Everything posted by csouter

  1. Thanks for the heads-up! I've just received my first new piece of Gmail spam since my OP, and I was pleasantly surprised that the Gmail header problem seems to have been fixed! YAY! BTW, RobiBlue, it might be freezing where you are, but we're getting barbecued "Down Under" ATM!
  2. Hi all, Yet another of those stupid questions which I'm in the habit of asking. I don't get much spam these days, maybe three or four per week, (down from anything up to 400 - 500 per day a couple of years back)! Nowadays, I use Gmail for most of my online communications, and I will occasionally receive an email that has managed to slip through Gmail's spam filters, and, of course, I will immediately report it to SpamCop as soon as I become aware of it. However, more often than not, Gmail's filters will already have caught the spam and kindly placed it into the spam folder so that I can deal with it at my convenience. Most of the time, Gmail is correct in its assessment, but if it does come up with a false positive, it's a simple matter to click "not spam" and return the message to the inbox where it belongs. If a message has been correctly identified as spam, normally I will still report it to SpamCop, (having first redacted those lines that Gmail inserts into the headers, causing SpamCop to think that there's "nothing to do"). However, I do occasionally forget to make that report, and I'm just wondering whether it's really necessary to report spam that Gmail has already correctly identified. Is it of any use to anyone if I report spam that Gmail has already identified correctly? I'm looking forward to hearing your opinions on the matter. Thanks in advance. Best regards to all Christopher (Chris) Souter (Sydney, Australia)
  3. I've just received these 4 spams in the last hour. They seem to be arriving in pairs. 1. https://www.spamcop.net/sc?id=z6432003135z85b1283f75fe26fc67527132f3879eacz 2. https://www.spamcop.net/sc?id=z6432007009z4a4fd1a767cf2e2257b4392b71349c33z 3. https://www.spamcop.net/sc?id=z6432011457zbe5b0b3621ce9e6e4bf5846e9a7a7999z 4. https://www.spamcop.net/sc?id=z6432011515zfd9beaed8a2c8f9122436b50289c01ddz It would appear from the parse that the MailChimp abuse address gets the SpamCop "/dev/null treatment." I would have thought that an enormous mail forwarding organisation such as MailChimp ought to be investigating spammers and shutting them down, not ignoring SpamCop reports. It would also appear that SpamCop reports about the spamvertised Akamai links contained in those spams also get the same treatment, which mystifies me somewhat, considering that even though the reporting address is abuse-spamcop [at] akamai [dot] com, the reports are not sent because the annotation in the original parse states that akamai admins refuse to accept this type of report. If this is the case, why have a special "abuse-spamcop" account at all? WEIRD! I have a nasty feeling that I'm going to be getting a lot of spams like this, today, because it's quite unusual for me (a) to receive "paired" spams, and (b) to receive more than one spam pointing to the same host on the same day. (What I mean is that I usually get one copy per day of any given spam type). And the last time I received multiple copies of the same spam was a run of almost 500 on the same day, sent to one of my Gmail accounts about 5 years ago, just before that huge server takedown in which Microsoft and a few other major industry players were involved. Thoughts, anyone?
  4. You're not wrong about that, mate! Anyway, having conducted those little experiments in response to your useful suggestions, I've decided that I shall no longer be contacting Amazon AWS directly, but I shall continue reporting to KnujOn. Cheers to all for Christmas and the New Year!
  5. Copied & pasted directly from the quoted report link: Reportid: 6758583785 To: hostmaster@hostex.lt Reportid: 6758583786 To: abuse@hostex.lt It's .lt (.LT), not .it (IT). I also thought initially that it was .it, but hostex.it doesn't exist, according to my browser, whereas hostex.lt does. It's easy to mistake an "l" for an "i" because of the font used. .lt is the TLD for Latvia.
  6. I have no idea whether or not the "unsubscribe" link works. I did click on that link in the very first of those spams I received, but, IIRC, nothing happened - I was not taken anywhere at all - no new browser window opened, etc... nothing... Normally, I never respond to survey requests of any kind.
