Jump to content
klappa

What do do with Amazon hosted spammers

Recommended Posts

Posted (edited)
5 hours ago, Lking said:

I don't see a suggestion to also send reports/forward spam to stop-spoofing[AT}amazon.com.I add that address to all spam that I quickly identify as relating to Amazon or often amazon.uk

Hey Master,

Very interesting. I previously raised (with SC Admin) "Request to add" stop-spoofingATamazonDOTcom, as so many amazon / SC reports resulted in /dev/null.

SCA replied:

quote

Adding an address just because it looks like it might be a good idea, isn't a good idea.  Stop-spoofingATamazonDOTcom is a specific address with a specific use.  spam from Amazon's IP space is not the purpose of that address.
It likely wouldn't take them long to start rejecting all SpamCop reports, even ones about spoofing, if we were to start throwing everything Amazon their way.

unquote

As a result of receiving that advice, I stopped manually adding stop-spoofingATamazonDOTcom, Amazon spam continued, when I add stop-spoofingATamazonDOTcom, spam reduces to an occasional, 1 a month, to none...

Your thoughts? (would be very much appreciated)

Cheers!

Edited by Lking
I stand corrected

Share this post


Link to post
Share on other sites
5 hours ago, Lking said:

I don't see a suggestion to also send reports/forward spam to stop-spoofing[AT}amazon.com

I stand corrected.  What I meant to say was that I add amazon[dot]com to the list of addresses when I submit said spam. So the copy of the spam comes from me not SC.  I do get the obligatory auto-response "Thank you"

Share this post


Link to post
Share on other sites

Greetings Master,

Thank you for clarifying! Much appreciated!

However, 🦗 is confused, (for me) SC parser classifies Amazon (amazon[dot]com) as /dev/null, are you suggesting manually adding amazon[dot]com to https://www.spamcop.net/ [User_Notification] field, irrespective of SC's determination?

Thanks in advance!

Share this post


Link to post
Share on other sites
2 hours ago, MIG said:

are you suggesting manually adding amazon[dot]com to https://www.spamcop.net/ [User_Notification] field, irrespective of SC's determination?

NO I am not.  That would result in a spam Report, from SC going to amazon. I am suggesting something like this header from MY email:

Quote

BCC: submit.xxxxxxxxxxxxxxxx@spam.spamcop.net
To: spam@uce.gov, Report@submit.spam.acma.gov.au, stop-spoofing@amazon.com
Subject: [HabuL Plugin] spam Report
From: XXX <x@xx.com>

with an amazon related spam attached; in this case

Quote

...
Date: Fri, 12 Apr 2019 09:55:17 +0000
To: "bigknow@xxxxx.com" <bigknow@xxxxx.com>
From: Amazon <reply@leneif.info>
Reply-To: Amazon <reply@leneif.info>
Subject: [Norton AntiSpam]TEXT ALERT: Winner, Winner John, is it you? >> Check Now

...

 

Note when I "Submit" the spam I BCC the email to SC to hide my private 16 char reporting account from Amazon.

Also note: Yes the FROM: is an obvious fake, but the sender is using the well known retailer's name to get "bigknow" to open the email.. I do the same for others common spam FROM UPS, American Express and others.

Share this post


Link to post
Share on other sites
1 hour ago, Lking said:

NO I am not.  That would result in a spam Report, from SC going to amazon. I am suggesting something like this header from MY email:

with an amazon related spam attached; in this case

Note when I "Submit" the spam I BCC the email to SC to hide my private 16 char reporting account from Amazon.

Also note: Yes the FROM: is an obvious fake, but the sender is using the well known retailer's name to get "bigknow" to open the email.. I do the same for others common spam FROM UPS, American Express and others.

Thank you Master!

Got it! 

Unfortunately (for me) using my (private 16 char reporting account) has never worked. And using https://outlook.live.com/owa/?path=/mail/ does not have the functionality to forward spam as "attachments". 

However, your information certainly clarifies the question I had specific to spam submitted via SC parser.

I'm curious about [red]:

To: spam@uce.gov, Report@submit.spam.acma.gov.au, stop-spoofing@amazon.com

Subject:   [blah, blah, blah] spam Report From: XXX <x@xx.com>

Acma spam reporting guidelines:

"Forward the email spam to report@submit.spam.acma.gov.au. When forwarding an email, don't change the subject line or add additional text."

