Jump to content

ocn.ad.jp spam


paulgj

Recommended Posts

Posted

Lately I don't get a huge amount of spam but it seems like almost all the spam I do get ends up being reported to abuse[at]ocn.ad.jp.    There seems to be no letup in the quantity though, so am wondering if ocn.ad.jp is actually a known spammer friendly provider of some kind?

  • Replies 110
  • Created
  • Last Reply
Posted

I don't know about ocn.ad.jp but it would seem so.

If you would go back to one of the spam you have reported and looking at the reports sent you will find their IP address (SpamCop tracks IP addresses not domains) you could then go to https://www.spamcop.net/w3m?action=map and find the reputation of their IP address.

Posted

apparently this provider is a major spam gateway, seems like sending spam reports to them is an exercise in futility 

Posted
6 hours ago, paulgj said:

apparently this provider is a major spam gateway, seems like sending spam reports to them is an exercise in futility 

 

6 hours ago, paulgj said:

apparently this provider is a major spam gateway, seems like sending spam reports to them is an exercise in futility 

Would help if you gave a trking url?
even a IP address.
In the mean time have no idea what you are on about?

  • 9 months later...
Posted

I get too many spams latelly from ocn.ad.jp Can we do anything to this provider? Just block all of their clients. That should make them think once their normal clients start complaining for non delivered emails.

Also it is kind of funny. Gmail delivers email from this forum into spam box. Just FYI

 

Posted

As you can tell from this year long thread, some spammers don't change.  Reporting all spam from ocn.ad.jp and their clients that use IP addresses controlled by them, will help keep their IPs on the SpamCop block list.

1 hour ago, lepa71 said:

Also it is kind of funny. Gmail delivers email from this forum into spam box. Just FYI

Yes, many ISP's use rather dumb filters, based on domain names - not IP addresses, to filter incoming email.  Why someone would think a spammer would include the word 'spam' in their domain name and use that to filter email, I do not know.  I believe you should be able to add SpamCop.net to your white list to over-ride the basic filtering.

  • 2 months later...
Posted

I also find that a major portion of my spams are coming from their servers and I don't think abuse@ goes anywhere but into their trash. 

The address that I received emails from when I contacted them directly regarding spams is 'abuse_support@ocn.ad.jp' of which the address is listed as the "OCN Internet Security Team".
 

  • 3 weeks later...
Posted

It's pretty clear this ISP is itself a criminal organization: I've reported an IP address of theirs for sending 419 scam message over 140 times during the past year and it still continues, 3-4 times a day.

  • 4 weeks later...
  • 3 months later...
Posted

As a follow up on my post above, I've now filed 300+ reports on 419 scam messages sent from the ocn.ad.jp system.  The content of the messages varies but it's clearly coming from one spammer.  ocn.ad.jp does nothing about it--I get 1-4 scam messages from them every day.  And if you check the Spamcop statistics for the top targets of spam reports, ocn.ad.jp is almost always in the top ten.

 

There are only two logical explanations: either it is an utterly incompetent ISP or it is actively collaborating with 419 scam criminals.

I've begged ocn.ad.jp to block any outgoing mail to my Gmail account but they don't respond.  I've requested that Gmail blacklist them but didn't get a response to that either.  I have a Gmail filter to automatically send any incoming mail from ocn.ad.jp  to the trash but the irresponsibility of this slimeball ISP still annoys me.

Posted

It is never a good idea or productive to ask a spammer to removed you address from their emailing list.  They view any contact from you as conformation that a real person does read their email and that is success for  them. See Spammer Rules, Rule #1, Finnell's Corollary.

A more direct way to keep these spam out of your inbox is have your ISP block them or use your email app to direct them to a spam folder.  I assume you are reporting your spam to SC.  This may not help you directly, depending on how your ISP handles incoming email, but it does help others filter their email.

Posted
On 10/12/2017 at 10:24 PM, SteveMetz said:

As a follow up on my post above, I've now filed 300+ reports on 419 scam messages sent from the ocn.ad.jp system.  The content of the messages varies but it's clearly coming from one spammer.  ocn.ad.jp does nothing about it--I get 1-4 scam messages from them every day.  And if you check the Spamcop statistics for the top targets of spam reports, ocn.ad.jp is almost always in the top ten.

 

There are only two logical explanations: either it is an utterly incompetent ISP or it is actively collaborating with 419 scam criminals.

