Posts posted by Steve

  1. The Russian emails I was getting a while ago seem to have stopped. I am now getting emails from IP addresses registered to a Turkish ISP. Several a day (usually in a row). Is anyone else receiving emails like this? The content of the emails is similar in nature, as are the subject lines. I am including several tracking URLs from the most recent spam for reference.
    

    https://www.spamcop.net/sc?id=z6720259818z887f0423809cc71a78701bf6302ad0a1z 

    https://www.spamcop.net/sc?id=z6720260001z67552e38a126f2fa95c67fbfca768cdbz

    https://www.spamcop.net/sc?id=z6720260172zf3d2e28345dca63be7a64e48c816e48fz

    https://www.spamcop.net/sc?id=z6720260251z86e6a32d216388d374cd131e8374fbfez

    https://www.spamcop.net/sc?id=z6720260318zb5b8734381d4bdc93de62693bba87d3cz

    SC identifies the offenders' ISP as Meric Internet Teknolojileri A.s. (Meric Internet Technologies Inc.) with the reporting address abuse AT meric DOT net DOT tr. So far, since receiving emails associated with this ISP via the IP addresses registered to the offenders, I have reported 72 emails from various IP addresses registered to this ISP, the first one having been submitted to SC on 7/17 at 11:48PM. Why hasn't the ISP done anything to curb or stop the spam originating from their network? 🤔😕🤨🤷🏼‍♂️

     

    Steve

  2. This is the result I get from the SC parser upon trying to parse the email to report:
     
     
    Quote

     

    Tracking message source: 195.208.155.243:

    Routing details for 195.208.155.243
    Report routing for 195.208.155.243: ip-box@ripn.net
    I refuse to bother ip-box@ripn.net
    Message is 30 hours old
    195.208.155.243 not listed in cbl.abuseat.org
    195.208.155.243 not listed in dnsbl.sorbs.net
    195.208.155.243 not listed in accredit.habeas.com
    195.208.155.243 not listed in plus.bondedsender.org
    195.208.155.243 not listed in iadb.isipp.com

     

     
    Finding links in message body

    Recurse multipart:
       Parsing text part
       Parsing HTML part
       No html links found, trying text parse
    no links found

     

     
    Finding IP block owner:

    Routing details for 195.208.155.243
    Report routing for 195.208.155.243: ip-box@ripn.net
    I refuse to bother ip-box@ripn.net

     

    Sorry, no reporting addresses found for 195.208.155.243.
    Nothing to do.

     

     
    I went ahead and manually reported the email to the abuse address since SC basically refused to.
     
    Steve
  3. https://www.spamcop.net/sc?id=z6629778003z5e644dc4a48c7fddcdc37d472089d0f5z

    Tried refreshing the page several times and nothing worked to bring up the abuse contact for this IP Address. Upon running a check at whois.nic.ad.jp, I got this result:

     

    Quote
    
    [ JPNIC database provides information regarding IP address and ASN. Its use   ]
    [ is restricted to network administration purposes. For further information,  ]
    [ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
    [ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]
    
    Network Information:            
    a. [Network Number]             210.227.118.80/29
    b. [Network Name]               BIHORO
    g. [Organization]               Bihoro Town
    m. [Administrative Contact]     JP00155955 (densan@town.bihoro.hokkaido.jp)
    n. [Technical Contact]          JP00155955 (densan@town.bihoro.hokkaido.jp)
    p. [Nameserver]
    [Assigned Date]                 2017/11/20
    [Return Date]                   
    [Last Update]                   2017/11/20 14:11:04(JST)
                                    
    Less Specific Info.
    ----------
    NTT COMMUNICATIONS CORPORATION
                         [Allocation]                               210.227.0.0/16
    Open Computer Network
            SUBA-131-13P [Sub Allocation]                         210.227.118.0/24
    
    More Specific Info.
    ----------
    No match!!
    

    Let's see what happens when I manually report it to densan@town.bihoro.hokkaido.jp.

