[datacorpore.com.br] reporting addresses

[Farelf]

... Were you saying that SC´s admins have broader view and past experience, etc?

I think it´s time for them to step in to light and clarify ordinary users like me about that.

Yes, we would all welcome more involvement and feedback, something expressed many times. There are obviously limits to what can be prudently said in public but there is much opportunity for our 'education and enlightenment'. But maybe the same can be said about any product or service provider, I think. We must do what we can to help one another - and be thankful we at least have venues for that ('here' and the newsgroups).

[Miss Betsy]

No IP seems to be blocked anywhere.

Are you saying that, in spite of your reporting, that these IP addresses have not been added to the spamcop blocklist? Nor, have they appeared on other blocklists that rely on other criteria? If that is what you mean, then, perhaps other people are not receiving spam from these people. I can't remember - have you posted some IP addresses that you think should be on blocklists, but are not?

They just laugh at us! Sometimes I'm forced to face the reality of SC being just a waste of time.

SC's purpose is not to force spammers out. The reports function of SC is to alert those server admins who are interested that there is a problem on their network. Since there are few mistakes on the part of responsible server admins and apparently fewer server admins who have not had adequate training to detect spamming activity on their servers, most reports go to unresponsive abuse addresses. Spamcop seems to handle these in two ways: one is to send reports to devnull (in other words, the reports are not sent) or to send reports to those upstream who may be interested. Since I am not very good at doing the kind of research that is necessary to show the deputies that the reports need to go somewhere else, I can't advise you on what the deputies require in order to change the abuse address.

Whether spamcop does, or does not, send reports, the IP address is added to the scbl. There is a complicated algorithm that determines when an IP address is listed. Reports, no matter how many, from one reporter will not list an IP address.

If you are not, in some way, using the spamcop blocklist to filter out spam, then you are wasting your time if you expect reporting to spamcop will reduce the amount of spam you receive.

It is not that people are not listening to your arguments. You need to provide technical evidence that reports need to go somewhere else.

What I have been trying to tell you is that where you send the reports is probably not important. The important thing is to add the IP addresses to the scbl. If these are as terrible spammers as you say they are, then the IP addresses they use to send the spam should be on several blocklists. If you are talking about a website that is found within a spam sent to you, then we are talking about something different. Spamcop is not the tool to report websites that advertise via spam.

If you have not emailed the deputies with your suggestions, then you should do so if you want something changed. I am a user like you and I cannot change anything that you can't change. If you don't get a satisfactory answer from the deputies, then you can tell us what they said. Depending on the user, some will be sympathetic with you; others may try to point out why the deputies answered as they did. If you do contact the deputies and you get a satisfactory answer, please let us know. Then, we can tell the next person who has an idea like yours, what will satisfy him or her.

Miss Betsy

[Emerson Prado]

This seems a long inactive topic, but it's closely related to another one I opened a few days ago:

http://forum.spamcop.net/forums/index.php?showtopic=11344#

I just want to add something on some questions above:

1.No address is blacklisted. I tried 201.33.16.109 (datacorpore.com.br) and 201.33.16.107 (hostgold.com.br).

2.The current upstream seems to be brasiltelecom.net.br (200.96.255.21), not blacklisted either.

3.I just wrote the deputies, as suggested.

Best regards

[SpamCop 98]

This seems a long inactive topic, but it's closely related to another one I opened a few days ago:

http://forum.spamcop.net/forums/index.php?showtopic=11344#

I just want to add something on some questions above:

1.No address is blacklisted. I tried 201.33.16.109 (datacorpore.com.br) and 201.33.16.107 (hostgold.com.br).

Listing is automatic based on rules described at the bottom of this page.

2.The current upstream seems to be brasiltelecom.net.br (200.96.255.21), not blacklisted either.

While Brasiltelecom AS8167 is datacorpore's only peer, it is also one of the largest telecommunications service providers in Brazil.

3.I just wrote the deputies, as suggested.

If you could identify a direct benefit to sc admin for cc'ing millions upon millions of spam emails to mail-abuse[at]nic.br or cert[at]cert.br I'm sure they would do it. Personally I believe it would be a monumental waste of resources.

[Emerson Prado]

Listing is automatic based on rules described at the bottom of this page.

Thanks for the info. Now I see that a possible cause for this spammer not be stopped is lack of reports. They are probably not being caught by spamtraps.

While Brasiltelecom AS8167 is datacorpore's only peer, it is also one of the largest telecommunications service providers in Brazil.

