Appleseed Posted August 4, 2019 Share Posted August 4, 2019 The fake date email spam (Submitted: 8/4/2019, 1:07:01 PM +0300:) i reported. There is gmail address where Spamcop send the report. Isnt that the address of the spammer itself? Why Spamcop send the report there? Quote Link to comment Share on other sites More sharing options...
Lking Posted August 10, 2019 Share Posted August 10, 2019 Sorry about the confusion with your post. SpamCop does not sent spam reports to the spammer but to their ISP, etc. If you could provide a Tracking URL it would help others see what the parser did with your spam. It is hard to give an informed opinion based on just your post. Quote Link to comment Share on other sites More sharing options...
gnarlymarley Posted August 10, 2019 Share Posted August 10, 2019 Appleseed, As a user like you, I am not able to see the any spam you may have reported. So I second Lking's request for a tracking link. 1 minute ago, Lking said: If you could provide a Tracking URL it would help others see what the parser did with your spam. It is hard to give an informed opinion based on just your post. Appleseed, what I suspect you are seeing is some users have signed up for an IP range, but then don't use an abuse address. Those seem to be using a personal address instead. Quote Link to comment Share on other sites More sharing options...
Appleseed Posted August 10, 2019 Author Share Posted August 10, 2019 (edited) If you look that report by Anonymous 11 Jan 2019 https://www.abuseipdb.com/check/92.63.192.39?page=2 There is that gmail address im talking about. And here is my report from today https://www.spamcop.net/sc?id=z6564775200zb0e68f15592a9b6948787f714e4ec177z Edited August 10, 2019 by Appleseed Quote Link to comment Share on other sites More sharing options...
Appleseed Posted August 10, 2019 Author Share Posted August 10, 2019 4 hours ago, Lking said: Sorry about the confusion with your post. No problem, things happen^^ Quote Link to comment Share on other sites More sharing options...
petzl Posted August 10, 2019 Share Posted August 10, 2019 12 minutes ago, Appleseed said: No problem, things happen^^ https://www.spamcop.net/sc?id=z6564775200zb0e68f15592a9b6948787f714e4ec177z The SpamCop tracking URL shows the Gmail abuse address is probably bogus (Bitbin) the IP of URL is a botnethttps://www.abuseat.org/lookup.cgi?ip=92.63.192.124 Front for child porn phishing spam operator. Send report to response[AT]cert-gib[DOT]ru no working abuse address. Child porn spammer pictures under 18 or made to look under 18 NO PROOF OF AGE available! SENT TO MINORS > Quote Link to comment Share on other sites More sharing options...
gnarlymarley Posted August 10, 2019 Share Posted August 10, 2019 17 hours ago, Appleseed said: There is that gmail address im talking about. The address matches the cached entry returned from RIPE. I am not sure I would trust the other RIPE email any more than the gmail address either. SpamCop RIPE cached: % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '92.63.192.0 - 92.63.192.255' % Abuse contact for '92.63.192.0 - 92.63.192.255' is 'vvsg180@gmail.com' New RIPE query: e-mail: vigorv@mail.ru e-mail: hawk@diamondc.ru upd-to: stell_hawk@mail.ru abuse: hawk@diamondc.ru One quick note that you may not be aware of is that thanks to GDPR there might be times where the "-B" gets in the way and someone has performed a manual add. SpamCop: Reports routes for 92.63.192.124: routeid: 78192297 92.63.192.0 - 92.63.192.255 to: vvsg180@gmail.com Administrator interested in all reports 7/17/2019, 9:45:55 AM -0600 [Note added by (no name)] Route added without comment Quote Link to comment Share on other sites More sharing options...
lisati Posted August 14, 2019 Share Posted August 14, 2019 On 8/10/2019 at 5:34 PM, petzl said: https://www.spamcop.net/sc?id=z6564775200zb0e68f15592a9b6948787f714e4ec177z The SpamCop tracking URL shows the Gmail abuse address is probably bogus (Bitbin) the IP of URL is a botnethttps://www.abuseat.org/lookup.cgi?ip=92.63.192.124 Front for child porn phishing spam operator. Send report to response[AT]cert-gib[DOT]ru no working abuse address. Child porn spammer pictures under 18 or made to look under 18 NO PROOF OF AGE available! SENT TO MINORS > What I'm seeing at the tracking link is typical of mail I receive at an Outlook email account, where the top-most (most recent) Received header trips things up so that reports go to report_spam[at]hotmail.com - I usually delete or comment out the header in such situations, which is normally sufficient to get the report(s) sent to a more appropriate address. Quote Link to comment Share on other sites More sharing options...