I've begged ocn.ad.jp to block any outgoing mail to my Gmail account but they don't respond.  I've requested that Gmail blacklist them but didn't get a response to that either.  I have a Gmail filter to automatically send any incoming mail from ocn.ad.jp  to the trash but the irresponsibility of this slimeball ISP still annoys me.

send a report to your email address then use the SECRET link contained in it

User-targeted report, see notes, if any.

this will show you replies to your reports if any 

  • 2 months later...
Posted

This OCN network is by far the biggest spam network in the world and they ignore every abuse email received even more so with Spamcop because they send the emails to a non existent email address, the one OCN use is abuse_support@ocn.ad.jp

Still wont do much good because I've reported to much to them they blocked me, still spamming me with hundreds of emails a week mind

Posted
5 hours ago, salfordian said:

This OCN network is by far the biggest spam network

A tracking URL helps. I get the odd one but not many to escalate try JP Cert always in comment IP address if that IP is AN open PROXY

cirt [at] cyberdefense [ dot ] jp 

[ Additional comments from recipient ]
cncert@cert.org.cn
183.32.221.122 is an open proxy   BOTNET
SEE https://www.abuseat.org/lookup.cgi

SEE ALSO CisCo sites REPUTATION IP LOOKUP
https://www.talosintelligence.com

If Microsoft Windows Defender is available to you, use it!
THEN Change Password

Other BOTNET hosts in this "neighborhood" with spam reports
183.32.220.123 183.32.220.134 183.32.220.135 
183.32.220.137 183.32.220.168 183.32.220.190 
183.32.220.208 183.32.220.213 183.32.220.219 
183.32.220.235 183.32.220.241 183.32.220.243 
183.32.220.245 183.32.220.247 183.32.221.1 183.32.221.5 
183.32.221.74 183.32.221.124 183.32.221.136 183.32.221.145 
183.32.221.160 183.32.221.162 183.32.221.179 
183.32.221.182 183.32.221.186 183.32.221.204 
183.32.221.207 183.32.221.246 183.32.221.248 
183.32.221.255 183.32.222.0 183.32.222.24 183.32.222.29 
183.32.222.31 183.32.222.35 183.32.222.37 183.32.222.44 
183.32.222.57 183.32.222.75 183.32.222.76 183.32.222.92 
183.32.222.93 183.32.222.107 183.32.222.115

 

  • 3 weeks later...
Posted

I've reported several hundered spam messages with no let up in messages being sent from their network.

Here's a recent (January 8th) auto-reply email I got from sending a report to abuse [at] ocn.ad.jp through the reporting form: 

Quote

Dear "Steve" <6765033934@reports.spamcop.net>;

 This is auto reply mail.
 That site is one of our customers'.
  I advise the administrator of the site
  to fix this problem as soon as possible.

  Thank you for your patience.

Sincerely yours,
 ---
 NTT Communications(OCN)

 ---------- Begin Included Message ----------
 Date: Mon, 08 Jan 2018 06:18:12 -0800
 From: "Steve" <6765033934@reports.spamcop.net>
 To: abuse@ocn.ad.jp
 Subject: [SpamCop (153.149.230.3) id:6765033934]

[ SpamCop V4.8.6 ]
This message is brief for your comfort.  Please use links below for details.

Email from 153.149.230.3 / Mon, 08 Jan 2018 06:18:12 -0800
https://www.spamcop.net/w3m?i=z6765033934z388df03ed4b4e22c2ffbe7efd654f7b4z

