Posts posted by goodnerd

  1. 6 minutes ago, gnarlymarley said:

    > Well, now this is new.  I just got a bounce from amazon.  Hard to tell if gmail rejected my report to amazon or if amazon did.
    >
    > Final-Recipient: rfc822; ec2-abuse@amazon.com
    > Action: failed
    > Status: 5.0.0
    > Diagnostic-Code: smtp; Message rejected.  See https://support.google.com/mail/answer/69585 for more information.
    > Last-Attempt-Date: Sun, 16 Feb 2020 15:23:11 -0800 (PST)

    I occasionally get similar bounces.  Gmail occasionally flags the account as being a spammer, even though we are actually trying to send spam complaints.  I was told it was because I had too many addresses in the Cc section of the email.  Gmail even started bouncing the complaints sent to abuse@namecheap.com, phishing-report@us-cert.gov and even spam@uce.gov because I was filing so many complaints a day.

  2. I do as well.  I typically include the registrars in with the complaints as well.  If it's GoDaddy, I file the spam directly on their website's abuse link.  The other 99% goes to the blackhole abuse department at Namecheap.  I let the registrars know they are providing services to a group engaging in spam and ID theft emails, along with posing as various companies and using their copyrighted logos.

    I also use https://support.aws.amazon.com/#/contacts/report-abuse  This gets a case number assigned and they usually even follow up with a (canned) response, but at least it gets the spammer IP shut down.... even if it's only for a few days.

     

  3. I didn't bother posting any tracking links because I was not sure others could see historical data from reports I filed.

    The party that utilizes AmazonAWS, numerous exposed Twitter accounts, Bit.ly and imgur image hostings now seems to be shrinking back to smaller country servers like vspnet.lt, home.pl, arax.md, and occasionally krypt.com. 

    I've been dealing with this little man for quite a while now.  That spammer even set up a fake Twitter account under my Gmail email address and occasionally sends me direct virus spams but yet he still can't stop spamming me.  Go figure.  I guess it's like the old Robert Soloway case where the man thought he was untouchable and above the law.


    Their account at digitalocean.com was terminated on 11/22 (outlandisher.pw):

    > Hi there,
    >
    > Thanks for making this report.  We identified and terminated the user responsible for this incident.
    >
    > Regards,
    >
    > Security Operations
    > Digital Ocean Security


  4. A lot of the spams that I reported that were originating from the AmazonAWS servers were never sent to any address at Amazon but instead used addresses like  abuse#amazonaws.com@devnull.spamcop.net 

    I also filed every spam complaint directly on the AmazonAWS reporting page, even when I was getting 50+ a day from this spammer.  Amazon took it a little more serious when the spammer started forging their name and logos in the fake Amazon Gift Card spam attack.  I got some virus spams from the spammer after getting that one shut down.  They always seem to point back to a common registrar.

     

  5. Namecheap has quite a relationship with this spammer, perhaps because he utilizes so many services, including email and privacy protection in what appears to be hundreds, if not thousands of domains.  I have never seen such a pro-spam attitude from a registrar, especially when it involves criminal activities including hacking of Twitter accounts, falsifying information, posing as other companies, and downright virus and malware attacks.  Despite being informed of these issues Namecheap continues to allow the criminal operation and even grow by providing a base of operations.  Namecheap will take no actions unless the domain name itself is blacklisted (not just the IP).  Once the domain name is removed from a blacklist they then give the  owner access once again to continue the crime wave.

    Namecheap is an Arizona based company.  Their Attorney General email addresses are 'consumerinfo(at)azag.gov' and 'mark.brnovich(at)azag.gov'.  I include them in all spam complaints to Namecheap with hopes the AG will open an investigation into this matter.  I also Cc the spam complaints to the FTC and to whichever company Namecheap's client is posing as in their spams. 

  6. Response from Sendgrid:

    > Hello,
    >
    > Thank you for taking the time to send this message to the Twilio-SendGrid Compliance Team.
    >
    > This is not one of our clients and is an issue we are aware of. It seems to be a part of a very organized criminal operation and, as you pointed out, the messages are being forged from potentially multiple email headers, including ours.
    >
    > The malicious sender is using an old SendGrid email header and has manipulated and changed the content. You can see this by looking at the first Received: event in the header of the message, which has an original processed date of 02-13-2019.
    >
    > ismtpd0011p1las1.sendgrid.net (SG) with ESMTP id jxq4wpsYRtSCL30cEOF67Q
    > for <KVNJr.NVZz@gmail.com>; Wed, 13 Feb 2019 15:44:32.244 +0000 (UTC)
    >
    > I would assume your address is part of this malicious sender's list. We've had this happen to some recipients before, and the best thing you can do is to
    >
    > 1) not open the emails
    > 2) report the messages as spam to your inbox provider, and
    > 3) do not try to unsubscribe or engage with the sender in any way.
    >
    > Unfortunately, opening the messages to send them to us often marks you as an "engager" on the spammer's list, and can lead to you getting even more spam mail.
    >
    > Since we are not processing these messages, there is little we can do except report to various hosting providers and agencies like you mentioned.
    >
    > Thank you again for reaching out and please let us know if there is anything else we can help with.


  7. It's really great to see that someone else is trying to get Namecheap to stop helping this Amazonaws criminal continue their crime spree!

    I would love to see the Namecheap legal and abuse cohorts Oleg V. and Vlad V. brought before a judge and get charged in aiding and abetting once this goes to trial... and I'm really hoping this one does.

    I have not noticed the "we f u" in the paths... I'll have to keep an eye out for that one!

    One of the runs of Amazonaws spams actually munged the links to make it look like a federal website of studentaid.ed.gov when in fact it is just a bitly redirect to another one of their scam websites.
    Bit.ly is HORRIBLE on their spam monitoring.  They don't care at all either and are as bad as Twitter.
    Imgur is quick to take down the images.  I file them directly at https://imgur.com/removalrequest

     

  8. The Amazonaws spammer also loves to use Yandex and Mail.ru for addresses, though for some reason he mainly uses ocn.jp servers for the phishing and advance fee fraud spams.

    Have you received batches of Amazonaws spams that have the titles:
    "Your confirmation to join our 'Adult site'"
    "Your request to be unsubscribe !"
    "Request to be removed from our mailing list"

    and ones similar?  This is all the same Amazonaws spammer as well.   The ones with those titles have 22-24 email addresses under the reply-to.  I have found that when I filed separate direct complaints the email accounts would get suspended.  My latest battle is with these addresses (see if they match yours) - all of these addresses are listed as the reply-to address on every one of the spams that require a reply:

    > Yandex accounts:
    > youshoulddoit@yandex.ru
    > gonewrongha@yandex.ru
    > hereiamthere@yandex.com
    > goodyearlife@yandex.com
    > accessfull@yandex.kz
    > modernwarr@yandex.kz
    > amzgoadd@yandex.ua
    > nanobilop@yandex.ua
    >
    > Mail.ru accounts:
    > lopalaopa@mail.ru
    > none.ofthis@mail.ru
    > becomehachich@inbox.ru
    > youyouuu@inbox.ru
    > konamiea@list.ru
    > easportto@list.ru
    > homeisgreat@bk.ru
    > justkiding@bk.ru
    >
    > mailbox.org accounts:
    > howshouldi@mailbox.org
    > makeyougo@mailbox.org
    >
    > Namecheap.com accounts:
    > admin@shelflevel.pw
    > admin@premiumevening.xyz
    > admin@perfumehousing.xyz
    > admin@onerousclap.pw

    This is all one person.

     

  9. 15 minutes ago, Hanco said:

    > That's what I just received too. Is this what you see?
    >
    > Authentication-Results: spf=none (sender IP is 3.87.161.210)
    >  smtp.mailfrom=qzujrUyC.de; hotmail.com; dkim=none (message not signed)
    >  header.d=none;hotmail.com; dmarc=none action=none header.from=kEPMpuhj.de;
    > Received-SPF: None (protection.outlook.com: qzujrUyC.de does not designate
    >  permitted sender hosts)
    >
    > I have also historically followed the redirects. Less so now. They are using VPSVILLE.RU for some hosting I think. A lot (a heck of a lot) of now-dns free redirect services I think also (and never get killed for abuse by either the Russian host or the dns service).
    >
    > 3.87.161.210 is the Amazonaws contribution to the crap from these jerks. On this email anyway.

    No - mine is as follows:

    > Received: from localhost ([192.119.64.124]) by home with MailEnable ESMTP; Mon, 18 Nov 2019 15:19:35 -0700
    > Content-Type: multipart/alternative;
    >  boundary="===============8470287868279491287=="
    > MIME-Version: 1.0
    > From: valerie@bluhostmx.xyz
    > To: #######################
    > Subject: Someone has sent you a $500 Amazon Giftcard
    > Date: Mon, 18 Nov 2019 22:19:10 +0000
    > Message-Id: <157411555031.5522.14499642001909573174@bluhostmx.xyz>
    > DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/simple; d=bluhostmx.xyz;
    >  i=@bluhostmx.xyz; q=dns/txt; s=default; t=1574115550; h=to : from :
    >  subject : date : message-id;
    >  bh=5QsAEqzodDqyQ4JxFmtgRSEvo4hseVxrSLmgJzdJi5w=;


    Sometimes the sites have metadata that is in Russian.  They also use a lot of Hungarian sites and they seem to have an odd hankering for domains registered with the .pw extension.

    bluhostmx.xyz is now listed on multiple blacklists.  I have pointed this out to Namecheap so hopefully they will suspend that domain name as well.

    After some real battles with Namecheap they suspended the Amazonaws account domains of:

    hwmanymore.com
    rooxo.info
    bestofmor.com
    offerstoyou.bid
    ectomere.com
    alfadefender.club
    orangutann.club
    tchaikovski.xyz
    tomhanks.xyz

    But the list of accounts is huge - far more than what I posted on here.

     

  10. Namecheap is the registrar of choice for the Amazonaws spammer.  This is because Namecheap will not take action on their client as long as they use non-Namecheap servers to send out the spams and viruses.  It was not until I started Cc'ing the complaints to the Arizona Attorney General (consumerinfo@azag.gov and mark.brnovich@azag.gov) that Namecheap did any more than give me the generic response of how, even though the domains are registered and protected through Namecheap, they would not suspend any domain as long as the criminal uses other means to spam and commit fraud.

    Now Namecheap will suspend the domain after multiple complaints but only if they start appearing on blacklists.  Even then it takes them days and sometimes weeks to take action.

    The Amazonaws spammer uses the following domains which are the websites the redirects and shortcuts eventually end up at:
    (the ones with the # next to it were using Twitter redirects)

    birthdayto.website
    contacthouse.website
    lolaca.club
    facebksupport.website
    azonews.com
    staringtogetinbox.com
    desperatebbws.com
    lolaa.site
    worldnowtrending.com
    blog2learn.com
    omaxlan.com
    lolalife.com
    Goodiesgreat.com
    vnonlineoffice.com
    eliettoo.com
    Hobydap.pro #
    jpchae.com
    hdzoom360.com
    facecrowned.com
    usa-homeprotection.com
    coursecode.co.uk
    thatboomerlifestyle.com
    omaxlan.com
    hwmanymore.com
    strongpark.monster   #
    msala.pro  #
    b-zil.xyz #
    marckers.me #
    hwmanymore.com #
    offersd.pw #
    wimbledon.site #
    suppmenow.com #
    clickoffer.email #
    cpheer.com #
    storymt.co #
    lifestreamlab.com #
    offerstoyou.bid #
    animepast.best #
    alfadefender.club #
    cannablisslabs.com #
    seminti.info #
    rooxo.info #
    spadesmile.com #
    datatechkit.com #
    webmailmx.xyz (used in virus attacks)

    mirabello.pw
    howtheyko.pw
    iftheykant.pw
    wouldbelost.pw
    niceputyk.pw
    iftheyfun.pw
    tickwrist.pw
    motocrass.pw

    dropewell.com
    damianthorns.com
    sandystorme.com

    as of 11/17/2019:
    infrastructure.pw (email virus spam)
    bluhostmx.xyz (email virus spam)
    redemption19.xyz #
    xipho.biz #

    Here's a list of the Amazonaws Twitter accounts.
    I was able to get three of them suspended but "Twitter doesn't care about spam reports" so the others are still active.  Some are old though.
    This spammer had even set up a fake Twitter account using my email address for the use of creating redirects!

    https://twitter.com/imane25923950 (suspended 11/01/2019)
    https://twitter.com/ikramelharrak2 (suspended 11/01/2019)
    https://twitter.com/Imane_DH (suspended 11/01/2019)
    https://twitter.com/O19zhe
    https://twitter.com/robertmdrak
    https://twitter.com/MyahoTmg
    https://twitter.com/habybelah
    https://twitter.com/kazama_wayne
    https://twitter.com/STmalah

    https://twitter.com/Mary96153713
    https://twitter.com/adamluis20
    https://twitter.com/rng_ali (may not be directly related but shares some of the spam addresses)
    https://twitter.com/0culGsnt
    https://twitter.com/martinsolveig9
    https://twitter.com/peterso61174788
    https://twitter.com/claydrew2

     

  11. This same spammer (who is using the stolen email address list from the Google server hack a few years back) is also harvesting email addresses off of domain WHOIS data for the purpose of sending the spams.  Ironically - they are now sending out fake Amazon alerts for a $500 gift card.  I let Amazonaws know that their little pet client has now started forging their company name as well. 

     

    Here's what I have as far as the infamous Amazonaws/sendgrid/fake yelp client:

    As we know, the spams are using multiple redirects.  I follow the redirects and record them and started a list of websites involved.  99% of the websites use WHOIS privacy protection to hide the names but the ones that didn't were registered to:

    Jared Forbush
    318 West 250 South
    Kaysville, UT 84037
    Phone 801-903-2948
    DBA: 4BUSH HOLDINGS LLC
    (https://secure.utah.gov/bes/details.html?entity=10989925-0160)
    FTC has already issued warnings to him regarding his websites: https://www.ftc.gov/system/files/documents/foia_requests/foia-2019-01289_warning_letters_sent_to_cbd_companies_9-30-19.pdf

    Second group of spams were:

    One Technologies, LLC
    8144 Walnut Hill Lane Suite 600
    Dallas TX 75231-4388
    https://www.bbb.org/us/tx/dallas/profile/internet-marketing-services/one-technologies-llc-0875-90008571/customer-reviews The FTC tagged them as well but they are back at their old tricks: https://www.ftc.gov/system/files/documents/cases/141121onetechstip.pdf

    The websites that were owned by these two are most, if not all, of the ones listed in the Amazonaws spams, at least the 1200+ that I have received so far this year.
    I have notified the FTC agents listed in the PDF documents and sent them samples of the spams being sent through our amazonaws friend but have not received a response.

    I have also notified all of the corporations the Amazonaws spammer forges and poses as.  I send direct emails to their legal and copyright departments.

  12. Yep - they always have Yelp references in the headers.  Same spammer, exact same email fingerprints.

    When I helped the feds a while back with the Robert Soloway case I had purchased one of the domains Soloway was forging the sender email address of (just as in these Amazonaws spams).  I then set up a mail server and captured all the bounces of returned spams and within a day or two I collected around 175,000 bounced spams that were presented in the trial showing Soloway's methods.  This Amazonaws clown is doing the same thing as the sender's email address in the spams are from domains that don't even exist.

    Example: This header shows the sender's email address to come from the domain bagfczfpyelp.com - which is an unregistered domain name and does not exist.

    sender) smtp.mailfrom=BJpAJGNR@3otnx---3otnx----us-west-2.compute.amazonaws.com
    Received: from o1.923yelp (o1.923yelp [167.89.8.98])
            mx.google.com with ESMTPS id i126si10064712ybi.415.2019.02.13.07.44.33
            for <hjKcv.bPwV@gmail.com>
            (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
            Wed, 13 Feb 2019 07:44:34 -0800 (PST)
    Received: from smtp-sendgrid.yelpcorp.com (ec2-52-34-255-49.us-west-2.compute.amazonaws.com )
      ismtpd0011p1las1.sendgrid.net (SG) with ESMTP id jxq4wpsYRtSCL30cEOF67Q for <hjKcv.bPwV@gmail.com>; Wed, 13 Feb 2019 15:44:32.244 +0000 (UTC)
    Content-Type: text/html; charset=utf-8
    MIME-Version: 1.0
    From: Improve Your Memory Today <EoZcDmolk@bagfczfpyelp.com>
    Subject: Improve your memory and brain
    To: ***************(my email address)**********
    Date: Sun, 10 Nov 2019 00:11:48 +0100
    Errors-To: returnto@yelp.com


    Does this look familiar to yours?  I've tracked down two names within the US that these spams are associated with.  One is a company out of Texas called One Technologies (credit card and loan spams) - who has already been slapped down by the FTC once.  The other was the 4Bush Holdings out of Utah (various drugs and hemp oil spams).

    I received another wave of Amazonaws spams last night and sent a copy of one of them to ec2-abuse@amazon.com in a reply to an earlier complaint.  I then received a reply after only a few hours:

    > Hi there,
    >
    > We see you have received another spam originating from another AWS IP.
    >
    > Request you to kindly open a new abuse case so we can find the owner behind the spam and take appropriate action as this case is tagged to the old report that was sent.
    >
    > AWS Abuse team.
    >
    > How can I contact a member of the Amazon EC2 abuse team?
    > Send an e-mail to ec2-abuse@amazon.com; remember to include your case number.
    >
    > Amazon Web Services
    >
    > Amazon Web Services LLC is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message produced and distributed by Amazon Web Services, LLC, 410 Terry Avenue North, Seattle, WA 98109-5210.

    When I file the spams on SpamCop I also manually add in the address ec2-abuse@amazon.com so they receive a copy as well.  The other amazon addresses just appear to be a black hole.

  13. I am also a victim of the AmazonAWS spam.  I'm guessing most of what we are all seeing is from the same group.  They use forged headers and put tons of lines of hidden text in the message body which poses as everything from Enterprise Rental car to IBM cloud to Event Temple church.  This is all from the same person. 
    They also use bitly and twitter redirects to mask the real links in the spams.  I have a list of about 10 Twitter accounts they use as link farms.

    They also use a ton of domains registered through Namecheap as Namecheap refuses to take any action on any of their clients no matter how severe the crime is.  I've even busted them for fake Warren Buffett phishing spams and Namecheap still would not disable the domain which is registered through their client with WHOIS privacy protection.

    The best luck that I have found so far is the ec2-abuse@amazon.com address as far as getting replies.

    But if you want direct action then you have to go here: https://support.aws.amazon.com/#/contacts/report-abuse and submit a ticket.  It's a pain because you have to enter the spam into SpamCop to get the IP address and then copy it all over here once again along with timestamp data and other useless info.

    They eventually shut down the account but the spammer just keeps opening up new ones.

    I have filed a complaint with the Attorney General against Namecheap for providing a base of operations for this AmazonAWS spam group.  Many of the spams being sent through AmazonAWS that fall into this same footprint of redirects, forged headers, and the same hidden text in the message body are advertising websites owned by Jared Forbush, aka 4Bush Holdings LLC out of Kaysville, UT.

    But try the https://support.aws.amazon.com/#/contacts/report-abuse link - it at least gets a response.
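
    The header anomalies this thread turns on (SendGrid's reply about a reused Received: line dated 02-13-2019 inside a later message, the Date: versus Received: gap in the bagfczfpyelp.com sample, and the IP plus timestamp that the AWS abuse form asks you to copy over from SpamCop) can be checked mechanically instead of by eye. The script below is an added example; it is not the poster's own tooling and not anything SpamCop, AWS or SendGrid ship. It runs over a constructed sample modelled on the header quoted in the thread: the bracketed IP 52.34.255.49, the "by ..." hop lines and the Authentication-Results verdicts are assumptions added so the sample parses, and the `triage()`, `received_hops()`, `auth_verdicts()`, `sender_domains()` and `stale_received_days()` names are this example's own.

```python
"""Header triage for the spam runs this thread describes: public relay IPs with
timestamps for an abuse ticket, SPF/DKIM/DMARC verdicts, header From: versus
envelope MAIL FROM domain, and Received: stamps that predate Date: by months
(the replayed SendGrid header). Added example, not the poster's own tooling."""
import ipaddress
import re
from datetime import timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the header quoted in the thread. The bracketed
# 52.34.255.49, the "by ..." hop lines and the Authentication-Results verdicts
# are assumed for illustration; they are not in the original post.
SAMPLE = """\
Authentication-Results: mx.google.com;
       spf=none (google.com: no SPF record) smtp.mailfrom=BJpAJGNR@3otnx---3otnx----us-west-2.compute.amazonaws.com;
       dkim=none (message not signed); dmarc=none header.from=bagfczfpyelp.com
Received: from o1.923yelp (o1.923yelp [167.89.8.98])
        by mx.google.com with ESMTPS id i126si10064712ybi.415.2019.02.13.07.44.33
        for <hjKcv.bPwV@gmail.com>; Wed, 13 Feb 2019 07:44:34 -0800 (PST)
Received: from smtp-sendgrid.yelpcorp.com (ec2-52-34-255-49.us-west-2.compute.amazonaws.com [52.34.255.49])
        by ismtpd0011p1las1.sendgrid.net (SG) with ESMTP id jxq4wpsYRtSCL30cEOF67Q
        for <hjKcv.bPwV@gmail.com>; Wed, 13 Feb 2019 15:44:32.244 +0000 (UTC)
From: Improve Your Memory Today <EoZcDmolk@bagfczfpyelp.com>
Date: Sun, 10 Nov 2019 00:11:48 +0100
"""

OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_IN_BRACKETS = re.compile(rf"\[((?:{OCTET}\.){{3}}{OCTET})\]")
FRACTIONAL_SECONDS = re.compile(r"(\d{2}:\d{2}:\d{2})\.\d+")  # SendGrid writes 15:44:32.244
AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
MAILFROM = re.compile(r"smtp\.mailfrom=(?:[^\s;]*@)?([^\s;]+)")

def _flatten(header_value):
    """Unfold a header onto one line with single spaces."""
    return " ".join(str(header_value).split())

def _parse_date(text):
    """RFC 5322 date -> aware UTC datetime; tolerates fractional seconds and '(PST)' comments."""
    when = parsedate_to_datetime(FRACTIONAL_SECONDS.sub(r"\1", text.strip()))
    if when.tzinfo is None:  # a '-0000' zone comes back naive; treat it as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)

def received_hops(msg):
    """[(ip or None, UTC datetime or None)] per Received: header, newest first."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = _flatten(raw)
        found = IPV4_IN_BRACKETS.search(line)
        when = _parse_date(line.rsplit(";", 1)[1]) if ";" in line else None
        hops.append((found.group(1) if found else None, when))
    return hops

def auth_verdicts(msg):
    """First spf/dkim/dmarc result found in Authentication-Results."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        for mechanism, result in AUTH_VERDICT.findall(_flatten(raw)):
            verdicts.setdefault(mechanism, result)
    return verdicts

def sender_domains(msg):
    """(header From: domain, envelope MAIL FROM domain); a forged sender shows as a mismatch."""
    header_from = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    mailfrom = ""
    for raw in msg.get_all("Authentication-Results", []):
        found = MAILFROM.search(_flatten(raw))
        if found:
            mailfrom = found.group(1).lower()
            break
    return header_from, mailfrom

def stale_received_days(msg):
    """Largest number of days by which a Received: stamp predates Date:.
    Genuine mail shows seconds of skew; a replayed header block shows months."""
    date_header = _parse_date(str(msg["Date"]))
    gaps = [(date_header - when).days for _, when in received_hops(msg) if when]
    return max(gaps, default=0)

def triage(raw_message, replay_threshold_days=7):
    """Summarise one message's headers for an abuse report."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = received_hops(msg)
    header_from, mailfrom = sender_domains(msg)
    stale = stale_received_days(msg)
    return {
        # public relay IPs with ISO timestamps: the two values an abuse form wants
        "report_hops": [(ip, when.isoformat()) for ip, when in hops
                        if ip and when and ipaddress.ip_address(ip).is_global],
        "auth": auth_verdicts(msg),
        "from_domain": header_from,
        "mailfrom_domain": mailfrom,
        "sender_mismatch": bool(mailfrom) and header_from != mailfrom,
        "stale_received_days": stale,
        "replayed_header": stale > replay_threshold_days,
    }
```

    Call `triage()` on a raw header block pasted from a spam; for the sample it reports both relay IPs with their timestamps, no SPF/DKIM/DMARC pass, a From: domain that differs from the envelope domain, and Received: stamps 269 days older than the Date: header, which is the "old SendGrid header" pattern SendGrid described. Only the Received: line added by your own provider is trustworthy; a sender can fabricate every hop below it, so the IP you put in the AWS or SpamCop report should come from that first trusted hop, not from deeper lines.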

     
