Lking Posted August 6, 2013 Share Posted August 6, 2013 I am one of the report everything types. With a new host I am able to open the doors wide and report all the spam send to my domains. In the current cycle of things, my domain seems to be the base for a directory approach to forged FROM: in 1 or 2 spam attacks. One spambot is in the "L" account names the other in the Rs. I of course am getting several hundreds of bounce emails a day like this http://www.spamcop.net/sc?id=z5543026339z9...3b1f331c0f5b13z and they all get reported. The question is, do the .ru ISPs really care? Most reports go to devnull so we know they don't care much. Is there a more efficient way to identify the bozos that don't have a well behaved mail server? Seems a wast to dump the bounce emails on the floor, with all those electrons dieing for no good reason. Link to comment Share on other sites More sharing options...
turetzsr Posted August 6, 2013 Share Posted August 6, 2013 <snip> The question is, do the .ru ISPs really care? Most reports go to devnull so we know they don't care much. <snip> ...We are probably safe in assuming not but I'd not worry unduly about that and just keep on reporting 'em and help keep 'em (or hopefully get them onto, if they're not already) on the SpamCop blacklist! <g> Link to comment Share on other sites More sharing options...
petzl Posted August 7, 2013 Share Posted August 7, 2013 ...We are probably safe in assuming not but I'd not worry unduly about that and just keep on reporting 'em and help keep 'em (or hopefully get them onto, if they're not already) on the SpamCop blacklist! <g> Everything Russian are on my SC email blocklist http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php "Block Russian: This option will block most Russian email (and other email in Cyrillic characters) and send it to your Held Mail, whether or not it is spam. Only select this if you do not receive any legitimate Russian emails." Most are typical cowardly Russian bully mentality. Where you don't matter. The IP 85.113.210.170 has no abuse address and just goes to "digital Hell" Link to comment Share on other sites More sharing options...
Farelf Posted August 7, 2013 Share Posted August 7, 2013 (I see Steve T has responded, and petzl, this is what I was writing anyway). So, you are being spoofed as the sender of a spam from China and the Russian network lazily bounces it back to you and you report it but the advice he shouldn't have, oughtn't have, hadn't have done that never gets back to him because he hasn't an abuse address or is otherwise unsuitable to receive the SC report? And presumably listing in the SCbl isn't a factor when it comes to the source of bounces (I forget - it would probably take a lot of reports even if they have the same weighting as direct spam). And that Chinese file include a suspicious Base64-encoded attachment, probably a .rar digest, even so you're not allowed to do anything about the real source via SC (because it's not "your" spam). Well, we used to have RFC-Ignorant.org which might have warned about no abuse address, sadly now extinguished (http://www.dnsbl.com/2012/09/status-of-rfc...tting-down.html). But lack of reporting address is only part of the story when it comes to SC devnulling reports. Anyway, there's supposedly another service addressing such RFC ignorance matters (inheriting and verifying the RFC-Ignorant.org databases and maintaining them), rfc-clueless.org (see http://rfcignorant.org/). Unfortunately, at the moment, with the subject domain ksu.edu.ru, I'm seeing different results for the webpage lookup and the DNS lookup. Perhaps it is explained in the FAQ there, if you wanted to investigate. Yes, they seem to do things differently in eastern Europe - spam (just about) seems to be accepted as just another advertising medium. Link to comment Share on other sites More sharing options...
petzl Posted August 7, 2013 Share Posted August 7, 2013 Yes, they seem to do things differently in eastern Europe - spam (just about) seems to be accepted as just another advertising medium. RFC-Ignorant.org became "political" or biased which make it useless JT when he was around stated he could just not answer Russian or "Cyrillic characters" tried using just that as my blacklist and it is very effective so sounds like a good way to clean the internet. China seems to of evolved into addressing complaints although you get the odd one. Dream host are clowns they host Child porn (Under 18 or made to look under 18) refuse SpamCop reports so advised them via their web page. Not the brightest crayons in the world. I just replied "What you do or don't is fine by me" I of course unknown to them also reported the issue to the USA Feds who are hot on issues like this! http://www.missingkids.com/CybertipLine "In partnership with the FBI, Immigration and Customs Enforcement, U.S. Postal Inspection Service, U.S. Secret Service, military criminal investigative organizations, U.S. Department of Justice, Internet Crimes Against Children Task Force program, as well as other state and local law enforcement agencies." In Australia the Police advertise all Child Porn Raids the Computers servers etc are taken and those under suspicion have their photos on local paper (not a good idea to not take it serious) Link to comment Share on other sites More sharing options...