petzl Posted August 14, 2019 Share Posted August 14, 2019 3 hours ago, lisati said: What I'm seeing at the tracking link is typical of mail I receive at an Outlook email account, where the top-most (most recent) Received header trips things up so that reports go to report_spam[at]hotmail.com - I usually delete or comment out the header in such situations, which is normally sufficient to get the report(s) sent to a more appropriate address. My template attracts Russia's attention it applies to all porn spam/ Not seen one with "proof of age" on file. Quote Link to comment Share on other sites More sharing options...
lisati Posted August 14, 2019 Share Posted August 14, 2019 10 hours ago, petzl said: My template attracts Russia's attention it applies to all porn spam/ Not seen one with "proof of age" on file. I've seen some with apparent connections to Russia. Thankfully my provider filters them out before they make it to my inbox or junk/spam folder. Quote Link to comment Share on other sites More sharing options...
Appleseed Posted August 16, 2019 Author Share Posted August 16, 2019 This is same spam i get almost every day, but this one use google link instead of that russian site. I dont know what that link does, but it is to google.com https://www.spamcop.net/sc?id=z6566161130zd34619e4d85c8adc3716c597c9f69569z Quote Link to comment Share on other sites More sharing options...
petzl Posted August 16, 2019 Share Posted August 16, 2019 5 hours ago, Appleseed said: This is same spam i get almost every day, but this one use google link instead of that russian site. I dont know what that link does, but it is to google.com https://www.spamcop.net/sc?id=z6566161130zd34619e4d85c8adc3716c597c9f69569z Google seem to of taken link down? Quote Link to comment Share on other sites More sharing options...
gnarlymarley Posted August 16, 2019 Share Posted August 16, 2019 11 hours ago, petzl said: Google seem to of taken link down? The link still forwards. Apparently, the link is a search where it clicks the "I feel lucky button" and forwards directly to the first returned google search result. The "I feel lucky" button as being part of the URL: btnI=bQm4 Quote Link to comment Share on other sites More sharing options...
Appleseed Posted August 17, 2019 Author Share Posted August 17, 2019 On 8/16/2019 at 11:46 PM, gnarlymarley said: The link still forwards. Apparently, the link is a search where it clicks the "I feel lucky button" and forwards directly to the first returned google search result. The "I feel lucky" button as being part of the URL: btnI=bQm4 Thats good to know. The site where link goes, have again the same russian owner. Quote Link to comment Share on other sites More sharing options...
Appleseed Posted August 20, 2019 Author Share Posted August 20, 2019 So, is it a problem that Spamcop send reports to vvsg180@gmail.com, is it legit or not? Quote Link to comment Share on other sites More sharing options...
gnarlymarley Posted September 12, 2019 Share Posted September 12, 2019 On 8/20/2019 at 1:00 AM, Appleseed said: is it legit or not? I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore. I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), they I am not sure it matters as they already have that information from when they connected to my email server. I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit. Quote Link to comment Share on other sites More sharing options...
Appleseed Posted October 10, 2019 Author Share Posted October 10, 2019 (edited) On 9/12/2019 at 9:28 PM, gnarlymarley said: I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore. I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), they I am not sure it matters as they already have that information from when they connected to my email server. I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit. Ok, it seems that that guy is the same as OOO-Patent-Media etc. and their company Romanenko Stanislav Sergeevich are hosting those spamsite https://dnslytics.com/bgp/as47981 So vvsg180@gmail.com is their and also hawk@diamondc.ru and stell_hawk@mail.ru So it is impossible to stop that spam, if SPAMCOP report to them. Just like i was guessing in my first post. Spamcop report directly to spammer itself. If someone could find who is host behind of their IP range 92.63.192.0-92.63.192.255, then the report could send directly to that ISP. Edited October 10, 2019 by Appleseed Quote Link to comment Share on other sites More sharing options...
