Everything posted by goodnerd

  1. I occasionally get similar bounces. Gmail occasionally flags the account as being a spammer, even though we are actually trying to send spam complaints. I was told it was because I had too many addresses in the Cc section of the email. Gmail even started bouncing the complaints sent to abuse@namecheap, phishing-report@us-cert.gov and even spam@uce.gov because I was filing so many complaints a day.
  2. They also have a direct page at https://imgur.com/removalrequest Imgur is very good at promptly taking action.
  3. I do as well. I typically include the registrars in with the complaints as well. If it's GoDaddy, I file the spam directly on their website's abuse link. The other 99% goes to the blackhole abuse department at Namecheap. I let the registrars know they are providing services to a group engaging in spam and ID theft emails, along with posing as various companies and using their copyrighted logos. I also use https://support.aws.amazon.com/#/contacts/report-abuse This gets a case number assigned and they usually even follow up with a (canned) response, but at least it gets the spammer IP shut down.... even if it's only for a few days.
  4. I didn't bother posting any tracking links because I was not sure others could see historical data from reports I filed. The party that utilizes AmazonAWS, numerous exposed Twitter accounts, Bit.ly and imgur image hostings now seems to be shrinking back to smaller country servers like vspnet.lt, home.pl, arax.md, and occasionally krypt.com. I've been dealing with this little man for quite a while now. That spammer even set up a fake Twitter account under my Gmail email address and occasionally sends me direct virus spams but yet he still can't stop spamming me. Go figure. I guess it's like the old Robert Soloway case where the man thought he was untouchable and above the law. Their account at digitalocean.com was terminated on 11/22 (outlandisher.pw):
  5. A lot of the spams that I reported that were originating from the AmazonAWS servers were never sent to any address at Amazon but instead used addresses like abuse#amazonaws.com@devnull.spamcop.net I also filed every spam complaint directly on the AmazonAWS reporting page, even when I was getting 50+ a day from this spammer. Amazon took it a little more serious when the spammer started forging their name and logos in the fake Amazon Gift Card spam attack. I got some virus spams from the spammer after getting that one shut down. They always seem to point back to a common registrar.
  6. Namecheap has quite a relationship with this spammer, perhaps because he utilizes so many services, including email and privacy protection in what appears to be hundreds, if not thousands of domains. I have never seen such a pro-spam attitude from a registrar, especially when it involves criminal activities including hacking of Twitter accounts, falsifying information, posing as other companies, and downright virus and malware attacks. Despite being informed of these issues Namecheap continues to allow the criminal operation and even grow by providing a base of operations. Namecheap will take no actions unless the domain name itself is blacklisted (not just the IP). Once the domain name is removed from a blacklist they then give the owner access once again to continue the crime wave. Namecheap is an Arizona based company. Their Attorney General email addresses are 'consumerinfo(at)azag.gov' and 'mark.brnovich(at)azag.gov'. I include them in all spam complaints to Namecheap with hopes the AG will open an investigation into this matter. I also Cc the spam complaints to the FTC and to whichever company Namecheap's client is posing as in their spams.
  7. It's really great to see that someone else is trying to get Namecheap to stop helping this Amazonaws criminal continue their crime spree! I would love to see the Namecheap legal and abuse cohorts Oleg V. and Vlad V. brought before a judge and get charged in aiding and abetting once this goes to trial... and I'm really hoping this one does. I have not noticed the "we f u" in the paths... I'll have to keep an eye out for that one! One of the runs of Amazonaws spams actually munged the links to make it look like a federal website of studentaid.ed.gov when in fact it is just a bitly redirect to another one of their scam websites. Bit.ly is HORRIBLE on their spam monitoring. They don't care at all either and are as bad as Twitter. Imgur is quick to take down the images. I file them directly at https://imgur.com/removalrequest
  8. The Amazonaws spammer also loves to use Yandex and Mail.ru for addresses, though for some reason he mainly uses ocn.jp servers for the phishing and advance fee fraud spams. Have you received batches of Amazonaws spams that have the titles: "Your confirmation to join our "Adult site" "Your request to be unsubscribe !" "Request to be removed from our mailing list" and ones similar? This is all the same Amazonaws spammer as well. The ones with those titles have 22-24 email addresses under the reply-to. I have found that when I filed separate direct complaints the email accounts would get suspended. My latest battle is with these addresses (see if they match yours) - all of these address are listed as the reply-to address on every one of the spams that require a reply: This is all one person.
  9. No - mine is as follows: Sometimes the sites have metadata that is in Russian. They also use a lot of Hungarian sites and they seem to have an odd hankering for domains registered with the .pw extension. Bluehostmx.xyz is now listed on multiple blacklists. I have pointed this out to Namecheap so hopefully they will suspend that domain name as well. After some real battles with Namecheap they suspended the Amazonaws account domains of: hwmanymore.com rooxo.info bestofmor.com offerstoyou.bid ectomere.com alfadefender.club orangutann.club tchaikovski.xyz tomhanks.xyz But the list of accounts are huge - far more than what I posted on here.
  10. Namecheap is the registrar of choice for the Amazonaws spammer. This is because Namecheap will not take action on their client as long as they use non-namecheap servers to send out the spams and viruses. It was not until I started Cc'ing the complaints to the Arizona Attorney General (consumerinfo@azag.gov and mark.brnovich@azag.gov) that namecheap did any more than give me the generic response of how even though the domains are registered and protected through Namecheap they would not suspend any domain as long as the criminal uses other means to spam and commit fraud. Now Namecheap will suspend the domain after multiple complaints but only if they start appearing on blacklists. Even then it takes them days and sometimes weeks to take action. The Amazonaws spammer uses the following domains which are the websites the redirects and shortcuts eventually end up at: (the ones with the # next to it were using Twitter redirects) Here's a list of the Amazonaws Twitter accounts. I was able to get three of them suspended but "Twitter doesn't care about spam reports" so the others are still active. Some are old though. This spammer had even sent up a fake Twitter account using my email address for the use of creating redirects!
  11. This same spammer (who is using the stolen email address list from the Google server hack a few years back) is also harvesting email addresses off of domain WHOIS data for the purpose of sending the spams. Ironically - they are now sending out fake Amazon alerts for a $500 gift card. I let Amazonaws know that their little pet client has now started forging their company name as well. Here's what I have as far as the infamous Amazonaws/sendgrid/fake yelp client: As we know, the spams are using multiple redirects. I follow the redirects and record them and started a list of websites involved. 99% of the websites use WHOIS privacy protection to hide the names but the ones that didn't were registered to: Jared Forbush 318 West 250 South Kaysville, UT 84037 Phone 801-903-2948 DBA: 4BUSH HOLDINGS LLC (https://secure.utah.gov/bes/details.html?entity=10989925-0160) FTC has already issued warnings to him regarding his websites: https://www.ftc.gov/system/files/documents/foia_requests/foia-2019-01289_warning_letters_sent_to_cbd_companies_9-30-19.pdf Second group of spams were: One Technologies, LLC 8144 Walnut Hill Lane Suite 600 Dallas TX 75231-4388 https://www.bbb.org/us/tx/dallas/profile/internet-marketing-services/one-technologies-llc-0875-90008571/customer-reviews The FTC tagged them as well but they are back at their old tricks: https://www.ftc.gov/system/files/documents/cases/141121onetechstip.pdf The websites that were owned by these two are most, if not all of the ones listed in the Amazonaws spams, at least the 1200+ that I have received so far this year. I have notified the FTC agents listed in the PDF documents and sent them samples of the spams being sent through our amazonaws friend but have not received a response. I have also notified all of the corporations the Amazonaws spammer forges and poses as. I send direct emails to their legal and copyright departments.
  12. Yep - they always have Yelp references in the headers. Same spammer, exact same email fingerprints. When I helped the feds a while back with the Robert Soloway case I had purchased one of the domains Soloway was forging the sender email address of (just as in these Amazonaws spams). I then set up a mail server and captured all the bounces of returned spams and within a day or two I collected around 175,000 bounced spams that was presented in the trial showing Soloway's methods. This Amazonaws clown is doing the same thing as the sender's email address in the spams are from domains that don't even exist.

      Example: This header shows the sender's email address to come from the domain bagfczfpyelp.com - which is an unregistered domain name and does not exist.

      sender) smtp.mailfrom=BJpAJGNR@3otnx---3otnx----us-west-2.compute.amazonaws.com
      Received: from o1.923yelp (o1.923yelp []) mx.google.com with ESMTPS id i126si10064712ybi.415.2019. for <hjKcv.bPwV@gmail.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 13 Feb 2019 07:44:34 -0800 (PST)
      Received: from smtp-sendgrid.yelpcorp.com (ec2-52-34-255-49.us-west-2.compute.amazonaws.com ) ismtpd0011p1las1.sendgrid.net (SG) with ESMTP id jxq4wpsYRtSCL30cEOF67Q for <hjKcv.bPwV@gmail.com>; Wed, 13 Feb 2019 15:44:32.244 +0000 (UTC)
      Content-Type: text/html; charset=utf-8
      MIME-Version: 1.0
      From: Improve Your Memory Today <EoZcDmolk@bagfczfpyelp.com>
      Subject: Improve your memory and brain
      To: ***************(my email address)**********
      Date: Sun, 10 Nov 2019 00:11:48 +0100
      Errors-To: returnto@yelp.com

      Does this look familiar to yours? I've tracked down two names within the US that these spams are associated with. One is a company out of Texas called One Technologies (credit card and loan spams) - who has already been slapped down by the FTC once. The other was the 4Bush Holdings out of Utah (various drugs and hemp oil spams).

      I received another wave of Amazonaws spams last night and sent a copy of one of them to ec2-abuse@amazon.com in a reply to an earlier complaint. I then received a reply after only a few hours: When I file the spams on SpamCop I also manually add in the address ec2-abuse@amazon.com so they receive a copy as well. The other amazon addresses just appear to be a black hole.
  13. I am also a victim of the AmazonAWS spam. I'm guessing most of what we are all seeing is from the same group. They use forged headers and put tons of lines of hidden text in the message body which poses as everything from Enterprise Rental car to IBM cloud to Event Temple church. This is all from the same person. They also use bitly and twitter redirects to mask the real links in the spams. I have a list of about 10 Twitter accounts they use as link farms. They also use a ton of domains registered through Namecheap as Namecheap refuses to take any action on any of their clients no matter how severe the crime is. I've even busted them for fake Warren Buffett phishing spams and Namecheap still would not disable the domain which is registered through their client with WHOIS privacy protection. The best luck that I have found so far is the ec2-abuse@amazon.com address as far as getting replies. But if you want direct action then you have to go here: https://support.aws.amazon.com/#/contacts/report-abuse and submit a ticket. It's a pain because you have to enter the spam into SpamCop to get the IP address and then copy it all over here once again along with timestamp data and other useless info. They eventually shut down the account but the spammer just keeps opening up new ones. I have filed a complaint with the Attorney General against Namecheap for providing a base of operations for this AmazonAWS spam group. Many of the spams being sent through AmazonAWS that fall into this same footprint of redirects, forged headers, and the same hidden text in the message body are advertising websites owned by Jared Forbush, aka 4Bush Holdings LLC out of Kaysville, UT. But try the https://support.aws.amazon.com/#/contacts/report-abuse link - it at least gets a response.
  14. Thank you both for very useful information. It's good to know that SpamCop is aware of the issue and I'm now inserting parentheses from spams received at Gmail. Both the ipnetinfo and the parentheses fix works like a charm. Thanks again!
  15. This may or may not be associated with the issue but I was just researching out the phishing spam I received today and reported through SpamCop, since the header showed who the domain was and who the webmail server was. The sending address was from edesigngroup.net, which pings out to When I went to ping.eu to research out things I did a whois on the IP and it came up with the default I know the IP is GoDaddy's so I ran the same IP on their WHOIS again, this time selecting the "full info" option on ping.eu's lookup service, and it displayed the proper information on the IP in question and not the generic iana.org info: Maybe this is related to the iana.org default reporting address...
  16. I started seeing this a couple of months ago, at first I thought it was some sort of statistical collecting address since I was fighting a lot of spams from ocn.ad.jp servers (where I usually ended up having to manually enter their Abuse department address of abuse_support@ocn.ad.jp) but it seems to be appearing all the time now, even when the headers show other sources. I've been using Spamcop reporting for years and I'm reporting the spams the same way that I have always had but now I'm seeing abuse#iana.org@devnull.spamcop.net (Notes) pop up, even when it has other sources stated in the headers. On some I've had to manually enter the abuse department addresses since it would not pick up on the originating IP. I seem to get this 80-90% of the time. I hope this is what you are looking for as far as Tracking URLs:

      Submitted: Mon Jul 23 13:58:00 2018 GMT
      7/23/2018 9:58:00 AM -0400: Do you have any problem you need to solve? A pending court case you want to r...
      6834492181 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      Submitted: Sat Jul 21 19:16:17 2018 GMT
      7/21/2018 3:16:17 PM -0400: PCH-087- 0426-2018-TP
      6834051593 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net
      6830233770 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      Submitted: Wed Jul 18 01:14:18 2018 GMT
      7/17/2018 9:14:18 PM -0400: If I can't afford a down payment, should I still try to buy?
      6832940524 ( http://static.trulia-cdn.com/images/email/marke... ) To: abuse@amazonaws.com
      6832940523 ( http://links.iterable.com/e/eo?_t=3ea3eb5515744... ) To: abuse@amazonaws.com
      6832940522 ( http://click.prop.trulia.com/q/rHVbRMoot0RNs_ax... ) To: abuse@amazonaws.com
      6832940521 ( 2002:a02:aa88:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      Submitted: Tue Jul 17 01:57:58 2018 GMT
      7/16/2018 9:57:58 PM -0400: GOODNEWS FOR YOU?
      6832609756 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      Submitted: Sat Jul 14 19:13:11 2018 GMT
      7/14/2018 3:13:11 PM -0400: Attn: Sir
      6831921278 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      Submitted: Thu Jul 12 03:58:38 2018 GMT
      7/11/2018 11:58:38 PM -0400: Attention: Beneficiary,
      6831042063 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      Submitted: Wed Jul 11 00:38:16 2018 GMT
      7/10/2018 8:38:16 PM -0400: My Dear Beloved (Donation)
      6830668325 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      Submitted: Mon Jul 9 17:55:45 2018 GMT
      7/9/2018 1:55:45 PM -0400: My Dear Beloved (Donation)

      Submitted: Sun Jul 8 05:20:10 2018 GMT
      7/8/2018 1:20:10 AM -0400: Thanks for joining Trulia!
      6829676874 ( 2002:a02:aa88:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      Submitted: Sat Jul 7 13:48:33 2018 GMT
      7/7/2018 9:48:33 AM -0400: NOTIFICATION OF YOUR PAYMENT VIA ATM VISA CARD
      6829448770 ( 2002:a50:ec9a:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      Submitted: Sat Jul 7 13:38:44 2018 GMT
      7/7/2018 9:38:44 AM -0400: My Dear Beloved (Donation)
      6829446064 ( 2002:a50:ec9a:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      Submitted: Sat Jul 7 13:27:51 2018 GMT
      7/7/2018 9:27:51 AM -0400: I AM REVEREND FATHER TONY JOHNSON SHEDRACK
      6829442906 ( 2002:a50:ec9a:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

      As a test I sent myself several emails and then submitted them to SpamCop by pasting the entire email on the spamcop.net home page. NOTE: I did not click on "send spam report" - I cancelled the spam report but I wanted to see what addresses would appear as to who it was reporting to.

      Test 1: I am located in the US and use AT&T as my internet service provider, I also have a server through GoDaddy/WildWestDomains. I sent an email from one of my server website addresses to my Gmail account.
      The following report was generated:

      From: "[[[removed by me]]]" <[[[removed by me]]]> (test)
      This is a multipart message in MIME format. ------=_NextPart_000_0018_01D42272.7B270D40
      Report spam to:
      Re: 2002:aa7:d9c9:0:0:0:0:0 (Administrator of network where email originates)
      To: abuse#iana.org@devnull.spamcop.net (Notes)

      Test 2: I tried another legit email - once again I was sure not to submit any spam report but I only wanted to see what it would generate the report as. I'm a Military Veteran so I tried a real email from the VA Administration which was sent to one of my Gmail addresses:

      From: "Department of Veterans Affairs" <No_Reply_Allowed@va.gov>
      Report spam to:
      Re: 2002:a81:288f:0:0:0:0:0 (Administrator of network where email originates)
      To: abuse#iana.org@devnull.spamcop.net (Notes)

      Test 3: I tried a few more tests and when I sent a test message from my domain address back to the same address it did pick up on the correct originating IP. It wanted to send a spam report to AT&T since that is my ISP but not where my domain that the test email was sent from.

      What am I doing wrong here? Thank you for any assistance.
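
A note on the addresses in these test reports, as an added example that is not part of the original post: anything under 2002::/16 is a 6to4 address that carries an IPv4 address in its next 32 bits, and the two shown in Test 1 and Test 2 decode to 10.x.x.x private addresses, which have no responsible network to report to. The Python sketch below decodes them and keeps only globally routable hops. The sample header lines, hostnames and function names are constructed for illustration, and 52.34.255.49 is taken from the EC2 hostname in the header quoted in post 12.

```python
import ipaddress
import re

# Characters that separate tokens in Received: lines and SpamCop report lines.
_SEPARATORS = re.compile(r"[\s\[\]()<>;,]+")


def classify(token):
    """Return (address, embedded_ipv4, reportable) for an IP literal, else None.

    embedded_ipv4 is the IPv4 address carried inside a 6to4 (2002::/16)
    address, or None. reportable is True only when the effective address is
    globally routable, i.e. a WHOIS lookup can name a responsible network.
    """
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    embedded = getattr(addr, "sixtofour", None)  # only IPv6Address has this
    effective = embedded if embedded is not None else addr
    embedded_text = str(embedded) if embedded is not None else None
    return str(addr), embedded_text, effective.is_global


def hops(text):
    """Classify every IP literal found in header or report text, in order."""
    found = []
    for token in _SEPARATORS.split(text):
        result = classify(token.rstrip("."))
        if result is not None:
            found.append(result)
    return found


def reportable(text):
    """Addresses worth a WHOIS/abuse lookup; internal relay hops are dropped."""
    return [addr for addr, _embedded, ok in hops(text) if ok]


# Constructed sample: Received-style lines built around addresses quoted on this page.
SAMPLE = """\
Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id x1csp000001; Mon, 23 Jul 2018 06:58:00 -0700 (PDT)
Received: by 2002:a81:288f:0:0:0:0:0 with SMTP id y2mr000002; Mon, 23 Jul 2018 06:57:59 -0700 (PDT)
Received: from relay.example.net (relay.example.net [52.34.255.49]) by mx.example.org with ESMTPS id z3si000003
"""

if __name__ == "__main__":
    for addr, embedded, ok in hops(SAMPLE):
        origin = f" (6to4 for {embedded})" if embedded else ""
        print(f"{addr}{origin}: {'report' if ok else 'skip, not globally routable'}")
```
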