spam from Google Hosted website??

[Peace Freak]

Am not sure if this is the right forum to be posting this...

I'm currently getting 80 to 120 spam a day from what appears to be a single spammer. 

I've been consistent in submitting the spam but there has been zero reduction in their number... Below is what I see in the SpamCop reporting window.

Google seems to be ignoring these reports.

Does anyone have any suggestions on getting google to do something about this?

Thanks!

Re: 151.150.58.94 (Administrator of network where email originates)
 To: clifford.vaughan@honeywell.com (Notes)

Re:http://trollssupportsshowstopper.site/7g5HwW8HF... (Administrator of network hosting website referenced in spam)
 To: google-cloud-compliance@google.com (Notes)

Re:http://trollssupportsshowstopper.site/NWv9mMy97... (Administrator of network hosting website referenced in spam)
 To: google-cloud-compliance@google.com (Notes)

 

 

 

 

[Lking]

PF there are two reasons the spam reports you reference were sent.

1. a report was sent to honeywell.com as the sender of the email/spam
2. two reports were sent to google.com as the host of web pages referenced in the spam

Google can not control the sender of email that includes links to web pages in their domain.  In the pasted it was common for weight loss/nutrition supplement sellers to buy full page articles (advertisements) in papers like the New York Times.  They then reference the NYT in their spam.  Obviously the paper could not stop the spam.  They have stopped taking the ads.

[Peace Freak]

Thanks for helping me understand the situation. So from what your saying there is nothing further that I can do?

[Lking]

Keep reporting.  Perhaps adding KnujOn.net, fda.gov, acma.gov.au uce.gov

[Peace Freak]

Thank you. Should I just add the addresses:

nonreg@knujon.net, spam@UCE.GOV, report@submit.spam.acma.gov.au, uce@ftc.gov

to Personal copies of outgoing reports in SpamCop Preferences?

Also, is there a reporting plugin available for Apple Mail or some other method to make reporting easier?

Thank you?

[lisati]

I think the uce[at\ftc.gov address was phased out back in 2004, and replaced with spam[at]uce.gov

Source: https://www.ftc.gov/news-events/press-releases/2004/07/ftc-unveils-new-e-mail-address-deceptive-spam-spamucegov

[petzl]

On 12/21/2017 at 9:47 AM, Peace Freak said:

Thanks for helping me understand the situation. So from what your saying there is nothing further that I can do?

Try giving a "Tracking URL" at top of SpamCop reporting page BEFORE you submit.

[Peace Freak]

Not sure what you mean by "try giving a "Tracking URL". A tracking URL appears at the top of the spam reporting window. Should I copy it somewhere?

[Lking]

Should I copy it somewhere?  Yes.

That was a gentle suggestion to include the Tracking URL of a spam report you are posting about.  That way all of us can see the full email & header, the information the parser found and what action the parser suggested.

 

 

[Peace Freak]

OK, well, here are some typical headers from this spammer:

https://www.spamcop.net/sc?id=z6431337730z01e68a5444fd5eb9a907d2f9a82c0fa3z

https://www.spamcop.net/sc?id=z6431337731z797bd417f3da084a115d2a81d8099eafz

https://www.spamcop.net/sc?id=z6431337733ze663f52e3b66a40f168699205168a559z

Any suggestions would be most welcome...

 

[petzl]

22 hours ago, Peace Freak said:

https://www.spamcop.net/sc?id=z6431337733ze663f52e3b66a40f168699205168a559z

OK this is a redirection site put in comments
Just save BELOW as a text file, this should grab their attention also copy and paste, above porn spammer text, "IP(Administrator of network where email originates)" and "URL IP Resolves to 35.225.234.14"

Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS

>

[Peace Freak]

Thanks Petxl, I would definitely like to improve the reports I send but I don't fully understand your instructions.

Firstly, that spam was already submitted. So I guess you are you saying that for future spam of a similar nature I should write in the "Additional notes (optional - max 2000 characters)" section, the IP address, and also:

***
Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS
***

Is this correct?

[petzl]

2 hours ago, Peace Freak said:

Thanks Petxl, I would definitely like to improve the reports I send but I don't fully understand your instructions.

Firstly, that spam was already submitted. So I guess you are you saying that for future spam of a similar nature I should write in the "Additional notes (optional - max 2000 characters)" section, the IP address, and also:

***
Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS
***

Is this correct?

Yes in additional notes  put that in plus the IP address of The spam source and the URL IP resolves to under that put ">" to stop SpamCop formating it different

Send a report to yourself so you see what a abuse desk does 

SpamCop without "additional notes" is just headers  and body text makes it hard below is what I put in

Quote

 SpamCop V4.8.6 ]
This message is brief for your comfort.  Please use links below for details.

