  fritz2cat

    Eonix.net helping spammers?

    Hello, I discovered that my e-mail address is intact in the very first "Received" line from the bottom (I missed it when I munged some information by hand), in the following line: Received: by mail.wefightgiants.com id h7vek40001g6 for <x>; Fri, 21 Aug 2020 10:29:25 -0400 (envelope-from <barbara_howard-me=mydomain.com@wefightgiants.com>) So I will not disclose the link to a public area. Maybe next time. Currently I block them at the perimeter with a CIDR blocklist, so I have no material to report. Thank you for your help.
  fritz2cat

    Eonix.net helping spammers?

    Hi Petzl, As I said above, I am reluctant to post identifiable data when the hosting company may be suspected of being a member of the spam gang. Here is one report: 7079043030 Kind regards
  fritz2cat

    Eonix.net helping spammers?

    As Eonix appears to welcome spammers, I'm a bit reluctant to report the offending spam to Spamcop. Each piece of spam contains too many unique patterns, which render obfuscation useless, and I risk being spammed more and more, or retaliated against. Spamcop and Spamhaus both regularly fail to block all those spams. I end up blocking their CIDRs one by one as they offend. I just want to automate it now...
  4. Thanks. Sorry for not having discovered the already-asked question. And also thanks for the Centralops link - useful when I don't have my 'whois' and 'dig' tools.
  5. Hello, Today I got a piece of spam for illegal medication, which contains a link in Cyrillic. (The website is: hxxp:// бъюч.емнв.рф/ ) Spamcop recognised only the "http://" part. The original source code shows: (tracking code replaced by x) when interpreted as UTF-8 becomes: and Spamcop does not understand anything when parsing:
  fritz2cat

    [Resolved] Do you know these ads^H^H^Hspams ?

    Problem solved. I sent a couple of mails to their colo hosting services. I warned these people that I would start reporting all offending items to Spamcop the next day. So I did, with messages processed in real time. Those reported messages contained plenty of tracking data, so they obviously knew who was complaining. Two days later, all these hosts were quiet. [But the reporting filter is still monitoring, and ready to shoot an extra ball.] Frédéric
  7. Reports related to are directed to oc3[at]devnull.spamcop.net. I can understand this behaviour where the postmaster or abuse addresses bounce the complaints. Here the reason seems to be quite different and a bit historical: http://www.spamcop.net/sc?action=showroute...typecodes=21,16 says that So, is there still a good reason not to send them the reports they merit? Regards, Frederic
  fritz2cat

    [Resolved] Do you know these ads^H^H^Hspams ?

    Hello Wazoo, No, this person does as much as possible to keep this address clean; he always uses other throw-away addresses when possible. I can trust him. But, as Farelf suggests, we may be in the presence of a spam gang operating in the "grey zone", barely legal... Dear turetzsr, the question was more in the subject of the thread: Do you know these ads^H^H^Hspams? Have a nice weekend! Frédéric
  9. Hello, I have several hosts that connect several times a day, all targeting one single user hosted on my server. They have in common:
    - they are using dedicated hosts
    - they set up their host name correctly, and its reverse, their MX and even their SPF
    - their hostname is named ssl.*
    - they send from an address within their domain. I didn't check whether the user part of the address is valid.
    - they send through real MTAs, which defeat greylisting
    - the message itself is either in plaintext, HTML, or both (multipart/alternative)
    - all the links contain tracking data
    - usually, they have an unsubscribe link which is highly suspect.
    Here is the list of hosts seen in the last 7 days: Some have been operating for months. (hosted by iWeb) has been blocked here for 4 months... Here are the e-mail addresses they have used (in the RFC 2821 envelope), also during the last 7 days. Most of these messages bear a postal address, e.g.
    Entertainment Publications, Inc., 1414 East Maple Road, Troy, MI 48083 1-866-826-1619
    Pedi Paws is located at P.O Box 600991 San Diego, CA 92160
    6965 El Camino Real Suite 105 - 698 La Costa, CA 92009
    Consumer Service 9-334 Queen Street South, Suite 200, Bolton, Ontario, Canada L7E-2N9
    Technical Support 30 East 23 rd. St. New York, NY 10010
    Pure Play, 660 4TH Street, Ste 294, San Francisco, CA 94107
    Sorry for this long post. But I would be glad to have your advice. Frédéric
  fritz2cat

    Reporting automatically ? (honeypot)

    Hello, I do (quick, automatic) submissions. When a mail comes in, addressed to one of the spamtraps, either I check the blacklist zen.spamhaus.org before letting the mail in, or I could whitelist the trap addresses. In the first case, the number of submissions is very low (~10 a day); these hosts are probably not yet listed in Spamhaus. In the second case, this number would probably exceed 1500 msgs a day, thus helping to keep statistics and keep the offending IPs blacklisted. I have the choice. Any recommendation is welcome. Best Regards, Frédéric Brussels
  fritz2cat

    Reporting automatically ? (honeypot)

    OK, thank you very much. Frédéric
  fritz2cat

    Reporting automatically ? (honeypot)

    Thank you for all the replies. I could feed around 1000 to 2500 mails a day; however, I am filtering the incoming connections against zen.spamhaus, which blocks the vast majority of unwanted messages. It lowers the figures to less than 20 a day. The reporting works just fine (forward as attachment to quick...[at]...spamcop...). I am starting slowly with just a couple of traps. Now I have 2 questions:
    - do you recommend sending the reports to the whois/abuse contacts, or remaining silent? Did you experience countermeasures from angry spam gangs who could track you?
    - what about the unwanted bounce messages you happen to catch (and report?) when spammers (ab)use your trap address as sender in their spam messages? Doing so, you would report sysadmins who are themselves victims of spam. These sysadmins should rather issue 5xx for their nonexistent users during the SMTP transaction, but the world is not perfect... OTOH what can be done against that abuse?
    Regards, Frédéric Brussels
  13. Hello, I run my own mail server, acting as an MX for a couple of domains. This server runs Postfix, and is configured to refuse connections from hosts listed in zen.spamhaus.org, and to refuse e-mail from addresses that have published an SPF record that leads to a HardFail status. Some addresses are heavily spammed, including addresses that have been harvested with mistakes (such as user[at]domain.com becoming 3duser[at]domain.com or smtpuser[at]domain.com). No human would ever prefix my surname with 3d. The aim would be to use 3duser[at]domain.com as a honeypot. Forwarding 3duser[at]domain.com to reports.xxxxx[at]spamcop as an attachment is quite simple and documented in the FAQ. (piece of perl code) Moreover these reports are highly valuable, as only the connections from IP addresses that are not (yet) blacklisted by zen.spamhaus are processed. This is far less than 1% of all e-mail connections trying to enter. The expected volume is less than 10 submissions a day. I would like to know whether these automatic submissions could be processed and validated without having to go to the website. Frédéric Brussels
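The two honeypot posts above raise one practical problem together: forwarding trap mail as an attachment (post 13) and the risk of reporting backscatter bounces from innocent MTAs (the second question in post 12). Here is an added Python example, not the poster's Perl code, that rejects bounces before wrapping a trap message as a message/rfc822 attachment for the reporting address; the reporting address, the example.com trap domain and both sample messages are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

REPORT_ADDR = "quick.PLACEHOLDER@spamcop.example"  # placeholder, not the real address
TRAP_ADDR = "3duser@example.com"  # honeypot from the thread, on an example domain
# Constructed sample: spam delivered to the trap from a dedicated "ssl.*" host.
SPAM = b"""Return-Path: <bulk@sender.example>
Received: from ssl.sender.example (ssl.sender.example [192.0.2.10]) by mx.example.com
From: Promo <bulk@sender.example>
To: 3duser@example.com
Subject: special offer
Content-Type: text/plain

buy now http://ssl.sender.example/?t=TRACKING
"""

# Constructed sample: backscatter (a DSN) from an MTA whose users got spam with the trap forged as sender.
BOUNCE = b"""Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@victim.example>
To: 3duser@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The mail system at victim.example could not deliver your message.
--b1--
"""

def is_bounce(msg: EmailMessage) -> bool:
    """Bounce markers: empty envelope sender, delivery-status report, or MAILER-DAEMON sender."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        return True
    return "mailer-daemon" in str(msg.get("From", "")).lower()

def build_submission(raw: bytes):
    """Wrap a trap message as message/rfc822 for the reporting address; None for bounces."""
    original = message_from_bytes(raw, policy=policy.default)
    if is_bounce(original):
        return None  # reporting backscatter would blame a victim MTA, not the spammer
    report = EmailMessage()
    report["From"], report["To"] = TRAP_ADDR, REPORT_ADDR
    report["Subject"] = "spamtrap submission"
    report.set_content("Caught by spamtrap; original message attached unmodified.")
    report.add_attachment(original)  # content manager emits a message/rfc822 part
    return report
```

The returned EmailMessage can be handed to smtplib or written out with as_bytes(); the original headers, including the Received chain the parser needs, stay untouched inside the attachment.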
  14. True... so I guess that the ISP says "resolved" although the spamming is still continuing (2 hours and 13 sec later). Thanks for the reply Fred
  15. Hello, Here is a recent reporting session... So... A spam is deposited in my mailbox, and 13 seconds later (with or without 2 hours of lag time), the ISP claims to have resolved the issue... Either it is not resolved, or their bots are now clever enough to talk with spamcop? Greetings from Belgium Fred