Jump to content

What do do with Amazon hosted spammers


klappa

Recommended Posts

5 hours ago, Lking said:

I don't see a suggestion to also send reports/forward spam to stop-spoofing[AT}amazon.com.I add that address to all spam that I quickly identify as relating to Amazon or often amazon.uk

Hey Master,

Very interesting. I previously raised (with SC Admin) "Request to add" stop-spoofingATamazonDOTcom, as so many amazon / SC reports resulted in /dev/null.

SCA replied:

quote

Adding an address just because it looks like it might be a good idea, isn't a good idea.  Stop-spoofingATamazonDOTcom is a specific address with a specific use.  spam from Amazon's IP space is not the purpose of that address.
It likely wouldn't take them long to start rejecting all SpamCop reports, even ones about spoofing, if we were to start throwing everything Amazon their way.

unquote

As a result of receiving that advice, I stopped manually adding stop-spoofingATamazonDOTcom, Amazon spam continued, when I add stop-spoofingATamazonDOTcom, spam reduces to an occasional, 1 a month, to none...

Your thoughts? (would be very much appreciated)

Cheers!

Edited by Lking
I stand corrected
Link to comment
Share on other sites

  • Replies 94
  • Created
  • Last Reply

Top Posters In This Topic

5 hours ago, Lking said:

I don't see a suggestion to also send reports/forward spam to stop-spoofing[AT}amazon.com

I stand corrected.  What I meant to say was that I add amazon[dot]com to the list of addresses when I submit said spam. So the copy of the spam comes from me not SC.  I do get the obligatory auto-response "Thank you"

Link to comment
Share on other sites

2 hours ago, MIG said:

are you suggesting manually adding amazon[dot]com to https://www.spamcop.net/ [User_Notification] field, irrespective of SC's determination?

NO I am not.  That would result in a spam Report, from SC going to amazon. I am suggesting something like this header from MY email:

Quote

BCC: submit.xxxxxxxxxxxxxxxx@spam.spamcop.net
To: spam@uce.gov, Report@submit.spam.acma.gov.au, stop-spoofing@amazon.com
Subject: [HabuL Plugin] spam Report
From: XXX <x@xx.com>

with an amazon related spam attached; in this case

Quote

...
Date: Fri, 12 Apr 2019 09:55:17 +0000
To: "bigknow@xxxxx.com" <bigknow@xxxxx.com>
From: Amazon <reply@leneif.info>
Reply-To: Amazon <reply@leneif.info>
Subject: [Norton AntiSpam]TEXT ALERT: Winner, Winner John, is it you? >> Check Now

...

 

Note when I "Submit" the spam I BCC the email to SC to hide my private 16 char reporting account from Amazon.

Also note: Yes the FROM: is an obvious fake, but the sender is using the well known retailer's name to get "bigknow" to open the email.. I do the same for others common spam FROM UPS, American Express and others.

Link to comment
Share on other sites

1 hour ago, Lking said:

NO I am not.  That would result in a spam Report, from SC going to amazon. I am suggesting something like this header from MY email:

with an amazon related spam attached; in this case

Note when I "Submit" the spam I BCC the email to SC to hide my private 16 char reporting account from Amazon.

Also note: Yes the FROM: is an obvious fake, but the sender is using the well known retailer's name to get "bigknow" to open the email.. I do the same for others common spam FROM UPS, American Express and others.

Thank you Master!

Got it! 

Unfortunately (for me) using my (private 16 char reporting account) has never worked. And using https://outlook.live.com/owa/?path=/mail/ does not have the functionality to forward spam as "attachments". 

However, your information certainly clarifies the question I had specific to spam submitted via SC parser.

I'm curious about [red]:

To: spam@uce.gov, Report@submit.spam.acma.gov.au, stop-spoofing@amazon.com

Subject:   [blah, blah, blah] spam Report From: XXX <x@xx.com>

Acma spam reporting guidelines:

"Forward the email spam to report@submit.spam.acma.gov.au. When forwarding an email, don't change the subject line or add additional text."

Have Acma ever communicated with you regarding spam you've reported?

Curious?

