RobiBue
-
Posts
453 -
Joined
-
Last visited
Content Type
Profiles
Forums
Events
Posts posted by RobiBue
-
-
5 minutes ago, petzl said:
Yes spammer already has your email.
Got one from these scum this morning here are the notes
54.213.31.253 (Administrator of network where email originates) abuse@amazonaws.com phishing-report@us-cert.gov https://bit.ly/2EPC64E?1819469901?DL4B7Sr6I8Unq8090859 67.199.248.10 abuse@bitly.com redirects https://mmwaq.slutsnearby.com/c/1f0a2cb367c37dee?s1=25218&s2=158751&j1=1&j3=1&s3=17004&s5=432018&click_id=nthml5c841f5915e67849990878 URL IP 34.194.20.115 abuse@amazonaws.com phishing-report@us-cert.gov
the info behind the ? in the links is what gives the spammer your info. those are the ones I don't add in the reports ...
btw, got the same one today too... recognize the identical bit.ly address...
-
3 minutes ago, klappa said:
Yes that's true. But munging the Message ID and non-ISP headers is not recommended. They need all the details I can give them and those might be valuable. If Spamcop doesn't do it except the e-mail address I won't either. My e-mail is a lost cause. It's more a throwaway account for reporting spam nowadays.
SC munges the headers (unless it's a ISP that requires full headers) for me when I report the message.
usually the message ID looks something like this:
Message-Id: <wecW_______________________________________________upLM@vevida.net>
the underscore line is placed there by SC.
and non-ISP headers are often used by the spammer to trace reported spam and retaliate... that's why I tend to do that.
if the ISP wants more info, they can ask for it
-
44 minutes ago, klappa said:
Now i follow. Although i can't be bothered munging my e-mail anymore. It's to late for that. I guess you do it manually every time?
Yes that one isn't traceable but sometimes my e-mail is in the spam link often with the word campaign to lure the unsuspected user even more into clicking it. But since the spammer already have my e-mail it doesn't. Never seen that string before though. The sex dating dating domains are all scam through and through. Spammers use bots to lure the user into believing they are real people and make them throw up their credit card which essentially make the spammers into phishers in the end. The pictures of the girls/boys are stolen and have an unverified age.
although they have your email, doesn't mean that if you report to their ISP that they know whodunit if you munge the name and address. of course, you'd also have to munge the message ID and a few other non-ISP headers that would/could reveal your info...
Re: porn spam, amazon has AFAIU pretty strict guidelines and do not tolerate offenders.
-
2 hours ago, klappa said:
Thank you!
What do you mean by offending message with munged headers follows? How do you mung the headers with your name and address?
However the destination domain was hosted by either Key-Systems, RRProxy or Google i am not sure which is hosting which. I don't want to type down the domain as it would be traceable by the spammer. There's no trace routes services or functions i know of that would've showed the destination domain.
The domains you listed are hosted by Amazon and lies between the domain link found in the spam and the destination domain. I don't know their purpose though.
Hi klappa,
1) munged headers means that I copy the raw spam (with headers) into notepad (on win) or your editor of choice and change all entries of my email address or part thereof as well as my name into a fake email address and fake name:
X-Apparently-To: me@example.com; Sat, 02 Mar 2019 18:48:09 +0000 Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1 for <me@example.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST) To: me@example.com Subject: MY NAME: $15,000 Loan - Pay Back in 3 Years hello MY NAME, we have a loan for you with exorbitant interest. pay it back in three years and we will only charge you 115% interestTurns into:
X-Apparently-To: x-x-x-x-x-x@x-xmail.com; Sat, 02 Mar 2019 18:48:09 +0000 Received: by mail-it1-f193.google.com with SMTP id d125so1436534ith.1 for <x-x-x-x-x-x@x-xmail.com>; Sat, 02 Mar 2019 10:48:08 -0800 (PST) To: me@example.com Subject: x-x-x-x-x-x: $15,000 Loan - Pay Back in 3 Years hello x-x-x-x-x-x, we have a loan for you with exorbitant interest. pay it back in three years and we will only charge you 115% interestAnd then I add the following at the top of the headers:
Comments: The recipient of the email wishes to stay anonymous and therefore has munged his name and/or address for privacy reasons to strings like "x-x-x" or "x". Please respect his privacy.That’s “munging”.
2) alas it’s true that certain links can be “traced” by spammers, the link I started with, had no traceable info.
http://se2. mogenromance-svenska. club/ is not traceable
let me rephrase that before I get in trouble for making false statements
ok, every link you click on, gives the host your IP address, therefore (per se) traceable, but what I mean, is, that it doesn’t give the spammer any clue of your e-mail address.