     
    Quote

     

    Parsing header:
    0: Received: from anshin.town.bihoro.hokkaido.jp (anshin.town.bihoro.hokkaido.jp. [210.227.118.83]) by mx.google.com with ESMTP id 5si1319690pga.103.2020.04.21.02.20.23; Tue, 21 Apr 2020 02:20:24 -0700 (PDT)

    Hostname verified: anshin.town.bihoro.hokkaido.jp
    Gmail/Postini received mail from sending system 210.227.118.83
     

    1: Received: from [193.56.28.103] (unknown [193.56.28.103]) by anshin.town.bihoro.hokkaido.jp (Postfix) with ESMTPA id CDA9B20D474F; Tue, 21 Apr 2020 18:18:05 +0900 (JST)

    No unique hostname found for source: 193.56.28.103

    Possible forgery. Supposed receiving system not associated with any of your mailhosts

    Will not trust this Received line.

    Tracking message source: 210.227.118.83:

    "whois 210.227.118.83@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
    Display data:
       Redirect to nic.ad.jp:
       Display data:
       "whois 210.227.118.83/e@whois.nic.ad.jp" (Getting contact from jpnic)
       Display data:
       "whois JP00155955/e@whois.nic.ad.jp" (Getting contact from jpnic)
       nothing found
       nothing found

    No reporting addresses found for 210.227.118.83, using devnull for tracking.

    Message is 17 hours old
    210.227.118.83 not listed in cbl.abuseat.org
    210.227.118.83 listed in dnsbl.sorbs.net ( 1 )
    210.227.118.83 not listed in accredit.habeas.com
    210.227.118.83 not listed in plus.bondedsender.org
    210.227.118.83 not listed in iadb.isipp.com

     

     

  4. On 2/16/2020 at 11:39 AM, DiverDoc said:

    Look - I'm really sorry if this is a nuisance question and I have searched the forum for this topic, but nothing seems to quite match up. The first time I reported a certain spammer, I got the above message and subsequent reports of the same spammer show the identical message after I submit the spam: 

    Report spam To:

    RE: 167.89.80.93 (Administrator etc ...)

    To:abuse#sendgrid.com@devnull.spamcop.net

    Can one of you such bright people please advise me what this means and how I should proceed with future instances of spam from this sender?

     

    Thanks!!

    Just forward the email with full headers to abuse AT sendgrid DOT com (replace AT with @ and DOT with "."). They usually send an auto-reply email back letting you know they've received it and someone will handle the abuse report. Whether they actually take action, we'll never know.

     

    Steve

  5. 3 hours ago, gnarlymarley said:

    Gmail works for my reports, but then I am using fetchmail (over ssl) and a script that encapsulates the spam in an attachment.  Are you using something like thunderbird or another mail client or the "Show Original" option found in the webmail?  When I click the Show Original, my emails seem intact.

    The "Show Original" option and then "Copy to clipboard" and then I paste into the submission field in SC and submit. Those emails are the only ones I have problems with. All other emails go through fine.

  6. 8 minutes ago, petzl said:

    This seems posted from within Gmail to Gmail which means it is intranet spam,
    there is also no body in spam, Seems the headers are incomplete also.
    With full headers and no body, just under headers, hit enter twice and write "No body in spam" for SpamCop to work.
    Just mark it in Gmail as phishing

    Tried that and got the same result as when I originally tried submitting the spam.

  7. I've also been getting amazonaws spam. It seems another IP address is included in the spam. It's 143.220.15.131 and registered to the Association of Medical Colleges (AAMC). I have tried reporting the IP address via SC to AAMC to both the dns AT aamc DOT org (which the SC parser forwards to postmaster AT aamc DOT org) and the postmaster address postmaster AT aamc DOT org on several occasions, with no response/effect. I was almost tempted a few times to write a letter and send it to them asking why their IP address appears in AmazonAWS spam. It's also ALWAYS the same content with the SAME links that aren't valid such as {spam link removed} (which the parser doesn't pick up. It only detects t.co/bit.ly links which even those get redirected and dev/nulled to twitterdoesntcareaboutspamreports@devnull.spamcop.net) or in the case of bit.ly links, sent to abuse AT bitly DOT com. Previous emails were coming from Parsec Cloud, Inc. Citrix is now being used as the bottom of the emails. Here's the original tracking url: https://www.spamcop.net/sc?id=z6585617008z355af39de650b47648e218409deb1a46z