Thanks & cheers!

 

Link to comment
Share on other sites

10 hours ago, MIG said:

I'm curious about [red]:

To: spam@uce.gov, Report@submit.spam.acma.gov.au, stop-spoofing@amazon.com

Subject:   [blah, blah, blah] spam Report From: XXX <x@xx.com>

Acma spam reporting guidelines:

"Forward the email spam to report@submit.spam.acma.gov.au. When forwarding an email, don't change the subject line or add additional text."

Have Acma ever communicated with you regarding spam you've reported?

Curious?

The attached spam is forwarded without change.  MY email, Subject: [blah...] spam Report, From: XXX  is not what ACMA is referring to. The Attached email "Subject: [Norton AntiSpam]TEXT ALERT: Winner, Winner John, is it you? >> Check Now" "From: Amazon <reply@leneif.info>"  is not changed, as required.

Link to comment
Share on other sites

On 4/12/2019 at 8:44 PM, MIG said:

..., (for me) SC parser classifies Amazon (amazon[dot]com) as /dev/null, are you suggesting manually adding amazon[dot]com to https://www.spamcop.net/ [User_Notification] field, irrespective of SC's determination?

Thanks in advance!

On 4/12/2019 at 11:37 PM, Lking said:

NO I am not.  That would result in a spam Report, from SC going to amazon. I am suggesting something like this header from MY email:

with an amazon related spam attached; in this case

 

Note when I "Submit" the spam I BCC the email to SC to hide my private 16 char reporting account from Amazon.

Also note: Yes the FROM: is an obvious fake, but the sender is using the well known retailer's name to get "bigknow" to open the email.. I do the same for others common spam FROM UPS, American Express and others.

If amazon[dot]com is dev/null'ed, then placing it in the [User_Notification] field wouldn't change anything. It would still dev/null the address.

@Lking, question about the "Note". Do I understand this correctly, that you send (apart from sending the spam to SC as "bcc") the spam (as attachment) to the three listed entities?

How do you know where to send the spam before parsing it?

When I send the spam to SC, it gets parsed and /* then */ I know whom to send it as well... (Color me confused)

 

Link to comment
Share on other sites

1 hour ago, RobiBue said:

How do you know where to send the spam before parsing it?

When I send the spam to SC, it gets parsed and /* then */ I know whom to send it as well... (Color me confused)

"Dear" Color me confused : ) The confusion is that we (you and I) are talking about two different things.

You (and I) use SC to parse the spam email header to identify the source and supporting ISPs of the spam and the spamvertised links in the body of the email. I understand that you /*then*/ use the information from SC to manually expand where the spam report is sent.

In addition to the basic results from SC, I also send all 'raw' spam to government databases, US and Australian (spam@uce.gov &  Report@submit.spam.acma.gov.au), for archival and whatever use.

When a quick visual scan of spam reveals that the name of an established company (Amazon, UPS, American Express...) is used to bate the spam receivers,  I also send the raw spam to those companies as a "FYI some spamming a**hole is using your 'good' name to defraud people." In my example above:

On 4/12/2019 at 10:37 PM, Lking said:

...
Date: Fri, 12 Apr 2019 09:55:17 +0000
To: "bigknow@xxxxx.com" <bigknow@xxxxx.com>
From: Amazon <reply@leneif.info>
Reply-To: Amazon <reply@leneif.info>
Subject: [Norton AntiSpam]TEXT ALERT: Winner, Winner John, is it you? >> Check Now

...

I noticed the From: Amazon displayed in the "Correspondents" column in Thunderbird so I single that spam out for special handling.  Depending on the time of day and other factors, I also take a quick look at the body of some spam scanning for besmirched company names.

{It is another discussion, whether or not these corporations have a 'good name'.  I am sure they think so and have the resources to defend it.}

I have chosen this less time intensive processing because of the volume of spam sent to the several domains I use (232 spam yesterday).  In addition to the domain I have had sense 1996, I also manage domains for two non-proffets.  I receive all email to these domains unfiltered (note To: bigknow{at}xxxx.com above).  For me I "Do not have the time" to do the hard work that @RobiBue does.We each do what we can do.

