Jump to content

Multiple spam Emails Everyday From Cortez Data Services


Stomp

Recommended Posts

I am constantly receiveing multiple spam from an advertising service named Cortez Data Services PO BOX 515381 ECM# 16095 Los Angeles, CA 90051 , they are sending me many emails everyday from a different email adress with each one advertising a different service.

I have tried the unsubscibe option many times but obviously the agency named Cortez Data Services has no intentions to honor my request. Whats the purpose of continuing to send me emails other than to annoy and harass me when I am simply not interested and furthermore I live in a country outside of the USA where none of their services are avaliable to me. I have asked the company to stop over and over again via emails and the unsubscribe option without any sucess. Im frustrated and annoyed, furthermore there is no way to track or trace the company Cortez Data Services. I can not find any information about them on the web, I would very much appreciate any help....

Theres two unsubscribe options in every email they send me, one is for the company their advertising and the other one is from Cortez Data Services, the various services they advertise are weight loss, diet pills, credit report, reunion, which have their own unsubscribe option but then additionally every email also finishes off at the bottom by saying........

This advertisemnt was brought to you by Cortez Data Services

If you no longer wish to receive future updates from us click our

Instant Removal Link Here

or Write

Cortez Data Services

PO BOX 515381 ECM# 16095

Los Angeles, CA 90051

I have checked the message source and found every email originating from the same ip range from...

128.168.142.105

128.168.242.157

128.168.240.139

128.168.240.142

128.168.250.233

Ive checked who is and found its come up with various names like Gold Hill Computers, Sunny View Media and Struthers Media Group, I dont know who their isp is, I have wrote to one of the "abuse[at]." in the whois results but theres been no change, I dont know what to do please help, Thanks

Link to comment
Share on other sites

Theres two unsubscribe options in every email they send me, one is for the company their advertising and the other one is from Cortez Data Services, the various services they advertise are weight loss, diet pills, credit report, reunion, which have their own unsubscribe option but then additionally every email also finishes off at the bottom by saying........

I've had some success with spam such as this. You're right, trying to un-subscribe will do no good at all. Where does SpamCop want to send reports? In my experience SpamCop has wanted to send all reports to the abuse address of a web hosting company. I've sent copies to their support, sales and webmaster addresses with an explanation as to why I was doing that. I also followed up with emails directly to these addresses attaching a copy of the spam and adding a comment about how frequent the spam is. When that has failed I have sent a copy of the spam to the domain registrar. That's what has worked for me and I've seen at least one website become unreachable but as soon as I've stepped up the level of reports the spam has only lasted a few days. Of course, I soon started to get the same type of spam from a different source as no doubt the spammer moved on to a different spam campaign with a fresh list of email addresses and new domains to send spam from. :angry: I'll probably never rid myself of this type of spam completely but at least I'm getting some satisfaction by causing them some inconvenience as I believe I am getting some positive results even though the success is short lived. I don't know this for sure but I think I've seen one spammer move from one web host to another after sending reports in the way I have described.

The latest spam of this kind that I'm getting is being sent by nexusmaneuver.com who according to their website are "dedicated to developing creative and impactful marketing solutions that drive strong business results". In other words they send lots of spam!

Link to comment
Share on other sites

When that has failed I have sent a copy of the spam to the domain registrar. That's what has worked for me

How do I find their domain registrar ? When I type in their ip adress into http://www.who.is several different names come up and im not sure which one is the isp, which one is the domain and which is the company sending me the emails, can you please help me with this.

Also I got the ip adress directly from the message source so I dont know if its displaying the true ip of the sender or wether they are somehow routing it, but because all the emails from them have the same ip range I assumed it was genuine.

also if it helps here is one example from the emails message source...

