Jump to content

Reporting Bounced spam


Lking

Recommended Posts

Posted

I am one of the report everything types. With a new host I am able to open the doors wide and report all the spam send to my domains.

In the current cycle of things, my domain seems to be the base for a directory approach to forged FROM: in 1 or 2 spam attacks. One spambot is in the "L" account names the other in the Rs. I of course am getting several hundreds of bounce emails a day like this

http://www.spamcop.net/sc?id=z5543026339z9...3b1f331c0f5b13z

and they all get reported. The question is, do the .ru ISPs really care? Most reports go to devnull so we know they don't care much. Is there a more efficient way to identify the bozos that don't have a well behaved mail server?

Seems a wast to dump the bounce emails on the floor, with all those electrons dieing for no good reason.

Posted
<snip>

The question is, do the .ru ISPs really care? Most reports go to devnull so we know they don't care much.

<snip>

...We are probably safe in assuming not but I'd not worry unduly about that and just keep on reporting 'em and help keep 'em (or hopefully get them onto, if they're not already) on the SpamCop blacklist! :) <g>
Posted

...We are probably safe in assuming not but I'd not worry unduly about that and just keep on reporting 'em and help keep 'em (or hopefully get them onto, if they're not already) on the SpamCop blacklist! :) <g>

Everything Russian are on my SC email blocklist

http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php

"Block Russian: This option will block most Russian email (and other email in Cyrillic characters) and send it to your Held Mail, whether or not it is spam. Only select this if you do not receive any legitimate Russian emails."

Most are typical cowardly Russian bully mentality. Where you don't matter.

The IP 85.113.210.170 has no abuse address and just goes to "digital Hell"

Posted

(I see Steve T has responded, and petzl, this is what I was writing anyway).

So, you are being spoofed as the sender of a spam from China and the Russian network lazily bounces it back to you and you report it but the advice he shouldn't have, oughtn't have, hadn't have done that never gets back to him because he hasn't an abuse address or is otherwise unsuitable to receive the SC report? And presumably listing in the SCbl isn't a factor when it comes to the source of bounces (I forget - it would probably take a lot of reports even if they have the same weighting as direct spam). And that Chinese file include a suspicious Base64-encoded attachment, probably a .rar digest, even so you're not allowed to do anything about the real source via SC (because it's not "your" spam).

Well, we used to have RFC-Ignorant.org which might have warned about no abuse address, sadly now extinguished (http://www.dnsbl.com/2012/09/status-of-rfc...tting-down.html). But lack of reporting address is only part of the story when it comes to SC devnulling reports. Anyway, there's supposedly another service addressing such RFC ignorance matters (inheriting and verifying the RFC-Ignorant.org databases and maintaining them), rfc-clueless.org (see http://rfcignorant.org/). Unfortunately, at the moment, with the subject domain ksu.edu.ru, I'm seeing different results for the webpage lookup and the DNS lookup. Perhaps it is explained in the FAQ there, if you wanted to investigate.

Yes, they seem to do things differently in eastern Europe - spam (just about) seems to be accepted as just another advertising medium.

Posted

Yes, they seem to do things differently in eastern Europe - spam (just about) seems to be accepted as just another advertising medium.

RFC-Ignorant.org became "political" or biased which make it useless

JT when he was around stated he could just not answer Russian or "Cyrillic characters" tried using just that as my blacklist and it is very effective so sounds like a good way to clean the internet.

China seems to of evolved into addressing complaints although you get the odd one. Dream host are clowns they host Child porn (Under 18 or made to look under 18) refuse SpamCop reports so advised them via their web page. Not the brightest crayons in the world. I just replied "What you do or don't is fine by me" I of course unknown to them also reported the issue to the USA Feds who are hot on issues like this!

http://www.missingkids.com/CybertipLine

"In partnership with the FBI, Immigration and Customs Enforcement, U.S. Postal Inspection Service, U.S. Secret Service, military criminal investigative organizations, U.S. Department of Justice, Internet Crimes Against Children Task Force program, as well as other state and local law enforcement agencies."

In Australia the Police advertise all Child Porn Raids the Computers servers etc are taken and those under suspicion have their photos on local paper (not a good idea to not take it serious)

Posted

petzl thanks for the missingkids link. Although it has been awhile sense I spotted spam of that type, that is a good link to have.

Except for the flood of misdirected bounce I've been getting mostly pump-'n-dump stock stuff, with spikes of "replacement windows" party drugs, and links to hacker sites.

Have not seen any Rx spam sense the sting in July.

Anyway thanks for the moral support. Yesterday was an unusually heavy day, 2K+ bounces, without actually counting. Even quick reporting 20 at a time, takes a while on a VSAT link.

Posted

So, this bounce business with your domain(s) has been going on concurrently with a "perfect storm" of NDRs hitting CESmail/spamcop e-mail accounts1. and perhaps (just maybe) some rogue/compromised accounts in those domains in the mix as well (that question currently under investigation by both reporting and e-mail sides of SpamCop2.).

1.

http://forum.spamcop.net/forums/index.php?...ost&p=85352

http://forum.spamcop.net/forums/index.php?...amp;#entry85354

2.

http://forum.spamcop.net/forums/index.php?...c=13418&hl=

Joining the dots and recalling your original question ("do the .ru ISPs really care?") either the sods are complicit in this "bounce attack" business (and presumably not just the .ru TLDs) or someone is relying on their archaic and incorrect bounce process to deal out hurt to select domains. Either way, good cause for those that can to report them if it is going to feed to SCbl or at least put a little more load back their way and leave them trying to figure out what is significant and what might be not. Spare a thought for CESmail, dealing with many hundreds of thousands compared to your thousands ... :blink:

Or it's all just the by-product of a MONUMENTAL increase in botnet spam, not exactly sticking out in http://www.senderbase.org/static/spam#tab=1 yet but if increases are (also) being focussed that would make +46% in the past few days quite epic).

(Is it just me or are others bewildered by the plethora of new "update" topics in the SpamCop Email System & Accounts section? Initiated by Staff, even so the urge to merge grows minute by minute ...)

Posted
<snip>

(Is it just me or are others bewildered by the plethora of new "update" topics in the SpamCop Email System & Accounts section? Initiated by Staff, even so the urge to merge grows minute by minute ...)

...It's not just you! I had the same urge but suppressed it, remembering earlier admonitions to not touch SpamCop admin posts.
Posted

Interesting links Farelf. Being I do not use CESmail/spamcop mail/accounts I wonder how/why I got sucked into the deluge.

I does seem to have tapered off, at this point.

Posted

Interesting links Farelf. Being I do not use CESmail/spamcop mail/accounts I wonder how/why I got sucked into the deluge. ...

I guess it shows SC was not the only target - though there is little/no commentary from the internet generally. Or you might have upset someone with access to a handy botnet. Hard not to be paranoid at times. As we speak, GorillaServers in scenic Los Angeles has been pinging my modem non-stop every three seconds for the past 3 hours. I may return the favour if they keep it up. Or I might have a cup of tea, a Bex powder and a good lie down.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...