RobiBue Posted October 11, 2019 Share Posted October 11, 2019 4 hours ago, Appleseed said: Ok, it seems that that guy is the same as OOO-Patent-Media etc. and their company Romanenko Stanislav Sergeevich are hosting those spamsite https://dnslytics.com/bgp/as47981 So vvsg180@gmail.com is their and also hawk@diamondc.ru and stell_hawk@mail.ru So it is impossible to stop that spam, if SPAMCOP report to them. Just like i was guessing in my first post. Spamcop report directly to spammer itself. If someone could find who is host behind of their IP range 92.63.192.0-92.63.192.255, then the report could send directly to that ISP. looks like their IPv4 peer is AS 31343 ( Intertelecom Ltd ) (got it from your dnslytics link ) It seems that Intertelecom is the only peer Romanenko has, so it is likely that he is their customer... maybe they don't know what's going on in their "backyard/neighbourhood" and then again, maybe they do and the money they get is good enough for them... Quote Link to comment Share on other sites More sharing options...
Appleseed Posted October 20, 2019 Author Share Posted October 20, 2019 (edited) On 10/11/2019 at 5:34 AM, RobiBue said: looks like their IPv4 peer is AS 31343 ( Intertelecom Ltd ) (got it from your dnslytics link ) It seems that Intertelecom is the only peer Romanenko has, so it is likely that he is their customer... maybe they don't know what's going on in their "backyard/neighbourhood" and then again, maybe they do and the money they get is good enough for them... Thanks BTW. This guy have is specialized to Smoke Loader and have a huge Necurs botnet. Edited October 20, 2019 by Appleseed Quote Link to comment Share on other sites More sharing options...
klappa Posted October 31, 2019 Share Posted October 31, 2019 (edited) On 9/12/2019 at 8:28 PM, gnarlymarley said: I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore. I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), they I am not sure it matters as they already have that information from when they connected to my email server. I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit. I don't think it's legit. I have myself reported to that e-mail many times and i still get plenty of spam and phishing e-mails that still get's reported to that abuse email and nothing happens. I think it's owned by the spammer himself. On 10/20/2019 at 3:27 PM, Appleseed said: Thanks BTW. This guy have is specialized to Smoke Loader and have a huge Necurs botnet. Where can you find that information? Is there any other abuse address I can report to? This spammer have spammed me for years. The spammer hacks sites and e-mails and use them in a botnet. Edited October 31, 2019 by klappa Quote Link to comment Share on other sites More sharing options...
gnarlymarley Posted November 16, 2019 Share Posted November 16, 2019 On 10/31/2019 at 1:21 AM, klappa said: This spammer have spammed me for years. I have not seen any recent reports of mine for this spammer. I am not sure if they stopped or just moved on to other addresses for the time. Quote Link to comment Share on other sites More sharing options...
Appleseed Posted April 28, 2020 Author Share Posted April 28, 2020 (edited) On 10/31/2019 at 9:21 AM, klappa said: Where can you find that information? Is there any other abuse address I can report to? This spammer have spammed me for years. The spammer hacks sites and e-mails and use them in a botnet. I did find it from Google when i was looking information of this spammer. After i started to report him to that IPv4 peer company mentioned above (thanks RobiBue), they did change it to another one. Then i started to report those spams to that one also and now i havet got any spam from that spammer. That guy own fashion clothes store or modeling place. It could be that he is selling those poor girls irl. Now i keep getting new kind of spam what i cant report to Spamcop. Outlook wont allow copy that email source code. Edited April 28, 2020 by Appleseed Quote Link to comment Share on other sites More sharing options...
gnarlymarley Posted May 11, 2020 Share Posted May 11, 2020 On 4/27/2020 at 11:50 PM, Appleseed said: Now i keep getting new kind of spam what i cant report to spamcop. Outlook wont allow copy that email source code. That is why I prefer imap/ssl when possible because thunderbird always seems to work for me. Maybe a webmail version of outlook might work for you, if you have one. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.