How do you stop a spammer who has his own IP and is spamming from his own server

[Cutsnake88]

I have been getting spammed by the same jerk for about a year now. He's been rubbed out of three hosts, that I know of - most recently iWeb. He has now secured his own IP address for his company and is spamming with impunity.

How do we stop a spammer who owns his own server? I have been reporting him to CERT India, but it continues unabated.

Company: Brainpulse

Nameserver: indianemailmarketers.co.in

Owner: Tarun Gupta

Address:

A-4 sector 27

Noida

Uttar Pradesh 201301

India

Phone:+91.1204730400

Email: support[at]brainpulse.com

[petzl]

I have been getting spammed by the same jerk for about a year now. He's been rubbed out of three hosts, that I know of - most recently iWeb. He has now secured his own IP address for his company and is spamming with impunity.

How do we stop a spammer who owns his own server? I have been reporting him to CERT India, but it continues unabated.

Would clue "us" in better if you included a tracking URL or even IP

Top of the SpamCop report page is tracking URL

SpamCop v 4.8.1.007 © 2013 Cisco Systems, Inc. All rights reserved.

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5625210793z9...aa37d48c0f0962z

[turetzsr]

<snip>

How do we stop a spammer

<snip>

...The short answer is that we can't, any more than we can stop any other kind of criminal behavior outside of our direct reach. Only law enforcement agencies have any hope of doing that and they tend to show no interest unless it is clear either that financial damages have exceeded a certain threshold or harmed the agency or an important member.

[petzl]

...The short answer is that we can't, any more than we can stop any other kind of criminal behavior outside of our direct reach. Only law enforcement agencies have any hope of doing that and they tend to show no interest unless it is clear either that financial damages have exceeded a certain threshold or harmed the agency or an important member.

I can't fid any reports made?
Parsing input: 223.130.5.34
No recent reports, no history available
abusgestion[at]iweb.com
Administrator interested in all reports

The actual listed abuse address is

network[at]brainpulse.com

Their

website (email marketing)

http://www.shooturmail.com/contact-us.html

would like to see headers

Live link to supposed spammer removed. Don't give these people oxygen (indexable back links), please!

[Cutsnake88]

I can't fid any reports made?
Parsing input: 223.130.5.34
No recent reports, no history available
abusgestion[at]iweb.com
Administrator interested in all reports

The actual listed abuse address is

network[at]brainpulse.com

Their

website (email marketing)

http://www.shooturmail.com/contact-us.html

would like to see headers

Brainpulse.com is the website of the company doing the spamming, so you're essentially reporting the spam to the spammer, thus confirming your email address.

I have been reporting it to incident[at]cert-in.org.in, but clearly they don't give a damn.

The most recent Spamcop reports were just now:

Submitted: 11/14/2013 12:03:19 PM +1100:

Increase your Website or products Sale within 12 weeks

6032781074 ( z_User_Notification ) To: incident[at]cert-in.org.in

6032781073 ( 223.130.4.87 ) To: abusgestion[at]iweb.com

I know iWeb isn't the host anymore - they booted him. That's why I asked the question.

Header of the most recent report:

Return-Path: <ask[at]hostbirds.co.in>

Received: from sm17.indianemailmarketers.co.in (sm17.indianemailmarketers.co.in [223.130.4.87]) by mail.wildchildweb.com with SMTP;

Wed, 13 Nov 2013 20:23:56 +1100

Received: from WS68 (unknown [192.168.0.68])

by host.indianemailmarketers.co.in (Postfix) with ESMTPA id 6CF971F385FA

for <admin[at]powersponsorship.com>; Wed, 13 Nov 2013 13:31:49 +0530 (IST)

From: "Sarah Blake" <ask[at]hostbirds.co.in>

To: <admin[at]powersponsorship.com>

Subject: Increase your Website or products Sale within 12 weeks

Date: Wed, 13 Nov 2013 14:35:54 +0530

Message-ID: <45f401cee04f$8fdb5f80$af921e80$[at]hostbirds.co.in>

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_45F5_01CEE07D.A9960C80"

X-Mailer: Microsoft Outlook 14.0

Thread-Index: Ac7gT40/oIE9sZgwQi2/3Pru0kabXQ==

Content-Language: en-us

X-SmarterMail-spam: SPF_Pass, SpamCop, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, Custom Rules [scam:60]

X-SmarterMail-TotalSpamWeight: 67

[petzl]

Brainpulse.com is the website of the company doing the spamming, so you're essentially reporting the spam to the spammer, thus confirming your email address.

I have been reporting it to incident[at]cert-in.org.in, but clearly they don't give a damn.

Cert-in seem your best bet

I would include in notes

Turn the heat up?

IP: 223.130.4.87  network[at]brainpulse.com
spam crime gang
"unsubscribes" don't work just worsen their attack
http://spamcop.net/w3m?action=checkblock&ip=223.130.4.87
Other hosts in this "neighborhood" with spam reports
223.130.4.81 223.130.4.82 223.130.4.83 223.130.4.84 223.130.4.86 223.130.4.88 223.130.4.89 223.130.4.90 223.130.5.2 223.130.5.3 223.130.5.4 223.130.5.5 223.130.5.7 223.130.5.17 223.130.5.18 223.130.5.30

[Cutsnake88]

Cert-in seem your best bet

I would include in notes

Turn the heat up?