[ Offending message ]
Delivered-To: x
Received: by 10.25.81.199 with SMTP id g68csp1495561lfl;
        Mon, 8 Jan 2018 06:18:12 -0800 (PST)
X-Google-Smtp-Source: ACJfBotDlAvDdTjcx3hJ5Wwh8Lihk5TaNEwnt3d6wkxhCAymYHKu4tp7EzP1kqZt2rV8yG7MfBXN
X-Received: by 10.99.116.82 with SMTP id e18mr3807706pgn.3.1515421092220;
        Mon, 08 Jan 2018 06:18:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1515421092; cv=none;
        d=google.com; s=arc-20160816;
        b=tPyZEhl98wyFIfwxRkQFLzwDXw0QH7YdnDCwlZJOX1dc27P60kS2tNT5sFhJvJgUXZ
         PbF0e9F33QN0Qjsm/8WAOzGISd6z5aYSkJPHirIzCEH9EHcci945cHWldtbO4pWgRdLb
         P27KsdoicEdI6SSmxrJb9u3lnbvHHar1cWhOHxQzUYnn/FWkk++b6PWuhvmJhngLtjba
         PKfnLPQkFvPuoglaW23ijg2TmqRUZXnMs5Hm0Z/P91b7/895gMQARFyZM9Ex55jc+6o1
         PQMnT+jFZPbEHFQS8prV040HPDOFCmdP3k8yETuPgUAqGL3WWWRDxJdzM/u25E+B4l64
         Lv1Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=importance:date:subject:from:to:mime-version:message-id
         :arc-authentication-results;
        bh=Ce7aoijsgkaF6otzXyHekJBxp+CbaWNpalc+L5wvBPg=;
        b=BgaJ/BsRbpqMPylKi9KxzdoUHCuSaJTTF2SWlWVGlNakVEjXb6EGuxsmNS8vq+2GaQ
         Pyu+ImnWqQChRHdBp8k8QU8Lu2l+6CH1abOKiWKV14W10w2xUSfO/mJww6sCZ/vw341+
         7cctfj7xXYWf7sLC+cITPPXsyt8RONEpBQ+QMxvZZXTbhC+0FNhx2Wm1fkd72jFKIJnq
         bjYGdH6QMMoZ4tSmLHSmwvAgjR48eDXMRyoapWoirlwk5iyRaGuDzSmXBzWEp5rvlIG8
         idPvWJuwUy6zznNN/foEEgUzqgq7iAn1VHUdO84INHAISbPyIaInfT1S2Nx3Wc3Ghxgu
         zQ1w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of qqb65by9k@sunny.ocn.ne.jp designates 153.149.230.3 as permitted sender) smtp.mailfrom=qqb65by9k@sunny.ocn.ne.jp
Return-Path: <qqb65by9k@sunny.ocn.ne.jp>
Received: from mbkd0102.ocn.ad.jp (mbkd0102.ocn.ad.jp. [153.149.230.3])
        by mx.google.com with ESMTP id b2si7495207pgn.405.2018.01.08.06.18.11
        for <x>;
        Mon, 08 Jan 2018 06:18:12 -0800 (PST)
Received-SPF: pass (google.com: domain of qqb65by9k@sunny.ocn.ne.jp designates 153.149.230.3 as permitted sender) client-ip=153.149.230.3;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of qqb65by9k@sunny.ocn.ne.jp designates 153.149.230.3 as permitted sender) smtp.mailfrom=qqb65by9k@sunny.ocn.ne.jp
Received: from mf-smf-ucb013.ocn.ad.jp (mf-smf-ucb013.ocn.ad.jp [153.149.228.232]) by mbkd0102.ocn.ad.jp (Postfix) with ESMTP id 27259100D091; Mon,
  8 Jan 2018 23:18:10 +0900 (JST)
Received: from mf-smf-ucb013.ocn.ad.jp (mf-smf-ucb013 [153.149.228.232]) by mf-smf-ucb013.ocn.ad.jp (Postfix) with ESMTP id 0C595A00238; Mon,
  8 Jan 2018 23:18:10 +0900 (JST)
Received: from ntt.pod01.mv-mta-ucb027 (mv-mta-ucb027.ocn.ad.jp [153.149.142.101]) by mf-smf-ucb013.ocn.ad.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id w08EI9Yc049183; Mon, 8 Jan 2018 23:18:09 +0900
Message-Id: <2018___________________9183@mf-smf-ucb013.ocn.ad.jp>
Received: from smtp.ocn.ne.jp ([153.149.227.134]) by ntt.pod01.mv-mta-ucb027 with id vqJ21w0042ud8JZ01qJ2V8; Mon, 08 Jan 2018 14:18:09 +0000
Received: from smtp.ocn.ne.jp (unknown [113.190.137.50]) by smtp.ocn.ne.jp (Postfix) with ESMTPA; Mon,
  8 Jan 2018 23:18:01 +0900 (JST)
MIME-Version: 1.0
To: x <x>, x <x>, bmw x <x>, pandothis x <x>, PandoMovies TVShows x <x>, pando mine x <x>, PurrsPando x <x>, pando mega media x <x>, x <x>
From: crystal coleman <qqb65by9k@sunny.ocn.ne.jp>
Subject:
Date: Mon, 8 Jan 2018 04:17:59 -1000
Importance: normal
X-Priority: 3
Content-Type: multipart/alternative; boundary="_16A9152F-11C4-45CB-CD90-87F94A03CB8B_"