Traceable links, the way I mean it, can be, for instance:
http://www.example.com/907743add1337 <- this hex string could be your encoded address http://www.example.com/illgetyou?a=encodedaddresshere
If the link already starts like that, then caution is warranted.
Since the redirects originated from a “safe” link, the information passed has nothing to do with your info.
The links in between can be either reported at the same time or at a later point in time when the spammer is scrambling to get his new site redirected
Sometimes I complain to the registrar as well in the hopes that someone there is witty enough to catch the pattern and MO of the spammer.
-
5 hours ago, klappa said:
Thank you! That will help a lot. With this i can improve my reporting even more.
Amazon promised to take action now in the last second when i threatened to report them to the government authorities. Now i see that the redirect URL service unfortunately didn't show the destination domain which was hosted by another domain host entirely from Amazon. These spammers are clever. IT's really a pain in the ass. It is also unfortunate that Spamcop isn't that much of a help when they are constantly changing from where they send the spam from and hosts their obfuscated domains. Spamcop will only report the responsible parties in the spam.
I really do hope Spamcop does something though even if you have to dig further than what Spamcop does.
to Amazon I would writethe following (adding the spam at the end):
you are harboring a spamvertised porn site:
spamvertised link:
http://se2. mogenromance-svenska. club/
redirects as follows:
HTTP/1.1 302 Found =>
Server => nginx
Date => Sat, 09 Mar 2019 07:04:17 GMT
Content-Type => text/html; charset=utf-8
Content-Length => 75
Connection => close
Location => https:// crazytrackings. com/ ?a=100225&c=102723&s1=232
X-Served-By => Namecheap URL ForwardHTTP/1.0 302 Found =>
Cache-Control => private
Content-Length => 226
Content-Type => text/html; charset=utf-8
Date => Sat, 09 Mar 2019 07:04:42 GMT
Location => https:// cyberblueberry. com/ ?a=100225&c=102723&s1=232&ckmguid=5eaf0d44-97f6-419a-bf50-4dc7daa946baHTTP/1.0 302 Found =>
Cache-Control => private
Content-Length => 250
Content-Type => text/html; charset=utf-8
Date => Sat, 09 Mar 2019 07:05:03 GMT
Location => https:// kewkr. girlstofu**. net/ c/da57dc555e50572d?s1=12951&s2=153430&s3=100225&s5=&click_id=22381729&j1=1&j3=1
P3p => CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie => c100916=B0u1wB9CbYmmbLsSFz+i2AKhvFRakvmMJc94KAGrH+9633KgqJ4kxg==; domain=.cyberblueberry.com; expires=Mon, 08-Apr-2019 07:05:04 GMT; path=/; HttpOnlyHTTP/1.1 200 OK =>
Server => nginx
Date => Sat, 09 Mar 2019 07:05:24 GMT
Content-Type => text/html; charset=UTF-8
Content-Length => 12475
Connection => close
Set-Cookie => scriptHash=49415_12951_153430; expires=Mon, 08-Apr-2019 07:05:24 GMT; Max-Age=2592000; path=/; HttpOnly
X-Powered-By => PHP/7.0.32and this last redirect is on IP address
Host kewkr. girlstofu**. net (checking ip) = 34.194.20.115whois -h whois.arin.net 34.194.20.115 ... [...] NetRange: 34.192.0.0 - 34.255.255.255 CIDR: 34.192.0.0/10 NetName: AT-88-Z NetHandle: NET-34-192-0-0-1 Parent: NET34 (NET-34-0-0-0-0) NetType: Direct Allocation OriginAS: Organization: Amazon Technologies Inc. (AT-88-Z) RegDate: 2016-09-12 [...] OrgAbuseHandle: AEA8-ARIN OrgAbuseName: Amazon EC2 Abuse OrgAbusePhone: +1-206-266-4064 OrgAbuseEmail: abuse@amazonaws.com OrgAbuseRef: https://rdap.arin.net/registry/entity/AEA8-ARIN [...]
I believe this is your IP space.
please enforce your AUP.
offending message with munged headers follows (and I always munge the headers with my name and address since I send it from a dedicated spam reporting email address which is in name and address different from any other)
and see if they say that it's not their IP space
-
yeah, pretty sure there's money involved. if someone complains they'll probably slap them on their wrist... if too many complain, they'll probably close the account, but the spamvertiser can easily open a new account and start anew...