User-targeted report, see notes, if any.
  deleted
183.32.221.122 is open proxy, see: https://www.spamcop.net/mky-proxies.html

[ Additional comments from recipient ]

cncert@cert.org.cn 183.32.221.122 is an open proxy BOTNET SEE https://www.abuseat.org/lookup.cgi SEE ALSO CisCo sites REPUTATION IP LOOKUP https://www.talosintelligence.com If Microsoft Windows Defender is available to you, use it! THEN Change Password

Other BOTNEThosts in this "neighborhood" with spam reports 183.32.220.123 183.32.220.134 183.32.220.135 183.32.220.137 183.32.220.168 183.32.220.190 183.32.220.208 183.32.220.213 183.32.220.219 183.32.220.235 183.32.220.241 183.32.220.243 183.32.220.245 183.32.220.247 183.32.221.1 183.32.221.5 183.32.221.74 183.32.221.124 183.32.221.136 183.32.221.145 183.32.221.160 183.32.221.162 183.32.221.179 183.32.221.182 183.32.221.186 183.32.221.204 183.32.221.207 183.32.221.246 183.32.221.248 183.32.221.255 183.32.222.0 183.32.222.24 183.32.222.29 183.32.222.31 183.32.222.35 183.32.222.37 183.32.222.44 183.32.222.57 183.32.222.75 183.32.222.76 183.32.222.92 183.32.222.93 183.32.222.107 183.32.222.115

[ Offending message ] Return-Path: <277387642@qq.com> Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by sloti1d2t03 (Cyrus fastmail-fmjessie46427-15765-git-fastmail-15765) with LMTPA; Fri, 22 Dec 2017 15:26:25 -0500

 

[Peace Freak]

Have started to follow your suggestions. The IP addresses do not resolve to a URL. Here are 4 that I tried:

213.173.54.67
213.190.7.23
217.18.56.98
193.176.18.54

I wonder why?

Thank you for introducing CBL and Talos. Checked both IPs with them but they were not listed or neutral.

Would appreciate any comments and/or suggestions.

[petzl]

5 hours ago, Peace Freak said:

213.173.54.67
213.190.7.23
217.18.56.98
193.176.18.54

Using https://whoisip.ovh identifies country of IP then send incident to relevant CERT https://www.first.org/members/teams/ (view all page bottom)
1  info@us-cert.gov no whois address?

2  info@us-cert.gov no whois address?

3 cert@ncsc.nl no whois address?

4 cert@ncsc.nl no whois address?

Aways in "Additional notes (optional - max 2000 characters): " I have created some templates saved in "notepad"  to copy and paste ALWAYS under text put in > or SpamCop format to one unreadable line send a copy to yourself to improve

[Peace Freak]

Thanks Petxl, I followed your advice about adding notes with the IP address as well as other information. This was the basic content:

***
This is a CHILD PORN spammer!
Pictures of girls under 18, or made to look under 18.
NO PROOF OF AGE available on the site! 
THIS spam WAS SENT TO MINORS!

IP Address: 

Please investigate and stop this disgusting spammer! Thank you!
***

For spam from amazonaws.com I manually sent a spam report with the full content of the email via my email application to (I copied everything in: "View full message" into the email):

ec2-abuse@amazon.com

This was effective as Amazon is very diligent, and within a day or two they'd get back to me and report:

...We've determined that an Amazon EC2 instance was running at the IP address you provided  in your abuse report. We have reached out to our customer to determine the nature and cause of this activity or content in your report... etc.

After about 10 or 15 of such submits, the spam from Amazon stopped!

Regardless, the spam from Google continued unabated.

At the beginning, all the spam from this spammer had different subjects and content, but then whoever it was started to send each spam out in duplicate or triplicate. I guess they were pushing me, thinking I would give up reporting, given the amount of spam they were sending... Nevertheless, I was relentless in reporting every single one, sometimes it would take me an hour or more each day!

But good news, finally, three of four days ago it all stopped! Who knows what happened, maybe whoever it was took a vacation... but for now there is no more spam from that entity!!

It may be a bit early, but thanks to everyone for their advice.

[Lking]

Good work! Being relentless does work.  I know the effort is time consuming, I just spend 1/2 hour to clear the spam out of this forum and will not start on my private accounts. The fight goes on, Thanks.

[petzl]

On 1/19/2018 at 9:13 PM, Peace Freak said:

But good news, finally, three of four days ago it all stopped! Who knows what happened, maybe whoever it was took a vacation... but for now there is no more spam from that entity!!

The best form of defense is attack! By adding to "submission notes" upgrades your report. Send yourself a copy to see what your sending, spamcop reformats a lot of notes on the last line I put a > symbol. Rhis seems to make your notes better formated.

[Peace Freak]

Would like to report that the situation remains positive at this time. Virtually all the spam has stopped! Was hard work but worth it!

[petzl]

2 hours ago, Peace Freak said:

Would like to report that the situation remains positive at this time. Virtually all the spam has stopped! Was hard work but worth it!

"Book Em Danno"