Steve, posted May 23, 2018

Of course it's an ocn.ne/ad.jp email. I don't bother reporting to them anymore because I find it pointless. I also reported it to netabuse (at) mtn.bj, but as you all know, they're notorious for not dealing with spam very well. I tried reporting to UBA's security email that I found doing a Google search, and this is the result Gmail's mailer-daemon sent back:

Quote:
Message not delivered
Your message couldn't be delivered to security@ubagroup.com because the remote server is misconfigured. See technical details below for more information.
The response from the remote server was:
550 5.4.1 [security@ubagroup.com]: Recipient address rejected: Access denied [AM5EUR03FT052.eop-EUR03.prod.protection.outlook.com]

Final-Recipient: rfc822; security@ubagroup.com
Action: failed
Status: 5.4.1
Remote-MTA: dns; ubagroup-com.mail.protection.outlook.com. (213.199.154.106, the server for the domain ubagroup.com.)
Diagnostic-Code: smtp; 550 5.4.1 [security@ubagroup.com]: Recipient address rejected: Access denied [AM5EUR03FT052.eop-EUR03.prod.protection.outlook.com]
Last-Attempt-Date: Tue, 22 May 2018 21:54:17 -0700 (PDT)

Original email:
Delivered-To: x
Received: by 10.55.27.222 with SMTP id m20-v6csp390695lfi; Tue, 22 May 2018 04:17:36 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpYbvb6tOhQ+iZm9i/WTdteOSq3c4khjtYYTyC0U88eDbOBeooA888yF+t/0UxRT/np7P7W
X-Received: by 2002:a63:7c0b:: with SMTP id x11-v6mr18459486pgc.384.1526987856201; Tue, 22 May 2018 04:17:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526987856; cv=none; d=google.com; s=arc-20160816; b=jotNUqh782Or1fxX2A+r16K8REfifvVQHUFk5z9gyfBJuv9fVGAP0qgRPnjo4mlJlm 5YHfAR2j+kzg//ih9YB/fNpUmB729kKKSfQ5xmy85c9ocuiieMz1ecmflWftDgmq0zZt ua3SRaWu+/U51hn2R73K/de9iT02t1D57414RVDakaMz2x2Ff/mf+JjI+1+HSBH4ks0c Mt/Ch7XCfglJUNJl2qNlsBwzd2es8/8rWynsVjdv6BfyYMYTWc5Vda9xPSfUfZJZRTwM IoSDNFFFcgvewA9H8VXA04Cwoz9NY2SAysTZj9TyYRNJjI1C8zilRSMwrDytlSbZ9WoN 7bpQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:subject:message-id:reply-to :from:date:arc-authentication-results; bh=LpXfDxdLzWxwHrFw1Qk9sqc0koHX4eJzLDY8tHHwhoo=; b=hOlAaQ8hWmtbEqeXcXlD0sYdvmdc30qlaSZMbFzJ+6d2giVZqBMmbmBVpMHj4KoQiO RLPsiMKUgcmBnHz8CeqGeJIjU+Zx78n91u+2hJRwIlmsVz7DXdXoWouGMvFNVwdU0LQZ 6GQehGfouDlQGGKOHI+XO4IvcWjgt94jseISgkqAPFx351PaFRYBpFlvnaOtYr8yD1Lc GYzktMwi0v9FVN1HZyX9lojZgz5fnqsJ0D/d1FjPiAdHQekp5QrcLfT1ehd161lEYL0P 7IxJLb8dgGDSG+1BNCrAJffzoPYGyTsD+l7Qyl16mqbM9hNktalB1qTiXvluMpBaSpcj 815Q==
ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) smtp.mailfrom=www.@miracle.ocn.ne.jp
Return-Path: <www.@miracle.ocn.ne.jp>
Received: from mbkd0214.ocn.ad.jp (mbkd0214.ocn.ad.jp. [153.149.233.15]) by mx.google.com with ESMTP id z18-v6si16038914pfd.357.2018.05.22.04.17.23; Tue, 22 May 2018 04:17:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) client-ip=153.149.233.15;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) smtp.mailfrom=www.@miracle.ocn.ne.jp
Received: from mf-smf-ucb035c3 (mf-smf-ucb035c3.ocn.ad.jp [153.153.66.232]) by mbkd0214.ocn.ad.jp (Postfix) with ESMTP id 0E1A418D8F6; Tue, 22 May 2018 20:17:23 +0900 (JST)
Received: from ntt.pod01.mv-mta-ucb022 ([153.149.142.85]) by mf-smf-ucb035c3 with ESMTP id L5IAfKI3F3vLcL5IAf4CBa; Tue, 22 May 2018 20:17:23 +0900
Received: from vcwebmail.ocn.ad.jp ([153.149.227.167]) by ntt.pod01.mv-mta-ucb022 with id pPHN1x00F3dLKTM01PHNBl; Tue, 22 May 2018 11:17:22 +0000
Received: from mzcstore202.ocn.ad.jp (mz-cb202p.ocn.ad.jp [180.8.111.9]) by vcwebmail.ocn.ad.jp (Postfix) with ESMTP; Tue, 22 May 2018 20:17:22 +0900 (JST)
Date: Tue, 22 May 2018 20:17:22 +0900 (JST)
From: "Mr.Emanuela Guidobaldi" <www.@miracle.ocn.ne.jp>
Reply-To: "Mr.Emanuela Guidobaldi" <ubabnk0012@live.fr>
Message-ID: <114857748.28834412.1526987842427.JavaMail.root@miracle.ocn.ne.jp>
Subject: Attention:My dear
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
X-Originating-IP: [197.234.221.192]

Attention:My dear
I waited for your message as you told me with none received. Remember, i supposed to have traveled last night but the weather is too bad. I will be leaving to Paraguay tomorrow. Meanwhile, contact the Bank manager with below address, i have kept the cheque with them at amount of USD4.5Million. They will either mail it to you or remit it for transfer depending on how you want it;
Mr.Emanuela Guidobaldi
united bank for Africa -(UBA)
E-EMAIL US:ubabnk0012@live.fr
petzl, posted May 23, 2018

Quote (Steve, 1 hour ago):
Of course it's an ocn.ne/ad.jp email. I don't bother reporting to them anymore because I find it pointless. I also reported it to netabuse (at) mtn.bj, but as you all know, they're notorious for not dealing with spam very well. I tried reporting to UBA's security email that I found doing a Google search, and this is the result Gmail's mailer-daemon sent back:

They have a lot of compromised accounts which they act on. Getting Japs to turn on Windows Defender is complicated? It would help if you learned what a SpamCop tracking URL was.
Steve, posted May 23, 2018

? Here's the Tracking URL. Feel free to remove what you need from the URL after examining the report: https://www.spamcop.net/sc?id=z6466108812zeb3430e28af1b6f93be3ffdc98bf48c7z
petzl, posted May 23, 2018

Quote (Steve, 2 hours ago):
? Here's the Tracking URL. Feel free to remove what you need from the URL after examining the report: https://www.spamcop.net/sc?id=z6466108812zeb3430e28af1b6f93be3ffdc98bf48c7z

That's better. "X-Originating-IP: [197.234.221.192]" is the botnet source; all their IPs are listed as a botnet. Yes, they are sent through a compromised OCN computer "153.149.227.167", but not reported.

Other hosts in this "neighborhood" with spam reports:
197.234.221.1 197.234.221.4 197.234.221.5 197.234.221.12 197.234.221.13 197.234.221.42 197.234.221.43 197.234.221.46 197.234.221.47 197.234.221.54 197.234.221.66 197.234.221.68 197.234.221.69 197.234.221.70 197.234.221.80 197.234.221.91 197.234.221.105 197.234.221.108 197.234.221.120 197.234.221.161 197.234.221.170 197.234.221.172 197.234.221.183 197.234.221.188 197.234.221.192 197.234.221.193 197.234.221.205 197.234.221.224 197.234.221.232 197.234.221.236 197.234.221.238 197.234.221.243 197.234.221.245
Steve, posted May 23, 2018

Quote (petzl, 7 hours ago):
That's better. "X-Originating-IP: [197.234.221.192]" is the botnet source; all their IPs are listed as a botnet. Yes, they are sent through a compromised OCN computer "153.149.227.167", but not reported. Other hosts in this "neighborhood" with spam reports: [list of 197.234.221.x addresses as above]

Why is it only blacklisted at abuseat and nowhere else? Is there a reason for that?
lisati, posted May 23, 2018

Quote (Steve, 4 hours ago):
Why is it only blacklisted at abuseat and nowhere else? Is there a reason for that?

If it's on abuseat's CBL list, it will usually find its way to Spamhaus's ZEN list as well; I think Spamhaus took the list over a year or two back. I'm also seeing listings on other lists as well.
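Added example, not code from any poster in this thread: it walks the Received chain of the message quoted above (a constructed, unfolded copy of those headers), shows that every hop is OCN-internal so only X-Originating-IP points back at the client, and builds the DNSBL query names for cbl.abuseat.org and zen.spamhaus.org, with the ZEN answer codes that explain why a CBL listing also appears under ZEN (the XBL component carries CBL data). Nothing is resolved over the network; the assumed header sample is embedded inline.

```python
import ipaddress
import re

# Constructed sample: the Received chain and X-Originating-IP of the message
# quoted in this thread, unfolded to one line per header (newest hop first).
SAMPLE_HEADERS = """\
Received: from mbkd0214.ocn.ad.jp (mbkd0214.ocn.ad.jp. [153.149.233.15]) by mx.google.com with ESMTP id z18-v6si16038914pfd.357; Tue, 22 May 2018 04:17:36 -0700 (PDT)
Received: from mf-smf-ucb035c3 (mf-smf-ucb035c3.ocn.ad.jp [153.153.66.232]) by mbkd0214.ocn.ad.jp (Postfix) with ESMTP id 0E1A418D8F6; Tue, 22 May 2018 20:17:23 +0900 (JST)
Received: from ntt.pod01.mv-mta-ucb022 ([153.149.142.85]) by mf-smf-ucb035c3 with ESMTP id L5IAfKI3F3vLcL5IAf4CBa; Tue, 22 May 2018 20:17:23 +0900
Received: from vcwebmail.ocn.ad.jp ([153.149.227.167]) by ntt.pod01.mv-mta-ucb022 with id pPHN1x00F3dLKTM01PHNBl; Tue, 22 May 2018 11:17:22 +0000
Received: from mzcstore202.ocn.ad.jp (mz-cb202p.ocn.ad.jp [180.8.111.9]) by vcwebmail.ocn.ad.jp (Postfix) with ESMTP; Tue, 22 May 2018 20:17:22 +0900 (JST)
X-Originating-IP: [197.234.221.192]
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RECEIVED_RE = re.compile(r"^Received: from (\S+).*?\[" + IPV4 + r"\]", re.M)
ORIG_IP_RE = re.compile(r"^X-Originating-IP: \[?" + IPV4, re.M)


def received_chain(headers):
    """(host, ip) per Received hop, earliest hop first (the one nearest the sender)."""
    hops = [(m.group(1), m.group(2)) for m in RECEIVED_RE.finditer(headers)]
    return hops[::-1]


def originating_ip(headers):
    """X-Originating-IP is typically added by a webmail front end and names the
    client that logged in; here every Received hop is an OCN-internal host, so
    this header is the only one that points back to the real sender."""
    m = ORIG_IP_RE.search(headers)
    return m.group(1) if m else None


def dnsbl_query_names(ip, zones=("cbl.abuseat.org", "zen.spamhaus.org")):
    """DNSBL lookups reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>.
    Names are returned, not resolved, so the example runs offline."""
    rev = ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))
    return [f"{rev}.{zone}" for zone in zones]


def describe_zen_answer(answer):
    """Map a zen.spamhaus.org A-record answer to the sub-list behind it.
    XBL (127.0.0.4 to .7) carries the CBL data, so a CBL hit shows up under ZEN."""
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL (includes CBL)"
    if last in (10, 11):
        return "PBL"
    return "unknown"
```

Run `dnsbl_query_names(originating_ip(SAMPLE_HEADERS))` to get the two names to resolve; an answer of 127.0.0.4 through 127.0.0.7 from ZEN is the CBL data lisati describes.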
petzl, posted May 24, 2018

Quote (lisati, 4 hours ago):
If it's on abuseat's CBL list, it will usually find its way to Spamhaus's ZEN list as well; I think Spamhaus took the list over a year or two back. I'm also seeing listings on other lists as well.

That is a public list which is available free to many ISPs; many have secret blocklists that are never known by anyone but them.
Steve, posted May 24, 2018

Quote (petzl, 18 hours ago):
That's better. "X-Originating-IP: [197.234.221.192]" is the botnet source; all their IPs are listed as a botnet. Yes, they are sent through a compromised OCN computer "153.149.227.167", but not reported. Other hosts in this "neighborhood" with spam reports: [list of 197.234.221.x addresses as above]

Are emails with this string of IP addresses originating from Benin, and OCN is just used to send the emails?
lisati, posted May 24, 2018

Quote (petzl, 3 hours ago):
That is a public list which is available free to many ISPs; many have secret blocklists that are never known by anyone but them.

True. When I was running my own email server a few years back, I had what amounted to private blacklists, hidden from public view until an incoming email ran foul of the filtering I had in place. I never got round to running a DNSBL/RBL.
petzl, posted May 24, 2018

Quote (Steve, 16 hours ago):
Are emails with this string of IP addresses originating from Benin, and OCN is just used to send the emails?

https://www.talosintelligence.com/reputation_center/lookup?search=197.234.221.192

They have port 25 blocked, so SpamCop is finding the source IP? Seems like near their entire IP range. CBL are saying their email servers themselves are infected with "sendsafe".
Steve, posted May 25, 2018

Quote (petzl, 7 hours ago):
https://www.talosintelligence.com/reputation_center/lookup?search=197.234.221.192
They have port 25 blocked, so SpamCop is finding the source IP? Seems like near their entire IP range. CBL are saying their email servers themselves are infected with "sendsafe".

Why is this?
petzl, posted May 25, 2018

Quote (Steve, 5 hours ago):
Why is this?

Crime gang running ISP?