Steve

Posts posted by Steve


  1. 2 hours ago, RobiBue said:

    yeah, that's why I'm saying, I believe that injected Received line acts somewhat as a signature placed there by the designer of the malware...

    that IP might, at one time, have been assigned there... I don't know if there is a historical IP database available ;)

    but I understand now what you meant. thanks.

    Reporting the IP address results in this address coming up: abuse@wowrack.com

    I have tried reporting this IP address several times last year, and a few times an employee said they would "null-route" the IP address. But it still shows up in spam.


  2. https://www.spamcop.net/sc?id=z6519982075zb6dffaaf6c4dde062e506799464432dez

    Tracking message source: 188.40.69.215:

    Routing details for 188.40.69.215
    [refresh/show] Cached whois for 188.40.69.215 : pioklo@serveradmin.pl
    Using last resort contacts pioklo@serveradmin.pl

     

    Why when SC parses the IP Address, does it come up with a result for a Polish IP (pioklo@serveradmin.pl) as a last resort address?  But when I query it through whois.ripe.net does it come up registered to:

     

    Responsible organisation: Hetzner Online GmbH 
    Abuse contact info: abuse@hetzner.de
     
    
     
    • role: Hetzner Online GmbH - Contact Role
    • address: Hetzner Online GmbH
    • address: Industriestrasse 25
    • address: D-91710 Gunzenhausen
    • address: Germany
    • phone: +49 9831 505-0
    • fax-no: +49 9831 505-3
    • e-mail: ripe@hetzner.de
    • abuse-mailbox: abuse@hetzner.de
    • remarks: *************************************************
    • remarks: * For spam/abuse/security issues please contact *
    • remarks: * abuse@hetzner.de, not this address. *
    • remarks: * The contents of your abuse email will be *
    • remarks: * forwarded directly on to our client for *
    • remarks: * handling. *
    • remarks: *************************************************
    • remarks:
    • remarks: *************************************************
    • remarks: * Any questions on Peering please send to *
    • remarks: * peering@hetzner.de *
    • remarks: *************************************************
    • org: ORG-HOA1-RIPE
    • admin-c: MH375-RIPE
    • tech-c: GM834-RIPE
    • tech-c: SK2374-RIPE

  3. https://www.spamcop.net/sc?id=z6519956282z3287af6539a13394828b32aaa4e4b1a7z

    Tracking message source: 103.1.12.91:

    Routing details for 103.1.12.91
    [refresh/show] Cached whois for 103.1.12.91 : iptech@readyspace.com.sg
    info@readyspace.com.hk bounces (31 sent : 16 bounces)
    Using best contacts

    No reporting addresses found for 103.1.12.91, using devnull for tracking.

    Message is X hours old
    103.1.12.91 not listed in cbl.abuseat.org
    103.1.12.91 not listed in dnsbl.sorbs.net
    103.1.12.91 not listed in accredit.habeas.com
    103.1.12.91 not listed in plus.bondedsender.org
    103.1.12.91 not listed in iadb.isipp.com

     

    I have tried refreshing the page with no change in result. I went ahead and manually reported the spam to the ISP. 


  4. Parsing header:
    host 2001:12f0:601:a902:0:0:0:150 = turquesa.dcc.ufmg.br (cached)
    turquesa.dcc.ufmg.br is 2001:12f0:601:a902:0:0:0:150
    0: Received: from smtp.dcc.ufmg.br (turquesa.dcc.ufmg.br. [2001:12f0:601:a902::150]) by mx.google.com with ESMTP id a44si116985qvh.91.2018.11.11.09.04.47; Sun, 11 Nov 2018 09:04:49 -0800 (PST)
    Hostname verified: turquesa.dcc.ufmg.br
    Gmail/Postini received mail from sending system 2001:12f0:601:a902:0:0:0:150
     
    1: Received: from webmail.dcc.ufmg.br (xisto.dcc.ufmg.br [2001:12f0:601:a902::150]) by smtp.dcc.ufmg.br (Postfix) with ESMTPS id E90409F094; Sun, 11 Nov 2018 15:04:46 -0200 (-02)
    Hostname verified: xisto.dcc.ufmg.br
    Possible forgery. Supposed receiving system not associated with any of your mailhosts
    Will not trust this Received line.
    Tracking message source: 2001:12f0:601:a902:0:0:0:150:
    Display data:
    "whois 2001:12f0:601:a902:0:0:0:150@whois.lacnic.net" (Getting contact from whois.lacnic.net)
    Backup contact owner-c = rco217
    Using NS name gerencia.rede.ufmg.br to find domain and contact
       Display data:
       "whois rede.ufmg.br@whois.nic.br" (Getting contact from whois.nic.br)
       Backup contact owner-c = ura
       ura = r-admin@rede.ufmg.br
       urt = r-tecnic@rede.ufmg.br
       whois.nic.br rede.ufmg.br = r-admin@rede.ufmg.br, r-tecnic@rede.ufmg.br, mail-abuse@cert.br
    sic128 = cais@cais.rnp.br
    whois.lacnic.net found abuse contacts for 2001:12f0:601:a902:0:0:0:150 = cais@cais.rnp.br
    Cannot find ip range in whois output
    No reporting addresses found for 2001:12f0:601:a902:0:0:0:150, using devnull for tracking.
    Yum, this spam is fresh!
    Message is 2 hours old
    2001:12f0:601:a902:0:0:0:150 not listed in cbl.abuseat.org
    2001:12f0:601:a902:0:0:0:150 not listed in dnsbl.sorbs.net
    2001:12f0:601:a902:0:0:0:150 not listed in accredit.habeas.com
    2001:12f0:601:a902:0:0:0:150 not listed in plus.bondedsender.org
    2001:12f0:601:a902:0:0:0:150 not listed in iadb.isipp.com
    Finding links in message body
    Parsing text part
    no links found
    Reports regarding this spam have already been sent:
    Re: 2001:12f0:601:a902:0:0:0:150 (Administrator of network where email originates)
       Reportid: 6876124444 To: nomaster@devnull.spamcop.net
    If reported today, reports would be sent to:

    Re: 2001:12f0:601:a902:0:0:0:150 (Administrator of network where email originates)

    nomaster@devnull.spamcop.net

     
     
     
    2nd report using 3rd Rcvd line in header:
     
     
    Parsing header:
    0: Received: from smtp.dcc.ufmg.br (turquesa.dcc.ufmg.br. [150.164.0.133]) by mx.google.com with ESMTP id a44si116985qvh.91.2018.11.11.09.04.47; Sun, 11 Nov 2018 09:04:49 -0800 (PST)

    Hostname verified: xisto.dcc.ufmg.br
    Gmail/Postini received mail from sending system 150.164.0.133
     

    1: Received: from webmail.dcc.ufmg.br (xisto.dcc.ufmg.br [150.164.0.133]) by smtp.dcc.ufmg.br (Postfix) with ESMTPS id E90409F094; Sun, 11 Nov 2018 15:04:46 -0200 (-02)

    Hostname verified: xisto.dcc.ufmg.br

    Possible forgery. Supposed receiving system not associated with any of your mailhosts

    Will not trust this Received line.

     

    Cached whois for 150.164.0.133 : search-apnic-not-arin@apnic.net
    I refuse to bother search-apnic-not-arin@apnic.net.

    Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.

    Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net


  5. 2 hours ago, Lking said:

    Yes I remember seeing spam similar to this.  Thank you for including a Tracking URL.

    I assume you did not follow the unsubscribe link, which confirmed for the spammer that a real person reads email sent to your email address.

    Nope. The unsubscribe link is a bunch of shady email addresses that I wouldn’t think twice of sending emails to! I received several more in my spam folder today. I have yet to do anything with them. Should I do something with them?


  6. Short of writing Google a letter to get them to stop these emails being sent from IP address 209.85.220.69, what can I do to get them to take appropriate action against this and blacklist it so it can't be used for spam anymore? I have reported 13 emails to Google's abuse address about this in the last 2 days and 39 in total (I get 3-4 a day). They came from several different email addresses, usually the 1st one:

    Unsubscribe-me132 <unsubscribe-me132@mitindrhm.cf>, "Please Confirm <strapgr_213@hapt01cn.ml>" or variants/variations of it, such as this one: ("Please Confirm <strapgr_142@michellelafosse.ml>" or this one: "congratulations <strapgr_241@moriyama.ml>"), "Unsubscribe-me132 <unsubscribe-me132@denamarke.tk>" 

    Attempting to access any of the Group URLs (such as the one below and its variants/variations) in the emails results in the URL redirecting to this 2nd link, as well as displaying this when clicking on the 2nd link:

    https://groups.google.com/a/mitindrhm.cf/group/unsubscribe-me132

    Google Groups
    Authorization Failed
    This group is on a private domain.
    Please sign in with an authorized account to view this content.

    ----------------------------------------------------------------------------------------------------------------

    Here's the tracking URL for one of the emails:

    https://www.spamcop.net/sc?id=z6497296422zc7cd4be6fe49cdb5a13994e922e19258z


  7. 18 hours ago, petzl said:

    That's better. "X-Originating-IP: [197.234.221.192]" is the botnet source; all their IPs are listed as a botnet. Yes, they are sent through a compromised OCN computer "153.149.227.167", but not reported.

    Other hosts in this "neighborhood" with spam reports
    197.234.221.1 197.234.221.4 197.234.221.5 197.234.221.12 197.234.221.13 197.234.221.42 197.234.221.43 197.234.221.46 197.234.221.47 197.234.221.54 197.234.221.66 197.234.221.68 197.234.221.69 197.234.221.70 197.234.221.80 197.234.221.91 197.234.221.105 197.234.221.108 197.234.221.120 197.234.221.161 197.234.221.170 197.234.221.172 197.234.221.183 197.234.221.188 197.234.221.192 197.234.221.193 197.234.221.205 197.234.221.224 197.234.221.232 197.234.221.236 197.234.221.238 197.234.221.243 197.234.221.245

    Are emails with this string of IP addresses originating from Benin, with OCN just being used to send the emails?


  8. 7 hours ago, petzl said:

    That's better. "X-Originating-IP: [197.234.221.192]" is the botnet source; all their IPs are listed as a botnet. Yes, they are sent through a compromised OCN computer "153.149.227.167", but not reported.

    Other hosts in this "neighborhood" with spam reports
    197.234.221.1 197.234.221.4 197.234.221.5 197.234.221.12 197.234.221.13 197.234.221.42 197.234.221.43 197.234.221.46 197.234.221.47 197.234.221.54 197.234.221.66 197.234.221.68 197.234.221.69 197.234.221.70 197.234.221.80 197.234.221.91 197.234.221.105 197.234.221.108 197.234.221.120 197.234.221.161 197.234.221.170 197.234.221.172 197.234.221.183 197.234.221.188 197.234.221.192 197.234.221.193 197.234.221.205 197.234.221.224 197.234.221.232 197.234.221.236 197.234.221.238 197.234.221.243 197.234.221.245

    Why is it only blacklisted at abuseat and nowhere else? Is there a reason for that?


  9. Of course it's an ocn.ne/ad.jp email. I don't bother reporting to them anymore because I find it pointless.
    I also reported it to netabuse (at) mtn.bj, but as you all know, they're notorious for not dealing with spam very well.
    I tried reporting to UBA's security email address, which I found via a Google search, and this is the result Gmail's mailer-daemon sent back:

    Message not delivered

    Your message couldn't be delivered to security@ubagroup.com because the remote server is misconfigured. See technical details below for more information.
    The response from the remote server was:

    550 5.4.1 [security@ubagroup.com]: Recipient address rejected: Access denied [AM5EUR03FT052.eop-EUR03.prod.protection.outlook.com]

    Final-Recipient: rfc822; security@ubagroup.com
    Action: failed
    Status: 5.4.1
    Remote-MTA: dns; ubagroup-com.mail.protection.outlook.com. (213.199.154.106,
     the server for the domain ubagroup.com.)
    Diagnostic-Code: smtp; 550 5.4.1 [security@ubagroup.com]: Recipient address rejected: Access denied [AM5EUR03FT052.eop-EUR03.prod.protection.outlook.com]
    Last-Attempt-Date: Tue, 22 May 2018 21:54:17 -0700 (PDT)

    Original email:

    Delivered-To: x
    Received: by 10.55.27.222 with SMTP id m20-v6csp390695lfi;
            Tue, 22 May 2018 04:17:36 -0700 (PDT)
    X-Google-Smtp-Source: AB8JxZpYbvb6tOhQ+iZm9i/WTdteOSq3c4khjtYYTyC0U88eDbOBeooA888yF+t/0UxRT/np7P7W
    X-Received: by 2002:a63:7c0b:: with SMTP id x11-v6mr18459486pgc.384.1526987856201;
            Tue, 22 May 2018 04:17:36 -0700 (PDT)
    ARC-Authentication-Results: i=1; mx.google.com;
           spf=pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) smtp.mailfrom=www.@miracle.ocn.ne.jp
    Return-Path: <www.@miracle.ocn.ne.jp>
    Received: from mbkd0214.ocn.ad.jp (mbkd0214.ocn.ad.jp. [153.149.233.15])
            by mx.google.com with ESMTP id z18-v6si16038914pfd.357.2018.05.22.04.17.23;
            Tue, 22 May 2018 04:17:36 -0700 (PDT)
    Received-SPF: pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) client-ip=153.149.233.15;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) smtp.mailfrom=www.@miracle.ocn.ne.jp
    Received: from mf-smf-ucb035c3 (mf-smf-ucb035c3.ocn.ad.jp [153.153.66.232]) by mbkd0214.ocn.ad.jp (Postfix) with ESMTP id 0E1A418D8F6; Tue, 22 May 2018 20:17:23 +0900 (JST)
    Received: from ntt.pod01.mv-mta-ucb022 ([153.149.142.85]) by mf-smf-ucb035c3 with ESMTP id L5IAfKI3F3vLcL5IAf4CBa; Tue, 22 May 2018 20:17:23 +0900
    Received: from vcwebmail.ocn.ad.jp ([153.149.227.167]) by ntt.pod01.mv-mta-ucb022 with id pPHN1x00F3dLKTM01PHNBl; Tue, 22 May 2018 11:17:22 +0000
    Received: from mzcstore202.ocn.ad.jp (mz-cb202p.ocn.ad.jp [180.8.111.9]) by vcwebmail.ocn.ad.jp (Postfix) with ESMTP; Tue, 22 May 2018 20:17:22 +0900 (JST)
    Date: Tue, 22 May 2018 20:17:22 +0900 (JST)
    From: "Mr.Emanuela Guidobaldi" <www.@miracle.ocn.ne.jp>
    Reply-To: "Mr.Emanuela Guidobaldi" <ubabnk0012@live.fr>
    Message-ID: <114857748.28834412.1526987842427.JavaMail.root@miracle.ocn.ne.jp>
    Subject: Attention:My dear
    MIME-Version: 1.0
    Content-Type: text/plain; charset=ISO-2022-JP
    Content-Transfer-Encoding: 7bit
    X-Originating-IP: [197.234.221.192]
    
    Attention:My dear
    I waited for your message as you told me with none received. Remember,
    i supposed to have traveled last night but the weather is too bad. I
    will be leaving to Paraguay tomorrow.
    Meanwhile, contact the Bank manager with below address, i have kept
    the
    cheque with them at amount of USD4.5Million. They will either mail it to you
    or remit it for transfer depending on how you want it;
    Mr.Emanuela Guidobaldi
    united bank for Africa -(UBA) 
    E-EMAIL US:ubabnk0012@live.fr

     

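    The two parses above (the ufmg.br trace that stopped at "Supposed receiving system not associated with any of your mailhosts" and the OCN header just quoted) both turn on the same rule: a Received: line is only believed if one of your own mailhosts wrote it. As an added example, not from the post or from SpamCop, here is that walk in Python over the Received: lines of the OCN header, assuming `mx.google.com` is the reporter's only registered mailhost; it yields the hand-off IP SpamCop would report and separates it from the unverifiable deeper lines, including X-Originating-IP.

```python
import re

# Received-related lines of the header quoted in the post above, copied verbatim.
RAW_HEADER = """\
Received: from mbkd0214.ocn.ad.jp (mbkd0214.ocn.ad.jp. [153.149.233.15])
        by mx.google.com with ESMTP id z18-v6si16038914pfd.357.2018.05.22.04.17.23;
        Tue, 22 May 2018 04:17:36 -0700 (PDT)
Received: from mf-smf-ucb035c3 (mf-smf-ucb035c3.ocn.ad.jp [153.153.66.232]) by mbkd0214.ocn.ad.jp (Postfix) with ESMTP id 0E1A418D8F6; Tue, 22 May 2018 20:17:23 +0900 (JST)
Received: from ntt.pod01.mv-mta-ucb022 ([153.149.142.85]) by mf-smf-ucb035c3 with ESMTP id L5IAfKI3F3vLcL5IAf4CBa; Tue, 22 May 2018 20:17:23 +0900
Received: from vcwebmail.ocn.ad.jp ([153.149.227.167]) by ntt.pod01.mv-mta-ucb022 with id pPHN1x00F3dLKTM01PHNBl; Tue, 22 May 2018 11:17:22 +0000
Received: from mzcstore202.ocn.ad.jp (mz-cb202p.ocn.ad.jp [180.8.111.9]) by vcwebmail.ocn.ad.jp (Postfix) with ESMTP; Tue, 22 May 2018 20:17:22 +0900 (JST)
X-Originating-IP: [197.234.221.192]
"""
MY_MAILHOSTS = {"mx.google.com"}  # assumption: the reporter's only registered mailhost
HOP_RE = re.compile(r"^Received:\s*from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[([0-9a-f.:]+)\]", re.I)

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Hops newest-first as (claimed sender, sender IP, receiving host)."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if m:
            ip = IP_RE.search(m.group(2) or "")
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(3).rstrip(".")))
    return hops

def find_source(raw, my_mailhosts):
    """Trust a Received line only if one of YOUR mailhosts wrote it: the first outside
    peer it logged is the reportable source; deeper lines could be forged by any relay."""
    hops = parse_received(raw)
    for i, (claimed, ip, by) in enumerate(hops):
        if by.lower() not in my_mailhosts:
            return None, hops[i:]  # chain never reaches a trusted host
        if claimed.lower() in my_mailhosts:
            continue  # internal hand-off between your own servers
        return ip, hops[i + 1:]
    return None, []

def originating_ip(raw):
    """X-Originating-IP lies in the untrusted region: a lead for the host's operator, not proof."""
    hits = [IP_RE.search(l) for l in unfold(raw) if l.lower().startswith("x-originating-ip:")]
    return hits[0].group(1) if hits and hits[0] else None
```

    Run against the header, `find_source` returns 153.149.233.15 (the OCN relay that handed the message to Google) with the four deeper OCN hops as untrusted, which is why the OCN address, not the Benin one, is what a report goes to.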

  10. On 10/1/2016 at 10:41 AM, Lking said:

    This is a situation where despair is all too easy to overcome you. I submit all my spam to SpamCop, KnujOn and acma.gov.au. This supports the work of KnujOn to change the effectiveness of ICANN (the long game) and helps build the SpamCop block list to protect email users now (the short game).

    'Hang in there' is all I can suggest.


    Unfortunately, you can no longer use KnujOn to submit spam:

    Dear KnujOn members, friends and visitors, 

    This project will cease accepting samples from the public on 22 May 2018. The knujon.net will stop accepting email samples and the server will be shut down. The servers at coldrain.net will stop forwarding email. knujon.org will cease accepting new memberships and donations as of 8 March 2018. knujon.com will remain active to maintain historical information about the project but no sample data will be accepted. All currently held samples and all samples accepted up until 22 May 2018 will be processed. 

    This research was started by Dr. Robert Bruen and Garth Bruen in 2003. After 15 years we have reached clear fundamental conclusions concerning the management of the Internet, findings which are neither pleasing nor surprising. We have taken this work as far as we can at this stage. A final comprehensive report of KnujOn findings will be published and maintained at knujon.com. 

    We thank everyone for their dedication and participation in this project and hope you will join us when we start our next project which will be based on KnujOn findings. The details of this further research will be announced on knujon.com.
