Everything posted by MisterBill

  1. Yes, and the spam has stopped. But I still do not have the answer to my question of where they got all of my addresses from. Like I said, these were custom addresses only used on a single site, and more than one of them was compromised.
  2. One more…and AOL/Verizon isn't even detecting most of these as spam. https://www.spamcop.net/sc?id=z6710065633z192f91b1f7193305693b068e59643ee1z
  3. Here's another https://www.spamcop.net/sc?id=z6710032794z03f4d1b80cc92f5fae783a52e9092ac4z
  4. Thanks. Here's the link. https://www.spamcop.net/sc?id=z6710032672z2e5edeb821389227f9c6126db5290b12z
  5. Background: I have my own domain and use a different address at each site so I know where the address was compromised. I use wildcard forwarding so I get all email sent to that domain. I have started getting a bunch of spam to multiple email addresses on my domain and they are being sent to addresses that I have used on other sites, not just random ids. They all have 8888 in the subject line and are a similar format, with a URL pointing to a site in the Philippines. The emails are sent through different servers per Spamcop. It almost seems like some site that manages mailing lists got hacked and addresses got stolen. Is there anyone who actually investigates spammers anymore, or somewhere to discuss this other than here? I can't be the only one seeing this. I looked on Reddit and was unable to find an appropriate place to discuss so I came back here as a fallback, but even these boards don't seem to be very busy anymore.
  6. Except that I am not seeing that message, and there obviously is a link in my mail body. BTW after sending the URL thru Spamcop and getting the abuse address, I added it as the "Public standard report recipients" option in Spamcop. I selected that address to get a couple of reports of the spam sent to them (it's not checked by default) and included some comments in one of the reports. Knock on wood and all that, but it's been two days since the last piece of spam was received, and I was getting at least 5 per day. So maybe it did something to at least get my address removed (not sure if the URL was personalized and they would have known who the report came from, I guess it would have to be to be removed, unless they actually shut down the spammer).
  7. Thanks for the info on decoding the message. And maybe it's not obfuscation in the strict definition of the word but it's not in clear text. And the bottom line is that Spamcop is not recognizing and reporting on it, for whatever reason that may be.
  8. Couldn't you just cancel the processing and resubmit the email? What significance does clearing the browser cookies have? BTW I tried submitting it via e-mail figuring maybe it would take the time to process the body, same result.
  9. I'm pretty sure it used to de-obfuscate hidden links like that. It was a way to beat spammers who resorted to stuff like that. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/bom-obfuscation-in-spam/ The good news is that AOL is still picking it up as spam. Bad news is that whenever I went to the spam folder previously, it was false positives. Now it's mostly this crap.
  10. Good point, but if you try going to the site (without the stuff after the first slash) it actually is a valid address.
  11. Good idea to include a SC link with the contents of the email. Here's one of mine so folks can see what the mail looks like. https://www.spamcop.net/sc?id=z6526542656z686e6200afbb5e1b095fea9160ee8108z
  12. I've recently managed to get one of my email addresses added to a spammer's list, getting several pieces a day, generally for bogus medical cures. The emails always have an encoded body and it appears that Spamcop is not decoding it and finding the link that is part of it. When I opened a recent email (and obviously not showing the image), I saw Who knew you could regular blood sugar this easy You May Safely Display Content of Message and the second line is a link to http://131. 107.193.85joanny.info.boyman.space/205/3-2-2019-clickersin (space added after the first dot to break the link) Yet when I feed the email thru Spamcop, it doesn't find or report on the link. Has the spammer adjusted their behavior so that Spamcop cannot pick up and report the email to their host? In this case, the report is only going to network-abuse@google.com (where the email apparently originated from), which I'm assuming isn't doing anything about it.
  13. Sorry, here's the link: https://www.spamcop.net/sc?id=z6372706844z03952f3bb4595463ae09c956c7b4d131z I don't want it to be deleted automatically before I can view the messages but in normal cases where SC decides it is unable to send any reports, it takes it out of the queue. In this case, it just seems like it aborts processing rather than deciding that it cannot send reports. And this isn't the first time I've run into this.
  14. I tried to report spam, and apparently it's not reportable. However, the email doesn't get cleared from the queue, and when I go back to the site, it tells me "Unreported spam Saved: Report Now". It seems like Spamcop should be deleting this from my queue when it realizes that it can't send any reports. I should not have to remove it myself. Here is the end of the processing screen that I get. Suggestions? Bill Tracking link: http://www.fedex.com/?location=home No recent reports, no history available ISP does not wish to receive report regarding www.fedex.com Host www.fedex.com (checking ip) = Resolves to Routing details for [refresh/show] Cached whois for : ip-admin@akamai.com Using abuse net on ip-admin@akamai.com abuse net akamai.com = abuse@akamai.com Using best contacts abuse@akamai.com abuse@akamai.com redirects to abuse-spamcop@akamai.com ISP does not wish to receive reports regarding http://www.fedex.com/?location=home - no date available http://www.fedex.com/?location=home has been appealed previously. Tracking link: http://www.fedex..com/us/legal/ No recent reports, no history available Host www.fedex..com (checking ip)
  15. I have my own domain, and I use different email addresses at different sites (like starbucks[at]mydomain.us) so I can tell where my address came from if/when their mailing list gets stolen (I use wildcard forwarding so I don't need to define each address). It turns out that this happens a lot more often than you'd think and I've been getting emails at addresses used at only a single site for a while now. They seem to come in batches, typically it's some of the nasty stuff with attachments and thanks to Spamcop I've determined that it comes from different sites, so I'm guessing it's being sent by zombie machines. Interestingly, I rarely get this spam at addresses that I've never used, so this says to me that something is getting these addresses and I'd like to know how. I've always figured that it was various sites that got hacked. My email addresses from sites like Consumerist, Couponmom and Opentable routinely get spam. Some of those that have been compromised for a while I've set up dummy forwarding for (to a non-existent address) so I don't get those anymore. I got a really huge batch of this spam today (it's been bad for the past week), and included in it was one sent to a "citi" address, which I've used for Citibank and nothing else (and this is the first time I've seen spam sent to it). So this means that either their database has been hacked, or else the spammers are getting my addresses from some other source. My mail is forwarded thru Namecheap's forwarding service to my Verizon mailbox. It seems like they'd be getting it from one of those sources, or from my machine, and I think that the latter is pretty unlikely. Fortunately all of this stuff ends up in my Verizon spam folder, but I would love to figure out how this is happening. Any ideas?
  16. I'm also seeing this problem, and it's occurring with email sent by Mailwasher and the piece of mail being tossed likely had multiple pieces of spam in it, all of which are presumably lost. Are you still interested in receiving a copy of the email to investigate? Sadly, I don't think it contains what was sent, which would be useful.
  17. This is still a problem. I got this spam reporting rejected today. Can someone tell me what the ipv6 header is? They look OK to me. http://www.spamcop.net/sc?id=z5246558407z8...;action=display
  18. Thanks for the link. I agree that reporting email addresses in the header is useless. But that page says that reporting the address where the spammer is expecting replies can be useful. Yet it does not do it. I prefer to have something like Spamcop doing the reporting because it is anonymous. If I have to send it with my real email address and find out that the spammer also owns the domain I am reporting him to (i.e., he is getting the complaint), I will likely get much more spam as a result.
  19. I've recently started getting a lot of spam from a hosting company. There is no website to report but there is a mailto that they have responses going to. However, Spamcop is not sending any notice to that site. Is there a reason? Seems like an address that gets replies is going to be real, so definitely the site owner should be notified. http://www.spamcop.net/sc?id=z4996578016z3...7ff1799c84ceeaz
  20. Not to belabor the point, but the net result was the same. Changing the URLs so that enough of them were alike or deleting a bunch, both reduced the count of URLs to allow Spamcop to report on a number it considers acceptable. In both cases it changed the behavior of Spamcop because it would not have reported any URLs otherwise.
  21. Thanks. But once again, it appears that deleting lines is just as bad as changing URLs. So I don't understand why that was suggested as an acceptable solution.
  22. I had not thought of deleting lines, but how is doing that any different than changing the URL to be the same domain as others already in the email? Either way, the mail has been doctored. It's not like I am adding new domains to be reported, so the result is the same as deleting the lines.
  23. Well, given that the emails seemed to come from different locations, I assume they were being sent by zombie machines, which made the mail origin not very useful, either.
  24. Sorry, I did not want to post the URL because I thought that it would have my actual email address in the source, but I see that it's x'ed out. This is not the link for the email that I posted above, but it is a similar one (turns out they were using several different domains, I discovered this when processing the rest of the spam I had received). http://www.spamcop.net/sc?id=z4993364257z6...9710e86d3c2b5fz And the issue is not that some of the domain names are not valid and cannot be resolved -- it's that Spamcop doesn't even try because there are more than 25 in the email, so it stops processing any of them. It seems like a really simple way for a spammer to avoid getting their domains reported. Just overload Spamcop with a bunch of different hosts, and none get reported.
  25. I've started getting Viagra spam at multiple addresses at my private domain which have clearly been stolen from other sites. Making things worse, the sleazy spammer is using multiple random first level names on their domain (example: http://lpijuxl.domcitystr.com), so Spamcop stops looking at URLs after the first 25 and does not report any of them! I tried playing with it and changed a bunch of the URLs to be the same and it was going to report to: spam[at]ccert.edu.cn anti-spam[at]mail.sxptt.zj.cn abuse#anti-spam.cn[at]devnull.spamcop.net What can be done to fix Spamcop so it can't get tricked by spammers like this and DOES report? Granted, reporting to this site is not likely to result in the spammer being stopped, but it would be nice to have it sent so it can be tracked. I wonder if the spammer is actually doing this to break Spamcop, or for another reason. Here is the spam with my domain and forwarding email at my ISP x'ed out: Admin Edit: entire spam posting removed. Things like this are why the use of a Tracking URL is requested.
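
Added example, not part of the posts above and not SpamCop's code: two of the posts describe links hidden in an encoded body and links spread over many random first-level names of one domain. This sketch decodes the body with Python's standard `email` package and counts links per parent domain. The sample message is constructed, the function names are hypothetical, and taking the last two host labels as the parent domain is an assumption that stands in for a Public Suffix List lookup.

```python
import base64
import re
from collections import Counter
from email import message_from_string
from email.policy import default

# Constructed sample (not one of the spams linked above): a base64-encoded
# HTML body whose links use random first-level names under one parent domain.
_HTML = "".join(
    f'<a href="http://{sub}.spam-example.test/offer">click</a>\n'
    for sub in ("lpijuxl", "qwzrta", "mmbvke")
) + '<a href="http://other-example.test/x">unsubscribe</a>\n'
SAMPLE = (
    "From: sender@example.test\n"
    "To: citi@mydomain.example\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n" + base64.encodebytes(_HTML.encode()).decode()
)

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def decoded_text_parts(raw):
    """Yield every text/* part with its transfer encoding already undone."""
    msg = message_from_string(raw, policy=default)
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def parent_domain(host):
    """Assumption: last two labels stand in for the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_domains(raw):
    """Count links per parent domain across all decoded text parts."""
    counts = Counter()
    for text in decoded_text_parts(raw):
        for host in URL_HOST.findall(text):
            counts[parent_domain(host)] += 1
    return counts


if __name__ == "__main__":
    for domain, n in link_domains(SAMPLE).most_common():
        print(f"{n:3d}  {domain}")
```

Run on a saved raw message, the counts show how many distinct parent domains actually sit behind a long list of hostnames.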