Lking Posted September 26, 2009 Posted September 26, 2009 This spam source is not the most prolific but it has cough my eye. Before I started watching closely they were sending spam to several of my domain email addresses. Now they are sending to only one but they send several a day. With a little bit of looking I see there is no way to get them on SC's list. By rotating through all the SMTP they have, 64.246.231.x, the volume of reports will never get them listed. Not being into "Life Consulting Services" (I don't need someone's help to screw up my life) this is UCE/spam. Looking at their AUP page, it must be window dressing. In addition to reporting, I am sending abuse[at] copies of each spam. But the stream continues. Starting with the most current: http://www.spamcop.net/sc?id=z3355763984z9...f4af16c892de04z http://www.spamcop.net/sc?id=z3355619164zd...a659925c70e4b0z http://www.spamcop.net/sc?id=z3355619163z1...293b38b4538b37z http://www.spamcop.net/sc?id=z3355619161za...152a04599f0dc7z http://www.spamcop.net/sc?id=z3355619156z4...536d29f090e7dfz http://www.spamcop.net/sc?id=z3355619153ze...03fa0a7f1eb246z http://www.spamcop.net/sc?id=z3355619010z7...aee73aa5d2be24z http://www.spamcop.net/sc?id=z3351746472zb...f3c961c807c078z http://www.spamcop.net/sc?id=z3351746466zf...38c58ae94d5a7cz That's enough to make the point. I have more if anyone cares. I do feel better now.
Farelf Posted September 27, 2009 Posted September 27, 2009 ...That's enough to make the point. I have more if anyone cares. I do feel better now.Yes, what a beautiful snowshoe operation (mail.emailonsteroids.com, mail1.emailonsteroids.com - mail180.emailonsteroids.com but SenderBase currently "only" sees 71 of those mail servers, with very nearly all of them in recent use). Well, someone is getting the sender IP addresses listed in Barracuda: http://www.barracudanetworks.com/reputatio...p=64.246.231.41 http://www.barracudanetworks.com/reputatio...p=64.246.231.47 http://www.barracudanetworks.com/reputatio...p=64.246.231.56 http://www.barracudanetworks.com/reputatio...p=64.246.231.67 http://www.barracudanetworks.com/reputatio...p=64.246.231.73 http://www.barracudanetworks.com/reputatio...p=64.246.231.77 http://www.barracudanetworks.com/reputatio...p=64.246.231.84 http://www.barracudanetworks.com/reputatio...p=64.246.231.92 The SenderBase reputation is poor for all the sending IPs seen and it is probably the same for other reputation-based systems and those would filter that stuff too. The weak point should be the domain but the Barracuda domain report says "This domain name emailonsteroids.com is not listed on Barracuda's Intent Block List." And it is not on the sc.surbl.org list nor on the multi.surbl.org list (nor even the multi.uribl.com list). I thought it might make it to those, but no. Lou, this is "straight-up" UCE, have you tried the unsubscribe links (from the spammed address)? If not, that would certainly be worth trying IMO. Their carrier is never going to stop them, nor the domain registrar. Their immediate liability is not great if they don't honor an unsubscribe (the FTC may, on substantiating a complaint, add them to a database that might eventually be used somehow if they come to the attention of an actual law enforcement agency on account of a serious crime) but they may be compliant. Worth trying?
Lking Posted September 27, 2009 Author Posted September 27, 2009 Yes, what a beautiful snowshoe operation I knew there was a name for it, just had a senior moment. Thanks. For some reason I though Barracuda had gone the way of CastleCops. I need to put them back on my list. As for using their "unsubscribe" or "Expunge" links, I just have a philosophical dislike for responding to links in spam/UCE. It would seem that it would act as a conformation that someone has read the trash. Yes it does seem to be a straight forward, what I assume is a, MLM. On the other hand some of the spam do try to sell directly. One of the cut-and-past efforts seemed to get confused if they were trying to "get me started" selling the stuff or buy a bottle for $27.95. As for UCE and FTC I think you are correct. IIRC if someone gets on their radar, then they look at the database to support any action they may take.
Farelf Posted September 27, 2009 Posted September 27, 2009 ...As for using their "unsubscribe" or "Expunge" links, I just have a philosophical dislike for responding to links in spam/UCE. It would seem that it would act as a conformation that someone has read the trash....Yeah, I know how you feel - but that's easily fixed, use the webform http://www.emailonsteroids.com/subscription/index.php (they need never know their junk was ever looked at - oh, but they could work out otherwise - because you send user-defined reports) . Sorry, the devil made me do it.
Lking Posted September 27, 2009 Author Posted September 27, 2009 - oh, but they could work out otherwise - because you send user-defined reports) . Sorry, the devil made me do it. You mean no one will believe that I used a psychic to figure out I wanted to send reports to abuse[at]... and support[at]... ? The world just isn't fare!
Farelf Posted September 28, 2009 Posted September 28, 2009 ...The world just isn't fare! Be of good cheer Lou, injustice for all is the perfect kind of justice for an imperfect world.
Lking Posted September 28, 2009 Author Posted September 28, 2009 injustice for all is the perfect kind of justice for an imperfect world. In an effort to avoid being responsible for some of the injustice in the world, I feel obliged to report that I have received a lengthy email from abuse[at]..lifeconsultingservices.com From the content it appears to me that appropriate action will/has been taken. Although some of the information may seem to be ironic, these folks are trying to be responsible mass mailers. Jerry's email is in response to the second of 37 emails I sent to abuse[at] reporting each UCE I received 23-27 Sept. First off I would like to apologize for the delay. I did receive you first email on 09/23/2009 at 6:45am according to the logs. But as you addressed it to our abuse[at] address which gets spam'med around 10,000 times per day by actual spam'mers there is a backlog in our reading the incoming abuse address. I will adjust the web page with a comment that removals sent to the abuse[at] or postmaster[at] addresses can take 4 times longer than any of the other methods. I can understand not clicking but why not use the automatic email removal address? That link would have generated an email that would have gone right into the system and have been removed in realtime. Or you could have used our 800# and been removed within 30 minutes of leaving a message on the voicemail. We are a reputable bulk email firm and have been in this business for 8+ years. We are monitored regularly by SPAMCOP where we maintain a ratio of 1 unique complaint to 1 million unique emails sent. We work closely with SPAMHAUS and have addressed every issue they have required of us. Since we maintain complete and permanent records of all signups I have instituted an inquiry as to the full data record for the signup of "Louis King" <x> and all the associated address, city, state, zip and phone and demographic information including the signup IP. If some has impersonated you we will gladly report that IP to the relevant authorities. <snip> per your 37 requests we have not just removed the email in our system. We have removed your entire domain. No request by ANYONE at your system will be honored to re-add any address into our system without meeting our AUP's requirements for reinstatement. Our AUP has quoted by SPAMHAUS is one of the harshest around. We have a zero tolerance policy. And none of our email clients may use outside mailing lists. <snip> ps I am also looking into why you received so many per day at our system only normally only delivers email to an address once every 3 days. The number you received in 3 days indicates a problem somewhere that must also be looked into. So if helps any your temporary inconvenience may result in further improvement in our system which has evolved continuously for years. This thread could be marked 'resolved'
Farelf Posted September 28, 2009 Posted September 28, 2009 ...This thread could be marked 'resolved'Thanks for the update Lou.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.