Spamcop report response

[jev]

Just got the following from a report I sent out. Supposedly, the ticket was open for only about 1.25 hours before resolution.

The server in question was hosting a user that unfortunately had an old formmail scri_pt that was exploited by a formmail attack. The scripts have been removed, the IP's blocked from the server and a filter has been put in place to drop these messages in the future. Thank you for notifying us of this problem.

It's nice getting these. Not only a response on what happened, but how they cleaned up, and an actual thanks on helping to point out the problem. If this is genuine (and I have no reason to suspect otherwise, I wish more companies were like this.

-JEV

[Merlyn]

What was the IP???

[jev]

What was the IP???

Looks like the IP was 64.91.241.115. The tracking URL looks to be http://www.spamcop.net/sc?id=z673911137zd1...971da3351078d6z.

Sorry for the lag in response (it's been a busy day) and not including that info in the first place (no real excuse for that ).

-JEV

[keythumper]

Looks like the IP was 64.91.241.115.  The tracking URL looks to be http://www.spamcop.net/sc?id=z673911137zd1...971da3351078d6z.

Sorry for the lag in response (it's been a busy day) and not including that info in the first place (no real excuse for that ).

-JEV

17668[/snapback]

I'm also far behind in my abuse tasks. I think the abuse desk for liquidweb.com should be noticed:

Parsing input: 64.91.241.115

host 64.91.241.115 = underworld.liquidweb.com. (cached)

Reporting addresses:

abuse[at]liquidweb.com

Well done!

[dra007]

Well, it looks like even our famous kornet may eventually take some action:

This is Kornet Abuse Operating Center.

In response of your request, we inform you that Kornet has solved the problem of suspicious activity from our network.

we informed our customer of his illegal activity and requested to fixing a this problem.

In future if it will try again, we will not service to this customer from our network.

Related IP : 222.121.81.249

If you have any further question,

please contact us kams-3522956-1-rep[at]abuse.kornet.net or http://abuse.kornet.net/

Thank you.

[agsteele]

It's nice getting these.  Not only a response on what happened, but how they cleaned up, and an actual thanks on helping to point out the problem.  If this is genuine (and I have no reason to suspect otherwise, I wish more companies were like this.

We always acknowledge reports for the domains we manage. I consider it a common courtesy to let a reporter know what is happening.

Thankfully, our customers don't spam - or at least any that do are quickly dealt with. The reports we receive are therefore few and far between and invariably innocent bystander type reports where a spammer has taken a domain and included it within their Email to tie up the rporting processes.

So it isn't a major effort to acknowledge and thank for the reports we receive. I can imagine, though, that a large ISP hosting many domains might find the task rather overwhelming

Andrew

[dra007]

PS. Can someone correct <<resonce>> in the title of this thread?

PS2. Thanks Wazoo for the prompt action!

[jev]

PS. Can someone correct <<resonce>> in the title of this thread?

PS2. Thanks Wazoo for the prompt action! 

17825[/snapback]

Eh, like I said, it was a busy day. (And right before vacation -- just got back! ) Normally I'm a bit better on the spell checking though...

Add another thanks for the spelling correction.

-JEV

[btech]

Well, it looks like even our famous kornet may eventually take some action:

17818[/snapback]

wow... that's something I never thought I'd see. I wonder if we'll be seeing more of these.

[Farelf]

wow... that's something I never thought I'd see. I wonder if we'll be seeing more of these.

Well, nearly - a mere 2 years later, it was addressed to me but seems to be directed to a spamvertizer(?) and I didn't send this particular complaint to Kornet in the first place, as far as I can tell (I have sent manual reports to them but none with these particular referrents). Maybe they're just telling me it is not a valid complaint, but they tried (the Korean text could be interpreted that way, going by BabelFish). Well, I didn't make the complaint anyway.

From: kams-15-20060901157640-1-rep[at]abusemail.kornet.net

Subject: 민원 반송 처리 메일

[picture]

내용이 불충분하여 반송 처리되었습니다.

http://abuse.kornet.net으로 접속하시면 웹으로 신고하실 수 있습니다.

원문 : Dear ISP

This is an unwanted email from IP: 125.133.28.59

Please take appropriate actions to stop it.

If this mail is a legal newsletter ,

please help to remove the recipient from your mailing list .

If this spam report has any problem , please DO NOT reply directly , and

use this page to tell us

http://www.softworking.com/isp.asp?spammail=3085490

Thanks

Best Regards,

AntiSpam Team in Taiwan - softworking

http://www.softworking.com

The information below should be all you need.

X-POP3-Rcpt: backup[at]leadcorp.com.tw

Received: from 64.176.16.106 ([125.133.28.59])

by host102.apollohosting.com (8.12.11.20060614/8.13.6) with SMTP id k7RAw4jQ024036

for ; Sun, 27 Aug 2006 06:58:15 -0400

Message-Id: <200608271058.k7RAw4jQ024036[at]host102.apollohosting.com>

From: "¸¨??¤F¡I"

Subject: ²{?b°_¡A§A?i?H¨M?w??¤vªº??¤J,,??¿?¾???¤vªº¤u§[at]??¶¡?a?I.........................?uªº???²³æ

Date: Sun, 27 Aug 2006 18:58:07 +0800

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="--=====309474679586062=_"

----=====309474679586062=_

Content-Type: text/html;

Content-Transfer-Encoding: quoted-printable

=B8=A8=A5=EE=A4F=A1I

[lots of whitespace]

3300">=A6p=AAG=C1=D9=B5L=AAk=A6b=BA=F4=B8=F4=A4W=C1=C8=BF=FA=A1I=B4N=B8=A8=

=A5=EE=A4F=A1I=A4=E8=AAk=AFu=AA=BA=AB=DC=C2=B2=B3=E6

[=3D"http://xpoo.idv.tw/008"]

[whitespace]

----=====309474679586062=_--

[picture]

Anyway, it is not so nice to invite listwashing instead of taking the big stick to the perpetrators (I would like to see their foetid remains strewn in pliable strands over several acres of the mosses and brackens of the tundra, but that's just me). Maybe "legal newsletters" just means complaint from valid but forgetful subscribers. They munge when they provide enough detail to stipulate the sender anyway (msg ID) which seems a little strange. Or maybe it was (poorly) munged before they got it.