As an aside I am confused by the thinking(?) of spammers.  Looking at the "odd" mailboxes spam is sent to.  Instead of dropping mis addressed email on the floor, I receive and report it.  So I see these odd mailboxes. I can see guessing 'Bob@', 'John@' or "testemail@".  I do not understand "f***you@", "A**hole@", "whore@".  Who thinks someone would open an email addressed to "whore@"?

 

Link to comment
Share on other sites

On 4/12/2019 at 7:59 PM, klappa said:

I haven't received them for a while now except very sporadic. But next spam from them i will update this thread with SC Report URLs.

Just received two sex dating spams today however i haven't checked what domains the spamlinks resolve to. It could be Amazon hosted domains but i am not sure. Anyway care to inspect?

https://www.spamcop.net/sc?id=z6537755702z2a6c8c73f60568b083e173773e617c28z

https://www.spamcop.net/sc?id=z6537755185z923bf33a4c5c45f7af08454928e034dbz

On 4/12/2019 at 8:14 PM, Lking said:

I don't see a suggestion to also send reports/forward spam to stop-spoofing[AT}amazon.com

I add that address to all spam that I quickly identify as relating to Amazon or often amazon.uk

Thank you!

But i am pretty sure the domains are resolved to Amazon hosted domains however since Spamcop don't check redirects it's impossible to know without clicking the spamlinks. I have to manually forward the spam directly to Amazon's abuse address. Also every of these Sex spam phishing mail I've got have been sent using an Outlook account. It seems Microsoft doesn't care much. I don't how many reports I've sent them. Also since i don't trust report_spam at hotmail dot com which is being used by Spamcop I also forward the spam directly to abuse at microsoft dot com. Outlook is a spam service nowadays nothing more.

Edited by klappa
Link to comment
Share on other sites

3 hours ago, klappa said:

I've sent them. Also since i don't trust report_spam at hotmail dot com which is being used by Spamcop I also forward the spam directly to abuse at microsoft dot com. Outlook is a spam service nowadays nothing more.

Spammer  is using throwaway email accounts

AmazonAWS is offering free web trails this clown will stick there (probably has many) till AmazonAWS bother
They want full headers copy and pasted with IP's before even bothering. And they contact these criminals show your details.
Always report it as Child porn spam site. That gives Amazon an obligation and expense to remove it.
pictures under 18 or made to look under 18. NO PROOF OF AGE available! 
Include phishing-report[AT]us-cert[DOT]gov  in "to field" as well AWS can see this.

Edited by petzl
Link to comment
Share on other sites

10 hours ago, petzl said:

Spammer  is using throwaway email accounts

AmazonAWS is offering free web trails this clown will stick there (probably has many) till AmazonAWS bother
They want full headers copy and pasted with IP's before even bothering. And they contact these criminals show your details.
Always report it as Child porn spam site. That gives Amazon an obligation and expense to remove it.
pictures under 18 or made to look under 18. NO PROOF OF AGE available! 
Include phishing-report[AT]us-cert[DOT]gov  in "to field" as well AWS can see this.

I won't give up. Any instances i could forward these sex spams to to let them know Amazon gives leeway to child porn?

Link to comment
Share on other sites

On 4/15/2019 at 5:31 PM, klappa said:

I won't give up. Any instances i could forward these sex spams to to let them know Amazon gives leeway to child porn?

That's my attitude also this is their reply with my "preamble"
https://www.spamcop.net/sc?id=z6532210969z9e3601591d7bb95c694f6f8edf765dccz

Thank you for submitting your report to Amazon Web Services.

We have received your report and will investigate the issue. If you wish to provide additional information to us or our customer regarding this case, please reply to this email.

The details of your report are as follows:
52.10.94.116 (Administrator of network where email originates)
abuse[AT]amazonaws[DOT]com

Child porn spammer
pictures under 18 or made to look under 18
NO PROOF OF AGE available!
SENT TO MINORS

>


****************headers*******

 

Link to comment
Share on other sites

On 4/16/2019 at 12:47 PM, petzl said:

That's my attitude also this is their reply with my "preamble"
https://www.spamcop.net/sc?id=z6532210969z9e3601591d7bb95c694f6f8edf765dccz


Thank you for submitting your report to Amazon Web Services.

