search-apnic-not-arin for 45.248.3.143

[tjsynkral]

It's happening again.

https://www.spamcop.net/sc?id=z6435051222z44941cc474161f94fbf68ab9350463b1z

Reports regarding this spam have already been sent:

Re: 45.248.3.143 (Administrator of network where email originates)
   Reportid: 6767219654 To: search-apnic-not-arin#apnic.net@devnull.spamcop.net

[Lking]

I split this post from your other report on a different IP address.

Quote

I refuse to bother search-apnic-not-arin@apnic.net.

Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.

Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

There are several possible reason for not sending reports to search-apnic-not-arin{AT}apnic{DOT}net, including the abuse address 1) has ask not to receive spam reports, 2) SC knows they do nothing with the reports, 3) reports are forwarded to the spammer, etc.

However, reporting spam from this IP address does feed the statistics for the SpamCop Block-list.

[petzl]

2 hours ago, tjsynkral said:

It's happening again.

SpamCop often does not get the abuse address or gets it wrong. Pays to use a whois program yourself, A Windows free one is "IPNetInfo v1.77"

Edited January 15, 2018 by petzl

[tjsynkral]

On 1/15/2018 at 11:09 AM, Lking said:

I split this post from your other report on a different IP address.

There are several possible reason for not sending reports to search-apnic-not-arin{AT}apnic{DOT}net, including the abuse address 1) has ask not to receive spam reports, 2) SC knows they do nothing with the reports, 3) reports are forwarded to the spammer, etc.

However, reporting spam from this IP address does feed the statistics for the SpamCop Block-list.

Do you not see the problem here?

There is a correct abuse contact for 45.248.3.143 and search-apnic-not-arin is not it. Spamcop has a configuration error and it's searching the wrong IP registry to find a reporting address.

If it was a scenario you described I expect to see a devnull.spamcop address in the contact field... not this.

Does anyone who actually works on Spamcop ever look at this forum or is it just full of users who tell you that yes, Spamcop is broken you should report spam yourself instead of using it.

[lisati]

Sometimes Spamcop decides not to bother the abuse contacts for the reasons already given.

When reports aren't sent, for whatever reason, the data gleaned from the submitted spam is still useful for helping to build the SCBL. Any reports that are sent and subsequently acted on are a bonus.

[tjsynkral]

1 hour ago, lisati said:

Sometimes Spamcop decides not to bother the abuse contacts for the reasons already given.

When reports aren't sent, for whatever reason, the data gleaned from the submitted spam is still useful for helping to build the SCBL. Any reports that are sent and subsequently acted on are a bonus.

In the case of this IP, they're trying to send mail to a black hole created to trap broken software that searched the wrong IP registry. Perhaps the abuse contact for 45.248.3.143 would like to know about the spam report and take action on it before it gets to SCBL. There's no chance that search-apnic-not-arin is a deliberate thing.

[Lking]

Checking another Whois I find for 45.248.3.143

Quote

Ref:            https://whois.arin.net/rest/org/APNIC
ReferralServer:  whois://whois.apnic.net
ResourceLink:  http://wq.apnic.net/whois-search/static/search.html
OrgAbuseHandle: AWC12-ARIN
OrgAbuseName:   APNIC Whois Contact
OrgAbusePhone:  +61 7 3858 3188
OrgAbuseEmail:  search-apnic-not-arin@apnic.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/AWC12-ARIN
OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3188
OrgTechEmail:  search-apnic-not-arin@apnic.net    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
OrgTechRef:    https://whois.arin.net/rest/poc/AWC12-ARIN

This IP seems to be part of a large block of IPs in India used for VPN  (hiding the location of the source)

Going back to tjsynkral's old post on146.196.52.181 the block of IPs

Quote

Abuse contact for '146.196.52.0 - 146.196.55.255' is 'matthew.wu{AT}globalnetworkhk.com'

has a different abuse contact now.  I have no idea what was a valid abuse address for 146.196.52.181 Oct 2017.

Those who seem to support spammers do try to change blocks of IPs all the time to avoid being blocked.  Both blocks 146.196.52.- 146.196.55.255 and the block 45.248.0.0 - 45.248.3.255  are managed by APNIC.  Those who had 146.196.52.181 in October could now have control of 45.248.3.143.  There is a considerable body of anecdotal evidence that APNIC does not strongly enforce the rules.

If you have more valid information for an IP or block of IPs  <Reporting Help> <Reporting Address Issues> would be the correct (sub) forum to post current updated information.

[tjsynkral]

4 hours ago, Lking said:

Checking another Whois I find for 45.248.3.143

 

Can someone point me to the nearest wall so I can bang my head against it?

You're whoising ARIN for an IP in the APNIC pool (just as Spamcop is doing). Anytime you do that, you will get search-apnic-not-arin@apnic.net . APNIC is NOT an ISP. If you whois APNIC at whois.apnic.net for that IP, you will get current ISP information about 45.248.3.143.

role:    Manager Admin
address:    485-A/15,1st floor,G.T. Road, Dilshad garden,New Delhi,Delhi-110095
country:    IN
phone:    +91 9958033533
e-mail:    support@apnainfotech.co.in
admin-c:    AA1235-AP
tech-c:    AA1235-AP
nic-hdl:    MA965-AP
mnt-by:    MAINT-IN-APNAINFO
last-modified:    2016-04-29T09:31:10Z
source:    APNIC

 

(edit: P.S. The abuse contact for 146.196.52.181 via APNIC is still matthew.wu@globalnetworkhk.com.)

Edited January 18, 2018 by tjsynkral