petzl Posted December 16, 2013

> now i'm getting the following message when LARTing "spamtool [at] eu.level3.net"
> >>> 550 Invalid recipient
> my guess is that they don't want to receive spam reports at this address any longer... :angry:

Include "certbund [ AT ] bsi.bund.de"
In report also include the fact that abuse address bounces and "unsubscribe" link increase attacks simply confirms email address
http://www.first.org/members/teams/cert-bund

salamandir (Author) Posted January 10, 2014

> Include "certbund [ AT ] bsi.bund.de"

certbund [AT] bsi.bun.de gets /dev/null'ed...

/dev/null'ing report for certbund#bsi.bund.de[at]devnull.spamcop.net

petzl Posted January 10, 2014

> also, in a completely separate spam report that i submitted today, i got the following information: i'm assuming that this is the same address... but why is it recommended for a manual LART if it bounces when i send automated ones?

As Leaseweb are based in Netherlands send abuse reports to https://www.ncsc.nl/english/organisation/contact
"Outside office hours, for emergencies you may contact NCSC: cert [ AT ] ncsc.nl. "
Been having trouble with a Brazil spam crime gang who have been with them some time
Include any listed links to CBL or PBL these can be got by clicking link to Sender base
http://mailsc.spamcop.net/bl.shtml (SC email users)
non http://spamcop.net/bl.shtml

Leon Posted January 26, 2014

> As Leaseweb are based in Netherlands send abuse reports to https://www.ncsc.nl/english/organisation/contact
> "Outside office hours, for emergencies you may contact NCSC: cert [ AT ] ncsc.nl. "
> Been having trouble with a Brazil spam crime gang who have been with them some time
> Include any listed links to CBL or PBL these can be got by clicking link to Sender base
> http://mailsc.spamcop.net/bl.shtml (SC email users)
> non http://spamcop.net/bl.shtml

For spam sent from a server in the Netherlands, you could also use the official spam reporting site of the Dutch Government: https://www.spamklacht.nl/klacht-indienen/klachtformulier/ (and use Google Translate to translate)

petzl Posted January 27, 2014

> For spam sent from a server in the Netherlands, you could also use the official spam reporting site of the Dutch Government: https://www.spamklacht.nl/klacht-indienen/klachtformulier/ (and use Google Translate to translate)

Thanks the Brazil attacks dried up after I contacted cert Netherlands (they contacted me)

salamandir (Author) Posted February 12, 2014

i don't have to send LARTs myself all the time, just some of the time... frequently i get an email that i can send from spamcop without any problem, but sometimes i get "Reports disabled for abuse[at]leaseweb.de... Nothing to do." instead, and these have been the ones that i'm LARTing manually.

occasionally, i get a response from security.feedback [at] level3.com or abusedesk [at] leaseweb.com that says they're looking into it, but nothing else ever happens, and i continue to get spam from leaseweb about which spamcop tells me there's nothing to do...

i would really like to find an email address to which i can send LARTs that will get the job done, rather than assuring me they're on the job, and then go back to sleep...

Farelf Posted February 13, 2014

> sometimes i get "Reports disabled for abuse[at]leaseweb.de... Nothing to do." ... i would really like to find an email address to which i can send LARTs that will get the job done, rather than assuring me they're on the job, and then go back to sleep...

Are you sure? When reports are disabled the message should be something like "Reports sent to abusedesk#leaseweb.com[at]devnul for statistical recording" or similar, which is very different to "nothing to do". That devnul business would indicate that SC continues to execute its main game, which is to "feed" the blocklist, even if the responsible abuse desk doesn't want to know or is spam-supportive or bounces reports, etc.

Yes it would be good to find an effective address - if level3 are not taking note I suspect there's not much more can be done (other than to keep them in the loop to ensure no deniability on their part). Maybe they're a bit like the FCC, they maybe save it up until some critical event or point is reached. They're not going to compromise "commerce" and revenue-streams without a huge prod.

petzl Posted February 13, 2014

> Are you sure? When reports are disabled the message should be something like "Reports sent to abusedesk#leaseweb.com[at]devnul for statistical recording" or similar, which is very different to "nothing to do". That devnul business would indicate that SC continues to execute its main game, which is to "feed" the blocklist, even if the responsible abuse desk doesn't want to know or is spam-supportive or bounces reports, etc.
>
> Yes it would be good to find an effective address - if level3 are not taking note I suspect there's not much more can be done (other than to keep them in the loop to ensure no deniability on their part). Maybe they're a bit like the FCC, they maybe save it up until some critical event or point is reached. They're not going to compromise "commerce" and revenue-streams without a huge prod.

You can just forward spam as attachment to that abuse address same as for spam[at]uce.gov
include any other info in letter
Some want evidence and no chance of altered headers

salamandir (Author) Posted June 9, 2014

> Are you sure?

yes. when it said "Reports disabled for abuse[at]leaseweb.de... Nothing to do." i copied it and pasted it here. if it had said something else, i would have pasted something different.

and i don't get "Nothing to do." all the time, just some of the time. when i don't get it, i let spamcop do the reporting. when i do get it, that's when i LART manually.

techie Posted June 9, 2014

I haven't seen "nothing to do" in a while, but I seem to recall it showed up when all possible abuse addresses for a given report were /dev/null'd. If there was a single working address for any section of the report, then you would see the "statistical tracking" message. My sense is that it is a bug.

Farelf Posted June 10, 2014

> yes. when it said "Reports disabled for abuse[at]leaseweb.de... Nothing to do." i copied it and pasted it here. if it had said something else, i would have pasted something different. ...

Thanks for the confirmation, thanks too, techie. Sorry to query - it is easy to be a little muddled about the precise circumstance and sequencing of these things but copying and pasting the actual lines resolves any doubt about that!

When 'nothing to do' is encountered it is usually in the context that there is no parser analysis session, I think (I'm not sure) - so no Tracking URL to copy while the parser instance is still 'live'. I guess these would be the same? And no Report ID recorded in Past Reports. That would make the forensics/replication for SC staff pretty difficult, yet it sounds like something they might wish to pursue - as techie says, it smacks of a bug in the code. In effect, an inconsistent one from the sound, which is disturbing.

The inconsistency could be down to just a subset of the machines doing the parsing (almost never a factor but stranger things have happened). In which case resubmission might produce a different result (a probability, not a certainty, if that were the case). At least in those cases where the parse happens it would be possible to record the successful machine(s), if you were interested. The 'page source' for a parse result shows something like one of the following comment lines, in the second top-most line:

<!-- SpamCop::Web::Look $Revision: #17 $ produced by prod-sc-www3 -->
<!-- SpamCop::Web::Look $Revision: #17 $ produced by prod-sc-www2 -->
<!-- SpamCop::Web::Look $Revision: #17 $ produced by prod-sc-www1 -->

Oh well, if they're interested/concerned no doubt they'll contact you for your help.

techie Posted June 13, 2014

I have made the suggestion several times in the past, but I will make it again. Spamcop obviously knows which sites are refusing spamcop reports, for whatever reason, since they are reporting it as part of the parsing process. I would like to see that data made available as an extension of the spamcop bl. For starters, I would have a class for sites that feed data direct to spammers, or otherwise support spammers, another for sites where all the addresses are bouncing, and another for administrative refusal to accept reports. Use a different return code for each class, so you can decide which sites you want to refuse mail from, and what type of status code you want to return to the sender.

I mostly use spamcop as a feedback loop, as I see relatively little spam actually blocked by spamcop. Most is already blocked by one of the other bl's or sanity checks that I use on my server, including an ever growing local blocklist. If I notice a site sending excessive spam, and spamcop shows reports disabled for that site, that site/ip block generally finds its way into my local bl in short order.

I treat my local bl as a spammer (roach) motel, with infinite capacity, and a write once register. IP blocks check in, and never check out. If the IP range looks like it is used for dynamic assignments, then the whole range is added. If the provider appears to be ignoring spam in general, the entire range is added. If the range is assigned to an entity in certain countries, the entire range is entered.. you get the picture.. I block China and Korea on principle, as well as several of the large European ISPs and hosting providers. I also sanity check for valid domain names, and valid and matching reverse DNS.

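The class-per-return-code idea in techie's post above, sketched as an added example (not SpamCop's or any poster's code): a local blocklist answers a DNSBL-style lookup with a different 127.0.0.x code per class, and the mail server maps each code to its own SMTP reply. The class names, return codes, reply texts, the zone name used in the test and the listed networks (documentation ranges) are all assumptions made up for the illustration.

```python
import ipaddress

# Hypothetical classes and return codes (not an existing SpamCop zone).
FEEDS_SPAMMERS = "127.0.0.2"  # reports are passed to, or support, spammers
ALL_BOUNCING = "127.0.0.3"    # every abuse address bounces
ADMIN_REFUSAL = "127.0.0.4"   # provider administratively refuses reports

# Constructed sample listings using RFC 5737 documentation ranges.
LOCAL_BL = [
    (ipaddress.ip_network("192.0.2.0/24"), FEEDS_SPAMMERS),
    (ipaddress.ip_network("198.51.100.0/25"), ALL_BOUNCING),
    (ipaddress.ip_network("203.0.113.0/24"), ADMIN_REFUSAL),
    (ipaddress.ip_network("203.0.113.128/25"), FEEDS_SPAMMERS),  # override
]

# Per-class policy: the SMTP reply for each code; None means accept.
POLICY = {
    FEEDS_SPAMMERS: (550, "5.7.1 sender network supports spam"),
    ALL_BOUNCING: (451, "4.7.1 sender network abuse contact bounces"),
    ADMIN_REFUSAL: None,  # tracked but not refused in this sample policy
}

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup(ip):
    """Return the most specific listing's return code, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, code) for net, code in LOCAL_BL if addr in net]
    return max(hits)[1] if hits else None

def smtp_decision(ip):
    """Map a connecting IP to (smtp_code, text); (250, 'ok') when accepted."""
    code = lookup(ip)
    action = POLICY.get(code) if code else None
    return action if action else (250, "ok")
```
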
salamandir (Author) Posted August 18, 2014

http://www.spamcop.net/sc?id=z5944506286zd...fd95f8feebcd83z

another instance of leaseweb.de being responsible, but "nothing to do"...

i haven't seen one of these in a couple of months, but they're definitely still out there...

petzl Posted August 18, 2014

> http://www.spamcop.net/sc?id=z5944506286zd...fd95f8feebcd83z
> another instance of leaseweb.de being responsible, but "nothing to do"...
> i haven't seen one of these in a couple of months, but they're definitely still out there...

Brazil crime gang have again re-signed up with them
You have to forward as attachment the spam to their address
INCLUDE in To: line
"certbund [ AT ] bsi.bund.de"
abuse[at]leaseweb.de
Both addresses together makes them get attention.

Subject: spam source: 46.165.253.195

in body include
SpamCop TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z5944506286zd...fd95f8feebcd83z
Brazil spam crime gang using spam "friendly" hosts from all over the world
"unsubscribes" don't work just worsen their attack
*NEVER EVER SUBSCRIBED* I don't even speak Portuguese

salamandir (Author) Posted August 18, 2014

> You have to forward as attachment the spam to their address
> INCLUDE in To: line
> "certbund [ AT ] bsi.bund.de"
> abuse[at]leaseweb.de

when i have LARTed abuse[at]leaseweb.de and certbund[at]bsi.bund.de in the past, it has bounced.

i currently have the following in the To: line:

technical[at]leaseweb.com, abusedeskl[at]easeweb.com, abuse[at]leaseweb.com, abuse[at]leaseweb.nl, abuse[at]eu.level3.net, cert[at]ncsc.nl

petzl Posted August 18, 2014

> when i have LARTed abuse[at]leaseweb.de and certbund[at]bsi.bund.de in the past, it has bounced.
> i currently have the following in the To: line:
> technical[at]leaseweb.com, abusedeskl[at]easeweb.com, abuse[at]leaseweb.com, abuse[at]leaseweb.nl, abuse[at]eu.level3.net, cert[at]ncsc.nl

Got a reply from both early in year?
Their abuse address is abuse[at]leaseweb.com
Abuse address not .NET

From - Sat Jan 11 07:52:57 2014
X-Account-Key: account1
X-UIDL: UID19499-1066456927
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <www-data[at]ocom.com>
Delivered-To: spamcop-net-XXXXl[at]spamcUp.nUt
Received: (qmail 29939 invoked from network); 10 Jan 2014 13:42:50 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8
X-spam-Level:
X-spam-Status: hits=0.0 tests=none version=3.2.4
Received: from unknown (192.168.1.108) by filter8.cesmail.net with QMQP; 10 Jan 2014 13:42:50 -0000
Received: from rt3.requesttracker.org (HELO rt36.requesttracker.org) (85.17.130.58) by mx71.cesmail.net with SMTP; 10 Jan 2014 13:42:45 -0000
Received: by rt36.requesttracker.org (Postfix, from userid 33) id BD6AC5F7C0; Fri, 10 Jan 2014 14:05:10 +0100 (CET)
Subject: [ts #3205442] Re: spam from Brazilian crime gang using you abuse[at]leaseweb.com as host ip 85.17.249.245
From: "LeaseWeb - Abuse Desk " <abusedesk[at]leaseweb.com>
Reply-To: abusedesk[at]leaseweb.com
In-Reply-To:
References: <RT-Ticket-3205442[at]requesttracker>
Message-ID: <rt-3.6.5-14105-1389359110-391.3205442-14-0[at]requesttracker>
Precedence: bulk
X-RT-Loop-Prevention: ts
RT-Ticket: ts #3205442
To: XXXXl[at]spamcUp.nUt
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: utf-8
Date: Fri, 10 Jan 2014 14:05:10 +0100
X-SpamCop-Checked:

===========================================================================
This is an automated e-mail informing you we received your abuse complaint.
===========================================================================

Your abuse complaint has been processed by an automated system. We have notified our customer to handle the complaint according to the applicable laws.

In case your complaint is not handled correctly or you would like human intervention, please reply to this e-mail and leave the subject intact.

Kind regards,
LeaseWeb Netherlands B.V. - Abuse Desk

This topic is now archived and is closed to further replies.