Absolutely true. They even have special powers in the Brazilian Supreme Court - but this is a completely different issue... *

Even though, since the offending domain seems interested in spams somehow (they even spamvertise mailing lists), it would be a nice try to make the upstream provider aware. We might get somewhere or nowhere - but reporting to the offender only sure leads nowhere anyway.

If you could identify a direct benefit to sc admin for cc'ing millions upon millions of spam emails to mail-abuse[at]nic.br or cert[at]cert.br I'm sure they would do it. Personally I believe it would be a monumental waste of resources.

Sorry, but I didn't get you here. The suggestion was to notify the upstream provider (Brasil Telecom), not Nic or Cert.

Though, BTW, Cert encourages anyone reporting Brazilian spam to copy them, so they can keep track of the overall situation. Besides, Cert is tied to Registro.br, which controls Brazilian domains. Being Brazilian, I have Cert on my public reporting address by default.

What to do about these MF?

Best regards,

Emerson

*If one got curious, search "Daniel Dantas", "Gilmar Mendes" and "BrT Oi". Be seated and certain your heart is healthy before starting.

[SpamCop 98]

Sorry, but I didn't get you here. The suggestion was to notify the upstream provider (Brasil Telecom), not Nic or Cert.

Sorry, that was directed at the OP:

The whole point of this thread of mine is to convince SC´s admins to broaden the scope of some of their reports. In the case of [datacorpore.com.br] and their partners in crime, we should at least get mail-abuse[at]nic.br + cert[at]cert.br informed plus their datacenter operator, meaning, BrasilTelecom.

[cwg]

1. If I were a spammer, and didn't want my ISP to receive reports from SpamCop, it would be clever of me to get SC to send the reports somewhere other than the registered abuse address. Now if you have knowledge that the whois Abuse address is incorrect, that is a violation of the registration and should be reported.

To whom?

This is a quote I got from manually informing RIPE of an illegal and invalid email address:

Dear Sir or Madam,

Thank you for your email regarding out of date contact data in the RIPE

database.

There may be options we could pursue to check the validity of the contact

data in the objects in the RIPE Database. Where we have a direct

relationship with the owners of these objects we could request that they

update this information. But we do not have a mandate from the RIPE

community to allocate any resources to this activity. If you feel this

should have a higher priority then you may raise the issue on the Database

Working Group or Antispam Working Group or Address Policy Working Group

mailing lists. You can find information about the mailing lists here

http://www.ripe.net/ripe/wg/index.html

These are open working groups and views are welcomed from anyone who

wishes to discuss relevant issues.

If you have any more questions, please contact <ripe-dbm[at]ripe.net>.

Regards,

Ronen Preisler

____________________________

RIPE Database Administration.

So from that reply, I would suspect the general attitude is "So what?".

[Emerson Prado]

Just an update: the said deputies weren't of much help. They just said the blacklist is automatically generated, and just didn't answer yet about adding the upstream provider contact address in the abuse report recipient list.

I contacted the upstream provider. Brasil Telecom is being acquired by Oi (oi.com.br), and the Whois (https://registro.br/cgi-bin/whois/) contact is at the latter. Though Whois only indicates a support contact (mariana.bion[at]oi.net.br), I wrote them and they provided me an abuse contact (csirt[at]oi.net.br).

One sad issue is the lack of reports. If those were sent by more recipients, datacorpore/hostgold would be blacklisted for sure (they send spam almost daily).

Another sad issue is that those spammers sell addresses, and none seems interested in this violation. At least not SpamCop nor Cert.

But let's see what Oi does. It ain't over 'till it's over.

So long,

Emerson

[Emerson Prado]

I have just received spam from one spammer (GHR Marketing) who was always hosted at datacorpore. But, this time, the message came from China:

http://www.spamcop.net/sc?id=z4167494130z4...ce573e95f34930z

Let's see what I still receive from datacorpore (I got one spam from them this morning, not from GHR).

Best regards,

Emerson

[kmolloy]

One sad issue is the lack of reports. If those were sent by more recipients, datacorpore/hostgold would be blacklisted for sure (they send spam almost daily).

Another sad issue is that those spammers sell addresses, and none seems interested in this violation. At least not SpamCop nor Cert.

We can't do anything about the fact that the spammers sell addresses; we can only send reports. If the reports that you're sending to the upstream aren't having an effect, then more reports probably won't help.

The SCBL's automation is one of its strengths; it makes it harder to game. We're not going to violate our listing criteria for anyone. If you want to see the SCBL reflect the spam you receive, then donate a spamtrap to us (if you have one). Traps don't have to be high-volume but they do need to be an address that's never been used to send mail. (The odd addresses you find in catchalls that have been created by spammers are perfect for this. No one sent mail from bootkitewashingmachiine[at]my_domain, I'm certain).