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MjtTQ0w9NA==

X-Message-Status: n:0

X-SID-PRA: FICOScore <importantupdate[at]grovellingresist.net>

X-Message-Info: 6sSXyD95QpVI6eC3326eKkw+pwif6waPdPemh+LKB1NizmcrD7KD6FPnyT/mZQEl6XyCsme938VSRnzAAgbcZccSVyxT1q7UIY1iw/I32e+dqVSP1j+pPw==

Received: from ovrexusoe157.converseexcursion.net ([128.168.242.157]) by bay0-mc11-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);

Fri, 21 Nov 2008 09:20:29 -0800

Received: from diego2 (127.0.0.1) by ovrexusoe157.converseexcursion.net (PowerMTA v3.5r7) id h4rn180mnfge for <alphatek[at]hotmail.com>; Fri, 21 Nov 2008 09:11:29 -0800 (envelope-from <importantupdate[at]grovellingresist.net>)

From: "FICOScore" <importantupdate[at]grovellingresist.net>

To: alphatek[at]hotmail.com

Subject: Check the important updates on your FICO Credit Report

X-UID: zokszgvp

MIME-Version: 1.0

Content-Type: text/html; charset=iso-8859-1

Content-Transfer-Encoding: 8bit

Return-Path: importantupdate[at]grovellingresist.net

Message-ID: <BAY0-MC11-F6YnsDFZ90008d8da[at]bay0-mc11-f6.bay0.hotmail.com>

X-OriginalArrivalTime: 21 Nov 2008 17:20:29.0697 (UTC) FILETIME=[73B74710:01C94BFD]

Date: 21 Nov 2008 09:20:29 -0800

Link to comment
Share on other sites

grovellingresist.net and converseexcursion.net are both registered to GO DATA 180 and that may be the name of the company behind the emails. The registrar is Moniker so I would try sending complaints to abuse[at]moniker.com. I can't quite work out the relevance of Gold Hill Computers and Struthers Media as Data102 also come into this. They may have seperate hosts for web and mail of course.

Hope that helps a little.

Link to comment
Share on other sites

How do I find their domain registrar ? When I type in their ip adress into http://www.who.is several different names come up and im not sure which one is the isp, which one is the domain and which is the company sending me the emails, can you please help me with this.

Looking at the header you posted, I see that the source appears to be 128.168.242.157.

What provider is responsible for this address? (Hint: put a "+" in front of the address to force ARIN to give you a full report)

rconner$ whois +128.168.242.157

OrgName:	Gold Hill Computers
OrgID:	  GHC-4
Address:	2175 Cloverdale Drive
City:	   Colorado Springs
StateProv:  CO
PostalCode: 80920
Country:	US

NetRange:   128.168.0.0 - 128.168.255.255
CIDR:	   128.168.0.0/16
NetName:	DATA102
NetHandle:  NET-128-168-0-0-1
Parent:	 NET-128-0-0-0-0
NetType:	Direct Allocation
NameServer: NS1.DATA102.COM
NameServer: NS2.DATA102.COM
Comment:
RegDate:	1986-10-02
Updated:	2007-03-05

OrgAbuseHandle: DAT13-ARIN
OrgAbuseName:   Data102 Abuse Team
OrgAbusePhone:  +1-719-578-8842
OrgAbuseEmail:  abuse[at]data102.com

OrgNOCHandle: DNO44-ARIN
OrgNOCName:   Data102 Network Ops
OrgNOCPhone:  +1-719-578-8842
OrgNOCEmail:  netops[at]data102.com

OrgTechHandle: RKO33-ARIN
OrgTechName:   Kohutek, Randal
OrgTechPhone:  +1-719-578-8842
OrgTechEmail:  randal[at]data102.com

OrgName:	Struthers Media Group
OrgID:	  STRUT
Address:	525 North Tryon St #1600
City:	   Charlette
StateProv:  NC
PostalCode: 28202
Country:	US

NetRange:   128.168.240.0 - 128.168.255.255
CIDR:	   128.168.240.0/20
OriginAS:   AS20445
NetName:	GLD01-128-168-240-0
NetHandle:  NET-128-168-240-0-1
Parent:	 NET-128-168-0-0-1
NetType:	Reallocated
Comment:
RegDate:	2008-10-28
Updated:	2008-10-28

RTechHandle: GLDNE-ARIN
RTechName:   GLD NetAdmin
RTechPhone:  +1-303-803-1893
RTechEmail:  admin[at]grandlakedata.net

OrgTechHandle: SMN6-ARIN
OrgTechName:   Struthers Media NOC
OrgTechPhone:  +1-866-966-9968
OrgTechEmail:  admin[at]struthersmediagroup.com

# ARIN WHOIS database, last updated 2008-11-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

This gives you an abuse contact (and other information) for the address.

