Does Spamcop send report directly to spammer itself?

[Appleseed]

The fake date email spam (Submitted: 8/4/2019, 1:07:01 PM +0300:) i reported. There is gmail address where Spamcop send the report. 

Isnt that the address of the spammer itself? Why Spamcop send the report there?

[Lking]

Sorry about the confusion with your post.

SpamCop does not sent spam reports to the spammer but to their ISP, etc.  If you could provide a Tracking URL it would help others see what the parser did with your spam.  It is hard to give an informed opinion based on just your post.

[gnarlymarley]

Appleseed,

As a user like you, I am not able to see the any spam you may have reported.  So I second Lking's request for a tracking link.

1 minute ago, Lking said:

If you could provide a Tracking URL it would help others see what the parser did with your spam.  It is hard to give an informed opinion based on just your post.

Appleseed, what I suspect you are seeing is some users have signed up for an IP range, but then don't use an abuse address.  Those seem to be using a personal address instead.

[Appleseed]

If you look that report by Anonymous 11 Jan 2019 https://www.abuseipdb.com/check/92.63.192.39?page=2

There is that gmail address im talking about. 

And here is my report from today  https://www.spamcop.net/sc?id=z6564775200zb0e68f15592a9b6948787f714e4ec177z

Edited August 10, 2019 by Appleseed

[Appleseed]

4 hours ago, Lking said:

Sorry about the confusion with your post.

No problem, things happen^^

[petzl]

12 minutes ago, Appleseed said:

No problem, things happen^^

https://www.spamcop.net/sc?id=z6564775200zb0e68f15592a9b6948787f714e4ec177z
The SpamCop tracking URL shows the Gmail abuse address is probably bogus (Bitbin)
the IP of URL is a botnet
https://www.abuseat.org/lookup.cgi?ip=92.63.192.124
Front for child porn phishing spam operator.
Send report to response[AT]cert-gib[DOT]ru no working abuse address.

Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS



>

 

[gnarlymarley]

17 hours ago, Appleseed said:

There is that gmail address im talking about. 

The address matches the cached entry returned from RIPE.  I am not sure I would trust the other RIPE email any more than the gmail address either.

SpamCop RIPE cached:

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '92.63.192.0 - 92.63.192.255'

% Abuse contact for '92.63.192.0 - 92.63.192.255' is 'vvsg180@gmail.com'

New RIPE query:

e-mail:          vigorv@mail.ru
e-mail:          hawk@diamondc.ru
upd-to:          stell_hawk@mail.ru
abuse: hawk@diamondc.ru

One quick note that you may not be aware of is that thanks to GDPR there might be times where the "-B" gets in the way and someone has performed a manual add.

SpamCop:

Reports routes for 92.63.192.124:
routeid: 78192297 92.63.192.0 - 92.63.192.255 to: vvsg180@gmail.com
Administrator interested in all reports
7/17/2019, 9:45:55 AM -0600 
[Note added by  (no name)]
Route added without comment

 

[lisati]

On 8/10/2019 at 5:34 PM, petzl said:

https://www.spamcop.net/sc?id=z6564775200zb0e68f15592a9b6948787f714e4ec177z
The SpamCop tracking URL shows the Gmail abuse address is probably bogus (Bitbin)
the IP of URL is a botnet
https://www.abuseat.org/lookup.cgi?ip=92.63.192.124
Front for child porn phishing spam operator.
Send report to response[AT]cert-gib[DOT]ru no working abuse address.

Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS



>

 

What I'm seeing at the tracking link is typical of mail I receive at an Outlook email account, where the top-most (most recent) Received header trips things up so that reports go to report_spam[at]hotmail.com - I usually delete or comment out the header in such situations, which is normally sufficient to get the report(s) sent to a more appropriate address.

[petzl]

3 hours ago, lisati said:

What I'm seeing at the tracking link is typical of mail I receive at an Outlook email account, where the top-most (most recent) Received header trips things up so that reports go to report_spam[at]hotmail.com - I usually delete or comment out the header in such situations, which is normally sufficient to get the report(s) sent to a more appropriate address.

My template attracts Russia's attention it applies to all porn spam/ Not seen one with "proof of age" on file.

[lisati]

10 hours ago, petzl said:

My template attracts Russia's attention it applies to all porn spam/ Not seen one with "proof of age" on file.

I've seen some with apparent connections to Russia. Thankfully my provider filters them out before they make it to my inbox or junk/spam folder.

[Appleseed]

This is same spam i get almost every day, but this one use google link instead of that russian site.

I dont know what that link does, but it is to google.com

https://www.spamcop.net/sc?id=z6566161130zd34619e4d85c8adc3716c597c9f69569z

[petzl]

5 hours ago, Appleseed said:

This is same spam i get almost every day, but this one use google link instead of that russian site.

I dont know what that link does, but it is to google.com

https://www.spamcop.net/sc?id=z6566161130zd34619e4d85c8adc3716c597c9f69569z

Google seem to of taken link down?

[gnarlymarley]

11 hours ago, petzl said:

Google seem to of taken link down?

