Any point in reporting spam from AMAZONAWS?

[klappa]

22 hours ago, petzl said:

Same for the rest of the planet I forward abuse report to "abuse at amazon com" direct from my Gmail where it arrives
Google make it easy first I put Amazon source and a sendgrid IP (may be may not be spoofed) .
Gmail always put the IP that they received it on Open "See original"
SPF:    PASS with IP 54.240.13.49   IP from Amazon AutoACK

Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS 
Banned all Amazon and subsidiaries purchases because of inept AWS abuse responses to AmazonAWS DDoS multiple IP email attacks 

email server  
167.89.8.98 abuseXsendgridXcom  
injection  
52.45.146.143  abuseXamazonawsXcom
THEN space click "copy to clipboard" and past it below my "preamble"

 

I don't get it I only get the sender IP. Is that the injection?

How should i put the message to them? Mentioning it's a bot spam operator doesn't help.

[petzl]

6 minutes ago, klappa said:

I don't get it I only get the sender IP. Is that the injection?

167.89.8.98 is often in headers but probbaly spoofed
Gmail tell you the IP they recieved email from
Someone working for Amazon have a infected computer

Everyone in Amazon simply have to run a malware scan to fix it blocking port 25 would stop it as well.

[gnarlymarley]

On 1/14/2020 at 3:16 PM, petzl said:

It looks to me Amazon must block port 25 to prevent viruses and spam tools managing to connect directly from infected machines through their NAT?

Ah, but it appears that one can request port 25 to be unblocked.  I am not sure if there is a related fee or if it is free.

[RobiBue]

interesting read about the ports:

https://pepipost.com/blog/smtp-port-25/

and

https://pepipost.com/blog/25-465-587-2525-choose-the-right-smtp-port/

the former has a typo where it addresses port 467 (which is wrong as it is port 465) but in either case, that port schould not be used anyway  

[petzl]

2 hours ago, gnarlymarley said:

Ah, but it appears that one can request port 25 to be unblocked.  I am not sure if there is a related fee or if it is free.

These are Amazon IP's so it is up to Amazon to fix or not their spam problem.
I assume it is from inside Amazon Corp.

Edited January 16, 2020 by petzl

[gnarlymarley]

13 hours ago, petzl said:

These are Amazon IP's so it is up to Amazon to fix or not their spam problem.

And hopefully they would revoke the port 25 being open if they previous opened it and close it back down.  Yes, it is up to them to fix.

[TiredOfYelp]

This week the spammer is testing out to move the spam off the *YELP*.com domain, and off AWS servers.

The new spam campaign comes from a fake @yandex.ru address.
The spam comes from 192.236.177.29 (Hostwinds.com) and the redirects are made directly on an IP, 2.56.8.182 hosted with SonicFast.io.

SonicFast.io has never replied to my emails before.

https://www.spamcop.net/sc?id=z6609186119ze4f213952850b7dd24f8b2514aca38e0z

[petzl]

On 1/18/2020 at 7:33 AM, TiredOfYelp said:

This week the spammer is testing out to move the spam off the *YELP*.com domain, and off AWS servers.

The new spam campaign comes from a fake @yandex.ru address.
The spam comes from 192.236.177.29

Just got a couple today from Amazon
https://www.spamcop.net/sc?id=z6609487289z0285b33932067f7daed6ceaeb71b8f51z

[gnarlymarley]

On 1/18/2020 at 9:32 PM, petzl said:

Just got a couple today from Amazon

Interesting that my amazon spam has nearly all stopped after I had submitted ten reports in a four day period.

On 11/28/2018 at 2:33 PM, its8up said:

You could manually forward spam reports, but the people in the abuse@amazonaws department are USELESS.  Try sending a copy of the full header/email to stop-spoofing@amazon dot com.

What I also find is interesting is that I had one come back where the tech support person was not familiar with the date/time format in email headers and they needed it defined separately.

* Complete, accurate timestamps of the activity including:
    - Date
    - Time
    - Time Zone
* Full e-mail header and HTML content of the spam message

 

[petzl]

2 hours ago, gnarlymarley said:

Interesting that my amazon spam has nearly all stopped after I had submitted ten reports in a four day period.

