MIG

Recipient address rejected: User unknown in relay recipient table


I'm guessing that when the spam report was originally sent by the Tracking URL above the report was sent to onyschenko_pb{AT}techcom{DOT}kiev{DOT}ua  (Today it would have gone to abuse{AT}pcn{DOT}com{DOT}ua)

However, on the way to kiev{DOT}ua,  relay6...ru realized that the spam report was coming from SpamCop or maybe saw the word "spam" and rejected the message sending a bounce message back to SpamCop.

When the bounce message got back to SpamCop they looked at your < Report reply handling > preferences and forwarded the bounce to you as the spam reporter.

It has been a while since I have received a reply to a spam report, but if you look at the header you should (if I am right) see that the message came from or through SpamCop, not from relay6.hosting.reg.ru

If any of this is correct, " Forward replies from people and robots " option is selected on preferences tab.

The spam report bounce may be the reason that the report would now be sent to a different ISP, or the change could be just a normal update.

2 hours ago, Lking said:

I'm guessing that when the spam report was originally sent by the Tracking URL above the report was sent to onyschenko_pb{AT}techcom{DOT}kiev{DOT}ua  (Today it would have gone to abuse{AT}pcn{DOT}com{DOT}ua)

However, on the way to kiev{DOT}ua,  relay6...ru realized that the spam report was coming from SpamCop or maybe saw the word "spam" and rejected the message sending a bounce message back to SpamCop.

When the bounce message got back to SpamCop they looked at your < Report reply handling > preferences and forwarded the bounce to you as the spam reporter.

It has been a while since I have received a reply to a spam report, but if you look at the header you should (if I am right) see that the message came from or through SpamCop, not from relay6.hosting.reg.ru

If any of this is correct, " Forward replies from people and robots " option is selected on preferences tab.

The spam report bounce may be the reason that the report would now be sent to a different ISP, or the change could be just a normal update.

Hey Lking,

Thank you, grass🦗hopper is grateful.

A clarification ( it was parsed today 19/02/19 09:11), I've run it thru the parser again,  now get same as you, abuse{AT}pcn{DOT}com{DOT}ua 😕'n, https://www.spamcop.net/mcgi?action=showadvanced, I don't have: 

" Forward replies from people and robots" option selected. My selection is: Forward only replies from sentient people & 🦗s.

And a question please: 194.5.250.154 results in "No reporting addresses found for 194.5.250.154, using devnull for tracking"

yet I get: zergrushsrlATgmailDOTcom

https://www.spamcop.net/sc?id=z6522763509z82aa2f32b8442c89e1e1df44dd3983f9z

194.5.250.154  / zergrushsrlATgmailDOTcom again, grass🦗hopperconfused, why is it so🤔?

Cheers.

Edited by MIG

20 hours ago, MIG said:

And a question please: 194.5.250.154 results in "No reporting addresses found for 194.5.250.154, using devnull for tracking"

yet I get: zergrushsrlATgmailDOTcom

The parser is a black box for security reasons mostly.  When you get a "No reporting address" routing refresh the page once or twice (buffering can be an issue).  Sometimes a refresh will update the addressing to a better address.

4 hours ago, Lking said:

 refresh will update the addressing to a better address.

grass🦗hopper did Master but grass🦗hopper got 6+ with zergrushsrlATgmailDOTcom, then I reach out on SCF & no more. Have you ever met a paranoid grass🦗hopper 👁️‍🗨️?

Edited by MIG

1 hour ago, MIG said:

grass🦗hopper did Master but grass🦗hopper got 6+ with zergrushsrlATgmailDOTcom, then I reach out on SCF & no more. Have you ever met a paranoid grass🦗hopper 👁️‍🗨️?

This is a redirect to a porno site

Find the IP of that site and report it; the following reply usually gets it taken down.
Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS

>

11 minutes ago, petzl said:

This is a redirect to a porno site

Find the IP of that site and report it; the following reply usually gets it taken down.
Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS

>

Thanks for the scri_pt Petzl. 

[Porn site] that's why grass🦗hopper  is so peeved!

Re [find the IP of that site] does that mean I have to go to that site? Rather not🤬

Why does everybody write scri_pt as scriunderscorept?

Thanks in advance. 

grass🦗hopper

Edited by MIG

2 hours ago, MIG said:

Re [find the IP of that site] does that mean I have to go to that site? Rather not🤬

I use a Windows program which is sort of free; they no longer sell the program
http://www.netdemon.net/

Text browser shows the IP and the redirect sites the destination site is run by
Needs working out by copy/pasting sites it forwards to and searching with new page.
The end site is this one 
52.30.84.167 blackhats abuse[AT]amazonaws.com 
My "scri_pt" is accurate enforced in USA so they would/should worry

Edited by petzl

4 hours ago, MIG said:

Why does everybody write scri_pt as scriunderscorept?

the SC forum software inserts the underscore to prevent spammers/scammers/hackers from running <java s c r i p t> either remotely or locally on the servers or the hosts.

it's a security feature ;)

6 hours ago, RobiBue said:

the SC forum software inserts the underscore to prevent spammers/scammers/hackers from running <java s c r i p t> either remotely or locally on the servers or the hosts.

it's a security feature ;)

Oh! Therefore SCF-sw more evolved than grass🦗hopper ,

grass🦗hopper shattered!

🤣

 


Hey Petzl, 

Re [http://www.netdemon.net/ "which is sort of free they no longer sell the program"], are you saying the component of netdemon (you use) to do [copy/pasting sites it forwards to and searching with new page] to get [IP and the redirect sites the destination site is run by] is not available on http://www.netdemon.net/ or via a registered netdemon account?

 

Cheers.

Edited by MIG

7 hours ago, MIG said:

are you saying the component of netdemon (you use)

Mine is not registered (lost my registration); it works well, but you need to work it out, which is not hard.
If a site redirects to another, netdemon shows you the site it redirects to; this requires another "netdemon window" to go to that site,
which will include the reportable IP of that redirected site. You can open many "panes" in netdemon

23 minutes ago, petzl said:

Mine is not registered (lost my registration); it works well, but you need to work it out, which is not hard.
If a site redirects to another, netdemon shows you the site it redirects to; this requires another "netdemon window" to go to that site,
which will include the reportable IP of that redirected site. You can open many "panes" in netdemon

Hey Petzl, 

Thank you. I entered the URL into netdemon, the resulting links were:

 Protocol:  http
     Host:  rrnntqutxtf.charlie-washington.info
     Path:  /
    Input:  ?eid=bWlnYWwwMEBob3RtYWlsLmNvbXwzMDcxNjM

--- Decoded URL:   [web-sniffer] - redirects to "This site can’t be reached"

http://rrnntqutxtf.charlie-washington.info/ -  The actual porn site - no way, no how.

Search newsgroups: charlie-washington.info - "This site can’t be reached"

OpenRBL Lookup:    rrnntqutxtf.charlie-washington.info http://openrbl.org/?i=rrnntqutxtf.charlie-washington.info&b= 

Query IP-Address 209.237.238.224 (UNRESOLVED)

  • IP-Address: 
  • Host-Name:  WARNING: Reverse-DNS missing 

209.237.238.224 > Unitedlayer 🤔

Search ROKSO: charlie-washington.info > [Spamhaus][Error 404 - File not found]

Whois: rrnntqutxtf.charlie-washington.info > [http://www.geektools.com/cgi-bin/proxy.cgi?query=rrnntqutxtf.charlie-washington.info&targetnic=auto] but where to from here?

Traceroute to: rrnntqutxtf.charlie-washington.info > [http://www.opus1.com/htbin/traceroute?debug=NO&query=rrnntqutxtf.charlie-washington.info][Object not found! The requested URL was not found on the Opus One server]

Would you mind chking [ https://www.spamcop.net/sc?id=z6523578908zcac6aea9fd1baba2a0870f1bd3f87baez  ] very curious to know what you get?

Re [netdemon shows the site it redirects to] ? Netdemon shows all of the above, unless it's a state secret, please share.

Re [you need to work it out which is not hard] Try being a grass🦗hopper  😂

Cheers!

Edited by MIG

1 hour ago, MIG said:

Hey Petzl, 

Thank you. I entered the URL into netdemon, the resulting links were:

 

I get 139.60.161.75  abuse[AT]hostkey.us bounces/bitbin try SALES[AT]HOSTKEY.COM
First URL
--- 02/22/19 05:27:49 AUS Eastern Daylight Time
--- reading URL http://rrnntqutxtf.charlie-washington.infx/?eid=bWlnYWwwMEBob3RtYWlsLmNvbXwzMDcxNjM
--- contacting host rrnntqutxtf.charlie-washington.info [139.60.161.75] on port 80

HTTP/1.1 302 Found
Server: nginx/1.10.2
Date: Thu, 21 Feb 2019 18:21:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Powered-By: PHP/5.3.3
Location: http://www.geoearnings.cxm/lgtrack/OTcuMTY?email=bWlnYWwwMEBob3RtYWlsLmNvbQ%3D%3D


--- connection closed
THEN URL http://www.geoearnings.cxm/ gives me another redirection 52.71.44.153  abuse@amazonaws.com USA - Washington

Final redirection https://www.localflirtbuddies.cxm      52.48.235.139  abuse[AT]amazonaws.com Ireland

get Cert address from here
https://www.first.org/members/teams/

include

 

Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS

>

amazonaws.com send your complaints to spammer,
These are the  Cybercriminals amazon are contacting in this case
"Thank you for submitting your abuse report. We have begun our investigation into the source of the activity or content you reported.
We've determined that an Amazon EC2 instance was running at the IP address you provided in your abuse report. We have reached out to our customer to determine the nature and cause of this activity or content in your report."

 

Edited by petzl
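
The hop-by-hop tracing described in the post above can be done offline on response headers saved from a text client. This is an added example, not code from the thread or from netdemon; it also flags base64 values in parameters such as `eid=` or `email=`, which can carry the recipient's address, so fetching the link confirms the address to the sender. Hosts, address and captures are constructed, and the function names are hypothetical.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, urljoin, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_redirect(request_url, raw_response):
    """Return (status, absolute redirect target or None) from raw response headers."""
    lines = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    target = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location" and status in (301, 302, 303, 307, 308):
            target = urljoin(request_url, value.strip())
    return status, target

def embedded_addresses(url):
    """E-mail addresses carried as base64 in the URL's query values or path segments."""
    parts = urlsplit(url)
    found = set()
    for token in [v for _, v in parse_qsl(parts.query)] + parts.path.split("/"):
        if len(token) < 8:
            continue
        try:  # senders often strip the '=' padding, so restore it before decoding
            text = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        found.update(EMAIL_RE.findall(text))
    return sorted(found)

def summarize_chain(hops):
    """hops: (request_url, raw_response) pairs saved from a text client, in order."""
    rows = []
    for url, raw in hops:
        status, target = parse_redirect(url, raw)
        tagged = set(embedded_addresses(url)) | set(embedded_addresses(target or ""))
        rows.append({"host": urlsplit(url).hostname, "status": status,
                     "next": target, "recipient_tags": sorted(tagged)})
    return rows

# Constructed sample capture (hypothetical hosts and address, not the thread's data).
ADDR = b"someone@example.com"
EID = base64.b64encode(ADDR + b"|12345").decode().rstrip("=")
HOP2 = "http://ads.example.test/lgtrack/x?email=" + quote(base64.b64encode(ADDR).decode())
SAMPLE_HOPS = [
    ("http://tracker.example.test/?eid=" + EID, "HTTP/1.1 302 Found\r\nLocation: " + HOP2 + "\r\n\r\n"),
    (HOP2, "HTTP/1.1 302 Found\r\nlocation: https://landing.example.test/\r\n\r\n"),
    ("https://landing.example.test/", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]

if __name__ == "__main__":
    for row in summarize_chain(SAMPLE_HOPS):
        print(row)
```

Each row's `host` is what gets resolved to find the network to report; a non-empty `recipient_tags` means the link identifies the reporter, so strip or replace that token before testing the URL anywhere.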

31 minutes ago, petzl said:

I get 139.60.161.75  abuse[AT]hostkey.us bounces/bitbin try SALES[AT]HOSTKEY.COM
First URL
--- 02/22/19 05:27:49 AUS Eastern Daylight Time
--- reading URL http://rrnntqutxtf.charlie-washington.infx/?eid=bWlnYWwwMEBob3RtYWlsLmNvbXwzMDcxNjM
--- contacting host rrnntqutxtf.charlie-washington.info [139.60.161.75] on port 80

HTTP/1.1 302 Found
Server: nginx/1.10.2
Date: Thu, 21 Feb 2019 18:21:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Powered-By: PHP/5.3.3
Location: http://www.geoearnings.cxm/lgtrack/OTcuMTY?email=bWlnYWwwMEBob3RtYWlsLmNvbQ%3D%3D

--- connection closed
THEN URL http://www.geoearnings.cxm/ gives me another redirection 52.71.44.153  abuse@amazonaws.com USA - Washington

Final redirection https://www.localflirtbuddies.cxm      52.48.235.139  abuse[AT]amazonaws.com Ireland

get Cert address from here
https://www.first.org/members/teams/
 

Hey Petzl,

Thank you.

The bit I don't understand is why SC parser doesn't also drag up amazonaws?

I do always report to Amazonaws when I know they're in the loop, I was relying on SC to detect... They've always been very responsive to every report I forwarded. 

Now with your advice it seems as if I'll have to do additional interrogation to find any buried related sources.

I'm happy to do the extra digging, just wish I'd known it was necessary. 

The last 30+-  have all had hostkey,  was starting to get po'd; happy now I can do something extra.

Cheers!

grass🦗hopper

6 minutes ago, MIG said:

The bit I don't understand is why SC parser doesn't also drag up amazonaws?

SC just looks at the link provided; the link in this case is a redirect link with an abuse address that bounces.
Try to be better than SpamCop if you have the time
In the case of porn spammers send to the CERT of that country as well.

Edited by petzl

39 minutes ago, petzl said:

SC just looks at the link provided; the link in this case is a redirect link with an abuse address that bounces.
Try to be better than SpamCop if you have the time
In the case of porn spammers send to the CERT of that country as well.

SC, I see! Thanks. 

Time, I always have the time if it means pulverising a spammer. Even if they do mutate like ebola.

CERT of that country, cool, I did not know that. Thank you!

If you don't mind please chk [ https://www.spamcop.net/sc?id=z6523510515zc7e28a23652bcebaa6a110ff76938540z ] I'd like to make sure I understand your methodology please.

Cheers!

 

Edited by MIG

On 2/22/2019 at 7:48 AM, petzl said:

just get the bogus abuse email address right "granatnetou[AT]gmail.com" Ukraine bogus address
https://www.first.org/members/teams/cert-ua

 URL abuse[AT]hostkey.us bounce try sales
https://www.us-cert.gov

 

[hostkey.us]sales I got that, I'm trying to understand NetDemon in relation to your posts.

Cheers.

Edited by MIG

20 minutes ago, MIG said:

[hostkey.us]sales I got that, I'm trying to understand NetDemon in relation to your posts.

netdemon offers a safe txt browser.
I use this to get IP's of URL's
I get spammed by Russian crime gang and not keen on clicking link.
They sometimes try to download ransomware to your computer.

Edited by petzl

On 2/22/2019 at 8:13 AM, petzl said:

netdemon offers a safe txt browser.
I use this to get IP's of URL's
I get spammed by Russian crime gang and not keen on clicking link.
They sometimes try to download ransomware to your computer.

Hey Petzl, 

grass🦗hopper prefers VirusTotal, same results without the dead links.

Cheers.

Edited by MIG

6 hours ago, MIG said:

Hey Petzl, 

grass🦗hopper prefers VirusTotal, same results without the dead links.

Cheers.

Netdemon gives the IP address.
Just tried it yes it works well thanks

https://www.virustotal.com/#/url/87a1133f47025b43f18b4af7431bc40fb324c2ca6ff58f922e98ea7093ce8d3e/detection

Edited by petzl