The link still forwards.  Apparently, the link is a search where it clicks the "I feel lucky button" and forwards directly to the first returned google search result.

The "I feel lucky" button as being part of the URL:

btnI=bQm4

 

[Appleseed]

On 8/16/2019 at 11:46 PM, gnarlymarley said:

The link still forwards.  Apparently, the link is a search where it clicks the "I feel lucky button" and forwards directly to the first returned google search result.

The "I feel lucky" button as being part of the URL:

btnI=bQm4

 

Thats good to know. The site where link goes, have again the same russian owner.

[Appleseed]

So, is it a problem that Spamcop send reports  to vvsg180@gmail.com, is it legit or not?

[gnarlymarley]

On 8/20/2019 at 1:00 AM, Appleseed said:

is it legit or not?

I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore.  I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), they I am not sure it matters as they already have that information from when they connected to my email server.  I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.

[Appleseed]

On 9/12/2019 at 9:28 PM, gnarlymarley said:

I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore.  I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), they I am not sure it matters as they already have that information from when they connected to my email server.  I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.

Ok, it seems that that guy is the same as OOO-Patent-Media etc. and their company Romanenko Stanislav Sergeevich are hosting those spamsite https://dnslytics.com/bgp/as47981

So vvsg180@gmail.com is their and also hawk@diamondc.ru and stell_hawk@mail.ru

So it is impossible to stop that spam, if SPAMCOP report to them. Just like i was guessing in my first post.  Spamcop report directly to spammer itself.

If someone could find who is host behind of their IP range 92.63.192.0-92.63.192.255, then the report could send directly to that ISP.

Edited October 10, 2019 by Appleseed

[RobiBue]

4 hours ago, Appleseed said:

Ok, it seems that that guy is the same as OOO-Patent-Media etc. and their company Romanenko Stanislav Sergeevich are hosting those spamsite https://dnslytics.com/bgp/as47981

So vvsg180@gmail.com is their and also hawk@diamondc.ru and stell_hawk@mail.ru

So it is impossible to stop that spam, if SPAMCOP report to them. Just like i was guessing in my first post.  Spamcop report directly to spammer itself.

If someone could find who is host behind of their IP range 92.63.192.0-92.63.192.255, then the report could send directly to that ISP.

looks like their IPv4 peer is AS 31343 ( Intertelecom Ltd ) (got it from your dnslytics link )

It seems that Intertelecom is the only peer Romanenko has, so it is likely that he is their customer... maybe they don't know what's going on in their "backyard/neighbourhood" and then again, maybe they do and the money they get is good enough for them...

 

[Appleseed]

On 10/11/2019 at 5:34 AM, RobiBue said:

looks like their IPv4 peer is AS 31343 ( Intertelecom Ltd ) (got it from your dnslytics link )

It seems that Intertelecom is the only peer Romanenko has, so it is likely that he is their customer... maybe they don't know what's going on in their "backyard/neighbourhood" and then again, maybe they do and the money they get is good enough for them...

 

Thanks

BTW. This guy have is specialized to Smoke Loader and have a huge Necurs botnet.

Edited October 20, 2019 by Appleseed

[klappa]

On 9/12/2019 at 8:28 PM, gnarlymarley said:

I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore.  I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), they I am not sure it matters as they already have that information from when they connected to my email server.  I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.

I don't think it's legit. I have myself reported to that e-mail many times and i still get plenty of spam and phishing e-mails that still get's reported to that abuse email and nothing happens. I think it's owned by the spammer himself.

On 10/20/2019 at 3:27 PM, Appleseed said:

Thanks

BTW. This guy have is specialized to Smoke Loader and have a huge Necurs botnet.

Where can you find that information? Is there any other abuse address I can report to? This spammer have spammed me for years. The spammer hacks sites and e-mails and use them in a botnet.

 

 

Edited October 31, 2019 by klappa

[gnarlymarley]

On 10/31/2019 at 1:21 AM, klappa said:

This spammer have spammed me for years.

I have not seen any recent reports of mine for this spammer.  I am not sure if they stopped or just moved on to other addresses for the time.

[Appleseed]

On 10/31/2019 at 9:21 AM, klappa said:

Where can you find that information? Is there any other abuse address I can report to? This spammer have spammed me for years. The spammer hacks sites and e-mails and use them in a botnet.

I did find it from Google when i was looking information of this spammer.

After i started to report him to that IPv4 peer company mentioned above (thanks RobiBue), they did change it to another one. Then i started to report those spams to that one also and now i havet got any spam from that spammer.

That guy own fashion clothes store or modeling place. It could be that he is selling those poor girls irl.

 

 

Now i keep getting new kind of spam what i cant report to Spamcop. Outlook wont allow copy that email source code.

Edited April 28, 2020 by Appleseed

[gnarlymarley]

On 4/27/2020 at 11:50 PM, Appleseed said:

Now i keep getting new kind of spam what i cant report to spamcop. Outlook wont allow copy that email source code.

That is why I prefer imap/ssl when possible because thunderbird always seems to work for me.  Maybe a webmail version of outlook might work for you, if you have one.