mrbungle Posted March 20, 2014
The domain administrator has not done anything to stop the flow of UCE from 184.22.119.205. I have been flooded with dozens more messages today. I'm also seeing UCE from 184.22.119.204 now, which also claims to have been resolved and which I am betting has not. The whois information for that IP can be found at URL: http://www.networksolutions.com/whois/resu...=184.22.119.205
petzl Posted March 21, 2014
Just forward all spam as attachments to spam[at]uce.gov and nic[at]hostnoc.net. It also pays to include the SpamCop tracking URL if possible, like http://www.spamcop.net/sc?id=z5816892251ze...191e36e2e7570bz
Farelf Posted March 21, 2014
Like you, I currently see from SC "ISP believes this issue is resolved: 184.22.119.205 - no date available", not that I'm getting any of that spam in my inbox. I don't see any SC member reports after 12 March 2014 ... http://www.spamcop.net/w3m?action=map;mask...536;sort=ipsort (go down to 184.22.119.0/24) indicates no "big picture" problems with the allocation, but does indicate mass-mailing hosts there.

SenderBase is not so forgiving: http://www.senderbase.org/senderbase_queri...=184.22.119.205 with a "POOR" email reputation and "Very High" spam volumes, presumably masked by even higher legitimate mail volumes. Very frustrating, but not destined for SCBL listing until you (and, necessarily, other reporters) consistently report it, or it hits SC spamtraps.

It is listed on other DNSBLs (http://multirbl.valli.org/dnsbl-lookup/184.22.119.205.html), with some of the more authoritative ones being Barracuda, SORBS and Spamhaus DBL. 184.22.119.205 is ns11.bluelightdeals.net but with no forward-reverse DNS match, which might limit the effectiveness of some detections and lookups. SenderScore.org gives that server a really lousy reputation score of just 8 (/100).

Hard to credit that any of the mail from 184.22.119.205 actually gets delivered anywhere with poor reputations and blocklist registrations. I guess bluelightdeals' "solution" to the high rates of rejection and filtering is simply to pump out higher volumes. Anyway, it should be easy to keep it out of your inbox, but don't just have it deleted: divert it and report it first.
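Farelf's checks above (DNSBL lookups and the missing forward-reverse DNS match) can be scripted. The following is an added example written for this page, not SpamCop's, SenderBase's or multirbl's code. It queries three public DNSBL zones (an assumption; pick the zones you trust) and runs the forward-confirmed reverse DNS test, with the resolver functions injected so that the constructed answers at the bottom (the example.net hostnames are hypothetical and the listings are not real data) exercise it offline. It goes slightly beyond the post by discarding DNSBL answers outside 127.0.0.0/8, which is how a parked or hijacked zone would otherwise look like a listing.

```python
"""DNSBL and forward-confirmed reverse DNS (FCrDNS) checks for one sending IP.

Added example, not SpamCop's or any listed service's code. The lookup logic
takes resolver callables so it runs offline against the constructed answers
below; invoked as a script with an IP argument it uses the real DNS through
the standard library.
"""
import ipaddress
import json
import socket
import sys

# Public DNSBL zones queried by the example (assumption: these zones accept
# queries from your resolver; heavy users need a data feed, not public DNS).
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the octets: 184.22.119.205 under zen.spamhaus.org becomes
    205.119.22.184.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Real resolver: sorted A records for name, [] on NXDOMAIN or error."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_ptr(ip):
    """Real resolver: PTR name for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def dnsbl_listings(ip, resolve_a_fn=resolve_a, zones=DNSBL_ZONES):
    """Map zone -> answer addresses for every zone that lists ip.

    A listing is an answer inside 127.0.0.0/8. Any other answer (a parked
    zone's wildcard, a captive DNS) is ignored instead of being trusted.
    """
    hits = {}
    for zone in zones:
        answers = [a for a in resolve_a_fn(dnsbl_query_name(ip, zone))
                   if ipaddress.IPv4Address(a) in LISTED_RANGE]
        if answers:
            hits[zone] = answers
    return hits


def fcrdns(ip, resolve_a_fn=resolve_a, resolve_ptr_fn=resolve_ptr):
    """(ok, ptr_name): ok only when the PTR name's A records include ip."""
    name = resolve_ptr_fn(ip)
    if not name:
        return False, None
    return ip in resolve_a_fn(name), name


def assess(ip, resolve_a_fn=resolve_a, resolve_ptr_fn=resolve_ptr):
    """Combine both checks into one report for the sending IP."""
    ok, name = fcrdns(ip, resolve_a_fn, resolve_ptr_fn)
    return {"ip": ip, "ptr": name, "fcrdns": ok,
            "dnsbl": dnsbl_listings(ip, resolve_a_fn)}


# Constructed answers for the offline demonstration; not real DNS data.
# 184.22.119.205 mirrors the thread's case: a PTR exists but the name does
# not resolve back to the IP, and two zones list it. bl.spamcop.net answers
# with a non-127 address to show a non-listing being discarded.
FAKE_A = {
    "205.119.22.184.zen.spamhaus.org": ["127.0.0.2"],
    "205.119.22.184.b.barracudacentral.org": ["127.0.0.2"],
    "205.119.22.184.bl.spamcop.net": ["203.0.113.9"],
    "ns11.example.net": ["192.0.2.10"],
    "mail.example.net": ["198.51.100.25"],
}
FAKE_PTR = {"184.22.119.205": "ns11.example.net",
            "198.51.100.25": "mail.example.net"}


def fake_a(name):
    return FAKE_A.get(name, [])


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    # Offline demo by default; pass an IP to query the real DNS.
    if len(sys.argv) > 1:
        print(json.dumps(assess(sys.argv[1]), indent=2))
    else:
        for demo_ip in FAKE_PTR:
            print(json.dumps(assess(demo_ip, fake_a, fake_ptr), indent=2))
```

A practitioner would treat a missing FCrDNS match as a score, not a reject, since plenty of legitimate mail hosts get it wrong; the DNSBL hits are the stronger signal, and which zones you hard-reject on is a local policy decision.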
mrbungle (Author) Posted March 21, 2014
It's being filtered with SpamAssassin. I reported every one I received even though SpamCop kept telling me the issue has been resolved. I am now dropping all traffic from those IPs to stop the flood.
pHil
Farelf Posted March 22, 2014
Oh, I see (I think). I'm at cross-purposes. It's been ages since I've seen one of those untruthful "issue resolved" cases. Reaching back: when that happens the parser doesn't offer to send reports (and presumably doesn't add the instance to the stats for the IP address). BUT it (used to) each time offer the opportunity to appeal against the notation (with the stern injunction "experienced users only"). HAVE YOU APPEALED? You are experienced. That's the way to have it reviewed. As said, no reports registered since 12 March. If they're still coming after even just several days since then, that would be sufficient to show the mail admin responsible was either lying through his teeth or hopelessly over-optimistic. In either case I don't think SC admin/deputies will readily forgive him. It may take more than one reporter to appeal, I don't know (but don't think so; surely that's why the stipulation of experienced reporters?).
Steve
mrbungle (Author) Posted April 1, 2014
I have not appealed; didn't even realize that was an option. No longer seeing UCE from those IPs since I started dropping all traffic. There is another untruthful "issue resolved" admin out there, so far for the IPs
109.236.89.232
109.236.89.233
109.236.89.235
109.236.89.236
109.236.89.238 => this one was today
They are all between 6M and 8M in size with embedded JPG images, so the reports get truncated due to size.

After resubmitting the UCE from today I see no option to appeal when the page refreshes to tell me the issue has been resolved. Am I looking in the wrong place?
mrbungle (Author) Posted April 1, 2014
There is another block of IPs that continue sending me UCE daily. The messages are between 5M and 8M with embedded JPG images, so the reports get truncated through the web GUI. Every one I have reported claims the issue has been resolved. So far the IPs I am now dropping all traffic from are:
109.236.89.232
109.236.89.233
109.236.89.235
109.236.89.236
109.236.89.238 => from this IP today
mrbungle (Author) Posted April 1, 2014
Add another from today: 109.236.89.21. Not yet showing up as issue resolved.
petzl Posted April 2, 2014
Better if you could show the tracking URL. Spammers are now using compromised email accounts. In my Hotmail I get about 20 a day, all from compromised email accounts. IF the email server stamps the injection point, they are always from botnet attack hosts. This is the tracking link from my SpamCop email: http://www.spamcop.net/sc?id=z5841572594zc...a7ab0b5a90da4bz
1.82.191.88 (administrator of the network where the email originates). But the injection point is the botnet attack host 119.129.246.72: http://cbl.abuseat.org/lookup.cgi?ip=119.129.246.72 (CBL will shut off lookups if hit too many times!) SenderBase shows it is still spewing spam: http://www.senderbase.org/senderbase_queri...=119.129.246.72
Very much points out a NEED for TLS LOGIN.
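petzl's distinction between the network the mail came from (1.82.191.88) and the injection point that network's server stamped (119.129.246.72) is exactly what a header walk has to recover. The following is an added example, not SpamCop's parser: it parses Received: headers newest-first, believes only hops stamped by receivers you name as trusted (the trusted host and all .invalid names are hypothetical, and the sample headers are constructed, reusing only the two IPs from the post), and flags an ESMTPA stamp as authenticated submission, which is the compromised-account case petzl describes. Anything older than the injection hop is counted as unverifiable rather than believed, because the sender's own machine wrote it.

```python
"""Find the hand-off and injection point in a spam's Received: trail.

Added example, not SpamCop's parser. It walks the Received: headers newest
first, believes only the hops stamped by receivers you name as trusted, reports
the IP that handed the message to you and, when that server stamped its own
incoming connection, the IP that injected the message there. Everything older
was written by machines the spammer may control and is counted, not believed.
"""
import json
import re

# Common MTA stamp: "from HELO (rdns [ip]) by HOST (...) with PROTO id ..."
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.S,
)
PROTO_RE = re.compile(r"\bwith\s+(?P<proto>[A-Z]+)")


def received_hops(raw_headers):
    """Unfold continuation lines and parse every Received: header, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        m = HOP_RE.search(body)
        p = PROTO_RE.search(body)
        hops.append({
            "helo": m.group("helo") if m else None,
            "ip": m.group("ip") if m else None,
            "by": m.group("by") if m else None,
            "proto": p.group("proto") if p else None,
        })
    return hops


def find_source(hops, trusted_hosts):
    """Return hand-off/injection details, or None if no trusted hop is found."""
    trusted = {h.lower() for h in trusted_hosts}
    for i, hop in enumerate(hops):
        by = (hop["by"] or "").lower()
        helo = (hop["helo"] or "").lower()
        if by not in trusted:
            return None          # stamped by a machine we do not trust
        if helo in trusted:
            continue             # internal relay between our own hosts
        result = {
            "handoff_ip": hop["ip"],
            "handoff_host": hop["helo"],
            "injection_ip": None,
            "authenticated": False,
            "unverifiable_hops": len(hops) - i - 1,
        }
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        # Believe the next hop only if the hand-off server itself stamped it.
        if nxt and (nxt["by"] or "").lower() == helo:
            result["injection_ip"] = nxt["ip"]
            # ESMTPA / ESMTPSA: the injector logged in, i.e. used an account
            result["authenticated"] = (nxt["proto"] or "").endswith("A")
            result["unverifiable_hops"] -= 1
        return result
    return None


def analyze(raw_headers, trusted_hosts):
    return find_source(received_hops(raw_headers), trusted_hosts)


# Constructed sample (hostnames under .invalid are hypothetical; the two public
# IPs are the ones named in the thread). The last Received: line is one the bot
# wrote itself, so nothing in it can be believed.
SAMPLE_HEADERS = """\
Received: from mail-out.example-isp.invalid (mail-out.example-isp.invalid [1.82.191.88])
\tby mx.example.invalid (Postfix) with ESMTP id 4D3C2B1A
\tfor <victim@example.invalid>; Wed,  2 Apr 2014 09:10:11 +0000
Received: from [119.129.246.72] (unknown [119.129.246.72])
\tby mail-out.example-isp.invalid (Postfix) with ESMTPA id 9F8E7D6C;
\tWed,  2 Apr 2014 09:10:05 +0000
Received: from webmail.example.invalid ([10.0.0.5])
\tby home-pc with SMTP; Wed,  2 Apr 2014 09:09:59 +0000
Subject: constructed sample
"""

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_HEADERS, {"mx.example.invalid"}), indent=2))
```

The report to send goes to the owner of the hand-off IP, since that is the only address a trusted server vouched for; the injection IP is worth mentioning to them (and to the CBL, as petzl does), but its stamp is only as honest as the hand-off server.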
lisati Posted April 2, 2014
Definitely looks like the folks who administer 1.82.191.88 need to tighten up who they accept mail from. Open relay? Maybe, maybe not.
petzl Posted April 2, 2014
A botnet is more than an open relay! In fact I haven't seen an "open relay" used for years. It is in effect a zombie computer, or a computer that is taken over while on the internet. Usually hackers scan that botnet computer for credit card numbers, account passwords, even home addresses. Robberies do happen using this information! Spamming is just a "value add" to their crime.
Farelf Posted April 2, 2014
That's the right place as I recall it. Maybe things have changed. And as petzl notes, it is always good for you to provide a Tracking URL when discussing report submissions and matters arising from them; that way we see exactly and all of what you are seeing and, if needed, some of us can even dummy a like submission to replicate the whole submission process (which would be subsequently cancelled of course).
lisati Posted April 2, 2014
True about the botnet bit. What I'd spotted was the reference to Postfix in the message headers, which is fairly easily configured to prevent unauthorised access from outside sources that might want to relay spam. When I was running my own email server, I was using Postfix as the MTA; the spam mentioned in the tracking link you provided would have either been caught by the CBL listing, or possibly rejected with a "relaying not allowed" message.
petzl Posted April 2, 2014
I remember some using "blocklists" to prevent access to mail servers but I'm not sure how it was done. The SCBL was used to give a "try again in 24 hours" message.
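What lisati describes (Postfix refusing to relay for strangers and rejecting clients on the CBL) and the "try again later" behaviour petzl remembers for the SCBL both map onto Postfix's smtpd restriction lists. The fragment below is an added example for this page, not lisati's or petzl's configuration; the network in mynetworks and the choice of DNSBL zones are assumptions. It also switches on TLS-only authentication, which is the "TLS LOGIN" petzl asked for earlier in the thread.

```conf
# main.cf fragment (added example, not any poster's configuration). The
# network in mynetworks and the DNSBL zones are assumptions; adjust to your
# site. Postfix 2.10 and later evaluates smtpd_relay_restrictions before
# smtpd_recipient_restrictions; older releases only have the latter, so
# reject_unauth_destination is kept in both.

mynetworks = 127.0.0.0/8, [::1]/128

# Accept AUTH only inside TLS, so account passwords never cross in clear and a
# sniffed login cannot become a "compromised account" used for spam.
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

# Relay policy: our own networks and authenticated clients may relay anywhere;
# everyone else may only deliver to domains we host. Order matters: the two
# permit_ entries are safe only because reject_unauth_destination follows them
# and nothing more permissive precedes it.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Inbound policy: refuse clients with no reverse DNS at all (the stricter
# reject_unknown_client_hostname also demands a forward-confirmed match),
# hard-reject clients on the long-standing lists, and soft-fail (4xx, "try
# again later") on the SpamCop list, whose listings are short-lived, so a
# false positive only delays mail instead of bouncing it.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_reverse_client_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org,
    defer_if_reject,
    reject_rbl_client bl.spamcop.net
```

Before enforcing a new restriction, put warn_if_reject in front of it: Postfix then logs what it would have rejected without rejecting anything, which is the only safe way to measure a list's false-positive rate on your own traffic.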
This topic is now archived and is closed to further replies.