Peace Freak

spam from Google Hosted website??

17 posts in this topic

Am not sure if this is the right forum to be posting this...

I'm currently getting 80 to 120 spam a day from what appears to be a single spammer. 

I've been consistent in submitting the spam but there has been zero reduction in their number... Below is what I see in the SpamCop reporting window.

Google seems to be ignoring these reports.

Does anyone have any suggestions on getting google to do something about this?

Thanks!

Re: 151.150.58.94 (Administrator of network where email originates)
 To: clifford.vaughan@honeywell.com (Notes)

Re:http://trollssupportsshowstopper.site/7g5HwW8HF... (Administrator of network hosting website referenced in spam)
 To: google-cloud-compliance@google.com (Notes)

Re:http://trollssupportsshowstopper.site/NWv9mMy97... (Administrator of network hosting website referenced in spam)
 To: google-cloud-compliance@google.com (Notes)

 

 

 

 

Share this post


Link to post
Share on other sites

PF there are two reasons the spam reports you reference were sent.

  1. a report was sent to honeywell.com as the sender of the email/spam
  2. two reports were sent to google.com as the host of web pages referenced in the spam

Google can not control the sender of email that includes links to web pages in their domain.  In the pasted it was common for weight loss/nutrition supplement sellers to buy full page articles (advertisements) in papers like the New York Times.  They then reference the NYT in their spam.  Obviously the paper could not stop the spam.  They have stopped taking the ads.

Share this post


Link to post
Share on other sites

Thanks for helping me understand the situation. So from what your saying there is nothing further that I can do?

Share this post


Link to post
Share on other sites

Keep reporting.  Perhaps adding KnujOn.net, fda.gov, acma.gov.au uce.gov

Share this post


Link to post
Share on other sites

Thank you. Should I just add the addresses:

nonreg@knujon.net, spam@UCE.GOV, report@submit.spam.acma.gov.au, uce@ftc.gov

to Personal copies of outgoing reports in SpamCop Preferences?

Also, is there a reporting plugin available for Apple Mail or some other method to make reporting easier?

Thank you?

Share this post


Link to post
Share on other sites
On 12/21/2017 at 9:47 AM, Peace Freak said:

Thanks for helping me understand the situation. So from what your saying there is nothing further that I can do?

Try giving a "Tracking URL" at top of SpamCop reporting page BEFORE you submit.

Share this post


Link to post
Share on other sites

Not sure what you mean by "try giving a "Tracking URL". A tracking URL appears at the top of the spam reporting window. Should I copy it somewhere?

Share this post


Link to post
Share on other sites

Should I copy it somewhere?  Yes.

That was a gentle suggestion to include the Tracking URL of a spam report you are posting about.  That way all of us can see the full email & header, the information the parser found and what action the parser suggested.

 

 

Share this post


Link to post
Share on other sites
22 hours ago, Peace Freak said:

OK this is a redirection site put in comments
Just save BELOW as a text file, this should grab their attention also copy and paste, above porn spammer text, "IP(Administrator of network where email originates)" and "URL IP Resolves to 35.225.234.14"

Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS

>

Share this post


Link to post
Share on other sites

Thanks Petxl, I would definitely like to improve the reports I send but I don't fully understand your instructions.

Firstly, that spam was already submitted. So I guess you are you saying that for future spam of a similar nature I should write in the "Additional notes (optional - max 2000 characters)" section, the IP address, and also:

***
Child porn spammer 

pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS
***

Is this correct?

Share this post


Link to post
Share on other sites
2 hours ago, Peace Freak said:

Thanks Petxl, I would definitely like to improve the reports I send but I don't fully understand your instructions.

Firstly, that spam was already submitted. So I guess you are you saying that for future spam of a similar nature I should write in the "Additional notes (optional - max 2000 characters)" section, the IP address, and also:

***
Child porn spammer 

pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS
***

Is this correct?

Yes in additional notes  put that in plus the IP address of The spam source and the URL IP resolves to under that put ">" to stop SpamCop formating it different

Send a report to yourself so you see what a abuse desk does 

SpamCop without "additional notes" is just headers  and body text makes it hard below is what I put in

Quote

 SpamCop V4.8.6 ]
This message is brief for your comfort.  Please use links below for details.

