receiving spam from new guoxin telecom corporation


lpsears63

I have been getting a lot of various spam/phishing emails from different domains using different IPs that all lead to NGTC as host. They have a block of IPs ranging from [116.128.0.0] to [116.191.255.255] and are from China. They apparently host 14 domains and have 118 of those IPs active, and of those another 59 have browsers, but they are not listed as a host provider. Thing is that is all I can find out about them. None of the emails originate from any of the active IPs. When doing a search for New Guoxin Telecom Corporation I only come up with addresses, from them, that other people are complaining about getting spam from. It is one of seven of the largest IP blocks in China, none any larger, and China has 6361 blocks assigned to them. I do not want to block the whole range, that would only succeed in me not getting the emails. The emails would still continue to be sent to others. Spamcop is only sending reports to the Chinese Government, and I don't think they care about what kind of emails some dumb American is receiving. I have helped to get 5 of the last 42 domains suspended thru their registrar, because they were blacklisted (that's the only time the registrar will help). Now the spammers have just changed name providers, and close the domain(s) more quickly to avoid being on the blacklist. Spamcop has helped me a lot in reducing the volume of spam that I receive. I have gone from 80 a day to around 3 a day, in the last month. So, how do I help Spamcop to keep up with Chinese spammers that are moving so quickly? And, how do you shut down spam that originates from a non-existent company?

Sorry, I thought I was posting this in the lounge.

Edited by lpsears63

A tracking URL of one would help

Here is your TRACKING URL - it may be saved for future reference:

https://www.spamcop.net/sc?id=z6203511080z8df1204de7f0fa708fef140a3df8c0daz

I'm getting them too all criminal phishing, child porn you name it

I add these addresses to report

cncert[at]cert.org.cn zhouxm[at]chinaunicom.cn info[at]cn.verizon.com

I will be reporting the websites from redirecting links depending on time, again most are unresponsive

boiler plate below

>

China, Chaoyang Verizon Business

criminal phishing fraud by spam crime gang

116.136.55.11 (Administrator of network where email originates) China, Chaoyang Verizon Business

http://www.spamhaus.org/query/bl?ip=116.136.55.11

http://www.spamhaus.org/sbl/query/SBL214384

Register Of Known spam Operations (ROKSO)

spam Operation: Michael Lindsay

116.128.0.0/10 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Michael Lindsay

New Guoxin Telecom Corporation

Based on research, analysis of network records, our own intelligence sources and our experience, Spamhaus believes that this IP address range is being used or is about to be used for the purpose of high volume spam emission.

As a precaution we are listing this range in an SBL Advisory until we are able to determine with certainty exactly who is operating these domains/hosts/servers and also verify the opt-in permission status and origin of whatever lists are used for those mailings.

>


petzl, Is this what you mean?

https://www.spamcop.net/mcgi?action=gettrack&reportid=6398799410

Or do you need directly to my spam folder, or directly to the original header?

Right now most of these are either sexual solicitation or trademarked company spoofs. And how did you get MY url?

No at the top of spam reporting page copy link SpamCop provides - but I see you have found it.

https://www.spamcop.net/sc?id=z6203891807z78ea35faf901bc3f0171228e59d9b57fz

Verizon (USA) knowingly own operate the domain in China for a criminal!

http://www.spamhaus.org/rokso/spammer/SPM818/michael-lindsay

all you can do is add reporting addresses to your report.

cncert[at]cert.org.cn zhouxm[at]chinaunicom.cn info[at]cn.verizon.com spam[at]uce.gov

perhaps make a txt "boiler plate" to easily add notes (try to better mine)

<> inequality signs, sign > just helps the formatting on a SC report. Without them SC makes them unreadable (won't word wrap proper)

>

China, Chaoyang - Domain operator Verizon Business (USA operated) spam[at]uce.gov

criminal phishing fraud by spam crime gang

http://www.spamhaus.org/sbl/query/SBL214384

Register Of Known spam Operations (ROKSO)

spam Operation: Michael Lindsay

116.128.0.0/10 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Michael Lindsay

New Guoxin Telecom Corporation

Based on research, analysis of network records, our own intelligence sources and our experience, Spamhaus believes that this IP address range is being used or is about to be used for the purpose of high volume spam emission.

As a precaution we are listing this range in an SBL Advisory until we are able to determine with certainty exactly who is operating these domains/hosts/servers and also verify the opt-in permission status and origin of whatever lists are used for those mailings.

>

Here is one I finished

>

116.159.251.191 (Administrator of network where email originates)

China, Chaoyang - Domain operator Verizon Business (USA operated) spam[at]uce.gov

criminal phishing fraud by spam crime gang

http://www.spamhaus.org/query/ip/116.159.251.191

http://www.spamhaus.org/sbl/query/SBL214384

Register Of Known spam Operations (ROKSO)

spam Operation: Michael Lindsay

116.128.0.0/10 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Michael Lindsay

New Guoxin Telecom Corporation

Based on research, analysis of network records, our own intelligence sources and our experience, Spamhaus believes that this IP address range is being used or is about to be used for the purpose of high volume spam emission.

As a precaution we are listing this range in an SBL Advisory until we are able to determine with certainty exactly who is operating these domains/hosts/servers and also verify the opt-in permission status and origin of whatever lists are used for those mailings.

>


Hi petzl,

I quit sending reports to the Chinese; they don't respond. And info[at]cn.verizon.cn won't even accept my emails.

The first place that I started sending reports to was spam[at]uce.gov, then I added phishing-report[at]us-cert.gov. Then I was sending the reports to anyone even remotely connected with the email. The best luck I've had though has been with the domain's registrar (except for abuse[at]web.com, they suck). They will only investigate if they find the domain on a blacklist, but I have gotten over 30 domains suspended in the last month. Not a lot, about one a day, but it makes me feel better. But it also has reduced my spam volume from 80 a day to three or less.

Anyway I've been using a "boiler plate" for a few weeks now, though I didn't know it was called that. I did have to make a second one just for the Chinese. You helped me to rewrite it (I stole some from you, I hope you don't mind).

Hello,

My name is L...... S......, and I have received an unsolicited and unwanted email from '''''''''''''.faith and ''''''''''''''.date. Using an IP allocated to New Guoxin Telecom Corporation in Beijing, China. Whose IP block [116.128.0.0]-[116.191.255.255] is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as:

Michael Lindsay: New Guoxin Telecom Corporation. See link below:

http://www.spamhaus....query/SBL214384

I consider it to be "spam" or "phishing attack" and may contain malicious links. My address was obtained without my consent.

Please, if you respond to this email, kindly refer to the domain(s) in question. As I send out many such reports. Thank you.

Edited by lpsears63

NEVER use your full name; your first is adequate

I'm not having much luck either. Just keep pounding through SC reports.

By all means use anything I write you think is helpful

Try to keep out of jail.

It is spam but I get so many of them they are a DoS attack also!

Haven't tried a registrar but yes good idea if it is porn call it child porn definition below

Child porn spammer
pictures under 18 or made to look under 18
NO PROOF OF AGE available!
SENT TO MINORS

China, Chaoyang are on a blacklist

http://www.spamhaus.org/sbl/query/SBL214384

Register Of Known spam Operations (ROKSO)

spam Operation: Michael Lindsay

116.128.0.0/10 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Michael Lindsay

I added this to end of my boiler plate which should stop spam being sent.

BLOCK OUTBOUND PORT 25,

RESERVE FOR LEGIT EMAIL SERVER

Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)


NEVER use your full name; your first is adequate

petzl,

Never really thought much about not using my full name. Did just try 20 different email lookups, only 2 found me, but those would cost someone $20-$30 just to view. I don't belong to any social networks so they can't find me that way. Googled my email and just got a link to Spamcop))))

I have searched my name before, and around 70 people in the US share the same name as mine.

Of the three that have been using the NGTC IPs, at this point I have found more about them. Well, at least two of them. One was smart enough to use an alias, the other two only munged their address around a little. It wasn't that hard to figure out. Things like using Rd. instead of Dr. or north when it should be north-west or using the town 10 mi. down the road. Which of course could be all completely fake, but some people don't really have that much imagination.

Since I started getting the few domains suspended that I have. Four from Donna L. McCorkle, she has dumped all of her GTLD's and only kept her .com domains. She had over two thousand domains and now only 12 remain. James Francis still has a little over 100, but those are all .com ones too. They don't seem to like to send spam with those. The generic TLD's cost a lot less. Just like throw away cell phones drug dealers use. Also, these are US citizens using the Chinese IPs.

Maybe I'll replace my name with just my email instead. If I just use my first name, anyone with half a brain can figure out what my last name is by looking at my email.

Well it looks like I still don't have the quote thing down yet. Forgive me, I never post in any forums or anything. This is all a first.

Thanks for all your help, and for talking to me.

Almost forgot to tell you. I did send a report to IC3 about NGTC. I think actually that CNNIC knows all about the issue, which means so does the Chinese Government. That is why no response or help from them.

Edited by lpsears63

  • 2 weeks later...

Don't know why but for a week no spam from them?

Must have reported a 1000 times?


petzl, on 18 Jan 2016 - 9:05 PM, said:

Don't know why but for a week no spam from them?

Hey Petzl,

Same here. Actually, not much from anyone right now, nine altogether since Jan. 7th. Most of which are pretty hard to track. They use Office365, then bounce it all over the place. They'll use a private network address then go thru a loopback to another private address then bounce it around a little more before it gets to me :) I did find out that Microsoft has their own CERT address, you can report directly at www[dot]cert[dot]Microsoft[dot]com or email at cert[at]Microsoft[dot]com. I think you get faster response using the website. And is used only for Microsoft account abuse. I don't always know whether someone else would consider an email spam or phishing, and I'm not about to click on a link to find out if it's malicious or not. So, I still send anything originating from Office365 or Outlook to the other three emails they have. In case you're not familiar with them they are,

abuse[at]Microsoft[dot]com,

junk[at]Microsoft[dot]com and

report_spam[at]outlook[dot]com.

As for NGTC, they either got sick of me closing down their domains as soon as they would start using them, or I'm in for a big DoS attack. Hope not the latter :)

I did check on what outbound ports my server uses, and they use both 587 and 25, depending on the volume that's going thru. The security I'm using, I found out, has a stealth port shield already set up on it. So someone trying to find an open port on my computer can't find one. Tested, it seems to work fine.

Anyway, it's good to know you're still here, and your spam count is down too. Talk with you soon ^_^

Edited by lpsears63
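The header tracing described in the post above (private and loopback hops before the real source), sketched as an added example that is not part of the thread and is not SpamCop's parser: it walks the `Received` headers newest-first, labels each hop, and checks the first routable address against the 116.128.0.0/10 range quoted earlier. The sample headers and host names are constructed, and the code assumes every header above the first routable hop was written by the recipient's own mail system; anything below that hop is sender-supplied and can be forged.

```python
import ipaddress
import re
from email import message_from_string

# Range quoted in the thread: 116.128.0.0 - 116.191.255.255
LISTED_RANGE = ipaddress.ip_network("116.128.0.0/10")
# Explicit RFC 1918 list: ipaddress.is_private would also flag the
# documentation addresses used in the constructed sample below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample headers (newest first); host names are made up.
SAMPLE = """\
Received: from mx-internal.recipient.example ([10.0.0.5])
    by mailbox.recipient.example with ESMTP; Mon, 18 Jan 2016 09:00:05 +0000
Received: from localhost ([127.0.0.1])
    by mx-internal.recipient.example with ESMTP; Mon, 18 Jan 2016 09:00:04 +0000
Received: from relay.sender.example (relay.sender.example [116.159.251.191])
    by mx.recipient.example with ESMTP; Mon, 18 Jan 2016 09:00:03 +0000
Received: from [192.168.1.50]
    by relay.sender.example with SMTP; Mon, 18 Jan 2016 09:00:01 +0000
Received: from unknown ([203.0.113.77])
    by 192.168.1.50 with SMTP; Mon, 18 Jan 2016 09:00:00 +0000
Subject: constructed example

body
"""

def classify(ip):
    """Label one hop address."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local or any(ip in net for net in RFC1918):
        return "private"
    return "listed" if ip in LISTED_RANGE else "public"

def trace_hops(raw_message):
    """Return [(ip, label)] for each Received hop, newest first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        # Only the "from" clause names the connecting client.
        from_part = re.split(r"(?:^|\s)by\s", value, maxsplit=1)[0]
        match = BRACKETED_IP.search(from_part)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed address literal, skip the hop
        hops.append((ip, classify(ip)))
    return hops

def reportable_source(raw_message):
    """First routable hop from the top, or None if there is none."""
    for ip, label in trace_hops(raw_message):
        if label in ("public", "listed"):
            return ip
    return None

if __name__ == "__main__":
    for ip, label in trace_hops(SAMPLE):
        print(f"{str(ip):<18}{label}")
    print("report against:", reportable_source(SAMPLE))
```
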

Hopefully "we" won one? Good work thanks