-
On 1/14/2019 at 10:20 PM, ANGEL said:
RobiBue, you may be able to answer my question please (specific to SCv5)(IPv6 624)
With V5, do we no longer have to "cut"
1st [Received: from PU1APC01HT007.eop-APC01.prod.protection.outlook.com(2603:10a6:800:92::20) blah, blah, blah, Mon, 14 Jan 2019 06:08:02 +0000]
?
instead post to parser ENTIRE source data?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
And, anyone who's game
may be able to answer:
if the answer's "yes"; why parsing the entire source data would result in different [Reports sent to] distributions?
https://www.spamcop.net/sc?id=z6513483714z596b7c076a2121c3ce82e632cf6e31a3z
as opposed to parsing modified source data [Reports sent to] distributions
https://www.spamcop.net/sc?id=z6513484404zf0c78fe42b97237ee395ad8a37facc9cz
Thanks in advance!
Sorry it's taken me so long to reply, but I've been busy and could only do minimalistic replies, so I have waited until I had more time to delve in deeper...
While the Gmail hack is no longer necessary, unfortunately Microsoft's outlook "hack" is still needed due to its difference...
looking at the unmodified Received: headers in https://www.spamcop.net/sc?id=z6513483714z596b7c076a2121c3ce82e632cf6e31a3z
[line] (Received origin/destination) [0001] Received: from PU1APC01HT007.eop-APC01.prod.protection.outlook.com (2603:10a6:800:92::20) [0002] by VI1PR06MB5360.eurprd06.prod.outlook.com [0003] Received: from PU1APC01FT052.eop-APC01.prod.protection.outlook.com (10.152.252.54) [0004] by PU1APC01HT007.eop-APC01.prod.protection.outlook.com (10.152.252.101) [0005] Received: from iainternalmeds.com (69.160.26.74) [0006] by PU1APC01FT052.mail.protection.outlook.com (10.152.253.137) (only the Received: lines are relevant here. Omitting the timestamps as well as the transfer method/protocol)
Line [0002] is the host from which you picked the email up.
Lines [0001] and [0004] should have the same host name and number, but only the host name is the same, so SC cannot safely confirm that it is the same host and with right determines the following: "Internal handoff or trivial forgery".
Lines [0003] and [0006] also should have the same host name/address, but neither are equal, and therefore line [0005] is also a possible forgery.It looks complicated like this, but by keeping in mind, that the header lines are actually filled from the bottom up, let's "flip" the above Received: header lines:
[line] (Received origin/destination) [0005] Received: from iainternalmeds.com (69.160.26.74) [0006] by PU1APC01FT052.mail.protection.outlook.com (10.152.253.137) [0003] Received: from PU1APC01FT052.eop-APC01.prod.protection.outlook.com (10.152.252.54) [0004] by PU1APC01HT007.eop-APC01.prod.protection.outlook.com (10.152.252.101) [0001] Received: from PU1APC01HT007.eop-APC01.prod.protection.outlook.com (2603:10a6:800:92::20) [0002] by VI1PR06MB5360.eurprd06.prod.outlook.com (only the Received: lines are relevant here. Omitting the timestamps as well as the transfer method/protocol)
[0005] sent it
[0006] received it which then in turn sent it as [0003] (PU1APC01FT052 is the same, but then the sub-domain name differs as well as the private IP address)
[0004] received it which then in turn sent it as [0001] (here all: host, sub-domain, and domain are exactly the same, but unfortunately the address is not)
[0002] received it in the end, waiting for you to pick it up.Therefore, unfortunately, Received: line [0001]/[0002] is the only trusted Received header: and the rest: [0003]/[0004], and [0005]/[0006] are possible forgeries in the eye of SC.
By removing the top Received: line (here [0001]/[0002]) in outlook recipients, SC treats the following Received lines as Private/internal handoffs and correctly identifies the culprit in [0005].
This is not SC's fault, and SC cannot fix it. This fix has to come from M$ themselves, and, although SC did fix it in Gmail's sector, which, though Gmail's fault, and rightly also in Gmail's mail-server's code to be fixed, as 6to4 addresses should not propagate with private networks, is in the end a needed fix in SC's parser, and hopefully, whoever fixed it, made sure that only private networks are affected in the 2002:: 6to4 range, because it is possible (and allowed) to have valid IPv4 networks translated and propagated in IPv6 6to4 addresses. (please forgive the long-winding-ultra-long-complex-sentence. I hope it is understandable
🙃.)