Who is operating this host?

rconner$ host 128.168.242.157
157.242.168.128.in-addr.arpa domain name pointer ovrexusoe157.converseexcursion.net.

Since the address and this name (ovrexusoe157.converseexcursion.net) both appear in the header you posted, we can presume that converseexcursion.net is responsible for sending the spam.

Who has registered the domain converseexcursion.net?

rconner$ whois converseexcursion.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: CONVERSEEXCURSION.NET
   Registrar: MONIKER ONLINE SERVICES, INC.
   Whois Server: whois.moniker.com
   Referral URL: http://www.moniker.com/whois.html
   Name Server: NS1.STRUTHERSMEDIA-DNS.COM
   Name Server: NS2.STRUTHERSMEDIA-DNS.COM
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 18-nov-2008
   Creation Date: 09-jul-2008
   Expiration Date: 09-jul-2009

I have not reproduced the whole WHOIS printout here (you can do this yourself at http://www.geektools.com/whois.php, but we see that moniker.com is the registrar. I cannot find any obvious means to report abuse to moniker.com (which is sadly typical for many registrars), but you might find something useful here: http://www.moniker.com/contactus.jsp. I would not bother contacting the actual registrant, since the registrant info is likely to be fake (or if it is not, it belongs to a spammer who will not respond usefully).

You can go a step or two further. I imagine that the spam you get mentions websites where you are supposed to go in order to place orders, etc., You can also trace the IP addresses of these sites, and even their domain registrations. For example, if the spam mentions a website "xyz.captaincrunch.foo" you can look up the IP address of this host and complain to the provider of this address; you can also look up the domain registration info for the domain ("captaincrunch.foo") and complain to the registrar (which may be someone other than moniker.com).

Lastly, I'd encourage you to report these spams through SpamCop if you are not already doing so. This will not stop the spams from coming (at least not right away), but if you and enough other people report this spam often enough, the source addresses will be added to the SpamCop blocking list, which will limit the deliveries from this address to the many, many providers that use the SCBL. This will eventually get the attention of Gold Hill and force them to take action.

Hope this is helpful,

-- rick

Link to comment
Share on other sites

From: "Wazoo"

To: "SpamCop Deputies"

Subject: existing override for converseexcursion.net (128.168.242.157)

Date: Sat, 22 Nov 2008 01:10:34 -0600

Forum discussion at http://forum.spamcop.net/forums/index.php?showtopic=9910 although this probably isn't critical .. the poster does not appear to be using SpamCop. However, while researching some of the issues raised, I've got questions about the existing data seen in the parsing look-ups.

http://www.spamcop.net/sc?action=showroute...typecodes=21,16

Reports routes for 128.168.242.157:

routeid:38438244 128.168.0.0 - 128.168.255.255

to:abuse[at]twtelecom.net

Administrator interested in all reports

Friday, April 18, 2008 7:09:44 AM -0500

[Note added by 74.160.64.12 (adsl-160-64-12.asm.bellsouth.net)]

BGP routing table entry for 128.168.0.0/16, version 1153776

Paths: (37 available, best #29, table Default-IP-Routing-Table)

Not advertised to any peer

6939 4323 33302

216.218.252.164 from 216.218.252.164 (216.218.252.164)

Origin IGP, localpref 100, valid, external

2914 3356 33302

129.250.0.11 from 129.250.0.11 (129.250.0.51)

Origin IGP, metric 4, localpref 100, valid, external

Community: 2914:420 2914:2000 2914:3000 65504:3356

http://www.spamcop.net/sc?track=converseexcursion.net

Parsing input: converseexcursion.net

Routing details for 128.168.128.2

Report routing for 128.168.128.2: abuse[at]twtelecom.net

http://www.spamcop.net/sc?action=showroute...typecodes=21,16

Reports routes for 128.168.128.2:

routeid:38438244 128.168.0.0 - 128.168.255.255

to:abuse[at]twtelecom.net

Administrator interested in all reports

Friday, April 18, 2008 7:09:44 AM -0500

[Note added by 74.160.64.12 (adsl-160-64-12.asm.bellsouth.net)]