Lking Posted August 7, 2013 Author Share Posted August 7, 2013 petzl thanks for the missingkids link. Although it has been awhile sense I spotted spam of that type, that is a good link to have. Except for the flood of misdirected bounce I've been getting mostly pump-'n-dump stock stuff, with spikes of "replacement windows" party drugs, and links to hacker sites. Have not seen any Rx spam sense the sting in July. Anyway thanks for the moral support. Yesterday was an unusually heavy day, 2K+ bounces, without actually counting. Even quick reporting 20 at a time, takes a while on a VSAT link. Link to comment Share on other sites More sharing options...
Farelf Posted August 7, 2013 Share Posted August 7, 2013 So, this bounce business with your domain(s) has been going on concurrently with a "perfect storm" of NDRs hitting CESmail/spamcop e-mail accounts1. and perhaps (just maybe) some rogue/compromised accounts in those domains in the mix as well (that question currently under investigation by both reporting and e-mail sides of SpamCop2.). 1. http://forum.spamcop.net/forums/index.php?...ost&p=85352 http://forum.spamcop.net/forums/index.php?...amp;#entry85354 2. http://forum.spamcop.net/forums/index.php?...c=13418&hl= Joining the dots and recalling your original question ("do the .ru ISPs really care?") either the sods are complicit in this "bounce attack" business (and presumably not just the .ru TLDs) or someone is relying on their archaic and incorrect bounce process to deal out hurt to select domains. Either way, good cause for those that can to report them if it is going to feed to SCbl or at least put a little more load back their way and leave them trying to figure out what is significant and what might be not. Spare a thought for CESmail, dealing with many hundreds of thousands compared to your thousands ... Or it's all just the by-product of a MONUMENTAL increase in botnet spam, not exactly sticking out in http://www.senderbase.org/static/spam#tab=1 yet but if increases are (also) being focussed that would make +46% in the past few days quite epic). (Is it just me or are others bewildered by the plethora of new "update" topics in the SpamCop Email System & Accounts section? Initiated by Staff, even so the urge to merge grows minute by minute ...) Link to comment Share on other sites More sharing options...
turetzsr Posted August 7, 2013 Share Posted August 7, 2013 <snip> (Is it just me or are others bewildered by the plethora of new "update" topics in the SpamCop Email System & Accounts section? Initiated by Staff, even so the urge to merge grows minute by minute ...) ...It's not just you! I had the same urge but suppressed it, remembering earlier admonitions to not touch SpamCop admin posts. Link to comment Share on other sites More sharing options...
Lking Posted August 9, 2013 Author Share Posted August 9, 2013 Interesting links Farelf. Being I do not use CESmail/spamcop mail/accounts I wonder how/why I got sucked into the deluge. I does seem to have tapered off, at this point. Link to comment Share on other sites More sharing options...
Farelf Posted August 9, 2013 Share Posted August 9, 2013 Interesting links Farelf. Being I do not use CESmail/spamcop mail/accounts I wonder how/why I got sucked into the deluge. ...I guess it shows SC was not the only target - though there is little/no commentary from the internet generally. Or you might have upset someone with access to a handy botnet. Hard not to be paranoid at times. As we speak, GorillaServers in scenic Los Angeles has been pinging my modem non-stop every three seconds for the past 3 hours. I may return the favour if they keep it up. Or I might have a cup of tea, a Bex powder and a good lie down. Link to comment Share on other sites More sharing options...
Lking Posted August 9, 2013 Author Share Posted August 9, 2013 " Or you might have upset someone with access to a handy botnet. " A personality trait Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.