  7. FYI, my spam came from Latvia, not Italy. The TLD is .lt, not .it.
  8. Got the following reply from Amazon: (Bold text emphasis added by me, because I think this proves that the spammers are receiving the reports and using them to harvest known valid email addresses). It makes me wonder why I should even bother reporting to Amazon Web Services at all, if the spammers are just using the reports to send more spam. BTW, I have just this minute received another such spam, pointing to not quite the same site, (the beginning of the link is the same, but it ends slightly differently). SpamCop reporting URL for this message is: https://www.spamcop.net/sc?id=z6430456086z1fbf0bab202104b59115db70b74a2770z These messages seem to work in very much the same way as the popup ads that accompany so-called "free" mobile apps: if the hapless user taps the ad, he/she is taken to some bogus website, asked to provide his/her mobile number and told that he/she is in a draw for a free iPad, or some such thing, and if the user is silly enough to provide the number, he/she will start receiving a barrage of spam SMS messages, to which the standard reply of STOP has absolutely no effect. The exact spamvertised URLs are constantly changing, and as soon as the network admin shuts one down, they simply create a replacement. I suspect that the entire process is fully automated. Anyway, that's my 2¢ worth.
  9. I just received another spam with a URL pointing to the same website administered by Amazon Web Services. I followed your suggestions, reporting to SpamCop, and I was able successfully to submit an abuse report to Amazon Web Services, but only after considerably truncating the email source. I had to trawl through the source to find the spamvertised URL, and I made sure that it was still there after I had stripped out all the HTML formatting code. As far as I can make out, it seems that Amazon Web Services don't need the full email source. BTW, the SpamCop reporting URL for this message is: https://www.spamcop.net/sc?id=z6430220543z9c15449883f426c8a3dc680c9ae70c46z We'll see what happens.
  10. Next time I get one, I'll give it a try.
  11. I get several spams per week from senders hosted by hostex [dot] lt, and the reporting address is shown as pagalba [at] hostex [dot] lt They all spamvertise sites hosted by amazonaws [dot] com and the reporting address is shown as abuse [at] amazonaws [dot] com It's not a lot of trouble reporting them, (I only get 1 or 2 per day, on average), but these spams have been continuing to arrive for many months, and reporting them seems to make no difference at all. Now, not all the spams originate from hostex [dot] lt and SpamCop sometimes shows the reporting address as <I-can't-quite-remember-the-exact-name. [at] microsoft [dot] com However, all the emails contain links to spamvertised websites that are hosted by amazonaws [dot] com As an aside, I have noticed that a spamvertising campaign usually drops off, (for me, at least), after maybe two or three months, but these amazonaws spams have been going on for almost a year, now, and show no signs of stopping. In fact, I have already reported 2 such spams this morning. As for Yahoo-based spammers, my email account seems mostly to receive 419 spams from them. 419 spams don't usually contain links, but mostly they seem to originate from large web-based email services such as Yahoo, Outlook [dot] com and gmail [dot] com. These campaigns usually last about 2 to 3 months and then drop off for a few months before resuming their onslaught. I should also add that I think I may well have brought these amazonaws spams upon myself, because I actually opened the first one that I ever received, (it was almost a year ago, I think), as it looked genuine, and was purporting to be associated with an online account that I really do have with Woolworths, a large Australian supermarket chain. Not only that, but there was a large button AT THE VERY TOP OF THE MESSAGE, NO LESS(!), marked "Report spam or unsolicited email!" 
Thinking that this button was a genuine, legitimate unsubscribe link, fool that I am, I clicked on it, which would have well and truly confirmed the validity of my email address to the spammers. I use MS Outlook 2010, (correctly configured with the appropriate registry settings to save the full message source, not only the headers), but my Outlook filtering settings mostly seem to fail, (even though the spams are shown by SpamCop to have originated from the same sender), and so I now have my inbox set up without a preview window. I can now right-click on the subject line and choose "block sender," and Outlook will move it to my Junk folder, with all links and images disabled, but the full source is still available for SpamCop reporting. I know that 10 or 12 spams a week is far from any kind of a big deal, but it's really frustrating that this particular campaign just seems to go on and on and on...
