Bogus domain renewals and my domain name

[danq]

Hi,

I am a new Spamcop user, and have been reporting several fake domain renewal scams recently. This one included my full name and for some reason contained my old address that is no longer associated with the domain.

Today I reported a message, but my domain's hosting provider was listed in the possible e-mails to send the report abuse to. I closed the window to take a second look at the message, and later reported it to one of your /dev/null addresses, unchecking my hosting provider.

However, after clicking "Past Reports", I see that the original report was listed "cancelled - stats only". Is there a risk that my domain name has been blacklisted by you by mistake and I was reported to my hosting provider?

Thank you, Dan

BTW the scammer is "jiffytext DOT com" which for some reason resolves from both your end and mine as 127.0.0.1. You might want to take a look at this, as Spamcop reported the loopback IP as "unable to resolve".

[turetzsr]

Hi, Dan,

...Sorry to hear of your problems!

<snip>

my domain's hosting provider was listed in the possible e-mails to send the report abuse to.

...Have you gone through the Mailhosts configuration process, yet? If not, please consider it, it will hopefully fix the problem. For more information, please see the SpamCop FAQ (links to which appear near the top left of each SpamCop Forum page) article labeled "How do I configure Mailhosts for SpamCop?" and those below it prefixed with the string "----->." You may also wish to review the SpamCop FAQ article labeled "Why does SpamCop want to send a report to my own network administrator?"

<snip>and later reported it to one of your /dev/null addresses, unchecking my hosting provider.

...If I'm not mistaken, you did not need to report to a /dev/null address. Good move unchecking your provider! <g>

However, after clicking "Past Reports", I see that the original report was listed "cancelled - stats only".

...Actually, you should probably have just canceled entirely because the statistics will (I assume) count against one of your provider's outgoing IP addresses. However, this is unlikely to cause a problem, as it takes many such reports to cause an IP address to be listed in the SCBl (SpamCop blacklist)

Is there a risk that my domain name has been blacklisted by you

...Absolutely not, SpamCop does not blacklist domains (unless every IP in a domain sends spam; even them, SpamCop is not blocking the domain, per se)!

and I was reported to my hosting provider?

...Your statistics will (probably) count against one of your provider's outgoing IP addresses but, again, that will not by itself cause a problem.

BTW the scammer is "jiffytext DOT com" which for some reason resolves from both your end and mine as 127.0.0.1. You might want to take a look at this, as Spamcop reported the loopback IP as "unable to resolve".

...When I parsed spam[at]jiffytext.com, I got back:

SpamCop v 4.8.1.007 © 2013 Cisco Systems, Inc. All rights reserved.

Parsing input: spam[at]jiffytext.com

No recent reports, no history available

127.0.0.1 is an MX ( 0 ) for jiffytext.com

127.0.0.1 is not a routeable IP address

Cannot resolve spam[at]jiffytext.com

No valid email addresses found, sorry!

There are several possible reasons for this:

The site involved may not want reports from SpamCop.

SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.

SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.

There may be no working email address to receive reports.

127.0.0.1 is an alias for "localhost," which is the machine that is issuing the query (in my case, that's me; in your case, it's you); I presume that's just SpamCop's way of saying that it can't find jiffytext.com in a DNS lookup. Oh, actually, it's not just SpamCop:

C:\>tracert jiffytext.com

Tracing route to jiffytext.com [127.0.0.1]

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms <snip my machine name> [127.0.0.1]

Trace complete.

[Farelf]

...

BTW the scammer is "jiffytext DOT com" which for some reason resolves from both your end and mine as 127.0.0.1. You might want to take a look at this, as Spamcop reported the loopback IP as "unable to resolve".

Hi Dan,

The Registrant (allegedly a Mr Toby Wong of Lok Fu in Kowloon) appears to be using his subdomain of "jif [dot] jiffytext [dot] com" to run all services - a comprehensive suite of them. I should imagine that is one of the few circumstances under which the Registrar (godaddy.com) would support a loopback address on the base domain - though robtex shows me another 87 domains and sub-domains (with a variety of Registrars) also with the loopback address as their internet address.

I don't know how this hosting-DNS manipulation profits "your" scammer (or any other) - would need to know the context in which "jiffytext [dot] com" appears in the spam - but certainly any reference to just the base domain shouldn't be going anywhere. The nameservice host abuse address - ipadmin[at]websitewelcome.com - might be one avenue for reports on that one (with some explanatory notes).

[SpamCopAdmin]

If you will post a TRACKING URL that you get from the top of the SpamCop page when you try to process the spam, I will look into this for you.

This has nothing to do with Mailhosts.

It sounds like you tried to report a web URL that belongs to you or your host.

Or maybe ths email originated from your host.

You have to send the report, or SpamCop will not charge it against the source IP. Sending the report to dev/null works just fine for our purposes.

When you closed your browser window, the report you were preparing was cancelled.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

[danq]

...Have you gone through the Mailhosts configuration process, yet? If not, please consider it, it will hopefully fix the problem.

I don't know what Mailhosts is, I have just been copying and pasting the e-mail's source into the Web form.

...Actually, you should probably have just canceled entirely because the statistics will (I assume) count against one of your provider's outgoing IP addresses. However, this is unlikely to cause a problem, as it takes many such reports to cause an IP address to be listed in the SCBl (SpamCop blacklist)

The first time I cancelled entirely, the second time I sent to the /dev/null.

My question was if the domain did wind up in the blacklist.

My Web host is Lunarpages, and I use their shared hosting.

The domain was coredumpcentral.org BTW. There are no [at]coredumpcentral.org e-mail addresses in existence.

When you closed your browser window, the report you were preparing was cancelled.

OK then there isn't a problem. I just thought that "stats only" meant that Spamcop kept a copy of the potential report with the checkbox still selected.

"Not sent - stats only" report with my hosting provider checked:

http://www.spamcop.net/sc?id=z5623329930z1...e8f07b489732bcz

Later report which was sent to the dev/null address with my hosting provider unchecked:

http://www.spamcop.net/sc?id=z5623331933z7...f32d94d1cd018az

Again note that the mailing address in the spam message is outdated.

[turetzsr]

I don't know what Mailhosts is

<snip>

...I suspected as much, which is why I mentioned the FAQ articles that discuss it. However, Don indicates that this particular issue does not have to do with MailHosts. Nevertheless, MailHosts is recommended. It is a little difficult to understand at first but if you ignore the chaff and follow the essential instructions carefully, then if you're like me you should not have much trouble with it.

<snip>

My question was if the domain did wind up in the blacklist.

<snip>

...Presuming you meant the IP address (SpamCop doesn't add domains, only IP addresses of spam sources), then no, per Don the "thing" you are talking about is a web URL; SpamCop does not add web URLs to its blacklist.