klappa
-
Posts
119 -
Joined
-
Last visited
Content Type
Profiles
Forums
Events
Posts posted by klappa
-
-
14 hours ago, TiredOfYelp said:
Sendgrid is a false, injected signature.
I've successfully got 1 of their phishing domains suspended, I'm still reporting and engaging to whoever offers them any kind of service.
I've recently got a tons of spam from Amazon owned domains. Can't send or forward the spam manually since they ask for addition information, apparently send the whole spam e-mail and the send IP isn't enough for them.
-
On 1/11/2020 at 9:11 PM, petzl said:
spam [at] uce dot org
no longer accepts abuse reportsHow come? Recently a spammer again use Amazon owned domains to finance his spam campaign to send me tons of spam. Now i can't either send spam directly to Amazon and their abuse address (they want additional information ports, destination ports etc) nor the spamcop reports (since get thrown to the dump). And now the US government ignores that a big company in the US time after time send spam to millions of people worldwide and has done it for years and Amazon doesn't care.
-
Why is that?
Don't the US want to fight spam anymore?
-
On 9/12/2019 at 8:28 PM, gnarlymarley said:
I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore. I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), they I am not sure it matters as they already have that information from when they connected to my email server. I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.
I don't think it's legit. I have myself reported to that e-mail many times and i still get plenty of spam and phishing e-mails that still get's reported to that abuse email and nothing happens. I think it's owned by the spammer himself.
On 10/20/2019 at 3:27 PM, Appleseed said:Thanks
BTW. This guy have is specialized to Smoke Loader and have a huge Necurs botnet.
Where can you find that information? Is there any other abuse address I can report to? This spammer have spammed me for years. The spammer hacks sites and e-mails and use them in a botnet.
-
On 1/24/2019 at 7:22 AM, MIG said:
Hey Klappa:
From SCAdmin:
quote:
"A couple of years ago Hotmail had to give up two /16 networks they were
using (33,554,432 IP addresses) as they were not assigned to them.
Microsoft had to quickly reconfigure their network and used IPv6 to do so.Unfortunately when doing so, they did not do it carefully and make sure
they had full name resolution through out the network, where the forward
and reverse dns on each server matches. This means SC can't trust their
headers and will often take them as the source of the spam.All is not lost though, as Hotmail's parsing engines when they receive
the report does pass through the report to the right party. It also
helps Hotmail block new spam from that source.Microsoft is working on resolving the issue, but it is a couple of
hundred thousand servers. They have told us (SC) though, the fix is measured
in years, not weeks or months."
UnquoteGiven the above & other "evidence", I'm not entirely sure MS's default position involves thinking😞
So we never have to delete the first receive header ever again? The problem is that if we don't the spam will always be passed to abuse at microsoft dot com. Do you think they manually pass through to the right ISP or host owner? I can't believe that, it would require to much work on their part.
-
On 4/27/2019 at 8:38 AM, MIG said:
This is a general observation:
How about SCF has a [pinned] topic/table: Email addresses, for the purpose of collecting all "helpful" email addresses that we can use (that the parser does not identify), and, given there's only one additional SC Parser To: field that an address can be manually added to, many of us, take further action on spam, (like forwarding to x & x & xxx ..) after, we utilised SCP?
I know I've been helped many times by finding email addresses in the SCF posts.
If all those addresses were collated in a table it would be most useful (imo).
Anyone?
GH happy to do the grunt work if anyone is warm to the idea but time poor.
Be kind x🦗
Yea that would be a great idea since Spamcop is to lazy to change dead abuse addresses by themselves.
-
12 hours ago, petzl said:
https://www.spamcop.net/sc?id=z6540270015zc70d32edef3720992bb7f7c766540bebz
I also sent from my Gmail account to AmozonAWS and spam stoppedI don't decide if they are children or not. I just report it as such let "them" show the proof
18 is the age of consent in Australia for naked photos to be shown on web or magazines/videos,
under 18 is child porn afaik.