So in the end, the answer is as follows:
For Gmail users: you do not have to remove/replace the 1st (topmost) Received: header.
For Outlook users: you still have to remove/replace the 1st (topmost) Received: header. Sorry.
This should answer both parts of the question. HTH
-
And, anyone who's game
-
Well, after several months of complaining and work-arounds, the SC update to v 5.0.0 finally did it (at least one part of this post's problem):
-
I started doing that too for every amazonAWS spam.
I am not sure how effective they are, as their case numbers keep changing for every report and every other reply.
reporting to them gives me a case number, but when they reply about the action (which they can't tell me) they have yet another case number, and when I submit the same IP address a few days later (from a new spam) they give me yet another case number, so in this sense, I have no idea how they can even track their own cases...
although I have been able to get a live person answer there... so they do read the stuff they get...
-
35 minutes ago, Lking said:
The current refresh (just now) shows - as you suggest
It is a dynamic system.
Does this mean, that I should [refresh/show] every cached whois of every report?
thanks for the heads-up
-
Well, amazonaws spam reports get sent to /dev/null in my case:
https://www.spamcop.net/sc?id=z6503507988zf04f1366f6ca8e5a872324eb4f96d690z
Tracking message source: 54.180.88.238:Routing details for 54.180.88.238
[refresh/show] Cached whois for 54.180.88.238 : abuse@amazonaws.com
Using abuse net on abuse@amazonaws.com
abuse net amazonaws.com = abuse@amazonaws.com
Using best contacts abuse@amazonaws.com
Reports disabled for abuse@amazonaws.comUsing abuse#amazonaws.com@devnull.spamcop.net for statistical tracking. -
From what I understand, when Julian Haight designed SpamCop, it looked at every possible correctly chained IP address, where it was sent from, and who received it, making sure that spoofed headers would not confuse the chain. If he were still running this system, he would have correctly implemented the 6to4 IPv6 checks, which apparently Cisco/Talos has no intention to do. For them to claim the implementation would cause a security vulnerability is pure BS in my not so humble opinion. It just shows, that their programmers are not as good as one would expect from a company of such security weight.
It's an email header parser/analyzer for heavens' sake. And it's broken (on the IPv6 6to4 address side at least.)
-
6 hours ago, Lking said:
Yes petzl, I miss spoke.
I do not believe you mis-spoke. It is an IPv6 problem.
SpamCop doesn't resolve the 6to4 private addresses, which are in IPv6 format, and that qualifies as an "IPv6 problem" that we all wish SpamCop would be able to handle "today" -
In other words: he probably jinxed it... now someone at outlook will “fix” that “working flaw” 😱
-
Many times, pasting the spam into a blank notepad first, will take care of those empty lines or will show that there are empty lines. Usually this happens when there is a carriage return (cr) and a line feed (lf) like in unix (cr/lf) and microsoft (cr) receives it...
-
I would like to propose a change in SpamCop's handling of cloudflare links.
1. when looking up the whois for the domain, or test the link, do not use the full path, only use the domain name, as a visitor trigger trap causes more spam to be sent as soon as the report is performed.
I munged for that purpose every link in my "cloudflare" spams:
https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez
https://www.spamcop.net/sc?id=z6493410187zb583dc5e2b40660c7a81ed43e718e3aaz
https://www.spamcop.net/sc?id=z6493340629z49245d803153055044b14f0dc24f00a3z
https://www.spamcop.net/sc?id=z6493340613z69f628f405e36a4d6fbdf4e2014ffe58z
and so on and so forth.
it would be grand if SpamCop could do this automagically.
-
https://www.spamcop.net/sc?action=rcache;ip=162.252.58.155
Quoteabuse[at]netrouting.com bounces (99 sent : 99 bounces)
Using abuse#netrouting.com@devnull.spamcop.net for statistical tracking.netrouting.com claims that it works. Please reset.
QuoteThank you for writing in and so unfortunately to hear you're having spam issues.
Please go a head and send the abuse report over to abuse[at]netrouting.com
Despite the fact what spamcop says (just verified it myself) our abuse[at]netrouting.com address works like a charm.
Unfortunately, we're getting complaints almost everyday.
Should work definitely work when sending from gmail (tested from my personal mail adres moments ago).
may be able to answer:
What do do with Amazon hosted spammers
in SpamCop Reporting Help
Posted
Oddly enough, I haven’t been getting any amazon/bit.ly spam as of a few days ago.
In fact, I haven’t had any spam since Saturday 9th at noon.
/me happy/ 