Peace Freak Posted December 20, 2017 Posted December 20, 2017 Am not sure if this is the right forum to be posting this... I'm currently getting 80 to 120 spam a day from what appears to be a single spammer. I've been consistent in submitting the spam but there has been zero reduction in their number... Below is what I see in the SpamCop reporting window. Google seems to be ignoring these reports. Does anyone have any suggestions on getting google to do something about this? Thanks! Re: 151.150.58.94 (Administrator of network where email originates) To: clifford.vaughan@honeywell.com (Notes) Re:http://trollssupportsshowstopper.site/7g5HwW8HF... (Administrator of network hosting website referenced in spam) To: google-cloud-compliance@google.com (Notes) Re:http://trollssupportsshowstopper.site/NWv9mMy97... (Administrator of network hosting website referenced in spam) To: google-cloud-compliance@google.com (Notes)
Lking Posted December 20, 2017 Posted December 20, 2017 PF there are two reasons the spam reports you reference were sent. a report was sent to honeywell.com as the sender of the email/spam two reports were sent to google.com as the host of web pages referenced in the spam Google can not control the sender of email that includes links to web pages in their domain. In the pasted it was common for weight loss/nutrition supplement sellers to buy full page articles (advertisements) in papers like the New York Times. They then reference the NYT in their spam. Obviously the paper could not stop the spam. They have stopped taking the ads.
Peace Freak Posted December 20, 2017 Author Posted December 20, 2017 Thanks for helping me understand the situation. So from what your saying there is nothing further that I can do?
Lking Posted December 21, 2017 Posted December 21, 2017 Keep reporting. Perhaps adding KnujOn.net, fda.gov, acma.gov.au uce.gov
Peace Freak Posted December 21, 2017 Author Posted December 21, 2017 Thank you. Should I just add the addresses: nonreg@knujon.net, spam@UCE.GOV, report@submit.spam.acma.gov.au, uce@ftc.gov to Personal copies of outgoing reports in SpamCop Preferences? Also, is there a reporting plugin available for Apple Mail or some other method to make reporting easier? Thank you?
lisati Posted December 22, 2017 Posted December 22, 2017 I think the uce[at\ftc.gov address was phased out back in 2004, and replaced with spam[at]uce.gov Source: https://www.ftc.gov/news-events/press-releases/2004/07/ftc-unveils-new-e-mail-address-deceptive-spam-spamucegov
petzl Posted December 22, 2017 Posted December 22, 2017 On 12/21/2017 at 9:47 AM, Peace Freak said: Thanks for helping me understand the situation. So from what your saying there is nothing further that I can do? Try giving a "Tracking URL" at top of SpamCop reporting page BEFORE you submit.
Peace Freak Posted December 22, 2017 Author Posted December 22, 2017 Not sure what you mean by "try giving a "Tracking URL". A tracking URL appears at the top of the spam reporting window. Should I copy it somewhere?
Lking Posted December 22, 2017 Posted December 22, 2017 Should I copy it somewhere? Yes. That was a gentle suggestion to include the Tracking URL of a spam report you are posting about. That way all of us can see the full email & header, the information the parser found and what action the parser suggested.
Peace Freak Posted December 22, 2017 Author Posted December 22, 2017 OK, well, here are some typical headers from this spammer: https://www.spamcop.net/sc?id=z6431337730z01e68a5444fd5eb9a907d2f9a82c0fa3z https://www.spamcop.net/sc?id=z6431337731z797bd417f3da084a115d2a81d8099eafz https://www.spamcop.net/sc?id=z6431337733ze663f52e3b66a40f168699205168a559z Any suggestions would be most welcome...
petzl Posted December 23, 2017 Posted December 23, 2017 22 hours ago, Peace Freak said: https://www.spamcop.net/sc?id=z6431337733ze663f52e3b66a40f168699205168a559z OK this is a redirection site put in comments Just save BELOW as a text file, this should grab their attention also copy and paste, above porn spammer text, "IP(Administrator of network where email originates)" and "URL IP Resolves to 35.225.234.14" Child porn spammer pictures under 18 or made to look under 18 NO PROOF OF AGE available! SENT TO MINORS >
Peace Freak Posted December 24, 2017 Author Posted December 24, 2017 Thanks Petxl, I would definitely like to improve the reports I send but I don't fully understand your instructions. Firstly, that spam was already submitted. So I guess you are you saying that for future spam of a similar nature I should write in the "Additional notes (optional - max 2000 characters)" section, the IP address, and also: *** Child porn spammer pictures under 18 or made to look under 18NO PROOF OF AGE available! SENT TO MINORS *** Is this correct?
