lsadmin
Posted June 24, 2014

We have been using SpamCop to file received spam reports for a decade or more. Recently, we have received a high volume of spam, to multiple email addresses, all from plusserver.de.

Netblock: 62.75.202.0 - 62.75.202.255

We have been reporting via SpamCop the spam that we receive from this source for well over 60 days at this point; however, NONE of the IPs we've reported, including the ones just reported in the previous 24 hours, are listed in the SpamCop blacklist. Why is this?

Here is a list of domains and IP addresses that have been used to send us UCE, specifically over the past 48 hours:

smrinfo.com, bawift.org, refreshhomes.com, wallstreetallocate.com, emailbootcom.com

62.75.202.148, 62.75.202.149, 62.75.202.182, 62.75.202.189, 62.75.202.203, 62.75.202.224, 62.75.202.240, 62.75.202.246, 62.75.202.250, 62.75.202.253, 62.75.202.50, 62.75.202.74, 62.75.202.84, 62.75.202.98

I'd like to know what's going on with this?

turetzsr
Posted June 24, 2014

Hi, lsadmin,

...Sorry to hear of your problem.

...If I understand your question correctly, the answer will be found in the SpamCop FAQ Topic labeled "What is on the list?" especially the sections labeled "How the SCBL Works" and "SCBL Rules." Things to especially note:

- SpamCop counts separate IP addresses as separate sources, so if you send 14 reports, one against each server "owned" by plusserver.de, SpamCop does not count this as 14 reports against plusserver.de but, rather, one report against each IP address, as if each were "owned" by entirely different domains.
- Reports from one user (for example, you) are not sufficient to list an IP address.
- The number of reports by us reporters is compared to the total number of e-mails seen to be coming from the IP address in question, and only those with a relatively high ratio of reports to total e-mails are likely to get on the blacklist.

petzl
Posted June 24, 2014

> We have been using SpamCop to file received spam reports for a decade or more.
> [snip abuse[at]plusserver.de reporting not effective]
> I'd like to know what's going on with this?

Perhaps you may have success at forwarding as attachment to abuse[at]plusserver.de and certbund[at]bsi.bund.de

http://www.first.org/members/teams/cert-bund

Might be more reactive when they see they are being reported to CERT as well?

kluless
Posted June 29, 2014

I'm having a similar problem with colocrossing.com, I receive 3 or 4 spam mails from them every day, which I report - but it seems they don't think that their unsolicited mails are spam.

petzl
Posted June 29, 2014

Aside from a SpamCop report you need to forward each spam as attachment to BOTH abuse[at]colocrossing.com AND spam[at]uce.gov

In YOUR report show SpamCop tracking URL and other details like "Unsubscribes don't work just worsen attack" or whatever.

You will probably only get "list washed" but spam should stop.

kluless
Posted July 12, 2014

> Aside from a SpamCop report you need to forward each spam as attachment to BOTH abuse[at]colocrossing.com AND spam[at]uce.gov
> In YOUR report show SpamCop tracking URL and other details like "Unsubscribes don't work just worsen attack" or whatever.
> You will probably only get "list washed" but spam should stop.

Thanks, the additional reports to uce.gov seem to have helped to stop the spam.

petzl
Posted July 13, 2014

> Thanks, the additional reports to uce.gov seem to have helped to stop the spam

The or any report needs BOTH abuse address of USA ISP and the uce.gov, then include some details in message from SpamCop track

171.33.254.71 (Administrator of IP block - statistics only)

and the track

http://www.spamcop.net/sc?id=z5911068694zb...574452b2b32ba3z

plus message (I use a boilerplate text)

BOTNET ATTACK HOST
BLOCK OUTBOUND PORT 25, RESERVE FOR LEGIT EMAIL SERVER
CHANGE TO SECURE PASSWORD
SCAN INFECTED COMPUTER FOR MALWARE

which becomes in report

http://www.spamcop.net/sc?id=z5911068694zbd5a8876fc583e92f3574452b2b32ba3z
171.33.254.71 (Administrator of network where email originates)
BOTNET ATTACK HOST
http://cbl.abuseat.org/lookup.cgi?ip=171.33.254.71
BLOCK OUTBOUND PORT 25, RESERVE FOR LEGIT EMAIL SERVER
CHANGE TO SECURE PASSWORD
SCAN INFECTED COMPUTER FOR MALWARE

oliveerr
Posted January 17, 2015

This "serious" Company is free of pain. I have been receiving spam from their "serious" customer for a few months and sent them all, with the header, first to the abuse address, later to all eMail addresses of theirs that I found. I also called them and talked with them in a nice way to resolve this problem. Later on I received this eMail from them:

Dear Mr xyx,
I have escalated this issue to our ABUSE management.
I was told by the local colleagues reported that the process now to the appropriate support area for clarification and correction with the operator of the server (a Reseller) was passed.
Yours sincerely
IST_DOCH_REGAL
- Head of Technical Support -

That was in the first week of January ... On 13 January I got another spam eMail from the customer, and one more time I gave them a phone call and they promised me to shut down the server until further clarification; at the same time I also forwarded this problem to an Executive Assistant - ironically the server was OFFLINE for half an hour - but somebody has probably noticed and turned the server on again, or the cleaning lady has cleaned the room.

So I informed them several times to stop this customer, but I think they say hello to my lawyer.
Archived
This topic is now archived and is closed to further replies.