
Any point in reporting spam from AMAZONAWS?


MDMesser001


20 hours ago, goodnerd said:

tons of lines of hidden text in the message body

Yes, that’s what the jerks I’m dealing with do. It’s in <style> tagged sections. Not sure why they do that, except when it is really long SpamCop “truncates” and then the spammer links are removed if they follow the </style> closing tag. So the target spam sites are not reported in that case. I would just delete most of the “style padding text”. Now I forward the whole thing as an attachment and it seems to work well.

Edited by Hanco
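The truncation problem described in the post above, as an added example that is not part of the original thread: it drops `<style>` padding from a spam body before reporting so that links placed after `</style>` survive a size cut-off. The limit `ASSUMED_LIMIT`, the sample body and the `.example` hosts are constructed for the demonstration; the thread does not state the real threshold of any reporting service.

```python
import re
from html.parser import HTMLParser

# Hypothetical size limit, for demonstration only (not a documented value).
ASSUMED_LIMIT = 4096

# A complete <style>...</style> block, and a <style> that is never closed.
STYLE_BLOCK = re.compile(r"<style\b[^>]*>.*?</style\s*>", re.IGNORECASE | re.DOTALL)
UNCLOSED_STYLE = re.compile(r"<style\b[^>]*>.*\Z", re.IGNORECASE | re.DOTALL)


class LinkCollector(HTMLParser):
    """Collect absolute http(s) URLs from href/src attributes, in order."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                if value.lower().startswith(("http://", "https://")):
                    self.links.append(value)


def extract_links(html):
    """Return the URLs a parser can still see in this body."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return collector.links


def truncate(html, limit=ASSUMED_LIMIT):
    """Cut the body at a byte limit, the way a size-capped submission would."""
    return html.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def strip_style_padding(html):
    """Remove style blocks; return (cleaned_body, characters_removed)."""
    removed = 0

    def _drop(match):
        nonlocal removed
        removed += len(match.group(0))
        return ""

    cleaned = STYLE_BLOCK.sub(_drop, html)
    # Anything after an unclosed <style> is style text to a browser as well.
    cleaned = UNCLOSED_STYLE.sub(_drop, cleaned)
    return cleaned, removed


def links_surviving(html, limit=ASSUMED_LIMIT):
    """Links that remain visible after the body is cut at the limit."""
    return extract_links(truncate(html, limit))


def build_sample():
    """Constructed spam body: large style padding first, links after it."""
    padding = "".join(".x%d{color:#fff}/* filler text */\n" % i for i in range(400))
    return (
        "<html><head><style>" + padding + "</style></head><body>"
        '<a href="http://redirect.example/offer">Claim</a>'
        '<img src="http://tracker.example/p.gif">'
        "</body></html>"
    )


if __name__ == "__main__":
    body = build_sample()
    print("links visible in truncated original:", links_surviving(body))
    cleaned, removed = strip_style_padding(body)
    print("padding characters removed:", removed)
    print("links visible in truncated cleaned body:", links_surviving(cleaned))
```
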


This same spammer (who is using the stolen email address list from the Google server hack a few years back) is also harvesting email addresses off of domain WHOIS data for the purpose of sending the spams.  Ironically - they are now sending out fake Amazon alerts for a $500 gift card.  I let Amazonaws know that their little pet client has now started forging their company name as well. 

 

Here's what I have as far as the infamous Amazonaws/sendgrid/fake yelp client:

As we know, the spams are using multiple redirects.  I follow the redirects and record them and started a list of websites involved.  99% of the websites use WHOIS privacy protection to hide the names but the ones that didn't were registered to:

Jared Forbush


318 West 250 South
Kaysville, UT 84037
Phone 801-903-2948
DBA: 4BUSH HOLDINGS LLC
(https://secure.utah.gov/bes/details.html?entity=10989925-0160)
FTC has already issued warnings to him regarding his websites: https://www.ftc.gov/system/files/documents/foia_requests/foia-2019-01289_warning_letters_sent_to_cbd_companies_9-30-19.pdf

Second group of spams were:

One Technologies, LLC
8144 Walnut Hill Lane Suite 600
Dallas TX 75231-4388
https://www.bbb.org/us/tx/dallas/profile/internet-marketing-services/one-technologies-llc-0875-90008571/customer-reviews The FTC tagged them as well but they are back at their old tricks: https://www.ftc.gov/system/files/documents/cases/141121onetechstip.pdf

The websites that were owned by these two are most, if not all of the ones listed in the Amazonaws spams, at least the 1200+ that I have received so far this year.
I have notified the FTC agents listed in the PDF documents and sent them samples of the spams being sent through our amazonaws friend but have not received a response.

I have also notified all of the corporations the Amazonaws spammer forges and poses as.  I send direct emails to their legal and copyright departments.

 

 

Edited by goodnerd

6 minutes ago, goodnerd said:

they are now sending out fake Amazon alerts for a $500 gift card

That’s what I just received too. Is this what you see?

Authentication-Results: spf=none (sender IP is 3.87.161.210)
 smtp.mailfrom=qzujrUyC.de; hotmail.com; dkim=none (message not signed)
 header.d=none;hotmail.com; dmarc=none action=none header.from=kEPMpuhj.de;
Received-SPF: None (protection.outlook.com: qzujrUyC.de does not designate
 permitted sender hosts)

I have also historically followed the redirects. Less so now. They are using VPSVILLE.RU for some hosting I think. A lot (a heck of a lot) of now-dns free redirect services I think also (and never get killed for abuse by either the Russian host or the DNS service).

3.87.161.210 is the Amazonaws contribution to the crap from these jerks. On this email anyway.

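The `Authentication-Results` header quoted in the post above can be read mechanically when triaging a report. This is an added example, not code from the thread: it parses that header (copied from the post) and a second, constructed header for contrast, and pulls out the sending IP, the SPF/DKIM/DMARC results and whether the envelope sender and the visible From domain differ. The function names are hypothetical, and the "sender IP is" comment format is assumed to be the one shown in the post.

```python
import re

# Header as quoted in the post above.
PAGE_HEADER = (
    "Authentication-Results: spf=none (sender IP is 3.87.161.210)\n"
    " smtp.mailfrom=qzujrUyC.de; hotmail.com; dkim=none (message not signed)\n"
    " header.d=none;hotmail.com; dmarc=none action=none header.from=kEPMpuhj.de;\n"
)

# Constructed header for contrast (documentation IP and example domain).
CONSTRUCTED_PASS_HEADER = (
    "Authentication-Results: spf=pass (sender IP is 192.0.2.10)\n"
    " smtp.mailfrom=example.org; dkim=pass (signature was verified)\n"
    " header.d=example.org; dmarc=pass action=none header.from=example.org;\n"
)


def parse_authentication_results(raw):
    """Parse one folded Authentication-Results header into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    name, _, value = unfolded.partition(":")
    if name.strip().lower() != "authentication-results":
        raise ValueError("not an Authentication-Results header")

    # The receiving server records the connecting IP inside a comment.
    ip_match = re.search(r"sender IP is ([0-9A-Fa-f:.]+)", value)
    sender_ip = ip_match.group(1) if ip_match else None

    # Drop parenthesised comments, then split into method clauses.
    value = re.sub(r"\([^()]*\)", " ", value)
    methods = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # empty clause or the authserv-id (e.g. "hotmail.com")
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method.lower()] = {"result": result.lower(), **props}
    return {"sender_ip": sender_ip, "methods": methods}


def domain_of(value):
    """Lower-cased domain part of an address or bare domain, or None."""
    if not value:
        return None
    return value.rsplit("@", 1)[-1].strip("<>").lower()


def triage(parsed):
    """Summarise what matters for an abuse report."""
    methods = parsed["methods"]
    unauthenticated = [
        name for name in ("spf", "dkim", "dmarc")
        if methods.get(name, {}).get("result", "none") == "none"
    ]
    envelope = domain_of(methods.get("spf", {}).get("smtp.mailfrom"))
    visible = domain_of(methods.get("dmarc", {}).get("header.from"))
    return {
        "report_ip": parsed["sender_ip"],
        "unauthenticated": unauthenticated,
        "envelope_domain": envelope,
        "from_domain": visible,
        # Exact string comparison, not organizational-domain alignment.
        "from_mismatch": bool(envelope and visible and envelope != visible),
    }


if __name__ == "__main__":
    for header in (PAGE_HEADER, CONSTRUCTED_PASS_HEADER):
        print(triage(parse_authentication_results(header)))
```
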

Namecheap is the registrar of choice for the Amazonaws spammer. This is because Namecheap will not take action on their client as long as they use non-Namecheap servers to send out the spams and viruses. It was not until I started Cc'ing the complaints to the Arizona Attorney General (consumerinfo@azag.gov and mark.brnovich@azag.gov) that Namecheap did any more than give me the generic response of how even though the domains are registered and protected through Namecheap they would not suspend any domain as long as the criminal uses other means to spam and commit fraud.

Now Namecheap will suspend the domain after multiple complaints but only if they start appearing on blacklists.  Even then it takes them days and sometimes weeks to take action.

The Amazonaws spammer uses the following domains which are the websites the redirects and shortcuts eventually end up at:
(the ones with the # next to it were using Twitter redirects)


 


Here's a list of the Amazonaws Twitter accounts.
I was able to get three of them suspended but "Twitter doesn't care about spam reports" so the others are still active.  Some are old though.
This spammer had even set up a fake Twitter account using my email address for the use of creating redirects!


 


15 minutes ago, Hanco said:

That’s what I just received too. Is this what you see?

Authentication-Results: spf=none (sender IP is 3.87.161.210)
 smtp.mailfrom=qzujrUyC.de; hotmail.com; dkim=none (message not signed)
 header.d=none;hotmail.com; dmarc=none action=none header.from=kEPMpuhj.de;
Received-SPF: None (protection.outlook.com: qzujrUyC.de does not designate
 permitted sender hosts)

I have also historically followed the redirects. Less so now. They are using VPSVILLE.RU for some hosting I think. A lot (a heck of a lot) of now-dns free redirect services I think also (and never get killed for abuse by either the Russian host or the DNS service).

3.87.161.210 is the Amazonaws contribution to the crap from these jerks. On this email anyway.

No - mine is as follows:

Quote

Received: from localhost ([192.119.64.124]) by home with MailEnable ESMTP; Mon, 18 Nov 2019 15:19:35 -0700
Content-Type: multipart/alternative;
 boundary="===============8470287868279491287=="
MIME-Version: 1.0
From: valerie@bluhostmx.xyz
To: #######################
Subject: Someone has sent you a $500 Amazon Giftcard
Date: Mon, 18 Nov 2019 22:19:10 +0000
Message-Id: <157411555031.5522.14499642001909573174@bluhostmx.xyz>
DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/simple; d=bluhostmx.xyz;
 i=@bluhostmx.xyz; q=dns/txt; s=default; t=1574115550; h=to : from :
 subject : date : message-id;
 bh=5QsAEqzodDqyQ4JxFmtgRSEvo4hseVxrSLmgJzdJi5w=;

 

Sometimes the sites have metadata that is in Russian. They also use a lot of Hungarian sites and they seem to have an odd hankering for domains registered with the .pw extension.

Bluhostmx.xyz is now listed on multiple blacklists. I have pointed this out to Namecheap so hopefully they will suspend that domain name as well.

After some real battles with Namecheap they suspended the Amazonaws account domains of:


But the list of accounts is huge - far more than what I posted on here.

 

Edited by goodnerd

Oh wow... I recognize a lot of that!

It’s comforting to see I’m not the only one who’s fighting these guys.

Namecheap very quickly acts when SURBL shows the domain blacklisted, but you are right... in general they’ll do nothing otherwise.

I've caught this jerk using a new domain the day it was created. Even then Namecheap pushed back often, though that improved and now they seem more willing to consider the obvious (how did a bad actor get access to a domain, randomly, the day it was created!)

For a while I was working closely with SURBL but the volume was so high and it seems I triggered a false positive so back to going thru SC for reporting.

I don’t know WHY Amazon either thinks this is ok (they claim they don’t think that) or why they cannot stop it happening.


hwmanymore.com 
esayant.info

Both of these I got notified were suspended 10/30 after a couple of complaints and seeing them blacklisted.

Do you see this in your abuse emails? (Notice “we f u” / “we f you” in the path/folder!!)

storage.googleapis.com and this particular folder seem a popular process for this idiot. And Google (network-abuse@google.com) does nothing despite report volume sent.

https://storage.googleapis.com/eiwufhiwehifiwefiewfyuwefuwefuywefuwefyuwefu/reverse_mr.html

This I found interesting for a few minutes at https://storage.googleapis.com/eiwufhiwehifiwefiewfyuwefuwefuywefuwefyuwefu/ (CURL output)

It seems to be a list of most of the spam I get, though I don’t think I get all of what is listed:

:37.989Z</LastModified><ETag>"00abe041c524a34162bb8c688ea01686"</ETag><Size>2028</Size></Contents><Contents><Key>traxtatrrumpcarreediccare.html</Key><Generation>1573133157907162</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-07T13:25:57.906Z</LastModified><ETag>"28f0393737424563ff5e679fbb75909e"</ETag><Size>329</Size></Contents><Contents><Key>traxtaxMontezuma__5.html</Key><Generation>1572977264197821</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-05T18:07:44.197Z</LastModified><ETag>"914dc077c3e6060d65c785f9602ed3bc"</ETag><Size>327</Size></Contents><Contents><Key>un.PNG</Key><Generation>1572526747671643</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-10-31T12:59:07.671Z</LastModified><ETag>"1eaa28f15f4b0983b426e2a2edb4d2cd"</ETag><Size>3130</Size></Contents><Contents><Key>un_bejsamsclubv1.html</Key><Generation>1573756613027315</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-14T18:36:53.027Z</LastModified><ETag>"9c953a92a50747dba893e0058c293ea7"</ETag><Size>335</Size></Contents><Contents><Key>uncvs.jpg</Key><Generation>1573650900286112</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-13T13:15:00.285Z</LastModified><ETag>"2313d430017f2257858070f8bfaaaacd"</ETag><Size>5247</Size></Contents><Contents><Key>unsams.jpg</Key><Generation>1573737032059410</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-14T13:10:32.059Z</LastModified><ETag>"2313d430017f2257858070f8bfaaaacd"</ETag><Size>5247</Size></Contents><Contents><Key>unschoice.html</Key><Generation>1571184229065428</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-10-16T00:03:49.065Z</LastModified><ETag>"f860cde78e66517d141dcb583697cbef"</ETag><Size>331</Size></Contents><Contents><Key>unsub_bejcvsv1.html</Key><Generation>1573759453955603</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-14T19:24:13.955Z</LastModified><ETag>"1278bc3fb0716f98bb4fecd39c95ba2c"</ETag><Size>321
</Size></Contents><Contents><Key>unsub_steadlthdattrraction.html</Key><Generation>1573829761105265</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-15T14:56:01.105Z</LastModified><ETag>"f864a1577e742ec8e89703480a080d16"</ETag><Size>429</Size></Contents><Contents><Key>unsubyahya_ShadowBox.html</Key><Generation>1573842707181850</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-15T18:31:47.181Z</LastModified><ETag>"28ee464b7f9c5420bb3b49a497adf954"</ETag><Size>429</Size></Contents><Contents><Key>unsubyahya_montezumasecret15.html</Key><Generation>1573838546091025</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-15T17:22:26.090Z</LastModified><ETag>"4bd98bf052120e24ddbce83ad05858ab"</ETag><Size>429</Size></Contents><Contents><Key>vixia.jpg</Key><Generation>1571506994451771</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-10-19T17:43:14.451Z</LastModified><ETag>"c22e5c50bf59bc02445e3e69824f010d"</ETag><Size>76770</Size></Contents><Contents><Key>walgreen.png</Key><Generation>1573745760829977</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-14T15:36:00.829Z</LastModified><ETag>"8e2acd90ed8edb5b792f39df4192cccc"</ETag><Size>630499</Size></Contents><Contents><Key>workout_warrior.html</Key><Generation>1572483005654064</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-10-31T00:50:05.653Z</LastModified><ETag>"e9f27e6a3805f5803d9ae5346c58ac9a"</ETag><Size>329</Size></Contents><Contents><Key>yahya_ShadowBox.html</Key><Generation>1573842707289370</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-15T18:31:47.289Z</LastModified><ETag>"a34e667c6da4c80ef8da79b0c5e8db96"</ETag><Size>443</Size></Contents><Contents><Key>yahya_montezumasecret15.html</Key><Generation>1573838546396599</Generation><MetaGeneration>1</MetaGeneration><LastModified>2019-11-15T17:22:26.396Z</LastModified><ETag>"c0e49452e37ec11bc29a205d2828c6a1"</ETag><Size>443</Size></Contents></ListBucketRes
ult>


The Amazonaws spammer also loves to use Yandex and Mail.ru for addresses, though for some reason he mainly uses ocn.jp servers for the phishing and advance fee fraud spams.

Have you received batches of Amazonaws spams that have the titles:
"Your confirmation to join our "Adult site"
"Your request to be unsubscribe !"
"Request to be removed from our mailing list"

and ones similar? This is all the same Amazonaws spammer as well. The ones with those titles have 22-24 email addresses under the reply-to. I have found that when I filed separate direct complaints the email accounts would get suspended. My latest battle is with these addresses (see if they match yours) - all of these addresses are listed as the reply-to address on every one of the spams that require a reply:


This is all one person.

 


It's really great to see that someone else is trying to get Namecheap to stop helping this Amazonaws criminal continue their crime spree!

I would love to see the Namecheap legal and abuse cohorts Oleg V. and Vlad V. brought before a judge and get charged in aiding and abetting once this goes to trial... and I'm really hoping this one does.

I have not noticed the "we f u" in the paths... I'll have to keep an eye out for that one!

One of the runs of Amazonaws spams actually munged the links to make it look like a federal website of studentaid.ed.gov when in fact it is just a bitly redirect to another one of their scam websites.
Bit.ly is HORRIBLE on their spam monitoring.  They don't care at all either and are as bad as Twitter.
Imgur is quick to take down the images.  I file them directly at https://imgur.com/removalrequest

 


31 minutes ago, goodnerd said:

Have you received batches of Amazonaws spams that have the titles:
"Your confirmation to join our "Adult site"
"Your request to be unsubscribe !"
"Request to be removed from our mailing list"

Not this time around. Earlier in the year I did get a bunch of unsubscribe verbiage emails. Eventually the spam stopped. I did not reply to the spam emails. I just don’t, ever!!

 


36 minutes ago, goodnerd said:

Yandex accounts:

I used to get a lot of Yandex emails. It’s fallen significantly. Rare to see a Yandex reply to now for me. But generally I don’t look at the reply to emails. If I had more time I’d really get into this! 


Response from Sendgrid:

 

Quote

 

Hello,

Thank you for taking the time to send this message to the Twilio-SendGrid Compliance Team.

This is not one of our clients and is an issue we are aware of. It seems to be a part of a very organized criminal operation, and, as you pointed out, the messages are being forged from potentially multiple email headers, including ours.

The malicious sender is using an old SendGrid email header and has manipulated and changed the content. You can see this by looking at the first Received: event in the header of the message, which has an original processed date of 02-13-2019.


ismtpd0011p1las1.sendgrid.net (SG) with ESMTP id jxq4wpsYRtSCL30cEOF67Q
    for <KVNJr.NVZz@gmail.com>; Wed, 13 Feb 2019 15:44:32.244 +0000 (UTC)

 

I would assume your address is part of this malicious sender's list. We've had this happen to some recipients before, and the best thing you can do is to

1) not open the emails
2) report the messages as spam to your inbox provider, and
3) do not try to unsubscribe or engage with the sender in any way.

Unfortunately, opening the messages to send them to us often marks you as an "engager" on the spammer's list, and can lead you to getting even more spam mail.

Since we are not processing these messages, there is little we can do except report to various hosting providers and agencies like you mentioned.

Thank you again for reaching out and please let us know if there is anything else we can help with.

 

 

 

Edited by goodnerd
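The check described in the SendGrid reply above, comparing the date on the first (bottom) Received: line with the date the message was actually delivered, as an added example that is not part of the original posts or SendGrid's own tooling. The sample message, its hosts and addresses, and the 7-day threshold are constructed assumptions.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (hosts, addresses and IDs are made up).
# Received headers are prepended in transit: the top one was written by the
# recipient's own server, the bottom one claims to be the first hop.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [203.0.113.7])
\tby mx.recipient.example with ESMTPS id abc123
\tfor <user@recipient.example>; Fri, 15 Nov 2019 18:40:02 +0000 (UTC)
Received: by filter0001.esp.example with SMTP id filter0001-1234;
\tWed, 13 Feb 2019 15:44:32.901 +0000 (UTC)
Received: from app.esp.example (unknown [198.51.100.9])
\tby ismtpd0001.esp.example (SG) with ESMTP id CONSTRUCTEDID
\tfor <user@recipient.example>; Wed, 13 Feb 2019 15:44:32.244 +0000 (UTC)
From: "Offers" <offers@sender.example>
To: user@recipient.example
Subject: constructed sample

body
"""


def hop_time(received_value):
    """Return the timestamp after the last ';' of one Received header, or None."""
    stamp = received_value.rpartition(";")[2]
    stamp = re.sub(r"\([^)]*\)", " ", stamp)                   # drop "(UTC)" comments
    stamp = re.sub(r"(\d{2}:\d{2}:\d{2})\.\d+", r"\1", stamp)  # drop fractional seconds
    try:
        when = parsedate_to_datetime(" ".join(stamp.split()))
    except (TypeError, ValueError):
        return None
    # Treat a timestamp without a usable zone as UTC so hops can be compared.
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def stale_hops(raw_message, max_age=timedelta(days=7)):
    """List (index, timestamp, age) for hops dated more than max_age before delivery.

    Index 0 is the top (newest) Received header, which the receiving server
    wrote itself and is the only one the recipient can trust. max_age is an
    assumed threshold, chosen to be longer than ordinary retry queues.
    """
    values = message_from_string(raw_message).get_all("Received") or []
    times = [hop_time(v) for v in values]
    if not times or times[0] is None:
        return []
    delivered = times[0]
    return [(i, t, delivered - t)
            for i, t in enumerate(times[1:], start=1)
            if t is not None and delivered - t > max_age]


if __name__ == "__main__":
    for index, when, age in stale_hops(SAMPLE):
        print(f"hop {index}: {when.isoformat()} is {age.days} days before delivery")
```

A hop flagged here means the lower Received lines were copied from an older message, so only the top header's connecting IP is useful for an abuse report.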

5 hours ago, goodnerd said:

Thank you again for reaching out and please let us know if there is anything else we can help with.

Try to send a SpamCop Track to see these headers?
Would help if Sendgrid shut down; they are a spammers' paradise!
Their advice is lousy, like their allowing DDoS attacks on email accounts.
Gmail have an email spam cut-off point where, with an overdose, they disable your account with no warning.
from their website

Quote

https://sendgrid.com/marketing/sendgrid-services-cro/
Try it out! Send 40,000 emails for 30 days, then 100/day forever.
Sign up for free. No credit card required.
 

Seems that there is a connection to amazonaws as their IP is always stamped as the injection point?
https://www.spamcop.net/sc?id=z6588724520zeaff576385f38c9a53fea8a2da697254z
email server (look for yelp in headers name of server)
167.89.8.98 abuse[]sendgrid.com
injection (look for AWS in headers)
3.134.0.217 abuse[]amazonaws.com

Edited by petzl

  • 3 weeks later...

This lady/guy is on point. Some of the sites they mention are the same as I have seen.

The sweetsumner-dot-com domain mentioned is one of the rare appearances of a domain without Domains By Proxy or another privacy-hiding layer.

The address for VanillaMud is a UPS store.

Does ICANN permit the use of mailbox providers for registration details for domain owners? I would like to get the details for the true owner, but is that possible in the United States? Does it require a lawyer's involvement?

Tech Contact Support Admin 
VanillaMud 
18766 John J Williams Hwy , #270, 
Rehoboth Beach, DE, 19971, us 

  • 4 weeks later...

Hello,

I'm getting bombarded with their spam too. Are you guys also getting tens of mails per day?

I've tried automatically reporting every email I get to AWS, so far I've forwarded them over 300 instances of such mail. They however don't seem to take this issue seriously, and take days to validate each abuse. They always say they have resolved the issue, but it really doesn't seem like they did anything at all.

I've also been automatically forwarding the bit.ly links to bitly directly, but I've never got a reply to my mails and they don't seem to have taken any action.

I've also tried contacting Namecheap, but they completely ignore "spamvertising" and bounce me back.

I've also tried to contact the hosting provider they use (A record of the PW domains) and also A2Hosting (A record of the destination URL to *.vip domains), but to no avail.

 

Have you guys had any better luck?


10 hours ago, TiredOfYelp said:

I'm getting bombarded with their spam too. Are you guys also getting tens of mails per day?

Would help if you could send ONE SpamCop tracking URL
https://www.spamcop.net/sc?id=z6604938278z71b6ef1a81f29722e4620c90d9fb479ez
I report/forward with spam text, from email account directly to
abusexamazon.com abusexsendgrid.com phishing-reportxus-cert.gov spamxuce.gov stop-spoofingxamazon.com (replace "x" with @)

With this message (hasn't stopped the spam but reduced it a lot)

Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS 
Banned all Amazon and subsidiaries purchases because of inept AWS abuse responses to AmazonAWS DDoS multiple IP email attacks 

email server  
167.89.8.98 abuseXsendgrid.com  
injection  
44.227.253.148 abuseXamazonaws.com

Edited by petzl

7 hours ago, TiredOfYelp said:

1st 
167.89.8.98 sendgrid email server SpamCop don't pickup?
35.182.184.76 amazon botnet 
2nd
167.89.8.98 sendgrid email server SpamCop don't pickup?
35.182.184.76 amazon botnet


  • 2 weeks later...
14 hours ago, TiredOfYelp said:

Sendgrid is a false, injected signature.

 

I've successfully got 1 of their phishing domains suspended, I'm still reporting and engaging to whoever offers them any kind of service.

I've recently got tons of spam from Amazon owned domains. Can't send or forward the spam manually since they ask for additional information; apparently sending the whole spam e-mail and the sending IP isn't enough for them.


9 hours ago, klappa said:

I've recently got tons of spam from Amazon owned domains. Can't send or forward the spam manually since they ask for additional information; apparently sending the whole spam e-mail and the sending IP isn't enough for them.

Same for the rest of the planet I forward abuse report to "abuse at amazon com" direct from my Gmail where it arrives
Google make it easy first I put Amazon source and a sendgrid IP (may be may not be spoofed) .
Gmail always put the IP that they received it on Open "See original"
SPF:    PASS with IP 54.240.13.49   IP from Amazon AutoACK

Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS 
Banned all Amazon and subsidiaries purchases because of inept AWS abuse responses to AmazonAWS DDoS multiple IP email attacks 

email server  
167.89.8.98 abuseXsendgridXcom  
injection  
52.45.146.143  abuseXamazonawsXcom

THEN space, click "copy to clipboard" and paste it below my "preamble"

 

Edited by petzl

9 hours ago, klappa said:

since they ask for  addition information, apparently send the whole spam e-mail and the send IP isn't enough for them.

I am guessing this is because amazon appears to be rotating public IPs every minute. They seem to want to know the minute and since I have NTP enabled, it should make it just fine into their systems. I wish that they would just enable IPv6 and stop with the NAT stuff.


18 minutes ago, gnarlymarley said:

 I wish that they would just enable IPv6 and stop with the NAT stuff.

It looks to me Amazon must block port 25 to prevent viruses and spam tools managing to connect directly from infected machines through their NAT?
 