--_16A9152F-11C4-45CB-CD90-87F94A03CB8B_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

http://now.yourprofitsunleashed.net
Crystal Coleman



--_16A9152F-11C4-45CB-CD90-87F94A03CB8B_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:sc=
hemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/of=
fice/2004/12/omml
" xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta ht=
tp-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta name=
=3DGenerator content=3D"Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
=09{font-family:"Cambria Math";
=09panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
=09{font-family:Calibri;
=09panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
=09{font-family:"Calibri Light";
=09panose-1:2 15 3 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
=09{margin:0in;
=09margin-bottom:.0001pt;
=09font-size:11.0pt;
=09font-family:"Calibri",sans-serif;}
p.MsoTitle, li.MsoTitle, div.MsoTitle
=09{mso-style-priority:10;
=09mso-style-link:"Title Char";
=09margin:0in;
=09margin-bottom:.0001pt;
=09mso-add-space:auto;
=09font-size:28.0pt;
=09font-family:"Calibri Light",sans-serif;
=09letter-spacing:-.5pt;}
p.MsoTitleCxSpFirst, li.MsoTitleCxSpFirst, div.MsoTitleCxSpFirst
=09{mso-style-priority:10;
=09mso-style-link:"Title Char";
=09mso-style-type:export-only;
=09margin:0in;
=09margin-bottom:.0001pt;
=09mso-add-space:auto;
=09font-size:28.0pt;
=09font-family:"Calibri Light",sans-serif;
=09letter-spacing:-.5pt;}
p.MsoTitleCxSpMiddle, li.MsoTitleCxSpMiddle, div.MsoTitleCxSpMiddle
=09{mso-style-priority:10;
=09mso-style-link:"Title Char";
=09mso-style-type:export-only;
=09margin:0in;
=09margin-bottom:.0001pt;
=09mso-add-space:auto;
=09font-size:28.0pt;
=09font-family:"Calibri Light",sans-serif;
=09letter-spacing:-.5pt;}
p.MsoTitleCxSpLast, li.MsoTitleCxSpLast, div.MsoTitleCxSpLast
=09{mso-style-priority:10;
=09mso-style-link:"Title Char";
=09mso-style-type:export-only;
=09margin:0in;
=09margin-bottom:.0001pt;
=09mso-add-space:auto;
=09font-size:28.0pt;
=09font-family:"Calibri Light",sans-serif;
=09letter-spacing:-.5pt;}
a:link, span.MsoHyperlink
=09{mso-style-priority:99;
=09color:#0563C1;
=09text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
=09{mso-style-priority:99;
=09color:#954F72;
=09text-decoration:underline;}
span.TitleChar
=09{mso-style-name:"Title Char";
=09mso-style-priority:10;
=09mso-style-link:Title;
=09font-family:"Calibri Light",sans-serif;
=09letter-spacing:-.5pt;}
..MsoChpDefault
=09{mso-style-type:export-only;}
@page WordSection1
=09{size:8.5in 11.0in;
=09margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
=09{page:WordSection1;}
--></style></head><body lang=3DEN-US link=3D"#0563C1" vlink=3D"#954F72"><di=
v class=3DWordSection1><p class=3DMsoTitle><a href=3D"http://now.yourprofit=
sunleashed.net"><span style=3D'font-size:11.0pt;font-family:"Calibri",sans-=
serif;letter-spacing:0pt'>http://now.yourprofitsunleashed.net</span></a></p=
><p class=3DMsoNormal>Crystal Coleman<span style=3D'font-size:14.0pt'><o:p>=
</o:p></span></p><p class=3DMsoTitleCxSpFirst><span style=3D'font-size:14.0=
pt;font-family:"Times New Roman",serif'><o:p>&nbsp;</o:p></span></p><p clas=
s=3DMsoTitleCxSpLast><span style=3D'font-size:14..0pt;font-family:"Times Ne=
w Roman",serif'><o:p>&nbsp;</o:p></span></p></div></body></html>
--_16A9152F-11C4-45CB-CD90-87F94A03CB8B_--

Whenever possible, instead of reporting emails to OCN (abuse [at] ocn.ad.jp) using the reporting from, I look for the X-Originating-IP at the end of the email and try to report it that way by replacing OCN's IP address in the 1st Received line such as the one below:

Received: from mbkd0102.ocn.ad.jp (mbkd0102.ocn.ad.jp. [153.149.230.3])

with the one in the X-Originating-IP which is usually a 41.xx.xxx.x and usually, the ISP's email address that comes up is netabuse [at] mtn.bj. 

