
Posts posted by gnarlymarley

  1. On 9/7/2019 at 11:49 PM, RobiBue said:

    hostmaster and postmaster addresses are AFAIR quite old (10+ years) and often not used anymore... therefore the bounces.


    This is in part why I have to check my whois for my domain every few months to make sure it is correct.  I am not sure if they have the same requirement for the whois for IP addresses.

  2. On 9/5/2019 at 7:27 PM, RobiBue said:

    On a certain date, sendgrid probably asked SC not to send spam reports. On that date, or soon after, somebody manually devnulled the sendgrid abuse address. That date would be interesting to know, as well as the reason the address was devnulled.

    Might be good to have this as a new feature since most of these reports are not going anywhere anyway.

  3. On 9/2/2019 at 8:53 PM, petzl said:

    The log-in IP is not a bot;
    Namecheap runs 1000s of bots from their domains, all with different IPs.
     Domain blocklisting is now the most effective way of stopping forum spam.

    This is in part why I try to put a note for the reports going to legitimate hosters such as "You might want to work with your customer to clean up their compromised system."

  4. On 8/27/2019 at 2:49 PM, petzl said:

    These links produce a "Gateway Timeout" message for me.


    Interesting.  I still see the same thing too with both of your links, but all mine work fine.

    On 8/27/2019 at 2:49 PM, petzl said:

    parsing is working? Check text not word-wrapped, spam size (truncate) etc

    If you have not had any luck figuring this out, I would suggest contacting the deputies:


  5. On 8/20/2019 at 1:00 AM, Appleseed said:

    is it legit or not?

    I have had much thought on this, and I no longer trust many of the addresses that are called abuse or postmaster anymore.  I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), then I am not sure it matters as they already have that information from when they connected to my email server.  I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.

  6. On 8/14/2019 at 2:33 PM, Black Tiger said:

    Seemed that these messages arrived in the gmail spambox and I just moved to gmail and I don't use imap. So I did not see the spam folder.

    Yep, the admins are trying to resolve that issue by curbing some spam that seems to be affecting gmail's rules.

    On 8/14/2019 at 2:33 PM, Black Tiger said:

    I will try next time if this happens to pass this report. I just use the headers from Outlook 2013 and paste them in the box. This was the only time I had issues with reporting spam, and only with this message.

    This thread appears to be related to: 


  7. On 8/17/2019 at 7:38 PM, petzl said:

    Used to be postmaster@ then as that address spammed to oblivion became abuse@ that also is now spammed to oblivion,
    when abuse.net can't find an abuse address they use abuse@ as default. Wish SpamCop would stop using Abuse.net

    It has been a long time since I got spam at my abuse address.  With mine being an alias, I still like the ability to know what address the email was sent to.

    It sure would be nice if the whois cache could be synced and be more accurate.

  8. On 8/5/2019 at 11:04 PM, petzl said:

    spam reporting started in 1998 and had some hiccups, some providers believed SpamCop was buggy so did not want reports they couldn't rely on.

    Yes.  Also, if I remember correctly, some ISPs were not happy about the munged reports and turned it off because of that.

  9. On 8/26/2019 at 6:39 PM, Lking said:

    If my anecdotal test is true, a human gets past the first one, and the bot can do the rest.

    I can cut and paste from WordPad almost faster than running a script anymore these days.  A few months ago, we had some duplicates where, in the email subject (or the post's title), one started with "http" and the other started with " http".  So if a bot is posting it, would the bot randomly add a space in the title?  (Either at the beginning or the middle.)

    On 8/26/2019 at 9:02 PM, Lking said:

    (15min - hr between join and spam)

    I think the quickest one I saw a few months ago was between three and four minutes.  If I was going to automate any part of this (via a bot), the sign up portion would be what I would automate.  Most of the providers have IMAP or POP and the fetchmail command can output the email directly to a script.  I expect that if I were to do this, the posts would show around the first 10 seconds of every minute.  (It could be they do a randomized sleep, but cron starts at the top of the minute.)
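
A forum moderator could test the "first 10 seconds of every minute" idea from the post above against post timestamps. This is an added example, not part of the original post; the timestamps are constructed and the function names and thresholds are assumptions of the example.

```python
import math
from datetime import datetime

# Constructed sample data: ISO timestamps of spam posts.
BOT_LIKE = ["2019-08-26T18:39:04", "2019-08-26T19:02:02", "2019-08-26T20:15:07",
            "2019-08-27T01:00:03", "2019-08-27T03:30:05", "2019-08-27T06:45:01",
            "2019-08-27T09:10:08", "2019-08-27T11:20:02"]
HUMAN_LIKE = ["2019-08-26T18:39:03", "2019-08-26T19:02:17", "2019-08-26T20:15:29",
              "2019-08-27T01:00:41", "2019-08-27T03:30:52", "2019-08-27T06:45:08",
              "2019-08-27T09:10:33", "2019-08-27T11:20:47"]

def cron_window_score(timestamps, window=10):
    """Return (hits, n, p_value).

    hits    = events whose seconds field is below `window`
    p_value = binomial tail probability of at least `hits` such events
              if the seconds field were uniformly distributed (p = window/60).
    """
    secs = [datetime.fromisoformat(t).second for t in timestamps]
    n = len(secs)
    hits = sum(1 for s in secs if s < window)
    p = window / 60
    p_value = sum(math.comb(n, k) * p**k * (1 - p)**(n - k)
                  for k in range(hits, n + 1))
    return hits, n, p_value

def looks_scheduled(timestamps, alpha=0.01, min_events=5):
    """True when the clustering at the top of the minute is unlikely by chance.

    A job that sleeps a random interval after cron starts it will not show
    this pattern, so a False result does not rule out automation.
    """
    hits, n, p_value = cron_window_score(timestamps)
    return n >= min_events and p_value < alpha

if __name__ == "__main__":
    for name, sample in (("bot-like", BOT_LIKE), ("human-like", HUMAN_LIKE)):
        print(name, cron_window_score(sample), looks_scheduled(sample))
```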

  10. 31 minutes ago, petzl said:

    Not working it seems?

    Nope, the captcha is not working.  I think it was only about two months ago that Richard increased the captcha challenge level.  Due to the typos and spaces, I don't think this is done by computer.  I think it is done by one or two humans.  If it is humans and you try to stop them with a captcha, you will also stop legitimate forum users.

    But then they have already developed AI on computers that can read any captcha more accurately than humans, so maybe it is a computer.  The "typos" as I call them appear to be when copying from a Microsoft product where a space is sometimes added at the beginning or end.

  11. 2 hours ago, petzl said:

    nayon.isnpAT[bangla.net.bd seems is the correct address

    Interesting that the cached whois says it is from the mirror and the format of it is slightly different.  Also interesting that APNIC and RIPE seem to have abandoned the separate abuse handle in favor of the following line:

    % Abuse contact for ' -' is 'nayon.isn@bangla.net.bd'

    If I recall correctly, everyone used to use something similar to the following:

    OrgAbuseEmail:  abuse@example.com


  12. On 7/24/2019 at 8:41 PM, HeatherReid43 said:

    I did find an email address info{AT}us-cert.gov and phishing-report{AT}us-cert.gov but I want to be doubly sure that this is the correct email address to send the report to.

    Though I believe you have some good addresses, I am not sure it will help.  After me seeing the joke of the do not call list for the past decade (more than the current administration), I would suspect that amazon.AWS thinks these addresses would be nothing more than an external rating system.  I do not believe they would actually stop the spam.  I use the SpamCop blocking list for that.  Each time you report, it feeds the algorithm behind the block list.

  13. 17 hours ago, Appleseed said:

    There is that gmail address I'm talking about.

    The address matches the cached entry returned from RIPE.  I am not sure I would trust the other RIPE email any more than the gmail address either.

    SpamCop RIPE cached:

    % Note: this output has been filtered.
    %       To receive output for a database update, use the "-B" flag.
    % Information related to ' -'
    % Abuse contact for ' -' is 'vvsg180@gmail.com'

    New RIPE query:

    e-mail:          vigorv@mail.ru
    e-mail:          hawk@diamondc.ru
    upd-to:          stell_hawk@mail.ru
    abuse: hawk@diamondc.ru

    One quick note that you may not be aware of is that thanks to GDPR there might be times where the "-B" gets in the way and someone has performed a manual add.


    Reports routes for
    routeid: 78192297 - to: vvsg180@gmail.com
    Administrator interested in all reports
    7/17/2019, 9:45:55 AM -0600 
    [Note added by  (no name)]
    Route added without comment
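
The whois formats quoted in posts 11 and 13 (the `% Abuse contact for ... is ...` comment line, `OrgAbuseEmail:`, and plain `abuse:` / `e-mail:` attributes) can be read by one parser, which also makes a cached-versus-fresh comparison like the one above mechanical. This is an added example, not SpamCop's parser; the sample records are constructed, and the source ranking and function names are assumptions of the example.

```python
import re

# Constructed sample records (documentation ranges and example domains).
CACHED = """\
% Note: this output has been filtered.
% Information related to '192.0.2.0 - 192.0.2.255'
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'someone180@gmail.com'
"""
FRESH = """\
e-mail:          admin@example.net
upd-to:          updates@example.net
abuse:           abuse@example.net
OrgAbuseEmail:  abuse@example.com
"""

# RIPE/APNIC-style comment line, and generic "key: address" attributes.
ABUSE_COMMENT = re.compile(r"^%\s*Abuse contact for '.*?' is '([^']+)'", re.I)
ATTRIBUTE = re.compile(r"^([A-Za-z][\w-]*):\s*(\S+@\S+)$")

# Lower rank = more specific abuse contact. The ranking is this example's
# assumption; keys not listed (e.g. upd-to) are not reporting addresses.
RANK = {"abuse-comment": 0, "orgabuseemail": 1, "abuse-mailbox": 1,
        "abuse": 2, "e-mail": 3}

def abuse_contacts(whois_text):
    """Return [(address, source_key)], most specific source first."""
    found = {}
    for raw in whois_text.splitlines():
        line = raw.strip()
        m = ABUSE_COMMENT.match(line)
        if m:
            key, addr = "abuse-comment", m.group(1)
        else:
            m = ATTRIBUTE.match(line)
            if not m or m.group(1).lower() not in RANK:
                continue
            key, addr = m.group(1).lower(), m.group(2)
        addr = addr.lower()
        if addr not in found or RANK[key] < RANK[found[addr]]:
            found[addr] = key
    return sorted(found.items(), key=lambda kv: (RANK[kv[1]], kv[0]))

def cache_mismatch(cached_text, fresh_text):
    """Addresses in the cached record that a fresh query no longer lists."""
    fresh = {addr for addr, _ in abuse_contacts(fresh_text)}
    return [addr for addr, _ in abuse_contacts(cached_text) if addr not in fresh]

if __name__ == "__main__":
    print(abuse_contacts(FRESH))
    print(cache_mismatch(CACHED, FRESH))
```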


  14. On 8/7/2019 at 6:58 PM, RobiBue said:

    I don't know why the links don't appear in the report. I see them both, in the text/plain part, as well as in the text/html part

    I don't know why they are not showing either.  I keep thinking it has something to do with the multipart boundary lines, but nothing is standing out.

    If I recall correctly, I think it used to say under the "Finding links in message body" something about parsing text/plain and also parsing text/html.  Lately, I have only noticed it seems to parse the links from one multipart section.

  15. Appleseed,

    As a user like you, I am not able to see any spam you may have reported.  So I second Lking's request for a tracking link.

    1 minute ago, Lking said:

    If you could provide a Tracking URL it would help others see what the parser did with your spam.  It is hard to give an informed opinion based on just your post.

    Appleseed, what I suspect you are seeing is some users have signed up for an IP range, but then don't use an abuse address.  Those seem to be using a personal address instead.

  16. 5 hours ago, RobiBue said:

    2 of them didn't post anything

    Interesting, I have wondered if the spammers had a hidden account that was only created to verify that the emails the forum sends out have their spam.  Though, I would lean more toward an account they created about two years ago for that.