Steve

Posts posted by Steve


  1. https://www.spamcop.net/sc?id=z6563416674z69d183e3fd56b1d4637b0d9020b3cee0z
    

    Why are sendgrid reports devnulled? SC gives no reason for it when parsing spam email. If I report it manually to SG, I get an auto-reply.

    Auto reply:

    Quote

    Subject: Thanks for reporting unsolicited email

     

    Hello!

    Thank you for the report of unwanted mail. Your complaint has now generated a ticket that will be reviewed by an actual human in the next 48 hours. If the complaint is a phishing message, it will be reviewed much sooner (usually within the hour during operational hours).

    SendGrid takes these reports of unwanted mail very seriously, and we will work to identify the offending sender and investigate their email practices. Please know that you will likely only hear back from us if we require more information on this case.

    If you would like to provide us any more detail, all you have to do is reply to this email, and additional information will be added to your ticket.

    Please note that due to security concerns we will not open attachments under any circumstance. You must provide any necessary information in plaintext in the body of your report.

    Have a great day,
    The SendGrid Compliance Team

    Steve

    Quote
    Tracking message source: 167.89.100.227:
    
    Routing details for 167.89.100.227
    [refresh/show] Cached whois for 167.89.100.227 : abuse{AT}sendgrid.com
    Using best contacts abuse#sendgrid.com@devnull.spamcop.net

     


  2. What address are you sending Amazon abuse reports to? abuse@amazonaws.com/ec2-abuse@amazon.com? If you do it through SC, they devnull the report as that address (abuse@amazonaws.com) is disabled for reports, but manually reporting it to abuse@amazonaws.com/ec2-abuse@amazon.com generates a confirmation email.

     

    Steve


  3. Has anyone gotten AmazonAWS spam originating from AAMC.org (American Association of Medical Colleges) with the IP address 143.220.15.131?
    

    I've gotten several and when reporting this IP addy through SC, it parses the email and comes back with an abuse address of shammond@aamc.org. But if I perform a whois on the IP address, I get dnsadministrator@aamc.org. shammond@aamc.org does not appear anywhere in a whois query nor did I find it on the AAMC website. 

     

    Here's tracking URL for one of those emails:

    https://www.spamcop.net/sc?id=z6530651814zff918c1118d7372ee13d0545ccf2e9d3z

     

    Reporting it through SC to shammond@aamc.org or manually to dnsadministrator@aamc.org yields no response back that they've received it and/or have taken action against this IP address to stop/mitigate spam being sent from it.

     

    Quote
    Tracking message source: 143.220.15.131:

    Routing details for 143.220.15.131
    [refresh/show] Cached whois for 143.220.15.131 : shammond@aamc.org
    Using last resort contacts shammond@aamc.org
    Message is 12 hours old
    143.220.15.131 not listed in cbl.abuseat.org
    143.220.15.131 not listed in dnsbl.sorbs.net
    143.220.15.131 not listed in accredit.habeas.com
    143.220.15.131 not listed in plus.bondedsender.org
    143.220.15.131 not listed in iadb.isipp.com

    clicking on Routing details for 143.220.15.131
    [refresh/show] reveals this info:

    Tracking details

    Display data:
    "whois 143.220.15.131@whois.arin.net" (Getting contact from whois.arin.net )
    Found AbuseEmail in whois dnsadministrator@aamc.org
    143.220.0.0 - 143.220.255.255:dnsadministrator@aamc.org
    Routing details for 143.220.15.131
    Using abuse net on dnsadministrator@aamc.org
    No abuse net record for aamc.org
    Using default postmaster contacts postmaster@aamc.org

     

    If that's the case, why doesn't SC send reports to the postmaster address then?


  4. On 3/2/2019 at 2:11 PM, Lking said:

    I admit I do not know which of several reasons that amazonAWS reports are being devnulled. But in general there are several possible reasons a spam report is not sent but directed to devnull.spamcop.net:

    1. The intended recipient has asked SC not to send spam reports. (SC does not want to become a "spammer" sending unwanted email)
    2. Spam reports sent to the abuse address have bounced. (a report and bounce would just clutter the bandwidth)
    3. There is evidence that the recipient is in fact the spammer, not a responsible ISP. (would serve no purpose)
    4. SC did not find a valid abuse address for the IP. (Record keeping only)

    The Tracking URL report section does provide an explanation

    "<<<<<<<<<<<<<<<<<" added

    I just manually report those emails to abuse(at)amazonaws.com and ec2-abuse(at)amazon.com. I do get replies back once they've received the spam report and when they've taken action or mitigated the activity of their subscriber/customer.


  5. Ran an APNIC whois and came up with these abuse contacts:

    Kagoya Japan, Inc/KAGOYA Network Administrator Group
    
    nss.ipadmin@kagoya.net & support.domain@kagoya.net

     

    Cached whois for 133.18.202.245 : search-apnic-not-arin@apnic.net
    I refuse to bother search-apnic-not-arin@apnic.net.

    Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.

    Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

     

    Tracking URL:

    https://www.spamcop.net/sc?id=z6530520464z62ab467a37e6b02a56ca327c58498ed7z


  6. 2 hours ago, RobiBue said:

    yeah, that's why I'm saying, I believe that injected Received line acts somewhat as a signature placed there by the designer of the malware...

    that IP might, at one time, have been assigned there... I don't know if there is a historical IP database available ;)

    but I understand now what you meant. thanks.

    Reporting the IP address results in this address coming up: abuse@wowrack.com

    I have tried reporting this IP address several times last year and a few times an employee said they will "Null-route" the IP address. But it still shows up in spam.


  7. https://www.spamcop.net/sc?id=z6519982075zb6dffaaf6c4dde062e506799464432dez

     

    Tracking message source: 188.40.69.215:

    Routing details for 188.40.69.215
    [refresh/show] Cached whois for 188.40.69.215 : pioklo@serveradmin.pl
    Using last resort contacts pioklo@serveradmin.pl

     

    Why, when SC parses the IP address, does it come up with a result for a Polish IP (pioklo@serveradmin.pl) as a last resort address, but when I query it through whois.ripe.net it comes up registered to:

     

    Responsible organisation: Hetzner Online GmbH
    Abuse contact info: abuse@hetzner.de

    role: Hetzner Online GmbH - Contact Role
    address: Hetzner Online GmbH
    address: Industriestrasse 25
    address: D-91710 Gunzenhausen
    address: Germany
    phone: +49 9831 505-0
    fax-no: +49 9831 505-3
    e-mail: ripe@hetzner.de
    abuse-mailbox: abuse@hetzner.de
    remarks: *************************************************
    remarks: * For spam/abuse/security issues please contact *
    remarks: * abuse@hetzner.de, not this address. *
    remarks: * The contents of your abuse email will be *
    remarks: * forwarded directly on to our client for *
    remarks: * handling. *
    remarks: *************************************************
    remarks:
    remarks: *************************************************
    remarks: * Any questions on Peering please send to *
    remarks: * peering@hetzner.de *
    remarks: *************************************************
    org: ORG-HOA1-RIPE
    admin-c: MH375-RIPE
    tech-c: GM834-RIPE
    tech-c: SK2374-RIPE

  8. https://www.spamcop.net/sc?id=z6519956282z3287af6539a13394828b32aaa4e4b1a7z

     

    Tracking message source: 103.1.12.91:

    Routing details for 103.1.12.91
    [refresh/show] Cached whois for 103.1.12.91 : iptech@readyspace.com.sg
    info@readyspace.com.hk bounces (31 sent : 16 bounces)
    Using best contacts

    No reporting addresses found for 103.1.12.91, using devnull for tracking.

    Message is X hours old
    103.1.12.91 not listed in cbl.abuseat.org
    103.1.12.91 not listed in dnsbl.sorbs.net
    103.1.12.91 not listed in accredit.habeas.com
    103.1.12.91 not listed in plus.bondedsender.org
    103.1.12.91 not listed in iadb.isipp.com

     

    I have tried refreshing the page with no change in result. I went ahead and manually reported the spam to the ISP. 


  9. Parsing header:
    host 2001:12f0:601:a902:0:0:0:150 = turquesa.dcc.ufmg.br (cached)
    turquesa.dcc.ufmg.br is 2001:12f0:601:a902:0:0:0:150
    0: Received: from smtp.dcc.ufmg.br (turquesa.dcc.ufmg.br. [2001:12f0:601:a902::150]) by mx.google.com with ESMTP id a44si116985qvh.91.2018.11.11.09.04.47; Sun, 11 Nov 2018 09:04:49 -0800 (PST)
    Hostname verified: turquesa.dcc.ufmg.br
    Gmail/Postini received mail from sending system 2001:12f0:601:a902:0:0:0:150
     
    1: Received: from webmail.dcc.ufmg.br (xisto.dcc.ufmg.br [2001:12f0:601:a902::150]) by smtp.dcc.ufmg.br (Postfix) with ESMTPS id E90409F094; Sun, 11 Nov 2018 15:04:46 -0200 (-02)
    Hostname verified: xisto.dcc.ufmg.br
    Possible forgery. Supposed receiving system not associated with any of your mailhosts
    Will not trust this Received line.
    Tracking message source: 2001:12f0:601:a902:0:0:0:150:
    Display data:
    "whois 2001:12f0:601:a902:0:0:0:150@whois.lacnic.net" (Getting contact from whois.lacnic.net)
    Backup contact owner-c = rco217
    Using NS name gerencia.rede.ufmg.br to find domain and contact
       Display data:
       "whois rede.ufmg.br@whois.nic.br" (Getting contact from whois.nic.br)
       Backup contact owner-c = ura
       ura = r-admin@rede.ufmg.br
       urt = r-tecnic@rede.ufmg.br
       whois.nic.br rede.ufmg.br = r-admin@rede.ufmg.br, r-tecnic@rede.ufmg.br, mail-abuse@cert.br
    sic128 = cais@cais.rnp.br
    whois.lacnic.net found abuse contacts for 2001:12f0:601:a902:0:0:0:150 = cais@cais.rnp.br
    Cannot find ip range in whois output
    No reporting addresses found for 2001:12f0:601:a902:0:0:0:150, using devnull for tracking.
    Yum, this spam is fresh!
    Message is 2 hours old
    2001:12f0:601:a902:0:0:0:150 not listed in cbl.abuseat.org
    2001:12f0:601:a902:0:0:0:150 not listed in dnsbl.sorbs.net
    2001:12f0:601:a902:0:0:0:150 not listed in accredit.habeas.com
    2001:12f0:601:a902:0:0:0:150 not listed in plus.bondedsender.org
    2001:12f0:601:a902:0:0:0:150 not listed in iadb.isipp.com
    Finding links in message body
    Parsing text part
    no links found
    Reports regarding this spam have already been sent:
    Re: 2001:12f0:601:a902:0:0:0:150 (Administrator of network where email originates)
       Reportid: 6876124444 To: nomaster@devnull.spamcop.net
    If reported today, reports would be sent to:

    Re: 2001:12f0:601:a902:0:0:0:150 (Administrator of network where email originates)

    nomaster@devnull.spamcop.net

    2nd report using 3rd Rcvd line in header:

    Parsing header:
    0: Received: from smtp.dcc.ufmg.br (turquesa.dcc.ufmg.br. [150.164.0.133]) by mx.google.com with ESMTP id a44si116985qvh.91.2018.11.11.09.04.47; Sun, 11 Nov 2018 09:04:49 -0800 (PST)

    Hostname verified: xisto.dcc.ufmg.br
    Gmail/Postini received mail from sending system 150.164.0.133
     

    1: Received: from webmail.dcc.ufmg.br (xisto.dcc.ufmg.br [150.164.0.133]) by smtp.dcc.ufmg.br (Postfix) with ESMTPS id E90409F094; Sun, 11 Nov 2018 15:04:46 -0200 (-02)

    Hostname verified: xisto.dcc.ufmg.br

    Possible forgery. Supposed receiving system not associated with any of your mailhosts

    Will not trust this Received line.

     

    Cached whois for 150.164.0.133 : search-apnic-not-arin@apnic.net
    I refuse to bother search-apnic-not-arin@apnic.net.

    Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.

    Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net
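
The trace in this post shows the parser trusting only the Received line handled by mx.google.com and refusing the next one because smtp.dcc.ufmg.br is not a registered mailhost. As an added illustration (not SpamCop's code), here is a small Python walk over Received lines that applies the same rule: stop at the first line whose "by" host is not one of the reader's mailhosts and report the IP seen by the last trusted hop; the mailhost sets, the regex and the third constructed header line are assumptions.

```python
import re
from typing import Dict, Iterable, Optional, Set

# Matches the "from HELO (rdns [ip]) by HOST" shape of the Received lines above.
# The pattern is an assumption; real Received lines vary more than this.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+?)\.?\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def trace_source(received: Iterable[str], mailhosts: Set[str]) -> Dict[str, object]:
    """Walk Received lines newest-first. A line is trusted only if its 'by' host
    is one of the recipient's registered mailhosts; the source is the IP reported
    by the last trusted line, and the walk stops at the first untrusted one."""
    source: Optional[str] = None
    trusted = 0
    for idx, line in enumerate(received):
        m = RECEIVED_RE.search(line)
        if not m:
            return {"source_ip": source, "trusted": trusted,
                    "stop": f"line {idx}: unparsable Received line"}
        by = m.group("by").lower().rstrip(".")
        if by not in mailhosts:
            # Same situation as "Possible forgery ... Will not trust this Received line."
            return {"source_ip": source, "trusted": trusted,
                    "stop": f"line {idx}: {by} is not one of your mailhosts"}
        source = m.group("ip")
        trusted += 1
    return {"source_ip": source, "trusted": trusted, "stop": "end of header"}

# The two Received lines from the tracking output above (ESMTP ids shortened).
PAGE_HEADERS = [
    "Received: from smtp.dcc.ufmg.br (turquesa.dcc.ufmg.br. [2001:12f0:601:a902::150])"
    " by mx.google.com with ESMTP id a44si116985qvh; Sun, 11 Nov 2018 09:04:49 -0800 (PST)",
    "Received: from webmail.dcc.ufmg.br (xisto.dcc.ufmg.br [2001:12f0:601:a902::150])"
    " by smtp.dcc.ufmg.br (Postfix) with ESMTPS id E90409F094; Sun, 11 Nov 2018 15:04:46 -0200",
]

# Constructed third hop: if the ufmg.br relays were also registered mailhosts,
# the walk would continue past them and report the inner client address.
INNER_HEADERS = PAGE_HEADERS + [
    "Received: from client.example (unknown [192.0.2.10]) by webmail.dcc.ufmg.br with ESMTP",
]

if __name__ == "__main__":
    print(trace_source(PAGE_HEADERS, {"mx.google.com"}))
    print(trace_source(INNER_HEADERS, {"mx.google.com", "smtp.dcc.ufmg.br", "webmail.dcc.ufmg.br"}))
```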


  10. 2 hours ago, Lking said:

    Yes I remember seeing spam similar to this.  Thank you for including a Tracking URL.

    I assume you did not follow the unsubscribe link, which confirmed for the spammer that a real person reads email sent to your email address.

    Nope. The unsubscribe link is a bunch of shady email addresses that I wouldn’t think twice of sending emails to! I received several more in my spam folder today. I have yet to do anything with them. Should I do something with them?


  11. Short of writing Google a letter to get them to stop these emails being sent from IP address 209.85.220.69, what can I do to get them to take appropriate action against this and blacklist it so it can't be used for spam anymore? I have reported 13 emails to Google's abuse address about this in the last 2 days and 39 in total (I get 3-4 a day). They came from several different email addresses, usually the 1st one:

    Unsubscribe-me132 <unsubscribe-me132@mitindrhm.cf>, "Please Confirm <strapgr_213@hapt01cn.ml>" or variants/variations of it, such as this one: ("Please Confirm <strapgr_142@michellelafosse.ml>" or this one: "congratulations <strapgr_241@moriyama.ml>"), "Unsubscribe-me132 <unsubscribe-me132@denamarke.tk>" 

    Attempting to access any of the Group URLs (such as the one below and its variants/variations) in the emails results in the URL redirecting to this 2nd link, as well as displaying this when clicking on the 2nd link:

    https://groups.google.com/a/mitindrhm.cf/group/unsubscribe-me132

    Google Groups
    Authorization Failed
    This group is on a private domain.
    Please sign in with an authorized account to view this content.

    ----------------------------------------------------------------------------------------------------------------

    Here's tracking URL for one of the emails

     

    https://www.spamcop.net/sc?id=z6497296422zc7cd4be6fe49cdb5a13994e922e19258z
