lpsears63 Posted January 3, 2016

I have been getting a lot of various spam/phishing emails from different domains using different IPs that all lead to NGTC as host. They have a block of IPs ranging from [116.128.0.0] to [116.191.255.255] and are from China. They apparently host 14 domains and have 118 of those IPs active, and of those another 59 have browsers, but they are not listed as a host provider. Thing is, that is all I can find out about them. None of the emails originate from any of the active IPs. When doing a search for New Guoxin Telecom Corporation I only come up with addresses, from them, that other people are complaining about getting spam from. It is one of seven of the largest IP blocks in China, none any larger, and China has 6361 blocks assigned to them.

I do not want to block the whole range; that would only succeed in me not getting the emails. The emails would still continue to be sent to others. Spamcop is only sending reports to the Chinese Government, and I don't think they care about what kind of emails some dumb American is receiving. I have helped to get 5 of the last 42 domains suspended thru their registrar, because they were blacklisted (that's the only time the registrar will help). Now the spammers have just changed name providers, and close the domain(s) more quickly to avoid being on the blacklist.

Spamcop has helped me a lot in reducing the volume of spam that I receive. I have gone from 80 a day to around 3 a day, in the last month. So, how do I help Spamcop to keep up with Chinese spammers that are moving so quickly? And, how do you shut down spam that originates from a non-existent company?

Sorry, I thought I was posting this in the lounge.

petzl Posted January 4, 2016

A tracking URL of one would help.

Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6203511080z8df1204de7f0fa708fef140a3df8c0daz

I'm getting them too, all criminal phishing, child porn, you name it. I add these addresses to report:

cncert[at]cert.org.cn
zhouxm[at]chinaunicom.cn
info[at]cn.verizon.com

I will be reporting the websites from redirecting links depending on time; again, most are unresponsive. Boiler plate below:

>
China, Chaoyang Verizon Business
criminal phishing fraud by spam crime gang
116.136.55.11 (Administrator of network where email originates)
China, Chaoyang Verizon Business
http://www.spamhaus.org/query/bl?ip=116.136.55.11
http://www.spamhaus.org/sbl/query/SBL214384
Register Of Known spam Operations (ROKSO)
spam Operation: Michael Lindsay
116.128.0.0/10 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Michael Lindsay
New Guoxin Telecom Corporation
Based on research, analysis of network records, our own intelligence sources and our experience, Spamhaus believes that this IP address range is being used or is about to be used for the purpose of high volume spam emission. As a precaution we are listing this range in an SBL Advisory until we are able to determine with certainty exactly who is operating these domains/hosts/servers and also verify the opt-in permission status and origin of whatever lists are used for those mailings.
>

lpsears63 Posted January 4, 2016

petzl, Is this what you mean?
https://www.spamcop.net/mcgi?action=gettrack&reportid=6398799410
Or do you need directly to my spam folder, or directly to the original header? Right now most of these are either sexual solicitation or trademarked company spoofs. And how did you get MY url?

lpsears63 Posted January 4, 2016

Yea!!!! I just got two more of their domains suspended! That makes 7 from NGTC in the last week, and (I'm losing count) around thirty or so in the last month (the other 25 or so are from other hosts).

lpsears63 Posted January 4, 2016

petzl, here's a fresh one.
https://www.spamcop.net/mcgi?action=gettrack&reportid=6398954659

Dave_L Posted January 4, 2016

Those aren't tracking URLs. After you parse the spam, look for this:

Here is your TRACKING URL - it may be saved for future reference:

lpsears63 Posted January 4, 2016

OK, thanks.
https://www.spamcop.net/sc?id=z6203828180zc17dd596d0925629594d7b32f08159e2z
https://www.spamcop.net/sc?id=z6203733885zbb0106cbfe92a7d7c0e170de92b55aa5z
https://www.spamcop.net/sc?id=z6203592645zc128a65ac7972c07d405d4f619e1ee60z

petzl Posted January 4, 2016

No, at the top of spam reporting page copy link SpamCop provides - but I see you have found it.
https://www.spamcop.net/sc?id=z6203891807z78ea35faf901bc3f0171228e59d9b57fz

Verizon (USA) knowingly own and operate the domain in China for a criminal!
http://www.spamhaus.org/rokso/spammer/SPM818/michael-lindsay

All you can do is add reporting addresses to your report:

cncert[at]cert.org.cn
zhouxm[at]chinaunicom.cn
info[at]cn.verizon.com
spam[at]uce.gov

Perhaps make a txt "boiler plate" to easily add notes (try to better mine). <> inequality signs: the sign > just helps the formatting on a SC report. Without them SC makes them unreadable (won't word wrap properly).

>
China, Chaoyang - Domain operator Verizon Business (USA operated)
spam[at]uce.gov
criminal phishing fraud by spam crime gang
http://www.spamhaus.org/sbl/query/SBL214384
Register Of Known spam Operations (ROKSO)
spam Operation: Michael Lindsay
116.128.0.0/10 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Michael Lindsay
New Guoxin Telecom Corporation
Based on research, analysis of network records, our own intelligence sources and our experience, Spamhaus believes that this IP address range is being used or is about to be used for the purpose of high volume spam emission. As a precaution we are listing this range in an SBL Advisory until we are able to determine with certainty exactly who is operating these domains/hosts/servers and also verify the opt-in permission status and origin of whatever lists are used for those mailings.
>

Here is one I finished:

>
116.159.251.191 (Administrator of network where email originates)
China, Chaoyang - Domain operator Verizon Business (USA operated)
spam[at]uce.gov
criminal phishing fraud by spam crime gang
http://www.spamhaus.org/query/ip/116.159.251.191
http://www.spamhaus.org/sbl/query/SBL214384
Register Of Known spam Operations (ROKSO)
spam Operation: Michael Lindsay
116.128.0.0/10 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Michael Lindsay
New Guoxin Telecom Corporation
Based on research, analysis of network records, our own intelligence sources and our experience, Spamhaus believes that this IP address range is being used or is about to be used for the purpose of high volume spam emission. As a precaution we are listing this range in an SBL Advisory until we are able to determine with certainty exactly who is operating these domains/hosts/servers and also verify the opt-in permission status and origin of whatever lists are used for those mailings.
>

lpsears63 Posted January 7, 2016

Hi petzl, I quit sending reports to the Chinese; they don't respond. And info[at]cn.verizon.cn won't even accept my emails. The first place that I started sending reports to was spam[at]uce.gov, then I added phishing-report[at]us-cert.gov. Then I was sending the reports to anyone even remotely connected with the email. The best luck I've had though has been with the domain's registrar (except for abuse[at]web.com, they suck). They will only investigate if they find the domain on a blacklist, but I have gotten over 30 domains suspended in the last month. Not a lot, about one a day, but it makes me feel better. But it also has reduced my spam volume from 80 a day to three or less.

Anyway I've been using a "boiler plate" for a few weeks now, though I didn't know it was called that. I did have to make a second one just for the Chinese. You helped me to rewrite it (I stole some from you, I hope you don't mind).

Hello,
My name is L...... S......, and I have received an unsolicited and unwanted email from '''''''''''''.faith and ''''''''''''''.date. Using an IP allocated to New Guoxin Telecom Corporation in Beijing, China. Whose IP block [116.128.0.0]-[116.191.255.255] is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Michael Lindsay: New Guoxin Telecom Corporation. See link below:
http://www.spamhaus....query/SBL214384
I consider it to be "spam" or "phishing attack" and may contain malicious links. My address was obtained without my consent. Please, if you respond to this email, kindly refer to the domain(s) in question. As I send out many such reports.
Thank you.

petzl Posted January 7, 2016

NEVER use your full name; your first is adequate.

I'm not having much luck either. Just keep pounding through SC reports. By all means use anything I write you think is helpful.

Try to keep out of jail.
It is spam but I get so many of them they are a DoS attack also!

Haven't tried a registrar, but yes, good idea. If it is porn call it child porn, definition below:

Child porn spammer
pictures under 18 or made to look under 18
NO PROOF OF AGE available!
SENT TO MINORS
China, Chaoyang are on a blacklist
http://www.spamhaus.org/sbl/query/SBL214384
Register Of Known spam Operations (ROKSO)
spam Operation: Michael Lindsay
116.128.0.0/10 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Michael Lindsay

I added this to end of my boiler plate, which should stop spam being sent:

BLOCK OUTBOUND PORT 25, RESERVE FOR LEGIT EMAIL SERVER
Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (Ask your ISP to check for you.)

lpsears63 Posted January 7, 2016

NEVER use your full name; your first is adequate.

petzl, Never really thought much about not using my full name. Did just try 20 different email lookups, only 2 found me, but those would cost someone $20-$30 just to view. I don't belong to any social networks so they can't find me that way. Googled my email and just got a link to Spamcop)))) I have searched my name before, and around 70 people in the US share the same name as mine.

Of the three that have been using the NGTC IPs, at this point I have found more about them. Well, at least two of them. One was smart enough to use an alias, the other two only munged their address around a little. It wasn't that hard to figure out. Things like using Rd. instead of Dr. or north when it should be north-west or using the town 10 mi. down the road. Which of course could be all completely fake, but some people don't really have that much imagination.

Since I started getting the few domains suspended that I have. Four from Donna L. McCorkle, she has dumped all of her GTLD's and only kept her .com domains. She had over two thousand domains and now only 12 remain. James Francis still has a little over 100, but those are all .com ones too. They don't seem to like to send spam with those. The generic TLD's cost a lot less. Just like throw away cell phones drug dealers use. Also, these are US citizens using the Chinese IPs.

Maybe I'll replace my name with just my email instead. If I just use my first name, anyone with half a brain can figure out what my last name is by looking at my email.

Well it looks like I still don't have the quote thing down yet. Forgive me, I never post in any forums or anything. This is all a first. Thanks for all your help, and for talking to me.

Almost forgot to tell you. I did send a report to IC3 about NGTC. I think actually that CNNIC knows all about the issue, which means so does the Chinese Government. That is why no response or help from them.

petzl Posted January 19, 2016

Don't know why but for a week no spam from them? Must have reported a 1000 times?

lpsears63 Posted January 19, 2016

petzl, on 18 Jan 2016 - 9:05 PM, said: Don't know why but for a week no spam from them?

Hey Petzl, Same here. Actually, not much from anyone right now, nine altogether since Jan. 7th. Most of which are pretty hard to track. They use Office365, then bounce it all over the place. They'll use a private network address then go thru a loopback to another private address then bounce it around a little more before it gets to me.

I did find out that Microsoft has their own CERT address; you can report directly at www[dot]cert[dot]Microsoft[dot]com or email at cert[at]Microsoft[dot]com. I think you get faster response using the website. And is used only for Microsoft account abuse. I don't always know whether someone else would consider an email spam or phishing, and I'm not about to click on a link to find out if it's malicious or not. So, I still send anything originating from Office365 or Outlook to the other three emails they have. In case you're not familiar with them they are abuse[at]Microsoft[dot]com, junk[at]Microsoft[dot]com and report_spam[at]outlook[dot]com.

As for NGTC, they either got sick of me closing down their domains as soon as they would start using them, or I'm in for a big DoS attack. Hope not the latter.

I did check on what outbound ports my server uses, and they use both 587 and 25, depending on the volume that's going thru. The security I'm using, I found out, has a stealth port shield already set up on it. So someone trying to find an open port on my computer can't find one. Tested, it seems to work fine.

Anyway, it's good to know you're still here, and your spam count is down too. Talk with you soon.

petzl Posted January 19, 2016

Hopefully "we" won one? Good work, thanks.

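An added example, not part of the original posts: the thread quotes the block both as a start/end range and as 116.128.0.0/10, and describes mail that passes through private and loopback hops before delivery. The sketch below confirms the two notations are the same block and walks Received headers from the top, trusting only hops recorded by the recipient's own relays, to find the address worth checking against that block. The headers, hostnames and the 203.0.113.0/24 "own provider" relay are constructed assumptions; 116.136.55.11 is the address quoted in the thread.

```python
import email
import ipaddress
import re

# Range as quoted in the first post, and the CIDR form from the SBL text.
RANGE_FIRST, RANGE_LAST = "116.128.0.0", "116.191.255.255"
SBL_BLOCK = ipaddress.ip_network("116.128.0.0/10")

# Loopback and RFC 1918 hops are internal handoffs, never a reportable source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the recipient's own provider relays from this documentation net.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

FROM_IP = re.compile(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

# Constructed sample; hostnames and the 10.x / 127.x hops are invented.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
\tby mail.recipient.example with ESMTP id a1; Mon, 4 Jan 2016 10:00:03 +0000
Received: from relay.invalid (unknown [116.136.55.11])
\tby mx.example.net with ESMTP id b2; Mon, 4 Jan 2016 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby relay.invalid with ESMTP id c3; Mon, 4 Jan 2016 09:59:59 +0000
Received: from [10.1.2.3] (unknown [10.1.2.3])
\tby localhost with SMTP id d4; Mon, 4 Jan 2016 09:59:58 +0000
From: "Example" <promo@sender.invalid>
Subject: constructed sample

body
"""

def range_to_cidrs(first=RANGE_FIRST, last=RANGE_LAST):
    """Collapse a start/end range into the CIDR blocks that cover it exactly."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def received_ips(raw):
    """Source IP of each Received header, newest (top) first; None if absent."""
    ips = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = FROM_IP.search(value)
        try:
            ips.append(ipaddress.ip_address(m.group(1)) if m else None)
        except ValueError:
            ips.append(None)
    return ips

def first_untrusted_source(raw, trusted=TRUSTED_NETS):
    """First address that handed the mail to a relay we trust.

    Headers below that hop were written by the sending side and may be
    forged, so the walk stops there instead of reading further down.
    """
    for ip in received_ips(raw):
        if ip is None:
            return None  # chain of custody broken; do not guess
        if any(ip in net for net in INTERNAL_NETS + trusted):
            continue     # our own relay or an internal handoff
        return str(ip)
    return None

def in_sbl_block(ip):
    return ipaddress.ip_address(ip) in SBL_BLOCK

if __name__ == "__main__":
    src = first_untrusted_source(SAMPLE)
    print(range_to_cidrs(), src, in_sbl_block(src))
```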
Archived
This topic is now archived and is closed to further replies.