US law requires proof of age also,
https://www.consumer.ftc.gov/blog/2015/07/faking-it-scammers-tricks-steal-your-heart-and-money?page=3Trust me i have forwarded and reported with Spamcop nothing helps. Now the sex spammer have a grudge against me. Been spamming me every ten minutes or so using different Amazon servers. I can't bring me together to report everyone of them.
-
On 4/16/2019 at 12:47 PM, petzl said:
That's my attitude also this is their reply with my "preamble"
https://www.spamcop.net/sc?id=z6532210969z9e3601591d7bb95c694f6f8edf765dcczThank you for submitting your report to Amazon Web Services. We have received your report and will investigate the issue. If you wish to provide additional information to us or our customer regarding this case, please reply to this email. The details of your report are as follows: 52.10.94.116 (Administrator of network where email originates) abuse[AT]amazonaws[DOT]com Child porn spammer pictures under 18 or made to look under 18 NO PROOF OF AGE available! SENT TO MINORS > ****************headers*******They just give me a reply that i should report missing children cybertip dot org. Really the spam doesn't show naked children but it's obvious it is stolen pictures of women from around the net. Now the spammer (if it's the same that is) sent the same spam a dozen of times. I have now completely given up since the domains i reported weeks ago still are up.
American hosts can screw themselves, looks at Amazon. They don't care about anything but the money.
-
10 hours ago, petzl said:
Spammer is using throwaway email accounts
AmazonAWS is offering free web trails this clown will stick there (probably has many) till AmazonAWS bother
They want full headers copy and pasted with IP's before even bothering. And they contact these criminals show your details.
Always report it as Child porn spam site. That gives Amazon an obligation and expense to remove it.
pictures under 18 or made to look under 18. NO PROOF OF AGE available!
Include phishing-report[AT]us-cert[DOT]gov in "to field" as well AWS can see this.I won't give up. Any instances i could forward these sex spams to to let them know Amazon gives leeway to child porn?
-
On 4/12/2019 at 7:59 PM, klappa said:
I haven't received them for a while now except very sporadic. But next spam from them i will update this thread with SC Report URLs.
Just received two sex dating spams today however i haven't checked what domains the spamlinks resolve to. It could be Amazon hosted domains but i am not sure. Anyway care to inspect?
https://www.spamcop.net/sc?id=z6537755702z2a6c8c73f60568b083e173773e617c28z
https://www.spamcop.net/sc?id=z6537755185z923bf33a4c5c45f7af08454928e034dbz
On 4/12/2019 at 8:14 PM, Lking said:I don't see a suggestion to also send reports/forward spam to stop-spoofing[AT}amazon.com
I add that address to all spam that I quickly identify as relating to Amazon or often amazon.uk
Thank you!
But i am pretty sure the domains are resolved to Amazon hosted domains however since Spamcop don't check redirects it's impossible to know without clicking the spamlinks. I have to manually forward the spam directly to Amazon's abuse address. Also every of these Sex spam phishing mail I've got have been sent using an Outlook account. It seems Microsoft doesn't care much. I don't how many reports I've sent them. Also since i don't trust report_spam at hotmail dot com which is being used by Spamcop I also forward the spam directly to abuse at microsoft dot com. Outlook is a spam service nowadays nothing more.
-
On 4/6/2019 at 2:36 AM, MIG said:
All good Klappa & thank you!
Re 2. Please post more/new SC Report URLs that have embedded redirect links to Amazon.
Cheers!
I haven't received them for a while now except very sporadic. But next spam from them i will update this thread with SC Report URLs.
-
Can someone confirm if report_spam@hotmail.com really works?
-
On 4/4/2019 at 12:07 AM, petzl said:
If SpamCop did not truncate everyone would be in a queue so it will only target source of spam to speed up processing for others
Of course you can forward as attachment to abuse desk from your email account which I often do (spammers have my email address at anyrate)
https://mailsc.spamcop.net/spamgraph.shtml?spamstats
At bottom of report I put this in as a signatureoffending email forwarded also, can be read as text attachment with a text/ASCII editor like notepad or eml text readerIf you already forward your spam to their abuse department why do you also use that signature?