    {Quote of spam Deleted} -- To view the deleted material follow the tracking URL above.
    Here's the parsing results for the AAMC IP address and the tracking URL: https://www.spamcop.net/sc?id=z6585618727zdf96eb88f2edb7ba97b2dad603fed48ez
     
    Tracking message source: 143.220.15.131:

    Routing details for 143.220.15.131
    [refresh/show] Cached whois for 143.220.15.131 : dnsadministrator@aamc.org
    Using abuse net on dnsadministrator@aamc.org
    No abuse net record for aamc.org
    Using default postmaster contacts postmaster@aamc.org

     

    Clicking on the calendly link results in this:

     

    Quote

     

    Event Temple Demo
    No openings at the moment.

    If you are the owner of this account, you can log in to find out more.

     

    with the links being reported to abuse AT cloudflare DOT com. Not that CF can do anything to take down the link.

     

     

    Steve

  8. On 10/25/2019 at 10:07 AM, dr_bobbs said:

    OK, now I am trying to submit spam from gmail that clearly DOES have a line of body text; but I still get this error message: 

    "

    SpamCop v 5.1.0 © 2019 Cisco Systems, Inc. All rights reserved.
    Here is your TRACKING URL - it may be saved for future reference:
    https://www.spamcop.net/sc?id=z6584873459z5344c0b39e5e54d496f00cfa617f17c6z

    No body text provided, check format of submission. spam must have body text.
    If reported today, reports would be sent to:

    Re: 209.85.220.65 (Administrator of network where email originates)

    network-abuse@google.com

    "

    I have tried inserting one or more blank lines, or extra lines of explanatory text. Still get the same error message.

    Submitting by pasting (since forwarding as an attachment looks like 1000x more effort than I wanted to spend to report one spam!)

    Same here. I have had problems with reporting gmail users sending spam to SC and getting the "No body text provided, check format of submission. spam must have body text."

  9. https://www.spamcop.net/sc?id=z6571118445z3f089fb00c95557d5b0557565f4701efz

     

    Why do reporting addresses for either an IP address associated with an email or a link in the email that SC finds an IP to associate with bounce and why does the ISP/host do nothing to fix it? Here's an example of a recent email below:

     

     
    Quote

     

    [report history]
    Host lustergroup.com (checking ip) = 110.4.46.157
    Resolves to 110.4.46.157
    Routing details for 110.4.46.157
    [refresh/show] Cached whois for 110.4.46.157 : noc-abuse@mschosting.com noc@mschosting.com
    Using abuse net on noc-abuse@mschosting.com
    abuse net mschosting.com = tmcops@tm.net.my, postmaster@mschosting.com, postmaster@eastgate.net.my, postmaster@myloca.com, abuse@tm.net.my, hostmaster@mschosting.com, abuse@mschosting.com
    Using best contacts tmcops@tm.net.my postmaster@mschosting.com postmaster@eastgate.net.my postmaster@myloca.com abuse@tm.net.my hostmaster@mschosting.com abuse@mschosting.com
    tmcops@tm.net.my bounces (21 sent : 12 bounces)

    Using tmcops#tm.net.my@devnull.spamcop.net for statistical tracking.

    postmaster@mschosting.com bounces (261 sent : 131 bounces)

    Using postmaster#mschosting.com@devnull.spamcop.net for statistical tracking.

    postmaster@eastgate.net.my bounces (257 sent : 129 bounces)

    Using postmaster#eastgate.net.my@devnull.spamcop.net for statistical tracking.

    postmaster@myloca.com bounces (280 sent : 147 bounces)

    Using postmaster#myloca.com@devnull.spamcop.net for statistical tracking.

    abuse@tm.net.my redirects to abuse@tm.com.my
    hostmaster@mschosting.com bounces (261 sent : 131 bounces)

    Using hostmaster#mschosting.com@devnull.spamcop.net for statistical tracking.

