Geek, posted January 11, 2009

One of the forums I moderate gets nailed with spam all the time (ain't mine or I'd update it). So we get hit from this IP address that ARIN shows to be owned by Amazon.com. Normally I just banhammer the IP addy and forget about it, but being Amazon.com, I thought I'd be the good Samaritan and give them a heads up. The email abuse[at]amazon.com bounces as an outgoing only, so I search through their helpfile for a form to fill in for abuse. There went 1/2 an hour.

> Hi, WHOIS shows the IP 75.101.186.172 belonging to Amazon, so I hope this is the right place to contact. The IP address 75.101.186.172 is a proxy relaying spam like a sonofagun. You might want to shut it, or at least secure it. Just pop that IP into Google to see what I mean.

I get this reply:

> Thank you for writing to us at Amazon.com. I offer my sincere apologies regarding this issue, and can understand your frustration in this regard. Unfortunately, I cannot determine the assistance that is required from the content of your e-mail message, hence I kindly request you to click the following link and give us more information on this, so that we can solve this issue. Please visit the following link to provide the information we requested:

Yadda, yadda, form letter with link from there on. So I try and give more info:

> You need more information on the abuse report. There is a spambot on your servers. They are infected. The IP I provided is the address the spam was posted from. Please send the previous email and this to a webmaster, NOT a customer service person. This is regarding the security of your servers. I am trying to help you here. Thank you and good luck!

I guess they think it's an email spam, because I get the following reply:

> Thank you for reporting this issue. We'd like to investigate the situation further, but first we will need the *full* header information from the message you received.
>
> The full headers of an e-mail aren't usually displayed when you open the message. For instance, you would see this when you open a message:
>
> -Date:
> -Subject:
> -To:
> -From:
>
> However, if the full headers were disclosed, you would see several additional lines. The information we need is the routing path along with the message id. Here is an example of what the full header information may look like (there may be several additional lines of information):
>
> -Received from:
> -Received: by
> -Date:
> -Message-Id: < >
> -To:
> -From:
> -Subject:
> -Sender:
>
> Depending on your mail client, you may be able to set your preferences to view the full headers of your messages. Otherwise, I would suggest contacting your ISP for assistance. You may also ask them to provide you with this information. If you can send this information to abuse[at]amazon.com, or by using the form linked below, we will gladly investigate the situation. Without it, we will be unable to resolve the matter. Please visit the following link to provide the information we requested:

(Yadda, yadda, form letter with link from there on.)

Okayyyy! We're getting somewhere at least. So I offer them the info:

> It was a forum drug/pills spam, not an email. There are no headers. Joined from the IP in question. Known robot, as I say, put the IP into Google and behold. I tried sending a full report earlier to abuse[at]amazon.com and it bounced as "You have contacted a box that does not accept email". We have come to an impasse. The IP is now on most all blocklists for 72 hours. With luck, your regular maintenance will have cleaned it by then. Good luck!

I think that hopefully they will get everything straight now. NOT! I get in reply:

> Thank you for contacting us at Amazon.com. I'm very sorry to hear about the difficulty you are experiencing on our website. We do not have any problems on our end that would be causing the effects you describe.
>
> I would suggest clicking the "Help" link at the top of your browser window (above the browser commands) for specific trouble-shooting tips. If that does not solve the problem, you may need to contact your Internet service provider directly. It sounds like you might be experiencing a memory cache problem. Most web browsers "cache" pages, meaning they temporarily store a local copy of every page you visit on the web. The quickest solution is a "forced" reload to ensure that you are looking at a fresh copy of the page, and not the version stored in your cache. To force reload, hold down the "Shift" key and click on the "Reload" or "Refresh" button in your browser. For instructions on clearing your cache on other browsers and platforms, please consult your browser's help documentation for details on how to manage this process. If this does not help solve the issue, please click the link below and provide us with more information: http://www.amazon.com/gp/help/contact-us/a...ssistance.html/
>
> I hope these suggestions help. Thanks for shopping at Amazon.com. Please let us know if this e-mail resolved your question:

Are they full of idiots over there? Has anyone else been able to get through to them? *insert head banging on a brick wall smiley*

Cheers!
Miss Betsy, posted January 11, 2009

> Are they full of idiots over there?

I think so.

> Has anyone else been able to get through to them?

Probably not.

> *insert head banging on a brick wall smiley*

If I don't hear from them soon, I will tell you my story!

Miss Betsy
Wazoo, posted January 11, 2009

WHOIS data includes data for 'network operations' ... have you tried sending your complaint there? As with most complaints of something other than e-mail, they would like more data, such as log contents.

    Comment: This network is a member of a dynamic hosting
    Comment: environment. See http://ec2.amazonaws.com/
    Comment: All reports MUST include:
    Comment: * src IP
    Comment: * dest IP (your IP)
    Comment: * dest port
    Comment: * Accurate date/timestamp and timezone of activity
    Comment: * Intensity/frequency (short log extracts)
    Comment: * Your contact details (phone and email)
    Comment: Without these we will be unable to identify
    Comment: the correct owner of the IP address at that
    Comment: point in time.
    RAbuseHandle: AEA8-ARIN
    RAbuseName: Amazon EC2 Abuse
    RAbusePhone: +1-206-266-2187
    RAbuseEmail: ec2-abuse[at]amazon.com
    RNOCHandle: ANO24-ARIN
    RNOCName: Amazon EC2 Network Operations
    RNOCPhone: +1-206-266-2187
    RNOCEmail: aes-noc[at]amazon.com
Geek (author), posted January 11, 2009

Hi Wazoo,

Thanks. But it's not my forum, so I have no log access. Looks like Miss Betsy and I will just have to wait until some webmaster shows up at their front door with a tire iron.

Cheers!
DavidT, posted January 11, 2009

Geek, I don't think you carefully read Wazoo's response, which contained an alternate abuse address for this particular branch of Amazon. Did you try sending to the "ec2-abuse" address? The IP in question is part of their "Amazon Web Services" cloud -- more specifically, the "Amazon Elastic Compute Cloud" (EC2), described here: http://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud

I think part of the problem is the verbiage used in your complaints. You first told them that the IP was a "proxy relaying spam like a sonofagun" -- not very helpful, because to almost anyone in the world, "spam" is assumed to refer to email, and so you started off on the wrong foot.

I checked two of the best blocklist lookups, Robtex and OpenRBL, and they don't support your claim that the IP is on multiple lists. Robtex doesn't show the IP on *any* lists, and OpenRBL has it only on Spamhaus' Zen list, and then only due to a PBL listing, which simply means it's in a block of IPs that shouldn't be directly delivering email messages....which doesn't have to do with forum spam.

So, try contacting the correct division at Amazon, and instead of colorful and imprecise language, try simply stating the facts. It's very hard to get through to the "mega" online entities (Hotmail, Yahoo, etc.), but it probably doesn't help if you use unclear language and statements that don't seem to be supported by the evidence. Don't just tell them to look up the IP in Google....give them specific instances of abuse.

DT

(on edit) Never mind my suggestion about the "ec2-abuse" address...that was based on my initial research, and while it might be valid, I surfed through the EC2 site: http://aws.amazon.com/ec2/ and found this page: http://aws.amazon.com/contact-us/report-abuse/ Details are given there as to exactly what they need in reports of abuse, so just as I expected, you're "barking up the wrong tree." I think you'll be much more likely to get results if you follow the instructions found at the URL, above.
Geek (author), posted January 12, 2009

Hi,

> I checked two of the best blocklist lookups, Robtex and OpenRBL, and they don't support your claim that the IP is on multiple lists. Robtex doesn't show the IP on *any* lists, and OpenRBL has it only on Spamhaus' Zen list, and then only due to a PBL listing, which simply means it's in a block of IPs that shouldn't be directly delivering email messages....which doesn't have to do with forum spam.

I went by this: http://www.reputationauthority.org/lookup....p;Submit=Search

> I think you'll be much more likely to get results if you follow the instructions found at the URL, above.

As said before, it is moot. I have no access to some of the things needed for the report:

- Destination IP address (I have a destination URL, the IP is dynamic)
- Destination port (That's not even part of the logging system as I understand)
- Description and log extract (No access again)

So next time I get spam from them as a moderator, I'm just going to forget being the good Sam and plonk it back into the "Honeypot" and "Stop Forum Spam" bins.

Thanks all!
Wazoo, posted January 12, 2009

> I went by this: http://www.reputationauthority.org/lookup....p;Submit=Search

Deeper research there shows that this IP Address's "reputation points" are based on a PBL listing, which is basically due to the IP Address not 'being' a recognized (dedicated) e-mail server. This doesn't really factor into your "posting spam to a Forum" situation at all.

> Destination IP address (I have a destination URL, the IP is dynamic)

Interesting that I just Banned a user based on the use of an e-mail address that fits this description ... also running a Forum application that relied on a Dynamic DNS server/service for connectivity.

> Destination port (That's not even part of the logging system as I understand)

Depends more on what OS is involved, configuration settings, which logs are being looked at. For instance, on a *NIX system, those web-Forum posts would normally be found under the (also assumed) Apache log files .. and with only an "http://" string for a connection, Port 80 is assumed. Other types of traffic would be found under "system" logs; the associated Ports would also be somewhat assumed based on the attempted type of connection, and most services also have 'default' connection ports involved.

> Description and log extract (No access again)

Yeah, but .... where's the site owner in all of this? The whole point of my original post was to suggest that your complaints be sent to someone that actually deals with 'network' traffic, rather than folks that were set up to deal with issues of the Amazon web-sites and e-mail, reseller sites and e-mail, associated sites and e-mail, etc.
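As an added illustration of what Wazoo describes (example code written for this thread, not anything from SpamCop or Amazon): a small Python helper that pulls the fields the EC2 abuse form asks for out of an Apache "combined" access log for one source IP, with the destination port implied by the scheme exactly as discussed. The log lines are constructed sample data using the IP from the thread; the hostname forum.example.org and the combined-log layout are assumptions.

```python
import re
from datetime import datetime

# NCSA "combined" access-log line: client IP, ident, user, [timestamp with zone],
# "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not a real capture; the source IP is the one from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2009:02:59:41 -0800] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
75.101.186.172 - - [11/Jan/2009:03:14:07 -0800] "POST /forum/posting.php?mode=reply&t=42 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
75.101.186.172 - - [11/Jan/2009:03:14:09 -0800] "POST /forum/posting.php?mode=reply&t=43 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
75.101.186.172 - - [11/Jan/2009:03:14:12 -0800] "GET /forum/viewtopic.php?t=43 HTTP/1.1" 200 8200 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache timestamps carry the zone offset, so the report can state time AND timezone.
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def abuse_extract(log_text, src_ip, dest_host, scheme="http", only_posts=True):
    """Gather what the EC2 abuse form asks for: src IP, destination, port, times, extract."""
    # The web log does not record the server port; it is implied by the scheme.
    dest_port = 443 if scheme == "https" else 80
    hits = [r for r in map(parse_line, log_text.splitlines()) if r and r["ip"] == src_ip]
    if only_posts:  # forum spam arrives as POSTs; drop the plain page views
        hits = [r for r in hits if r["method"] == "POST"]
    if not hits:
        return None
    return {
        "src_ip": src_ip,
        "dest_host": dest_host,
        "dest_port": dest_port,
        "first_seen": hits[0]["when"].isoformat(),
        "last_seen": hits[-1]["when"].isoformat(),
        "count": len(hits),
        "log_extract": [f'{r["ip"]} [{r["ts"]}] "{r["method"]} {r["path"]}" {r["status"]}'
                        for r in hits],
    }
```

Because the forum's own host name is the only stable destination when its address is dynamic, the report carries dest_host rather than a destination IP.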
Geek (author), posted January 12, 2009

They are in here too:

http://www.projecthoneypot.org/ip_75.101.186.172
http://www.stopforumspam.com/search?q=75.101.186.172

Which are dedicated forum comment spam reporting places. I'll give a shot with that email.

> Yeah, but .... where's the site owner in all of this?

Delegated responsibility to a pair of us and only come if called for some BIG action.

Cheers!
Geek (author), posted July 18, 2009

Obviously, they didn't bother and are now hosting phishing sites with their infected computers: http://www.spamcop.net/sc?id=z3132540596z1...4e0a6c47721416z

Cheers!
Farelf, posted July 18, 2009

> ... http://www.spamcop.net/sc?id=z3132540596z1...4e0a6c47721416z

Is that the link you meant to post? eBay hosting? Has there been some unnatural eBay-Amazon conjugation while I slept?
Miss Betsy, posted July 18, 2009

I don't understand either. The first IP address was 75.101.186.172 and this spamcop report is for 59. something.

Miss Betsy
Geek (author), posted July 18, 2009

> Is that the link you meant to post? eBay hosting? Has there been some unnatural eBay-Amazon conjugation while I slept?

The report you see changed from the link literally overnight. http://www.scorpiorising.ca/images/spamcop_report.jpg

Someone please tell me what happened?
Farelf, posted July 19, 2009

> ...Someone please tell me what happened?

Ah yes, I see now. Going overboard on the explanation so it is clear for hypothetical other readers.

Firstly, your link indeed confirmed (botnet) hosting by Amazon, in the 'reports sent':

    Reportid: 4388637584 To: abuse[at]amazon.com
    Reportid: 4388637656 To: ec2-abuse[at]amazon.com

- those relating to cgi.ebay.com.jghtyu.com, which is to say jghtyu.com, domain registered by namebay.com which lives in the Principality of Monaco and has the proud, evidently true, claim "Registering a domain name with Namebay is as simple as eating pie !"

Now jghtyu.com is hosted on a fast-flux botnet (a quick nslookup or equivalent on the domain name will indicate that) which currently resolves as:

    canonical name cgi.ebay.com.jghtyu.com.
    aliases
    addresses 24.4.240.109 24.18.33.116 69.229.210.150 78.97.205.243 79.116.237.205 84.229.13.157 86.124.197.95 88.156.39.27 93.103.61.15 94.21.81.34 121.182.88.116 189.202.41.188 190.82.26.244 200.77.205.199 221.160.142.228

Now SpamCop, when it can resolve one of these things at all, can resolve only the "topmost" of the continually rotating list. When the parser handled 'your' report, it seems an Amazon IP was top of the stack. Repeat the process sometime later (even a few seconds) and something else might be on top. Apparently, or to all intents and purposes, whenever you or anyone else looks up a "past report" tracking link the data are reprocessed. But "reports sent" are 'writing on the wall', fixed. (Heh - jghtyu.com - DNS records from DomainDossier: IN HINFO CPU: Casio OS: Calculator - very droll but I digress)

Now the good news - Amazon, no doubt stung by your past and trenchant criticism, seems to have been able to quickly wrench its IP(s) out of that botnet.

The bad news is SC reporting can (usually) do next to nothing about botnets - you need Complainterator or manual reports for that, to get to the (jghtyu.com) domain registrar and/or nameservers (hosted on lock-kind.com) rather than the unsuspecting hosts, who are usually less responsive than Amazon and whose individual IP addresses are redundant/easily replaced in the botnet in any event. The surviving IPs are all the usual suspects in Romania, Korea, Israel, Slovenia, Chile, Colombia, Mexico and, of course, Comcast (oh, and there's an AT&T one in there too).

Sorry, I was a bit slow on the uptake on this one (I put it down to either a cerebral flatus or premature senescence, time will tell) - confused by the real e-Bay links which may be innocent, I haven't looked - but e-Bay thinks it doesn't need to know anyway.
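Farelf's point is that a fast-flux domain answers with a rotating list and a tool that keeps only the topmost address will blame a different host on every lookup. The following Python, added here as an illustration and not part of the original thread or of SpamCop, profiles a series of lookups to show that instability and the churn measures a defender would look at instead. The answer contents are constructed sample data built from the addresses quoted above; the TTLs, the /16 grouping and the thresholds are assumptions.

```python
from ipaddress import ip_network

# Constructed sample answers, not live captures: the addresses are the ones quoted
# in the post above (plus the Amazon one from the start of the thread); the order and
# grouping of each answer are made up to model a resolver returning a rotating subset.
FLUX_LOOKUPS = [
    ["75.101.186.172", "24.4.240.109", "78.97.205.243", "121.182.88.116"],
    ["24.18.33.116", "69.229.210.150", "79.116.237.205", "75.101.186.172"],
    ["84.229.13.157", "86.124.197.95", "88.156.39.27", "93.103.61.15"],
    ["94.21.81.34", "189.202.41.188", "190.82.26.244", "200.77.205.199"],
    ["221.160.142.228", "24.4.240.109", "78.97.205.243", "86.124.197.95"],
]
# Control: a normally hosted site answers with the same small set every time.
STABLE_LOOKUPS = [["192.0.2.10", "192.0.2.11"]] * 5


def first_address(answer):
    """What a tool that pins abuse on the 'topmost' A record would attribute it to."""
    return answer[0]


def flux_profile(lookups, ttl_seconds):
    """Summarise how much a domain's answers churn across repeated lookups."""
    distinct = {ip for answer in lookups for ip in answer}
    # Distinct /16 prefixes is a crude stand-in for 'how many networks are involved';
    # real triage would map each address to its ASN instead.
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in distinct}
    tops = [first_address(a) for a in lookups]
    overlaps = []  # Jaccard overlap between consecutive answer sets
    for prev, cur in zip(lookups, lookups[1:]):
        overlaps.append(len(set(prev) & set(cur)) / len(set(prev) | set(cur)))
    return {
        "lookups": len(lookups),
        "distinct_ips": len(distinct),
        "distinct_prefixes": len(prefixes),
        "top_addresses": tops,
        "top_changes": sum(1 for a, b in zip(tops, tops[1:]) if a != b),
        "mean_overlap": sum(overlaps) / len(overlaps) if overlaps else 1.0,
        "ttl_seconds": ttl_seconds,
    }


def looks_fast_flux(profile):
    """Heuristic: short TTL, many addresses spread over many networks, little reuse."""
    return (profile["ttl_seconds"] <= 300
            and profile["distinct_ips"] >= 10
            and profile["distinct_prefixes"] >= 5
            and profile["mean_overlap"] < 0.5)
```

Against live DNS the same profile would be fed by repeated resolver queries spaced by the record's TTL; the thresholds here are illustrative rather than tuned.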
Geek (author), posted July 19, 2009

Wow, serious thanks Farelf for the detailed reply!

Cheers!