Jump to content
Sign in to follow this  
Lking

Here is a switch

Recommended Posts

Got this one today.

Attention!!!

If you received spam with link to our website
https:/ /xxxxx.biz/pago.cgi, please immediately report abusive email
message to https://www.spamcop.net/anonsignup.shtml

Our site, xxxxx.BIZ, is not connected to spammers and we are just
victims of malicious fake phishing attack.

Spammers use hacked computers to send unsolicited bulk email. Please help
stopping abuse by reporting spam messages including email header to
spamcop.net.


Tracking URL https://www.spamcop.net/sc?id=z6192574058z81b0ca50cfa63c2f9b4ed58a67e6dc4bz

Share this post


Link to post
Share on other sites

Which my standard boiler plate (WOULD OF BEEN) reply also to CERT cert[at]cert.gov.ua

176.121.193.27 (Administrator of network where email originates) Ukraine 
abuse hostmaster[at]terra-line.net
BOTNET ATTACK HOST
http://cbl.abuseat.org/lookup.cgi?ip=176.121.193.27
This IP is infected (or NATting for a computer that is infected) with the slenfbot spambot.
TO REMOVE INFECTION
Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run.
https://security.symantec.com/nbrt/npe.aspx

BLOCK OUTBOUND PORT 25, 
RESERVE FOR LEGIT EMAIL SERVER
CHANGE TO SECURE PASSWORD 
SCAN INFECTED COMPUTER FOR MALWARE

A BOTNET infected computer/server means the all data passing through it may be compromised (bank details, log-on/password, email, etc). 
CBL lists those computers that are infected with instructions on how to remove BOTNET infections

The following Cisco site shows servers/computers with such infections
http://www.senderbase.org/lookup/ip/?search_string=176.121.193.27
spewing spam
https://www.spamcop.net/w3m?action=checkblock&ip=176.121.193.27
Edited by petzl

Share this post


Link to post
Share on other sites

I got one of these this morning.
Here is the tracking URL:

https://www.spamcop.net/sc?id=z6192680539z3e71881001ff276a5234d3c859906cb1z

Previous spams I've been getting have contained links to pay2us.biz, and the text in the message referred to in the above link has been lifted from their website.

The previous spams have all been about some kind of expired account with an amount to pay (amounts vary) and a link to pay2us.biz.

Here is the tracking URL to a recent example of this:

https://www.spamcop.net/sc?id=z6192381628z6c239d393d50bdf7033887b9b6cb7b96z

Here is the Netcraft Toolbar site report:

http://toolbar.netcraft.com/site_report?url=https://pay2us.biz

This report states that the domain is on the Spamhaus Domain Block List.

I've been getting spams like this every day for about the last 2 to 3 weeks, but the spam mentioned at the top of my post is the first time I have seen this particular variant.

There is a message about spamcop.net's ISP not wishing to receive reports (obviously to be expected), but what does worry me is that the SpamCop parser always shows the same message about pay2us.biz (I've tried my best to obfuscate the link):

"ISP does not wish to receive reports regarding [h|t|t|p|s]etc/ pay 2 us . [biz] no date available"

Does Cloudflare's ISP normally ignore complaints about sites hosted by them?

If I'm correctly understanding petzl's reply to the OP, pay2us.biz is hosting malware; is that correct?

If so, what can actually be done about this site?

Edited by csouter

Share this post


Link to post
Share on other sites

I got one of these this morning.

Here is the tracking URL:

https://www.spamcop.net/sc?id=z6192680539z3e71881001ff276a5234d3c859906cb1z

Previous spams I've been getting have contained links to pay2us.biz, and the text in the message referred to in the above link has been lifted from their website.

The previous spams have all been about some kind of expired account with an amount to pay (amounts vary) and a link to pay2us.biz.

Here is the tracking URL to a recent example of this:

https://www.spamcop.net/sc?id=z6192381628z6c239d393d50bdf7033887b9b6cb7b96z

Here is the Netcraft Toolbar site report:

http://toolbar.netcraft.com/site_report?url=https://pay2us.biz

This report states that the domain is on the Spamhaus Domain Block List.

I've been getting spams like this every day for about the last 2 to 3 weeks, but the spam mentioned at the top of my post is the first time I have seen this particular variant.

There is a message about spamcop.net's ISP not wishing to receive reports (obviously to be expected), but what does worry me is that the SpamCop parser always shows the same message about pay2us.biz (I've tried my best to obfuscate the link):

"ISP does not wish to receive reports regarding [h|t|t|p|s]etc/ pay 2 us . [biz] no date available"

Does Cloudflare's ISP normally ignore complaints about sites hosted by them?

If I'm correctly understanding petzl's reply to the OP, pay2us.biz is hosting malware; is that correct?

If so, what can actually be done about this site?

*IF* one has the time pays to try to be better than SpamCop

Even get better than me check SpamCop abuse addresses often wrong.