petzl Posted December 24, 2017 Posted December 24, 2017 2 hours ago, Peace Freak said: Thanks Petxl, I would definitely like to improve the reports I send but I don't fully understand your instructions. Firstly, that spam was already submitted. So I guess you are you saying that for future spam of a similar nature I should write in the "Additional notes (optional - max 2000 characters)" section, the IP address, and also: *** Child porn spammer pictures under 18 or made to look under 18NO PROOF OF AGE available! SENT TO MINORS *** Is this correct? Yes in additional notes put that in plus the IP address of The spam source and the URL IP resolves to under that put ">" to stop SpamCop formating it different Send a report to yourself so you see what a abuse desk does SpamCop without "additional notes" is just headers and body text makes it hard below is what I put in Quote SpamCop V4.8.6 ] This message is brief for your comfort. Please use links below for details. User-targeted report, see notes, if any. deleted 183.32.221.122 is open proxy, see: https://www.spamcop.net/mky-proxies.html [ Additional comments from recipient ] cncert@cert.org.cn 183.32.221.122 is an open proxy BOTNET SEE https://www.abuseat.org/lookup.cgi SEE ALSO CisCo sites REPUTATION IP LOOKUP https://www.talosintelligence.com If Microsoft Windows Defender is available to you, use it! THEN Change Password Other BOTNEThosts in this "neighborhood" with spam reports 183.32.220.123 183.32.220.134 183.32.220.135 183.32.220.137 183.32.220.168 183.32.220.190 183.32.220.208 183.32.220.213 183.32.220.219 183.32.220.235 183.32.220.241 183.32.220.243 183.32.220.245 183.32.220.247 183.32.221.1 183.32.221.5 183.32.221.74 183.32.221.124 183.32.221.136 183.32.221.145 183.32.221.160 183.32.221.162 183.32.221.179 183.32.221.182 183.32.221.186 183.32.221.204 183.32.221.207 183.32.221.246 183.32.221.248 183.32.221.255 183.32.222.0 183.32.222.24 183.32.222.29 183.32.222.31 183.32.222.35 183.32.222.37 183.32.222.44 183.32.222.57 183.32.222.75 183.32.222.76 183.32.222.92 183.32.222.93 183.32.222.107 183.32.222.115 [ Offending message ] Return-Path: <277387642@qq.com> Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by sloti1d2t03 (Cyrus fastmail-fmjessie46427-15765-git-fastmail-15765) with LMTPA; Fri, 22 Dec 2017 15:26:25 -0500
Peace Freak Posted December 24, 2017 Author Posted December 24, 2017 Have started to follow your suggestions. The IP addresses do not resolve to a URL. Here are 4 that I tried: 213.173.54.67 213.190.7.23 217.18.56.98 193.176.18.54 I wonder why? Thank you for introducing CBL and Talos. Checked both IPs with them but they were not listed or neutral. Would appreciate any comments and/or suggestions.
petzl Posted December 25, 2017 Posted December 25, 2017 5 hours ago, Peace Freak said: 213.173.54.67 213.190.7.23 217.18.56.98 193.176.18.54 Using https://whoisip.ovh identifies country of IP then send incident to relevant CERT https://www.first.org/members/teams/ (view all page bottom) 1 info@us-cert.gov no whois address? 2 info@us-cert.gov no whois address? 3 cert@ncsc.nl no whois address? 4 cert@ncsc.nl no whois address? Aways in "Additional notes (optional - max 2000 characters): " I have created some templates saved in "notepad" to copy and paste ALWAYS under text put in > or SpamCop format to one unreadable line send a copy to yourself to improve
Peace Freak Posted January 19, 2018 Author Posted January 19, 2018 Thanks Petxl, I followed your advice about adding notes with the IP address as well as other information. This was the basic content: *** This is a CHILD PORN spammer! Pictures of girls under 18, or made to look under 18. NO PROOF OF AGE available on the site! THIS spam WAS SENT TO MINORS! IP Address: Please investigate and stop this disgusting spammer! Thank you! *** For spam from amazonaws.com I manually sent a spam report with the full content of the email via my email application to (I copied everything in: "View full message" into the email): ec2-abuse@amazon.com This was effective as Amazon is very diligent, and within a day or two they'd get back to me and report: ...We've determined that an Amazon EC2 instance was running at the IP address you provided in your abuse report. We have reached out to our customer to determine the nature and cause of this activity or content in your report... etc. After about 10 or 15 of such submits, the spam from Amazon stopped! Regardless, the spam from Google continued unabated. At the beginning, all the spam from this spammer had different subjects and content, but then whoever it was started to send each spam out in duplicate or triplicate. I guess they were pushing me, thinking I would give up reporting, given the amount of spam they were sending... Nevertheless, I was relentless in reporting every single one, sometimes it would take me an hour or more each day! But good news, finally, three of four days ago it all stopped! Who knows what happened, maybe whoever it was took a vacation... but for now there is no more spam from that entity!! It may be a bit early, but thanks to everyone for their advice.
Lking Posted January 19, 2018 Posted January 19, 2018 Good work! Being relentless does work. I know the effort is time consuming, I just spend 1/2 hour to clear the spam out of this forum and will not start on my private accounts. The fight goes on, Thanks.
petzl Posted January 22, 2018 Posted January 22, 2018 On 1/19/2018 at 9:13 PM, Peace Freak said: But good news, finally, three of four days ago it all stopped! Who knows what happened, maybe whoever it was took a vacation... but for now there is no more spam from that entity!! The best form of defense is attack! By adding to "submission notes" upgrades your report. Send yourself a copy to see what your sending, spamcop reformats a lot of notes on the last line I put a > symbol. Rhis seems to make your notes better formated.
Peace Freak Posted January 29, 2018 Author Posted January 29, 2018 Would like to report that the situation remains positive at this time. Virtually all the spam has stopped! Was hard work but worth it!
petzl Posted January 30, 2018 Posted January 30, 2018 2 hours ago, Peace Freak said: Would like to report that the situation remains positive at this time. Virtually all the spam has stopped! Was hard work but worth it! "Book Em Danno"
Recommended Posts
Archived
This topic is now archived and is closed to further replies.