-
On 3/17/2019 at 1:15 AM, MIG said:
Hey klappa.
Thanks!
1st ❔, specific ONLY to MS Outlook mail, do you always REMOVE the ENTIRE 1st [Received >>>>> +0000] section BEFORE parsing?
Received: from BY2NAM03FT039.eop-NAM03.prod.protection.outlook.com
(10.152.84.53) by BY2NAM03HT214.eop-NAM03.prod.protection.outlook.com
(10.152.85.13) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1709.13; Sat, 16 Mar
2019 15:51:29 +0000Specific to your submitted url https://www.spamcop.net/sc?id=z6530636585z175385238ef9c81fac2a7bbb91908ac0z, the [REMOVE] instruction wouldn't make much/any difference as this email has travelled via MS.
- The rationale for the [REMOVE] instruction is well documented in Forum posts, I'll drag some up for you & post back.
2nd ❔: (My understanding was we were addressing: topic/35014-what-to-do-with-amazon-hosted-spammers) so, forgive me if I'm confused, but, are your concerns more to do with the process/reporting methodology or ?
3. "instead of reporting them as sex spammer use phishing e-mail instead?"
I agree with Petzl, use both.
4. Do you add [Notes] to the addresses SC parser has identified?
5. When I forward the phishing/spam email, I always include, in the subject line [offending ip address, offending ip address: "Network being used by criminals to distribute child porn"], or whatever the criminal activity is.
More soon, if you have more SC URLs please continue to post to Forum.
Cheers!
1. Yes Spamcop can't correctly parse when the 1st Receive line is there. It will always go to abuse microsoft com instead of the correct host abuse department. I think it had to do with Microsoft using internal IPv6 addresses or something.
2. I don't follow. Since Spamcop can't follow the spam link it won't identify the Amazon hosted servers the spammers or phishers use and i have to report it manually.
3. Ok!
4. Yes. To every part that Spamcop can identify.
5. Thanks for input!
-
23 hours ago, MIG said:
Hey klappa,
As you receive the emails & process them via SpamCop can you post the tracking URLs to this forum please?
Cheers!
Yes of course! This is the last one
https://www.spamcop.net/sc?id=z6530636585z175385238ef9c81fac2a7bbb91908ac0z
22 hours ago, petzl said:These "sex sites" are sent via (untraceable by you) botnet email or throwaway email addresses, the sites themselves start from a throwaway address then jump to another.
Always after credit card details!
(the ISP of that botnet can see where the source IP is)
Called phishing.
heres one
https://www.spamcop.net/sc?id=z6530436982z1d6d8d3d02831bdf4f781b2561e8282fz
notes were
22.224.69.173 antispamxdcb.hz.zj.cn bounces
malicious site URL
http://chinabdt.nxt/
52.5.250.89 abusexamazonaws.cxm
proof see
https://www.virustotal.com/gui/url/600f2573dfc69fffdd57931eb33ec16698d1c613567dd4324f6b82d984349796/detection
You're right! However it isn't directly obvious for the hosts i send the spamreports to. They are aren't pretending to be Bank of America in the spam and wants you to login to a spoofed site. They are also depending on valid third party e-mails and domain providers. And sometimes also use third party URL shortener services but sometime doesn't. I don't know if it's the same spammer but it could be.
They however as evident in the spam report above almost in all cases rely on Outlook. MS doesn't seem to take action or unable to as they create throwaway accounts after another.
Should i instead of reporting them as sex spammer use phishing e-mail instead?