  12. Hi all, I have a question about SpamCop's policy regarding email source modifications. I use Avast Premier AV, which has, among its components an Anti-spam feature and a separate Mail Shield feature. By default, these features will modify email messages in various ways. Rather than going into all the details, (one picture is worth a thousand words), I provide here links to the relevant settings pages. 1. Avast Premier AV Anti-spam Settings Page 2. Avast Premier AV Mail Shield Settings Page If you care to visit these two links, you will see what Avast adds to the different kinds of emails, regardless of whether or not they have been flagged as spam. My question is: If Avast, (or any other AV, for that matter), modifies emails in this way, do they still fit within the SpamCop guidelines regarding unmodified sources? Thanks in advance for any help or advice on this matter. Best regards to all, Chris Souter (Sydney, Australia)
  13. OK, thanks for that. So if it's from Brazil, I can use cert.br as well as the ISP's own abuse desk, right? So, I guess I would have to research each one of them and try to build up a database of who will & who won't accept SpamCop reports. Sounds rather time-consuming, doesn't it? Downloaded and installed already! I've been reporting to SpamCop since about 2004, I think. I started using KnujOn after the BlueFrog fiasco, around the middle of 2006, IIRC. I can't remember how I found out about them, but maybe it was through CastleCops, where I was a member until they closed down in the face of the massive DDoS attacks of 2008. KnujOn had a forum on CastleCops, but when they closed down, he moved to LinkedIn, and I didn't follow; as a retired person, I have no interest in furthering business connections. That would certainly get their attention, but I couldn't use that for the pay2us site: I doubt if they're child porn spammers; from what I can find out about them, it's most likely a phishing site. Do you think it's any use for me to send reports to the FTC? I'm not a US citizen; I'm an Australian citizen, (obviously, also living in Australia). I seem to remember reading somewhere that the FTC is not interested in reports from outside the US, but please correct me if I'm wrong. Many thanks for all your info!
  14. Hello, petzl, and thank you for the information. I do, however, have some questions, if you would be so kind as to answer them. 1. After a bit of Googling, I now know what a "boilerplate" is, but I have no idea how to use one, let alone how to use it in conjunction with SpamCop reporting. Should I ask you for advice in this thread, or ask everyone, by starting a new topic in the Lounge? (I have no wish to ask questions in the wrong place, and I suspect that asking such a question here could be seen as "thread hijacking.") 2. I understand why you say that an additional report needed to be sent to cert.br, (the spam originated from a Brazilian ISP), but what would CERT be able to do that the Brazilian ISP's abuse desk could not? 3. A bit more Googling led me to the CERT website, where I was hoping that I might find a list of CERT reporting addresses worldwide. Unfortunately, I was unable to find such a list anywhere on the site, but my Google search showed that there are many such agencies throughout the world. Could you possibly provide a link to such a list, or alternatively, give me some suggestions where to look? 4. Your boilerplate covers the spam source, but I would also like to report the spammed site. The SpamCop parser gives the ISP as Cloudflare, and states that they do not wish to receive reports about the spammed site, which is still up and running, and has been for several years, according to Netcraft. Do you have any suggestions as to what I might be able to do about pay2us.biz, in addition to reporting the site to KnujOn, as I normally do?
  15. I got one of these this morning. Here is the tracking URL: https://www.spamcop.net/sc?id=z6192680539z3e71881001ff276a5234d3c859906cb1z Previous spams I've been getting have contained links to pay2us.biz, and the text in the message referred to in the above link has been lifted from their website. The previous spams have all been about some kind of expired account with an amount to pay (amounts vary) and a link to pay2us.biz. Here is the tracking URL to a recent example of this: https://www.spamcop.net/sc?id=z6192381628z6c239d393d50bdf7033887b9b6cb7b96z Here is the Netcraft Toolbar site report: http://toolbar.netcraft.com/site_report?url=https://pay2us.biz This report states that the domain is on the Spamhaus Domain Block List. I've been getting spams like this every day for about the last 2 to 3 weeks, but the spam mentioned at the top of my post is the first time I have seen this particular variant. There is a message about spamcop.net's ISP not wishing to receive reports (obviously to be expected), but what does worry me is that the SpamCop parser always shows the same message about pay2us.biz (I've tried my best to obfuscate the link): "ISP does not wish to receive reports regarding [h|t|t|p|s]etc/ pay 2 us . [biz] no date available" Does Cloudflare's ISP normally ignore complaints about sites hosted by them? If I'm correctly understanding petzl's reply to the OP, pay2us.biz is hosting malware; is that correct? If so, what can actually be done about this site?
