Hanco

Members
  • Posts

    135

Everything posted by Hanco

  1. Yeah, advance fee 419 scam. They go to junk mail daily for me. I always add the exact same format to a user report:
     419 scammer
     Gmail account abuse (Reply-To) (the reply-to address, usually but not always gmail)
     Gmail account abuse (reply requested in body) (the email address mentioned in the email body text, if present, usually but not always gmail)
     And I copy the report to abuse@gmail.com. I use keyboard short text/quick reply text to put that detail into the user report in the same format every time. In the hope the reply accounts are reviewed/shut down quickly. I think it’s working because 419 scammer emails tend to stress how urgent replying is now!
  2. They do divest of responsibility but it is accurate. They are a “pass thru” and are used by spammers who host some of their gazillions of redirect websites behind the “cover” of a Cloudflare IP address. There are legitimate reasons to use the services of Cloudflare. I have actually found Cloudflare to be pretty good at dropping their service from scammer/spammer websites. They’re pretty decent in my experience. I can’t speak for everyone of course :)
  3. I don’t get the sign in required. But I am experiencing the reporting challenges that are mentioned here in the thread and in the notice on the report page now. Yeah it has been happening a few days now, then today it was the worst it could be (coincidentally the same day as what appeared to be the most spam attacking the forum). On that topic, we seem to have a few new members joined in the past 4-7 hours but nothing like the large number of new account influx seen 17 hours ago… Not just you 👍 Until certain ISPs get their head out of the sand and sort out their customers, we’ll have this problem of well constructed spam continue. Most seem willing to take the action required. Just 2 I know of that are real obstinate. So while they continue, they are getting reports and sub reports filed in detail.
  4. Thank you to whoever has been doing all the cleaning and fixing things. Appreciate you.
  5. Do you need long time member volunteers to help with moderation? I’ll help deleting the actual spam posts if you like.
  6. I cannot get spamcop.net to load. That’s what my browser shows on the page after trying. Is it just me or are others seeing the same today?
  7. I’m seeing 500 Server Errors today. And lots of spam posts on the forum. A huge number of spam posts. I do also think: If the spammers are posting on the forum then maybe that is a sign that SpamCop works.
  8. Hanco

    Why report?

    Thanks for what you do! Looks like they want to keep you busy today.
  9. I started seeing the DNS error yesterday. Like others, I found refresh resolved usually after one or two tries. It did seem to get worse with time though. It has been bad for me too through March/April with higher levels of prizes/surveys and recently “love interest” - and the fake invoices (refund scam GeekSquad etc.) plus there’s a Fake Facebook Signin Alert which comes multiple times per day. Is it a coincidence that the forum is under a spam attack with new members registered posting airline tickets and intuit quick books nonsensically?
  10. Do you know what date you did that? I’ll repeat the same and ask them. I’ll refer them here to this thread too. It’s not ok to have two faces on something like this, but there could be a simple explanation, maybe.
  11. Thanks. I am checking with Bitly if they were aware of the reports I sent in the form there to see if it was duplicated reporting of my SpamCop report.
  12. Yes I’m aware of that. So when a spam arrives and I paste the headers into SpamCop, if it has just a bit.ly short URL, then I use an app to see where the redirect goes and I check who hosts the destination site (after the bitly redirect). I add the host of the true spamvertized site to the user reports. I then check the target spamvertized site domain age. If it was recent then I add the registrar to the user reports (ex.: abuse@namecheap.com)
      Example:
      spam Short URL https://bit.ly/3L5F0pO and https://bit.ly/3YwN85S
      Redirects to the same site as all these this morning https://mammothtrunk.com/0/0/0/ (parameters removed)
      Hosted at 172.99.172.168 : abuse@baxetgroup.com
      Domain name is 6 weeks old, created for this spam campaign
      Domain Name: MAMMOTHTRUNK.COM
      Registry Domain ID: 2755384967_DOMAIN_COM-VRSN
      Registrar WHOIS Server: whois.name.com
      Registrar URL: http://www.name.com
      Updated Date: 2023-02-01T18:23:04Z
      Creation Date: 2023-02-01T18:23:04Z
  13. I wish I’d thought of that! Always a good idea… https://www.spamcop.net/sc?id=z6801823440z842f34171779f715e8acf2de705a997ez
  14. Normally when SpamCop doesn’t want to send reports (for any of the reasons you mentioned) it says something about that. In this case it says the site is not hosted anywhere. CURL app for the URL shows it can find it and connect.
      -- Trying 179.60.149.187:80...
      -- Connected to www.umkhn.ipeaet.com (179.60.149.187) port 80 (#0)
      >> GET / HTTP/1.1
      >> Host: www.umkhn.ipeaet.com
      >> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
      >> Accept: */*
      >>
      >>
      -- Mark bundle as not supporting multiuse
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Type: text/html
      Server: nginx
      Date: Wed, 08 Mar 2023 20:51:34 GMT
      Content-Length: 0
      -- Closing connection 0
      ** Timing Details **
      -- Name Lookup: 0.00s
      -- TCP Connect: 0.18s
      -- First Byte: 0.39s
      -- Total Download: 1.25s
      -- Size: 0 bytes
      -- Speed: 0 bytes/sec
      -- Using: HTTP/1.1
      ** RESULT CODE: 200**
      If I browse to the URL I get the site redirects ending at https://advicetips4life.com/us/acyq/acvluxe-onl?bhu=spkfLVx74Uxzr6Jje713xZGdBSdmqjSHcSxbXT
  15. Why does spamcop think this is not hosted anywhere? A ping for http://www.umkhn.ipeaet.com/ 179.60.149.187 info@vds4you.ru
  16. Well it’s reassuring to read that I am not the only one being bombarded with this junk and a2hosting is the host of the fraudulent scamming spammer customer! I even spoke to them and they were pretty unclear what they were doing about it all. It’s very obvious there is a determined spammer behind this crap and they are not being handled appropriately or quickly enough.
  17. They seem confused! But when you report a spam email sent by an ExactTarget sender’s IP address, this is the result: Devnull because they don’t want the report?
  18. Isn’t it strange? I go to that site and it’s live. It redirects to https://great-tipsline.com/us/owiy/acvluxe-onl?bhu=spkfLVx74Uxzr6Jje713xZGdBSdmqafrfZKtn5 What does spamcop say?
      SpamCop v 5.4.0 © 2023 Cisco Systems, Inc. All rights reserved.
      Parsing input: 88.214.26.85
      No recent reports, no history available
      Routing details for 88.214.26.85
      Report routing for 88.214.26.85: info@ip-interactive.de
      info@ip-interactive.de redirects to support@ip-interactive.de
      support@ip-interactive.de bounces (19201 sent : 9601 bounces)
      Statistics:
      88.214.26.85 not listed in bl.spamcop.net
      More Information.
      88.214.26.85 not listed in cbl.abuseat.org
      88.214.26.85 not listed in dnsbl.sorbs.net
      Reporting addresses: (NONE)
      I found up-interactive.de is now Layer7.net I emailed Layer7 and they explained:
  19. Ongoing… this one still cannot be found by Spamcop but is definitely live. I can ping the web address: Target URL for the emailed link in a mail pretending to be from a friend or relative: hkdps.piarliye.com Pings at 88.214.26.85 no response since 19 Jan from support@ip-interactive.de - trying them again.
  20. These sites are all hosted by a2hosting.com (all have the same site page content “Business Casual” template, with same stock “family photo” image). The spammer creates the domains with Namecheap registrar the day they send spam, or up to 3 days before they send their spam mails. Example site name/domains at 190.92.179.156:
      5369555.vip
      ryanpage.website
      wanaolaomaod.art
      eoniolsa.pro
      zltaxafa.cloud (behind 172.67.169.142 but was visible at 190.92.179.156: on 6 November)
      a2hosting does have a reporting address. EXAMPLE SPAMCOP OUTPUT:
      Parsing input: http://5369555.vip
      No recent reports, no history available
      Host 5369555.vip (checking ip) = 190.92.179.156
      Display data:
      "whois 190.92.179.156@whois.lacnic.net" (Getting contact from whois.lacnic.net)
      whois.lacnic.net 190.92.179.156 = abuse@a2hosting.com
      Cannot find ip range in whois output
      No reporting addresses found for 190.92.179.156, using devnull for tracking.
      Statistics:
      190.92.179.156 not listed in bl.spamcop.net
      More Information.
      190.92.179.156 not listed in cbl.abuseat.org
      190.92.179.156 not listed in dnsbl.sorbs.net
      No valid email addresses found, sorry!
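
The domain-age check described in post 12 above (read the spamvertized domain's WHOIS record and note the registrar in the report when the domain is recent), as an added example that is not part of the original posts. The 90-day cut-off, the function names and the date the spam was seen are assumptions made for illustration; the WHOIS text is the excerpt quoted in that post.

```python
from datetime import datetime, timezone

# WHOIS excerpt as quoted in post 12 on this page.
WHOIS_TEXT = """\
Domain Name: MAMMOTHTRUNK.COM
Registry Domain ID: 2755384967_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.name.com
Registrar URL: http://www.name.com
Updated Date: 2023-02-01T18:23:04Z
Creation Date: 2023-02-01T18:23:04Z
"""

# Assumption: cut-off for "recent"; the posts give no number.
RECENT_DAYS = 90


def parse_whois(text):
    """Map lower-cased WHOIS field names to the first value seen for each."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, URLs stay whole
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def domain_age_days(fields, seen_at):
    """Whole days from Creation Date to when the spam was seen, or None."""
    created = fields.get("creation date")
    if created is None:
        return None  # redacted or thin WHOIS: age unknown, do not guess
    try:
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None  # registry uses a different date format
    return (seen_at - created_at.replace(tzinfo=timezone.utc)).days


def registrar_note(fields, seen_at):
    """Return a line for the user report, or None when the domain is not recent."""
    age = domain_age_days(fields, seen_at)
    if age is None or age < 0 or age > RECENT_DAYS:
        return None
    return "{} created {} days before this spam (registrar WHOIS: {})".format(
        fields.get("domain name", "?").lower(), age,
        fields.get("registrar whois server", "unknown"))


if __name__ == "__main__":
    # Constructed arrival date for the spam, six weeks after the creation date.
    seen = datetime(2023, 3, 15, 19, 0, tzinfo=timezone.utc)
    print(registrar_note(parse_whois(WHOIS_TEXT), seen))
```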