
No reporting addresses found for 103.1.12.91, using devnull for tracking.


Steve

https://www.spamcop.net/sc?id=z6519956282z3287af6539a13394828b32aaa4e4b1a7z

Tracking message source: 103.1.12.91:

Routing details for 103.1.12.91
[refresh/show] Cached whois for 103.1.12.91 : iptech@readyspace.com.sg
info@readyspace.com.hk bounces (31 sent : 16 bounces)
Using best contacts

No reporting addresses found for 103.1.12.91, using devnull for tracking.

Message is X hours old
103.1.12.91 not listed in cbl.abuseat.org
103.1.12.91 not listed in dnsbl.sorbs.net
103.1.12.91 not listed in accredit.habeas.com
103.1.12.91 not listed in plus.bondedsender.org
103.1.12.91 not listed in iadb.isipp.com

I have tried refreshing the page with no change in result. I went ahead and manually reported the spam to the ISP. 


👍sounds good, would have sent it to both addresses myself :)

I do get these spams with the fake Received line "s.okazik.pl" a lot. Looks like whoever wrote the spamming software is using it as something like a signature, as lots of fake "unsubscribe me" and "you have been successfully subscribed" spam contains that line.


3 hours ago, Steve said:

NETWORK OWNER  
103.1.12.91 email server - compromised email account - change password
Warning - Does not support TLS.
cs[AT]readyspace.com.hk

Not stamping the received IP; the spammer is adding this to the headers:
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)  

Edited by petzl

18 hours ago, petzl said:

Not stamping the received IP; the spammer is adding this to the headers:
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)  

Sorry, could you explain what you mean here? Other language maybe? Deutsch? Español? Italiano? Français? Português?

I know that the spammer is placing this there, or at least the software he uses. That's why I said that whoever wrote the spammer's software is using it as some kind of signature, maybe to see how many different spammers are using his software...


5 hours ago, RobiBue said:

Sorry, could you explain what you mean here? Other language maybe? Deutsch? Español? Italiano? Français? Português?

I know that the spammer is placing this there, or at least the software he uses. That's why I said that whoever wrote the spammer's software is using it as some kind of signature, maybe to see how many different spammers are using his software...

The email server (probably infected) is not stamping a Received line. Instead it's stamping:
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)


On 2/10/2019 at 6:59 PM, petzl said:

The email server (probably infected) is not stamping a Received line. Instead it's stamping:
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)

Hehe :) I noticed, on Google Maps, that okazik.pl is a fully "blacked-out" 24h internet c@fe in a Polish city called Poznań, right between Berlin and Warsaw...

Might even be the home of the original developer of the spamming malware...


20 minutes ago, RobiBue said:

Hehe :) I noticed, on Google Maps, that okazik.pl is a fully "blacked-out" 24h internet c@fe in a Polish city called Poznań, right between Berlin and Warsaw...

Might even be the home of the original developer of the spamming malware...

I get the IP 216.244.76.116 located in the USA:
https://www.talosintelligence.com/reputation_center/lookup?search=216.244.76.116

Most likely an infected/compromised server.

Edited by petzl

1 hour ago, petzl said:

I get the IP 216.244.76.116 located in the USA:
https://www.talosintelligence.com/reputation_center/lookup?search=216.244.76.116

Most likely an infected/compromised server.

Yeah, that's why I'm saying: I believe that injected Received line acts somewhat as a signature placed there by the designer of the malware...

That IP might, at one time, have been assigned there... I don't know if there is a historical IP database available ;)

But I understand now what you meant. Thanks.


2 hours ago, RobiBue said:

Yeah, that's why I'm saying: I believe that injected Received line acts somewhat as a signature placed there by the designer of the malware...

That IP might, at one time, have been assigned there... I don't know if there is a historical IP database available ;)

But I understand now what you meant. Thanks.

Reporting the IP address results in this address coming up: abuse@wowrack.com

I have tried reporting this IP address several times last year, and a few times an employee said they would "null-route" the IP address. But it still shows up in spam.


15 minutes ago, Steve said:

Reporting the IP address results in this address coming up: abuse@wowrack.com

I have tried reporting this IP address several times last year, and a few times an employee said they would "null-route" the IP address. But it still shows up in spam.

Just checked: 216.244.76.116 is now "not a routeable IP address".

Edited by petzl

FYI, reporting that specific address (the one given in the "obviously" fake s.okazik.pl Received header) is pointless and makes no sense.

All it is is a fake header line injected by the spammer or by the spammer's software.

The actual Received: header line is:

Received: from fervently.site (fervently.site. [103.1.12.91])
        by mx.google.com with ESMTP id c16si308648pgh.545.2019.02.09.06.43.54
        for <x>;
        Sat, 09 Feb 2019 06:43:54 -0800 (PST)
Received-SPF: temperror (google.com: error in processing during lookup of return@asciidic.com: DNS error) client-ip=103.1.12.91;
Authentication-Results: mx.google.com;
       spf=temperror (google.com: error in processing during lookup of return@asciidic.com: DNS error) smtp.mailfrom=return@asciidic.com

But as you can see, even Google Mail sees a DNS problem with that IP address.

Everything below these headers in the original spam is injected by the spammer's software.
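The point made in the two posts above (petzl's "not stamping a Received line" and RobiBue's "everything below these headers is injected") is the rule for reading any Received chain: the only hop you can trust is the one your own MX wrote, and its client IP is the one to report; every Received line below it arrived inside the SMTP DATA from the sending machine and can say anything. The following Python is an added example, not code from the thread or from SpamCop. It walks the chain top-down, stops at the first hop stamped by a trusted MX, and flags the lines beneath it; a hop with no "by" clause, like the s.okazik.pl line, is additionally flagged because a relaying MTA always records itself. The sample headers are constructed from the ones quoted in the thread (the Received-SPF line is shortened), and TRUSTED_MX is an assumed list of the MX host names you operate.

```python
import email
import re

# Constructed sample modelled on the headers quoted in the thread (the
# Received-SPF line is shortened). The top Received line was written by the
# receiving MX, mx.google.com; the one below it has no "by" clause and is
# the line the spammer's software injected.
SAMPLE = """\
Received: from fervently.site (fervently.site. [103.1.12.91])
        by mx.google.com with ESMTP id c16si308648pgh.545.2019.02.09.06.43.54
        for <x>;
        Sat, 09 Feb 2019 06:43:54 -0800 (PST)
Received-SPF: temperror (google.com: error in processing during lookup of return@asciidic.com: DNS error) client-ip=103.1.12.91;
Received: from s.okazik.pl (s.okazik.pl. 216.244.76.116)
From: "Subscriptions" <return@asciidic.com>
Subject: You have been successfully subscribed

(constructed body)
"""

# Assumption: the MX host names you operate. Only a Received line whose
# "by" clause names one of these was written by a machine you control.
TRUSTED_MX = {"mx.google.com"}

FROM_RE = re.compile(r"\bfrom\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SPF_RE = re.compile(r"^(?P<result>[a-z]+)\b.*?client-ip=(?P<ip>[\d.]+)", re.I)


def parse_received(value):
    """Pull the HELO name, the observed client IP and the 'by' host out of one Received line."""
    value = " ".join(value.split())            # unfold continuation lines
    m = FROM_RE.search(value)
    by = BY_RE.search(value)
    paren = (m.group("paren") or "") if m else ""
    ip = IP_RE.search(paren)                   # IP as recorded by the receiving MTA, not the HELO
    return {
        "helo": m.group("helo") if m else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group("by") if by else None,
    }


def classify_hops(raw):
    """Walk Received lines top-down (newest first). The hop stamped by our own MX
    is trustworthy; every hop below it came in with the message and may be forged."""
    msg = email.message_from_string(raw)
    hops, seen_trusted = [], False
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if not seen_trusted and hop["by"] and hop["by"].lower() in TRUSTED_MX:
            hop["status"] = "trusted"
            seen_trusted = True
        elif not seen_trusted:
            hop["status"] = "unknown"          # above our MX: an internal relay or a forwarder
        else:
            hop["status"] = "unverified"       # below our MX: supplied by the sender
        hop["flags"] = []
        if hop["by"] is None:
            hop["flags"].append("no 'by' clause; not written by a relaying MTA")
        hops.append(hop)
    return hops


def source_ip(raw):
    """The IP worth reporting: the client our own MX saw, never anything below it."""
    for hop in classify_hops(raw):
        if hop["status"] == "trusted":
            return hop["ip"]
    return None


def spf_result(raw):
    """(result, client-ip) from our MX's Received-SPF header, if present."""
    value = email.message_from_string(raw).get("Received-SPF")
    if value is None:
        return None
    m = SPF_RE.search(" ".join(value.split()))
    return (m.group("result").lower(), m.group("ip")) if m else None


if __name__ == "__main__":
    for hop in classify_hops(SAMPLE):
        print(hop["status"], hop["helo"], hop["ip"], hop["by"], hop["flags"])
    print("report:", source_ip(SAMPLE), "spf:", spf_result(SAMPLE))
```

On the sample this returns 103.1.12.91 as the address to report and marks the s.okazik.pl hop as unverified with a missing "by" clause; the SPF temperror is tied to that same 103.1.12.91 client, which is the DNS problem Google's MX recorded. Real mail can carry more than one trusted hop (an inbound MX handing off to an internal relay), so in production TRUSTED_MX should list every host in your own delivery path and the first trusted hop counted from the bottom of that set is the edge.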

