MDMesser001

Any point in reporting spam from AMAZONAWS?

14 hours ago, petzl said:

I always forward my Amazon spam to abuse [AT] amazon [DOT] com
 

I used to send to:

abuse@amazonaws.com,

ec2-abuse@amazon.com,

ipmanagement@amazon.com,

abuse@amazon.com

 

I have found that all except “ipmanagement” are now not sent in SpamCop. That’s ok if the ipmanagement one can work. I cannot say it reduced my spam in any way, but complaining directly to the “businesses”  might be working. I think, somehow, most of my spam is from an affiliate marketeer. One that follows many very bad practices in email marketing and is also terrible at managing opt outs.

5 hours ago, Hanco said:

I have found that all except “ipmanagement” are now not sent in SpamCop.

I just forward to "abuse [AT] amazon [DOT] com" "stop-spoofing [AT] amazon [DOT] com"
From my Gmail account directly

Edited by petzl

8 hours ago, Hanco said:

I have found that all except “ipmanagement” are now not sent in SpamCop. That’s ok if the ipmanagement one can work.

So, would it be worth us having someone point all the Amazon to ipmanagement or could it be possible that that group might not be in charge of all of their IPs?

On 2/11/2020 at 4:38 PM, gnarlymarley said:

So, would it be worth us having someone point all the Amazon to ipmanagement or could it be possible that that group might not be in charge of all of their IPs?

Dunno.

One thing I did find today, and it seems to list a lot of what I have seen in terms of spam email topics:

https://www.maxbounty.com/campaigns.cfm?offer_id=14005&mbs=Mailer&mba=Click Link&mbo=Medicare Guide - CPL (US)&mbc=14005&mbx1=&mbx2=
 

Thinking of contacting those folks and asking to be added to do not mail list... not sure yet 🤔 

Edited by Hanco


Well, now this is new.  I just got a bounce from amazon.  Hard to tell if gmail rejected my report to amazon or if amazon did.

 

Final-Recipient: rfc822; ec2-abuse@amazon.com
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp; Message rejected.  See https://support.google.com/mail/answer/69585 for more information.
Last-Attempt-Date: Sun, 16 Feb 2020 15:23:11 -0800 (PST)

 

6 minutes ago, gnarlymarley said:

Well, now this is new.  I just got a bounce from amazon.  Hard to tell if gmail rejected my report to amazon or if amazon did.

 


Final-Recipient: rfc822; ec2-abuse@amazon.com
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp; Message rejected.  See https://support.google.com/mail/answer/69585 for more information.
Last-Attempt-Date: Sun, 16 Feb 2020 15:23:11 -0800 (PST)

 

I occasionally get similar bounces.  Gmail occasionally flags the account as being a spammer, even though we are actually trying to send spam complaints.  I was told it was because I had too many addresses in the Cc section of the email.  Gmail even started bouncing the complaints sent to abuse@namecheapm, phishing-report@us-cert.gov and even spam@uce.gov because I was filing so many complaints a day.

9 minutes ago, goodnerd said:

I occasionally get similar bounces.  Gmail occasionally flags the account as being a spammer, even though we are actually trying to send spam complaints.  I was told it was because I had too many addresses in the Cc section of the email.

Yep, it did come from google.  I guess having one recipient is too much for them.  I submitted it to amazon using a different account and it went through.  Funny how the original email is not blocked, but attempts to report it are.

1 minute ago, gnarlymarley said:

Yep, it did come from google.  I guess having one recipient is too much for them.  I submitted it to amazon using a different account and it went through.  Funny how the original email is not blocked, but attempts to report it are.

Because the spam affiliate scam artist is income maybe. And AWS does like to get its income (funds its effort to dominate the online retail space?)


My spammer switched target sites again today. Cannot use the same domain/site in California (Google) for too many spams or it risks blacklist status and gets shut down. So it’s back to .RU or other Eastern Europe for a bit I guess.

Today’s fun fascinating final target spamvertized sites are 

rewardyoursurvey.com (I doubt the reward is enough for my time)

Any of you guys been seeing this in the hops from spam link to target site?

http://masscancel.site/r.php

or

mayattented.live site?

both hosted by DigitalOcean and both were created by the spam guy via Namecheap, before being used on the same day for the emails he sends.

19 minutes ago, Hanco said:

My spammer switched target sites again today.

Mine has switched to using a new shortener of http ://owl.li/**********.


Funny because all mine were either bit.ly or googleuser links (either way, it’s all about more redirects to hide behind)


I use those sites that scan the url for the redirects and see where they end up (if I have the time)


Well, I hope my spamming jerk of a friend is ok and did not get Coronavirus.... but today was pleasantly uninterrupted!

Yesterday I had a mail from them and for the first time in a LONG time it did not show SPF fail in the headers. In fact it reportedly associated itself with a well respected marketing outfit called ActiveCampaign.

Why do I rate AC so highly? Well they do at very least have an actually comprehensive guide on their long established site about how not to be classed as a spammer. All of which, I think I can truthfully say, my spammer friend(s) flaunt ignorance of!

https://www.activecampaign.com/legal/anti-spam-policy

Of course this may have been their last ditch attempt to list wash and maybe “Jason at ActiveCampaign d o t c o.m” was happy to give them my info to take me off their list. Who knows eh? At least it might be done with.

So what now? One day of nil spam does not maketh tranquility... it could be Coronavirus or something less scary. They may be back tomorrow. If they are, I’ll do everything I can to make their marketing ineffective and as fruitless as can be. Alternatively, if that is my lot, I’ll dance a jig, pour something cool and clear to drink, and store the folder of junk they’ve sent me away until they mess up and restart.

Fingers and toes crossed. Good luck all you spam warriors!

Edited by Hanco


And finally!

The source: strategiccompulytics.com

I may never know how they got my email address to send me periodic newsletters for these products or services:

“We have the internet cornered in all categories, from solar power, to credit repair, to dating, financial services, to senior care, and even health, life and auto insurance – so there is no shortage of opportunities to get the latest savings and new products to the market. Our job is to serve you, so we will continue to find the best direct partners and match them to your needs.”

If they are so keen on “serving” why do NONE of their “periodic newsletters” (sometimes sent up to 27 times in a day) mention Strategic Compulytics on them? 

For anyone else getting the same junk, maybe these super friendly guys are the true source. 
 

I hope this is useful to folks who might be dealing with never ending email arrival on the topics above and others that they don’t mention (tinnitus, erectile dysfunction, fungal nails, all of which have miracle cures doctors wish they understood and pharmaceutical companies want to hide from the public - allegedly!!)


Note: Better Business Bureau says Strategic Compulytics have not responded to their ask to stop claiming BBB accreditation

My current spam levels are now down to <0.5 per day average. The ones I get now are 419 Scam emails. They will stop once the sender isolates who is reporting their junk and gets their gmail/yahoo accounts closed.

On 10/28/2019 at 1:49 AM, Steve said:

I've also been getting amazonaws spam. It seems another IP address is included in the spam. It's 143.220.15.131 and registered to the Association of Medical Colleges (AAMC). I have tried reporting the IP address via SC to AAMC to both the dns AT aamc DOT org (which the SC parser forwards to postmaster AT aamc DOT org) and the postmaster address postmaster AT aamc DOT org on several occasions, with no response/effect. I was almost tempted a few times to write a letter and send it to them asking why their IP address appears in AmazonAWS spam. It's also ALWAYS the same content with the SAME links that aren't valid such as {spam link removed} (which the parser doesn't pick up. It only detects t.co/bit.ly links which even those get redirected and dev/nulled to twitterdoesntcareaboutspamreports@devnull.spamcop.net) or in the case of bit.ly links, sent to abuse AT bitly DOT com. Previous emails were coming from Parsec Cloud, Inc. Citrix is now being used as the bottom of the emails. Here's the original tracking url: https://www.spamcop.net/sc?id=z6585617008z355af39de650b47648e218409deb1a46z

{Quote of spam Deleted} -- To view the deleted material follow the tracking URL above.
Here's the parsing results for the AAMC IP address and the tracking URL: https://www.spamcop.net/sc?id=z6585618727zdf96eb88f2edb7ba97b2dad603fed48ez
 
Tracking message source: 143.220.15.131:

Routing details for 143.220.15.131
[refresh/show] Cached whois for 143.220.15.131 : dnsadministrator@aamc.org
Using abuse net on dnsadministrator@aamc.org
No abuse net record for aamc.org
Using default postmaster contacts postmaster@aamc.org

 

Clicking on the calendly link results in this:

 

with the links being reported to abuse AT cloudflare DOT com. Not that CF can do anything to take down the link.

 

 

Steve

Hi Steve

I have been getting unwanted crap from AAMC since many many months... they are recently using Azure spam hosts (from 1 to 3 different IP addresses each time).

After I immediately report them not only via SC (last reports are following)

https://members.spamcop.net/mcgi?action=gettrack&reportid=7093189629

https://members.spamcop.net/mcgi?action=gettrack&reportid=7093074814

https://members.spamcop.net/mcgi?action=gettrack&reportid=7093074009

but also via cert.microsoft.com they are stopping for a while then come back again. Problem is when I am reporting the AAMC spamming address (same you all reported, always the same e.g. 143.220.15.131) never comes out and all reports go to Microsoft, meaning /dev/null. Isn't there a way to make reports go to the damned dnsadministrator@aamc.org or jbartell@aamc.org which is another contact reported by whois?

 

1 hour ago, Thorin said:

Hi Steve

I have been getting unwanted crap from AAMC since many many months... they are recently using Azure spam hosts (from 1 to 3 different IP addresses each time).

After I immediately report them not only via SC (last reports are following)

https://members.spamcop.net/mcgi?action=gettrack&reportid=7093189629

https://members.spamcop.net/mcgi?action=gettrack&reportid=7093074814

https://members.spamcop.net/mcgi?action=gettrack&reportid=7093074009

but also via cert.microsoft.com they are stopping for a while then come back again. Problem is when I am reporting the AAMC spamming address (same you all reported, always the same e.g. 143.220.15.131) never comes out and all reports go to Microsoft, meaning /dev/null. Isn't there a way to make reports go to the damned dnsadministrator@aamc.org or jbartell@aamc.org which is another contact reported by whois?

 


If it is Azure spam include reporting to cert[AT] microsoft[DOT]com
For ALL hotmail spam I do.
Also learn to include a Tracking URL, these are at top of page BEFORE you submit spam

Edited by petzl

1 hour ago, Thorin said:

Isn't there a way to make reports go to the damned dnsadministrator@aamc.org or jbartell@aamc.org which is another contact reported by whois?

I believe this is what the forum subsection for reporting address issues is for.

http://forum.spamcop.net/forum/39-routing-report-address-issues/

9 hours ago, petzl said:

If it is Azure spam include reporting to cert[AT] microsoft[DOT]com
For ALL hotmail spam I do.
Also learn to include a Tracking URL, these are at top of page BEFORE you submit spam

Ehm, I already told I am always reporting to Microsoft regarding Azure spam both via e-mail (junk@office365.microsoft.com, abuse@microsoft.com, secure@microsoft.com, msndcc@microsoft.com, IOC@microsoft.com, report_spam@hotmail.com), SC and cert.microsoft.com website but it's always just like writing to /dev/null, they don't seem to take it seriously since the AAMC spamming rats always come back with new IP addresses to spam from.

11 hours ago, Thorin said:

Ehm, I already told I am always reporting to Microsoft regarding Azure spam both via e-mail (junk@office365.microsoft.com, abuse@microsoft.com, secure@microsoft.com, msndcc@microsoft.com, IOC@microsoft.com, report_spam@hotmail.com), SC and cert.microsoft.com website but it's always just like writing to /dev/null, they don't seem to take it seriously since the AAMC spamming rats always come back with new IP addresses to spam from.

spam stops when I report to Cert for me but takes microsoft around a month to reply?
I don't use SpamCop to report this they all need truncating. Microsoft claim they need full headers and body, I forward message name their IP and paste headers and body a space below. 

On 11/6/2020 at 10:34 PM, petzl said:

spam stops when I report to Cert for me but takes microsoft around a month to reply?
I don't use SpamCop to report this they all need truncating. Microsoft claim they need full headers and body, I forward message name their IP and paste headers and body a space below. 

Actually Microsoft did something: after reporting any of the spamming hosts hosted by Azure belonging to the AAMC house of spamming rats they may have taken down since every spam run I got after was originated from a different IP address.

Same goes for the spamming assholes at Wowrack.com, my old date spam companions since years (not over numbering, it is years they go on sending me their crap): the last one I reported  was this one

 

ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of nvrkhlhohoras@fantomiil-1.australiacentral.cloudapp.azure.com designates 13.79.243.243 as permitted sender) smtp.mailfrom=nvRkHLhoHOraS@fantomiil-1.australiacentral.cloudapp.azure.com
Return-Path: <nvRkHLhoHOraS@fantomiil-1.australiacentral.cloudapp.azure.com>
Received: from a7vp.j9glM2hEsnKgKqRD.COM (bqsqtintn-14.northeurope.cloudapp.azure.com. [13.79.243.243])
        by mx.google.com with ESMTP id z4si2987582wmi.27.2020.11.11.10.13.22
        for <xxx.xxx@gmail.com>;
        Wed, 11 Nov 2020 10:13:22 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of nvrkhlhohoras@fantomiil-1.australiacentral.cloudapp.azure.com designates 13.79.243.243 as permitted sender) client-ip=13.79.243.243;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of nvrkhlhohoras@fantomiil-1.australiacentral.cloudapp.azure.com designates 13.79.243.243 as permitted sender) smtp.mailfrom=nvRkHLhoHOraS@fantomiil-1.australiacentral.cloudapp.azure.com
Received: from efianalytics.com (efianalytics.com. 216.244.76.116)
List-Unsubscribe: <zMqRVfXQsini-hPIgoLQwVVoQ@[dom]>
From: "Melania" <xxx.xxx.zNDxUaxOIVsY@RpiLylERPzCP.edu.se>
Date: [Date]
Subject: CONFIRM YOUR "UNSUBSCIBE" PLEASE xxx.xxx.
 

and seemed to hit since on the following spam run they came back using their german spamming rats associates, xsserver.gmbh: this is a sample of two days ago

 

Delivered-To: xxx.xxx@gmail.com
Received: by 2002:ac9:686:0:0:0:0:0 with SMTP id o6csp292041oco;
        Tue, 10 Nov 2020 21:19:53 -0800 (PST)
X-Google-Smtp-Source: ABdhPJztzuLv5vnsJfVUnMWp3RtQyNHtoS7WajK+8o7FBtLUZRW3u29YCqyBD11SIxCZk0tk518g
X-Received: by 2002:adf:f246:: with SMTP id b6mr27298463wrp.111.1605071993246;
        Tue, 10 Nov 2020 21:19:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1605071993; cv=none;
        d=google.com; s=arc-20160816;
        b=bZNM3+3jdF4rkMz9lTocNi2BVWO3/gf+prBqKbx+TqakiDF2hxVGc2GBa/Devw/mAP
         ZEGwezR+ndZ9wENzeRUeRh1/EwpyoUOn9/pZi6E8FuwLHh6Pcjoen2KPj0lZOdKzJ679
         c71MTrZxgJwKt/R0ZfuOVuvwijXPPCapENDVMBEjZhlDRfbiJLKFbiqaRhTMJW0YkMTn
         PTCHgqaId7e6QsiJ+UGS9NpY1O+xNCzV01hUfq1AIUa2+ekTcinJXFxVTtNTaxkNnP5/
         lJ7P7pSrtg7MVt3HF3pVLA8W5BCnJoPpnZWPkwOySy2prcZxOg5AkRiM6iS9fAm/eFWe
         0ueg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=message-id:to:subject:date:from:list-unsubscribe
         :domainkey-signature:dkim-signature;
        bh=FcDs18rHaqo4LJ7x5Wp9kyyTbjq22dbZ7+yVDxCfJIo=;
        b=da6yXO+HBBgxvJqd22/cKrI0fjx6ge07ExSDX5EWJ13GhwroTnm3/P5sCwLmhbh1eU
         A+csULMWjSPniqdDsW0dHFHvhSM25I4mkQe509x6aqyX+E3Enf0uIAsUhPsBZnwjWRta
         VXj7Yb0Ofm0ZXd8nqKTjv5eMoIGklFR0Yaez1mSjyhHkvHB1CbpyFLHRESeXZDhXZ+f5
         rdWQxevaxOrmV8AG/a1f9zb+YkVAgIXzSTAg+D8ft01na1C8mNNlac+usfoI/Vn1FNmQ
         IYXz3IwgNXsK0m/uxpcnoPlaKK/Pxjjle2qMFqxbyvXcVqldI3mTJzJB4KBS8wf1o/Qt
         a/ZQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@spotnika.com header.s=mail header.b=jrWGr7Fx;
       spf=neutral (google.com: 195.62.46.23 is neither permitted nor denied by best guess record for domain of abuse@chacha.com) smtp.mailfrom=abuse@chacha.com
Return-Path: <abuse@chacha.com>
Received: from spotnika.com (spotnika.com. [195.62.46.23])
        by mx.google.com with ESMTP id x184si1107042wmx.89.2020.11.10.21.19.52
        for <xxx.xxx@gmail.com>;
        Tue, 10 Nov 2020 21:19:53 -0800 (PST)
Received-SPF: neutral (google.com: 195.62.46.23 is neither permitted nor denied by best guess record for domain of abuse@chacha.com) client-ip=195.62.46.23;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@spotnika.com header.s=mail header.b=jrWGr7Fx;
       spf=neutral (google.com: 195.62.46.23 is neither permitted nor denied by best guess record for domain of abuse@chacha.com) smtp.mailfrom=abuse@chacha.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=spotnika.com;
 h=List-Unsubscribe:From:Date:Subject:To:Message-Id:Content-Type; i=replyin@spotnika.com;
 bh=V07rnCA3cx7MJcl9lmTySlHt7EU=;
 b=jrWGr7FxYhiOm1OFdEwoF/lTpDPt16JdqW+phWTXcLn5Zh1GFNIaob1orlYXrLJiT3E1yYEUcimG
   fBhzb5vgGx5fMQMZMlNoPrqWnYOlBHLBqXZaOqje+y+SaLb+Tri9zRHq6NM4X7U8RQraJ0pl4xRR
   KBPzlAN5XRIG/7DTi9Q=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; d=spotnika.com;
 b=f+PMNcWX1nExvD8FxJ2mi8A7KzpArc3JfPbg9avARBzePrxN4K1T0f5aOnbJX2GTFFsPRf0GnliJ
   ol0wFV/akOFWQcBfrdj7d2xwidZizqIHHWPnM84EaT4nAPpj8ci16v6FaBrVsUdvPZzYWte/2w7r
   /Hc5PXivOMp30zKPZng=;
Received: from efianalytics.com (efianalytics.com. 216.244.76.116)
List-Unsubscribe: <Ukvp3bFB8gLt3ZzBr-KLo7x3HcafaJ@spotnika.com>
From: LawsuitWinning <replyin@spotnika.com>
Date: Tue, 10 Nov 2020 14:35:58 -0600
Subject: Boy Scouts Abuse Victims, Read This! Free Legal Review and Potential Compensation
To: xxx.xxx@gmail.com
Message-Id: <Ukvp3bFB8gLt3ZzBr-KLo7x3HcafaJ@spotnika.com>
X-EMMAIL: xxx.xxx@spotnika.com
Content-Type: text/html; charset=utf-8
 

 

10 hours ago, Thorin said:

and seemed to hit since on the following spam run they came back using their german spamming rats associates, xsserver.gmbh: this is a sample of two days ago

Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6690533908ze72fd31a4dff786edaf29eccae16c308z

Seeing forged headers! Hotmail never show originating IP.
With Gmail a powerful tool is to mark it as "Phishing"
Usually/often if you click unsubscribe it tries to get you to send a mail bomb to 50 reply addresses
Azure are offering spammers free throwaway cloud accounts, for couple of years now.
They need to get a valid credit card number to stop this spammer,
SpamCop parse picked up Azure in headers
spf=pass (google.com: best guess record for domain of nvrkhlhohoras@fantomiil-1.australiacentral.cloudapp.azure.com designates 13.79.243.243 as permitted sender) smtp.mailfrom=nvRkHLhoHOraS@fantomiil-1.australiacentral.cloudapp.azure.com

Edited by petzl
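
The header reading discussed in the last few posts, as an added example that is not part of any original post: it takes an abridged copy of the second header sample above and separates what the receiving MX recorded (the peer IP to report, SPF/DKIM verdicts) from `Received` lines that arrived with the message and cannot be verified. The function names, the choice of `mx.google.com` as the trusted receiver, the reading of Gmail's "best guess record" comment and the exact-match domain comparison are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged and refolded from the second header sample posted in this thread.
SAMPLE = """\
Received: from spotnika.com (spotnika.com. [195.62.46.23]) by mx.google.com with ESMTP
        for <xxx.xxx@gmail.com>; Tue, 10 Nov 2020 21:19:53 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@spotnika.com header.s=mail header.b=jrWGr7Fx;
       spf=neutral (google.com: 195.62.46.23 is neither permitted nor denied by best guess record for domain of abuse@chacha.com) smtp.mailfrom=abuse@chacha.com
Received: from efianalytics.com (efianalytics.com. 216.244.76.116)
From: LawsuitWinning <replyin@spotnika.com>
"""

def _dom(addr):
    return addr.rpartition("@")[2].lower()

def parse_received(value):
    """Extract HELO name, bracketed peer IP, stamping host and date marker from one Received header."""
    flat = " ".join(value.split())
    helo = re.match(r"from\s+(\S+)", flat)
    ip = re.search(r"\[([0-9A-Fa-f:.]+)\]", flat)
    by = re.search(r"\bby\s+(\S+)", flat)
    return {"helo": helo and helo.group(1), "ip": ip and ip.group(1),
            "by": by and by.group(1), "has_date": ";" in flat}

def parse_authres(value):
    """Return (authserv-id, {method: {"result": ..., property: value}})."""
    flat = " ".join(value.split())
    guessed = "best guess record" in flat  # assumption: Gmail's wording for a guessed SPF policy
    flat = re.sub(r"\([^()]*\)", "", flat)  # drop parenthesised comments
    parts = [p.strip() for p in flat.split(";") if p.strip()]
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        results[method] = {"result": result, **dict(t.split("=", 1) for t in tokens[1:] if "=" in t)}
    results.setdefault("spf", {})["best_guess"] = guessed
    return (parts[0].split()[0] if parts else ""), results

def analyze(raw, trusted_mx="mx.google.com"):
    """Separate what the receiving MX recorded from what arrived with the message."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Topmost hop stamped by our own MX; every Received line below it is sender-supplied.
    idx = next((i for i, h in enumerate(hops) if h["by"] == trusted_mx), -1)
    parsed = [parse_authres(v) for v in msg.get_all("Authentication-Results", [])]
    auth = next((res for serv, res in parsed if serv == trusted_mx), {})
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    from_dom = _dom(parseaddr(msg.get("From", ""))[1])
    return {
        "report_ip": hops[idx]["ip"] if idx >= 0 else None,
        "unverified_hops": [h["helo"] for h in hops[idx + 1:]],
        "malformed": [h["helo"] for h in hops if not (h["by"] and h["has_date"])],
        "spf": spf.get("result"), "spf_best_guess": spf.get("best_guess", False),
        "dkim": dkim.get("result"),
        # Exact-match comparison; DMARC relaxed mode would compare organisational domains.
        "spf_aligned": bool(from_dom) and _dom(spf.get("smtp.mailfrom", "")) == from_dom,
        "dkim_aligned": bool(from_dom) and _dom(dkim.get("header.i", "")) == from_dom,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On this sample the address to report is the one Gmail itself logged, 195.62.46.23; the `efianalytics.com` line has no `by` clause or timestamp and sits below the trusted hop, so it is listed as unverified rather than used for routing a complaint.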
