salamandir

leaseweb is allowing people to send spam, but their reporting addresses are disabled

now i'm getting the following message when LARTing "spamtool [at] eu.level3.net"

>>> 550 Invalid recipient

my guess is that they don't want to receive spam reports at this address any longer... :angry:

Include "certbund [ AT ] bsi.bund.de"

In report also include the fact that abuse address bounces and "unsubscribe" link increase attacks simply confirms email address

http://www.first.org/members/teams/cert-bund

Include "certbund [ AT ] bsi.bund.de"

certbund [AT] bsi.bun.de gets /dev/null'ed...

/dev/null'ing report for certbund#bsi.bund.de[at]devnull.spamcop.net

also, in a completely separate spam report that i submitted today, i got the following information:

i'm assuming that this is the same address... but why is it recommended for a manual LART if it bounces when i send automated ones?

As LeaseWeb are based in Netherlands send abuse reports to

https://www.ncsc.nl/english/organisation/contact

"Outside office hours, for emergencies you may contact NCSC: cert [ AT ] ncsc.nl. "

Been having trouble with a Brazil spam crime gang who have been with them some time

Include any listed links to CBL or PBL these can be got by clicking link to Sender base

http://mailsc.spamcop.net/bl.shtml (SC email users)

non

http://spamcop.net/bl.shtml

As LeaseWeb are based in Netherlands send abuse reports to

https://www.ncsc.nl/english/organisation/contact

"Outside office hours, for emergencies you may contact NCSC: cert [ AT ] ncsc.nl. "

Been having trouble with a Brazil spam crime gang who have been with them some time

Include any listed links to CBL or PBL these can be got by clicking link to Sender base

http://mailsc.spamcop.net/bl.shtml (SC email users)

non

http://spamcop.net/bl.shtml

For spam sent from a server in the Netherlands, you could also use the official spam reporting site of the Dutch Government: https://www.spamklacht.nl/klacht-indienen/klachtformulier/ (and use Google Translate to translate)

Edited by Leon

For spam sent from a server in the Netherlands, you could also use the official spam reporting site of the Dutch Government: https://www.spamklacht.nl/klacht-indienen/klachtformulier/ (and use Google Translate to translate)

Thanks the Brazil attacks dried up after I contacted cert Netherlands (they contacted me)

i don't have to send LARTs myself all the time, just some of the time...

frequently i get an email that i can send from spamcop without any problem, but sometimes i get "Reports disabled for abuse[at]leaseweb.de... Nothing to do." instead, and these have been the ones that i'm LARTing manually.

occasionally, i get a response from security.feedback [at] level3.com or abusedesk [at] leaseweb.com that says they're looking into it, but nothing else ever happens, and i continue to get spam from leaseweb about which spamcop tells me there's nothing to do...

i would really like to find an email address to which i can send LARTs that will get the job done, rather than assuring me they're on the job, and then go back to sleep... :huh:

sometimes i get "Reports disabled for abuse[at]leaseweb.de... Nothing to do."

...

i would really like to find an email address to which i can send LARTs that will get the job done, rather than assuring me they're on the job, and then go back to sleep... :huh:

Are you sure? When reports are disabled the message should be something like "Reports sent to abusedesk#leaseweb.com[at]devnul for statistical recording" or similar, which is very different to "nothing to do". That devnul business would indicate that SC continues to execute its main game, which is to "feed" the blocklist, even if the responsible abuse desk doesn't want to know or is spam-supportive or bounces reports, etc.

Yes it would be good to find an effective address - if level3 are not taking note I suspect there's not much more can be done (other than to keep them in the loop to ensure no deniability on their part). Maybe they're a bit like the FCC, they maybe save it up until some critical event or point is reached. They're not going to compromise "commerce" and revenue-streams without a huge prod.

Are you sure? When reports are disabled the message should be something like "Reports sent to abusedesk#leaseweb.com[at]devnul for statistical recording" or similar, which is very different to "nothing to do". That devnul business would indicate that SC continues to execute its main game, which is to "feed" the blocklist, even if the responsible abuse desk doesn't want to know or is spam-supportive or bounces reports, etc.

Yes it would be good to find an effective address - if level3 are not taking note I suspect there's not much more can be done (other than to keep them in the loop to ensure no deniability on their part). Maybe they're a bit like the FCC, they maybe save it up until some critical event or point is reached. They're not going to compromise "commerce" and revenue-streams without a huge prod.

You can just forward spam as attachment to that abuse address same as for spam[at]uce.gov

include any other info in letter

Some want evidence and no chance of altered headers

Are you sure?

yes. when it said "Reports disabled for abuse[at]leaseweb.de... Nothing to do." i copied it and pasted it here. if it had said something else, i would have pasted something different.

and i don't get "Nothing to do." all the time, just some of the time. when i don't get it, i let spamcop do the reporting. when i do get it, that's when i LART manually.

I haven't seen "nothing to do" in a while, but I seem to recall it showed up when all possible abuse addresses for a given report were /dev/null'd.

If there was a single working address for any section of the report, then you would see the "statistical tracking" message.

My sense is that it is a bug.

yes. when it said "Reports disabled for abuse[at]leaseweb.de... Nothing to do." i copied it and pasted it here. if it had said something else, i would have pasted something different. ...
Thanks for the confirmation, thanks too, techie. Sorry to query - it is easy to be a little muddled about the precise circumstance and sequencing of these things but copying and pasting the actual lines resolves any doubt about that!

When 'nothing to do' is encountered it is usually in the context that there is no parser analysis session, I think (I'm not sure) - so no Tracking URL to copy while the parser instance is still 'live'. I guess these would be the same? And no Report ID recorded in Past Reports. That would make the forensics/replication for SC staff pretty difficult, yet it sounds like something they might wish to pursue - as techie says, it smacks of a bug in the code. In effect, an inconsistent one from the sound, which is disturbing.

The inconsistency could be down to just a subset of the machines doing the parsing (almost never a factor but stranger things have happened). In which case resubmission might produce a different result (a probability, not a certainty, if that were the case). At least in those cases where the parse happens it would be possible to record the successful machine(s), if you were interested. The 'page source' for a parse result shows something like one of the following comment lines, in the second top-most line:

<!-- SpamCop::Web::Look $Revision: #17 $ produced by prod-sc-www3 -->
<!-- SpamCop::Web::Look $Revision: #17 $ produced by prod-sc-www2 -->
<!-- SpamCop::Web::Look $Revision: #17 $ produced by prod-sc-www1 -->

Oh well, if they're interested/concerned no doubt they'll contact you for your help.

I have made the suggestion several times in the past, but I will make it again.

Spamcop obviously knows which sites are refusing spamcop reports, for whatever reason, since they are reporting it as part of the parsing process. I would like to see that data made available as an extension of the spamcop bl. For starters, I would have a class for sites that feed data direct to spammers, or otherwise support spammers, another for sites where all the addresses are bouncing, and another for administrative refusal to accept reports. Use a different return code for each class, so you can decide which sites you want to refuse mail from, and what type of status code you want to return to the sender.

I mostly use spamcop as a feedback loop, as I see relatively little spam actually blocked by spamcop. Most is already blocked by one of the other bl's or sanity checks that I use on my server, including an ever growing local blocklist.

If I notice a site sending excessive spam, and spamcop shows reports disabled for that site, that site/ip block generally finds its way into my local bl in short order. I treat my local bl as a spammer (roach) motel, with infinite capacity, and a write once register. IP blocks check in, and never check out. If the IP range looks like it is used for dynamic assignments, then the whole range is added. If the provider appears to be ignoring spam in general, the entire range is added. If the range is assigned to an entity in certain countries, the entire range is entered... you get the picture... I block China and Korea on principle, as well as several of the large European ISPs and hosting providers. I also sanity check for valid domain names, and valid and matching reverse DNS.

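A sketch of the write-once local blocklist and the matching reverse-DNS sanity check described in the post above, as an added example that is not part of the original post or any poster's server configuration. The class and function names, the SMTP reply strings and the sample DNS data are assumptions made for illustration; DNS lookups are passed in as functions so the check runs offline.

```python
import ipaddress
import re

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

class LocalBlocklist:
    """Write-once blocklist: ranges check in and never check out (no remove method)."""
    def __init__(self):
        self._nets = []

    def add(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        if any(n.version == net.version and net.subnet_of(n) for n in self._nets):
            return  # already covered by an equal or wider entry
        # A wider range swallows the narrower entries it contains.
        self._nets = [n for n in self._nets
                      if n.version != net.version or not n.subnet_of(net)]
        self._nets.append(net)

    def networks(self):
        return sorted(str(n) for n in self._nets)

    def blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self._nets)

def valid_hostname(name):
    name = name.rstrip(".").lower()
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def fcrdns_ok(ip, ptr_lookup, a_lookup):
    """True if some valid PTR name for ip resolves forward to the same ip."""
    return any(valid_hostname(n) and ip in a_lookup(n) for n in ptr_lookup(ip))

def smtp_decision(ip, blocklist, ptr_lookup, a_lookup):
    if blocklist.blocked(ip):
        return "554 rejected: listed in local blocklist"
    if not fcrdns_ok(ip, ptr_lookup, a_lookup):
        return "450 rejected: missing or mismatched reverse DNS"
    return "250 accepted"

# Constructed sample DNS data (documentation address ranges, not real senders).
PTR = {"198.51.100.5": ["mail.example.org"], "203.0.113.9": ["host.example.org"]}
A = {"mail.example.org": ["198.51.100.5"], "host.example.org": ["203.0.113.77"]}

def sample_ptr(ip):
    return PTR.get(ip, [])

def sample_a(name):
    return A.get(name, [])
```

Because there is no way to remove an entry, a range added by mistake stays blocked until the list is rebuilt, so the decision to widen a single address to a whole range deserves a manual look.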

http://www.spamcop.net/sc?id=z5944506286zd...fd95f8feebcd83z

another instance of leaseweb.de being responsible, but "nothing to do"...

i haven't seen one of these in a couple of months, but they're definitely still out there...

Brazil crime gang have again resigned up with them

You have to forward as attachment the spam to their address INCLUDE in To: line

"certbund [ AT ] bsi.bund.de" abuse[at]leaseweb.de

Both addresses together makes them get attention.

Subject: spam source: 46.165.253.195

in body include

SpamCop TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5944506286zd...fd95f8feebcd83z

Brazil spam crime gang using spam "friendly" hosts from all over the world

"unsubscribes" don't work just worsen their attack

*NEVER EVER SUBSCRIBED*

I don't even speak Portuguese

Edited by petzl

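The manual report format discussed in this thread (spam forwarded as an attachment so the recipient sees the original headers, source IP in the subject, tracking URL in the body, all abuse contacts on one To: line), as an added example that is not part of any post. The function names, every address, the tracking URL and the sample message are constructed placeholders.

```python
import ipaddress
from email import message_from_bytes, policy
from email.message import EmailMessage

def build_abuse_report(raw_spam, source_ip, tracking_url, sender, recipients):
    """Wrap the received spam in a message/rfc822 attachment instead of inlining it."""
    ipaddress.ip_address(source_ip)        # raises ValueError on a malformed IP
    report = EmailMessage()
    report["From"] = sender
    report["To"] = ", ".join(recipients)   # abuse desk and CERT together on one line
    report["Subject"] = f"spam source: {source_ip}"
    report.set_content(
        "Unsolicited mail from the address in the subject; never subscribed.\n"
        f"SpamCop tracking URL: {tracking_url}\n"
        "The original message, with full headers, is attached.\n")
    original = message_from_bytes(raw_spam, policy=policy.default)
    report.add_attachment(original)        # stored as a message/rfc822 part
    return report

def attached_original(report_bytes):
    """Recipient side: pull the attached message back out of the report."""
    parsed = message_from_bytes(report_bytes, policy=policy.default)
    for part in parsed.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None

# Constructed sample spam (documentation addresses, not a real message).
SAMPLE_SPAM = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.25])\n"
    b"\tby mx.example.org with SMTP; Fri, 10 Jan 2014 13:42:45 -0000\n"
    b"Message-ID: <constructed-1@example.net>\n"
    b"From: \"Promo\" <promo@example.net>\n"
    b"To: victim@example.org\n"
    b"Subject: Oferta\n"
    b"\n"
    b"Clique aqui\n")
```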
You have to forward as attachment the spam to their address INCLUDE in To: line

"certbund [ AT ] bsi.bund.de" abuse[at]leaseweb.de

when i have LARTed abuse[at]leaseweb.de and certbund[at]bsi.bund.de in the past, it has bounced. i currently have the following in the To: line:

technical[at]leaseweb.com, abusedeskl[at]easeweb.com, abuse[at]leaseweb.com, abuse[at]leaseweb.nl, abuse[at]eu.level3.net, cert[at]ncsc.nl

when i have LARTed abuse[at]leaseweb.de and certbund[at]bsi.bund.de in the past, it has bounced. i currently have the following in the To: line:

technical[at]leaseweb.com, abusedeskl[at]easeweb.com, abuse[at]leaseweb.com, abuse[at]leaseweb.nl, abuse[at]eu.level3.net, cert[at]ncsc.nl

Got a reply from both early in year?

Their abuse address is abuse[at]leaseweb.com

Abuse address not .NET

From - Sat Jan 11 07:52:57 2014
X-Account-Key: account1
X-UIDL: UID19499-1066456927
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:																				 
Return-Path: <www-data[at]ocom.com>
Delivered-To: spamcop-net-XXXXl[at]spamcUp.nUt
Received: (qmail 29939 invoked from network); 10 Jan 2014 13:42:50 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8
X-spam-Level: 
X-spam-Status: hits=0.0 tests=none version=3.2.4
Received: from unknown (192.168.1.108)
  by filter8.cesmail.net with QMQP; 10 Jan 2014 13:42:50 -0000
Received: from rt3.requesttracker.org (HELO rt36.requesttracker.org) (85.17.130.58)
  by mx71.cesmail.net with SMTP; 10 Jan 2014 13:42:45 -0000
Received: by rt36.requesttracker.org (Postfix, from userid 33)
	id BD6AC5F7C0; Fri, 10 Jan 2014 14:05:10 +0100 (CET)
Subject: [ts #3205442] Re: spam from Brazilian crime gang using you abuse[at]leaseweb.com as host  ip 85.17.249.245 
From: "LeaseWeb - Abuse Desk " <abusedesk[at]leaseweb.com>
Reply-To: abusedesk[at]leaseweb.com
In-Reply-To: 
References: <RT-Ticket-3205442[at]requesttracker>
Message-ID: <rt-3.6.5-14105-1389359110-391.3205442-14-0[at]requesttracker>
Precedence: bulk
X-RT-Loop-Prevention: ts
RT-Ticket: ts #3205442
To: XXXXl[at]spamcUp.nUt
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: utf-8
Date: Fri, 10 Jan 2014 14:05:10 +0100
X-SpamCop-Checked: 

===========================================================================
This is an automated e-mail informing you we received your abuse complaint.
===========================================================================

Your abuse complaint has been processed by an automated system. We have
notified our customer to handle the complaint according to the applicable
laws.

In case your complaint is not handled correctly or you would like human 
intervention, please reply to this e-mail and leave the subject intact. 

Kind regards,

LeaseWeb Netherlands B.V. - Abuse Desk

Edited by petzl