My boilerplate (please either copy or make it better) needed to be sent to mail-abuse[at]cert.br as well

187.86.72.188 (Administrator of network where email originates)
BOTNET ATTACK HOST  "mail-abuse[at]cert.br" no abuse address given" 
http://cbl.abuseat.org/lookup.cgi?ip=187.86.72.188
This IP is infected (or NATting for a computer that is infected) with the slenfbot spambot.
TO REMOVE INFECTION
Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run.
https://security.symantec.com/nbrt/npe.aspx

BLOCK OUTBOUND PORT 25,
RESERVE FOR LEGIT EMAIL SERVER
CHANGE TO SECURE PASSWORD
SCAN INFECTED COMPUTER FOR MALWARE

A BOTNET infected computer/server means the all data passing through it may be compromised (bank details, log-on/password, email, etc).
CBL lists those computers that are infected with instructions on how to remove BOTNET infections

The following Cisco site shows servers/computers with prior or existing BOTNET infections
http://www.senderbase.org/lookup/ip/?search_string=187.86.72.188

Share this post


Link to post
Share on other sites

*IF* one has the time pays to try to be better than SpamCop

Even get better than me check SpamCop abuse addresses often wrong.

My boilerplate (please either copy or make it better) needed to be sent to mail-abuse[at]cert.br as well

187.86.72.188 (Administrator of network where email originates)
BOTNET ATTACK HOST  "mail-abuse[at]cert.br" no abuse address given" 
http://cbl.abuseat.org/lookup.cgi?ip=187.86.72.188
This IP is infected (or NATting for a computer that is infected) with the slenfbot spambot.
TO REMOVE INFECTION
Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run.
https://security.symantec.com/nbrt/npe.aspx

BLOCK OUTBOUND PORT 25,
RESERVE FOR LEGIT EMAIL SERVER
CHANGE TO SECURE PASSWORD
SCAN INFECTED COMPUTER FOR MALWARE

A BOTNET infected computer/server means the all data passing through it may be compromised (bank details, log-on/password, email, etc).
CBL lists those computers that are infected with instructions on how to remove BOTNET infections

The following Cisco site shows servers/computers with prior or existing BOTNET infections
http://www.senderbase.org/lookup/ip/?search_string=187.86.72.188

Hello, petzl, and thank you for the information.

I do, however, have some questions, if you would be so kind as to answer them.

1. After a bit of Googling, I now know what a "boilerplate" is, but I have no idea how to use one, let alone how to use it in conjunction with SpamCop reporting. Should I ask you for advice in this thread, or ask everyone, by starting a new topic in the Lounge? (I have no wish to ask questions in the wrong place, and I suspect that asking such a question here could be seen as "thread hijacking.")

2. I understand why you say that an additional report needed to be sent to cert.br, (the spam originated from a Brazilian ISP), but what would CERT be able to do that the Brazilian ISP's abuse desk could not?

3. A bit more Googling led me to the CERT website, where I was hoping that I might find a list of CERT reporting addresses worldwide. Unfortunately, I was unable to find such a list anywhere on the site, but my Google search showed that there are many such agencies throughout the world. Could you possibly provide a link to such a list, or alternatively, give me some suggestions where to look?

4. Your boilerplate covers the spam source, but I would also like to report the spammed site. The SpamCop parser gives the ISP as Cloudflare, and states that they do not wish to receive reports about the spammed site, which is still up and running, and has been for several years, according to Netcraft. Do you have any suggestions as to what I might be able to do about pay2us.biz, in addition to reporting the site to KnujOn, as I normally do?

Edited by csouter

Share this post


Link to post
Share on other sites

Hello, petzl, and thank you for the information.

I do, however, have some questions, if you would be so kind as to answer them.

1. After a bit of Googling, I now know what a "boilerplate" is, but I have no idea how to use one, let alone how to use it in conjunction with SpamCop reporting. Should I ask you for advice in this thread, or ask everyone, by starting a new topic in the Lounge? (I have no wish to ask questions in the wrong place, and I suspect that asking such a question here could be seen as "thread hijacking.")

2. I understand why you say that an additional report needed to be sent to cert.br, (the spam originated from a Brazilian ISP), but what would CERT be able to do that the Brazilian ISP's abuse desk could not?

3. A bit more Googling led me to the CERT website, where I was hoping that I might find a list of CERT reporting addresses worldwide. Unfortunately, I was unable to find such a list anywhere on the site, but my Google search showed that there are many such agencies throughout the world. Could you possibly provide a link to such a list, or alternatively, give me some suggestions where to look?

4. Your boilerplate covers the spam source, but I would also like to report the spammed site. The SpamCop parser gives the ISP as Cloudflare, and states that they do not wish to receive reports about the spammed site, which is still up and running, and has been for several years, according to Netcraft. Do you have any suggestions as to what I might be able to do about pay2us.biz, in addition to reporting the site to KnujOn, as I normally do?