We have received your report and will investigate the issue. If you wish to provide additional information to us or our customer regarding this case, please reply to this email.

The details of your report are as follows:
52.10.94.116 (Administrator of network where email originates)
abuse[AT]amazonaws[DOT]com

Child porn spammer
pictures under 18 or made to look under 18
NO PROOF OF AGE available!
SENT TO MINORS

>


****************headers*******

 

They just give me a reply that i should report missing children cybertip dot org. Really the spam doesn't show naked children but it's obvious it is stolen pictures of women from around the net. Now the spammer (if it's the same that is) sent the same spam a dozen of times. I have now completely given up since the domains i reported weeks ago still are up.

American hosts can screw themselves, looks at Amazon. They don't care about anything but the money.

Edited by klappa
Link to comment
Share on other sites

15 minutes ago, klappa said:

Really the spam doesn't show naked children but it's obvious it is stolen pictures of women from around the net

https://www.spamcop.net/sc?id=z6540270015zc70d32edef3720992bb7f7c766540bebz
I also sent from my Gmail account to AmozonAWS and spam stopped

I don't decide if they are children or not.  I just report it as such let "them" show the proof
18 is the age of consent in Australia for naked photos to be shown on web or magazines/videos,
under 18 is child porn afaik.
US law requires proof of age also,
https://www.consumer.ftc.gov/blog/2015/07/faking-it-scammers-tricks-steal-your-heart-and-money?page=3

Link to comment
Share on other sites

12 hours ago, petzl said:

https://www.spamcop.net/sc?id=z6540270015zc70d32edef3720992bb7f7c766540bebz
I also sent from my Gmail account to AmozonAWS and spam stopped

I don't decide if they are children or not.  I just report it as such let "them" show the proof
18 is the age of consent in Australia for naked photos to be shown on web or magazines/videos,
under 18 is child porn afaik.
US law requires proof of age also,
https://www.consumer.ftc.gov/blog/2015/07/faking-it-scammers-tricks-steal-your-heart-and-money?page=3

Trust me i have forwarded and reported with Spamcop nothing helps. Now the sex spammer have a grudge against me. Been spamming me every ten minutes or so using different Amazon servers. I can't bring me together to report everyone of them.

Link to comment
Share on other sites

6 minutes ago, klappa said:

Trust me i have forwarded and reported with Spamcop nothing helps. Now the sex spammer have a grudge against me. Been spamming me every ten minutes or so using different Amazon servers. I can't bring me together to report everyone of them.

Well they seem to be burnt from me?
They always use free accounts doubt if they give AmazonAWS contact info
AmazonAWS  are not the only ones to stupid to fix this Google another.

Link to comment
Share on other sites

5 hours ago, petzl said:

They always use free accounts doubt if they give AmazonAWS contact info
AmazonAWS  are not the only ones to stupid to fix this Google another.

There are a few options you have left when the adminstrator is useless if you really want to stop the spam.

  1. Keep reporting for two or three years and the spammer will give up.
  2. Block the whole IP range.  (this could be a problem as the emails from this forum appear to come from amazon, so this could block legitimate email.)
  3. Implement SPF checks on the MTA and hopes that blocks it (only works if you have the ability to control the MTA.)
  4. Use greylisting to make sure that only servers can connect and send you email (again, only works if you can change the MTA behavior.)

The reason most businesses offer the free accounts is it falls under the idea of advertising.  If someone cannot check out the service, then they are less likely to use it.  Kind of problem as it pulls in the jerks, but also pulls in paid accounts as well......

Link to comment
Share on other sites

3 hours ago, gnarlymarley said:

The reason most businesses offer the free accounts is it falls under the idea of advertising.  If someone cannot check out the service, then they are less likely to use it.  Kind of problem as it pulls in the jerks, but also pulls in paid accounts as well......