BGP routing table entry for 128.168.0.0/16, version 1153776

Paths: (37 available, best #29, table Default-IP-Routing-Table)

Not advertised to any peer

6939 4323 33302

216.218.252.164 from 216.218.252.164 (216.218.252.164)

Origin IGP, localpref 100, valid, external

2914 3356 33302

129.250.0.11 from 129.250.0.11 (129.250.0.51)

Origin IGP, metric 4, localpref 100, valid, external

Community: 2914:420 2914:2000 2914:3000 65504:3356

However, I'm not sure that this BGP is still the 'best' place???

11/22/08 00:51:48 IP block 128.168.242.157

Trying 128.168.242.157 at ARIN

Trying 128.168.242 at ARIN

Gold Hill Computers DATA102 (NET-128-168-0-0-1)

128.168.0.0 - 128.168.255.255

Struthers Media Group GLD01-128-168-240-0 (NET-128-168-240-0-1)

128.168.240.0 - 128.168.255.255

Trace 128.168.242.157 ...

10.0.72.1 RTT: 8ms TTL:170 (No rDNS)

12.215.9.225 RTT: 11ms TTL:170 (12-215-9-225.client.mchsi.com ok)

12.215.4.18 RTT: 21ms TTL:170 (12-215-4-18.client.mchsi.com ok)

12.122.99.34 RTT: 18ms TTL:170 (tbr1.cgcil.ip.att.net fraudulent rDNS)

12.122.87.245 RTT: 31ms TTL:170 (ggr6.cgcil.ip.att.net probable bogus rDNS: No DNS)

192.205.35.78 RTT: 34ms TTL:170 (No rDNS)

129.250.2.249 RTT: 25ms TTL:170 (xe-0-1-0.r20.chcgil09.us.bb.gin.ntt.net ok)

129.250.5.28 RTT: 62ms TTL:170 (p64-2-1-0.r20.sttlwa01.us.bb.gin.ntt.net ok)

129.250.4.158 RTT: 81ms TTL:170 (po-2.r01.sttlwa01.us.bb.gin.ntt.net ok)

209.168.94.242 RTT: 65ms TTL:170 (xe-3-3.r01.sttlwa01.us.ce.gin.ntt.net ok)

63.251.160.86 RTT: 71ms TTL:170 (border2.t8-1-bbnet2.sef003.pnap.net probable bogus rDNS: No DNS)

64.94.137.194 RTT: 92ms TTL:170 (fshnetworks-1.border2.sef003.pnap.net ok)

72.5.222.10 RTT: 79ms TTL:170 (No rDNS)

* * * failed

* * * failed

11/22/08 00:56:02 IP block 72.5.222.10

Trying 72.5.222.10 at ARIN

Trying 72.5.222 at ARIN

Internap Network Services Corporation PNAP-09-2004 (NET-72-5-0-0-1)

72.5.0.0 - 72.5.255.255

FSH Network Services INC INAP-SEF-FSHNETWORKS-22249 (NET-72-5-222-0-1)

72.5.222.0 - 72.5.222.255

I don't see twtelecom.net as anywhere obvious in this short analysis for either the IP Address or the Domain involved.

Link to comment
Share on other sites

.... they all appear to be from the same ip range the domain names are different on each one, how is that possible when all the ip adresses are from the same range?
The person sending the spam can 'forge' anything in the 'domain name', however, the receiving server identifies the IP address that the email is coming from. Spammers generally rotate among different email servers (I am not technically fluent, but I think they are called 'name servers' if they are sending email.) Most server admins now reject any mail that is not from an email server because so much spam is sent through infected computers. They know which computers are supposed to be sending email and which ones aren't.

What the spamcop parser does is to look at all the header lines and accepts those that the parser can figure out are 'real' headers. There may be numerous header lines that are placed there by the spammer. I can read a simple header, but most discussions about why the parser chooses a particular header line as the last 'true' header are way over my head.

