mrbungle

UCE from 184.22.119.205 not resolved

The domain administrator has not done anything to stop the flow of UCE from 184.22.119.205. I have been flooded with dozens more messages today. I'm also seeing UCE from 184.22.119.204 now that also claims to have been resolved that I am betting have not.

The whois information for that IP can be found at URL:

http://www.networksolutions.com/whois/resu...=184.22.119.205

Just forward as attachment all spams to spam[at]uce.gov and nic[at]hostnoc.net

Also pays to include SpamCop tracking URL if possible like

http://www.spamcop.net/sc?id=z5816892251ze...191e36e2e7570bz

Like you, I see currently from SC "ISP believes this issue is resolved: 184.22.119.205 - no date available", not that I'm getting any of that spam in my inbox.

I don't see any SC member reports after 12 March 2014 ...

http://www.spamcop.net/w3m?action=map;mask...536;sort=ipsort (and go down to 184.22.119.0/24) indicates no "big picture" problems with the allocation - but does indicate mass-mailing hosts there. SenderBase is not so forgiving: http://www.senderbase.org/senderbase_queri...=184.22.119.205 with a "POOR" Email reputation and "Very High" spam volumes - but presumably masked by even higher legitimate mail volumes.

Very frustrating, but not destined for SCbl listing until you (and, necessarily, other reporters) consistently report it - or it hits SC spamtraps.

It is listed on other DNSBLs - http://multirbl.valli.org/dnsbl-lookup/184.22.119.205.html - with some of the more authoritative ones being Barracuda, SORBS and Spamhaus DBL. 184.22.119.205 is ns11.bluelightdeals.net but with no forward-reverse DNS match - which might limit the effectiveness of some detections and lookups. SenderScore.org gives that server a really lousy reputation score of just 8 (/100).

Hard to credit that any of the mail from 184.22.119.205 actually gets delivered anywhere with poor reputations and blocklist registrations. I guess bluelightdeals "solution" to the high rates of rejection and filtering is simply to pump out higher volumes.

Anyway, it should be easy to keep it out of your inbox - but don't just have it deleted, divert it and report it first.

It's being filtered with Spamassassin. I reported every one I received even though SpamCop kept telling me the issue has been resolved.

I am now dropping all traffic from those IPs to stop the flood.

pHil

Oh, I see (I think). I'm at cross-purposes. It's been ages since I've seen one of those untruthful "issue resolved" cases. Reaching back - when that happens the parser doesn't offer to send reports (and presumably doesn't add the instance to the stats for the IP address). BUT it (used to) each time offer the opportunity to appeal against the notation (with the stern injunction "experienced users only"). HAVE YOU APPEALED? - you are experienced.

That's the way to have it reviewed. As said, no reports registered since 12 March. If they're still coming after even just several days since then, that would be sufficient to show the mail admin responsible was either lying through his teeth or hopelessly over-optimistic. In either case I don't think SC admin/deputies will readily forgive him. It may take more than one reporter to appeal, I don't know (but don't think so - surely that's why the stipulation of experienced reporters?).

Steve

I have not appealed - didn't even realize that was an option. No longer seeing UCE from those IPs since I started dropping all traffic.

There is another untruthful issue resolved admin out there, so far for the IPs

109.236.89.232

109.236.89.233

109.236.89.235

109.236.89.236

109.236.89.238 => this one was today

They are all between 6M and 8M in size with embedded JPG images, so the reports get truncated due to size.

After resubmitting the UCE from today I see no option to appeal when the page refreshes to tell me the issue has been resolved. Am I looking in the wrong place?

There is another block of IPs that continue sending me UCE daily. The messages are between 5M and 8M with embedded JPG images, so the reports get truncated through the web GUI.

Every one I have reported claims the issue has been resolved. So far the IPs I am now dropping all traffic from are:

109.236.89.232

109.236.89.233

109.236.89.235

109.236.89.236

109.236.89.238 => from this IP today

Add another from today

109.236.89.21

Not yet showing up as issue resolved.

Better if you could show tracking URL

spammers are now using compromised email accounts

My Hotmail I get about 20 a day all compromised email accounts

IF the email server stamps the injection point they always are from Botnet attack hosts

This is tracking link from my SpamCop email

http://www.spamcop.net/sc?id=z5841572594zc...a7ab0b5a90da4bz

1.82.191.88 (Administrator of network where email originates)

But injection point is Botnet attack host

119.129.246.72

http://cbl.abuseat.org/lookup.cgi?ip=119.129.246.72

CBL will shut lookup if hit too many times!

SenderBase shows it is still spewing spam

http://www.senderbase.org/senderbase_queri...=119.129.246.72

Very much points out a NEED for TLS LOGIN

Edited by petzl

Definitely looks like the folks who administer 1.82.191.88 need to tighten up who they accept mail from.

Open relay? Maybe, maybe not.

A Botnet is more than an open relay!

In fact I haven't seen an "open relay" used for years?

It is in effect a Zombie computer, or a computer that is taken over while on the internet

Usually hackers scan that Botnet computer for credit card numbers, account passwords, even home addresses

Robberies do happen using this information!

Spamming is just a "value add" to their crime.

... After resubmitting the UCE from today I see no option to appeal when the page refreshes to tell me the issue has been resolved. Am I looking in the wrong place?

That's the right place as I recall it. Maybe things have changed.

And as petzl notes, it is always good for you to provide a Tracking URL when discussing report submissions and matters arising from them - that way we see exactly and all of what you are seeing and, if needed, some of us can even dummy a like submission to replicate the whole submission process (which would be subsequently cancelled of course).

True about the botnet bit.

What I'd spotted was the reference to Postfix in the message headers, which is fairly easily configured to prevent unauthorised access from outside sources that might want to relay spam. When I was running my own email server, I was using Postfix as the MTA; the spam mentioned in the tracking link you provided would have either been caught by the cbl listing, or possibly rejected with a "relaying not allowed" message.

I remember some using "blocklists" to prevent access to mail servers but not sure how it was done

The SCBL was used to give a "try again in 24 hours" message

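An added example, not taken from any post in this thread, showing how the Postfix settings discussed above fit together in main.cf: relay refusal for unauthenticated outsiders, a hard reject for clients on the CBL zone the thread links to, and a temporary-failure deferral on the SCBL; the hostname and network range are placeholders.

```ini
# Constructed example of a Postfix main.cf fragment (not any poster's
# configuration). Hostname and network range are placeholders.
myhostname = mail.example.org
mynetworks = 127.0.0.0/8 [::1]/128 192.0.2.0/24

# Users may authenticate only after STARTTLS, so a login is never sent in
# clear text (the "TLS login" point raised earlier in the thread).
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes

# Relay control (Postfix 2.10 and later): only local networks and
# authenticated users may send to non-local recipients; anyone else gets
# a "Relay access denied" reply, the "relaying not allowed" case above.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Inbound checks, evaluated in order for each RCPT TO:
#  - reject_unknown_reverse_client_hostname: refuse clients whose IP has
#    no PTR record at all. Enforcing a full forward/reverse match (the
#    mismatch noted for ns11.bluelightdeals.net) would need the stricter
#    reject_unknown_client_hostname, which also hits badly configured
#    legitimate senders, so it is left out here.
#  - reject_rbl_client cbl.abuseat.org: permanent 554 for hosts on the
#    CBL the thread links to (infected machines, not real MTAs). The CBL
#    data has since moved into Spamhaus XBL, so use the current zone.
#  - defer_if_reject: every later REJECT becomes a 450 temporary failure,
#    so a listed sender's MTA keeps retrying instead of bouncing, which is
#    the "try again later" behaviour described for the SCBL.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_reverse_client_hostname,
    reject_rbl_client cbl.abuseat.org,
    defer_if_reject,
    reject_rbl_client bl.spamcop.net,
    permit
```

Comments are kept above each parameter rather than inside the continued value, because Postfix treats a `#` inside a continuation line as part of the setting.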