  16. Hi, all! I get regular spams originating from dion.ne.jp These spams always contain spamvertised links which trace back to dion.ne.jp They are advertisements for sunglasses or other similar items. The reporting address for the spams and the spamvertised sites is abuse [at] dion.ne.jp (according to the SpamCop report). Here is the reporting URL for a report I submitted today: https://www.spamcop.net/sc?id=z6180432363z3d31273a2790e56e8e776523a894275cz The actual spamvertised sites' names are always different, but they are all hosted on dion.ne.jp I'm not getting a lot of spams from them - usually about 4 or 5 every week - but it has been going on for about 2 or 3 years now. Is anyone else getting persistent spams from this dion.ne.jp? I don't know why, but these spams always get through my spam filters, and they turn up in Outlook with all their embedded images intact for all to see... I have even attempted setting up a filter to block any messages from the .jp TLD, but to no avail. Any suggestions?
  17. Followed your instructions, but all that Google comes up with is this thread.
  18. Hi, all! Well, I'm not sure which column I'm in, but I had been getting no more than one or two spams a day, until yesterday afternoon, at least. Whichever botnet it was that was taken down, it, or a replacement, is up and running again. For a period of about 12 hours from about 4:00pm yesterday afternoon, to about 4:00am this morning, (Sydney, Australia UTC+10:00), I received about 160 spams, and all except two or three of them were for fake meds. That's an average of about 13 spams per hour, but during some one-hour periods, the actual number received was about 25 - 30 in certain periods. It seems to have stopped for the moment, but I expect another big run to start later this afternoon. That is what happened a few weeks ago, when SpamCop reporting was experiencing big problems, which, fortunately, seem to have been fixed. I expect this run to last about 3 days, as it did last time. Has anyone else experienced this? Reporting was quick and efficient, no delays from SpamCop, which is good for me, because the spams are all in a Gmail account, so I have to report each one individually, which takes quite a bit of time. Also, I noticed that the vast majority of the spams contained links which SpamCop was unable to resolve. They are the same website names as the run of a couple of weeks ago, but with two differences: they are in a different TLD, and the domain name was prefixed in each one by some kind of gibberish, a weird, apparently random mixture of upper and lower case characters. I'm wondering what this means. Perhaps they are some kind of code which would let the spammer know which email address was visiting the website. Any ideas? Of the domains which were able to be resolved, none had a reporting address, and, as with the originating address of a large number of the spams, the reports were all sent to nomaster[at]devnull[dot]spamcop[dot]net. 
I reckon at least 75% of the spams in this latest run were unreportable, either as to the originating addresses or the spamvertised domains. It never ends, does it?
  19. Hi, all! I got my free fuel as well! Thanks, SpamCop!
  20. No problems with reporting for the last two days now. Everything seems to be working very well! I'd just like to say A BIG "THANK YOU" to all those who have been working on fixing this problem!
  21. [at]hok: This is where I found the info: http://forum.spamcop.net/forums/index.php?showtopic=163 There is a lot of information in that thread, and it takes a bit of time to wade through it all. The following URL was given in an earlier reply to your enquiry: http://forum.spamcop.net/scwik/QuickReporting/ This page gives a much simpler explanation of the process, and is much easier to read.
  22. Only got 4 spams overnight. Only 2 of those were for misterjoy.ru, the others were what I mostly get these days: advance fee fraud (Nigerian scams). BTW, misterjoy.ru has no reporting address. Report goes to nomaster[at]devnull.etc... All 4 spams were reported with the full web interface in about 3 minutes. No problems at all, no delays or timeouts. Fingers crossed!