chexmix

being crushed by yahoo and a few others -- advice?

Well our spammer is a busy one! And it doesn't look like leaseweb is prone to doing anything.

I'll just have to keep reporting, I guess ... unless someone else has some good ideas.

Thanks for all the help so far. I feel like I'm learning ...

Don't help when there are rogue providers like OVH.net, leaseweb, dot.tk etc.

The Child porn reporting site I use often and have some in fact a lot of success

http://www.tinhat.com/children/report_pornography.html

Depends who you get they are harmless to use

But don't get worked up about spammers.

I report them when I can don't worry if you miss some

SpamCop also adds "interested parties" who may well be the authorities.

Edited by petzl

I don't do Windows. I'm a Linux/OpenBSD guy.
Good, good - to put it more plainly, last thing you want is any indication in the "really hidden" files such as Windows has that you might ever have touched one of those bad sites. Victims, after all, are more easily prosecuted than are perpetrators because they are more easily found and "the law is the law" as some have found. Blind justice is the ideal, blind enforcement is the reality.


Don't help when there are rogue providers like OVH.net, leaseweb, dot.tk etc.

The Child porn reporting site I use often and have some in fact a lot of success

http://www.tinhat.com/children/report_pornography.html

Depends who you get they are harmless to use

But don't get worked up about spammers.

I report them when I can don't worry if you miss some

SpamCop also adds "interested parties" who may well be the authorities.

S/he appears to be jumping all over the place today.

I'm beginning to wonder whether the URLs in the emails (which for some reason disappear when I show headers, and are not registered by the Spamcop engine), and the IPs they resolve to, are real at all.

I just this morning read about TOR. I don't know much about it. Perhaps it is not involved here. But there is so much I don't know, and the spammer(s) probably have a whole crew of talented crackers working for him/them.


S/he appears to be jumping all over the place today.

I'm beginning to wonder whether the URLs in the emails (which for some reason disappear when I show headers, and are not registered by the Spamcop engine), and the IPs they resolve to, are real at all.

I just this morning read about TOR. I don't know much about it. Perhaps it is not involved here. But there is so much I don't know, and the spammer(s) probably have a whole crew of talented crackers working for him/them.

Only got one this morning S/he is using redirection from 70.87.107.194 theplanet.com to S/he's old rogue OVH.net but a different OVH.net IP 70.87.107.194 tried abuse[at]ovh.co.uk as well as net?

Not had ovh.net respond until I reported them via

http://www.iwf.org.uk/

from the main link

http://www.tinhat.com/children/report_pornography.html

Been through this before S/he moves from one Euro provider to another. Traced the "credit card" site to florida but looks bogus (no certificate not secure) probably just after credit card numbers and blackmail

...

I just this morning read about TOR. I don't know much about it. Perhaps it is not involved here. ...

TOR proxies should identify themselves at the exit of the "anonymizing" network, they are applicable to browsing AFAIK (ports 80 & 443), messaging via webmail. Here's one, perfectly above-board:

C:\WINDOWS\system32>nslookup -type=ptr 108.171.180.162 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
162.180.171.108.in-addr.arpa name = tor-proxy1.distinctiveit.com

They are also recorded in one or two DNSbls for services wanting credentials or not wanting to deal with proxies (reversed quad lookup in this case 108.171.180.162 -> 162.180.171.108):

C:\WINDOWS\system32>nslookup 162.180.171.108.torexit.dan.me.uk 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: 162.180.171.108.torexit.dan.me.uk
Address: 127.0.0.100

C:\WINDOWS\system32>

127.0.0.100 means in the list, a "non-existent domain" response if not in list. Further detail in the text record:

C:\WINDOWS\system32>nslookup -type=txt 162.180.171.108.torexit.dan.me.uk 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
162.180.171.108.torexit.dan.me.uk text =
"N:TorNode01/P:443,80/F:EFHRSDV"

Like anything else on the internet I suppose, subject to abuse.
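The lookups in the post above, as an added example that is not part of the original post: it builds the reversed-quad DNSBL name, classifies the answer, and splits the TXT record. The function names, the injectable `resolve` parameter and the meanings given to the N/P/F fields are assumptions of this example; the zone, the 127.0.0.100 answer and the sample record are the ones shown in the post.

```python
import ipaddress
import socket

ZONE = "torexit.dan.me.uk"   # DNSBL zone queried in the post
LISTED = "127.0.0.100"       # answer the post gives as "in the list"
SAMPLE_TXT = '"N:TorNode01/P:443,80/F:EFHRSDV"'  # TXT answer from the post


def reversed_quad(ip):
    """108.171.180.162 -> 162.180.171.108; ValueError if not IPv4."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def dnsbl_name(ip, zone=ZONE):
    """Name to look up: reversed quad followed by the list's zone."""
    return f"{reversed_quad(ip)}.{zone}"


def parse_txt(txt):
    """Split the TXT answer on '/' and ':'.

    Assumption (not stated in the post): N is the node name, P the port
    list, F a string of one-letter flags. Other keys are kept verbatim.
    """
    out = {}
    for part in txt.strip().strip('"').split("/"):
        key, sep, value = part.partition(":")
        if not sep:
            continue  # malformed segment, ignore
        if key == "N":
            out["name"] = value
        elif key == "P":
            out["ports"] = [int(p) for p in value.split(",") if p.isdigit()]
        elif key == "F":
            out["flags"] = set(value)
        else:
            out[key] = value
    return out


def system_resolve(name):
    """A-record lookup via the system resolver (needs network access)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return {info[4][0] for info in infos}


def check(ip, zone=ZONE, resolve=system_resolve):
    """Return 'listed', 'not listed' or 'unknown' for ip in zone."""
    try:
        answers = resolve(dnsbl_name(ip, zone))
    except socket.gaierror as exc:
        # Only a definite "no such name" means not listed; a timeout or
        # resolver failure must not be read as a clean result.
        return "not listed" if exc.errno == socket.EAI_NONAME else "unknown"
    return "listed" if LISTED in answers else "unknown"
```

Calling `check("108.171.180.162")` performs the live query; passing a different `resolve` callable lets the same logic run against recorded answers.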


TOR is being abused so badly, I dumped it about five years ago.

My old ISP once encouraged TOR, now they are really nervous about it.

(though the recent Supreme Court ruling that ISP's are not content providers, but "cyber-taxi's", calmed them a bit)

Cheers!


Only got one this morning S/he is using redirection from 70.87.107.194 theplanet.com to S/he's old rogue OVH.net but a different OVH.net IP 70.87.107.194 tried abuse[at]ovh.co.uk as well as net?

Not had ovh.net respond until I reported them via

http://www.iwf.org.uk/

from the main link

http://www.tinhat.com/children/report_pornography.html

Been through this before S/he moves from one Euro provider to another. Traced the "credit card" site to florida but looks bogus (no certificate not secure) probably just after credit card numbers and blackmail

... appears to be back with dot.tk today.


... appears to be back with dot.tk today.

Yes redirecting some to 188.72.217.57 Germany abuse[at]leaseweb.de

From 93.170.52.31 Netherlands abuse[at]dot.tk

Had five this morning (Sydney Australia)

Had a look at the credit card skimming site it today is leaseweb germany also

188.72.217.57

Looked some time ago it was Florida


Yes redirecting some to 188.72.217.57 Germany abuse[at]leaseweb.de

From 93.170.52.31 Netherlands abuse[at]dot.tk

Had five this morning (Sydney Australia)

Had a look at the credit card skimming site it today is leaseweb germany also

188.72.217.57

Looked some time ago it was Florida

No spams from this source for a few hours -- hope that continues, but I have my doubts.


No spams from this source for a few hours -- hope that continues, but I have my doubts.

Getting spams again ... still via Yahoo! ... the links are back as embedded in the emails, so SpamCop picks them up correctly. Must have been losing too much money w/o clickable links ... (?)

S/he seems to be back sitting [at]dot.tk.

Will keep reporting. If I had a hammer ...


Getting spams again ... still via Yahoo! ... the links are back as embedded in the emails, so SpamCop picks them up correctly. Must have been losing too much money w/o clickable links ... (?)

S/he seems to be back sitting [at]dot.tk.

Will keep reporting. If I had a hammer ...

"Adjectives deleted" Yahoo! :D


Getting spams again ... still via Yahoo! ... the links are back as embedded in the emails, so SpamCop picks them up correctly. Must have been losing too much money w/o clickable links ... (?)

S/he seems to be back sitting [at]dot.tk.

Will keep reporting. If I had a hammer ...

Went upstream to Internode and made an objection to them hosting child-porn

https://secure2.internode.on.net/contact/online/feedback/

Also include

postmaster "at" [106.10.149.102]

this format sends to Yahoo server. Most seem to be going through their Singapore branch.

Now that everyone or most are paid subscribers you should be able to sign in and use the SCBL

http://www.spamcop.net/bl.shtml (think this is right?)

This now gives you much more options

put in 106.10.149.102 then "Trace IP" then "report history"

Gives one more ideas on how to attack

Edited by petzl

...Now that everyone or most are paid subscribers you should be able to sign in and use the SCBL

http://www.spamcop.net/bl.shtml (think this is right?)

This now gives you much more options

put in 106.10.149.102 then "Trace IP" then report history

Gives one more ideas on how to attack

Good heavens petzl, you are quite correct - formerly free accounts, now endowed with the $15 free fuel - DO have access to "report history" for the IP address after logging in at the bl lookup page above. Had quite overlooked that, myself :blush:


Spams coming in again, with URLs 'hidden' so they don't show up when headers are displayed and forwarded. So we're back to that. They're all .tk addresses.

I sent an email to Info[at]meldpunt-kinderporno.nl asking for help. They wrote back almost immediately and suggested I report the offending sites via their website. I will start doing that when I get home from work tonight.

I refuse to give up.


Spams coming in again, with URLs 'hidden' so they don't show up when headers are displayed and forwarded. So we're back to that. They're all .tk addresses.

I sent an email to Info[at]meldpunt-kinderporno.nl asking for help. They wrote back almost immediately and suggested I report the offending sites via their website. I will start doing that when I get home from work tonight.

I refuse to give up.

www.dot.tk just give their abuse[at]dot.tk which seems to be bit binned

I went upstream not sure how I got their upstream address? (might not be correct?)

https://secure2.internode.on.net/contact/online/feedback/

They replied to me from their Australian quarters

We appreciate the time you have taken to contact us to raise these concerns. I will be passing this information on to our Abuse team for further review and investigations. However if you are further concerned with the content of these reports you may like to raise this matter with the Electronic Crimes unit of your local police station.

We understand that your time is important and we appreciate your diligence in bringing this matter to our attention. If you have any further enquiries regarding this please do not hesitate to contact me via reply email.

Edited by petzl


www.dot.tk just give their abuse[at]dot.tk which seems to be bit binned

I went upstream not sure how I got their upstream address? (might not be correct?)

https://secure2.internode.on.net/contact/online/feedback/

They replied to me from their Australian quarters

We appreciate the time you have taken to contact us to raise these concerns. I will be passing this information on to our Abuse team for further review and investigations. However if you are further concerned with the content of these reports you may like to raise this matter with the Electronic Crimes unit of your local police station.

We understand that your time is important and we appreciate your diligence in bringing this matter to our attention. If you have any further enquiries regarding this please do not hesitate to contact me via reply email.

I took the step of reporting the sites to meldpunt-kinderporno.nl via their web interface -- they got back to me and said all the sites I'd passed along were "legal pornography" and did not involve children.

I may stop pursuing this, at least so vigorously. I might take the step of adding an entry to my .procmailrc file that will simply trash all emails coming from yahoo. Of course this will chew up some valid emails, but I am not aware that I get that much from yahoo addresses (other than spam) anyway.

Still interested to hear if anyone else has any luck with these. Thanks to everyone who contributed to this thread. I am older and (maybe a little) wiser, and a trifle depressed. :(


I took the step of reporting the sites to meldpunt-kinderporno.nl via their web interface -- they got back to me and said all the sites I'd passed along were "legal pornography" and did not involve children.

I may stop pursuing this, at least so vigorously. I might take the step of adding an entry to my .procmailrc file that will simply trash all emails coming from yahoo. Of course this will chew up some valid emails, but I am not aware that I get that much from yahoo addresses (other than spam) anyway.

Still interested to hear if anyone else has any luck with these. Thanks to everyone who contributed to this thread. I am older and (maybe a little) wiser, and a trifle depressed. :(

You can't argue with them but the models to me and everyone else look to be well under 18?

With these people it is the luck of the draw who you get. They tend to err on the side of leniency for fear of "over-doing". They also don't want "us" getting trigger happy so take the "rejection" with a pinch of salt.

You tried and I bet they still do something. They are civilians without police powers but can/will contact the police.

"They" will go through your report later, make no error and with their police coordinator.

From their web page

What is illegal child pornography?

Illegal under Dutch penal law is "an image of a sexual act in which a person who clearly has not reached the age of eighteen (18) is involved", as stated in article 240b of the Criminal Code.

That description is what this scum is spamming me and 1000's of others with at any rate (SpamCop's "report history" shows quite a few reporting this site)

Sometimes the spammers web pages change. Once they were jumping country to country within Europe.

So far not had spam from this low-life since yesterday he used to send around 10 a day.

Could be "list-washed" or s/he will start spamming me again?

But don't get worked up about a spammer they are not worth it.

Thanks a lot from me for adding another shot at this scum

Just put in a report to kinderporno as well see what they say to me (probably the same as you?).

The last spam I got though redirected to America however a report I made a week ago shows the dot.tk still alive.

Edited by petzl


You can't argue with them but the models to me and everyone else look to be well under 18?

With these people it is the luck of the draw who you get. They tend to err on the side of leniency for fear of "over-doing". They also don't want "us" getting trigger happy so take the "rejection" with a pinch of salt.

You tried and I bet they still do something. They are civilians without police powers but can/will contact the police.

"They" will go through your report later, make no error and with their police coordinator.

From their web page

What is illegal child pornography?

Illegal under Dutch penal law is "an image of a sexual act in which a person who clearly has not reached the age of eighteen (18) is involved", as stated in article 240b of the Criminal Code.

That description is what this scum is spamming me and 1000's of others with at any rate (SpamCop's "report history" shows quite a few reporting this site)

Sometimes the spammers web pages change. Once they were jumping country to country within Europe.

So far not had spam from this low-life since yesterday he used to send around 10 a day.

Could be "list-washed" or s/he will start spamming me again?

But don't get worked up about a spammer they are not worth it.

Thanks a lot from me for adding another shot at this scum

Just put in a report to kinderporno as well see what they say to me (probably the same as you?).

The last spam I got though redirected to America however a report I made a week ago shows the dot.tk still alive.

I sent an email directly to abuse[at]dot.tk and told them exactly what I thought of them. They wrote back acting all surprised. Bastards.

I added a procmail rule that sends all emails from yahoo addresses to /dev/null.


I sent an email directly to abuse[at]dot.tk and told them exactly what I thought of them. They wrote back acting all surprised. Bastards.

I added a procmail rule that sends all emails from yahoo addresses to /dev/null.

You've done some good excellent work B)

Not a peep out of since you sent them an email.

You have S/He on the run :ph34r:

Bit boring now my hotmail address has no spam at all

My set-up is my Computer is next to my armchair so I report spam like doodling while watching the young and the useless or something


You've done some good excellent work B)

Not a peep out of since you sent them an email.

You have S/He on the run :ph34r:

Bit boring now my hotmail address has no spam at all

My set-up is my Computer is next to my armchair so I report spam like doodling while watching the young and the useless or something

Wow. Really? :unsure:

It was sort of touch-and-go after I wrote them. I had told them I was going to block all email coming from yahoo.com, and not long after I had done so, I received AN IDENTICAL PORN spam from a yahoo.ca address!! So I had to massage my procmail rules a bit to exclude that as well -- but my paranoid hackles were up and (although I am now pretty sure this was just coincidence) the picture in my head had the dot.tk guys, all peeved at me, giving my address directly to the spammers so they could serve me more porn!

I've gotten a couple of scattered spams of the same formula (boy do I recognize it by now!) from other addresses, but the websites in them still seem to be on .tk. I haven't gotten one in a couple of days.

Thanks for following up, petzl. I want to think we all had an effect on the great juggernaut. But I expect to see him/her again.


Wow. Really? :unsure:

It was sort of touch-and-go after I wrote them. I had told them I was going to block all email coming from yahoo.com, and not long after I had done so, I received AN IDENTICAL PORN spam from a yahoo.ca address!! So I had to massage my procmail rules a bit to exclude that as well -- but my paranoid hackles were up and (although I am now pretty sure this was just coincidence) the picture in my head had the dot.tk guys, all peeved at me, giving my address directly to the spammers so they could serve me more porn!

I've gotten a couple of scattered spams of the same formula (boy do I recognize it by now!) from other addresses, but the websites in them still seem to be on .tk. I haven't gotten one in a couple of days.

Thanks for following up, petzl. I want to think we all had an effect on the great juggernaut. But I expect to see him/her again.

Still nothing coming in for me. Had couple of enlargement spams since last wrote from Russia but not yahoo just botnet rubbish. Keeping away from that Child porn site now as if the police are involved they will gather IP addresses

Got a reply from the Dutch much the same reply you had

But I don't reckon they won't investigate and have police contact dot.tk. These org's keep their cards hidden. Had similar reply from their UK team and the site went down quick.
