Appleseed

Does Spamcop send report directly to spammer itself?


The fake date email spam (Submitted: 8/4/2019, 1:07:01 PM +0300:) I reported. There is a Gmail address where SpamCop sends the report.

Isn't that the address of the spammer itself? Why does SpamCop send the report there?


Sorry about the confusion with your post.

SpamCop does not send spam reports to the spammer but to their ISP, etc. If you could provide a Tracking URL it would help others see what the parser did with your spam. It is hard to give an informed opinion based on just your post.


Appleseed,

As a user like you, I am not able to see any spam you may have reported. So I second Lking's request for a tracking link.

1 minute ago, Lking said:

If you could provide a Tracking URL it would help others see what the parser did with your spam.  It is hard to give an informed opinion based on just your post.

Appleseed, what I suspect you are seeing is some users have signed up for an IP range, but then don't use an abuse address.  Those seem to be using a personal address instead.

12 minutes ago, Appleseed said:

No problem, things happen^^

https://www.spamcop.net/sc?id=z6564775200zb0e68f15592a9b6948787f714e4ec177z
The SpamCop tracking URL shows the Gmail abuse address is probably bogus (Bitbin)
the IP of URL is a botnet
https://www.abuseat.org/lookup.cgi?ip=92.63.192.124
Front for child porn phishing spam operator.
Send report to response[AT]cert-gib[DOT]ru no working abuse address.

Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS



17 hours ago, Appleseed said:

There is that Gmail address I'm talking about.

The address matches the cached entry returned from RIPE.  I am not sure I would trust the other RIPE email any more than the gmail address either.

SpamCop RIPE cached:

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '92.63.192.0 - 92.63.192.255'

% Abuse contact for '92.63.192.0 - 92.63.192.255' is 'vvsg180@gmail.com'

New RIPE query:

e-mail:          vigorv@mail.ru
e-mail:          hawk@diamondc.ru
upd-to:          stell_hawk@mail.ru
abuse: hawk@diamondc.ru

One quick note that you may not be aware of is that thanks to GDPR there might be times where the "-B" gets in the way and someone has performed a manual add.

SpamCop:

Reports routes for 92.63.192.124:
routeid: 78192297 92.63.192.0 - 92.63.192.255 to: vvsg180@gmail.com
Administrator interested in all reports
7/17/2019, 9:45:55 AM -0600 
[Note added by  (no name)]
Route added without comment

 

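The comparison made in the post above (cached abuse contact versus a fresh RIPE lookup) can be automated before trusting a report route. This is an added example, not part of the thread and not SpamCop's code; the sample text is constructed from the output quoted above, and the `FREEMAIL` list and finding names are assumptions.

```python
import re

# Constructed sample input, modeled on the two lookups quoted in the post above.
CACHED = """% Information related to '92.63.192.0 - 92.63.192.255'
% Abuse contact for '92.63.192.0 - 92.63.192.255' is 'vvsg180@gmail.com'
"""
FRESH = """e-mail:          vigorv@mail.ru
e-mail:          hawk@diamondc.ru
upd-to:          stell_hawk@mail.ru
abuse: hawk@diamondc.ru
"""
# Assumption: short illustrative list of free webmail domains, not exhaustive.
FREEMAIL = {"gmail.com", "mail.ru", "hotmail.com", "outlook.com", "yahoo.com"}
ABUSE_ROLES = {"abuse", "abuse-mailbox"}

ABUSE_COMMENT = re.compile(r"^%\s*Abuse contact for '[^']+' is '([^']+)'", re.I)
ATTRIBUTE = re.compile(r"^([A-Za-z-]+):\s*(\S+@\S+)\s*$")

def parse_contacts(text):
    """Split RIPE-style whois text into abuse contacts and all other addresses."""
    abuse, other = set(), set()
    for line in text.splitlines():
        comment = ABUSE_COMMENT.match(line)
        attr = ATTRIBUTE.match(line)
        if comment:
            abuse.add(comment.group(1).lower())
        elif attr and attr.group(1).lower() in ABUSE_ROLES:
            abuse.add(attr.group(2).lower())
        elif attr:
            other.add(attr.group(2).lower())
    return abuse, other

def review_route(cached_text, fresh_text):
    """Return (finding, address) pairs a reporter should look at before sending."""
    cached_abuse, _ = parse_contacts(cached_text)
    fresh_abuse, fresh_other = parse_contacts(fresh_text)
    findings = [("cached-contact-not-in-fresh-lookup", a)
                for a in sorted(cached_abuse - fresh_abuse)]
    findings += [("abuse-contact-on-free-webmail", a)
                 for a in sorted(cached_abuse | fresh_abuse)
                 if a.rsplit("@", 1)[1] in FREEMAIL]
    findings += [("abuse-contact-is-holder-address", a)
                 for a in sorted(fresh_abuse & fresh_other)]
    return findings

if __name__ == "__main__":
    for finding, address in review_route(CACHED, FRESH):
        print(f"{finding}: {address}")
```

A finding is a prompt to look for an upstream contact, not proof that the address belongs to the spammer.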
On 8/10/2019 at 5:34 PM, petzl said:

https://www.spamcop.net/sc?id=z6564775200zb0e68f15592a9b6948787f714e4ec177z
The SpamCop tracking URL shows the Gmail abuse address is probably bogus (Bitbin)
the IP of URL is a botnet
https://www.abuseat.org/lookup.cgi?ip=92.63.192.124
Front for child porn phishing spam operator.
Send report to response[AT]cert-gib[DOT]ru no working abuse address.


Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS




 

What I'm seeing at the tracking link is typical of mail I receive at an Outlook email account, where the top-most (most recent) Received header trips things up so that reports go to report_spam[at]hotmail.com - I usually delete or comment out the header in such situations, which is normally sufficient to get the report(s) sent to a more appropriate address.

3 hours ago, lisati said:

What I'm seeing at the tracking link is typical of mail I receive at an Outlook email account, where the top-most (most recent) Received header trips things up so that reports go to report_spam[at]hotmail.com - I usually delete or comment out the header in such situations, which is normally sufficient to get the report(s) sent to a more appropriate address.

My template attracts Russia's attention; it applies to all porn spam. Not seen one with "proof of age" on file.

10 hours ago, petzl said:

My template attracts Russia's attention; it applies to all porn spam. Not seen one with "proof of age" on file.

I've seen some with apparent connections to Russia. Thankfully my provider filters them out before they make it to my inbox or junk/spam folder.

5 hours ago, Appleseed said:

This is the same spam I get almost every day, but this one uses a Google link instead of that Russian site.

I don't know what that link does, but it is to google.com

https://www.spamcop.net/sc?id=z6566161130zd34619e4d85c8adc3716c597c9f69569z

Google seems to have taken the link down?

11 hours ago, petzl said:

Google seems to have taken the link down?

The link still forwards.  Apparently, the link is a search where it clicks the "I feel lucky button" and forwards directly to the first returned google search result.

The "I feel lucky" button as being part of the URL:

btnI=bQm4

 

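A mail filter can flag the pattern described in the post above, a Google search link carrying the `btnI` parameter, while ignoring lookalike hosts. This is an added example, not part of the thread; the message body, its URLs and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Matches google.com, www.google.de, google.co.uk, www.google.com.au and similar,
# but not hosts that merely start with "www.google.com." and continue.
GOOGLE_HOST = re.compile(r"^(?:www\.)?google\.(?:com|[a-z]{2}|com?\.[a-z]{2})$")

# Constructed message body (not taken from the reported spam).
SAMPLE_BODY = """
Hi, see my photos: https://www.google.com/search?q=constructed+example+phrase&btnI=bQm4.
Ordinary search link: https://www.google.com/search?q=weather
Lookalike host: https://www.google.com.mail-check.example/search?q=x&btnI=1
Unrelated site: https://shop.example/?btnI=1
"""

def lucky_redirects(body):
    """Return Google links in a message body that carry the btnI parameter."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")          # drop trailing sentence punctuation
        parts = urlsplit(url)
        host = parts.hostname or ""       # urlsplit lowercases the hostname
        if not GOOGLE_HOST.match(host):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if "btnI" in params:
            # The q value is what decides where the redirect lands.
            hits.append({"url": url, "search": params.get("q", [""])[0]})
    return hits

if __name__ == "__main__":
    for hit in lucky_redirects(SAMPLE_BODY):
        print(hit["url"], "->", repr(hit["search"]))
```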
On 8/16/2019 at 11:46 PM, gnarlymarley said:

The link still forwards.  Apparently, the link is a search where it clicks the "I feel lucky button" and forwards directly to the first returned google search result.

The "I feel lucky" button as being part of the URL:


btnI=bQm4

 

That's good to know. The site where the link goes again has the same Russian owner.

On 8/20/2019 at 1:00 AM, Appleseed said:

is it legit or not?

I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore. I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), then I am not sure it matters as they already have that information from when they connected to my email server. I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.

On 9/12/2019 at 9:28 PM, gnarlymarley said:

I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore. I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), then I am not sure it matters as they already have that information from when they connected to my email server. I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.

Ok, it seems that that guy is the same as OOO-Patent-Media etc., and their company Romanenko Stanislav Sergeevich is hosting those spam sites https://dnslytics.com/bgp/as47981

So vvsg180@gmail.com is theirs, and also hawk@diamondc.ru and stell_hawk@mail.ru

So it is impossible to stop that spam if SpamCop reports to them. Just like I was guessing in my first post. SpamCop reports directly to the spammer itself.

If someone could find who the host is behind their IP range 92.63.192.0-92.63.192.255, then the report could be sent directly to that ISP.

Edited by Appleseed

4 hours ago, Appleseed said:

Ok, it seems that that guy is the same as OOO-Patent-Media etc., and their company Romanenko Stanislav Sergeevich is hosting those spam sites https://dnslytics.com/bgp/as47981

So vvsg180@gmail.com is theirs, and also hawk@diamondc.ru and stell_hawk@mail.ru

So it is impossible to stop that spam if SpamCop reports to them. Just like I was guessing in my first post. SpamCop reports directly to the spammer itself.

If someone could find who the host is behind their IP range 92.63.192.0-92.63.192.255, then the report could be sent directly to that ISP.

looks like their IPv4 peer is AS 31343 ( Intertelecom Ltd ) (got it from your dnslytics link ;) )

It seems that Intertelecom is the only peer Romanenko has, so it is likely that he is their customer... maybe they don't know what's going on in their "backyard/neighbourhood" and then again, maybe they do and the money they get is good enough for them...

 

On 10/11/2019 at 5:34 AM, RobiBue said:

looks like their IPv4 peer is AS 31343 ( Intertelecom Ltd ) (got it from your dnslytics link ;) )

It seems that Intertelecom is the only peer Romanenko has, so it is likely that he is their customer... maybe they don't know what's going on in their "backyard/neighbourhood" and then again, maybe they do and the money they get is good enough for them...

 

Thanks

BTW, this guy is specialized in Smoke Loader and has a huge Necurs botnet.

Edited by Appleseed

On 9/12/2019 at 8:28 PM, gnarlymarley said:

I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore. I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), then I am not sure it matters as they already have that information from when they connected to my email server. I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.

I don't think it's legit. I have myself reported to that e-mail many times and I still get plenty of spam and phishing e-mails that still get reported to that abuse email and nothing happens. I think it's owned by the spammer himself.

On 10/20/2019 at 3:27 PM, Appleseed said:

Thanks

BTW, this guy is specialized in Smoke Loader and has a huge Necurs botnet.

Where can you find that information? Is there any other abuse address I can report to? This spammer has spammed me for years. The spammer hacks sites and e-mails and uses them in a botnet.

 

 

Edited by klappa

On 10/31/2019 at 1:21 AM, klappa said:

This spammer has spammed me for years.

I have not seen any recent reports of mine for this spammer.  I am not sure if they stopped or just moved on to other addresses for the time.
