Hanco

October 2019 - A month different to others?


Has this happened before?

Look at that green “spam submitted” line in the screenshot I attached. Normally spam submitted leads to a higher volume of reports.

October though? We see a significant amount of spam reported with reports not sent.

If my experience is anything to go by, there was a major increase from one group of spammers (phishing activity actually, but not the overt fake Apple sites, Amazon, Walmart, Netflix etc login pages)

And it was mostly email coming from Amazon IP addresses, which I always see SpamCop track but not send reports. Instead, I send the reports directly myself.

But is that what this month’s driver was? The group behind these daily deals of loan offers, warranty offers, cures for bizarre conditions etc.? They seemed to be quiet, then boom, daily 12-25 emails. Mostly sites with domain names from Namecheap (they said to someone in response to a domain abuse report, that they have a “huge volume” of support requests at the moment)

It seems like volume is down now (or the jerks behind the flow do not work weekends) and Amazon are “caught up” on the backlog of reports. Maybe the green line will go back below the blue...

[Attached screenshot: 380D0FE1-610F-41B4-B62B-9E95F94BDFDC.jpeg]


I don't know, but as of late, I submit spams (to seekrit.email@spamcop.com) but only occasionally am able to submit the spam. The others are lost in limbo...

maybe that has to do with the green spikes?


Such a high level of reports to a spammer's ISP might generate a high level of bounces. We know that spamcop won't keep sending reports that are bound to bounce (and only waste more email bandwidth). Maybe that's the reason for a high submitted:sent ratio?


It’s even more pronounced now. From 29 Sept through about 10 days, then back to normal. It aligns with a huge spike of email abuse I saw from AWS and other Amazon IPs.


I did notice on the source of spam page lately there are a lot of "ISP has indicated spam will cease" from IP ranges such as 89.34.26.0/24 and 195.29.0.0/16 where it appears that they are just marking the option to prevent reports from being submitted. (It seems to be more than one IP in their range.) It appears they have been doing this for more than 48 hours and marking this maybe every six hours, as the time after the message seems to jump up by around six hours. Could this be part of why the spikes have changed?
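The pattern described in this post (several IPs in one range re-setting the "spam will cease" status at a roughly fixed interval) is something a defender can check for mechanically. The script below is an added example, not SpamCop's code and not part of this thread; it assumes a constructed one-line-per-entry log format of `<ISO timestamp> <ip> <status text>`, groups "will cease" entries by /24, and flags ranges where multiple distinct hosts keep re-marking at a steady cadence.

```python
"""
Added example (not SpamCop's code): flag IP ranges in which several distinct
hosts repeatedly set the "ISP has indicated spam will cease" status at a
near-constant interval, which suggests the option is being used to suppress
reports rather than to fix the problem.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

WILL_CEASE = "ISP has indicated spam will cease"

# Constructed sample log, not real SpamCop output.
# Format assumed for this example: "<ISO timestamp> <ip> <status text>"
SAMPLE_LOG = """\
2019-10-05T00:10:00 89.34.26.14 ISP has indicated spam will cease
2019-10-05T06:12:00 89.34.26.14 ISP has indicated spam will cease
2019-10-05T12:09:00 89.34.26.77 ISP has indicated spam will cease
2019-10-05T18:11:00 89.34.26.77 ISP has indicated spam will cease
2019-10-06T00:08:00 89.34.26.140 ISP has indicated spam will cease
2019-10-05T03:00:00 203.0.113.9 ISP has indicated spam will cease
2019-10-05T09:30:00 198.51.100.7 reports sent
"""


def parse_entries(text):
    """Parse log lines into (timestamp, ip_address, status) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, ip, status = parts
        entries.append((datetime.fromisoformat(ts),
                        ipaddress.ip_address(ip), status))
    return entries


def find_repeat_markers(entries, prefixlen=24, min_ips=2,
                        min_marks=3, max_gap_hours=8.0):
    """
    Group "will cease" marks by network and return the networks where at
    least `min_ips` distinct hosts produced at least `min_marks` marks with
    no gap between consecutive marks longer than `max_gap_hours`.
    """
    groups = defaultdict(list)
    for ts, ip, status in entries:
        if status == WILL_CEASE:
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            groups[net].append((ts, ip))

    flagged = {}
    for net, marks in groups.items():
        marks.sort()  # chronological order
        distinct_ips = {ip for _, ip in marks}
        if len(distinct_ips) < min_ips or len(marks) < min_marks:
            continue
        gaps = [(later[0] - earlier[0]).total_seconds() / 3600
                for earlier, later in zip(marks, marks[1:])]
        if max(gaps) <= max_gap_hours:
            flagged[str(net)] = {
                "distinct_ips": len(distinct_ips),
                "marks": len(marks),
                "median_gap_hours": round(sorted(gaps)[len(gaps) // 2], 2),
            }
    return flagged


if __name__ == "__main__":
    for net, info in find_repeat_markers(parse_entries(SAMPLE_LOG)).items():
        print(net, info)
```

With the constructed sample, only 89.34.26.0/24 is flagged: three hosts, five marks, roughly six hours apart. The single 203.0.113.9 mark and the "reports sent" line are ignored, so a range that marks the option once is not treated as suspicious.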

Seems like my email abuser has switched to using now-dns.com

Reports are sent by SpamCop to the host of the subdomains, but that is VPSVILLE.RU which doesn’t seem bothered to act with any level of pace.

That’s one source. The other..

Much of the email volume is repetitive and has links to a Google Storage API location... there I can view XML showing all the subject lines and outline content they generate. And ALL of them redirect to “hwManyMore.com” (how many more? Well, at least the jerk has a sense of humour, I suppose?)


A lot of the spams that I reported that were originating from the AmazonAWS servers were never sent to any address at Amazon but instead used addresses like  abuse#amazonaws.com@devnull.spamcop.net 

I also filed every spam complaint directly on the AmazonAWS reporting page, even when I was getting 50+ a day from this spammer.  Amazon took it a little more serious when the spammer started forging their name and logos in the fake Amazon Gift Card spam attack.  I got some virus spams from the spammer after getting that one shut down.  They always seem to point back to a common registrar.

4 hours ago, goodnerd said:

A lot of the spams that I reported that were originating from the AmazonAWS servers were never sent to any address at Amazon but instead used addresses like  abuse#amazonaws.com@devnull.spamcop.net 

I also filed every spam complaint directly on the AmazonAWS reporting page, even when I was getting 50+ a day from this spammer.  Amazon took it a little more serious when the spammer started forging their name and logos in the fake Amazon Gift Card spam attack.  I got some virus spams from the spammer after getting that one shut down.  They always seem to point back to a common registrar.


Always helps with a SpamCop Track
https://www.spamcop.net/sc?id=z6594340561z125f42ee61982fdb92980529b765f19bz
I always put in an abuse report; this has been going on for many, many months.
Banned all Amazon and subsidiaries purchases because of inept AWS abuse responses to AmazonAWS DDoS multiple IP email attacks 
Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS 

52.45.175.153   abuse[AT]amazonaws.com

spam text headers and body


I didn't bother posting any tracking links because I was not sure others could see historical data from reports I filed.

The party that utilizes AmazonAWS, numerous exposed Twitter accounts, Bit.ly and imgur image hostings now seems to be shrinking back to smaller country servers like vspnet.lt, home.pl, arax.md, and occasionally krypt.com. 

I've been dealing with this little man for quite a while now.  That spammer even set up a fake Twitter account under my Gmail email address and occasionally sends me direct virus spams but yet he still can't stop spamming me.  Go figure.  I guess it's like the old Robert Soloway case where the man thought he was untouchable and above the law.


Their account at digitalocean.com was terminated on 11/22 (outlandisher.pw):

Quote

Hi there,

Thanks for making this report.  We identified and terminated the user responsible for this incident.

Regards,

Security Operations
Digital Ocean Security

1 hour ago, goodnerd said:

Their account at digitalocean.com was terminated on 11/22 (outlandisher.pw):

They can get millions of different email accounts here
https://sendgrid.com/marketing/sendgrid-services-cro/
Try it out! Send 40,000 emails for 30 days, then 100/day forever.
Sign up for free. No credit card required.


Pleased to see “hwManyMore.com” was shut down. That one went on too long. There are so many domains in this racket though, smh.
