paulgj

ocn.ad.jp spam


Lately I don't get a huge amount of spam but it seems like almost all the spam I do get ends up being reported to abuse[at]ocn.ad.jp.    There seems to be no letup in the quantity though, so am wondering if ocn.ad.jp is actually a known spammer friendly provider of some kind?


I don't know about ocn.ad.jp but it would seem so.

If you go back to one of the spam messages you have reported and look at the reports sent, you will find their IP address (SpamCop tracks IP addresses, not domains). You could then go to https://www.spamcop.net/w3m?action=map and find the reputation of their IP address.


apparently this provider is a major spam gateway, seems like sending spam reports to them is an exercise in futility 


Submitting spam does feed the blocklist though.

6 hours ago, paulgj said:

apparently this provider is a major spam gateway, seems like sending spam reports to them is an exercise in futility 

 

Would help if you gave a tracking URL?
even an IP address.
In the meantime have no idea what you are on about?


I get too many spams lately from ocn.ad.jp. Can we do anything to this provider? Just block all of their clients. That should make them think once their normal clients start complaining for non delivered emails.

Also it is kind of funny. Gmail delivers email from this forum into spam box. Just FYI

 

Edited by lepa71


As you can tell from this year long thread, some spammers don't change.  Reporting all spam from ocn.ad.jp and their clients that use IP addresses controlled by them, will help keep their IPs on the SpamCop block list.

1 hour ago, lepa71 said:

Also it is kind of funny. Gmail delivers email from this forum into spam box. Just FYI

Yes, many ISPs use rather dumb filters, based on domain names - not IP addresses, to filter incoming email.  Why someone would think a spammer would include the word 'spam' in their domain name and use that to filter email, I do not know.  I believe you should be able to add SpamCop.net to your white list to override the basic filtering.


I also find that a major portion of my spams are coming from their servers and I don't think abuse@ goes anywhere but into their trash. 

The address that I received emails from when I contacted them directly regarding spams is 'abuse_support@ocn.ad.jp' of which the address is listed as the "OCN Internet Security Team".
 

Edited by skydealer
update the address data


It's pretty clear this ISP is itself a criminal organization: I've reported an IP address of theirs for sending 419 scam messages over 140 times during the past year and it still continues, 3-4 times a day.


As a follow up on my post above, I've now filed 300+ reports on 419 scam messages sent from the ocn.ad.jp system.  The content of the messages varies but it's clearly coming from one spammer.  ocn.ad.jp does nothing about it--I get 1-4 scam messages from them every day.  And if you check the Spamcop statistics for the top targets of spam reports, ocn.ad.jp is almost always in the top ten.

 

There are only two logical explanations: either it is an utterly incompetent ISP or it is actively collaborating with 419 scam criminals.

I've begged ocn.ad.jp to block any outgoing mail to my Gmail account but they don't respond.  I've requested that Gmail blacklist them but didn't get a response to that either.  I have a Gmail filter to automatically send any incoming mail from ocn.ad.jp  to the trash but the irresponsibility of this slimeball ISP still annoys me.


It is never a good idea or productive to ask a spammer to remove your address from their emailing list.  They view any contact from you as confirmation that a real person does read their email and that is success for them. See Spammer Rules, Rule #1, Finnell's Corollary.

A more direct way to keep these spam out of your inbox is have your ISP block them or use your email app to direct them to a spam folder.  I assume you are reporting your spam to SC.  This may not help you directly, depending on how your ISP handles incoming email, but it does help others filter their email.

On 10/12/2017 at 10:24 PM, SteveMetz said:

As a follow up on my post above, I've now filed 300+ reports on 419 scam messages sent from the ocn.ad.jp system.  The content of the messages varies but it's clearly coming from one spammer.  ocn.ad.jp does nothing about it--I get 1-4 scam messages from them every day.  And if you check the Spamcop statistics for the top targets of spam reports, ocn.ad.jp is almost always in the top ten.

 

There are only two logical explanations: either it is an utterly incompetent ISP or it is actively collaborating with 419 scam criminals.

I've begged ocn.ad.jp to block any outgoing mail to my Gmail account but they don't respond.  I've requested that Gmail blacklist them but didn't get a response to that either.  I have a Gmail filter to automatically send any incoming mail from ocn.ad.jp  to the trash but the irresponsibility of this slimeball ISP still annoys me.

send a report to your email address then use the SECRET link contained in it

User-targeted report, see notes, if any.

this will show you replies to your reports if any 

Edited by petzl


This OCN network is by far the biggest spam network in the world and they ignore every abuse email received even more so with Spamcop because they send the emails to a non existent email address, the one OCN use is abuse_support@ocn.ad.jp

Still won't do much good because I've reported too much to them they blocked me, still spamming me with hundreds of emails a week mind

5 hours ago, salfordian said:

This OCN network is by far the biggest spam network

A tracking URL helps. I get the odd one but not many to escalate try JP Cert always in comment IP address if that IP is AN open PROXY

cirt [at] cyberdefense [ dot ] jp 

[ Additional comments from recipient ]
cncert@cert.org.cn
183.32.221.122 is an open proxy   BOTNET
SEE https://www.abuseat.org/lookup.cgi

SEE ALSO CisCo sites REPUTATION IP LOOKUP
https://www.talosintelligence.com

If Microsoft Windows Defender is available to you, use it!
THEN Change Password

Other BOTNET hosts in this "neighborhood" with spam reports

 


I've reported several hundred spam messages with no let up in messages being sent from their network.

Here's a recent (January 8th) auto-reply email I got from sending a report to abuse [at] ocn.ad.jp through the reporting form: 

Quote

Dear "Steve" <6765033934@reports.spamcop.net>;

 This is auto reply mail.
 That site is one of our customers'.
  I advise the administrator of the site
  to fix this problem as soon as possible.

  Thank you for your patience.

Sincerely yours,
 ---
 NTT Communications(OCN)

 ---------- Begin Included Message ----------
 Date: Mon, 08 Jan 2018 06:18:12 -0800
 From: "Steve" <6765033934@reports.spamcop.net>
 To: abuse@ocn.ad.jp
 Subject: [SpamCop (153.149.230.3) id:6765033934]

[ SpamCop V4.8.6 ]
This message is brief for your comfort.  Please use links below for details.

Email from 153.149.230.3 / Mon, 08 Jan 2018 06:18:12 -0800
https://www.spamcop.net/w3m?i=z6765033934z388df03ed4b4e22c2ffbe7efd654f7b4z

[ Offending message ]
Delivered-To: x
Received: by 10.25.81.199 with SMTP id g68csp1495561lfl;
        Mon, 8 Jan 2018 06:18:12 -0800 (PST)
X-Google-Smtp-Source: ACJfBotDlAvDdTjcx3hJ5Wwh8Lihk5TaNEwnt3d6wkxhCAymYHKu4tp7EzP1kqZt2rV8yG7MfBXN
X-Received: by 10.99.116.82 with SMTP id e18mr3807706pgn.3.1515421092220;
        Mon, 08 Jan 2018 06:18:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1515421092; cv=none;
        d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=importance:date:subject:from:to:mime-version:message-id
         :arc-authentication-results;
        bh=Ce7aoijsgkaF6otzXyHekJBxp+CbaWNpalc+L5wvBPg=;
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of qqb65by9k@sunny.ocn.ne.jp designates 153.149.230.3 as permitted sender) smtp.mailfrom=qqb65by9k@sunny.ocn.ne.jp
Return-Path: <qqb65by9k@sunny.ocn.ne.jp>
Received: from mbkd0102.ocn.ad.jp (mbkd0102.ocn.ad.jp. [153.149.230.3])
        by mx.google.com with ESMTP id b2si7495207pgn.405.2018.01.08.06.18.11
        for <x>;
        Mon, 08 Jan 2018 06:18:12 -0800 (PST)
Received-SPF: pass (google.com: domain of qqb65by9k@sunny.ocn.ne.jp designates 153.149.230.3 as permitted sender) client-ip=153.149.230.3;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of qqb65by9k@sunny.ocn.ne.jp designates 153.149.230.3 as permitted sender) smtp.mailfrom=qqb65by9k@sunny.ocn.ne.jp
Received: from mf-smf-ucb013.ocn.ad.jp (mf-smf-ucb013.ocn.ad.jp [153.149.228.232]) by mbkd0102.ocn.ad.jp (Postfix) with ESMTP id 27259100D091; Mon,
  8 Jan 2018 23:18:10 +0900 (JST)
Received: from mf-smf-ucb013.ocn.ad.jp (mf-smf-ucb013 [153.149.228.232]) by mf-smf-ucb013.ocn.ad.jp (Postfix) with ESMTP id 0C595A00238; Mon,
  8 Jan 2018 23:18:10 +0900 (JST)
Received: from ntt.pod01.mv-mta-ucb027 (mv-mta-ucb027.ocn.ad.jp [153.149.142.101]) by mf-smf-ucb013.ocn.ad.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id w08EI9Yc049183; Mon, 8 Jan 2018 23:18:09 +0900
Message-Id: <2018___________________9183@mf-smf-ucb013.ocn.ad.jp>
Received: from smtp.ocn.ne.jp ([153.149.227.134]) by ntt.pod01.mv-mta-ucb027 with id vqJ21w0042ud8JZ01qJ2V8; Mon, 08 Jan 2018 14:18:09 +0000
Received: from smtp.ocn.ne.jp (unknown [113.190.137.50]) by smtp.ocn.ne.jp (Postfix) with ESMTPA; Mon,
  8 Jan 2018 23:18:01 +0900 (JST)
MIME-Version: 1.0
To: x <x>, x <x>, bmw x <x>, pandothis x <x>, PandoMovies TVShows x <x>, pando mine x <x>, PurrsPando x <x>, pando mega media x <x>, x <x>
From: crystal coleman <qqb65by9k@sunny.ocn.ne.jp>
Subject:
Date: Mon, 8 Jan 2018 04:17:59 -1000
Importance: normal
X-Priority: 3
Content-Type: multipart/alternative; boundary="_16A9152F-11C4-45CB-CD90-87F94A03CB8B_"

--_16A9152F-11C4-45CB-CD90-87F94A03CB8B_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

http://now.yourprofitsunleashed.net
Crystal Coleman



--_16A9152F-11C4-45CB-CD90-87F94A03CB8B_--

Whenever possible, instead of reporting emails to OCN (abuse [at] ocn.ad.jp) using the reporting form, I look for the X-Originating-IP at the end of the email and try to report it that way by replacing OCN's IP address in the 1st Received line such as the one below:

Received: from mbkd0102.ocn.ad.jp (mbkd0102.ocn.ad.jp. [153.149.230.3])

with the one in the X-Originating-IP which is usually a 41.xx.xxx.x and usually, the ISP's email address that comes up is netabuse [at] mtn.bj. 

 Steve

9 hours ago, Steve said:

I've reported several hundred spam messages with no let up in messages being sent from their network.

Here's a recent (January 8th) auto-reply email I got from sending a report to abuse [at] ocn.ad.jp through the reporting form: 

113.190.137.50 is where it came from "hm-changed [at] vnnic.vn" in notes put

compromised/forged web and or email accounts

BLOCK OUTBOUND PORT 25, 
RESERVE FOR LEGIT EMAIL SERVER
Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)
FAQ see
https://www.spamhaus.org/faq/section/Spamhaus PBL
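Added example, not part of any post in this thread and not SpamCop's own parser: the header walk the posts above do by hand, run on the Received lines of the quoted report. The 153.149.0.0/16 relay range and the names `parse_hops`, `in_relay` and `analyse` are assumptions made for the example.

```python
import ipaddress
import re
from email import message_from_string

# Received headers copied (refolded) from the report quoted in this thread, newest first.
SAMPLE = """\
Received: by 10.25.81.199 with SMTP id g68csp1495561lfl; Mon, 8 Jan 2018 06:18:12 -0800 (PST)
Received: from mbkd0102.ocn.ad.jp (mbkd0102.ocn.ad.jp. [153.149.230.3])
        by mx.google.com with ESMTP id b2si7495207pgn.405.2018.01.08.06.18.11 for <x>;
        Mon, 08 Jan 2018 06:18:12 -0800 (PST)
Received: from mf-smf-ucb013.ocn.ad.jp (mf-smf-ucb013.ocn.ad.jp [153.149.228.232])
        by mbkd0102.ocn.ad.jp (Postfix) with ESMTP id 27259100D091; Mon, 8 Jan 2018 23:18:10 +0900 (JST)
Received: from mf-smf-ucb013.ocn.ad.jp (mf-smf-ucb013 [153.149.228.232])
        by mf-smf-ucb013.ocn.ad.jp (Postfix) with ESMTP id 0C595A00238; Mon, 8 Jan 2018 23:18:10 +0900 (JST)
Received: from ntt.pod01.mv-mta-ucb027 (mv-mta-ucb027.ocn.ad.jp [153.149.142.101])
        by mf-smf-ucb013.ocn.ad.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id w08EI9Yc049183; Mon, 8 Jan 2018 23:18:09 +0900
Received: from smtp.ocn.ne.jp ([153.149.227.134]) by ntt.pod01.mv-mta-ucb027 with id vqJ21w0042ud8JZ01qJ2V8; Mon, 08 Jan 2018 14:18:09 +0000
Received: from smtp.ocn.ne.jp (unknown [113.190.137.50]) by smtp.ocn.ne.jp (Postfix) with ESMTPA; Mon, 8 Jan 2018 23:18:01 +0900 (JST)
"""
# Assumption for this example: one range covering the OCN relay addresses seen in SAMPLE.
RELAY_NETS = ("153.149.0.0/16",)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """One dict per Received header that names a peer IP, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        ip = IP_RE.search(flat.split(" by ", 1)[0])
        if not flat.startswith("from ") or not ip:
            continue  # internal hand-off that names no peer address
        proto = re.search(r" with (E?SMTP\w*)", flat)
        hops.append({"peer_ip": ip.group(1), "proto": proto.group(1) if proto else None})
    return hops


def in_relay(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as outside and stop trusting here
    return any(addr in n for n in nets)


def analyse(raw, relay_nets=RELAY_NETS):
    """Find the hop where the message entered the relay's network."""
    nets = [ipaddress.ip_network(n) for n in relay_nets]
    hops = parse_hops(raw)
    # The first outside peer was recorded by a relay server; headers below it
    # were written before the relay saw the message and cannot be verified.
    entry = next((h for h in hops if not in_relay(h["peer_ip"], nets)), None)
    hint = IP_RE.search(message_from_string(raw).get("X-Originating-IP", ""))
    return {
        "relay_handoff": hops[0]["peer_ip"] if hops else None,
        "entry_ip": entry["peer_ip"] if entry else None,
        "authenticated": bool(entry and entry["proto"] and entry["proto"].upper().endswith("A")),
        "x_originating_ip": hint.group(1) if hint else None,  # set by the sender side, hint only
    }
```

On the sample, the hand-off address is the OCN server that a report goes to by default, while the entry address is the client that submitted the message to OCN over authenticated SMTP (`ESMTPA`).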

Is there any surefire way to get ocn.ad/ne.jp emails to stop (of course, aside from setting a filter to send them to trash) because reporting to abuse (at) ocn.ad.jp seems like NTT doesn't give a crap despite the auto-reply email they send out. Also, why doesn't SC parse the originating IP address since that's where the emails originate from despite the spammer (scammer) using NTT's servers to send this crap?

Edited by Steve


 abuse (at) ocn.ad.jp do deal with spammers just don't tell you


Then why haven't they stopped all spam yet despite the hundreds if not thousands of reports sent?

On 5/4/2016 at 11:21 AM, paulgj said:

Lately I don't get a huge amount of spam but it seems like almost all the spam I do get ends up being reported to abuse[at]ocn.ad.jp.    There seems to be no letup in the quantity though, so am wondering if ocn.ad.jp is actually a known spammer friendly provider of some kind?

Japanese have little English skills and tend to turn off malware programs like windows defender because it "nags" them

https://www.spamcop.net/sc?id=z6444739102zd3ea6cfa9f916bda689da0afcd930389z 

X-Originating-IP: [41.138.91.165] Etisalat Benin SA (SpamCop didn't pickup) in notes I put
compromised/forged web and or email accounts
If Microsoft Windows Defender is available to you, use it
Scan for Malware! THEN
Change log-on to a more secure password-Phrase! 



SpamCop reports to mail server 153.149.236.27  abuse (at) ocn.ad.jp

Other hosts in this "neighborhood" with spam reports


Edited by petzl


SC NEVER picks X-Originating-IP up in ocn.ad/ne.jp emails. I almost always (99% of the time) have to re-report the emails and replace the 1st 153.xxx.xxx.x/153.xxx.xxx.xx IP address with the IP in the X-Originating-IP field so it goes to that respective ISP.

 

Steve


 
Edited by Steve

12 hours ago, Steve said:

SC NEVER picks X-Originating-IP up in ocn.ad/ne.jp emails. I almost always (99% of the time) have to re-report the emails and replace the 1st 153.xxx.xxx.x/153.xxx.xxx.xx IP address with the IP in the X-Originating-IP field so it goes to that respective ISP.

 

Steve



 

SC will often stop at a mail server, as if in doubt it won't report, but you can take over


That's why, whenever possible, I take the X-Originating-IP address and replace it with NTT's and then report the email again.

15 hours ago, Steve said:

That's why, whenever possible, I take the X-Originating-IP address and replace it with NTT's and then report the email again.

I try to be better than SC and would add Botnet 41.138.91.165 abuse address (if any) to report [moov [at] moov.bj]

41.138.91.165    BOTNET
SEE https://www.abuseat.org/lookup.cgi

SEE ALSO CisCo sites REPUTATION IP LOOKUP
https://www.talosintelligence.com

If Microsoft Windows Defender is available to your customers, they need to  use it!
THEN Change Password


