Cutsnake88 Posted November 13, 2013

I have been getting spammed by the same jerk for about a year now. He's been rubbed out of three hosts, that I know of - most recently iWeb. He has now secured his own IP address for his company and is spamming with impunity. How do we stop a spammer who owns his own server? I have been reporting him to CERT India, but it continues unabated.

Company: Brainpulse
Nameserver: indianemailmarketers.co.in
Owner: Tarun Gupta
Address: A-4 sector 27 Noida Uttar Pradesh 201301 India
Phone: +91.1204730400
Email: support[at]brainpulse.com

petzl Posted November 13, 2013

> I have been getting spammed by the same jerk for about a year now. He's been rubbed out of three hosts, that I know of - most recently iWeb. He has now secured his own IP address for his company and is spamming with impunity. How do we stop a spammer who owns his own server? I have been reporting him to CERT India, but it continues unabated.

Would clue "us" in better if you included a tracking URL or even IP

Top of the SpamCop report page is tracking URL

SpamCop v 4.8.1.007 © 2013 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z5625210793z9...aa37d48c0f0962z

turetzsr Posted November 13, 2013

> <snip> How do we stop a spammer <snip>

...The short answer is that we can't, any more than we can stop any other kind of criminal behavior outside of our direct reach. Only law enforcement agencies have any hope of doing that and they tend to show no interest unless it is clear either that financial damages have exceeded a certain threshold or harmed the agency or an important member.

petzl Posted November 13, 2013

> ...The short answer is that we can't, any more than we can stop any other kind of criminal behavior outside of our direct reach. Only law enforcement agencies have any hope of doing that and they tend to show no interest unless it is clear either that financial damages have exceeded a certain threshold or harmed the agency or an important member.

I can't find any reports made?

Parsing input: 223.130.5.34
No recent reports, no history available
abusgestion[at]iweb.com
Administrator interested in all reports

The actual listed abuse address is network[at]brainpulse.com
Their website (email marketing) http://www.shooturmail.com/contact-us.html

would like to see headers

Live link to supposed spammer removed. Don't give these people oxygen (indexable back links), please!

Cutsnake88 (Author) Posted November 14, 2013

> I can't find any reports made?
> Parsing input: 223.130.5.34
> No recent reports, no history available
> abusgestion[at]iweb.com
> Administrator interested in all reports
> The actual listed abuse address is network[at]brainpulse.com
> Their website (email marketing) http://www.shooturmail.com/contact-us.html
> would like to see headers

Brainpulse.com is the website of the company doing the spamming, so you're essentially reporting the spam to the spammer, thus confirming your email address. I have been reporting it to incident[at]cert-in.org.in, but clearly they don't give a damn.

The most recent Spamcop reports were just now:

Submitted: 11/14/2013 12:03:19 PM +1100:
Increase your Website or products Sale within 12 weeks
6032781074 ( z_User_Notification ) To: incident[at]cert-in.org.in
6032781073 ( 223.130.4.87 ) To: abusgestion[at]iweb.com

I know iWeb isn't the host anymore - they booted him. That's why I asked the question.

Header of the most recent report:

Return-Path: <ask[at]hostbirds.co.in>
Received: from sm17.indianemailmarketers.co.in (sm17.indianemailmarketers.co.in [223.130.4.87]) by mail.wildchildweb.com with SMTP; Wed, 13 Nov 2013 20:23:56 +1100
Received: from WS68 (unknown [192.168.0.68]) by host.indianemailmarketers.co.in (Postfix) with ESMTPA id 6CF971F385FA for <admin[at]powersponsorship.com>; Wed, 13 Nov 2013 13:31:49 +0530 (IST)
From: "Sarah Blake" <ask[at]hostbirds.co.in>
To: <admin[at]powersponsorship.com>
Subject: Increase your Website or products Sale within 12 weeks
Date: Wed, 13 Nov 2013 14:35:54 +0530
Message-ID: <45f401cee04f$8fdb5f80$af921e80$[at]hostbirds.co.in>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_45F5_01CEE07D.A9960C80"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac7gT40/oIE9sZgwQi2/3Pru0kabXQ==
Content-Language: en-us
X-SmarterMail-spam: SPF_Pass, SpamCop, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, Custom Rules [scam:60]
X-SmarterMail-TotalSpamWeight: 67

petzl Posted November 14, 2013

> Brainpulse.com is the website of the company doing the spamming, so you're essentially reporting the spam to the spammer, thus confirming your email address. I have been reporting it to incident[at]cert-in.org.in, but clearly they don't give a damn.

Cert-in seem your best bet
I would include in notes
Turn the heat up?

IP: 223.130.4.87 network[at]brainpulse.com spam crime gang "unsubscribes" don't work just worsen their attack
http://spamcop.net/w3m?action=checkblock&ip=223.130.4.87

Other hosts in this "neighborhood" with spam reports

Cutsnake88 (Author) Posted November 14, 2013

> Cert-in seem your best bet
> I would include in notes
> Turn the heat up?
> IP: 223.130.4.87 network[at]brainpulse.com spam crime gang "unsubscribes" don't work just worsen their attack
> http://spamcop.net/w3m?action=checkblock&ip=223.130.4.87
> Other hosts in this "neighborhood" with spam reports

Great idea. Thank you very much.

petzl Posted November 29, 2013

> Great idea. Thank you very much.

Getting bombed by India myself mainly stock "recommendations Cert India are proving useless so gave their email and every other Indian governments email address to spammer"

In all probability the spammer may not be Indian the links go to phishing sites in US of A
Which you report here http://www.google.com/safebrowsing/report_phish/Captcha

If looking at spam sites you need to heighten browser security
example on Firefox I have Java on ask and a good free "Add-on" is https://adblockplus.org/en/firefox
Do security scans regularly

Cutsnake88 (Author) Posted December 9, 2013

UPDATE

I actually got an email back from CERT India! (Never thought that would happen!) They said they were taking action against Brainpulse, the Noida IN-based owner of the spam server. Lo and behold, the spam has stopped... at least for now.

Farelf Posted December 9, 2013

Very well done!

petzl Posted December 10, 2013

> Very well done!

Yes mine seem to have stopped as well
http://www.spamcop.net/sc?id=z5631827269z8...1048dc0d59492cz

Cutsnake88 (Author) Posted December 23, 2013

The reporting address for these people has now been updated on Spamcop to be network[at]brainpulse.com. In other words, spam reports are going to the spammer - confirming all of our email addresses are live. Spamcop is not reporting to CERT-India (incident[at]cert-in.org.in), although I've been adding that to the reports, along with the "spam Crime Gang" wording suggested above.

Screenshot: http://screencast.com/t/wjx3aBMZI5

CERT India actually did email me back a few weeks ago and said they were taking action, but nothing has happened and they're still spamming. The nameserver is indianemailmarketers.co.in.

Now what?

turetzsr Posted December 24, 2013

> <snip> In other words, spam reports are going to the spammer - confirming all of our email addresses are live. <snip>

...Generally, not so! SpamCop attempts to "munge" your e-mail address, unless you tell it to not do so or it misses a place where it appears, as it sometimes does. See the last paragraph of SCWiki entry "Mung / Munge / Obfuscate."

petzl Posted December 24, 2013

> The reporting address for these people has now been updated on Spamcop to be network[at]brainpulse.com. In other words, spam reports are going to the spammer - confirming all of our email addresses are live. Spamcop is not reporting to CERT-India (incident[at]cert-in.org.in), although I've been adding that to the reports, along with the "spam Crime Gang" wording suggested above.
> Screenshot: http://screencast.com/t/wjx3aBMZI5
> CERT India actually did email me back a few weeks ago and said they were taking action, but nothing has happened and they're still spamming. The nameserver is indianemailmarketers.co.in.
> Now what?

Has there been a resurrection of spam from India? Not yet getting it

Getting a lot of "Hard Drive drive encryption sites"
Screen capture showing Splash page image https://dl.dropboxusercontent.com/u/50667687/MAL04.jpg

Cutsnake88 (Author) Posted December 26, 2013

> ...Generally, not so! SpamCop attempts to "munge" your e-mail address, unless you tell it to not do so or it misses a place where it appears, as it sometimes does. See the last paragraph of SCWiki entry "Mung / Munge / Obfuscate."

If the spammer is also the server admin, it would be easy to trace the original email using the email ID etc in the header. I have to assume that information - added by the originating server on the way out - wouldn't be munged, allowing reputable ISPs to track spammer activity and complaints. If that's the case, munging the email and other ID stuff included in the original email doesn't help when the spammer is also the server admin.

turetzsr Posted December 27, 2013

> <snip> If the spammer is also the server admin, it would be easy to trace the original email using the email ID etc in the header. I have to assume that information - added by the originating server on the way out - wouldn't be munged, allowing reputable ISPs to track spammer activity and complaints. <snip>

...And your assumption, while reasonable, would be wrong. <g>

...But you don't have to take my word for it, just click the "Preview Reports" button after parsing; if you don't like what you see, click the "Cancel" button. If you are so inclined, you can re-submit, first editing the internet header to remove the offending content, provided that you change only the information that identifies you, personally, not any IP addresses or other header information that the parser uses to find the spam source (and replace the edited-out information with a comment that indicates that you made the edit). The only remaining concern would be that the spammer may have hidden some information in the spam internet header or the spam body that you could not recognize as identifying your e-mail address. If you fear that might be the case then, yes, you should uncheck all the boxes next to the abuse addresses for the spam source to which SpamCop offers to send the complaint, then click the (now mislabeled) "Send spam Report(s) Now" button, which will submit the information only to the statistics database used by SpamCop to determine whether a spam source should be included on the SpamCop blacklist.

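An added example, not part of any post in this thread and not SpamCop's own code: a sketch of the manual header edit described above. It replaces the reporter's address, in plain form or in a few encodings that could serve as a tracking token, with a marker, and rejects the edit if any Received-line IP changes. The address, domains, IP, queue ID and marker text are constructed for illustration.

```python
import base64
import hashlib
import re

ADDR = "user@example.org"  # constructed reporter address
TOKEN = base64.b64encode(ADDR.encode()).decode()  # a disguised copy of it

# Constructed sample header: documentation domains and IP, not taken from the thread.
SAMPLE = f"""\
Return-Path: <bounce-{TOKEN}@mailer.example.net>
Received: from out1.mailer.example.net (out1.mailer.example.net [203.0.113.87])
\tby mx.example.org with SMTP; Wed, 13 Nov 2013 20:23:56 +1100
Received: from WS1 (unknown [192.168.0.68])
\tby host.mailer.example.net (Postfix) with ESMTPA id 0123456789AB
\tfor <{ADDR}>; Wed, 13 Nov 2013 13:31:49 +0530 (IST)
To: <{ADDR}>
Subject: Constructed sample
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(headers):
    """Bracketed IPs in Received lines, which a parser uses to find the source."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    return [ip for line in unfolded.splitlines()
            if line.lower().startswith("received:")
            for ip in IP_RE.findall(line)]

def encodings(addr):
    """Forms in which an address can be embedded as a tracking token."""
    raw = addr.lower().encode()
    return {
        "plain": addr,
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
        "md5": hashlib.md5(raw).hexdigest(),
    }

def munge(headers, addr, marker="[munged by reporter]"):
    """Replace every recognised form of addr; return (new_headers, forms_found)."""
    out, found = headers, []
    for name, token in encodings(addr).items():
        pattern = re.compile(re.escape(token) + "=*", re.IGNORECASE)
        if pattern.search(out):
            found.append(name)
            out = pattern.sub(marker, out)
    if received_ips(out) != received_ips(headers):
        raise ValueError("edit changed a Received IP")
    return out, found
```

Calling `munge(SAMPLE, ADDR)` returns the edited header and the list of forms that were found; identifiers it does not recognise (a sender's own per-recipient ID, for example) are left untouched, which is the remaining concern raised in the post above.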
Cutsnake88 (Author) Posted December 27, 2013

> ...And your assumption, while reasonable, would be wrong. <g>

Ah, well... I've been wrong before!

I've got so I know many of the tracking IDs embedded in the body of my repeated spammers and mung those myself. That's a sad state of affairs, really!

turetzsr Posted December 27, 2013

> Ah, well... I've been wrong before! <snip>

...And I strongly resemble that remark, m'self! <g>

petzl Posted January 1, 2014

> If the spammer is also the server admin, it would be easy to trace the original email using the email ID etc in the header. I have to assume that information - added by the originating server on the way out - wouldn't be munged, allowing reputable ISPs to track spammer activity and complaints. If that's the case, munging the email and other ID stuff included in the original email doesn't help when the spammer is also the server admin.

Police in India say they have arrested six foreign nationals suspected
http://www.bbc.co.uk/news/technology-16392960

Archived
This topic is now archived and is closed to further replies.