Posts posted by Hanco


  1. 1 hour ago, NanaBird said:

    . If it continues much longer I think I will file an official complaint with our Canadian government and the RCMP.

    Hope that helps. I include the authorities on all my Amazon reporting. Not sure it has any impact here in this country. Canada may be different...


  2. 1 hour ago, NanaBird said:

    s.free.fr

    You are dealing with a group of very well known spam/phishing jerks (at least, well known to me).

    Namecheap are almost exclusively the domains they (1) Create, or (2) Takeover.

    The s.free.fr is a redirect site (short url) so the actual sites are not linked to in their malicious emails. Thus reducing risk of their actual redirect site being listed on SURBL or such.

    Their actual site is not the ultimate destination either, but a redirect dance site to wherever they fancy sending you.

    You'll also probably find they use other sites for image hosting (to deliver to their malicious emails when opened). Often they use “imgur.com” - and imgur will happily delete those as against their terms of service. Report here, if you want to help make the malicious emails look more odd than they do already 😏

    https://help.imgur.com/hc/en-us/requests/new


  3. On 10/4/2019 at 4:47 AM, HeatherReid43 said:

    I hope I am not bringing out a thread from back from the grave
    today i have received multiple instances of spam originating from AWS
    ...
    any idea how to stop this onslaught ?

    I’m sending mine to:

    abuse@amazonaws.com, abuse@amazon.com, ec2-abuse@amazon.com, ipmanagement@amazon.com

    That seems to be working.

    Were your target sites hosted by Lithuania outfit vpsnet? All mine were (australy.win, australy.bid, bulkoffers.win) 

    The target site australy.bid went onto SURBL Phishing blacklist Sunday/yesterday.

    Not sure why/how, but the good news is that Namecheap finally deleted the registration for the domain. That is something they refused to do several times (on February 6 and Feb 8 this year for example) despite emails for “number 1 milf site” etc!!

    My level of frustration with Amazon (and with Namecheap) reaches far too high a level at times LOL


  4. On 10/3/2019 at 11:07 AM, Shoo said:

    I have tried multiple selections of the message source pasted into the two boxes and I still get a "No Data Found" message.

    I got that a few times too. I refreshed and sometimes it took as many as 4-6 attempts but it eventually worked. Something was wrong but it wasn’t my ability to copy/paste :)


  5. 55 spam emails from Amazon IPs in the past 2-3 days... all designed to push traffic to one of three domains. All of no interest to me on topics from Gutter Guards, Home Warranty, some miracle instant translator device, some cure for a nerve condition, a flashlight, how stainless steel reverses diabetes, boosting testosterone, dating is easy with their Asian ladies, anthropomorphic renovation, CBD oil and miracle pain cures, dating for people much (much) older than me, and mortgages.

    A surge recently in volume of this crap and a significant fall (to zero) in the Canada Pharma sh**e, and the “you’ve got to send me your personal details so you can get $1m that is yours”. Also not had the emails from my close friends by name with “saw this and you should look” links (typically link to a site domains created with Namecheap less than 24 hours ago, and always under 3 days ago)

    It seems really clear this spam bot group is pushing all content through Amazon, and Amazon is either powerless, or doesn’t want to actually stop it.

    Rarely will SpamCop offer reporting to Amazon, instead doing the abuse#amazon thing.

    Should we send direct to Amazon or not? Which is likely to cause maximum potential nuisance to the spammer and reduce volume longer term?


  6. 23 hours ago, Lking said:

    why should they??? They don't SEND any spam.  Remember the objective of the SCBL is to block/filter incoming spam, not rate all the IP in the world.  In the beginning spammers would include phony links to NY Times/ Washington Post, etc. to make it look like the spamvertised product was valid.  A dynamic proces

    Why should they? I agree with you that innocent bystanders don’t want to be impacted. I’m talking about three specific domains/sites, which exist ONLY for spam operations.

    Obviously I appreciate determination of a site existence only for this purpose is not always straightforward. And maybe this is not the place to ask about it. Just curious how a domain like “australy.bid” or “australy.win” gets on blacklists like SURBL. It certainly seems like it is not achieved by the reports sent to the host this week :(


  7. 3 hours ago, Lking said:

    Let's start with the SCBL deals with IP addresses not domain names. As for which IPs are blocked, have you looked at https://www.spamcop.net/spamstats.shtml or https://www.spamcop.net/fom-serve/cache/351.html

    Have you looked at https://www.spamcop.net/fom-serve/cache/297.html scroll down to "Rules" Speed all depends.

     

     

    Rules:

    • SCBL lists IP addresses with a large number of reports relative to reputation points. The SpamCop team manually balances the threshold in an effort to make the list as accurate as possible.

    I guess I won’t know what that means in actual volume terms.

    • The SCBL weights reports depending on how recently the mail was received (or "freshness"):
      • The SCBL counts the most recently received reports 4:1.

    That’s me and these reports I send for sure. Avg reporting time 2 hrs now. Very fresh!

     

    • The SCBL does not count reports regarding URLs or addresses in the body of the email. Therefore, the SCBL does not list websites or email addresses used to receive replies in reported email, unless that IP is also used to send the mail.

    So, for spam emails that are from Amazon AWS IPs, where the body of the email is sent to drive traffic to the IP address of  “australy.win”... australy.win’s IP address will never become blacklisted through the reports I send? The Amazon AWS IP might though?

     

    • The SCBL will not list an IP address with only one report filed.

    I hope someone else is receiving the junk I get and is bothered enough to report


  8. On 10/1/2019 at 5:29 AM, j4v3d said:

    Newbie here! What happens once you submit the spam using the form on the website?

    When can you expect to see less spam emails coming through?

    I wish I knew what drives inclusion of sites (or their Domain Names) in blacklists. I’ve been using SpamCop for a long time, but I’ve not worked it out. I feel like it has definitely reduced the spam I get. Many years ago I received very few every year. I stopped reporting them. Then about 18-24 months ago it started again.

    Either I was in a data leak (pwned) or somehow I did get added to a list. Maybe a random bot sent email arrived and I opened it? Heaven forbid, but maybe I even replied to one?

    I’ve re-learned submissions, deciphering the plain text/headers and the “tricks” of the criminal idiots behind spam/phishing emails.

    Now they all get reported. Average submissions time 2 hours. I also report image content when hosted off their spamvertized domain site. Some image hosting applications respond in under an hour at times, deleting the files. The spammer who continues to blast me has noticed and has to include “Can’t see the images? View unblocked email here” (or similar message at the top of their spammy emails)

    I wish the blacklisting was faster. Especially SURBL, because then we see the domain registrar take actual action to shut down one more spam site. The spammer moves onto their next one, but it causes them inconvenience, which reduces the spam for a while!

    Currently I’m dealing with ~24 spams per day, and all for the same three domains hosted by the same provider. Hoping for a slow down soon 😊

    Best wishes.


  9. I tried 5 times (one of those being many minutes after the other 4 so I could paste a link here in the forum)

    Even re copy/pasting did not work. Something is wrong today or the spammers are finding ways to cause issues.

    It did work now though. Worth knowing. 

    Would be good for the tracking link to be available in “Past Reports” (I had to recreate for my forum post above)


  10. Same for me today with multiple spam emails. I copy paste the headers/plain text into the form and submit.

    https://www.spamcop.net/sc?id=z6577975043z5717151a0c3192ccd48d77159d8dbd4cz

    Does that link above help? Is there a place to forward the plain text for further investigation? Seems like one spammer in my case has found a way to break the capability to report.


  11. On 9/28/2019 at 12:12 AM, petzl said:

    Looks to me like Amazon abuse desk is behind and protect
    Criminal  phishing, bogus reply address, bogus unsubscribe
    Be very wary about giving Amazon credit card information they will have bogus charges appearing on it,
    Some bogus charges on my credit card for kindle books I noticed, recommend canceling accounts/credit cards they have access to.
    26/07/2019    Amazon Australia Servi Melbourne Au 
    Entertainment & Recreation    $13.99    
    26/09/2019    10:44    Amazon Australia ServiMELBOURNE AU    $13.99    

    Although after spotting this I rang and they refunded the money I believe misappropriated
    27/09/2019    Amazon Australia Servi Melbourne Au
    Deposits        $13.99...

    Wow, that’s not good. Credit card provider would likely have reversed all those if Amazon didn’t I guess.

    Meanwhile here, Amazon IPs are the source of regular spams by the same criminal group now, every day for:

    bulkoffers.win / australy.win / australy.bid

    I wonder how many times it takes reporting these through SpamCop before we finally see them go on SURBL or similar...


  12. Do we feedback somewhere on issues where SpamCop’s Whois came back wrong?

    63.34.8.135 belongs to Amazon not Verizon.

    Source Registry: ARIN
    Net Range: 63.32.0.0 - 63.35.255.255
    CIDR: 63.32.0.0/14
    Name: AMAZON-DUB
    Handle: NET-63-32-0-0-2
    Parent: NET-63-32-0-0-1
    Net Type: ALLOCATION
    Origin AS: AS16509
    Registration: Wed, 25 Apr 2018 18:02:37 GMT (Wed Apr 25 2018 local time)
    Last Changed: Wed, 25 Apr 2018 18:02:37 GMT (Wed Apr 25 2018 local time)
    Self: https://rdap.arin.net/registry/ip/63.32.0.0
    Alternate: https://whois.arin.net/rest/net/NET-63-32-0-0-2
    Up: https://rdap.arin.net/registry/ip/63.32.0.0/14
    Port 43 Whois: whois.arin.net

    Related Entities: 1 Entity
    Source Registry: ARIN
    Kind: Org
    Full Name: Amazon Data Services Ireland Limited


  13. Middle of the night and they are spamming for a new Namecheap domain again...
     
    camill.icu
    Hosted via (not necessarily “at”) 51.77.39.82: abuse@ovh.net, noc@ovh.net
     
    Camill.icu Namecheap registrar domain is only 4 days old
     
    Spammer also using free redirect services for links  and including large unnecessary text blocks in <style> tags, and sending from Amazon network AWS IPs (again) and using Imgur image storage service (who delete anything I report to them pretty fast)

  14. I report spam directly on the SpamCop site (pasting plain text into the form) and for Amazon reports:

    1) SpamCop almost always says “Using abuse#amazonaws.com@devnull.spamcop.net for statistical tracking”

    2) Rarely, but occasionally, I find SpamCop decides to send a report to ipmanagement@amazon.com

    3) Now, if the source IP in the spam email headers is at Amazon, I send the report to three addresses. I always include the time the email was received (and time zone). Just occasionally they mess up the conversion to UTC and ask about the time again.

    ipmanagement@amazon.com because it seems to respond sometimes 

    ec2-abuse@amazon.com because sometimes it is those guys responsible for the sending IP apparently 

    abuse@amazonaws.com because that’s what SpamCop was going to send to

     

    I also report any spam image content links I find in the emails. Pinterest is a pain to deal with, but Imgur and others have been very responsive. So much so that the spammer now puts “if the images are not shown below click here” - LOL!! 

    If only they stopped sending me their crap, they would have more success with their intended victims.


  15. Prior was different. Don’t seem to be very rigid standard responses.

    Thank you for bringing this issue to our attention. The customer responsible was removed from our platform.

    If you have any questions, please feel free to reach out. Have a great rest of your day.

     

    and...

     

    Thank you for bringing this to our attention. We take the integrity of our platform very seriously and are currently working with the customer to resolve this issue.

    If you have any questions or concerns in the meantime, please don’t hesitate to ask.


  16. My last Linode reply to a direct email was positive:

    Thank you for bringing this to our attention. We have removed this user from our platform as their actions have violated our terms of service.

    Please let us know if you have any questions.


  17. On 9/5/2019 at 10:54 AM, nhraj700 said:

    On another note I have been able to have about a dozen domains suspended, however the spammers quickly react by creating/using other ones.

    Every so often I get one suspended. But yes, they just move to another. When I first started reporting these guys it spurred a total onslaught of spam. 10 to 15 spams for the same junk every day for a few days. All sent from AWS IP addresses and, more often than not, pushing traffic to Namecheap domains, which are only set up to do redirects. The target sites never have an actual website at them. I think it is known as spamvertising.


  18. Namecheap are not impressive. I am regularly reporting spam where the benefiting/target domain in the spam was created “today” (same date spam received), 1 day old (one of those this week) and just today there is a 1 and a 3 day old domain.

    Namecheap’s response: We are not host so we cannot check server logs... contact the host.

    Is it me? Are domains used in obvious spam emails, less than 24 hours, 1 or 3 days old, likely to be genuine customers of their business???

    I report every one of the spams through SpamCop, I include the sender host of the email when possible (so many are AWS IPs now, and I report those directly to Amazon).

    I also report the hosted images. The spammer used to use Imgur exclusively, but they (and several others) handle my image ad reports very quickly now.

    It seems VERY hard to get the sender of this junk onto SURBL or other Namecheap recognized list. Only when they are does Namecheap do anything concrete at all.

    One day old spam promoted site example from today:

    highmarket.club

    A few others

    hiotoau.info was created via Namecheap the same day as the spam email was sent: 20 September

    arstoe.info was created via Namecheap the same day as the spam email was sent: 15 August

    iornfao.info was created via Namecheap the same day as the spam email was sent: 27 July


  19. Hi, I’ve not been looking forward to the day they implemented this on my account but Microsoft did it this week.

    Spammer links/URLs are now embedded within a new string/link which Microsoft has replaced the original link with.

    Users cannot disable this unwarranted, unwanted change. It means a user cannot review the link easily before visiting the webpage, but it also means SpamCop doesn’t seem able to identify the site. So now reports are suggested for the host/reverse proxy provider :(

    Are there any plans to take care of this on the SpamCop side? Otherwise it requires people like me to identify the link within the Microsoft mess, copy that, remove the % handling for forward slash characters, open another instance of the SpamCop page and use that to get the reporting address/IP of the spamvertized site etc, then come back to the original page and add a user report address.

    example:

    
    
    

    (Thanks Microsoft for messing this up but not actually reducing the spam junk I get from the same criminals...)
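
The manual unwrapping described in the post above, as an added example that is not part of the original post and not SpamCop code. It assumes the rewritten links follow the Outlook Safe Links layout (a host ending in `safelinks.protection.outlook.com` with the original URL percent-encoded in a `url` query parameter); the function names and the sample message are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: Outlook Safe Links layout, i.e. a regional host under this
# suffix with the original link percent-encoded in the "url" parameter.
WRAPPER_SUFFIX = ".safelinks.protection.outlook.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def unwrap(link, max_depth=5):
    """Return the URL carried inside a rewritten link, or the link unchanged."""
    for _ in range(max_depth):  # bounded loop: a link can be wrapped twice
        parts = urlsplit(link)
        host = (parts.hostname or "").lower()
        if not host.endswith(WRAPPER_SUFFIX):
            break
        inner = parse_qs(parts.query).get("url")  # parse_qs undoes %2F, %3A
        if not inner:
            break
        link = inner[0]
    return link


def reportable_hosts(message_source):
    """Map each host found after unwrapping to the URLs that point at it."""
    found = {}
    # HTML parts escape "&" as "&amp;" inside href values, so unescape first.
    for raw in URL_RE.findall(html.unescape(message_source)):
        target = unwrap(raw.rstrip(".,)"))
        host = (urlsplit(target).hostname or "").lower()
        if host:
            found.setdefault(host, []).append(target)
    return found


# Constructed sample message body (reserved example domains only).
SAMPLE = (
    'Click <a href="https://nam02.safelinks.protection.outlook.com/'
    '?url=https%3A%2F%2Fredirect.example.test%2Fr%3Fid%3D42'
    '&amp;data=02%7C01%7Cuser%40example.com&amp;reserved=0">here</a>\n'
    'Images: https://img.example.net/a.png.\n'
)

if __name__ == "__main__":
    for host, urls in reportable_hosts(SAMPLE).items():
        print(host, urls)
```

The hosts it returns are the ones to look up for abuse contacts, in place of the rewriting service's own host.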

     

     