IP: 223.130.4.87  network[at]brainpulse.com
spam crime gang
"unsubscribes" don't work just worsen their attack
http://spamcop.net/w3m?action=checkblock&ip=223.130.4.87
Other hosts in this "neighborhood" with spam reports
223.130.4.81 223.130.4.82 223.130.4.83 223.130.4.84 223.130.4.86 223.130.4.88 223.130.4.89 223.130.4.90 223.130.5.2 223.130.5.3 223.130.5.4 223.130.5.5 223.130.5.7 223.130.5.17 223.130.5.18 223.130.5.30

Great idea. Thank you very much.

[petzl]

Great idea. Thank you very much.

Getting bombed by india myself mainly stock "recommendations

Cert India are proving useless so gave their email and every other Indian governments email address to spammer"

In all probability the spammer may not be Indian the links go to phising sites in US of A

Which you report here

http://www.google.com/safebrowsing/report_phish/Captcha

If looking at spam sites you need to heighten browser security

example

on Firefox I have Java on ask and a good free "Add-on" is

https://adblockplus.org/en/firefox

Do security scans regularly

[Cutsnake88]

UPDATE

I actually got an email back from CERT India! (Never thought that would happen!)

They said they were taking action against Brainpulse, the Noida IN-based owner of the spam server. Lo and behold, the spam has stopped... at least for now.

[Farelf]

Very well done!

[petzl]

Very well done!

Yes mine seem to of stopped as well

http://www.spamcop.net/sc?id=z5631827269z8...1048dc0d59492cz

[Cutsnake88]

The reporting address for these people has now been updated on Spamcop to be network[at]brainpulse.com. In other words, spam reports are going to the spammer - confirming all of our email addresses are live.

Spamcop is not reporting to CERT-India (incident[at]cert-in.org.in, although I've been adding that to the reports, along with the "spam Crime Gang" wording suggested above.

Screenshot: http://screencast.com/t/wjx3aBMZI5

CERT India actually did email me back a few weeks ago and said they were taking action, but nothing has happened and they're still spamming.

The nameserver is indianemailmarketers.co.in.

Now what?

[turetzsr]

<snip>

In other words, spam reports are going to the spammer - confirming all of our email addresses are live.

<snip>

...Generally, not so! SpamCop attempts to "munge" your e-mail address, unless you tell it to not do so or it misses a place where it appears, as it sometimes does. See the last paragraph of SCWiki entry "Mung / Munge / Obfuscate."

[petzl]

The reporting address for these people has now been updated on Spamcop to be network[at]brainpulse.com. In other words, spam reports are going to the spammer - confirming all of our email addresses are live.

Spamcop is not reporting to CERT-India (incident[at]cert-in.org.in, although I've been adding that to the reports, along with the "spam Crime Gang" wording suggested above.

Screenshot: http://screencast.com/t/wjx3aBMZI5

CERT India actually did email me back a few weeks ago and said they were taking action, but nothing has happened and they're still spamming.

The nameserver is indianemailmarketers.co.in.

Now what?

Has there been a resurrection of spam from India?

Not yet getting it

Getting a lot of "Hard Drive drive encryption sites"

Screen capture showing Splash page image

https://dl.dropboxusercontent.com/u/50667687/MAL04.jpg

[Cutsnake88]

...Generally, not so! SpamCop attempts to "munge" your e-mail address, unless you tell it to not do so or it misses a place where it appears, as it sometimes does. See the last paragraph of SCWiki entry "Mung / Munge / Obfuscate."

If the spammer is also the server admin, it would be easy to trace the original email using the email ID etc in the header. I have to assume that information - added by the originating server on the way out - wouldn't be munged, allowing reputable ISPs to track spammer activity and complaints.

If that's the case, munging the email and other ID stuff included in the original email doesn't help when the spammer is also the server admin.

[turetzsr]

<snip>

If the spammer is also the server admin, it would be easy to trace the original email using the email ID etc in the header. I have to assume that information - added by the originating server on the way out - wouldn't be munged, allowing reputable ISPs to track spammer activity and complaints.

<snip>

...And your assumption, while reasonable, would be wrong. <g>

...But you don't have to take my word for it, just click the "Preview Reports" button after parsing; if you don't like what you see, click the "Cancel" button. If you are so inclined, you can re-submit, first editing the internet header to remove the offending content, provided that you change only the information that identifies you, personally, not any IP addresses or other header information that the parser uses to find the spam source (and replace the edited-out information with a comment that indicates that you made the edit). The only remaining concern would be that the spammer may have hidden some information in the spam internet header or the spam body that you could not recognize as identifying your e-mail address. If you fear that might be the case then, yes, you should uncheck all the boxes next to the abuse addresses for the spam source to which SpamCop offers to send the complaint, then click the (now mislabeled) "Send spam Report(s) Now" button, which will submit the information only to the statistics database used by SpamCop to determine whether a spam source should be included on the SpamCop blacklist.

[Cutsnake88]

...And your assumption, while reasonable, would be wrong. <g>

Ah, well... I've been wrong before!

I've got so I know many of the tracking IDs embedded in the body of my repeated spammers and mung those myself. That's a sad state of affairs, really!

[turetzsr]

Ah, well... I've been wrong before!

<snip>

...And I strongly resemble that remark, m'self! <g>

[petzl]

If the spammer is also the server admin, it would be easy to trace the original email using the email ID etc in the header. I have to assume that information - added by the originating server on the way out - wouldn't be munged, allowing reputable ISPs to track spammer activity and complaints.

If that's the case, munging the email and other ID stuff included in the original email doesn't help when the spammer is also the server admin.

Police in India say they have arrested six foreign nationals suspected

http://www.bbc.co.uk/news/technology-16392960