
What to do with Amazon hosted spammers


klappa


On 3/8/2019 at 12:18 AM, klappa said:

Which three regulatory authorities?

https://www.scamwatch.gov.au/    reportATsubmitDOTspamDOTacmaDOTgovDOTau

https://www.idcare.org/contact/report-phishing  reportphishingATidcareDOTorg

https://www.consumer.ftc.gov/   spamATuceDOTgov

& Petzl has mentioned phishing-reportATusDASHcertDOTgov

  • Does it really help?

Scamwatch:

quote "The Australian Communications and Media Authority (ACMA) receives information about spam via complaints and reports.  This information informs the ACMA’s compliance and enforcement activities.

Reporting is as simple as forwarding the message you have received to the ACMA’s spam Intelligence Database. Forwarding spam reports does not automatically stop the receipt of unwanted emails or SMS messages.

Complaints, submitted by completing the ACMA’s online complaint form about a message you have received, allow you to provide important background information, as well as consent for the ACMA to disclose your electronic address to the sender in the course of any enquiries that the ACMA makes.

Where the ACMA has been able to identify the sender of an email or SMS message, once per month the ACMA sends businesses a letter advising them that a complaint and/or report has been received about them.  This assists the company to review their business processes to ensure that they are meeting the requirements of the spam Act 2003 (spam Act).

If the ACMA continues to receive reports and/or complaints about a company, the ACMA may commence a formal investigation. 

Under the Privacy Act, the ACMA cannot disclose a recipient’s email address without their consent. Because of the manner in which spam reports are received, the ACMA is unable to obtain appropriate consent to disclose a recipient’s address to the senders of those messages. As such, the ACMA is not able to request that your address be unsubscribed on the basis of spam reports alone. This is only possible when a complaint has been submitted to the ACMA, as submission of the complaint form establishes consent to disclose this information.

spam reports are stored in the spam Intelligence Database.   The ACMA advises consumers not to alter emails when forwarding them as reports as this may interfere with the results when filtering for particular emails during the course of an investigation.  If a consumer wishes to make specific comments about an email, we recommend that they lodge a complaint.

In addition, the information gathered from complaints and reports is used as part of a wider education process.  The ACMA:

  • provides consumers with information on how to reduce the amount of spam they receive
  • informs Internet Service Providers (ISPs) about their obligations under the Act
  • produces and distributes comprehensive print publications and online material that offer detailed information and practical tips on avoiding and reducing spam, meeting the requirements of the spam Act and reporting spam." unquote

FTC:

quote "The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad." unquote

I'm sure there's others, as I come across them I post to the Forum.

Cheers!

Edited by MIG
Link to comment
Share on other sites


31 minutes ago, MIG said:

I'm sure there's others, as I come across them I post to the Forum.

Most USA Government agencies can't find their own ass!
However if you can hit a concerned party you are away. 

Link to comment
Share on other sites

11 hours ago, MIG said:

https://www.scamwatch.gov.au/    reportATsubmitDOTspamDOTacmaDOTgovDOTau

https://www.idcare.org/contact/report-phishing  reportphishingATidcareDOTorg

https://www.consumer.ftc.gov/   spamATuceDOTgov

& Petzl has mentioned phishing-reportATusDASHcertDOTgov

  • Does it really help?

Scamwatch:

quote "The Australian Communications and Media Authority (ACMA) receives information about spam via complaints and reports.  This information informs the ACMA’s compliance and enforcement activities.

Reporting is as simple as forwarding the message you have received to the ACMA’s spam Intelligence Database. Forwarding spam reports does not automatically stop the receipt of unwanted emails or SMS messages.

Complaints, submitted by completing the ACMA’s online complaint form about a message you have received, allow you to provide important background information, as well as consent for the ACMA to disclose your electronic address to the sender in the course of any enquiries that the ACMA makes.

Where the ACMA has been able to identify the sender of an email or SMS message, once per month the ACMA sends businesses a letter advising them that a complaint and/or report has been received about them.  This assists the company to review their business processes to ensure that they are meeting the requirements of the spam Act 2003 (spam Act).

If the ACMA continues to receive reports and/or complaints about a company, the ACMA may commence a formal investigation. 

Under the Privacy Act, the ACMA cannot disclose a recipient’s email address without their consent. Because of the manner in which spam reports are received, the ACMA is unable to obtain appropriate consent to disclose a recipient’s address to the senders of those messages. As such, the ACMA is not able to request that your address be unsubscribed on the basis of spam reports alone. This is only possible when a complaint has been submitted to the ACMA, as submission of the complaint form establishes consent to disclose this information.

spam reports are stored in the spam Intelligence Database.   The ACMA advises consumers not to alter emails when forwarding them as reports as this may interfere with the results when filtering for particular emails during the course of an investigation.  If a consumer wishes to make specific comments about an email, we recommend that they lodge a complaint.

In addition, the information gathered from complaints and reports is used as part of a wider education process.  The ACMA:

  • provides consumers with information on how to reduce the amount of spam they receive
  • informs Internet Service Providers (ISPs) about their obligations under the Act
  • produces and distributes comprehensive print publications and online material that offer detailed information and practical tips on avoiding and reducing spam, meeting the requirements of the spam Act and reporting spam." unquote

FTC:

quote "The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad." unquote

I'm sure there's others, as I come across them I post to the Forum.

Cheers!

Thanks but since this doesn't involve phishing they aren't relevant? And all parties involved reside in the US not Australia.

10 hours ago, petzl said:

Most USA Government agencies can't find their own ass!
However if you can hit a concerned party you are away. 

Seems like it.

Unfortunately the spam from this sex spammer has increased. It comes at more regular intervals now. I knew this would happen since I've clicked the spam links but there was no way to know the end resolving domain without doing so. There are no services or programs that follow all the way through his obfuscated domains to the end.

Namecheap just pretends they have nothing on him and their reply is

Quote

domain name is pointed to our URL forwarding server which means that we do not host the content in question, the server is used only for redirecting purposes. As for the sexyflirt.me domain name, it expired and is currently pointed to our parking page and will eventually be deleted.

You may also report the issue to the official authorities and ask them to investigate the issue. Namecheap Inc. regularly works with courts and law enforcement from the local to the international level. We will assist them any way we can.

Let us know if any additional questions arise.

Amazon abuse desk just replies with a short reply and urges me to go through National Center for Missing and Exploited Children

Seems pointless. I give up! The spammers always win.

Edited by klappa
Link to comment
Share on other sites

5 hours ago, klappa said:

Amazon abuse desk just replies with a short reply and urges me to go through National Center for Missing and Exploited Children

Seems pointless. I give up! The spammers always win.

They went away from me for a while, as Amazon refuse to take SpamCop reports
I send from the email it was sent to
These spammers have been kicked out of many "holes" before now reside with Amazon who have an incompetent abuse desk.
Amazon are offering free web space, which tells me their IT are causing them to go broke.
I will be adding "subpoena-criminal[x]amazon.cxm" to my reports to see if anyone in Amazon have brains or more pomposity
http://www.missingkids.org/gethelpnow/cybertipline    is a good link worth a try they can get a seizure order on Amazon sites 
Seem to be breaching "U.S. Department of Justice's Child Exploitation and Obscenity section"  (as usual U.S. agency that's broken, links are not updated)


Just checked seems Amazon are taking sites down. These creeps must be just signing up with a new free one as they get closed.

Edited by petzl
Link to comment
Share on other sites

On 3/10/2019 at 10:20 PM, petzl said:

They went away from me for a while, as Amazon refuse to take SpamCop reports
I send from the email it was sent to
These spammers have been kicked out of many "holes" before now reside with Amazon who have an incompetent abuse desk.
Amazon are offering free web space, which tells me their IT are causing them to go broke.
I will be adding "subpoena-criminal[x]amazon.cxm" to my reports to see if anyone in Amazon have brains or more pomposity
http://www.missingkids.org/gethelpnow/cybertipline    is a good link worth a try they can get a seizure order on Amazon sites 
Seem to be breaching "U.S. Department of Justice's Child Exploitation and Obscenity section"  (as usual U.S. agency that's broken, links are not updated)


Just checked seems Amazon are taking sites down. These creeps must be just signing up with a new free one as they get closed.

Tired of reporting. Bit.ly won't take down the sex dating sites. They seem to ignore Spamcop reports altogether.

Amazon promised to take action several times but nothing happens.

I've given up. Will close my e-mail account. It's for the better.

Link to comment
Share on other sites

4 hours ago, klappa said:

Tired of reporting. Bit.ly won't take down the sex dating sites. They seem to ignore Spamcop reports altogether.

Amazon promised to take action several times but nothing happens.

I've given up. Will close my e-mail account. It's for the better.

Oddly enough, I haven’t been getting any amazon/bit.ly spam as of a few days ago.

In fact, I haven’t had any spam since Saturday 9th at noon. :) /me happy/ :) 

Link to comment
Share on other sites

1 hour ago, RobiBue said:

Oddly enough, I haven’t been getting any amazon/bit.ly spam as of a few days ago.

In fact, I haven’t had any spam since Saturday 9th at noon. :) /me happy/ :) 

Glad for you. It has happened to me too but this sex spammer constantly spams me. He doesn't get any hits either when checking his bit.ly links. I don't know how he goes around.

I have other spammers, some Russian or Ukrainian drug pharmacy spam and a Chinese fake handbag spam but it's far as the sex spammer and a couple of phishing spam. I will close my account since it isn't one I use anymore anyway.

Link to comment
Share on other sites

8 hours ago, klappa said:

Amazon promised to take action several times but nothing happens.

Pretty sure these creeps are opening a new "free" amazon account when one is taken down.
Seems Amazon are shutting them down when reported from the spammed email address, stating IP address and copy and pasting full headers with report. 
https://www.virustotal.com/#/url/51cfab3c89b464ef6e07c89d13ae048eb6708dd49233bf740609da33f2834ea2/details
status: 404 Not Found

Edited by petzl
Link to comment
Share on other sites

53 minutes ago, petzl said:

Pretty sure these creeps are opening a new "free" amazon account when one is taken down.
Seems Amazon are shutting them down when reported from the spammed email address, stating IP address and copy and pasting full headers with report. 
https://www.virustotal.com/#/url/51cfab3c89b464ef6e07c89d13ae048eb6708dd49233bf740609da33f2834ea2/details
status: 404 Not Found

Which domain is that from? I don't recognize it. They usually use domains from Namecheap but mostly bit.ly links. But as said I don't know how they could get their business going? They only rarely get only a few hundred hits if even that. Then the unsuspecting user has to throw up the wallet and I guess that's much less, maybe in the single digits? But maybe in the total would amount to several thousand dollars.

I know they're running their domains spread out among several hosts. Usually using third party e-mail services to send their spam so they don't go around and compromise servers or domains. I have gotten these sex dating spam for several years now.

Edited by klappa
Link to comment
Share on other sites

1 hour ago, petzl said:

Pretty sure these creeps are opening a new "free" amazon account when one is taken down.
Seems Amazon are shutting them down when reported from the spammed email address, stating IP address and copy and pasting full headers with report. 
https://www.virustotal.com/#/url/51cfab3c89b464ef6e07c89d13ae048eb6708dd49233bf740609da33f2834ea2/details
status: 404 Not Found

I never report from the spammed email address, and always munge the latter.

Several providers have asked for full headers and I always tell them that the email address is of no concern to them as I do not wish retaliation or listwashing from their customers.

They sometimes claim it would be easier with my address, but I insist that they can enforce their AUP solely by the email received headers and the email content. This last scenario happened only twice in my umpteen years of reporting ;)

 

Link to comment
Share on other sites

1 hour ago, RobiBue said:

I never report from the spammed email address, and always munge the latter.

Several providers have asked for full headers and I always tell them that the email address is of no concern to them as I do not wish retaliation or listwashing from their customers.

They sometimes claim it would be easier with my address, but I insist that they can enforce their AUP solely by the email received headers and the email content. This last scenario happened only twice in my umpteen years of reporting ;)

 

And you're absolutely right, however with me I don't want spam and never munge my reports!
Where SpamCop won't send to an abuse desk I then send direct from the address that received the spam

Link to comment
Share on other sites

9 hours ago, klappa said:

That would be quite useless because

Seem to have some success with it
Another Forrest Gump moment for me?
https://www.businessinsider.com.au/facebook-criminal-investigation-data-sharing-2019-3?r=US&IR=T
 

Criminal  phishing, bogus reply address, bogus unsubscribe
This/my email address I believe sold to this Russian (?) Crime gang by FaceBook
..
email source
94.100.177.97  abusexcorp.maxl.ru

 

Link to comment
Share on other sites

On 3/14/2019 at 1:25 AM, petzl said:

Seem to have some success with it
Another Forrest Gump moment for me?
https://www.businessinsider.com.au/facebook-criminal-investigation-data-sharing-2019-3?r=US&IR=T
 


Criminal  phishing, bogus reply address, bogus unsubscribe
This/my email address I believe sold to this Russian (?) Crime gang by FaceBook
..
email source
94.100.177.97  abusexcorp.maxl.ru

 

Yes good for you but you are dealing with obvious phishing spam, I am not. It's a difference since I am dealing with sex spam. The sex spammers are running a scam business but it's still not phishing e-mail. Everyone takes spam less seriously.

Edited by klappa
Link to comment
Share on other sites

2 hours ago, klappa said:

You are dealing with obvious phishing spam, I am not. It's still not phishing e-mail. Everyone takes spam less seriously.

Hey  klappa,

As you receive the emails & process them via SpamCop can you post the tracking URLs to this forum please?

Cheers!

Link to comment
Share on other sites

On 3/15/2019 at 12:46 PM, klappa said:

Yes good for you but you are dealing with obvious phishing spam, I am not. It's a difference since I am dealing with sex spam. The sex spammers are running a scam business but it's still not phishing e-mail. Everyone takes spam less seriously.

These "sex sites" are sent via (untraceable by you)  botnet email or throwaway email addresses, the sites themselves start from a throwaway address then jump to another.
Always after credit card details!
(the ISP of that botnet can see where the source IP is)

Called phishing.
here's one
https://www.spamcop.net/sc?id=z6530436982z1d6d8d3d02831bdf4f781b2561e8282fz

notes were
22.224.69.173 antispamxdcb.hz.zj.cn bounces


malicious site URL
http://chinabdt.nxt/
52.5.250.89     abusexamazonaws.cxm 
proof see
https://www.virustotal.com/gui/url/600f2573dfc69fffdd57931eb33ec16698d1c613567dd4324f6b82d984349796/detection
 

Link to comment
Share on other sites

23 hours ago, MIG said:

Hey  klappa,

As you receive the emails & process them via SpamCop can you post the tracking URLs to this forum please?

Cheers!

Yes of course! This is the last one

https://www.spamcop.net/sc?id=z6530636585z175385238ef9c81fac2a7bbb91908ac0z

22 hours ago, petzl said:

These "sex sites" are sent via (untraceable by you)  botnet email or throwaway email addresses, the sites themselves start from a throwaway address then jump to another.
Always after credit card details!
(the ISP of that botnet can see where the source IP is)

Called phishing.
here's one
https://www.spamcop.net/sc?id=z6530436982z1d6d8d3d02831bdf4f781b2561e8282fz

notes were
22.224.69.173 antispamxdcb.hz.zj.cn bounces


malicious site URL
http://chinabdt.nxt/
52.5.250.89     abusexamazonaws.cxm 
proof see
https://www.virustotal.com/gui/url/600f2573dfc69fffdd57931eb33ec16698d1c613567dd4324f6b82d984349796/detection
 

You're right! However it isn't directly obvious for the hosts I send the spam reports to. They aren't pretending to be Bank of America in the spam and wanting you to log in to a spoofed site. They are also depending on valid third party e-mails and domain providers. And sometimes also use third party URL shortener services but sometimes don't. I don't know if it's the same spammer but it could be.

They however, as evident in the spam report above, almost in all cases rely on Outlook. MS doesn't seem to take action or is unable to as they create one throwaway account after another.

Should I instead of reporting them as sex spammer use phishing e-mail instead?

Link to comment
Share on other sites

Useful discussion.  Please be careful to NOT include active "malicious" links in your post.

Some suggestions for breaking links would be to

  • replace periods "." in the URL with a comma ',' or '{DOT}'
  • include spaces to break[ ]-[ ]up the URL as in http: // spamcop . net

When you do include a URL double check your post to make sure the system did not outsmart you and generate a live link.

THANKS

Link to comment
Share on other sites
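The two link-breaking styles suggested in the post above, plus the "double check" step, as an added Python example that is not part of the original post or of any SpamCop tool. The function names, the regex used as a stand-in for the forum's auto-linker, and the sample text (reserved `.example` names and a documentation IP range) are all assumptions made for illustration.

```python
import re

# Assumed model of what an auto-linker picks up: an optional scheme followed by
# a dotted host name or an IPv4 address, plus any path. It is deliberately
# broad, so file names such as "notes.txt" are treated as linkable too.
LINKABLE_RE = re.compile(
    r"(?:\b[a-z][a-z0-9+.-]*://)?"
    r"\b(?:(?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})\b"
    r"(?:[/?#][^\s<>\"']*)?",
    re.I,
)
TRAILING = ".,;:!?)"  # sentence punctuation that is not part of the link

STYLES = {
    # http://spamcop.net -> http://spamcop{DOT}net
    "dot": lambda u: u.replace(".", "{DOT}"),
    # http://spamcop.net -> http: // spamcop . net
    "space": lambda u: u.replace("://", ": // ").replace(".", " . "),
}

# Constructed sample post; none of these names or addresses come from the thread.
SAMPLE = (
    "malicious site URL\n"
    "http://bad.example/login.php?id=7\n"
    "203.0.113.89 abuse@hosting.example\n"
    "proof: www.scanner.example/report."
)


def _split_trailing(token):
    """Separate a matched link from punctuation that merely ends the sentence."""
    core = token.rstrip(TRAILING)
    return core, token[len(core):]


def live_links(text):
    """Return every substring the assumed auto-linker would still turn into a link."""
    return [_split_trailing(m.group(0))[0] for m in LINKABLE_RE.finditer(text)]


def defang(text, style="dot"):
    """Break every linkable substring in text using one of the two styles."""
    if style not in STYLES:
        raise ValueError("style must be one of: " + ", ".join(sorted(STYLES)))

    def repl(match):
        core, tail = _split_trailing(match.group(0))
        return STYLES[style](core) + tail

    return LINKABLE_RE.sub(repl, text)


if __name__ == "__main__":
    for style in sorted(STYLES):
        safe = defang(SAMPLE, style)
        print("--- style:", style)
        print(safe)
        print("still linkable:", live_links(safe))
```

Running `live_links()` on the final text before posting is the automated form of the double check the post asks for; an empty list means nothing matched the assumed linker pattern.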

5 hours ago, klappa said:

Hey klappa.

Thanks!

1st , specific ONLY to MS Outlook mail, do you always REMOVE the ENTIRE 1st [Received >>>>> +0000] section BEFORE parsing?

Received: from BY2NAM03FT039.eop-NAM03.prod.protection.outlook.com
 (10.152.84.53) by BY2NAM03HT214.eop-NAM03.prod.protection.outlook.com
 (10.152.85.13) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1709.13; Sat, 16 Mar
 2019 15:51:29 +0000

Specific to your submitted url https://www.spamcop.net/sc?id=z6530636585z175385238ef9c81fac2a7bbb91908ac0z, the [REMOVE] instruction wouldn't make much/any difference as this email has travelled via MS.

  • The rationale for the [REMOVE] instruction is well documented in Forum posts, I'll drag some up for you & post back. 

2nd : (My understanding was we were addressing: topic/35014-what-to-do-with-amazon-hosted-spammers) so, forgive me if I'm confused, but, are your concerns more to do with the process/reporting methodology or ?

3. "instead of reporting them as sex spammer use phishing e-mail instead?"

I agree with Petzl, use both

4. Do you add [Notes] to the addresses SC parser has identified?

5. When I forward the phishing/spam email, I always include,  in the subject line [offending ip address, offending ip address: "Network being used by criminals to distribute child porn"], or whatever the criminal activity is.

More soon, if you have more SC URLs please continue to post to Forum.

Cheers!

Edited by MIG
Link to comment
Share on other sites

  • 3 weeks later...
On 3/17/2019 at 1:15 AM, MIG said:

Hey klappa.

Thanks!

1st , specific ONLY to MS Outlook mail, do you always REMOVE the ENTIRE 1st [Received >>>>> +0000] section BEFORE parsing?

Received: from BY2NAM03FT039.eop-NAM03.prod.protection.outlook.com
 (10.152.84.53) by BY2NAM03HT214.eop-NAM03.prod.protection.outlook.com
 (10.152.85.13) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1709.13; Sat, 16 Mar
 2019 15:51:29 +0000

Specific to your submitted url https://www.spamcop.net/sc?id=z6530636585z175385238ef9c81fac2a7bbb91908ac0z, the [REMOVE] instruction wouldn't make much/any difference as this email has travelled via MS.

  • The rationale for the [REMOVE] instruction is well documented in Forum posts, I'll drag some up for you & post back. 

2nd : (My understanding was we were addressing: topic/35014-what-to-do-with-amazon-hosted-spammers) so, forgive me if I'm confused, but, are your concerns more to do with the process/reporting methodology or ?

3. "instead of reporting them as sex spammer use phishing e-mail instead?"

I agree with Petzl, use both

4. Do you add [Notes] to the addresses SC parser has identified?

5. When I forward the phishing/spam email, I always include,  in the subject line [offending ip address, offending ip address: "Network being used by criminals to distribute child porn"], or whatever the criminal activity is.

More soon, if you have more SC URLs please continue to post to Forum.

Cheers!

1. Yes Spamcop can't correctly parse when the 1st Received line is there. It will always go to abuse microsoft com instead of the correct host abuse department. I think it had to do with Microsoft using internal IPv6 addresses or something.

2. I don't follow. Since Spamcop can't follow the spam link it won't identify the Amazon hosted servers the spammers or phishers use and I have to report it manually.

3. Ok!

4. Yes. To every part that Spamcop can identify.

5. Thanks for input!

Edited by klappa
Link to comment
Share on other sites
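MIG's first question and klappa's answer above concern dropping the leading, Microsoft-internal Received block from Outlook mail before it is submitted for parsing. The following is an added Python sketch (not code from the thread or from SpamCop) that removes that block only when both hops are `protection.outlook.com` hosts with RFC 1918 addresses, and leaves every other byte of the message untouched. The function names are hypothetical, and the second hop, sender and subject in the sample are constructed.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "from HOST (IP) by HOST (IP)" as it appears in the header quoted in the thread.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)\s+\(([^)]*)\)")

# Constructed sample: the first Received block is the one quoted in the post;
# everything after it is made up (203.0.113.0/24 is a documentation range).
SAMPLE = (
    "Received: from BY2NAM03FT039.eop-NAM03.prod.protection.outlook.com\n"
    " (10.152.84.53) by BY2NAM03HT214.eop-NAM03.prod.protection.outlook.com\n"
    " (10.152.85.13) with Microsoft SMTP Server (version=TLS1_2,\n"
    " cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1709.13; Sat, 16 Mar\n"
    " 2019 15:51:29 +0000\n"
    "Received: from mail.example.net (203.0.113.25) by\n"
    " BY2NAM03FT039.mail.protection.outlook.com (10.152.84.100) with Microsoft SMTP\n"
    " Server id 15.20.1709.13; Sat, 16 Mar 2019 15:51:28 +0000\n"
    "From: sender@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body text\n"
)


def split_headers(raw):
    """Return (header blocks with their folded lines, rest of message verbatim)."""
    lines = raw.splitlines(keepends=True)
    blocks, i = [], 0
    while i < len(lines) and lines[i].strip("\r\n"):
        if lines[i][0] in " \t" and blocks:
            blocks[-1] += lines[i]      # continuation of a folded header
        else:
            blocks.append(lines[i])     # start of a new header
        i += 1
    return blocks, "".join(lines[i:])


def is_internal_outlook_hop(block):
    """True only for a Received header passed between two internal Outlook hosts."""
    if not block.lower().startswith("received:"):
        return False
    m = HOP_RE.search(block)
    if not m:
        return False
    from_host, from_ip, by_host, by_ip = m.groups()
    try:
        ips = [ipaddress.ip_address(ip.strip()) for ip in (from_ip, by_ip)]
    except ValueError:
        return False                    # not a bare IP literal: leave it alone
    internal = all(any(ip in net for net in RFC1918) for ip in ips)
    outlook = all(h.lower().endswith(".protection.outlook.com")
                  for h in (from_host, by_host))
    return internal and outlook


def strip_leading_internal_hop(raw):
    """Drop the first Received block if it is internal; return (text, removed)."""
    blocks, rest = split_headers(raw)
    if blocks and is_internal_outlook_hop(blocks[0]):
        return "".join(blocks[1:]) + rest, True
    return raw, False


if __name__ == "__main__":
    cleaned, removed = strip_leading_internal_hop(SAMPLE)
    print("removed internal hop:", removed)
    print(cleaned)
```

Only the RFC 1918 shape shown in the quoted header is recognised; the internal IPv6 hops klappa mentions would need their own rule.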

On 4/6/2019 at 2:36 AM, MIG said:

All good Klappa & thank you!

Re 2. Please post more/new SC Report URLs that have embedded redirect links to Amazon.

Cheers!

I haven't received them for a while now except very sporadically. But next spam from them I will update this thread with SC Report URLs.

Link to comment
Share on other sites

I don't see a suggestion to also send reports/forward spam to stop-spoofing[AT}amazon.com

I add that address to all spam that I quickly identify as relating to Amazon or often amazon.uk

Edited by Lking
I stand corrected
Link to comment
Share on other sites