If the free account would just get a validated credit card number it would confirm identity.
Dealing with spammer accounts can't be "free"

Link to comment
Share on other sites

1 hour ago, petzl said:

If the free account would just get a validated credit card number it would confirm identity.
Dealing with spammer accounts can't be "free"

It better not be one of those cards that I sometimes get offered by spammers and scammers! :D

Link to comment
Share on other sites

37 minutes ago, lisati said:

It better not be one of those cards that I sometimes get offered by spammers and scammers! :D

As long as a payment say US$2 is made should validate it and customer. This should be a mandate with Gmail Hotmail Yahoo also.

Years  ago I opened a account with Godaddy which was good, What I  couldn't take was the harassment they try to get you to buy more and more, dumped them but the harassment continued for years.
Another good product was readers digest products bought Australian road guide, the harrasment adterwards was terrible, mailbox jammed with their junk adverts.

 

 


 

Edited by petzl
Link to comment
Share on other sites

8 hours ago, gnarlymarley said:

There are a few options you have left when the adminstrator is useless if you really want to stop the spam.

  1. Keep reporting for two or three years and the spammer will give up.
  2. Block the whole IP range.  (this could be a problem as the emails from this forum appear to come from amazon, so this could block legitimate email.)
  3. Implement SPF checks on the MTA and hopes that blocks it (only works if you have the ability to control the MTA.)
  4. Use greylisting to make sure that only servers can connect and send you email (again, only works if you can change the MTA behavior.)

The reason most businesses offer the free accounts is it falls under the idea of advertising.  If someone cannot check out the service, then they are less likely to use it.  Kind of problem as it pulls in the jerks, but also pulls in paid accounts as well......

I like Idea #2!, especially if everybody is on-board.

a) it would convince amazon to clean up their act with spammers and hosting them,
b) especially if they start losing legitimate clientele :)

Link to comment
Share on other sites

In response to SPAMCOP report i got an email from <nobody@bounces.amazon.com>

Quote

Hello,

We are sorry to hear that you received unwanted email through Amazon SES.

Please note, this reporting address is only for mail sent via Amazon SES (emails originated from 54.240.0.0/18). If you have a complaint about other AWS abuse (e.g. EC2), please submit your complaint here: https://aws.amazon.com/forms/report-abuse

If you did not provide the following information, please contact email-abuse@amazon.com again with:

1. The full headers of the objectionable email message. For examples of how to find email headers, see https://support.google.com/mail/answer/22454?hl=en .

2. The type of abuse you are experiencing. For example, you didn't sign up to receive emails from the sender, the sender doesn’t have an opt-out option, etc.

Thank you for the report!

Sincerely,

The Amazon SES Team

 

what do you make of this ?

is this a generic reply they send to all reports ? 

Link to comment
Share on other sites

2 hours ago, HeatherReid43 said:

Is this a generic reply they send to all reports ? 

Hello HeatherReid43,

Yes, it's a generic response, just checked back thru some very old Amazon responses. Not sure about "all", if I remember correctly, I got a swathe of them before I began to (as well as processing via SC), forward every email to ec2DASHabuseATamazonDOTcom (if you're not doing this already?)

From: Amazon.com <nobody@bounces.amazon.com>
Sent: Thursday, 10 January 2019 05:39
Subject: Re: Fw: Your new profile is confirmed and already has video messages.
Hello,
We are sorry to hear that you received unwanted email through Amazon SES.
Please note, this reporting address is only for mail sent via Amazon SES (emails originated from 54.240.0.0/18). If you have a complaint about other AWS abuse (e.g. EC2), please submit your complaint here: https://aws.amazon.com/forms/report-abuse

Cheers!
 
 
Edited by MIG
Link to comment
Share on other sites

1 hour ago, HeatherReid43 said:

in addition to the above email i am email address that i am reporting to are generally as follows

  • email-abuse at amazon.com 
  • ipmanagement at amazon.com

if the content is hosted on AWS then

  • abuse at amazonaws.com

Hey HeatherReid43,

I think you've covered all bases. There's also an online but (imo) it's painful, much easier to forward the email  to those address & any reporting authorities you choose...
Cheers!

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...