Have Acma ever communicated with you regarding spam you've reported?

Curious?

Thanks & cheers!

 

Share this post


Link to post
Share on other sites
10 hours ago, MIG said:

I'm curious about [red]:

To: spam@uce.gov, Report@submit.spam.acma.gov.au, stop-spoofing@amazon.com

Subject:   [blah, blah, blah] spam Report From: XXX <x@xx.com>

Acma spam reporting guidelines:

"Forward the email spam to report@submit.spam.acma.gov.au. When forwarding an email, don't change the subject line or add additional text."

Have Acma ever communicated with you regarding spam you've reported?

Curious?

The attached spam is forwarded without change.  MY email, Subject: [blah...] spam Report, From: XXX  is not what ACMA is referring to. The Attached email "Subject: [Norton AntiSpam]TEXT ALERT: Winner, Winner John, is it you? >> Check Now" "From: Amazon <reply@leneif.info>"  is not changed, as required.

Share this post


Link to post
Share on other sites
On 4/12/2019 at 8:44 PM, MIG said:

..., (for me) SC parser classifies Amazon (amazon[dot]com) as /dev/null, are you suggesting manually adding amazon[dot]com to https://www.spamcop.net/ [User_Notification] field, irrespective of SC's determination?

Thanks in advance!

On 4/12/2019 at 11:37 PM, Lking said:

NO I am not.  That would result in a spam Report, from SC going to amazon. I am suggesting something like this header from MY email:

with an amazon related spam attached; in this case

 

Note when I "Submit" the spam I BCC the email to SC to hide my private 16 char reporting account from Amazon.

Also note: Yes the FROM: is an obvious fake, but the sender is using the well known retailer's name to get "bigknow" to open the email.. I do the same for others common spam FROM UPS, American Express and others.

If amazon[dot]com is dev/null'ed, then placing it in the [User_Notification] field wouldn't change anything. It would still dev/null the address.

@Lking, question about the "Note". Do I understand this correctly, that you send (apart from sending the spam to SC as "bcc") the spam (as attachment) to the three listed entities?

How do you know where to send the spam before parsing it?

When I send the spam to SC, it gets parsed and /* then */ I know whom to send it as well... (Color me confused)

 

Share this post


Link to post
Share on other sites
1 hour ago, RobiBue said:

How do you know where to send the spam before parsing it?

When I send the spam to SC, it gets parsed and /* then */ I know whom to send it as well... (Color me confused)

"Dear" Color me confused : ) The confusion is that we (you and I) are talking about two different things.

You (and I) use SC to parse the spam email header to identify the source and supporting ISPs of the spam and the spamvertised links in the body of the email. I understand that you /*then*/ use the information from SC to manually expand where the spam report is sent.

In addition to the basic results from SC, I also send all 'raw' spam to government databases, US and Australian (spam@uce.gov &  Report@submit.spam.acma.gov.au), for archival and whatever use.

When a quick visual scan of spam reveals that the name of an established company (Amazon, UPS, American Express...) is used to bate the spam receivers,  I also send the raw spam to those companies as a "FYI some spamming a**hole is using your 'good' name to defraud people." In my example above:

On 4/12/2019 at 10:37 PM, Lking said:

...
Date: Fri, 12 Apr 2019 09:55:17 +0000
To: "bigknow@xxxxx.com" <bigknow@xxxxx.com>
From: Amazon <reply@leneif.info>
Reply-To: Amazon <reply@leneif.info>
Subject: [Norton AntiSpam]TEXT ALERT: Winner, Winner John, is it you? >> Check Now

...

I noticed the From: Amazon displayed in the "Correspondents" column in Thunderbird so I single that spam out for special handling.  Depending on the time of day and other factors, I also take a quick look at the body of some spam scanning for besmirched company names.

{It is another discussion, whether or not these corporations have a 'good name'.  I am sure they think so and have the resources to defend it.}

I have chosen this less time intensive processing because of the volume of spam sent to the several domains I use (232 spam yesterday).  In addition to the domain I have had sense 1996, I also manage domains for two non-proffets.  I receive all email to these domains unfiltered (note To: bigknow{at}xxxx.com above).  For me I "Do not have the time" to do the hard work that @RobiBue does.We each do what we can do.

