Manual reporting to Amazon.com?


Geek
One of the forums I moderate gets nailed with spam all the time (ain't mine or I'd update it).

So we get hit from this IP address that ARIN shows to be owned by Amazon.com. Normally I just banhammer the IP addy and forget about it, but being Amazon.com, I thought I'd be the good Samaritan and give them a heads up.

The email abuse[at]amazon.com bounces as an outgoing only, so I search through their helpfile for a form to fill in for abuse. There went 1/2 an hour :rolleyes:

Hi,

WHOIS shows the IP 75.101.186.172 belonging to Amazon, so I hope this is the right place to contact.

The IP address 75.101.186.172 is a proxy relaying spam like a sonofagun.

You might want to shut it, or at least secure it.

Just pop that IP into Google to see what I mean

I get this reply:

Thank you for writing to us at Amazon.com.

I offer my sincere apologies regarding this issue, and can understand your frustration in this regard.

Unfortunately, I cannot determine the assistance that is required from the content of your e-mail message, hence I kindly request you to click the following link and give us more information on this, so that we can solve this issue.

Please visit the following link to provide the information we requested:

Yadda, yadda, form letter with link from there on.

So I try and give more info:

You need more information on the abuse report. There is a spambot on your servers. They are infected. The IP I provided is the address the spam was posted from.

Please send the previous email and this to a webmaster, NOT a customer service person. This is regarding the security of your servers. I am trying to help you here.

Thank you and good luck!

I guess they think it's an email spam, because I get the following reply:

Thank you for reporting this issue. We'd like to investigate the situation further, but first we will need the *full* header information from the message you received.

The full headers of an e-mail aren't usually displayed when you open the message. For instance, you would see this when you open a message:

-Date:

-Subject:

-To:

-From:

However, if the full headers were disclosed, you would see several additional lines. The information we need is the routing path along with the message id. Here is an example of what the full header information may look like (there may be several additional lines of information):

-Received from:

-Received: by

-Date:

-Message-Id: < >

-To:

-From:

-Subject:

-Sender:

Depending on your mail client, you may be able to set your preferences to view the full headers of your messages. Otherwise, I would suggest contacting your ISP for assistance. You may also ask them to provide you with this information.

If you can send this information to abuse[at]amazon.com, or by using the form linked below, we will gladly investigate the situation. Without it, we will be unable to resolve the matter.

Please visit the following link to provide the information we requested:

(Yadda, yadda, form letter with link from there on.)

Okayyyy! We're getting somewhere at least. So I offer them the info:

It was a forum drug/pills spam, not an email. There are no headers. Joined from the IP in question. Known robot, as I say, put the IP into Google and behold.

I tried sending a full report earlier to abuse[at]amazon.com and it bounced as "You have contacted a box that does not accept email".

We have come to an impasse.

The IP is now on most all blocklists for 72 hours. With luck, your regular maintenance will have cleaned it by then.

Good luck!

I think that hopefully they will get everything straight now.

NOT!

I get in reply:

Thank you for contacting us at Amazon.com.

I'm very sorry to hear about the difficulty you are experiencing on our website. We do not have any problems on our end that would be causing the effects you describe.

I would suggest clicking the "Help" link at the top of your browser window (above the browser commands) for specific trouble-shooting tips. If that does not solve the problem, you may need to contact your Internet service provider directly.

It sounds like you might be experiencing a memory cache problem. Most web browsers "cache" pages, meaning they temporarily store a local copy of every page you visit on the web.

The quickest solution is a "forced" reload to ensure that you are looking at a fresh copy of the page, and not the version stored in your cache. To force reload, hold down the "Shift" key and click on the "Reload" or "Refresh" button in your browser.

For instructions on clearing your cache on other browsers and platforms, please consult your browser's help documentation for details on how to manage this process.

If this does not help solve the issue, please click the link below and provide us with more information:

http://www.amazon.com/gp/help/contact-us/a...ssistance.html/

I hope these suggestions help. Thanks for shopping at Amazon.com.

Please let us know if this e-mail resolved your question:

Are they all full of idiots over there?

Has anyone else been able to get through to them?

*insert head banging on a brick wall smiley*

Cheers!


WHOIS data includes data for 'network operations' ... have you tried sending your complaint there? As with most complaints of something other than e-mail, they would like more data, such as log contents.

Comment: This network is a member of a dynamic hosting
Comment: environment. See http://ec2.amazonaws.com/
Comment: All reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email)
Comment: Without these we will be unable to identify
Comment: the correct owner of the IP address at that
Comment: point in time.

RAbuseHandle: AEA8-ARIN
RAbuseName: Amazon EC2 Abuse
RAbusePhone: +1-206-266-2187
RAbuseEmail: ec2-abuse[at]amazon.com

RNOCHandle: ANO24-ARIN
RNOCName: Amazon EC2 Network Operations
RNOCPhone: +1-206-266-2187
RNOCEmail: aes-noc[at]amazon.com


Geek,

I don't think you carefully read Wazoo's response, which contained an alternate abuse address for this particular branch of Amazon. Did you try sending to the "ec2-abuse" address? The IP in question is part of their "Amazon Web Services" cloud -- more specifically, the "Amazon Elastic Compute Cloud" (EC2), described here:

http://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud

I think part of the problem is the verbiage used in your complaints. You first told them that the IP was a "proxy relaying spam like a sonofagun" -- not very helpful, because to almost anyone in the world, "spam" is assumed to refer to email, and so you started off on the wrong foot.

I checked two of the best blocklist lookups, Robtex and OpenRBL, and they don't support your claim that the IP is on multiple lists. Robtex doesn't show the IP on *any* lists, and OpenRBL has it only on Spamhaus' Zen list, and then only due to a PBL listing, which simply means it's in a block of IPs that shouldn't be directly delivering email messages... which doesn't have to do with forum spam.

So, try contacting the correct division at Amazon, and instead of colorful and imprecise language, try simply stating the facts. It's very hard to get through to the "mega" online entities (Hotmail, Yahoo, etc.), but it probably doesn't help if you use unclear language and statements that don't seem to be supported by the evidence. Don't just tell them to look up the IP in Google... give them specific instances of abuse.

DT

(on edit) Never mind my suggestion about the "ec2-abuse" address...that was based on my initial research, and while it might be valid, I surfed through the EC2 site:

http://aws.amazon.com/ec2/

and found this page:

http://aws.amazon.com/contact-us/report-abuse/

Details are given there as to exactly what they need in reports of abuse, so just as I expected, you're "barking up the wrong tree." I think you'll be much more likely to get results if you follow the instructions found at the URL, above.


Hi,

I checked two of the best blocklist lookups, Robtex and OpenRBL, and they don't support your claim that the IP is on multiple lists. Robtex doesn't show the IP on *any* lists, and OpenRBL has it only on Spamhaus' Zen list, and then only due to a PBL listing, which simply means it's in a block of IPs that shouldn't be directly delivering email messages... which doesn't have to do with forum spam.

I went by this:

http://www.reputationauthority.org/lookup....p;Submit=Search

I think you'll be much more likely to get results if you follow the instructions found at the URL, above.

As said before, it is moot. I have no access to some of the things needed for the report:

Destination IP address

(I have a destination URL, the IP is dynamic)

Destination port

(That's not even part of the logging system as I understand)

Description and log extract

(No access again)

So next time I get spam from them as a moderator, I'm just going to forget being the good Sam and plonk it back into the "Honeypot" and "Stop Forum Spam" bins.

Thanks all! :)


Deeper research there shows that this IP address's 'reputation points' are based on a PBL listing, which is basically due to the IP address not 'being' a recognized (dedicated) e-mail server. This doesn't really factor into your "posting spam to a Forum" situation at all.

Destination IP address

(I have a destination URL, the IP is dynamic)

Interesting that I just banned a user based on the use of an e-mail address that fits this description ... also running a Forum application that relied on a Dynamic DNS server/service for connectivity.

Destination port

(That's not even part of the logging system as I understand)

Depends more on what OS is involved, configuration settings, which logs are being looked at. For instance, on a *NIX system, those web-Forum posts would normally be found under the (also assumed) Apache log files ... and with only an "http://" string for a connection, Port 80 is assumed. Other types of traffic would be found under "system" logs, the associated Ports would also be somewhat assumed based on the attempted type of connection, most services also have 'default' connection ports involved.

Description and log extract

(No access again)

Yeah, but .... where's the site owner in all of this?

The whole point of my original post was to suggest that your complaints be sent to someone that actually deals with 'network' traffic, rather than folks that were set up to deal with issues of the Amazon web-sites and e-mail, reseller sites and e-mail, associated sites and e-mail, etc.

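As an added example (not code from the thread, from Amazon or from any tool named here), the following pulls the fields the ARIN comment block demands out of a forum's own Apache access log, along the lines Wazoo describes above; the log lines, the forum server address 198.51.100.20 and the paths are constructed, and port 80 is inferred from a plain http:// forum URL.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache "combined" access-log lines: the source IP is the one from the
# thread; paths, times, referers and user agents are invented for this example.
SAMPLE_LOG = """\
75.101.186.172 - - [12/Mar/2009:14:02:11 +0000] "POST /forum/newthread.php HTTP/1.1" 200 512 "http://forum.example.net/forum/" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2009:14:02:15 +0000] "GET /forum/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
75.101.186.172 - - [12/Mar/2009:14:02:40 +0000] "POST /forum/newreply.php HTTP/1.1" 200 498 "http://forum.example.net/forum/" "Mozilla/4.0"
75.101.186.172 - - [12/Mar/2009:14:03:05 +0000] "POST /forum/newreply.php HTTP/1.1" 200 501 "http://forum.example.net/forum/" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """One combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["raw"] = line
    # Apache's %t carries the server's UTC offset, which is what the ARIN comment
    # block asks for ("accurate date/timestamp and timezone of activity").
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def build_abuse_report(log_text, src_ip, dest_ip, dest_port=80, contact="<phone and email>"):
    """Assemble the fields the EC2 abuse template lists, from the forum's own log.
    dest_ip is the forum server's public address (known even when its DNS name is
    dynamic); dest_port defaults to 80 because a plain http:// URL implies it."""
    hits = [r for r in map(parse_line, log_text.splitlines()) if r and r["ip"] == src_ip]
    if not hits:
        return None  # nothing to report for this source address
    times = [h["when"] for h in hits]
    return {
        "src_ip": src_ip,
        "dest_ip": dest_ip,
        "dest_port": dest_port,
        "first_seen": min(times).isoformat(),
        "last_seen": max(times).isoformat(),
        "hit_count": len(hits),  # intensity/frequency
        "targets": Counter(f'{h["method"]} {h["path"]}' for h in hits),
        "log_extract": [h["raw"] for h in hits],  # short, verbatim extract
        "contact": contact,
    }
```

Swap in the real log path, server address and contact details, and the resulting dict is the complete list the WHOIS record asks for; a site owner or host is only needed to hand over the raw log.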

They are in here too:

http://www.projecthoneypot.org/ip_75.101.186.172

http://www.stopforumspam.com/search?q=75.101.186.172

Which are dedicated forum comment spam reporting places.

I'll give a shot with that email.

Yeah, but .... where's the site owner in all of this?

Delegated responsibility to a pair of us and only come if called for some BIG action.

Cheers!


...Someone please tell me what happened?

Ah yes, I see now. Going overboard on the explanation so it is clear for hypothetical other readers.

Firstly, your link indeed confirmed (botnet) hosting by Amazon, in the 'reports sent':

Reportid: 4388637584 To: abuse[at]amazon.com

Reportid: 4388637656 To: ec2-abuse[at]amazon.com

- those relating to cgi.ebay.com.jghtyu.com, which is to say jghtyu.com, domain registered by namebay.com which lives in the Principality of Monaco and has the proud, evidently true, claim "Registering a domain name with Namebay is as simple as eating pie !"

Now jghtyu.com is hosted on a fast-flux botnet (a quick nslookup or equivalent on the domain name will indicate that) which currently resolves as:


Now SpamCop, when it can resolve one of these things at all, can resolve only the "topmost" of the continually rotating list. When the parser handled 'your' report, it seems an Amazon IP was top of the stack. Repeat the process sometime later (even a few seconds) and something else might be on top. Apparently, or to all intents and purposes, whenever you or anyone else looks up a "past report" tracking link the data are reprocessed. But "reports sent" are 'writing on the wall', fixed.

(Heh - jghtyu.com - DNS records from DomainDossier:

IN HINFO
CPU: Casio
OS: Calculator

- very droll but I digress)

Now the good news - Amazon, no doubt stung by your past and trenchant criticism :D, seems to have been able to quickly wrench its IP(s) out of that botnet. The bad news is SC reporting can (usually) do next to nothing about botnets - you need Complainterator or manual reports for that, to get to the (jghtyu.com) domain registrar and/or nameservers (hosted on lock-kind.com) rather than the unsuspecting hosts, who are usually less responsive than Amazon and whose individual IP addresses are redundant/easily replaced in the botnet in any event. The surviving IPs are all the usual suspects in Romania, Korea, Israel, Slovenia, Chile, Colombia, Mexico and, of course, Comcast (oh, and there's an AT&T one in there too).

Sorry, I was a bit slow on the uptake on this one (I put it down to either a cerebral flatus or premature senescence, time will tell) - confused by the real e-Bay links which may be innocent, I haven't looked - but e-Bay thinks it doesn't need to know anyway.