User-targeted report, see notes, if any.
  deleted
183.32.221.122 is open proxy, see: https://www.spamcop.net/mky-proxies.html

[ Additional comments from recipient ]
cncert@cert.org.cn 183.32.221.122 is an open proxy BOTNET SEE https://www.abuseat.org/lookup.cgi SEE ALSO CisCo sites REPUTATION IP LOOKUP https://www.talosintelligence.com If Microsoft Windows Defender is available to you, use it! THEN Change Password
Other BOTNEThosts in this "neighborhood" with spam reports 183.32.220.123 183.32.220.134 183.32.220.135 183.32.220.137 183.32.220.168 183.32.220.190 183.32.220.208 183.32.220.213 183.32.220.219 183.32.220.235 183.32.220.241 183.32.220.243 183.32.220.245 183.32.220.247 183.32.221.1 183.32.221.5 183.32.221.74 183.32.221.124 183.32.221.136 183.32.221.145 183.32.221.160 183.32.221.162 183.32.221.179 183.32.221.182 183.32.221.186 183.32.221.204 183.32.221.207 183.32.221.246 183.32.221.248 183.32.221.255 183.32.222.0 183.32.222.24 183.32.222.29 183.32.222.31 183.32.222.35 183.32.222.37 183.32.222.44 183.32.222.57 183.32.222.75 183.32.222.76 183.32.222.92 183.32.222.93 183.32.222.107 183.32.222.115

[ Offending message ] Return-Path: <277387642@qq.com> Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by sloti1d2t03 (Cyrus fastmail-fmjessie46427-15765-git-fastmail-15765) with LMTPA; Fri, 22 Dec 2017 15:26:25 -0500

 

Share this post


Link to post
Share on other sites

Have started to follow your suggestions. The IP addresses do not resolve to a URL. Here are 4 that I tried:

213.173.54.67
213.190.7.23
217.18.56.98
193.176.18.54

I wonder why?

Thank you for introducing CBL and Talos. Checked both IPs with them but they were not listed or neutral.

Would appreciate any comments and/or suggestions.

Share this post


Link to post
Share on other sites
5 hours ago, Peace Freak said:

213.173.54.67
213.190.7.23
217.18.56.98
193.176.18.54

Using https://whoisip.ovh identifies country of IP then send incident to relevant CERT https://www.first.org/members/teams/ (view all page bottom)
1  info@us-cert.gov no whois address?

2  info@us-cert.gov no whois address?

3 cert@ncsc.nl no whois address?

4 cert@ncsc.nl no whois address?

Aways in "Additional notes (optional - max 2000 characters): " I have created some templates saved in "notepad"  to copy and paste ALWAYS under text put in > or SpamCop format to one unreadable line send a copy to yourself to improve

Share this post


Link to post
Share on other sites

Thanks Petxl, I followed your advice about adding notes with the IP address as well as other information. This was the basic content:

***
This is a CHILD PORN spammer!
Pictures of girls under 18, or made to look under 18.
NO PROOF OF AGE available on the site! 
THIS spam WAS SENT TO MINORS!

IP Address: 

Please investigate and stop this disgusting spammer! Thank you!
***

For spam from amazonaws.com I manually sent a spam report with the full content of the email via my email application to (I copied everything in: "View full message" into the email):

ec2-abuse@amazon.com

This was effective as Amazon is very diligent, and within a day or two they'd get back to me and report:

...We've determined that an Amazon EC2 instance was running at the IP address you provided  in your abuse report. We have reached out to our customer to determine the nature and cause of this activity or content in your report... etc.

After about 10 or 15 of such submits, the spam from Amazon stopped!

Regardless, the spam from Google continued unabated.

At the beginning, all the spam from this spammer had different subjects and content, but then whoever it was started to send each spam out in duplicate or triplicate. I guess they were pushing me, thinking I would give up reporting, given the amount of spam they were sending... Nevertheless, I was relentless in reporting every single one, sometimes it would take me an hour or more each day!

But good news, finally, three of four days ago it all stopped! Who knows what happened, maybe whoever it was took a vacation... but for now there is no more spam from that entity!!

It may be a bit early, but thanks to everyone for their advice.

Share this post


Link to post
Share on other sites

Good work! Being relentless does work.  I know the effort is time consuming, I just spend 1/2 hour to clear the spam out of this forum and will not start on my private accounts. The fight goes on, Thanks.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now