     

     
  10. https://www.spamcop.net/sc?id=z6563416674z69d183e3fd56b1d4637b0d9020b3cee0z
    

    Why are sendgrid reports dev'nulled? SC gives no reason for it when parsing spam email. If I report it manually to SG, I get an auto-reply.

     

    Auto reply:

     

     

    Quote

     

    Subject: Thanks for reporting unsolicited email

     

    Hello!

    Thank you for the report of unwanted mail. Your complaint has now generated a ticket that will be reviewed by an actual human in the next 48 hours. If the complaint is a phishing message, it will be reviewed much sooner (usually within the hour during operational hours).

    SendGrid takes these reports of unwanted mail very seriously, and we will work to identify the offending sender and investigate their email practices. Please know that you will likely only hear back from us if we require more information on this case.

    If you would like to provide us any more detail, all you have to do is reply to this email, and additional information will be added to your ticket.

    Please note that due to security concerns we will not open attachments under any circumstance. You must provide any necessary information in plaintext in the body of your report.

    Have a great day,
    The SendGrid Compliance Team

     

     

     

     

    Steve

    Quote
    Tracking message source: 167.89.100.227:
    
    Routing details for 167.89.100.227
    [refresh/show] Cached whois for 167.89.100.227 : abuse{AT}sendgrid.com
    Using best contacts abuse#sendgrid.com@devnull.spamcop.net

     

  11. What address are you sending Amazon abuse reports to? abuse@amazonaws.com/ec2-abuse@amazon.com? If you do it through SC, they devnull the report as that address (abuse@amazonaws.com) is disabled for reports, but manually reporting it to abuse@amazonaws.com/ec2-abuse@amazon.com generates a confirmation email.

     

    Steve

  12. Ran an APNIC whois and came up with these abuse contacts:

    Kagoya Japan, Inc/KAGOYA Network Administrator Group
    
    nss.ipadmin@kagoya.net & support.domain@kagoya.net

     

    Cached whois for 133.18.202.245 : search-apnic-not-arin@apnic.net
    I refuse to bother search-apnic-not-arin@apnic.net.

    Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.

    Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

     

    Tracking URL:

    https://www.spamcop.net/sc?id=z6530520464z62ab467a37e6b02a56ca327c58498ed7z

  13. On 10/1/2016 at 10:41 AM, Lking said:

    This is a situation where despair is all too easy to overcome you.  I submit all my spam to SpamCop, KnujOn and acma.gov.au.  This supports the work of KnujOn to change the effectiveness of ICANN (the long game) and help build the SpamCop block list to protect email users now (the short game).

    'Hang in there' is all I can suggest.

     

    Unfortunately, you can no longer use KnujOn to submit spam:

     

    Quote

    Dear KnujOn members, friends and visitors, 

    This project will cease accepting samples from the public on 22 May 2018. The knujon.net will stop accepting email samples and the server will be shut down. The servers at coldrain.net will stop forwarding email. knujon.org will cease accepting new memberships and donations as of 8 March 2018. knujon.com will remain active to maintain historical information about the project but no sample data will be accepted. All currently held samples and all samples accepted up until 22 May 2018 will be processed. 

    This research was started by Dr. Robert Bruen and Garth Bruen in 2003. After 15 years we have reached clear fundamental conclusions concerning the management of the Internet, findings which are neither pleasing nor surprising. We have taken this work as far as we can at this stage. A final comprehensive report of KnujOn findings will be published and maintained at knujon.com. 

    We thank everyone for their dedication and participation in this project and hope you will join us when we start our next project which will be based on KnujOn findings. The details of this further research will be announced on knujon.com.

     
