Lking

Reporting Bounced spam


I am one of the report everything types. With a new host I am able to open the doors wide and report all the spam sent to my domains.

In the current cycle of things, my domain seems to be the base for a directory approach to forged FROM: in 1 or 2 spam attacks. One spambot is in the "L" account names, the other in the Rs. I of course am getting several hundred bounce emails a day like this:

http://www.spamcop.net/sc?id=z5543026339z9...3b1f331c0f5b13z

and they all get reported. The question is, do the .ru ISPs really care? Most reports go to devnull so we know they don't care much. Is there a more efficient way to identify the bozos that don't have a well behaved mail server?

Seems a waste to dump the bounce emails on the floor, with all those electrons dying for no good reason.

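The misdirected bounces described in this post are backscatter: a spammer forges an address at the victim's domain into From:, and a remote server that accepts the message and only later rejects it sends the bounce to the forged address instead of to the real source. The following Python example is added here and is not code from the post or from SpamCop; it shows how a receiving system can tell such a bounce apart from ordinary mail and from a bounce for mail the domain really sent, so it can be filed or reported in bulk rather than one at a time. It recognises RFC 3464 delivery status notifications (multipart/report), falls back to the null envelope sender plus a bounce-style subject for non-standard bounces, and checks whether the returned original ever passed through the domain's own outbound host. The domain example.org, the host mail.example.org, the addresses and the sample messages are all constructed for the example.

```python
"""Tell backscatter (bounces for mail we never sent) apart from ordinary mail.
Added example, not code from the thread or from SpamCop (standard library only); the
domain, hosts, addresses and the three sample messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
OUR_DOMAIN = "example.org"                 # constructed: the domain whose From: is being forged
OUR_OUTBOUND_HOSTS = {"mail.example.org"}  # constructed: hosts that legitimately send our mail
# Subjects used by MTAs whose bounces are not proper RFC 3464 delivery status notifications.
BOUNCE_SUBJECT = re.compile(r"undeliver|returned mail|delivery .*notification|failure notice", re.I)
RECEIVED_FROM = re.compile(r"^from\s+([^\s(;]+)", re.I)

def dsn_recipient_status(msg):
    """(Final-Recipient, Action, Status) from the message/delivery-status part, or None."""
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # Each header block of this part is parsed as a sub-message: the per-message
            # block (Reporting-MTA) first, then one block per recipient.
            for block in part.get_payload():
                if block.get("Final-Recipient"):
                    return tuple(str(block.get(h, "")) for h in ("Final-Recipient", "Action", "Status"))
    return None

def embedded_original(msg):
    """The returned copy of the original message (message/rfc822 part), or None."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def originated_from_us(original):
    """Received: lines are prepended, so the last one is the first hop; a message that
    claims to be From: our domain but entered the mail system elsewhere was forged."""
    hops = original.get_all("Received") or []
    m = RECEIVED_FROM.search(str(hops[-1]).strip()) if hops else None
    return bool(m) and m.group(1).strip("[]").lower() in OUR_OUTBOUND_HOSTS

def classify(raw):
    """Summarise one inbound message: kind, bounced recipient, DSN status, forged From:."""
    msg = email.message_from_string(raw, policy=policy.default)
    result = {"kind": "not a bounce", "final_recipient": None, "status": None, "forged_from": None}
    is_dsn = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type") or "").lower() == "delivery-status")
    null_sender = str(msg.get("Return-Path") or "").strip() == "<>"  # bounces use the null sender
    if is_dsn:
        result["kind"] = "dsn"
        fields = dsn_recipient_status(msg)
        if fields:
            result["final_recipient"], _action, result["status"] = fields
    elif null_sender and BOUNCE_SUBJECT.search(str(msg.get("Subject", ""))):
        result["kind"] = "non-standard bounce"
    else:
        return result
    original = embedded_original(msg)
    if original is not None:
        sender = parseaddr(str(original.get("From", "")))[1]
        if sender.rpartition("@")[2].lower() == OUR_DOMAIN:
            result["forged_from"] = not originated_from_us(original)
    return result

DSN_BACKSCATTER = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@bouncer.test>
To: larry@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host mx1.bouncer.test. Your message could not be delivered.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx1.bouncer.test

Final-Recipient: rfc822; nobody@bouncer.test
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from [198.51.100.23] (unknown [198.51.100.23]) by mx1.bouncer.test
From: larry@example.org
Subject: hot stock pick

buy now
--b1--
"""
PLAIN_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@relay.bouncer.test
Subject: failure notice

Sorry, no mailbox here by that name: <someone@bouncer.test>
"""
LEGIT_MAIL = "Return-Path: <alice@partner.test>\nFrom: alice@partner.test\nSubject: Re: notes\n\nSee attached.\n"
```

Running `classify()` over the three samples gives a standards-compliant DSN whose returned original claims to be from example.org but entered the mail system at an unrelated IP (backscatter, `forged_from` True), a non-standard bounce that carries no copy of the original and so cannot be attributed either way, and an ordinary message. A bounce for mail that really left through mail.example.org comes back with `forged_from` False, which is the case a domain owner should not report.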
<snip>

The question is, do the .ru ISPs really care? Most reports go to devnull so we know they don't care much.

<snip>

...We are probably safe in assuming not but I'd not worry unduly about that and just keep on reporting 'em and help keep 'em (or hopefully get them onto, if they're not already) on the SpamCop blacklist! :) <g>


...We are probably safe in assuming not but I'd not worry unduly about that and just keep on reporting 'em and help keep 'em (or hopefully get them onto, if they're not already) on the SpamCop blacklist! :) <g>

Everything Russian is on my SC email blocklist

http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php

"Block Russian: This option will block most Russian email (and other email in Cyrillic characters) and send it to your Held Mail, whether or not it is spam. Only select this if you do not receive any legitimate Russian emails."

Most are typical cowardly Russian bully mentality. Where you don't matter.

The IP 85.113.210.170 has no abuse address and just goes to "digital Hell"


(I see Steve T has responded, and petzl, this is what I was writing anyway).

So, you are being spoofed as the sender of a spam from China and the Russian network lazily bounces it back to you and you report it, but the advice that he shouldn't have, oughtn't have, hadn't have done that never gets back to him because he hasn't an abuse address or is otherwise unsuitable to receive the SC report? And presumably listing in the SCbl isn't a factor when it comes to the source of bounces (I forget - it would probably take a lot of reports even if they have the same weighting as direct spam). And that Chinese file includes a suspicious Base64-encoded attachment, probably a .rar digest, even so you're not allowed to do anything about the real source via SC (because it's not "your" spam).

Well, we used to have RFC-Ignorant.org which might have warned about no abuse address, sadly now extinguished (http://www.dnsbl.com/2012/09/status-of-rfc...tting-down.html). But lack of reporting address is only part of the story when it comes to SC devnulling reports. Anyway, there's supposedly another service addressing such RFC ignorance matters (inheriting and verifying the RFC-Ignorant.org databases and maintaining them), rfc-clueless.org (see http://rfcignorant.org/). Unfortunately, at the moment, with the subject domain ksu.edu.ru, I'm seeing different results for the webpage lookup and the DNS lookup. Perhaps it is explained in the FAQ there, if you wanted to investigate.

Yes, they seem to do things differently in eastern Europe - spam (just about) seems to be accepted as just another advertising medium.


Yes, they seem to do things differently in eastern Europe - spam (just about) seems to be accepted as just another advertising medium.

RFC-Ignorant.org became "political" or biased, which made it useless.

JT, when he was around, stated he could just not answer Russian or "Cyrillic characters". I tried using just that as my blacklist and it is very effective, so it sounds like a good way to clean the internet.

China seems to have evolved into addressing complaints, although you get the odd one. Dream host are clowns: they host child porn (under 18 or made to look under 18) and refuse SpamCop reports, so I advised them via their web page. Not the brightest crayons in the world. I just replied "What you do or don't is fine by me". I of course, unknown to them, also reported the issue to the USA Feds, who are hot on issues like this!

http://www.missingkids.com/CybertipLine

"In partnership with the FBI, Immigration and Customs Enforcement, U.S. Postal Inspection Service, U.S. Secret Service, military criminal investigative organizations, U.S. Department of Justice, Internet Crimes Against Children Task Force program, as well as other state and local law enforcement agencies."

In Australia the police advertise all child porn raids; the computers, servers etc. are taken and those under suspicion have their photos in the local paper (not a good idea to not take it seriously).


petzl, thanks for the missingkids link. Although it has been a while since I spotted spam of that type, that is a good link to have.

Except for the flood of misdirected bounces, I've been getting mostly pump-'n'-dump stock stuff, with spikes of "replacement windows", party drugs, and links to hacker sites.

Have not seen any Rx spam since the sting in July.

Anyway, thanks for the moral support. Yesterday was an unusually heavy day, 2K+ bounces, without actually counting. Even quick reporting, 20 at a time, takes a while on a VSAT link.


So, this bounce business with your domain(s) has been going on concurrently with a "perfect storm" of NDRs hitting CESmail/spamcop e-mail accounts [1], and perhaps (just maybe) some rogue/compromised accounts in those domains in the mix as well (that question currently under investigation by both reporting and e-mail sides of SpamCop [2]).

[1] http://forum.spamcop.net/forums/index.php?...ost&p=85352
    http://forum.spamcop.net/forums/index.php?...amp;#entry85354

[2] http://forum.spamcop.net/forums/index.php?...c=13418&hl=

Joining the dots and recalling your original question ("do the .ru ISPs really care?") either the sods are complicit in this "bounce attack" business (and presumably not just the .ru TLDs) or someone is relying on their archaic and incorrect bounce process to deal out hurt to select domains. Either way, good cause for those that can to report them if it is going to feed to SCbl or at least put a little more load back their way and leave them trying to figure out what is significant and what might be not. Spare a thought for CESmail, dealing with many hundreds of thousands compared to your thousands ... :blink:

Or it's all just the by-product of a MONUMENTAL increase in botnet spam (not exactly sticking out in http://www.senderbase.org/static/spam#tab=1 yet, but if increases are (also) being focussed, that would make +46% in the past few days quite epic).

(Is it just me or are others bewildered by the plethora of new "update" topics in the SpamCop Email System & Accounts section? Initiated by Staff, even so the urge to merge grows minute by minute ...)

<snip>

(Is it just me or are others bewildered by the plethora of new "update" topics in the SpamCop Email System & Accounts section? Initiated by Staff, even so the urge to merge grows minute by minute ...)

...It's not just you! I had the same urge but suppressed it, remembering earlier admonitions to not touch SpamCop admin posts.


Interesting links, Farelf. Being that I do not use CESmail/spamcop mail/accounts, I wonder how/why I got sucked into the deluge.

It does seem to have tapered off, at this point.


Interesting links, Farelf. Being that I do not use CESmail/spamcop mail/accounts, I wonder how/why I got sucked into the deluge. ...

I guess it shows SC was not the only target - though there is little/no commentary from the internet generally. Or you might have upset someone with access to a handy botnet. Hard not to be paranoid at times. As we speak, GorillaServers in scenic Los Angeles has been pinging my modem non-stop every three seconds for the past 3 hours. I may return the favour if they keep it up. Or I might have a cup of tea, a Bex powder and a good lie down.


"Or you might have upset someone with access to a handy botnet."

A personality trait :P

