emanmb

Reply From Spammer or Victim?


I can't figure out if 2 emails today are spam or not.

I fwd spam to SC, knujon, uce.gov and phishing-report[at]us-cert.gov. Occasionally, actually rarely, I'll get an email from an abuse dept. thru SC saying something like this:

"Thank you for submitting your abuse complaint. One of our support engineers has picked it up and assigned it to the customer in question and it will be resolved as soon as possible.

Thanks so much,

DigitalOcean"

Today I got an email in my spam folder from 2 different addresses with the same subject, "Email spam for malekal.com"

The message in both emails says:

These spam emails are sent from a botnet (check the mail headers), I'm not responsible for these spam emails.

Someone is probably trying to get the site blacklisted or to give it a bad reputation (this is called "a Joe Job", see: http://blog.dynamoo.com/2013/08/malekalcom-joe-job.html)

The one responsible is "Reveton Guy", trying to get revenge after a mass shutdown of their malvertising:

http://www.malekal.com/2013/07/30/en-juicyads-reveton-malvertising/

http://www.malekal.com/2013/07/28/en-plugrush-reveton-malvertising/

http://www.malekal.com/2013/07/26/en-reveton-adxpansion-com-malvertising/

On August 11, they tried to get my website blacklisted using a hacked website:

http://www.malekal.com/2013/08/12/en-reveton-go-now-by-hacked-website/

Just wondering if I should report this or if it's a legit complaint, BUT I think my answer is, since these 2 emails DID NOT come thru the SC system, they are probably spam.

In any case, wondering what the pros here think of this. The message here I cut and pasted, and the links are not necessarily accurate as they are disabled in the Yahoo spam folder, fyi.

Eric

[edit] links broken anyway - Members don't paste links (even if you think they're already disabled), refer to the "Help" link just below the server statistics graphic at the top right of each and every page, the very first topic under that section. The (former) links above all respond to contact on port 80 and pasting unknown or suspect links in public to an anti-spam site is just about the last thing you want to do - the second last thing you want to do is to post ANY link "here" without considering the consequences most carefully.

Edited by Farelf


It's spam! Please remove the links. The abuse address for "blogs" bounces; the other is OVH.net, who to my knowledge never read abuse reports.

Also, a reply to a SpamCop report would have a report ID in the subject line, like "id:5981005803"

I'm getting this spam all the time

http://www.spamcop.net/sc?id=z5549961495z8...15730ab4fbf971z

Edited by petzl


I have gotten a number of these messages as well. They appear to be "Joe Jobs," (spam made to look as though it came from someone else, someone that the real sender wishes to harass or damage). Apparently there is a "joe job for hire" service operating these days that sends spam to known complainers (like us) precisely so that the websites named get reported.

I usually just report the mail source in such cases, and leave off reporting the website (not because the website is lily-white innocent, but because they probably didn't send the spam). In the case you mention above, it appears that the malekal.com website is innocent.

If you get spam promoting clearly illegal activities (child porn, "carding," etc.) and it names a website directly, it's a safe bet that the spam is a Joe Job.

-- rick


I have gotten a number of these messages as well.

...

In the case you mention above, it appears that the malekal.com website is innocent.

Yes, 6 this morning, several last week. All sent to bad mailboxes [at] my domain. I'm not so sure how innocent malekal[dot]com is.

http://www.spamcop.net/sc?id=z5550185812zc...c10b6352cbc7fez

"ISP does not wish to receive report regarding http://www.malekal.com"

It would seem to me, IMHO, that if they are white hats fighting malware as the blog claims, someone needs to bring to their attention that their parsing of email headers needs some work.

If in fact they are the victim of a joe-job, telling me that a mailbox in my domain was forged doesn't do any good.

[edit] {sigh}

Edited by Farelf


I'll restrict my definition of "innocent" to mean that they probably did not send the spam. Obviously I can't vouch for any other activities. I'm a little ticked at being recruited by crooks to help them make money by sending possibly spurious reports, so rather than have to investigate the websites in detail I have decided to just not report them if they look like Joe Jobs.

-- rick


I'm a little ticked at being recruited by crooks to help them make money by sending possibly spurious reports,

-- rick

I would agree; however, unless I'm missing something, as a result of the emails I received similar to the OP's, the reports I'm causing are NOT going to the "victim" but to where SpamCop thinks the email (spam) came from, for example places like:

abuse[at]kornet.net

nw_pdsn[at]mtsindia.in

No reporting addresses found for 31.163.50.69, using devnull for tracking.

abuse[at]rr.com

postmaster[at]hinet.net

abuse[at]rr.com

None of those from today's collection look anything like the resolved links in the body of the emails (spam). And as you said Rick, I already spent more time on these 6 than on the rest of the ~400 reports today.


I think we are in violent agreement.

The crooks are the ones sending the e-mail from whatever botnet they have (hence all the different reporting addresses you see). They appear to have acquired lists of known spam complainers, and they've hit on a clever way to "monetize" these lists.

Apparently they offer to send Joe Job spam for other crooks who want to make trouble for their competitors or enemies, and by sending them to the spam haters they figure they will make more trouble for the victim. The "victim" (innocent or no) is the webmaster whose site is named in the spam. Most of the spam I get now seems to be of this variety.

Accordingly, I choose to report the spam sources but NOT the website addresses that appear in the body.

Breaking news: Looking at http:// blog.dynamoo.com/2013/08/malekalcom-joe-job-part-ii.html (link is munged) I see that the OP's message seems to be a second level of Joe-Job recursion, in which new spam is being sent from a botnet to declare innocence of the old spam. Never seen this before! In any case, it is all spam, and it is safe to report the spam source, and strictly optional (for me) to report the web links.

-- rick


Just don't automatically think these sites are innocent either.

This site distributes malware and the "carding forum" writes it (looks for credit card numbers and reports back)!

All of the botnet spam I'm getting is written in Cyrillic (Russian) and identified as such by SC email, which stamps it "Blacklist", meaning the server handshake is in Russian. For some reason it is bypassing the Greylist, so it is whitelisted, not challenged? It does just get dumped in my spam folder, but it is in the 1000's daily and growing as the botnet spreads.

The immediate fix for this botnet is to just change their account password, as the existing one has been hacked, allowing malware to then be installed on the computer. Then do a malware scan.


I think they are innocent of sending me spam. Of their other sins, I know not.

Do you mean that the malekal site mentioned in the OP's post is distributing malware? I've been there a couple of times (with my Mac) and saw nothing of concern.

-- rick


They appear to have acquired lists of known spam complainers, and they've hit on a clever way to "monetize" these lists.

You seem to be right about that. They have finally zeroed in on a good mailbox in my domain. Makes no difference, one spam folder is as good as another.


Yeah, I just found two messages of the kind posted by the OP when I fired up the computer this morning. Oh well, grist for the mill...

-- rick


I think they are innocent of sending me spam. Of their other sins, I know not.

Do you mean that the malekal site mentioned in the OP's post is distributing malware? I've been there a couple of times (with my Mac) and saw nothing of concern.

-- rick

Yes, I had a look at the non-English site myself, and just the "com" address is a "forum" about malware.

This is a post from someone saying they run the carding site and are being blackmailed by a spammer?

http://forum.spamcop.net/forums/index.php?...amp;#entry85045


[ snip ]

All of the Botnet spam I'm getting are written in Cyrillic (Russian) and identified as such by SC email which stamps it "Blacklist" meaning the server handshake is in Russian.

No, it just means Spamcop mail detected Koi8-r in the header. Thus even a Pop'd email can be blocked.

(My file notes from 2008).


Not ever shown in headers?

It seems to be detected on "handshake" by server.

SC stamps it if you have "Block Russian" checked on the filter:

X-SpamCop-Disposition: Blacklist

http://www.spamcop.net/sc?id=z5551450482ze...74235c77d6e485z

Botnet

http://cbl.abuseat.org/lookup.cgi?ip=185.23.12.8
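Rick's point above (report the host that injected the mail, not the site named in the body) and petzl's two checks (a genuine SpamCop reply carries "id:..." in the Subject; the Koi8-r charset behind the Blacklist stamp), pulled together as one added Python example. This is not code from the thread or from SpamCop; the sample message, the example.net/example.org names, the documentation-range IPs and the list of trusted relays are all constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlsplit

# Constructed sample (not a real message from the thread). The host that
# injected the mail into our MX (203.0.113.77, a documentation-range address)
# is the report target; the URLs in the body only name the framed site.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id abc123; Mon, 19 Aug 2013 08:01:02 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mx.example.net with SMTP; Mon, 19 Aug 2013 08:01:01 +0000
From: "support" <noreply@example.org>
To: complainer@example.net
Subject: Email spam for framed-site.example
Content-Type: text/plain; charset="koi8-r"

These spam emails are sent from a botnet, I'm not responsible.
See http://framed-site.example/not-guilty and http://other.example/x
"""

# Assumption: these are our own MTAs, so their Received lines are trusted.
TRUSTED_HOSTS = {"mail.example.net", "mx.example.net"}

RECEIVED_FROM = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL = re.compile(r"https?://[^\s<>\"')]+")
SPAMCOP_ID = re.compile(r"\bid:\d+\b")  # a real SpamCop reply carries this


def originating_ip(msg: Message, trusted=TRUSTED_HOSTS):
    """Walk Received headers newest-first; the first hop handed to us by a
    host that is not one of our own relays is the injection point."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(hdr)
        if not m:
            continue
        helo, comment = m.group(1).strip("[]").lower(), m.group(2) or ""
        if helo in trusted:
            continue
        ip = IPV4.search(comment) or IPV4.search(helo)
        return ip.group(1) if ip else None
    return None


def triage(raw: str) -> dict:
    """Separate what to report (the injecting IP) from what merely appears
    in the body (URLs), and flag the two other signals from the thread."""
    msg = message_from_string(raw)
    charset = (msg.get_content_charset() or "ascii").lower()
    body = msg.get_payload(decode=True).decode(charset, "replace")
    hosts = [urlsplit(u).hostname for u in URL.findall(body)]
    return {
        "report_target_ip": originating_ip(msg),
        "body_hosts": hosts,            # named in the spam, not necessarily guilty
        "spamcop_reply": bool(SPAMCOP_ID.search(msg.get("Subject", ""))),
        "koi8r_charset": charset == "koi8-r",   # the Cyrillic signal discussed above
    }
```

Calling `triage(SAMPLE)` reports the injecting IP as the thing to complain about and lists the body hosts separately, so a Joe-Jobbed site is not reported just for being named.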


Thanks to everyone who posted about this. I just started receiving these today, and it was very helpful to be able to find out more.

I found it interesting that the blog post actually says:

If you are getting these, it is because you have been flagged up via a "reverse listwashing" process as somebody who is likely to complain about spam. Reporting the originating IP of the spam email would probably be helpful, reporting malekal.com on the other hand will only help the bad guys to remove a useful resource.

Also that two people have commented on the blog post saying that malekal is a malware site not a useful resource, but whoever created the blog didn't even bother to come back and remove the comments. IMHO, that makes the blogger even less believable.

Last but not least, I do NOT recommend visiting the sites listed in these emails unless you have a very secure setup. When curiosity compels me to check such things, I do so from a read-only Linux system. It froze for the first time ever, which I can only assume was some kind of malware trying to get in. Point being, don't go there unless you're sure you can do it without putting your computer at risk.


Just don't believe or trust ANYTHING in spam.

Best defense is attack: report all spam.

I think these "Carders" and malware forums get into spats with each other, hence the flood of botnet spam.

It's so easy to pick up Trojans/malware that it's a good idea to change passwords often (monthly).


Good point not to trust anything in spam. The only reasons I look into them is to try to avoid reporting anything that isn't really spam, and a serious case of curiosity killed the cat. For example, with the links in the emails that started this thread, I had my answer by the time I finished reading here, but curiosity compelled me to see that blog for myself.

They can spat all they want, but it seems to me their botnet would last longer if they didn't send their junk to those of us who've been reporting spam for years. That is, unless things have got to the point where their botnet consists of users who can't keep their system clean and ISPs who don't do anything when they get reports. That's fine though. I might think something was broken if I logged on in the morning and didn't have half a dozen spams to report. :)

Yes changing passwords on a regular basis is a good idea. You probably already know this, but in case it will get read by anyone who may not: Also don't use the same password on multiple sites (especially important ones) in case one password gets compromised.


"but it seems to me their botnet would last longer if they didn't send their junk to those of us who've been reporting spam for years."

Spammers are dumb. In this case they attract attention and go to jail, a Russian one :D I reckon you can buy a cheap kidney there.


Well right now I'm not feeling too smart. How could I forget all the spammer foolishness I've seen over the years? I'm sure there's plenty more I missed not keeping up with the SpamCop forums as much as I would have liked to.


The forum died a fair bit since it became a web-forum

Occasionally I get fooled by spam looking legit so you are not alone

But I've ALWAYS reported criminals never sure if it gets acted on (I did and do to the Ukraine about their Botnet :excl: )

SpamCop will also post reports to interested parties so not a good idea to get reported

Edited by petzl


Yeah I liked the newsgroups, but never was that good at keeping up with them. I'm finally getting used to having to log into a website instead of just using a newsreader. :) I do really like the fact I can set it to email me when a new post is added to a topic I'm interested in. I'm sure I still miss a lot, but at least I don't miss replies to those topics like I might have before. Anyway I'm probably going off topic for this thread...

It sounds like we've established that it's sometimes not easy, but we mustn't let spammers fool us. Maybe I'm dreaming, but I still hope that between those of us who report it and those that just filter it out, things reach a point where it's not worth their effort to even send spam.


things reach a point where it's not worth their effort to even send spam.

Dream on. Their business model is based on the reality that 'a sucker is born every minute.' The supply of new fools is endless. If I remember correctly, Einstein noted that there is an upper limit to how smart a person can be. There is no limit to how dumb.


That reminds me of the Peter Principle: people tend to rise to their level of incompetence.
