
Recipient address rejected: User unknown in relay recipient table


MIG

I'm guessing that when the spam report was originally sent by the Tracking URL above the report was sent to onyschenko_pb{AT}techcom{DOT}kiev{DOT}ua (Today it would have gone to abuse{AT}pcn{DOT}com{DOT}ua)

However, on the way to kiev{DOT}ua,  relay6...ru realized that the spam report was coming from SpamCop or maybe saw the word "spam" and rejected the message sending a bounce message back to SpamCop.

When the bounce message got back to SpamCop they looked at your < Report reply handling > preferences and forwarded the bounce to you as the spam reporter.

It has been a while since I have received a reply to a spam report, but if you look at the header you should (if I am right) see that the message came from or through SpamCop, not from relay6.hosting.reg.ru

If any of this is correct, " Forward replies from people and robots " option is selected on preferences tab.

The spam report bounce may be the reason that the report would now be sent to a different ISP, or the change could be just a normal update.


2 hours ago, Lking said:

I'm guessing that when the spam report was originally sent by the Tracking URL above the report was sent to onyschenko_pb{AT}techcom{DOT}kiev{DOT}ua (Today it would have gone to abuse{AT}pcn{DOT}com{DOT}ua)

However, on the way to kiev{DOT}ua,  relay6...ru realized that the spam report was coming from SpamCop or maybe saw the word "spam" and rejected the message sending a bounce message back to SpamCop.

When the bounce message got back to SpamCop they looked at your < Report reply handling > preferences and forwarded the bounce to you as the spam reporter.

It has been a while since I have received a reply to a spam report, but if you look at the header you should (if I am right) see that the message came from or through SpamCop, not from relay6.hosting.reg.ru

If any of this is correct, " Forward replies from people and robots " option is selected on preferences tab.

The spam report bounce may be the reason that the report would now be sent to a different ISP, or the change could be just a normal update.

Hey Lking,

Thank you, grass🦗hopper is grateful.

A clarification ( it was parsed today 19/02/19 09:11), I've run it thru the parser again, now get same as you, abuse{AT}pcn{DOT}com{DOT}ua 😕, 'n, https://www.spamcop.net/mcgi?action=showadvanced, I don't have:

" Forward replies from people and robots" option selected. My selection is: Forward only replies from sentient people & 🦗s.

And a question please: 194.5.250.154 results in "No reporting addresses found for 194.5.250.154, using devnull for tracking"

yet I get: zergrushsrlATgmailDOTcom

& 

https://www.spamcop.net/sc?id=z6522763509z82aa2f32b8442c89e1e1df44dd3983f9z

194.5.250.154 / zergrushsrlATgmailDOTcom again, grass🦗hopper confused, why is it so 🤔?

Cheers.

 

 

 

 

Edited by MIG

20 hours ago, MIG said:

And a question please: 194.5.250.154 results in "No reporting addresses found for 194.5.250.154, using devnull for tracking"

yet I get: zergrushsrlATgmailDOTcom

The parser is a black box for security reasons mostly.  When you get a "No reporting address" routing refresh the page once or twice (buffering can be an issue).  Sometimes a refresh will update the addressing to a better address.


4 hours ago, Lking said:

 refresh will update the addressing to a better address.

grass🦗hopper did Master but grass🦗hopper got 6+ with zergrushsrlATgmailDOTcom, then I reach out on SCF & no more. Have you ever met a paranoid grass🦗hopper 👁️‍🗨️?

Edited by MIG

1 hour ago, MIG said:

grass🦗hopper did Master but grass🦗hopper got 6+ with zergrushsrlATgmailDOTcom, then I reach out on SCF & no more. Have you ever met a paranoid grass🦗hopper 👁️‍🗨️?

This is a redirect to a porno site

Find the IP of that site and report it the following reply usually gets it taken down.
Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS

>


11 minutes ago, petzl said:

This is a redirect to a porno site

Find the IP of that site and report it the following reply usually gets it taken down.
Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS

>

Thanks for the scri_pt Petzl. 

[Porn site] that's why grass🦗hopper is so peeved!

Re [find the IP of that site] does that mean I have to go to that site? Rather not 🤬

Why does everybody write scri_pt as scriunderscorept?

Thanks in advance. 

grass🦗hopper

 

 

Edited by MIG

2 hours ago, MIG said:

Re [find the IP of that site] does that mean I have to go to that site? Rather not 🤬

I use a windows program which is sort of free they no longer sell the program
http://www.netdemon.net/

Text browser shows the IP and the redirect sites the destination site is run by
Needs working out by copy/pasting sites it forwards to and searching with new page.
The end site is this one 
52.30.84.167 blackhats abuse[AT]amazonaws.com 
My "scri_pt" is accurate enforced in USA so they would/should worry

Edited by petzl

6 hours ago, RobiBue said:

the SC forum software inserts the underscore to prevent spammers/scammers/hackers to run <java s c r i p t> either remotely or locally on the servers or the hosts.

it's a security feature ;)

Oh! Therefore SCF-sw more evolved than grass🦗hopper,

grass🦗hopper shattered!

🤣

 


Hey Petzl, 

Re [http://www.netdemon.net/ "which is sort of free they no longer sell the program"], are you saying the component of netdemon (you use) to do [copy/pasting sites it forwards to and searching with new page] to get [IP and the redirect sites the destination site is run by] is not available on http://www.netdemon.net/ or via a registered netdemon account?

 

Cheers.

Edited by MIG

7 hours ago, MIG said:

are you saying the component of netdemon (you use)

Mine is not registered (lost my registration) works well, but you need to work it out which is not hard.
If a site redirects to another, netdemon  show you the site it redirects to, this requires another "netdemon window" to go to that site,
which will include the reportable IP  of that redirected site. you can open many "panes" in netdemon 


23 minutes ago, petzl said:

Mine is not registered (lost my registration) works well, but you need to work it out which is not hard.
If a site redirects to another, netdemon  show you the site it redirects to, this requires another "netdemon window" to go to that site,
which will include the reportable IP  of that redirected site. you can open many "panes" in netdemon 

Hey Petzl, 

Thank you. I entered the url into netdaemon, the resulting links were:

 Protocol:  http
     Host:  rrnntqutxtf.charlie-washington.info
     Path:  /
    Input:  ?eid=bWlnYWwwMEBob3RtYWlsLmNvbXwzMDcxNjM

--- Decoded URL:   [web-sniffer] - redirects to "This site can’t be reached"

http://rrnntqutxtf.charlie-washington.info/ -  The actual porn site - no way, no how.

Search newsgroups: charlie-washington.info - "This site can’t be reached"

OpenRBL Lookup:    rrnntqutxtf.charlie-washington.info http://openrbl.org/?i=rrnntqutxtf.charlie-washington.info&b= 

Query IP-Address 209.237.238.224 (UNRESOLVED)

  • IP-Address:
  • Host-Name: WARNING: Reverse-DNS missing

209.237.238.224 > Unitedlayer 🤔

Search ROKSO: charlie-washington.info > [Spamhaus][Error 404 - File not found]

Whois: rrnntqutxtf.charlie-washington.info > [http://www.geektools.com/cgi-bin/proxy.cgi?query=rrnntqutxtf.charlie-washington.info&targetnic=auto] but where to from here?

Traceroute to: rrnntqutxtf.charlie-washington.info > [http://www.opus1.com/htbin/traceroute?debug=NO&query=rrnntqutxtf.charlie-washington.info][Object not found! The requested URL was not found on the Opus One server]

Would you mind chking [ https://www.spamcop.net/sc?id=z6523578908zcac6aea9fd1baba2a0870f1bd3f87baez  ] very curious to know what you get?

Re [netdemon shows the site it redirects to] ? Netdaemon shows all of the above, unless it's a state secret, please share.

Re [you need to work it out which is not hard] Try being a grass🦗hopper 😂

Cheers!

 

 

 

Edited by MIG

1 hour ago, MIG said:

Hey Petzl,

Thank you. I entered the url into netdaemon, the resulting links were:

 

I get 139.60.161.75  abuse[AT]hostkey.us bounces/bitbin try SALES[AT]HOSTKEY.COM
First URL
--- 02/22/19 05:27:49 AUS Eastern Daylight Time
--- reading URL http://rrnntqutxtf.charlie-washington.infx/?eid=bWlnYWwwMEBob3RtYWlsLmNvbXwzMDcxNjM
--- contacting host rrnntqutxtf.charlie-washington.info [139.60.161.75] on port 80

HTTP/1.1 302 Found
Server: nginx/1.10.2
Date: Thu, 21 Feb 2019 18:21:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Powered-By: PHP/5.3.3
Location: http://www.geoearnings.cxm/lgtrack/OTcuMTY?email=bWlnYWwwMEBob3RtYWlsLmNvbQ%3D%3D


--- connection closed
THEN URL http://www.geoearnings.cxm/ gives me another redirection 52.71.44.153  abuse@amazonaws.com USA - Washington

Final redirection https://www.localflirtbuddies.cxm      52.48.235.139  abuse[AT]amazonaws.com Ireland

get Cert address from here
https://www.first.org/members/teams/

include

 

Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS

>

amazonaws.com send your complaints to spammer,
These are the  Cybercriminals amazon are contacting in this case
"Thank you for submitting your abuse report. We have begun our investigation into the source of the activity or content you reported.
We've determined that an Amazon EC2 instance was running at the IP address you provided in your abuse report. We have reached out to our customer to determine the nature and cause of this activity or content in your report."

 

Edited by petzl
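
The redirect trace posted above can be read without visiting any of the sites. The following is an added example, not code from the thread or from NetDemon: it walks saved raw HTTP responses offline, lists each hop's host, and flags query parameters whose base64 value decodes to an e-mail address, which is how links like `?eid=...` and `?email=...` identify the recipient who opens them. All hosts, addresses and function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl, urljoin, urlsplit

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")

def b64_text(value):
    """Decode value as URL-safe base64 ASCII text; None if it is not."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.urlsafe_b64decode(padded).decode("ascii")
    except ValueError:  # bad base64 or non-ASCII bytes
        return None

def tracking_params(url):
    """Query parameters whose decoded value contains an e-mail address."""
    decoded = {k: b64_text(v) for k, v in parse_qsl(urlsplit(url).query)}
    return {k: t for k, t in decoded.items() if t and EMAIL_RE.search(t)}

def next_hop(url, raw_response):
    """Redirect target named by a captured raw HTTP response, else None."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    if int(head[0].split()[1]) not in (301, 302, 303, 307, 308):
        return None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return urljoin(url, value.strip())
    return None

def trace(start_url, captures, max_hops=10):
    """Walk saved responses (url -> raw text) with no network access."""
    chain, url = [], start_url
    while url and len(chain) < max_hops:
        chain.append((urlsplit(url).hostname, tracking_params(url)))
        url = next_hop(url, captures[url]) if url in captures else None
    return chain

# Constructed sample data; hosts and addresses are placeholders, not the thread's.
def _b64(text):
    return base64.urlsafe_b64encode(text.encode()).decode().replace("=", "%3D")

START = "http://landing.example/?eid=" + _b64("reader@example.org|12345")
HOP2 = "http://tracker.example/lgtrack/x?email=" + _b64("reader1@example.org")
CAPTURES = {
    START: f"HTTP/1.1 302 Found\r\nContent-Length: 0\r\nLocation: {HOP2}\r\n\r\n",
    HOP2: "HTTP/1.1 302 Found\r\nLocation: https://final.example/\r\n\r\n",
    "https://final.example/": "HTTP/1.1 200 OK\r\n\r\n<html></html>",
}
CHAIN = trace(START, CAPTURES)
```

Each host in the returned chain is a separate candidate for an abuse report, and any hop with a non-empty tracking entry confirms the recipient address to the sender when fetched.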

31 minutes ago, petzl said:

I get 139.60.161.75  abuse[AT]hostkey.us bounces/bitbin try SALES[AT]HOSTKEY.COM
First URL
--- 02/22/19 05:27:49 AUS Eastern Daylight Time
--- reading URL http://rrnntqutxtf.charlie-washington.infx/?eid=bWlnYWwwMEBob3RtYWlsLmNvbXwzMDcxNjM
--- contacting host rrnntqutxtf.charlie-washington.info [139.60.161.75] on port 80

HTTP/1.1 302 Found
Server: nginx/1.10.2
Date: Thu, 21 Feb 2019 18:21:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Powered-By: PHP/5.3.3
Location: http://www.geoearnings.cxm/lgtrack/OTcuMTY?email=bWlnYWwwMEBob3RtYWlsLmNvbQ%3D%3D

--- connection closed
THEN URL http://www.geoearnings.cxm/ gives me another redirection 52.71.44.153  abuse@amazonaws.com USA - Washington

Final redirection https://www.localflirtbuddies.cxm      52.48.235.139  abuse[AT]amazonaws.com Ireland
get Cert address from here
https://www.first.org/members/teams/
 

Hey Petzl,

Thank you.

The bit I don't understand is why SC parser doesn't also drag up amazonaws?

I do always report to Amazonaws when I know they're in the loop, I was relying on SC to detect... They've always been very responsive to every report I forwarded. 

Now with your advice it seems as if I'll have to do additional interrogation to find any buried related sources.

I'm happy to do the extra digging, just wish I'd known it was necessary. 

The last 30+-  have all had hostkey,  was starting to get po'd; happy now I can do something extra.

Cheers!

grass🦗hopper


6 minutes ago, MIG said:

The bit I don't understand is why SC parser doesn't also drag up amazonaws?

SC just looks at the link provided; the link in this case is a redirect link with an abuse address that bounces.
Try to be better than SpamCop if you have the time
In the case of porn spammers send to the CERT of that country as well.

Edited by petzl

39 minutes ago, petzl said:

SC just looks at the link provided; the link in this case is a redirect link with an abuse address that bounces.
Try to be better than SpamCop if you have the time
In the case of porn spammers send to the CERT of that country as well.

SC, I see! Thanks. 

Time, I always have the time if it means pulverising a spammer. Even if they do mutate like ebola.

CERT of that country, cool, I did not know that. Thank you!

If you don't mind please chk [ https://www.spamcop.net/sc?id=z6523510515zc7e28a23652bcebaa6a110ff76938540z ] I'd like to make sure I understand your methodology please.

Cheers!

 

Edited by MIG

21 minutes ago, MIG said:

understand your methodology please

just get the bogus abuse email address right "granatnetou[AT]gmail.com" Ukraine bogus address
https://www.first.org/members/teams/cert-ua

 URL abuse[AT]hostkey.us bounce try sales
https://www.us-cert.gov


 

 


On 2/22/2019 at 7:48 AM, petzl said:

just get the bogus abuse email address right "granatnetou[AT]gmail.com" Ukraine bogus address
https://www.first.org/members/teams/cert-ua

 URL abuse[AT]hostkey.us bounce try sales
https://www.us-cert.gov

 

[hostkey.us]sales I got that, I'm trying to understand NetDemon in relation to your posts.

Cheers.

Edited by MIG

20 minutes ago, MIG said:

[hostkey.us]sales I got that, I'm trying to understand NetDaemon in relation to your posts.

netdemon offers a safe txt browser.
I use this to get IP's of URL's
I get spammed by Russian crime gang and not keen on clicking link.
They sometimes try to download ransomware to your computer.

Edited by petzl
Link to comment
Share on other sites

On 2/22/2019 at 8:13 AM, petzl said:

netdemon offers a safe txt browser.
I use this to get IP's of URL's
I get spammed by Russian crime gang and not keen on clicking link.
They sometimes try to download ransomware to your computer.

Hey Petzl, 

grass🦗hopper prefers VirusTotal, same results without the dead links.

Cheers.

Edited by MIG

6 hours ago, MIG said:

Hey Petzl, 

grass🦗hopper prefers VirusTotal, same results without the dead links.

Cheers.

Netdemon gives the IP address.
Just tried it yes it works well thanks

https://www.virustotal.com/#/url/87a1133f47025b43f18b4af7431bc40fb324c2ca6ff58f922e98ea7093ce8d3e/detection

Edited by petzl
