db17

Constantly receiving spam/apparently of same origin

47 posts in this topic

Short answer to my question. It doesn't work. Just got new spam after blocking badorcluelesshost.com (servermania.com)

Already reported, but sent new reports again. This is looking hopeless. Even if that hosting site bans them, which is very much in doubt, they'll just move on to another.

http://www.reddit.com/r/webhosting/comments/1s62ma

Servermania seems to have a serious spam problem, they have many 'commercial bulk email marketer' clients, aka spammers, who cross post email addresses across client lists in violation of current spam laws. Further, Servermania seems to intentionally disregard abuse reports sent to abuse[at]servermania, postmaster[at]servermania, noc[at]servermania, support[at]b2netsolutions. 43 Spamcop reports in the last 12 days, 3 emails per report, and 20 personalized reports to abuse[at]servermania.com from the affected email address. No response whatsoever from Servermania or B2NetSolutions and no abatement in the spam sent from their network. These folks are unable or unwilling to address their customers violating their own Terms of Service and refuse to even reply to 149 emails asking them to address the issue. Support in a timely fashion from Servermania seems impossible.

http://www.webhostingtalk.com/showthread.php?t=1252348

Except for AHBL, they don't appear to be blacklisted by SpamCop, or anyone else, for that matter.

http://i58.tinypic.com/2mf0s3l.png



SpamCop listing is highly dynamic, much more so than other listing services.

A spammer's IP will be listed based on, the number of different reporters (it takes more than one), how long ago they were listed before, if they hit a spam trap, among other factors.

Unlike other spam black listing services, SpamCop also de-list IPs after a given period of time, again depending on several factors.

That said, I would hope you would always report to SpamCop, if you have the time. Your single report may be the final one that gets the spammer listed (again) helping to establish a pattern for this spammer/IP. Even delayed reporting, up to two days, is helpful establishing a history for an IP. Although a delayed report may not get a spammer listed now, it will add to the history and hasten the spamcop listing the next time they start spamming.


Note that it isn't reporting spam to the abuse address that is where the most value of your reporting lies but, rather, that you report the IP addresses so that SpamCop sees them and adds your statistics to its database that it uses to decide whether to list the IP address as a spam source!


       Note that it isn't reporting spam to the abuse address that is where the most value of your reporting lies but, rather, that you report the IP addresses so that SpamCop sees them and adds your statistics to its database that it uses to decide whether to list the IP address as a spam source!

I'm all in favor of getting spammers into the SC database, however, what I need is some more immediate relief. I would have thought that an abuse[at] report from SC might carry some weight, and hopefully get the spammer kicked off a (responsible, ahem) host. Not so? Nothing's going to happen until a host gets blocklisted? And still then maybe nothing?


In a perfect world you are correct, that is the way it would work: a responsible host would take action to squash the source of their income, thinking of the greater good of the internet as a whole. But then in a perfect world there wouldn't be any spammers!

Coming back to the real world, we have spammers and also hosts that are willing to look the other way as long as the lowlifes pay the rent. As raised in another similar thread, even ICANN doesn't seem willing to take action against the spammers, wayward hosts, nor the registrars that do not police the domain names they get paid to register.

So the fallback position is for white hats, like you and me, to report spammers to SpamCop and the like so that OUR hosts can use the resulting Block-List and other tools to try and filter the swarm of spam from the stream of email coming to our in-box(es). Assuming your incoming email is normal, 90-95% of the email destined for your inbox is spam. If you are not seeing that level of spam, 1) you are lucky - keep your head down, 2) you have a relatively new email address that just hasn't been added to all the spam lists in circulation and/or 3) your current host is doing a fairly good job filtering spam from your inbox, hopefully without also blocking any of your real mail.


Except for AHBL, they don't appear to be blacklisted by SpamCop, or anyone else, for that matter.

AHBL is blocking everyone because they've closed the list down..... :(


Changing gears a bit. It may only be coincidence, but it seems like the more spam I report, the more I receive. Before I started reporting to SC, I would usually just delete the spam. In order to copy the raw headers I need to open the spam. I am certain there is no other way of getting those headers. Of course, I have remote images disabled in my Mail client, which I would have thought would eliminate web bugs or any other way a spammer could know that I had opened a message. Am I missing something? Is it possible that, even though I have remote images disabled, they are able to see if a message has been opened and from where through some means other than an embedded web bug or anything else from images?

And despite my SC reports to their abuse[at], the flurry of spam from servermania continues relentlessly and unabated.


Looking at the full source of the example you provided via Tracking URL, blocking the display of remote images should prevent the several images which could work as web bugs (though that is somewhat unlikely) quite effectively. There could be tracking codes in the text (or even the headers) but none are obvious and for any such to work the spammer would need to have access to the reports you send to servermania. SC staff take a dim view of abuse desks that feed the spammers (or are part of the spam enterprise) and will discontinue reporting to them if there is any evidence.

There has been much discussion over the years of the "increased spam" some people observe when reporting, if you care to search that topic in these forums. Having seen those discussions as they took place, I keep coming back to "Why would the spammer bother?" The high-volume, scattergun operational model most use doesn't require either list maintenance or "pay-back"/revenge against reporters (and is reduced in effectiveness should the spammer resort to those). The Copernican principle would indicate you (or any of us) are unlikely to be a special target - mediocrity is our most likely lot in life.

No, I think it is most likely all part of the "spam cycle" and they will just go away in time. You could take a holiday from reporting to see if it makes any difference - some, doing that in past times, have sworn it does. Others have sworn it doesn't. To a statistician such mixed results would indeed indicate the cycle is most probably independent of reporting.

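The two questions above (whether the raw headers can be had without rendering the message, and whether anything other than remote images could betray that a message was opened) can be answered by inspecting the message as data rather than displaying it. The following is an added example, not code from the original thread or from SpamCop; the sample message is constructed inline with documentation IP addresses and placeholder URLs, and the regular expressions and the "web bug" heuristic (an auto-fetched image or CSS resource carrying a query parameter) are this example's own assumptions about what a mail client would fetch:

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample message for illustration: hosts and URLs are placeholders
# (RFC 5737 documentation IPs, the reserved .invalid TLD), not a real spam.
RAW_SPAM = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx.example.net with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: "Offers" <offers@example.invalid>
To: victim@example.org
Subject: Special offer
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

See our offer at http://example.invalid/offer
--b1
Content-Type: text/html; charset=us-ascii

<html><body>
<p>See our <a href="http://example.invalid/offer?u=7f3a9c">offer</a></p>
<img src="http://example.invalid/open.gif?id=7f3a9c" width="1" height="1">
<img src="cid:logo">
<div style="background:url('http://example.invalid/bg.png?id=7f3a9c')"></div>
</body></html>
--b1--
"""

# Resources a client fetches automatically when rendering HTML (img src, CSS url())
# versus links that only fire when the reader clicks them (a href).
IMG_SRC = re.compile(r"""<img[^>]+src\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
CSS_URL = re.compile(r"""url\(\s*["']?(https?://[^"')\s]+)""", re.I)
A_HREF = re.compile(r"""<a[^>]+href\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw: bytes):
    """Parse the raw message bytes; nothing is rendered and nothing is fetched."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_chain(msg):
    """Received headers oldest-first (the last header in the message is the earliest hop)."""
    return list(reversed(msg.get_all("Received", [])))


def origin_ip(msg):
    """IP in the earliest visible hop. Taken at face value here: hops below the ones
    added by your own provider can be forged, so a reporting service trusts only the
    hops it can verify."""
    hops = received_chain(msg)
    if not hops:
        return None
    m = IP_IN_BRACKETS.search(hops[0])
    return m.group(1) if m else None


def html_part(msg):
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def auto_fetched_urls(msg):
    """Remote resources a client would request just by displaying the message.
    With remote content disabled these are never requested, so no 'open' signal leaks."""
    html = html_part(msg)
    return IMG_SRC.findall(html) + CSS_URL.findall(html)


def click_only_urls(msg):
    """Links that require a click; harmless to look at, unsafe to follow."""
    return A_HREF.findall(html_part(msg))


def flag_web_bugs(urls):
    """Return (url, params) for auto-fetched URLs carrying query parameters: a
    per-recipient token in the query is what ties one image fetch to one reader."""
    flagged = []
    for u in urls:
        params = parse_qs(urlsplit(u).query)
        if params:
            flagged.append((u, {k: v[0] for k, v in params.items()}))
    return flagged


if __name__ == "__main__":
    m = parse_message(RAW_SPAM)
    print("earliest hop IP:", origin_ip(m))
    for hop in received_chain(m):
        print("  Received:", hop)
    for url, params in flag_web_bugs(auto_fetched_urls(m)):
        print("web bug (would be fetched on display):", url, params)
    print("click-only links:", click_only_urls(m))
```

Saving the message as a file from the mail client and feeding it to `parse_message` yields the headers for a report without the HTML part ever being displayed; the `cid:` image is excluded deliberately, since it is embedded in the message and involves no network request.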

As Steve said, this is a recurring "observation". Sometime back in the dark ages, when I had nothing better to do, in response to a similar observation, I did a month(s)-long study/count of the spam I received. I can't find that thread but there were charts, analysis and comments.

Bottom line was that for the months I counted my spam, a month while reporting and a month not reporting, my total daily spam just increased. The level of spam tracked fairly well the level of spam reflected in SpamCop reporting charts. At the time I was receiving 100s/day; the charts listed spam by type, for drugs, stocks, phishing, software, other. The data is ~10 years old, but I doubt things have changed.

Found the graphs. I have taken them off the net. Data was for Oct, Nov and Dec 2006.


Thanks for both replies. It was only a casual remark--didn't really think there was a correlation, but the replies--unexpected--have been quite interesting.

Tongue-in-cheek-post alert: I'm beginning to think that, maybe with the help of someone like Brian Krebs, who could search the dark net for all the spam lists for sale, I could just get it over with and offer the spammers some kind of wholesale ransom to guarantee that none of my email addresses will appear on any lists for the next five years. Might work better than any of the reporting I've been doing. :(



Just came across this in Preferences, and I am a bit puzzled by the following:

spam Munging

Obscure identifying information
Leave spam copies intact
Become a "mole" - Don't even send reports (mostly pointless)

SpamCop usually tries to obscure (munge) your email address and other identifying information from spam reports before they are sent. However, some ISPs will not accept this type of report.

If you select munging, SpamCop will not send to ISPs which refuse munged reports by default (you will be given a default-off option when using the web-interface). If you select intact spam copies, SpamCop will send all reports unmodified.

It has become painfully obvious that spammers are able to identify your email address by using tracking codes - even after SpamCop's attempts to munge them. It has also become plain that even the largest and most well-respected ISPs forward complaints intact to the accused.

In response, we now offer the ability to send reports silently. These reports are not emailed and are not available to anyone but SpamCop administrators and will not be shared (except as aggregate counts).

So, according to this, spammers are able, in theory, to see my email address by way of the tracking codes, even after they've been munged. (Thought Steve dispelled that one, above, so puzzled as to why it's here and just what the implications are). Or does this mean that reports used to be sent with the Tracking Code (is that the same as the Tracking URL?) but no longer are?

In response, we now offer the ability to send reports silently. These reports are not emailed and are not available to anyone but SpamCop administrators and will not be shared (except as aggregate counts).

What is a "silent" report? Is there an option somewhere for that ("we now offer the ability to send reports silently" would imply that there is such an option)? And if abuse[at] reports are not emailed, I assume they are still going out to abuse desks, so by what means do they get to an abuse desk?


...

So, according to this, spammers are able, in theory, to see my email address by way of the tracking codes, even after they've been munged. (Thought Steve dispelled that one, above, so puzzled as to why it's here and just what the implications are). Or does this mean that reports used to be sent with the Tracking Code (is that the same as the Tracking URL?) but no longer are? ...

Spammers could, hypothetically, put an identifying code of their own devising in the headers or the body of the original spam. That would be a "tracking code". There is no evidence that they currently do this. If they did, their next problem would be to get a copy of the report from the ISP/abuse desk to which the report is sent so they could decode it to identify the reporter (for some unlikely purpose). SC would regard report sharing with spammers as a hostile act and discontinue sending reports to any such complicit ISP/abuse desk if there was any evidence/hint of it happening. There is no way spammers could see your munged e-mail address/details directly, even if they did get a copy of the ISP/abuse desk report. Some ISP/abuse desks do not accept munged reports. You would be given the opportunity to forgo munging in those specific instances. Even with an unmunged report, the spammer would have a problem seeing a copy.

The Tracking URL is SC's link to the parsing and reporting page and is NOT to be confused with any hypothetical code which may or may not have been inserted in the original spam by the malefactors.

...

What is a "silent" report? Is there an option somewhere for that ("we now offer the ability to send reports silently" would imply that there is such an option)? And if abuse[at] reports are not emailed, I assume they are still going out to abuse desks, so by what means do they get to an abuse desk?

Silent reports are not sent to anybody; ISP/abuse desks get nothing. They are like 'devnull' reports: they only affect the SCbl statistics for the IP address "reported". EXCEPT the mole reporter's "silent" reports are discounted - they do not have the same "weight" as an ordinary report (even a devnulled one). They do not contribute much to tipping an abused IP address into the SCbl. But they may help keep a listed IP in the sin bin, when spam is continuing.


Morning Steve. I deleted my text to avoid being redundant. I would add that for a hypothetical tracking code to be useful would require (spam) email list maintenance. Looking at the volume of spam sent we would be talking about lists of 1Ms of emails. Not to put a "Snowden" twist to this, but that would be an NSA-sized task and they have a large 2-story basement full of super computers for the task. Additionally, there is no known evidence that any spammer has ever bothered to consider doing any list scrubbing or other list maintenance.

As an example, I have owned my private domain for almost 20 years; there has never been a mailbox, bob[at], at my domain. That does not keep the spammers from sending "Bob" spam every day. And every day for 20 years all that spam has been reported to SpamCop and others. "People" do seem to think Bob is a kinky guy based on the email he is continually sent.

The only evidence that any sender has ever looked at the reports was one case where I got a response, through SpamCop, from a real estate broker. Bottom line, the broker had paid one of these SEO people to push his website and "Bob" had signed up for the broker's emailing list as a result. When "Bob" got an email with info on vacation houses in Rhode Island, the newsletter got reported to SpamCop. Duh!! The broker complained by responding to the spam report, through SpamCop, claiming the newsletter was not spam because Bob had signed up for the newsletter. After I explained who "Bob" was NOT, the broker told me the history.


Thanks for the info Steve. So, do I assume that, if it was recommended to send a silent report (which I understand would only end up at SC), I would somehow be notified of that option before I sent out a regular one to an abusive abuse desk? That is, if an abuse desk was known to SC as being "abusive."



... do I assume that, if it was recommended to send a silent report (which I understand would only end up at SC), I would somehow be notified of that option before I sent out a regular one to an abusive abuse desk? That is, if an abuse desk was known to SC as being "abusive."

Haven't been there for ages but I think the way it works is - when you switch to mole status (via preferences) you stay a mole until you switch back. Such is entirely at your discretion, SC doesn't recommend anything (except to note that mole reporting is "mostly pointless").

If an abuse desk is known to SC as abusive, SC would not send reports. That is one of the several reasons why, in the reporting stage, some IP addresses/ranges might generate a message something like "No valid email addresses found, sorry!" (followed by a - partial - list of reasons). The main purpose of reporting is to build up statistics towards quickly listing an extensively abused IP address in the SCbl while the abuse is in progress. External reports to ISP/abuse desks are a courtesy - plus some ISPs are actually using those to control spam in their networks, the way it is intended. A double-barrelled approach but certainly there is no need for despondency if no ISP/abuse desk reports are sent, whatever the reason - "You can lead a horse to water, but you can't make him drink," eh? Feeding the SCbl is the "main game".

When you opt for munged reports, SC will alert you if the ISP is known to reject those and will not send a report to them unless you take the option (for that individual report) to send an un-munged report. I think. It is fairly rare but you will know it, if you stumble into such a case. Don't sweat it - there is more than enough to learn - if you are resolved to "look under the hood" - without moiling in the dark depths of the more esoteric realms. The reporting process itself is generally quite easy.


Looks like the latest ones may be examples of what we've been talking about. Or it's simply that SC can't find a valid host?

Re: 104.140.95.174 (Administrator of network where email originates)
To: delwyn#tiburonhost.com[at]devnull.spamcop.net (Notes)

Re: http://treereadmastkenp.info/iqerdamna6d9/32387 (Administrator of network hosting website referenced in spam)
To: delwyn#tiburonhost.com[at]devnull.spamcop.net (Notes)

Re: http://treereadmastkenp.info/kao7u5nmrmn7/32387 (Administrator of network hosting website referenced in spam)
To: delwyn#tiburonhost.com[at]devnull.spamcop.net (Notes)

Using delwyn#tiburonhost.com[at]devnull.spamcop.net for statistical tracking.

Or maybe none of the above. The host for that spamvertised domain (treereadmastkenpdotinfo) resolves to serverhub.com (from 104.140.95.253).

http://forum.spamcop.net/forums/topic/14094-serverhubcom/

Plus lots of additional hits

https://encrypted.google.com/search?hl=en&output=search&sclient=psy-ab&q=serverhub.com+spam+from&btnG=&oq=&aq=&aqi=&aql=&gs_sm=&gs_upl=&gs_l=&pbx=1

So where does delwyn#tiburonhost.com, which can't be found anywhere, come from? What's going on here?

Edited by Farelf
kill live links (again)


I don't know what's going on; the devnull addresses usually substitute hash for arroba, thus the previous abuse address was delwyn[at]tiburonhost.com but is now devnulled, probably because ownership of that netblock has changed. You can always add craig[at]modvismedia.com for 104.140.95.174 and 104.140.95.253, or abuse[at]eonix.net (from http://whois.arin.net/rest/nets;q=104.140.95.174?showDetails=true&showARIN=false&ext=netref2), which you have found, as a user-defined reporting address to your reports for 104.140.95.174 and treereadmastkenp.info. You could also report your findings in the Routing / Report Address Issues subforum. I will leave it to others to explain how to do any of that if you can't work it out because, frankly, I have run out of patience because ...

Despite repeated requests, you continue to post spammer's live links - thus making this forum a spam host and yourself possibly a more effective spammer than the people you are reporting. The URIs in green in my edit of your last post were coming up as clickable links before I broke them. They may not have looked so in edit mode, but did you even review your post after you made it? I don't know what those links do but I do know they are supposedly the links the spammer wanted clicked or otherwise promulgated and which you continue to gleefully expose despite multiple exhortations to only reference spam content by pointing to the appropriate Tracking URLs.

Despite repeated requests, you continue to post spammer's live links - thus making this forum a spam host and yourself possibly a more effective spammer than the people you are reporting. The URIs in green in my edit of your last post were coming up as clickable links before I broke them. They may not have looked so in edit mode, but did you even review your post after you made it? I don't know what those links do but I do know they are supposedly the links the spammer wanted clicked or otherwise promulgated and which you continue to gleefully expose despite multiple exhortations to only reference spam content by pointing to the appropriate Tracking URLs.

OMG, I was certain I had edited those from .info to dotinfo, so they couldn't be parsed. Deeply regret that. Won't happen again.


I would like to make a few points. First, I did not do this "gleefully." Unwittingly, yes, and I will try to explain how that happened as best I can by trying to reconstruct what I was thinking at the time. And, second, although one warning should have been sufficient, there were no "multiple" exhortations, only one. As far as I know, there were no "repeated requests."

What I did--and will not do again-- was to paste some of the SC results that appear after processing. They were from the page that shows what look to be three ten digit reference numbers, only the third of which is an actual SC report ID (and which only shows as such after a report has been sent).

The URIs in green in my edit of your last post were coming up as clickable links before I broke them.

I did not see that I was posting any spam URLs as live links. What I did not realize was that those first two ten-digit numbers, which I took to be some kind of SC internal reference numbers, are in fact live links to the spam, unlike the third, perfectly safe one, which stays internal to SC. The URLs that appear inside the parentheses next to those numbers do not appear, themselves, to be live links (when I hover only on those they do not appear as links), and that was why I left those intact. I only edited one appearance of one of those, an excerpt, from .info to dotinfo, where I thought it was needed--but this does show that I am conscious of not wanting to link to a spammer.

Hindsight is 20/20: had I hovered on those first two ten-digit numbers and looked at my Firefox Status Bar, I would have seen that they are direct links to the spam site. I'm not excusing myself, but the documentation at SC is scattered all over the place and often very confusing, especially to a beginner here, like myself. At least for me, a lot of using SC is trial and error, because searching for clear jargon-free explanations of things often ends quite fruitlessly. (One example of this was my question about the items in Preferences, which I asked above. Those items are listed in Preferences as if they are current and meaningful, but as it turns out, should just be ignored; my question was arcane and "under-the-hood." Usually one's selected Preferences have some meaningful impact on the way a site will work for one.) Quite baffling, much of this.

I would also point out that, although this was obviously a serious error, I did not murder or dismember anyone.

And still getting spammed by eonix.net. There are numerous reports about this, so no idea why it does not appear to be in the SCBL.



Dealing with spam is an ongoing learning process for us all. My view about life in general has always been, 'If I didn't learn anything today, it has been a waste.'

Yes, much of the "under-the-hood" stuff is often baffling. In fact some of that is intentional. If the process and results were too obvious it would be worth the efforts of spammers or hackers-for-pay to learn how to game the system to avoid being listed. Check the archives in the lounge for past history of SpamCop and/or this forum being the target of attacks, so it is not a theoretical concern.


I would like to make a few points. ...

Just review and try to assimilate the information you have been given already. There's an awful lot of it, no need to get defensive - you have been trying to soak up in a month more than most of us managed to come to grips with over a period of years.

... And still getting spammed by eonix.net. There are numerous reports about this, so no idea why it it does not appear to be in the SCBL.

You need to read and take onboard "What is the SpamCop Blocking List (SCBL)?". A single reporter will never get any IP address listed - it takes several (nominally within the same 12/24 hour period) and/or spam from the subject address being detected by SC spamtraps (also within that short time frame). You are doing good by reporting even if it has not (yet) apparently resulted in listing. All it will take is one or a few other reporters to add their data ...

It appears that the administrators of eonix.net have not been responsive (that is the other "string to the bow" for SC reporters). There can be many reasons for that - we reporters tend to assume it is because they are effectively complicit in the spam operation (because we're mostly paranoid). That assumption may or may not be justified. It is hard for others here to tell without Tracking URLs to help test the conjecture - for instance, if the parsing and reporting page (pulled up by the Tracking URL) shows the IP address of the e-mail source is participating in a botnet as indicated by listing in the CBL, those administrators might benefit from a user note (completed before releasing reports) pointing them to that fact. Ideally that might have immediate effect (for a single IP address out of many) but in large networks it is usually more complicated than that. But it is a start.

But, in the examples you have shared, both the source of the e-mail and the hosting of the payload spam links (websites) are in the same network. That pattern is unlikely for botnets, it is more likely in a spam-friendly network and in that case we can't expect the administrators to be helpful in eliminating that spam. The only recourse is to keep reporting and trust that will contribute to a generally poor network reputation which might, in turn, have economic consequences that will eventually force the network owners to re-examine their business model.

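The listing behaviour described in this thread (several distinct reporters and/or spamtrap hits inside a short window are needed to list an IP; one reporter alone never does it; a mole's silent reports carry little weight but help keep an already-listed IP listed; old reports add history rather than a listing) can be made concrete with a small model. This is an added example, a toy written for this page, not SpamCop's scoring: the window, threshold, minimum number of sources and the relative weights are assumed values chosen to illustrate the rules, and the reports are constructed.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Toy parameters, assumed for illustration only; SpamCop publishes no such numbers.
WINDOW = timedelta(hours=24)   # only evidence inside this window counts toward a new listing
LIST_THRESHOLD = 3.0           # assumed points needed before an IP is listed
MIN_SOURCES = 2                # a single reporter never lists an IP on their own
WEIGHTS = {"report": 1.0, "mole": 0.25, "spamtrap": 1.5}   # assumed relative weights


class Report(NamedTuple):
    ip: str
    source: str     # reporter id, or a spamtrap id
    kind: str       # "report", "mole" (silent) or "spamtrap"
    when: datetime


def recent_evidence(reports, ip, now):
    """Evidence for one IP inside the window, collapsed to one entry per distinct
    source: a reporter sending the same spam twenty times is still one reporter."""
    best = {}
    for r in reports:
        if r.ip != ip or not (timedelta(0) <= now - r.when <= WINDOW):
            continue
        best[r.source] = max(best.get(r.source, 0.0), WEIGHTS[r.kind])
    return best


def should_be_listed(reports, ip, now, currently_listed=False):
    """Decide the toy listing state for one IP at time `now`."""
    evidence = recent_evidence(reports, ip, now)
    if currently_listed:
        # Any fresh evidence keeps the IP listed; low-weight mole reports count here.
        return bool(evidence)
    return len(evidence) >= MIN_SOURCES and sum(evidence.values()) >= LIST_THRESHOLD


# Constructed sample reports (documentation IP ranges, made-up reporter names).
T0 = datetime(2024, 1, 1, 12, 0)
REPORTS = [
    # one reporter, twenty reports of the same source
    *[Report("198.51.100.7", "alice", "report", T0 + timedelta(minutes=i)) for i in range(20)],
    # three distinct reporters within a few hours
    Report("203.0.113.9", "alice", "report", T0),
    Report("203.0.113.9", "bob", "report", T0 + timedelta(hours=2)),
    Report("203.0.113.9", "carol", "report", T0 + timedelta(hours=5)),
    # two reporters plus a spamtrap hit
    Report("203.0.113.10", "alice", "report", T0),
    Report("203.0.113.10", "bob", "report", T0 + timedelta(hours=1)),
    Report("203.0.113.10", "trap-17", "spamtrap", T0 + timedelta(hours=3)),
    # three reporters, but all older than the window (history, not a listing)
    Report("192.0.2.44", "alice", "report", T0 - timedelta(days=3)),
    Report("192.0.2.44", "bob", "report", T0 - timedelta(days=3)),
    Report("192.0.2.44", "carol", "report", T0 - timedelta(days=3)),
    # three mole (silent) reporters only
    Report("192.0.2.99", "dave", "mole", T0),
    Report("192.0.2.99", "erin", "mole", T0),
    Report("192.0.2.99", "frank", "mole", T0),
]
NOW = T0 + timedelta(hours=6)


def summarize(reports=REPORTS, now=NOW):
    """Listing decision per IP, assuming none is currently listed."""
    ips = sorted({r.ip for r in reports})
    return {ip: should_be_listed(reports, ip, now) for ip in ips}


if __name__ == "__main__":
    for ip, listed in summarize().items():
        ev = recent_evidence(REPORTS, ip, NOW)
        print(f"{ip:14} sources={len(ev)} score={sum(ev.values()):.2f} listed={listed}")
    print("192.0.2.99 if already listed:", should_be_listed(REPORTS, "192.0.2.99", NOW, True))
```

The model reproduces the thread's points: the twenty reports from one person never reach the listing, three reporters or two reporters plus a spamtrap do, the three-day-old reports contribute nothing now, and the mole-only evidence cannot list an IP but does keep one listed.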
