Steve

No reporting addresses found for 103.1.12.91, using devnull for tracking.

https://www.spamcop.net/sc?id=z6519956282z3287af6539a13394828b32aaa4e4b1a7z

 

Tracking message source: 103.1.12.91:

Routing details for 103.1.12.91
[refresh/show] Cached whois for 103.1.12.91 : iptech@readyspace.com.sg
info@readyspace.com.hk bounces (31 sent : 16 bounces)
Using best contacts

No reporting addresses found for 103.1.12.91, using devnull for tracking.

Message is X hours old
103.1.12.91 not listed in cbl.abuseat.org
103.1.12.91 not listed in dnsbl.sorbs.net
103.1.12.91 not listed in accredit.habeas.com
103.1.12.91 not listed in plus.bondedsender.org
103.1.12.91 not listed in iadb.isipp.com

 

I have tried refreshing the page with no change in result. I went ahead and manually reported the spam to the ISP. 

👍sounds good, would have sent it to both addresses myself :)

I do get these spams with the fake received line "s.okazik.pl" a lot. Looks like whoever wrote the spamming software is using it as something like a signature, as lots of fake "unsubscribe me" and "you have been successfully subscribed" spam contains that line.

3 hours ago, Steve said:

NETWORK OWNER  
103.1.12.91 email server - compromised email account - change password
Warning - Does not support TLS.
cs[AT]readyspace.com.hk

not stamping received IP, spammer is adding this to headers
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)  

Edited by petzl

18 hours ago, petzl said:

not stamping received IP, spammer is adding this to headers
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)  

Sorry, could you explain what you mean here? other language maybe? Deutsch? Español? Italiano? Français? Portugues?

I know that the spammer is placing this there, or at least the software he uses. That's why I said that whoever wrote the spammer's software is using it as some kind of a signature, maybe to see how many different spammers are using his software...

5 hours ago, RobiBue said:

Sorry, could you explain what you mean here? other language maybe? Deutsch? Español? Italiano? Français? Portugues?

I know that the spammer is placing this there, or at least the software he uses. That's why I said that whoever wrote the spammer's software is using it as some kind of a signature, maybe to see how many different spammers are using his software...

The email server (probably infected) is not stamping a received line. Instead it's stamping 
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)
On 2/10/2019 at 6:59 PM, petzl said:

The email server (probably infected) is not stamping a received line. Instead it's stamping 
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)
 

hehe :) I noticed, on google maps, that okazik.pl is a fully "blacked-out" 24h internet c@fe in a Polish city called Poznań, right between Berlin and Warsaw...

might even be the home of the original developer of the spamming malware...

20 minutes ago, RobiBue said:

hehe :) I noticed, on google maps, that okazik.pl is a fully "blacked-out" 24h internet c@fe in a Polish city called Poznań, right between Berlin and Warsaw...

might even be the home of the original developer of the spamming malware...

I get the IP 216.244.76.116 located in USA
https://www.talosintelligence.com/reputation_center/lookup?search=216.244.76.116

most likely an infected/compromised server

Edited by petzl

1 hour ago, petzl said:

I get the IP 216.244.76.116 located in USA
https://www.talosintelligence.com/reputation_center/lookup?search=216.244.76.116

most likely an infected/compromised server

yeah, that's why I'm saying, I believe that injected Received line acts somewhat as a signature placed there by the designer of the malware...

that IP might, at one time, have been assigned there... I don't know if there is a historical IP database available ;)

but I understand now what you meant. thanks.

2 hours ago, RobiBue said:

yeah, that's why I'm saying, I believe that injected Received line acts somewhat as a signature placed there by the designer of the malware...

that IP might, at one time, have been assigned there... I don't know if there is a historical IP database available ;)

but I understand now what you meant. thanks.

Reporting the IP address results in this address coming up: abuse@wowrack.com

I have tried reporting this IP address several times last year and a few times an employee said they will "Null-route" the IP address. But it still shows up in spam.

15 minutes ago, Steve said:

Reporting the IP address results in this address coming up: abuse@wowrack.com

I have tried reporting this IP address several times last year and a few times an employee said they will "Null-route" the IP address. But it still shows up in spam.

just checked, 216.244.76.116 is now "not a routeable IP address"

Edited by petzl


FYI reporting that specific address (the one given in the "obviously" fake received s.okazik.pl header) is pointless and makes no sense.

all it is, is a fake injected header line by the spammer or by the spammer software.

the actual Received: header line is

Received: from fervently.site (fervently.site. [103.1.12.91])
        by mx.google.com with ESMTP id c16si308648pgh.545.2019.02.09.06.43.54
        for <x>;
        Sat, 09 Feb 2019 06:43:54 -0800 (PST)
Received-SPF: temperror (google.com: error in processing during lookup of return@asciidic.com: DNS error) client-ip=103.1.12.91;
Authentication-Results: mx.google.com;
       spf=temperror (google.com: error in processing during lookup of return@asciidic.com: DNS error) smtp.mailfrom=return@asciidic.com

but as you can see, even Google mail sees a DNS problem with that IP address.

everything below these headers in the original spam is injected by the spammer's software

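The point petzl and RobiBue arrive at above (only the Received: line stamped by your own MX is trustworthy; anything below it, including the s.okazik.pl line, was written by the sender and is the wrong thing to report) can be turned into a small header-walking check. The following is an added example, not code from SpamCop or from anyone in this thread. It assumes the receiving MX is mx.google.com (the host named in the quoted headers), and the sample message is constructed from exactly the header lines quoted in the posts.

```python
import re

# Hosts we operate. A Received: line that says "by <one of these>" was written
# by our own MX and is the only kind of hop we can trust. (Assumed set for this example.)
OUR_MX_HOSTS = {"mx.google.com"}

# Constructed sample: the headers quoted in this thread, in the order they would
# appear in the message (topmost hop = most recent; the s.okazik.pl line sits below it).
SAMPLE_HEADERS = """\
Received: from fervently.site (fervently.site. [103.1.12.91])
        by mx.google.com with ESMTP id c16si308648pgh.545.2019.02.09.06.43.54
        for <x>;
        Sat, 09 Feb 2019 06:43:54 -0800 (PST)
Received-SPF: temperror (google.com: error in processing during lookup of return@asciidic.com: DNS error) client-ip=103.1.12.91;
Authentication-Results: mx.google.com;
       spf=temperror (google.com: error in processing during lookup of return@asciidic.com: DNS error) smtp.mailfrom=return@asciidic.com
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)
"""


def unfold_headers(raw):
    """Join RFC 5322 folded header lines; continuation lines begin with whitespace."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def header_values(headers, name):
    """All values of header `name`, in order of appearance (topmost = most recent)."""
    prefix = name.lower() + ":"
    return [h[len(prefix):].strip() for h in headers if h.lower().startswith(prefix)]


BY_HOST_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
FROM_COMMENT_RE = re.compile(r"^from\s+\S+\s*\(([^)]*)\)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def trusted_hop_count(hops, our_hosts):
    """Count the leading hops stamped by our own MX; every hop after them is sender-supplied."""
    n = 0
    for hop in hops:
        m = BY_HOST_RE.search(hop)
        if not m or m.group(1).lower() not in our_hosts:
            break
        n += 1
    return n


def connecting_ip(hop):
    """The IP our MX actually saw, taken from the comment after 'from <helo>' (e.g. '[103.1.12.91]')."""
    m = FROM_COMMENT_RE.match(hop)
    if not m:
        return None
    ip = IPV4_RE.search(m.group(1))
    return ip.group(1) if ip else None


def analyse(raw, our_hosts=OUR_MX_HOSTS):
    """Split Received: hops into trusted/untrusted and name the IP worth reporting."""
    headers = unfold_headers(raw)
    hops = header_values(headers, "Received")
    n = trusted_hop_count(hops, our_hosts)
    # The lowest hop our own MX wrote names the host that really delivered the message.
    source_ip = connecting_ip(hops[n - 1]) if n else None
    spf = header_values(headers, "Received-SPF")
    spf_result = spf[0].split()[0] if spf else None
    return {
        "source_ip": source_ip,
        "trusted_hops": hops[:n],
        "untrusted_hops": hops[n:],
        "spf_result": spf_result,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_HEADERS)
    print("report this IP :", report["source_ip"])
    print("SPF result     :", report["spf_result"])
    for hop in report["untrusted_hops"]:
        print("ignore (below our MX, sender-controlled):", hop)
```

Run against the sample, the check reports 103.1.12.91 as the delivering host, records the SPF temperror that Google logged for it, and lists the s.okazik.pl line as sender-controlled. The same walk works for any MX: the only thing to adjust is the set of hostnames you recognise as your own, and the walk stops at the first hop that was not stamped by one of them.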
