goldeneye

  1. I moved your post "have we figured out who this spam gang is?" to the lounge. Reporting Help should be for requests for help. Your post doesn't really fall into that category IMHO.

    Hope this does not cause you any problem.

  2. I think some of us have been getting spam from these bastards over the last few years - they used to use tiscali to host but then tiscali kicked them out earlier this year and have moved out to colocrossing (and some of these are now using the google link shortener as a new tactic)... Their MO seems to be "hijacking" IP addresses to attack port 25 to send this sh** and even a few of the IP addresses link to no one at all... I have noticed that they usually strike on Tuesdays and Fridays (or Mondays and Thursdays) typically...

    Here are some of the spam reports...

    https://www.spamcop.net/mcgi?action=gettrack&reportid=6512069801
    https://www.spamcop.net/mcgi?action=gettrack&reportid=6512069793
    https://www.spamcop.net/mcgi?action=gettrack&reportid=6512068051
    https://www.spamcop.net/mcgi?action=gettrack&reportid=6512067953

    Wonder who this spam gang is for that matter?
  3. This week alone, I've been getting hit with at least two dozen spamvertized links from an apparent botnet in the 87.239.156.0/24 range (located in Bulgaria)...

    So far, the spamvertized IP's are: 87.239.156.99 87.239.156.100 87.239.156.101 87.239.156.102 87.239.156.114 87.239.156.118 87.239.156.121 87.239.156.123 87.239.156.126

    Are we dealing with a potential botnet here?
  4. goldeneye

    Those Romanian bastards again!

    Oh believe me, I've had to deal with snowshoe spams for several months from Romania back in 2009 or thereabouts and those spams had hyperlinks which traced to Romanian servers. I think I've sent countless, probably over 100 abuse reports on those spams with absolutely zero reply and maybe in fact encouragement from the abuse desks who were probably in cahoots with the spammers (or spam gangs) themselves who could be Romanian, but more likely Russian. The language barrier doesn't help either. They got flagged eventually by one of the BLs, but only after probably hundreds, if not thousands of reports on them. This is what colors my thought about Romanians on at least the dealing with the spam front - and the apparent correct address in which spam complaints go to which now bounces does not help either in my assessment.
  5. Since about the end of March, I've been noticing spamming from Romania has picked up quite a bit and quite a few weren't caught on my ISP's spam filter, including 3 of the last 4 spams that weren't caught... Here are all of them dating back from March 29:

    http://www.spamcop.net/sc?id=z5306374619z5...6910d6c5467c72z
    http://www.spamcop.net/sc?id=z5306374341ze...0040397544f84cz
    http://www.spamcop.net/sc?id=z5302598049z5...a91720bba7731dz
    http://www.spamcop.net/sc?id=z5292060929z0...35c5aad5fa319fz
    http://www.spamcop.net/sc?id=z5291796617z5...341f81fcfa05e1z

    In all five of these cases, the reports that are apparently sent to aren't to a postmaster or abuse address - I wonder if the spammers themselves in Romania are setting them up so that spamcop reports go to them and then they revenge spam using spamcop reports. Romania is still one very lawless country that still hasn't gotten its act together when it comes to spam - it shouldn't even have been allowed to enter the EU in the first place.
  6. It seems that Spamcop's reporting address for these two pieces of crap redirects back to a devnull address... http://www.spamcop.net/sc?id=z5139957093z5...09607dea5df014z http://www.spamcop.net/sc?id=z5139958686z7...2bf0900e9cd400z I am wondering if there seems to be a theft of IP services there.
  7. This spammer is apparently insistent on breaking the parser - I really want to wish enough bad things on this spammer. There are links in the original message, but as you can see, the parser "ignores" it by at least one technique by that sh** spammer. http://www.spamcop.net/sc?id=z4970399465zd...a284d1b5eccb7az This is enough to make me want to throw a fifty-ton tantrum.
  8. Has anyone dealt with ISPs in Turkey recently - as I've gotten a pair of spams which point to a Turkish provider - and apparently the homepage of that provider is in Turkish only...

    http://www.spamcop.net/sc?id=z4967246657ze...c99a2f652a2031z
    http://www.spamcop.net/sc?id=z4966067162z9...a221fa2608ffd9z

    Also the abuse address for the server being misused to send the spam isn't pointing to an abuse mailbox - is this common? These types of spams were apparently started when Romanian servers were involved, but now it appears that Romania clamped down on them and they now have moved operations to Turkey apparently.

    Now, those damn spammers added at least one "Content-type: #" to screw up the damn parser, so I had to remove those lines so that Spamcop can properly parse it... Secondly, the damn spammers also fudged the URLs with apparent "blank" characters or things like "j" to screw with the parser - and in the first case, spamcop read the "blank" character as an extra forward slash in the URL which forced me to resubmit by editing and removing the "invisible character" or converting the "escaped" character.

    Anyone else dealt with those types of spams recently that forced them to resubmit?
  9. More of this POS... http://www.spamcop.net/sc?id=z4093747046zb...ce2ae216016ecdz This time with domain second9949.com - sent from 204.110.241.40. I think that entire 170.117.0.0/17 is rogue or stolen, especially that POS IP address 170.117.122.82.
  10. One more damn e-mail from this 170.117.122.82 POS... http://www.spamcop.net/sc?id=z4093407681z3...f5c669d8add6d0z with the domain savejava.com Now the connection they used to advertise that domain which translates into the POS IP 170.117.122.82 was from 209.66.157.232, which apparently is a connix.com connection.
  11. This is at least the third email I got with a URL that refers to that IP when parsed - and it isn't the IP block - it is the particular, specific IP. http://www.spamcop.net/sc?id=z4091158454zd...be4371c5ddac7fz Whatever that reporting e-mail is (dgoulakos[at]optima.org), it doesn't sound right at all and it's bounced 6 out of 7. Not only that, but ARIN claims that the 170.117.0.0/17 block is that particular contact. Another snowshoe spam artist - such idiocy...
  12. Except that this time, it now references to a set of IP address space with no contact info, which has now been sent to nomaster because of the lack of contact info... 8 out of my last 13 sent submissions, and that has been since April 24 are for this Romanian snowshoe crap with The space 94.49.0.0/16 or better yet, the space 94.48.0.0/15 should be totally blocked until that snowshoe spam farm has been kicked out.

    The IP addresses (sending and referred) have been this list:

    94.49.123.207
    94.49.137.17
    94.49.123.174
    94.49.136.163
    94.49.123.143
    94.49.136.101
    94.49.123.109
    94.49.136.40
    94.49.121.226
    94.49.131.175
    94.49.121.136
    94.49.131.5
    94.49.121.37
    94.49.130.70
    94.49.120.134
    94.49.129.6

    And according to robtex... All of these IP addresses belong to AS47931, ALE-NETWORK, apparently based out of (surprise, surprise) Romania. And they apparently own these netblocks...

    94.48.160.0/24 ALE NETWORK
    94.49.120.0/21 ALE NETWORK
    94.49.128.0/18 ALE NETWORK

    The reason why I am calling for the entire 94.48.0.0/15 netblock to be blocked is every known registered IP block of either 94.48.0.0/16 and 94.49.0.0/16 are known Romanian snowshoe spam farm suspects. Spamcop - please block the entire 94.48.0.0/15 netblock for these reasons.
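The netblock reasoning in the post above can be checked with Python's standard `ipaddress` module. This is an added example, not part of the original post: it uses only the IPs and prefixes listed there, and the function names are illustrative. It maps each reported IP to a listed netblock, finds the smallest single CIDR that covers all of them, and compares the size of the proposed /15 with the address space of the listed netblocks.

```python
import ipaddress

# Values copied from the post above: the reported IPs, the three netblocks
# attributed there to AS47931, and the block the poster asks to have listed.
REPORTED_IPS = """
94.49.123.207 94.49.137.17 94.49.123.174 94.49.136.163
94.49.123.143 94.49.136.101 94.49.123.109 94.49.136.40
94.49.121.226 94.49.131.175 94.49.121.136 94.49.131.5
94.49.121.37 94.49.130.70 94.49.120.134 94.49.129.6
""".split()
LISTED_NETBLOCKS = ["94.48.160.0/24", "94.49.120.0/21", "94.49.128.0/18"]
PROPOSED_BLOCK = "94.48.0.0/15"


def hits_per_prefix(ips, prefixes):
    """Count reported IPs inside each netblock; return IPs matching none."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    counts = {str(n): 0 for n in nets}
    unmatched = []
    for ip in map(ipaddress.ip_address, ips):
        owner = next((n for n in nets if ip in n), None)
        if owner is None:
            unmatched.append(str(ip))
        else:
            counts[str(owner)] += 1
    return counts, unmatched


def smallest_cover(ips):
    """Smallest single CIDR block that contains every reported IP."""
    addrs = [ipaddress.ip_address(i) for i in ips]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit at a time
    return net


def block_scope(block, prefixes):
    """(addresses in the block, addresses of listed netblocks inside it)."""
    block = ipaddress.ip_network(block)
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    listed = sum(n.num_addresses for n in nets if n.subnet_of(block))
    return block.num_addresses, listed


if __name__ == "__main__":
    counts, unmatched = hits_per_prefix(REPORTED_IPS, LISTED_NETBLOCKS)
    print("hits per netblock:", counts, "unmatched:", unmatched)
    print("smallest covering block:", smallest_cover(REPORTED_IPS))
    total, listed = block_scope(PROPOSED_BLOCK, LISTED_NETBLOCKS)
    print(f"{PROPOSED_BLOCK}: {total} addresses, {listed} in listed netblocks")
```
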
  13. Add three more spams, even though one of these is probably not a Romanian one...

    http://www.spamcop.net/sc?id=z3723622044z1...906e1ce1cefb88z

    IPs of this first one: 188.209.23.242 and 188.209.24.127, from network ID AS15884, part of network 188.209.16.0/20

    http://www.spamcop.net/sc?id=z3723660874z5...629178038cd806z

    IPs of this second one: 69.169.97.252, from network IDs AS20001, AS33597 and AS46801, part of networks 69.169.0.0/17, 69.169.96.0/19 and 69.169.96.0/20 (not sure which is the legitimate owner of these addresses, sounds like stolen IP space). 213.247.2.71, from network IDs AS28045 (), part of networks 213.247.0.0/19 and 213.247.0.0/20, probably another set of stolen IP space.

    http://www.spamcop.net/sc?id=z3723695986ze...39d75e9321a6c5z

    IPs of this third one: 188.209.23.251 and 188.209.24.253, AGAIN from network ID AS15884, part of network 188.209.16.0/20
  14. Add one more Romanian network to add to the idiocy...

    http://www.spamcop.net/sc?id=z3722879400z9...86fd3eb5ea25e0z

    New crap IPs...

    109.199.112.48
    109.206.7.7

    First one is from the supernetwork 109.199.96.0/19, network ID AS50075 - probably a fake network set up just for spamming

    Second one is from the supernetwork 109.206.0.0/19, network ID AS50319 - yet again another fake network just to use for spam.

    Added - another piece of crap from Network ID AS48976

    http://www.spamcop.net/sc?id=z3723080483z9...87956dcbb9474az

    New crap IP of 93.168.5.246

    Note that the forged domain (hibr123picked.com) is from 93.168.64.11 - however, from the same Network ID AS48976, with supernetwork 93.168.0.0/17.
  15. As an update - I put in four more reports, but yet to submit...

    http://www.spamcop.net/sc?id=z3721076284z9...456d0ecaba7855z
    http://www.spamcop.net/sc?id=z3721166004zf...51f2602888ec1fz
    http://www.spamcop.net/sc?id=z3721191020z8...00cf8b8414f50az
    http://www.spamcop.net/sc?id=z3721233838z5...f949e3c8ba21cbz

    I put in two more earlier today, but submitted to my own address...

    http://www.spamcop.net/sc?id=z3719914935z0...45bf761cc786b5z
    http://www.spamcop.net/sc?id=z3719908895zf...8213a0487f93daz

    IPs so far identified...

    93.168.88.78
    93.168.88.80
    95.157.91.129
    95.157.91.157
    95.157.91.185
    95.177.155.136
    188.170.209.232
    188.208.50.166
    188.208.50.168
    188.229.96.130

    The 93.168.88.x crap is apparently part of the supernetwork 93.168.0.0/17 from network ID AS48976, not blacklisted anywhere.

    Spamhaus has already blacklisted the 95.157.91.x crap from network 95.157.64.0/18, network ID AS47968 as a snowshoe spam operation according to http://www.spamhaus.org/sbl/sbl.lasso?query=SBL76453

    The 188.170.209.x one comes from supernetwork 188.170.208.0/20, network ID AS50041, not blacklisted anywhere.

    The 188.208.50.x crap comes from supernetwork 188.208.48.0/20, network ID AS49436, not blacklisted anywhere.

    That 188.229.96.x one comes from supernetwork 188.229.96.0/21, network ID AS50068, not blacklisted anywhere either.

    I wonder if we should start rejecting anything coming from network IDs AS47968, AS48976, AS49436, AS50041 and AS50068 among others (a few more, and it includes AS50042). Some of those AS's are very suspicious too IMO.

    Another spam from those idiots just came in...

    http://www.spamcop.net/sc?id=z3721455893zd...f32198465e20e1z

    New crap IP from Romania again... 93.118.2.110 - from supernetwork 93.118.0.0/20, network ID AS44954