1 A "boilerplate" is just something you save on your computer as a text instead of having to re-write everything again and again

2 Brazilian ISP's had a notoriety of doing nothing. Brazil became the spam capital of the world. Most blacklisted email coming from Brazil. Cert Brazil seem to of fixed this.

3 https://www.first.org/members/teamsis where you can get CERT email address a lot won't take SpamCop reports? The USa for instance has a site but are completely useless except to themselves!

4 Spammed sites (Domains) can be reported to registrars of such sites this free windows program is good for this

http://www.gena01.com/win32whois/

KnujOn you need to read about but they are best at "spamvertised" urls

For Cloudfare they are a worlwide provider and are reluctant to give abuse address

However for porn spam Iuse this boiler plate which gets them worried

(age of those shown is not for you to determine, if its porn this is the boilerplate complaint "they get)

**********************

Child porn spammer

pictures under 18 or made to look under 18

NO PROOF OF AGE available!

SENT TO MINORS

********************

I post this from my email address to cloudfare and to USA (spam[at]uce.gov)

That usually gets the site down after a number of reports I don't get them anymore probably the spammer cleaned his mailing list?

Share this post


Link to post
Share on other sites

1 A "boilerplate" is just something you save on your computer as a text instead of having to re-write everything again and again

OK, thanks for that.

2 Brazilian ISP's had a notoriety of doing nothing. Brazil became the spam capital of the world. Most blacklisted email coming from Brazil. Cert Brazil seem to of fixed this.

So if it's from Brazil, I can use cert.br as well as the ISPs own abuse desk, right?

3 https://www.first.org/members/teams is where you can get CERT email address a lot won't take SpamCop reports. The USA for instance has a site but are completely useless except to themselves!

So, I guess I would have to research each one of them and try to build up a database of who will & who won't accept SpamCop reports.

Sounds rather time-consuming, doesn't it? :(

4 Spammed sites (Domains) can be reported to registrars of such sites this free windows program is good for this http://www.gena01.com/win32whois/

Downloaded and installed already! :D

KnujOn you need to read about but they are best at "spamvertised" urls

I've been reporting to SpamCop since about 2004, I think.

I started using KnujOn after the BlueFrog fiasco, around the middle of 2006, IIRC. I can't remember how I found out about them, but maybe it was through CastleCops, where I was a member until they closed down in the face of the massive DDoS attacks of 2008. KnujOn had a forum on CastleCops, but when they closed down, he moved to LinkedIn, and I didn't follow; as a retired person, I have no interest in furthering business connections.

For Cloudfare they are a worldwide provider and are reluctant to give abuse address

However for porn spam I use this boiler plate which gets them worried

(age of those shown is not for you to determine, if its porn this is the boilerplate complaint they get)

**********************

Child porn spammer

pictures under 18 or made to look under 18

NO PROOF OF AGE available!

SENT TO MINORS

********************

I post this from my email address to cloudfare and to USA (spam[at]uce.gov)

That usually gets the site down after a number of reports I don't get them anymore probably the spammer cleaned his mailing list?

That would certainly get their attention, ;) but I couldn't use that for the pay2us site: I doubt if they're child porn spammers; from what I can find out about them, it's most likely a phishing site.

Do you think it's any use for me to send reports to the FTC? I'm not a US citizen; I'm an Australian citizen, (obviously, also living in Australia). I seem to remember reading somewhere that the FTC is not interested in reports from outside the US, but please correct me if I'm wrong. :)

Many thanks for all your info!

Edited by csouter

Share this post


Link to post
Share on other sites

So if it's from Brazil, I can use cert.br as well as the ISPs own abuse desk, right?

"mail-abuse[at]cert.br" and yes the abuse desk as well

So, I guess I would have to research each one of them and try to build up a database of who will & who won't accept SpamCop reports.
Sounds rather time-consuming, doesn't it? []

No https://www.first.org/members/teams

just open the countries page and it will show cert address the US one

SpamCop won't post to,(I use Ctrl/F US and "match case")

https://www.first.org/members/teams/cert-cc

You can send from your own account

Downloaded and installed already! [] 

the others good for checking SC abuse addresses

http://www.nirsoft.net/utils/ipnetinfo.html

hat would certainly get their attention, [] but I couldn't use that for the pay2us site: I doubt if they're child porn spammers; from what I can find out about them, it's most likely a phishing site.

I use "spam crime gang phishing site" it helps to get evidence from senderbase

http://www.senderbase.org/lookup/ip/?search_string=95.31.22.193

Follow the SBL if listed the follow it to see why (proof of cybercrimes)

http://www.spamhaus.org/sbl/query/SBL243537

Do you think it's any use for me to send reports to the FTC?  I'm not a US citizen; I'm an Australian citizen, (obviously, also living in Australia).  
I seem to remember reading somewhere that the FTC is not interested in reports from outside the US, but please correct me if I'm wrong. [] 

I'm Australian too, but see where FTC takes you?

This is what I call "brain storming" getting better ideas to become more effective at reporting spam

spam victims learn more from asking and answering questions

Edited by petzl

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×