-
On 3/14/2019 at 1:25 AM, petzl said:
Seem to have some success with it
Another Forrest Gump moment for me?
https://www.businessinsider.com.au/facebook-criminal-investigation-data-sharing-2019-3?r=US&IR=T
Criminal phishing, bogus reply address, bogus unsubscribe This/my email address I believe sold to this Russian (?) Crime gang by FaceBook .. email source 94.100.177.97 abusexcorp.maxl.ruYes good for you but you are dealing with obvious phishing spam i am not. It's a difference since i dealing with sex spam. The sex spammers are running a scam business but it's still not phishing e-mail. Everyone takes spam less seriously.
-
15 hours ago, petzl said:
It's a safety measure to check URL's
https://www.virustotal.com/#/home/urlThat would be quite useless because if the spammer use hidden redirection domains you have to go to check the destination domain before being able to check it with Virustotal.
-
53 minutes ago, petzl said:
Pretty sure these creeps are opening a new "free" amazon account when one is taken down.
Seems Amazon are shutting them down when reported from the spammed email address, stating IP address and copy and pasting full headers with report.
https://www.virustotal.com/#/url/51cfab3c89b464ef6e07c89d13ae048eb6708dd49233bf740609da33f2834ea2/details
status: 404 Not FoundWhich domain is that from? I don't recognize it. They usually use domains from Namecheap but mostly bit.ly links. But as said i don't know how they could get their business going? They only rarely get only a few hundred hits if even that. Then the unsuspected user have to throw up the wallet and i guess that's much less, maybe in the single digits? But maybe in the total would amount to several thousand dollars.
I know they're running their domains spread out among several hosts. Usually using third party e-mail services to send their spam so they don't go around and compromise servers or domains. I have gotten these sex dating spam for several years now.
-
1 hour ago, RobiBue said:
Oddly enough, I haven’t been getting any amazon/bit.ly spam as of a few days ago.
In fact, I haven’t had any spam since Saturday 9th at noon.
/me happy/
Glad for you. It has happened to me too but this sex spammer constantly spam me. He doesn't get any hits either when checking his bit.ly links. I don't know how he goes around.
I have other spammers, some Russian or Ukrainian drug pharmacy spam and a Chinese fake handbag spam but it's far as the sex spammer and a couple of phishing spam. I will close my account since it isn't one i use anymore anyway.
-
On 3/10/2019 at 10:20 PM, petzl said:
They went away from me for a while, as Amazon refuse to take SpamCop reports
I send from the email it was sent to
These spammers have been kicked out of many "holes" before now reside with Amazon who have a incompetent abuse desk.
Amazon are offering free web space, which tells me there IT are causing them to go broke.
I will be adding "subpoena-criminal[x]amazon.cxm" to my reports to see if anyone in Amazon have brains or more pomposity
http://www.missingkids.org/gethelpnow/cybertipline is a good link worth a try they can get a seizure order on Amazon sites
Seem to be breaching "U.S. Department of Justice's Child Exploitation and Obscenity section" (as usual U.S. agency that's broken, links are not updated)
Just checked seems Amazon are taking sites down. These creeps must be just signing up with a new free one as they get closed.Tired of reporting. Bit.ly won't take down the sex dating sites. They seem to ignore Spamcop reports altogether.
Amazon promised to take action several times but nothing happens.
I've given up. Will close my e-mail account. It's for the better.
-
11 hours ago, MIG said:
https://www.scamwatch.gov.au/ reportATsubmitDOTspamDOTacmaDOTgovDOTau
https://www.idcare.org/contact/report-phishing reportphishingATidcareDOTorg
https://www.consumer.ftc.gov/ spamATuceDOTgov
& Petzl has mentioned phishing-reportATusDASHcertDOTgov
- Does it really help?
Scamwatch:
quote "The Australian Communications and Media Authority (ACMA) receives information about spam via complaints and reports. This information informs the ACMA’s compliance and enforcement activities.
Reporting is as simple as forwarding the message you have received to the ACMA’s spam Intelligence Database. Forwarding spam reports does not automatically stop the receipt of unwanted emails or SMS messages.
Complaints, submitted by completing the ACMA’s online complaint form about a message you have received, allow you to provide important background information, as well as consent for the ACMA to disclose your electronic address to the sender in the course of any enquiries that the ACMA makes.