Nearly all stopped for me also after forwarding their spam back at them with a nerdy note!
That said I still get the odd multiple spam splurge at once all from different IP's 
Something wrong with their security. Possibly one of their home connected WiFi gadgets?

[gnarlymarley]

23 hours ago, petzl said:

 That said I still get the odd multiple spam splurge at once all from different IP's 

I do find it interesting that I still get the occasional spam from a specific "claimed" helo name and from.  Seems like the spammer is able to stand up new EC2 instances almost as soon as amazon "claims" they are resolved the issue.

[Keats]

I've also started getting this rubbish in the last few weeks...

On receiving each one (to my Gmail address), I do the following:

Hit "Show Original", and copy the header info.

Come to SpamCop and enter it, as usual. I also report the IP address(es) at abuseipdb.com

Forward the original message to the following addresses: ec2-abuse at amazon.com , email-abuse at amazon.com , abuse at amazonaws.com , abuse at google.com , and network-abuse at google.com , after pasting the header info in. 

If the phishing e-mail purports to be from a well-known company - Costco, PayPal, Chase Bank, etc - I also forward it to whatever their abuse / anti-phishing report address is.

I've noticed that the latest batches now also include cisco.com and yelp.com addresses.

 

[goodnerd]

I do as well.  I typically include the registrars in with the complaints as well.  If it's GoDaddy, I file the spam directly on their website's abuse link.  The other 99% goes to the blackhole abuse department at Namecheap.  I let the registrars know they are providing services to a group engaging in spam and ID theft emails, along with posing as various companies and using their copyrighted logos.

I also use https://support.aws.amazon.com/#/contacts/report-abuse  This gets a case number assigned and they usually even follow up with (canned) response, but at least it gets the spammer IP shut down.... even if it's only for a few days.

 

[Hanco]

If the parasite uses Imgur.com to host images, send a report at the link below, reporting the ad. They are responsive. You’ll get a confirmation of opened ticket first (almost instantaneously) and later a confirmation of deletion, sometimes within minutes and I find always under 12 hours.

https://help.imgur.com/hc/en-us/requests/new

Another host they commit theft of resources with against their terms of service is Zupimages.net

Email the spam email image link(s) to the address below. They used to take time to reply but now they just delete, which is fine by me. They delete almost always very quickly.

contact a-t zupimages.net

 

[goodnerd]

They also have a direct page at https://imgur.com/removalrequest

Imgur is very good at promptly taking action.

[Hanco]

1 hour ago, goodnerd said:

They also have a direct page at https://imgur.com/removalrequest

Imgur is very good at promptly taking action.

I’ve never used that! I but I will if they continue to send me junk

[mdsimon2]

After directly reporting spam to AWS for over a year and getting nothing but a canned reply and more spam from them, I opened a case with the BBB.  Not only did spam nearly completely stop shortly thereafter, I received a human response from an "investigator" on Amazon's team telling me that they will find out where they dropped the ball and correct the problem.  I suggest others' file an online complaint with the BBB.

Edited February 7, 2020 by mdsimon2

[gnarlymarley]

7 hours ago, mdsimon2 said:

I opened a case with the BBB.  Not only did spam nearly completely stop shortly thereafter, I received a human response from an "investigator" on Amazon's team telling me that they will find out where they dropped the ball and correct the problem.  I suggest others' file an online complaint with the BBB.

Hopefully, this keeps working out for you.  The last BBB case I opened, the provider just laughed at me and the BBB didn't do anything about it.

[Keats]

I got this response from Amazon on one of the reports I sent:

"We've determined that an Amazon EC2 instance was running at the IP address you provided in your abuse report. We have reached out to our customer to determine the nature and cause of this activity or content in your report"

So, they've basically asked the spammer if he's spamming. I'm sure he'll give them a scrupulously honest answer...

 

 

 

Edited February 9, 2020 by Keats
left a word out!

[Hanco]

2 minutes ago, Keats said:

I got this response from Amazon on one of the reports I sent:

"We've determined that an Amazon EC2 instance was running at the IP address you provided in your abuse report. We have reached out to our customer to determine the nature and cause of this activity or content in your report"

So, they've basically asked the spammer if he's spamming. I'm sure he'll give them a scrupulously honest answer...

