpamCop BL, where enough bad reports and a user cannot post or sign up with a new account for 48 hours.
  12. Black Tiger, I see the period at the start of the domain name on the following line. The parser in the past has had problems with that if you have mailhosts enabled. If you submit it without the period (or put something in front of the period) or just remove that worthless Received line, it should submit.

    Received: from localhost ( by .jlU2KPHsGNpygo@Brief.me id IoLDL6FfG7GE
  13. gnarlymarley

    forum spam handling

    Rob, I like your solutions, but I don't think they apply here. As near as I can tell all accounts used in the spam appear to be mostly one and done. I have noticed that they have two posts at most, but most of them are created to post single content. Sometimes the same exact thing is posted twice, but it seems to be by different accounts. The account creation and the post appear to be within about ten minutes. The reason why I see only one post could be because Lking limits their posting, so they appear to create a new account and move on. I think Richard might be getting it late at night, while Lking has the daytime. The forum admins have also changed the captcha, so I don't think it is automated spam. It appears to be fully human since they get through all the hoops that the admins have applied so far.
  14. gnarlymarley

    Report Ends With "Parsing Header:"

    The first line is not supposed to have a colon. It is the mbox begin header that allows multiple email messages to populate a single file (I believe this is RFC4155). I myself have submitted these in the past without the parser hanging, but I do not have an example of a good parse readily available. When I come across one, I can post the proof that the parser is okay with the first line. A little further down, I see the proper From: with the colon. From: Best deal Here is a good parse that has the mbox line intact: https://www.spamcop.net/sc?id=z6539474280z193289084e1307447d9bce67061eecfbz
  15. gnarlymarley

    [Resolved] SC parse incomplete

    Spamnophobic, The problem seems to be the existence of a dot at the start of the hostname that seems to be stopping the parser, as can be seen by the other forum link below. It appears to be the following line: Received: from localhost ( by .z2bozghMJqWR3w@amazonses.com Sounds like your options are to submit without mailhosts, or to just remove that dot before you submit.
  16. gnarlymarley

    Report Ends With "Parsing Header:"

    I have located "Reporting form not loading fully afterparsing spam" from 2018, so this issue is pre-V5.0. I don't see any solutions on that post. My solution was to have two accounts set up and if I see a dot at the beginning of the hostname, I send the spam to the non-mailhosts account. By this comment, I meant that it would be nice if the parser was fixed...
  17. gnarlymarley

    Report Ends With "Parsing Header:"

    Jelmer, I get this occasionally too. I had some communication with the SpamCop Admins in 2017, but I am not sure if that is when I first saw it. Being that some folks called it a dot or period or {DOT}, it does make searching the forum difficult. Since spammers do not always get the reports (their ISP does and doesn't always pass it on), they probably do not know for sure what is caught by spamcop.
  18. Another reason why I would prefer an automated solution over the manual one is that the current solution can override any whois lookup attempts. Once an entry is made manually, it will constantly need to be manually updated as it can prevent the fresh "whois" link from gathering new contacts. If an IP range is passed back and forth between (for example) APNIC and ARIN, each pass would require a manual update. If automated, the system can either expire the cached entry or else the refresh whois link could pull in the updated contacts.
  19. gnarlymarley

    email-abuse@amazon.com - is this spam

    MIG, This is one that does nearly sound legitimate and had me going for about 10 days now, but I think I have cracked it. It appears that the bounce should be coming from or and not The MX record for client76701.host appears to be namecheap.com, not amazon. The more I look at this, the more I think backscatter
  20. This is a new one. I have not yet seen one where ARIN says they have been trying to reach the POC since 2016. The abuse address is "nobody@example.com"? https://www.spamcop.net/sc?id=z6546231249z22b5463db59fac126490a5590b1b3bb0z
  21. gnarlymarley

    What do do with Amazon hosted spammers

    I will explain further. Yes, I believe this does need to be updated as long as SC is not identifying the proper email addys. I also believe we should be able to figure out "why SC is not identifying the proper source" and we should be able to fix it. The "NEVER will" part needs human intervention with "both" the programmers to fix SC and also putting manual entries. I believe if SC could be fixed, it would automatically determine "most of the proper addys", but there would still be a smaller percentage that needs to be manually entered (due to bad whois or some other circumstance).
  22. gnarlymarley

    Report Ends With "Parsing Header:"

    Yes. I suspect the function that they expect is that, rather than the parser dying, it would come up with something like "Not one of your mailhosts". Then they could continue their submissions with one account that has mailhosts enabled.
  23. The answer to the permissions question would not be solved by a permissions grant since SpamCop goes to ARIN and stops. It does not appear to be trying the other registrars. As near as I can tell, the "Redirect to ripe" or "Redirect to apnic" or "Redirect to lacnic" or "Redirect to afrinic" that shows up is a manually made entry from http://forum.spamcop.net/forum/39-routing-report-address-issues/ and not automatic. "whois xx.xx.xx.xx@whois.arin.net" (Getting contact from whois.arin.net ) Redirect to ripe As a reminder here, this is happening with more than just RIPE as it is happening with all IP registrars. It is most notably with APNIC, which has granted full permissions. Also, I thought there was a whois copy at SpamCop using rsync that would be queried first, which would also
  24. I went through my logs and noticed I didn't have any from the IP range of 2402:bc00::/32. The last time I had anything from 2402::/16 was in 2017. So I definitely missed this.
  25. gnarlymarley

    ripe whois -B

    If this does get looked at for implementation, then I would note that it appears AFRINIC is also doing this. It might be wise to look at an automatic implementation that could work for any registrar if they turn this on. % To receive output for a database update, use the "-B" flag. [refresh/show] Display data: