No reporting addresses found for 103.1.12.91, using devnull for tracking.

[Steve 0]

https://www.spamcop.net/sc?id=z6519956282z3287af6539a13394828b32aaa4e4b1a7z

 

Tracking message source: 103.1.12.91:

Routing details for 103.1.12.91
[refresh/show] Cached whois for 103.1.12.91 : iptech@readyspace.com.sg
info@readyspace.com.hk bounces (31 sent : 16 bounces)
Using best contacts

No reporting addresses found for 103.1.12.91, using devnull for tracking.

Message is X hours old
103.1.12.91 not listed in cbl.abuseat.org
103.1.12.91 not listed in dnsbl.sorbs.net
103.1.12.91 not listed in accredit.habeas.com
103.1.12.91 not listed in plus.bondedsender.org
103.1.12.91 not listed in iadb.isipp.com

 

I have tried refreshing the page with no change in result. I went ahead and manually reported the spam to the ISP. 

[RobiBue 0]

👍sounds good, would have sent it to both addresses myself

I do get these spams with the fake received line "s.okazik.pl" a lot. Looks like whoever wrote the spamming software is using it as something like a signature, as lots of fake "unsubscribe me" and "you have been successfully subscribed" spam contains that line.

[petzl 0]

3 hours ago, Steve said:

https://www.spamcop.net/sc?id=z6519956282z3287af6539a13394828b32aaa4e4b1a7z

 

Tracking message source: 103.1.12.91:

NETWORK OWNER  
103.1.12.91 email server - compromised email account - change password
Warning - Does not support TLS.
cs[AT]readyspace.com.hk

not stamping recived IP spammer is adding this to headers
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)  

Edited February 10 by petzl

[RobiBue 0]

18 hours ago, petzl said:

not stamping recived IP spammer is adding this to headers
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)  

Sorry, could you explain what you mean here? other language maybe? Deutsch? Español? Italiano? Français? Portugues?

I Know that the spammer is placing this there. or at least the software he uses. that's why I said that whoever wrote the spammer's software it is using it as some kind of a signature. maybe to see how many different spammers are using his software...

[petzl 0]

5 hours ago, RobiBue said:

Sorry, could you explain what you mean here? other language maybe? Deutsch? Español? Italiano? Français? Portugues?

I Know that the spammer is placing this there. or at least the software he uses. that's why I said that whoever wrote the spammer's software it is using it as some kind of a signature. maybe to see how many different spammers are using his software...

The email server (probably infected) is not stamping a received line. Instead it's stamping 
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)
 

[RobiBue 0]

On 2/10/2019 at 6:59 PM, petzl said:

The email server (probably infected) is not stamping a received line. Instead it's stamping 
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)
 

hehe I noticed, on google maps, that okazik.pl is a fully "blacked-out" 24h internet c@fe in a Polish city called Poznań, right between Berlin and Warsaw...

might even be the home of the original developer of the spamming malware...

[petzl 0]

20 minutes ago, RobiBue said:

hehe I noticed, on google maps, that okazik.pl is a fully "blacked-out" 24h internet c@fe in a Polish city called Poznań, right between Berlin and Warsaw...

might even be the home of the original developer of the spamming malware...

I get the IP 216. 244.76.116 located in USA
https://www.talosintelligence.com/reputation_center/lookup?search=216. 244.76.116

most likely a infected/compromised server  

Edited February 12 by petzl

[RobiBue 0]

1 hour ago, petzl said:

I get the IP 216. 244.76.116 located in USA
https://www.talosintelligence.com/reputation_center/lookup?search=216. 244.76.116

most likely a infected/compromised server  

yeah, that's why I'm saying, I believe that injected Received line acts somewhat as a signature placed there by the designer of the malware...

that IP might, at one time, have been assigned there... I don't know if there is a historical IP database available

but I understand now what you meant. thanks.

[Steve 0]

2 hours ago, RobiBue said:

yeah, that's why I'm saying, I believe that injected Received line acts somewhat as a signature placed there by the designer of the malware...

that IP might, at one time, have been assigned there... I don't know if there is a historical IP database available

but I understand now what you meant. thanks.

Reporting the IP address results in this address coming up: abuse@wowrack.com

I have tried reporting this IP address several times last year and a few times an employee said they will "Null-route" the IP address. But it still shows up in spam.

[petzl 0]

15 minutes ago, Steve said:

Reporting the IP address results in this address coming up: abuse@wowrack.com

I have tried reporting this IP address several times last year and a few times an employee said they will "Null-route" the IP address. But it still shows up in spam.

just checked 216. 244.76.116 is now "not a routeable IP address"

Edited February 12 by petzl

[RobiBue 0]

FYI reporting that specific address (the one given in the "obviously" fake received s.okazik.pl header) is pointless and makes no sense.

all it is, is a fake injected header line by the spammer or by the spammer software.

the actual Received: header line is

Received: from fervently.site (fervently.site. [103.1.12.91])
        by mx.google.com with ESMTP id c16si308648pgh.545.2019.02.09.06.43.54
        for <x>;
        Sat, 09 Feb 2019 06:43:54 -0800 (PST)
Received-SPF: temperror (google.com: error in processing during lookup of return@asciidic.com: DNS error) client-ip=103.1.12.91;
Authentication-Results: mx.google.com;
       spf=temperror (google.com: error in processing during lookup of return@asciidic.com: DNS error) smtp.mailfrom=return@asciidic.com

but as you can see, even Google mail sees a DNS problem with that IP address.

everything below these headers in the original spam is injected by the spammer's software