I am getting more spam when I report


bobk

Shortly after I report a spam I get eight or ten new spams right away. It's as if abuse@colocrossing.com is the spammer itself!

Should I continue to report the spams? 

Are the new ones just there to track me?

What to do?


1. welcome to the spamcop forum. We're mainly just SC users trying to help others in the fight against spam. Sometimes we can, sometimes we can't...

That said, some spam messages contain URLs which, if triggered, will cause more spam to be sent to you. Sometimes the ISP is "spammer friendly" and provides the spammer with your email address to "listwash" their DB or provides them with the email headers and they extrapolate your address through tracking codes they inserted in the headers.

If you have a Tracking URL (see Jeff G's welcoming post) and would provide it, it would be easier to analyze the reasons for your "multiplying spam" problems and find out a way to alleviate it.

I used to have similar problems with some spammers and by not reporting the links, only the source of the email, it reduced the spam volume drastically.

I also went in manually to report the links to the hosting companies and removed the tracking extension from the report, to prevent anybody from triggering more spam if they accidentally (or purposely) click on the link.


Yes Bob, welcome! As RobiBue suggested a Tracking URL would be helpful.

It is quite possible that your spammer is clever enough to hide your email address in the spam AND dumb enough to send you more spam because you reported them to SpamCop. Not being a spammer I don't see how "asking" to be reported by sending more spam to a known reporter fits into a business model. But then I am not a dumb spammer; see Rule #3 "Spammer Rules." What RobiBue suggests is quite possible.

Another possibility is that your email has made its way onto a list being passed/sold around among spammers and so your volume of spam is currently on the rise. It is also possible that your email ISP has somehow changed their spam filtering and as a result you are seeing more spam that slips through to your inbox. Be assured that things will change again. In the meantime, help the internet community by reporting all the spam you have time to report. Your good karma will be rewarded.

8 hours ago, bobk said:

Should I continue to report the spams? 

Are the new ones just there to track me?

What to do?

Keep reporting, places like Facebook sell your email addresses to anyone who buys them.
I doubt if colocrossing is dobbing you into spammer.
Once your email address is taken it is then sold to other spammers so going from 1 spam to many is "normal"
The best defense is attack. 
There is a bit of a learning curve. 

A good and easy effective tool for doing  this is a free SpamCop account
Once set-up you can simply send to SpamCop spam "forward as an attachment" for reporting
You will be given a supersecret reporting address so do not divulge this to anyone,
Always in this discussion group disable/change the @ to [AT] and . to [DOT] in email addies 
With malicious links change them so they don't work, For instance I change com to cxm as well as a few x's in other places

SpamCop will default munge your email addy unless you tell it not to.
spam sometimes has links in spam like invisible coded images to send a confirmation that email has been received.
Most email now blocks images from automatically opening for this reason 


Thanks all.

I've had a spamcop account for 17 years and never before encountered well over 50 spams per day in my spam folder, and two dozen more within minutes of my reporting, all from the same source.  I wonder if their intention in sending so many right away would be to get me to get tired reporting those bogus ones and leave the other older ones alone.

These are all from cloudflare dot com.  All until just recently were also from volia dot net from the Ukraine, I believe.  All of the spams are using the same scripted header, with various creative bodies. Several times I have even tried to eliminate whatever code I could from the emails when I report them; I'm not sure if that helped any.

I even contacted cloudflare separately using a throwaway email address (hosted by cloudflare!), and got back a form letter response saying something about their notifying the sender if they could. 

6936557925 and 6936557926 are examples of one such spam reported without any alteration other than spamcop's munging.

https://www.spamcop.net/sc?id=z6533678221z064eda6e37e20da61d4c35285b02f946z


9 minutes ago, bobk said:

Thanks all.

I've had a spamcop account for 17 years and never before encountered well over 50 spams per day in my spam folder, and two dozen more within minutes of my reporting, all from the same source.  I wonder if their intention in sending so many right away would be to get me to get tired reporting those bogus ones and leave the other older ones alone.

These are all from cloudflare dot com.  All until just recently were also from volia dot net from the Ukraine, I believe.  All of the spams are using the same scripted header, with various creative bodies. Several times I have even tried to eliminate whatever code I could from the emails when I report them; I'm not sure if that helped any.

I even contacted cloudflare separately using a throwaway email address (hosted by cloudflare!), and got back a form letter response saying something about their notifying the sender if they could. 

6936557925 and 6936557926 are examples of one such spam reported without any alteration other than spamcop's munging.

https://www.spamcop.net/sc?id=z6533678221z064eda6e37e20da61d4c35285b02f946z

Yep, just like I thought, those sigarpi.com links are some of those tracking links. Hitting them triggers a script on their server that “assumes” that you’re interested in their products and they send a spew of their junk to the address linked to the number.

At least that’s the way it looks.

See here...

unfortunately nothing has been done about it :(

Deselect the cloudflare report and you should be ok...

I know, it’s not perfect, but you’d get less spam and eventually they’ll die out. Haven’t had one since last October...


Thanks RobiBue. That seems exactly right.  

When I followed your "here" link, though, your examples of how you munged cloudflare would not load: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez . I'm hoping it's easier than putting an x on 30+ instances of the name.

What do you mean by deselecting the cloudflare report?  The only way I can tell it's from them now is to recognize the script in the header.


5 hours ago, bobk said:

Thanks RobiBue. That seems exactly right.  

When I followed your "here" link, though, your examples of how you munged cloudflare would not load: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez . I'm hoping it's easier than putting an x on 30+ instances of the name.

What do you mean by deselecting the cloudflare report?  The only way I can tell it's from them now is to recognize the script in the header.

Yeah, unfortunately the spam examples get removed by SC to conserve space (there are so many reports a DB can hold without having to add more HDD...) and when I checked my inbox, the spam from back then had already been deleted as well...

 but I found examples in my sent folder:

Quote

<img alt="Droid or Apple? Find Your New Cell Phone Today! Fresh Deals!" border="0" height="176" src="http://airlinehop.com/?--ID-number-1-(munged)--" width="23"/></td> <td bgcolor="#FFFFFF" height="175" valign="top" width="276"> <span style="font-family: Bookman Old Style; color: #242424; font-weight: 700"> <font style="font-size: 12pt">Search: <a href="http://airlinehop.com/?--ID-number-8-(munged)--">Cell Phones</a></font></span><p> <span style="font-family: Bookman Old Style; color: #242424"> Ready For A New Phone? <br/> <i>ANDROID</i> or <i>APPLE</i>? <br/> Browse Newest Models NOW!<br/>

I had written a quick and dirty script, which would replace the numbers after the host name with the text "?--ID-number-<n>-(munged)--" where <n> is the last digit of the number... and then sent it off to SC for reporting...


6 hours ago, bobk said:

What do you mean by deselecting the cloudflare report?  The only way I can tell it's from them now is to recognize the script in the header.

When you submit a spam, at the bottom of the screen you should see something like the following. By clicking on the checked boxes you can deselect a report and not send a spam report to any one of the suggested recipients.

Quote
Report spam to:

Re: 146.111.121.4 (Administrator of network where email originates)
To: security@mail.cuny.edu (Notes)

Re: http://andreahumphrey.com/o_ultranationalist_ma... (Administrator of network hosting website referenced in spam)
To: fbl-spamcop@ext.godaddy.com (Notes)

Re: https://tigermail.qcc.cuny.edu/unsubscribe.html (Administrator of network hosting website referenced in spam)
To: security@mail.cuny.edu (Notes)

Re: User Notification (Notes)
To:


10 hours ago, RobiBue said:

I had written a quick and dirty script, which would replace the numbers after the host name with the text "?--ID-number-<n>-(munged)--" where <n> is the last digit of the number... and then sent it off to SC for reporting...

Hey RobiBue,

Have you ever seen a 🦗 begging? Stand by to witness this miracle:

If your "dirty" script is safe to share may I have a copy please?

My little 🦗paws are fair worn out from modifying scummy spam urls...

Cheers!


8 hours ago, MIG said:

Hey RobiBue,

Have you ever seen a 🦗 begging? Stand by to witness this miracle:

If your "dirty" script is safe to share may I have a copy please?

My little 🦗paws are fair worn out from modifying scummy spam urls...

Cheers!

Uhmmm... script is safe, but I do have 2 confessions to make:

  1. Currently I have no access to the pc I wrote the script on, and
  2. The script is a vba script for win word where I just dropped the spam in, ran the script, and attached the resulting text files to an email addressed to my reporting SC address...

The script works roughly as follows:

search for an https?:// domain name with regex and replace the numerical path (or ?argument) with the --ID...-- line

that’s basically the idea.

fun to play and test reg(ular) ex(pressions) https://regex101.com/r/wN6cZ7/478 (already set up for domain names)

and SO has a nice answer for the whole URL: https://stackoverflow.com/questions/27745/getting-parts-of-a-url-regex

sorry that I can’t be of more help atm... working these answers off a tablet...
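
A sketch of the munging RobiBue describes above, written in Python as an added example; it is not RobiBue's VBA script and not part of the original post. The six-digit minimum, the host names and the numbers in the sample are assumptions made for illustration.

```python
import re

# Interpretation of the post (assumption): a tracking ID is a run of six or
# more digits that forms the whole path or query right after the host name.
TRACKING_URL = re.compile(
    r"(?P<base>https?://[A-Za-z0-9.-]+(?::\d+)?)"  # scheme, host, optional port
    r"(?P<sep>/\?|/|\?)"                            # "/?", "/" or "?" before the ID
    r"(?P<id>\d{6,})(?!\w)"                         # the per-recipient number
)


def munge_tracking_ids(text):
    """Return (munged_text, count) with each numeric ID replaced by a marker.

    The marker keeps only the last digit of the ID, as described in the
    thread, so different links in one message stay distinguishable.
    """
    def _replace(match):
        last_digit = match.group("id")[-1]
        return "{}{}--ID-number-{}-(munged)--".format(
            match.group("base"), match.group("sep"), last_digit)

    return TRACKING_URL.subn(_replace, text)


# Constructed sample: hosts and numbers are made up for this example.
SAMPLE = (
    '<img src="http://tracker.example/?4815162342001" width="23"/>\n'
    '<a href="http://tracker.example/?4815162342008">Cell Phones</a>\n'
    '<a href=3D"https://redirect.example/away.php?url=3D'
    'http://tracker.example/?10809809944">x</a>\n'
    '<a href="https://shop.example/item/2024/index.html">not a tracking ID</a>\n'
)

if __name__ == "__main__":
    munged, count = munge_tracking_ids(SAMPLE)
    print(count, "tracking IDs munged")
    print(munged)
```

Run it on the raw message source before forwarding it for reporting. A number split by a quoted-printable soft line break (`=` at the end of a line) is not matched, so such a body needs decoding first.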


Hey RobiBue,

Thank you!

What I've been doing is manually searching for any "http"

Example: <a href=3D"https: // odnogrupniki.com.ua / =away.php?url=3Dhttp://  recover.wokdorkers/?10809809944215154550025261733"> , removing everything except https: // odnogrupniki.com.ua /, dropping the result in SC Parser.

2 outcomes, SC Parser recognises the links & I think, in another post, you provided info that each time full links were parsed the spammer got a positive hit, that urinated me off so any action I can take to limit benefits for spammers, is good for me😎

I think I need to 101 regular expressions/Regex to get my🦗head around your solution😉

Cheers!


  • 4 years later...

Are you opening the spam email triggering a read receipt? If yes try selecting to translate to raw message code and truncate links in the body before reporting. The modern day spammers are 3rd party sales and marketing sending out bulk spam through mailing lists using different addresses and an IP range so the more we report the more they find themselves on multiple blocklists. Our private details are out there on databases which are very hard to locate and delete, I have tried and failed. 


2 hours ago, frustrated nyker said:

yup. I had maybe 1500 spams a week before I started reporting. Now I am getting 2000 after 2 weeks of reporting. spamcop seems to tell the spammers that it's a monitored address, so it increases spam. It's a horrible place, this spamcop.net

Doubt if your email address has been gathered by reporting spam.
More likely it has been scraped from the Internet by a Bot Webspider
https://en.wikipedia.org/wiki/Web_crawler#Crawler_identification

Would help to see a SpamCop track URL
Your best attack is to report spam; at least your email address will be listwashed by spammers as poison


It might seem like we get individual attention from the spammer but they are running automated programs and their main interest is when they get a click on the link. No one is monitoring the mailbox for replies and they have virtually no overheads using free email and network services. They rely on most spam to go to spam or get deleted so they continue to get paid for sending newsletters etc. I'm not sure how listwashing works when SC is the reporter and if they don't get a sale they resell the address as a lead - no honor among thieves. When I was reporting manually I sent an abuse report to a company and they notified me recently about hackers stealing customer info. I asked to get my info deleted and they sent it to legal and agreed to delete it after several weeks but this slackness in system security is why we keep getting spammed.


On 3/30/2024 at 5:39 PM, ninth said:

It might seem like we get individual attention from the spammer

Now sendgrid are offering spammers delight forging Foxnews email!
don't recommend you use the bogus manual "add your email" to bogus optout
(yes they have your email anyhow)
But here you very likely get put on their spammer list (Pwned) and become
one of spammer genuine verified email addresses!
Which are then sold$$$ to other would be email "marketers"
this is 12 months ago seems started again
167.89.86.241 was last scam email (now on reporting to the FED's as well)
https://www.abuseipdb.com/check/167.89.86.241
before it was from 
https://www.abuseipdb.com/check/159.183.224.10 
So take care emails that appear legit may not be


I received random spam from temu a new ultra cheap online superstore. I assumed it was legit but when I reported to SC it was forgery due to the popularity. I rarely get spam only scam these days and when I do get spammed I'm sus they were conned into buying my address because they stopped after I only get one email. What we should be more worried about if SC is not around to reduce spam, the blocklist users will just go to other blocklist services but if they disappear the increase in spam worldwide will be so astronomical that all networks will be clogged with junk messages and become unusable.


On 4/4/2024 at 7:52 PM, ninth said:

I received random spam from temu a new ultra cheap online superstore. I assumed it was legit but when I reported to SC it was forgery due to the popularity. I rarely get spam only scam these days and when I do get spammed I'm sus they were conned into buying my address because they stopped after I only get one email. What we should be more worried about if SC is not around to reduce spam, the blocklist users will just go to other blocklist services but if they disappear the increase in spam worldwide will be so astronomical that all networks will be clogged with junk messages and become unusable.

Doubt if it was TEMU?
TEMU are an American company trying to sell Chinese made quality (often at least) products at Chinese prices.
Takes less than a week for me to get what I buy (mainly underpants, socks, etc), so far no complaints.
Scammers are using their name!
Security reminder (By TEMU)
Be wary of scam messages posing as customs or courier companies, 
which usually tell you that your package cannot be delivered for some reason and that you need to pay a fee for it to be delivered.

TEMU do set an aggressive PUP on your browser, something Windows Defender won't remove
Try this free Windows PUP remover Contains nagware!