 Steve

Posted
9 hours ago, Steve said:

I've reported several hundered spam messages with no let up in messages being sent from their network.

Here's a recent (January 8th) auto-reply email I got from sending a report to abuse [at] ocn.ad.jp through the reporting form: 

113.190.137.50 is where it came from "hm-changed [at] vnnic.vn" in notes put

compromised/forged web and or email accounts

BLOCK OUTBOUND PORT 25, 
RESERVE FOR LEGIT EMAIL SERVER
Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)
FAQ see
https://www.spamhaus.org/faq/section/Spamhaus PBL
>

  • 3 weeks later...
Posted

Is there any surefire way to get ocn.ad/ne.jp emails to stop (of course, aside from setting a filter to send them to trash) because reporting to abuse (at) ocn.ad.jp seems like NTT doesn't give a crap despite the auto-reply email they send out. Also, why doesn't SC parse the originating IP address since that's where the emails originate from despite the spammer (scammer) using NTT's servers to send this crap?

Posted

 abuse (at) ocn.ad.jp do deal with spammers just don't tell you

Posted

Then why haven't they stopped all spam yet despite the hundreds if not thousands of reports sent?

Posted
On 5/4/2016 at 11:21 AM, paulgj said:

Lately I don't get a huge amount of spam but it seems like almost all the spam I do get ends up being reported to abuse[at]ocn.ad.jp.    There seems to be no letup in the quantity though, so am wondering if ocn.ad.jp is actually a known spammer friendly provider of some kind?

Japanese have little English skills and tend to turn off malware programs like windows defender because it "nags" them

https://www.spamcop.net/sc?id=z6444739102zd3ea6cfa9f916bda689da0afcd930389z 

X-Originating-IP: [41.138.91.165] Etisalat Benin SA (SpamCop didn't pickup) in notes I put
compromised/forged web and or email accounts
If Microsoft Windows Defender is available to you, use it
Scan for Malware! THEN
Change log-on to a more secure password-Phrase! 


>

SpamCop reports to mail server 153.149.236.27  abuse (at) ocn.ad.jp

Other hosts in this "neighborhood" with spam reports

153.149.236.2 153.149.236.3 153.149.236.4 153.149.236.5 153.149.236.6 153.149.236.7 153.149.236.8 153.149.236.9 153.149.236.10 153.149.236.11 153.149.236.22153.149.236.23 153.149.236.24 153.149.236.25 153.149.236.26 153.149.236.27 153.149.236.28 153.149.236.29 153.149.236.30 153.149.236.31 153.149.236.32 153.149.236.33153.149.236.34 153.149.236.35 153.149.236.36 153.149.236.37 153.149.236.38 153.149.236.39 153.149.236.40

Posted

SC NEVER picks X-Originating-IP up in ocn.ad/ne.jp emails. I almost always (99% of the time) have to re-report the emails and replace the 1st 153.xxx.xxx.x/153.xxx.xxx.xx IP address with the IP in the X-Originating-IP field so it goes to that respective ISP.

 

Steve


 
Posted
12 hours ago, Steve said:

SC NEVER picks X-Originating-IP up in ocn.ad/ne.jp emails. I almost always (99% of the time) have to re-report the emails and replace the 1st 153.xxx.xxx.x/153.xxx.xxx.xx IP address with the IP in the X-Originating-IP field so it goes to that respective ISP.

 

Steve



 

SC will often stop at a mail server, as if in doubt it won't report, but you can take over

Posted

That's why, whenever possible, I take the X-Originating-IP address and replace it with NTT's and then report the email again.

Posted
15 hours ago, Steve said:

That's why, whenever possible, I take the X-Originating-IP address and replace it with NTT's and then report the email again.

I try to be better than SC and would add Botnet 41.138.91.165 abuse address (if any) to report [moov [at] moov.bj]

41.138.91.165    BOTNET
SEE https://www.abuseat.org/lookup.cgi

SEE ALSO CisCo sites REPUTATION IP LOOKUP
https://www.talosintelligence.com

If Microsoft Windows Defender is available to your customers, they need to  use it!
THEN Change Password


>

 

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...