In your initial post, you mentioned unsubscribing. The FTC says that a large majority of unsubscribes are fake and only mark your email address as a 'live one' The best rule to follow is to never unsubscribe from an email that you haven't subscribed to. Even emails I get legitimate companies who, for some reason, start sending me email (usually some dumbo in the marketing department insisted), I will not unsubscribe, but email someone else on their contact page and tell them that I never unsubscribe to any email I haven't subscribed to.

And, even though you are learning a lot - which, IMHO, makes you a better consumer of email service - you cannot stop a spammer until those who are giving him connectivity wake up and realize that consumers are on to their culpability in furthering the spam problem. Basically, one is either part of the problem because of greed or ignorance or part of the solution in demanding that their internet service providers are responsible netizens. Blocklists are the only responsible way to handle spam, IMHO.

Miss Betsy

Link to comment
Share on other sites

I was looking at all the other message source details from Cortez and I found that the domain name "converseexcursion.net" only appears on one of the emails, although they all appear to be from the same ip range the domain names are different on each one, how is that possible when all the ip adresses are from the same range? I'll show yous what I mean by posting the message source for 4 of the emails from Cortez....
Fiirst of all, before we go too far down this road, folks on this forum usually prefer that we post spam mails or headers in the form of SpamCop tracking links. THis requires that you submit the mail to SpamCop. You do not have to complete the reports, but you do have to get a tracking URL and then post the tracking URL here instead of the actual spam. This reduces the volume of the post but more importantly ensures that we are looking at an accurate and valid copy of the message. See http://forum.spamcop.net/scwik/TrackingURL. If you aren't currently a SpamCop member, you would have to register in order to do this.

As to your question, it is entirely possible that multiple hosts in multiple domains can have the same IP address. It is also possible for a single host name to resolve to multiple IP addresses. DNS is not a "one-to-one" situation. You should follow the process I gave above to work through each case.

-- rick

on edit: changed reference link for Tracking URL

Link to comment
Share on other sites

rconner, I'd like to post spam mails or headers in the form of SpamCop tracking links and submit the mail to SpamCop but Im a total noob at this and im not sure how to do all that, I followed the link you gave me and it has to many options in it, sorry but Im lost witha ll this :(

Link to comment
Share on other sites

rconner, I'd like to post spam mails or headers in the form of SpamCop tracking links and submit the mail to SpamCop but Im a total noob at this and im not sure how to do all that, I followed the link you gave me and it has to many options in it, sorry but Im lost witha ll this :(

I wish there were a Royal Road to Geometry here, but there is not. You simply need to work through the process. You seem to have the basic skill set for it. Here are some steps to follow.

  1. Register to use SpamCop (for free) if you are not already a member: http://www.spamcop.net/anonsignup.shtml
  2. Get the original, full, and unmodified SMTP packet of the spam mail you received. Follow these instructions if you need them: http://www.spamcop.net/fom-serve/cache/19.html
  3. Log in to the SpamCop website using your registration name and password.
  4. Paste the spam packet into the web form.
  5. Press the "Process spam" button and wait for the parser to analyze the message.
  6. On the results page, near the top, you will see "Here is your TRACKING URL..." this is the link you want to save and paste to the forums here.
  7. If you want to report the spam, click the "Send spam Report(s) Now" button, otherwise you can cancel them via the "Cancel" button. The tracking link is retained for your use even if you cancel the reports.

Can't make it much simpler or more linear than that.

-- rick

Link to comment
Share on other sites

Actually, it is rather simple:

In your firewall or router, block the offending ISP(s) and/or domain(s).

I use this for my company's entire server (globally blocking all offshore--from the US--IP addresses and individually blocking domestic IP addresses and domains), thus reducing our spam load by 95 percent and more.

Link to comment
Share on other sites

Actually, it is rather simple:

In your firewall or router, block the offending ISP(s) and/or domain(s).

Yes, that would work if you run your own mail host and it is behind the firewall with you. You could also set up hosts.deny filters or probably even Sendmail rules to the same effect. Most of us end-users don't have the ability to take advantage of it, however, since we get all our mail from an MDA run by our providers, and we don't receive mail directly via outside SMTP connections.

-- rick

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...