[Emerson Prado]

I'm afraid you didn't get the whole issue. I'll address each point:

We can't do anything about the fact that the spammers sell addresses; we can only send reports.

The violation I'm talking about, and is the topic, is spam being sent from datacorpore.com.br. The address selling remark intent is to illustrate how serious is the issue - not being able to block an offending domain.

If the reports that you're sending to the upstream aren't having an effect, then more reports probably won't help.

The reports are being sent to datacorpore.com.br, not its upstream provider. Adding the upstream provider for such a case is exactly what's being requested.

The SCBL's automation is one of its strengths; it makes it harder to game. We're not going to violate our listing criteria for anyone.

That was said more than once and long understood. The manual action being requested is adding the upstream provider's abuse address to the recipient list of a domain which refuses to take action by itself.

If you want to see the SCBL reflect the spam you receive, then donate a spamtrap to us (if you have one).

Good idea. How does that work? Can it be a free mail, like GMail or Yahoo?

(The odd addresses you find in catchalls that have been created by spammers are perfect for this. No one sent mail from bootkitewashingmachiine[at]my_domain, I'm certain).

Great hint! We just have to make sure the address is really invalid. Though, if it's valid, we won't be able to create an account anyway. The only drawback is to choose an invalid address which was already owned...

BTW: it's been 3 days since I received my last spam from datacorpore.com.br, and one spammer previously hosted there (GHR Marketing) moved to a Chinese provider. I wrote datacorpore's upstream provider - oi.com.br - 6 days ago. Before so, I used to receive around 2 spams per day from this server. Is it a coincidence or did the upstream really step in?

Best regards,

Emerson

[Wazoo]

Good idea. How does that work? Can it be a free mail, like GMail or Yahoo?

Frequently Asked Question .... there is an answer already existing in the FAQs linked to at the top of this very page.

[Emerson Prado]

I see SC isn't interested in accounts with less than 2000 spam messages per day. I'll skip this one, since I don't get that in an year.

The party was short about datacorpore and Oi. I'm receiving spam from datacorpore again, though at a very lower pace. I guess they're trying to avoid blocking by limiting the number of messages. This probably indicates the spammer domain could have been notified by Oi.

Could someone share thoughts on copying reports to the upstream address?

Best regards,

Emerson

[Emerson Prado]

It seems datacorpore.com.br moved to another host. I tracerouted it and found their IP (201.33.16.104) routes back to gvt.net.br (189.59.244.182), not to oi.net.br anymore. In Registro.br Whois, I only found and admin contact, not an abuse one. I'll contact them and see what we can get.

Best regards,

Emerson

[petzl]

It seems datacorpore.com.br moved to another host. I tracerouted it and found their IP (201.33.16.104) routes back to gvt.net.br (189.59.244.182), not to oi.net.br anymore. In Registro.br Whois, I only found and admin contact, not an abuse one. I'll contact them and see what we can get.

Aside from spam Brazil loses credibility in all other ventures

I for one white-ant any and all tenders from Brazil mainly because I don't like spammers or countries that support them! Potential loss to Brazil just from me nearing the billion dollar mark

[Emerson Prado]

Now the MF seems to have moved to a domain other than datacorpore.com.br. I received spam from him today, and the tracerouting points to two addresses: hospedagem-de-site.info and hostlocation.com.br. I can't tell the stream order - the routing is too confusing to my current knowledge. Even though, it seems the .info address is just a fooling route. But the contact addresses are the same as ever: abuse, postmaster and marcelo[at]hospedagemdesite.com.br, as well as the owner: Marcelo Safatle.

Anyway, the upstream is now backbone-br.com.br. Let's get back to the rat and cat chase...

Note: I don't know if there's still a way for SC to do something about this drifting spammer. But I'm bringing some feedback here just in case anyone wants it.

Best regards,

Emerson

[Emerson Prado]

From what I observed, this spammer is simultaneously subscribed in three providers: oi.net.br, gvt.com.br and backbone-br.com.br. I receive alternating messages from each provider (less from oi).

What I'm doing, and intend to keep doing, is reporting all messages to SC and to the upstream provider, which I manually check for every new message :angry: .

I still think there should be a way to include upstreams in SC notification. But I don't know if it's feasible, because it'd probably require tracerouting each individual message.

So I ran out of ideas . Anyway, I leave the information here for the record and just in case it becomes useful.

Best regards all,

Emerson