 

 

 

They’ve done that before. It didn’t stop their customer continuing to spew out endless repetitive emails multiple times a day with links to new Namecheap sold domain names for sites that have no purpose except to provide redirect mechanisms to the scam sites the “affiliate spammer” exists to drive traffic to (NerveRenew, Snow Teeth Whitener, Miracle Erectile Dysfunction Cures, Diet Wonder Pills etc.)

I’m with you. This scumbag email abuser will say whatever they want and the flow of emails from Amazon IPs will continue (with links to Zupimages, Bit.ly, Imgur, etc.)

And the unsubscribe links will continue to be to random (mostly Namecheap domains, and sometimes to actual “mailto” actual email addresses, with many being to domains that don’t even have an MX running at them)

In short, useless of Amazon to claim they are doing anything. They are in bed with the Namecheap customer.

[gnarlymarley]

1 hour ago, Keats said:

We have reached out to our customer to determine the nature and cause of this activity or content in your report"

I have not got that.  Mine has only said "This is a follow up regarding the abusive content or activity report that you submitted to AWS. We have investigated this report, and have taken steps to mitigate the reported abusive content or activity."  Which I wonder if they are taking down the correct customer or are just sending a stock reply.

55 minutes ago, Hanco said:

They’ve done that before. It didn’t stop their customer continuing to spew out endless repetitive emails multiple times a day with

I am not sure amazon is doing anything on this or else maybe the spammers themselves are running support.

56 minutes ago, Hanco said:

In short, useless of Amazon to claim they are doing anything.

Amen.

[HasJuggled7]

I probably should have posted something about Spamazon in the July/August timeframe after a mistake I made when preparing to send a report. I fat fingered the mouse and an empty message went to Spamazon (ec2-abuse@amazon.com). The bane of my existence at that time was Parsec Cloud (and still is - keep reading - I get *very* little spam from any other sources) as at times I was receiving their garbage every other hour on weekends (all weekend).  I received the standard response as an initial response almost immediately after I accidentally clicked [send]:

blah-blah-blah "We've determined that an Amazon EC2 instance was running at the IP address you provided" yadda-yadda

Obviously an empty message supplied no data so I decided to experiment and just sent "ABCD" in the body and got the same response.

That's when I knew they didn't care IOR didn''t test IOR there was no way to communicate via this mechanism.  But I persisted in my reports so that if they were to ever to claim to give a shred of a care I could demonstrate I'd been doing my part and the fault didn't lie with me not making reports.

I'm not sure what changed but around the end of January I stopped receiving Parsec Cloud spam via Spamazon.  They've now been sending (according to SC) from the following domains:

AlphaInfoNet.com
GyaneshWarComputer.com
MukeshTech.com

to the combined tune of 18 hits in less than the previous 40 hours (the day is young).

WHOIS on the latter two indicate essentially the same name servers & considering they are now spammish domains means they & the name servers don't pass the sniff test.

Cheers.


p

[petzl]

8 hours ago, HasJuggled7 said:

I probably should have posted something about Spamazon in the July/August timeframe after a mistake I made when preparing to send a report. I fat fingered the mouse and an empty message went to Spamazon (ec2-abuse@amazon.com). The bane of my existence at that time was Parsec Cloud (and still is - keep reading - I get *very* little spam from any other sources) as at times I was receiving their garbage every other hour on weekends (all weekend).  I received the standard response as an initial response almost immediately after I accidentally clicked [send]:
 

I always forward my Amazon spam to abuse [AT] amazon [DOT] com which now has stopped from amazon 
spammer has moved to India
https://www.spamcop.net/sc?id=z6614613333z33924b4aa692bdb379203b970853f7efz
Creep is using a number of Indian IP's but same fingerprint as Amazon spam
"contact[AT]gyaneshwarcomputer[DOT]com"  "abuse[AT]alphainfonet[DOT]com"  "admin[AT]mukeshtech[DOT]com"
 

[HasJuggled7]

I've filed a SpamCop report for each instance.  After a few dozen repeats from them this weekI am wondering if they might have found bulletproof hosts.

[petzl]

6 hours ago, HasJuggled7 said:

I've filed a SpamCop report for each instance.  After a few dozen repeats from them this weekI am wondering if they might have found bulletproof hosts.

Sometimes SpamCop reports re ignored!
These creeps I report directly from the email account they attack