Everything posted by knightshade

  1. Many moons ago, one of the forum admins was kind enough to tell me about the section on the Spamcop Reporting Preferences page, that allows you to add additional recipients to spam reports beyond those automatically determined by the Spamcop parser - this can be useful to go after registrars & when the payload URL is hidden behind redirects. As per the topic title, can anyone describe the differences between Personal copies of outgoing reports & Public standard report recipients options? Is the same info sent for each, or are they different? Additionally, is there any way to retrieve any additional user-added notes from the Spamcop system, after the report has been submitted? Clicking on the individual report number links under Past Reports, only shows the spam message, but doesn't include any user-entered notes (although I was able to verify that these do get added to reports, by adding my own email to the Personal Copies field).
  2. Apologies for old thread resurrection, but I'd also really like a feature along these lines to be added - having a list of known devnull email abuse report addresses comes in very useful when you report to additional addresses (like registrars, or additional hosts where a spam contains multiple payload URLs (spamcop will only report to the first found), or where the real payload URL is hidden behind redirects). It's slightly irritating to craft a targeted spam report, only to find the reporting address(es) get devnulled only after you hit submit - if you knew beforehand, you could skip the hopeless address targets/find alternative reporting addresses. I've taken to making my own list of known devnull addresses, but it's painful to maintain & cannot account for addresses that were only temporarily devnulled (or is it a permanent thing?). Whilst I have the begging bowl out, it'd also be nice to extend the undocumented 100 character limit on additional report copy addresses a little - when a spammer is using multiple payload URLs/multiple hosts with short TTL times, you can fill the current limit fairly quickly.
  3. Useful to know - thanks. Gotcha. Actually, I think I may have played with that in the past.
  4. Thanks! I did not realize that addresses added to this field would then be offered as optional (defaulted off) copy-to forwards - I thought they'd just automatically be always forwarded, or that I'd have to keep clicking them off when not required. This option effectively achieves the goal, though (note for interested parties reading in the future) it requires a comma separated email address list, not a space separated one. It shows up on the cut'n'paste reporting form, but not on the form you get when you click on 'Use links to finish spam reporting' in the email from SC. I always use the link in the SC emails, so I've never messed with 'Show Technical Details' - what exactly does this provide? (Just sating my curiosity now - turetzr's suggestion does what was required.)
  5. Is there a way to add a recipient to individual spam reports? I already use the report handling functions to automatically forward a copy of every spam to knujon, but not every spam I get is connected to amazonaws - it would be nice if specific email addresses could be included for individual spam reports (and even better if SC could offer a drop-down menu of previously selected addresses). Does SC have a suggestion box?
  6. I was going by Don's comment in this thread, which indicated it was Amazon's choice: http://forum.spamcop.net/forums/topic/14731-ec2-abuse-amazoncomatdevnullspamcopnet-email-abuse-amazoncomatdevnullspamcopnet/#entry91712 But forwarding to the spammer remains a good reason. Well, part of the reason for posting that detail was as a possible suggestion aimed at any SC admin that may come across the thread. I already do much outside of SC - it's only 1 tool in the arsenal... However, reporting within SC is still preferable, because doing so eliminates both a manual forward & any need to repeat the obscuring of trackable stuff like email addresses, which SC already does a reasonable job of.
  7. I'm seeing that one of my pet spammers has adopted using a redirect via an amazonaws web page, presumably because it adds another level of obfuscation to hide/protect their target URL (https & the URL in the spam uses POST to pass a name & id string if the recipient is unwise enough to click through)... This raised a couple of questions/observations: Currently, SC reports to ec2-abuse#amazon.com[at]devnull.spamcop.net (apparently devnulls at amazon's request) & email-abuse[at]amazon.com. Looking at amazon's own reporting page at portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse , this references abuse[at]amazonaws.com - I'm wondering if the latter email address is equivalent to email-abuse[at]amazon.com, or ought to be used instead of/as well as? The reporting form on that same page indicates that, if used, amazon forward the complaint details to the EC2 customer (aka the spammer), which ain't such a good idea - *sighs*... Is there a way to safely follow the redirect (in order to try to manually report the destination URL)? The usual techniques (urlquery etc) don't work as that target URL is protected by whatever scripting sits behind the amazonaws URL in the spam... Here's the SC tracking URL for any folks so inclined to have a poke around: spamcop.net/sc?id=z6139877106z19ab51f56290487899361dbdef5efc87z
  8. Whilst I have had my issues with them, yeah, I'd have to say that I've found them to be reputable. BTW, check your PMs - I sent you a couple of possible things to try.