Where the ACMA has been able to identify the sender of an email or SMS message, once per month the ACMA sends businesses a letter advising them that that a complaint and/or report has been received about them. This assists the company to review their business processes to ensure that they are meeting the requirements of the spam Act 2003 (spam Act).
If the ACMA continues to receive reports and/or complaints about a company, the ACMA may commence a formal investigation.
Under the Privacy Act, the ACMA cannot disclose a recipient’s email address without their consent. Because of the manner in which spam reports are received, the ACMA is unable to obtain appropriate consent to disclose a recipient’s address to the senders of those messages. As such, the ACMA is not able to request that your address be unsubscribed on the basis of spam reports alone. This is only possible when a complaint has been submitted to the ACMA, as submission of the complaint form establishes consent to disclose this information.
spam reports are stored in the spam Intelligence Database. The ACMA advises consumers not to alter emails when forwarding them as reports as this may interfere with the results when filtering for particular emails during the course of an investigation. If a consumer wishes to make specific comments about an email, we recommend that they lodge a complaint.
In addition, the information gathered from complaints and reports is used as part of a wider education process. The ACMA:
provides consumers with information on how to reduce the amount of spam they receive informs Internet Service Providers (ISPs) about their obligations under the Act produces and distributes comprehensive print publications and online material that offer detailed information and practical tips on avoiding and reducing spam, meeting the requirements of the spam Act and reporting spam." unquote
FTC:
quote "The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad." unquote
I'm sure there's others, as I come across them I post to the Forum.
Cheers!
Thanks but since this doesn't involve phishing they aren't relevant? And all parties involved resides in the US not Australia.
10 hours ago, petzl said:Most USA Government agencies can't find their own ass!
However if you can hit a concerned party you are away.Seems like it.
Unfortunately the spam from this sex spammer have increased. It comes in more regularly intervals now. I knew this would happen since I've clicked the spam links but there was no way to know the end resolving domain without doing so. There's no services or programs that follow all the way through his obfuscated domains to the end.
Namecheap just pretends they have nothing on him and their reply is
Quotedomain name is pointed to our URL forwarding server which means that we do not host the content in question, the server is used only for redirecting purposes. As for the sexyflirt.me domain name, it expired and is currently pointed to our parking page and will eventually be deleted.
You may also report the issue to the official authorities and ask them to investigate the issue. Namecheap Inc. regularly works with courts and law enforcement from the local to the international level. We will assist them any way we can.
Let us know if any additional questions arise.Amazon abuse desk just replies with a short reply and urge me to go through National Center for Missing and Exploited Children
Seems pointless. I give up! The spammers always wins.
-
1 hour ago, petzl said:
Yes spammer already has your email.
Got one from these scum this morning here are the notes
54.213.31.253 (Administrator of network where email originates) abuse@amazonaws.com phishing-report@us-cert.gov https://bit.ly/2EPC64E?1819469901?DL4B7Sr6I8Unq8090859 67.199.248.10 abuse@bitly.com redirects https://mmwaq.slutsnearby.com/c/1f0a2cb367c37dee?s1=25218&s2=158751&j1=1&j3=1&s3=17004&s5=432018&click_id=nthml5c841f5915e67849990878 URL IP 34.194.20.115 abuse@amazonaws.com phishing-report@us-cert.gov
Was it a phishing mail? Amazon doesn't seem to take it serious if it isn't a phishing mail.
1 hour ago, RobiBue said:SC munges the headers (unless it's a ISP that requires full headers) for me when I report the message.
usually the message ID looks something like this:
Message-Id: <wecW_______________________________________________upLM@vevida.net>
the underscore line is placed there by SC.
and non-ISP headers are often used by the spammer to trace reported spam and retaliate... that's why I tend to do that.
if the ISP wants more info, they can ask for it
Well retaliate how? I am sure Amazon doesn't provide or give away that info to the spammer if there's serious claims behind it. How would they trace the reported spam unless Amazon directly provide the spammer with the headers and body? And i can't be bothered to manually change every header, it's too much work.