As an aside I am confused by the thinking(?) of spammers.  Looking at the "odd" mailboxes spam is sent to.  Instead of dropping mis addressed email on the floor, I receive and report it.  So I see these odd mailboxes. I can see guessing 'Bob@', 'John@' or "testemail@".  I do not understand "f***you@", "A**hole@", "whore@".  Who thinks someone would open an email addressed to "whore@"?

 

Share this post


Link to post
Share on other sites
Posted (edited)
On 4/12/2019 at 7:59 PM, klappa said:

I haven't received them for a while now except very sporadic. But next spam from them i will update this thread with SC Report URLs.

Just received two sex dating spams today however i haven't checked what domains the spamlinks resolve to. It could be Amazon hosted domains but i am not sure. Anyway care to inspect?

https://www.spamcop.net/sc?id=z6537755702z2a6c8c73f60568b083e173773e617c28z

https://www.spamcop.net/sc?id=z6537755185z923bf33a4c5c45f7af08454928e034dbz

On 4/12/2019 at 8:14 PM, Lking said:

I don't see a suggestion to also send reports/forward spam to stop-spoofing[AT}amazon.com

I add that address to all spam that I quickly identify as relating to Amazon or often amazon.uk

Thank you!

But i am pretty sure the domains are resolved to Amazon hosted domains however since Spamcop don't check redirects it's impossible to know without clicking the spamlinks. I have to manually forward the spam directly to Amazon's abuse address. Also every of these Sex spam phishing mail I've got have been sent using an Outlook account. It seems Microsoft doesn't care much. I don't how many reports I've sent them. Also since i don't trust report_spam at hotmail dot com which is being used by Spamcop I also forward the spam directly to abuse at microsoft dot com. Outlook is a spam service nowadays nothing more.

Edited by klappa

Share this post


Link to post
Share on other sites
Posted (edited)
3 hours ago, klappa said:

I've sent them. Also since i don't trust report_spam at hotmail dot com which is being used by Spamcop I also forward the spam directly to abuse at microsoft dot com. Outlook is a spam service nowadays nothing more.

Spammer  is using throwaway email accounts

AmazonAWS is offering free web trails this clown will stick there (probably has many) till AmazonAWS bother
They want full headers copy and pasted with IP's before even bothering. And they contact these criminals show your details.
Always report it as Child porn spam site. That gives Amazon an obligation and expense to remove it.
pictures under 18 or made to look under 18. NO PROOF OF AGE available! 
Include phishing-report[AT]us-cert[DOT]gov  in "to field" as well AWS can see this.

Edited by petzl

Share this post


Link to post
Share on other sites
10 hours ago, petzl said:

Spammer  is using throwaway email accounts

AmazonAWS is offering free web trails this clown will stick there (probably has many) till AmazonAWS bother
They want full headers copy and pasted with IP's before even bothering. And they contact these criminals show your details.
Always report it as Child porn spam site. That gives Amazon an obligation and expense to remove it.
pictures under 18 or made to look under 18. NO PROOF OF AGE available! 
Include phishing-report[AT]us-cert[DOT]gov  in "to field" as well AWS can see this.

I won't give up. Any instances i could forward these sex spams to to let them know Amazon gives leeway to child porn?

Share this post


Link to post
Share on other sites
On 4/15/2019 at 5:31 PM, klappa said:

I won't give up. Any instances i could forward these sex spams to to let them know Amazon gives leeway to child porn?

That's my attitude also this is their reply with my "preamble"
https://www.spamcop.net/sc?id=z6532210969z9e3601591d7bb95c694f6f8edf765dccz

Thank you for submitting your report to Amazon Web Services.

We have received your report and will investigate the issue. If you wish to provide additional information to us or our customer regarding this case, please reply to this email.

The details of your report are as follows:
52.10.94.116 (Administrator of network where email originates)
abuse[AT]amazonaws[DOT]com

Child porn spammer
pictures under 18 or made to look under 18
NO PROOF OF AGE available!
SENT TO MINORS

>


****************headers*******

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×