  9. I understand your point - there's plenty of places I won't submit direct complaints to because they appear too dodgy - that's where spamcop fits in - however, IMHO and going by my own experiences, namecheap doesn't fit in that category.
  10. If you've got a yahoo mail account, you can set up 'disposable' email addresses that can be handy for such situations - I've used one of these to make complaints directly to namecheap/enom & (so far) it's never been targeted for any additional abuse. The moment it does ever get targeted, I can blow it away & move on to a fresh disposable address.
  11. Interesting... the 2 subdomain URLs in those spams are both hosted at a namecheap IP, but the domain itself is hosted at softlayer. The registrar for the domain also appears to be namecheap (acting as a reseller for enom), according to enom.com/whois/default.aspx - it may be worth making a spam complaint outside of spamcop to the abuse emails for both enom & namecheap, noting in it that namecheap is acting both as hoster & registrar (and also noting the sheer volume of spam you're receiving related to that domain!).
  12. I just submitted some more spam, so it's still working for me. If you haven't already tried, shut down/restart the browser completely & try again - clearing the cache alone didn't work for me (FF 28.0). There's also the possibility that yahoo run multiple distributed servers, not all of which have been updated - not sure, but if they're anything like ebay, then which server you get can completely change the page config that you end up seeing.
  13. Yup, something appears to be changing at Yahoo's end - shift-alt-f was working earlier today, but now I also get the regular forwarding window (which doesn't keep the spam intact).
  14. Acknowledged, but I usually find dealing with the origination points to be a pretty fruitless exercise - the IPs either change on each spam-run or are on networks that simply do nothing about it. I usually let spamcop's reporting deal entirely with that side of things (which it did well, until Yahoo messed with the header parsing), but find it productive to go after the registration and hosting* - hence my query about tracking the hosting company. * (Spamcop's parsing of link URLs within the email body has actually been working pretty well on the examples I've been recently feeding it.)
  15. I have loads filed away in spamcop - I suspect that they didn't show when you plugged the IPs in because these are host IPs, not IPs where the mail was sent from (with this spammer, those are usually a variety of Chinese IPs, though Gigaipnet IPs have also been in use recently). The current mess with yahoo headers, probably isn't helping either... Anyway, here's 3 (one for each currently active IP): spamcop.net/sc?id=z5895724677z2a75aaeb7ef9f553dec82f3592f88d55z spamcop.net/sc?id=z5897052359z2ed3838c7800a231cd88c9ea82c6b043z spamcop.net/sc?id=z5896859767z31fbb072edee35872009c9e3418fbd45z The domain that shows up on tcputils.com is interesting, but may be unconnected, since it was registered in 2013 before this spammer moved in.
  16. @Farelf: This spammer is currently active with spam-runs using domains (and their own DNS servers) on IPs There's 50-odd domains hosted on these 3 IPs which are cycled through randomly. The other IPs are mostly from older campaigns, some of which pointed at Blacklotus (an old haunt of this spammer). A couple of new domains were recently created on these other IPs, so I expect new activity from those again in the future. All the current spam domains are registered through Namecheap (acting as a reseller for eNom), so I routinely send both complaints for each spam-run. Tinet (formerly Tiscali) are the upstream announcer for this netblock, so I've also been sending them heads-ups. Also reported the invalid whois data on ICANN's new beta whois inaccuracy form. I did fire off a query (not a complaint) to reliablehostingservices.net - they opened a ticket, promising an update email when a response had been made, but a few hours later deleted the ticket without any response, so I'm guessing they're none too interested - that's why I asked if there might be a better way to track down the hosting company. @petzl: I'll have to take a look at the CERT approach, as it's not something I'd previously thought about. Not holding my breath on any of these approaches TBH, but you do what you can, no? I like that way of thinking!
  17. One particular spammer I track has recently set up home in a 1280 IP address wide netblock (, A couple of things (whois street address doesn't actually exist, ARIN have been unable to contact the POC for the netblock since 2010 & unresponsive abuse email address) lead me to suspect that admin control of the netblock may have been compromised. Now, the question I have is: Is there any way to find who is actually hosting the servers of the spammer's domains? Inquiries to the abuse address in that netblock's whois are probably going straight to the spammer or the bitbucket, so that's presumably a no-go. The only way I could think of was to run a tracert on the IPs hosting the spammer's domains - these all ultimately end up in the suspect netblock, but always go through one particular external IP owned by a hosting company before going to private IP addresses/IPs in the suspect netblock. Is that IP likely to be of the actual hosting company? (Try tracert with these IPs used to host spam domains -,, - to see what I mean.)