1 hour ago, RobiBue said:the info behind the ? in the links is what gives the spammer your info. those are the ones I don't add in the reports ...
btw, got the same one today too... recognize the identical bit.ly address...
Well it doesn't matter. The spammer is too stupid knowing they send sex spam with underage women and sooner rather than later be put behind bars.
-
28 minutes ago, RobiBue said:
although they have your email, doesn't mean that if you report to their ISP that they know whodunit if you munge the name and address. of course, you'd also have to munge the message ID and a few other non-ISP headers that would/could reveal your info...
Re: porn spam, amazon has AFAIU pretty strict guidelines and do not tolerate offenders.
Yes that's true. But munging the Message ID and non-ISP headers is not recommended. They need all the details I can give them and those might be valuable. If Spamcop doesn't do it except the e-mail address I won't either. My e-mail is a lost cause. It's more a throwaway account for reporting spam nowadays.
-
4 hours ago, RobiBue said:
Hi klappa,
1) munged headers means that I copy the raw spam (with headers) into notepad (on win) or your editor of choice and change all entries of my email address or part thereof as well as my name into a fake email address and fake name:
X-Apparently-To: me@example.com; Sat, 02 Mar 2019 18:48:09 +0000 Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1 for <me@example.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST) To: me@example.com Subject: MY NAME: $15,000 Loan - Pay Back in 3 Years hello MY NAME, we have a loan for you with exorbitant interest. pay it back in three years and we will only charge you 115% interestTurns into:
X-Apparently-To: x-x-x-x-x-x@x-xmail.com; Sat, 02 Mar 2019 18:48:09 +0000 Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1 for <x-x-x-x-x-x@x-xmail.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST) To: me@example.com Subject: x-x-x-x-x-x: $15,000 Loan - Pay Back in 3 Years hello x-x-x-x-x-x, we have a loan for you with exorbitant interest. pay it back in three years and we will only charge you 115% interestAnd then I add the following at the top of the headers:
Comments: The recipient of the email wishes to stay anonymous and therefore has munged his name and/or address for privacy reasons to strings like "x-x-x" or "x". Please respect his privacy.That’s “munging”.
2) alas it’s true that certain links can be “traced” by spammers, the link I started with, had no traceable info.
http://se2. mogenromance-svenska. club/ is not traceable
let me rephrase that before I get in trouble for making false statements
ok, every link you click on, gives the host your IP address, therefore (per se) traceable, but what I mean, is, that it doesn’t give the spammer any clue of your e-mail address.
Traceable links, the way I mean it, can be, for instance:
http://www.example.com/907743add1337 <- this hex string could be your encoded address http://www.example.com/illgetyou?a=encodedaddresshereIf the link already starts like that, then caution is warranted.
Since the redirects originated from a “safe” link, the information passed has nothing to do with your info.
The links in between can be either reported at the same time or at a later point in time when the spammer is scrambling to get his new site redirected
Sometimes I complain to the registrar as well in the hopes that someone there is witty enough to catch the pattern and MO of the spammer.
Now i follow. Although i can't be bothered munging my e-mail anymore. It's to late for that. I guess you do it manually every time?
Yes that one isn't traceable but sometimes my e-mail is in the spam link often with the word campaign to lure the unsuspected user even more into clicking it. But since the spammer already have my e-mail it doesn't. Never seen that string before though. The sex dating dating domains are all scam through and through. Spammers use bots to lure the user into believing they are real people and make them throw up their credit card which essentially make the spammers into phishers in the end. The pictures of the girls/boys are stolen and have an unverified age.
/me happy/ 
Any point in reporting spam from AMAZONAWS?
in SpamCop Lounge
Posted
I don't get it I only get the sender IP. Is that the injection?
How should i put the message to them? Mentioning it's a bot spam operator doesn't help.