MIG Posted February 19, 2019

https://www.spamcop.net/sc?id=z6522591850zc2a3621e8fc8ca206a98e22ebd112769z

relay6.hosting.reg.ru rejected your message to the following email addresses: onyschenko_pbATtechcomDOTkievDOTua

Anyone care to share some sage wisdom with grass🦗hopper please?

Cheers.

Lking Posted February 19, 2019

I'm guessing that when the spam report was originally sent by the Tracking URL above, the report was sent to onyschenko_pb{AT}techcom{DOT}kiev{DOT}ua (Today it would have gone to abuse{AT}pcn{DOT}com{DOT}ua)

However, on the way to kiev{DOT}ua, relay6...ru realized that the spam report was coming from SpamCop or maybe saw the word "spam" and rejected the message, sending a bounce message back to SpamCop.

When the bounce message got back to SpamCop they looked at your < Report reply handling > preferences and forwarded the bounce to you as the spam reporter.

It has been a while since I have received a reply to a spam report, but if you look at the header you should (if I am right) see that the message came from or through SpamCop, not from relay6.hosting.reg.ru

If any of this is correct, the "Forward replies from people and robots" option is selected on the preferences tab.

The spam report bounce may be the reason that the report would now be sent to a different ISP, or the change could be just a normal update.

MIG Posted February 19, 2019

2 hours ago, Lking said:

> I'm guessing that when the spam report was originally sent by the Tracking URL above, the report was sent to onyschenko_pb{AT}techcom{DOT}kiev{DOT}ua (Today it would have gone to abuse{AT}pcn{DOT}com{DOT}ua)
>
> However, on the way to kiev{DOT}ua, relay6...ru realized that the spam report was coming from SpamCop or maybe saw the word "spam" and rejected the message, sending a bounce message back to SpamCop.
>
> When the bounce message got back to SpamCop they looked at your < Report reply handling > preferences and forwarded the bounce to you as the spam reporter.
>
> It has been a while since I have received a reply to a spam report, but if you look at the header you should (if I am right) see that the message came from or through SpamCop, not from relay6.hosting.reg.ru
>
> If any of this is correct, the "Forward replies from people and robots" option is selected on the preferences tab.
>
> The spam report bounce may be the reason that the report would now be sent to a different ISP, or the change could be just a normal update.

Hey Lking,

Thank you, grass🦗hopper is grateful.

A clarification (it was parsed today 19/02/19 09:11), I've run it thru the parser again, now get same as you, abuse{AT}pcn{DOT}com{DOT}ua 😕, 'n, https://www.spamcop.net/mcgi?action=showadvanced, I don't have the "Forward replies from people and robots" option selected. My selection is: Forward only replies from sentient people & 🦗s.

And a question please: 194.5.250.154 results in "No reporting addresses found for 194.5.250.154, using devnull for tracking" yet I get: zergrushsrlATgmailDOTcom & https://www.spamcop.net/sc?id=z6522763509z82aa2f32b8442c89e1e1df44dd3983f9z 194.5.250.154 / zergrushsrlATgmailDOTcom again, grass🦗hopper confused, why is it so🤔?

Cheers.

Lking Posted February 20, 2019

20 hours ago, MIG said:

> And a question please: 194.5.250.154 results in "No reporting addresses found for 194.5.250.154, using devnull for tracking" yet I get: zergrushsrlATgmailDOTcom

The parser is a black box for security reasons mostly. When you get a "No reporting address" routing, refresh the page once or twice (buffering can be an issue). Sometimes a refresh will update the addressing to a better address.

MIG Posted February 20, 2019

4 hours ago, Lking said:

> refresh will update the addressing to a better address.

grass🦗hopper did Master but grass🦗hopper got 6+ with zergrushsrlATgmailDOTcom, then I reach out on SCF & no more.

Have you ever met a paranoid grass🦗hopper 👁️🗨️?

petzl Posted February 20, 2019

1 hour ago, MIG said:

> grass🦗hopper did Master but grass🦗hopper got 6+ with zergrushsrlATgmailDOTcom, then I reach out on SCF & no more.
>
> Have you ever met a paranoid grass🦗hopper 👁️🗨️?

This is a redirect to a porno site. Find the IP of that site and report it; the following reply usually gets it taken down.

Child porn spammer pictures under 18 or made to look under 18 NO PROOF OF AGE available! SENT TO MINORS >

MIG Posted February 20, 2019

11 minutes ago, petzl said:

> This is a redirect to a porno site. Find the IP of that site and report it; the following reply usually gets it taken down.
>
> Child porn spammer pictures under 18 or made to look under 18 NO PROOF OF AGE available! SENT TO MINORS >

Thanks for the scri_pt Petzl.

[Porn site] that's why grass🦗hopper is so peeved!

Re [find the IP of that site] does that mean I have to go to that site? Rather not🤬

Why does everybody write scri_pt as scriunderscorept?

Thanks in advance.

grass🦗hopper

petzl Posted February 20, 2019

2 hours ago, MIG said:

> Re [find the IP of that site] does that mean I have to go to that site? Rather not🤬

I use a windows program which is sort of free, they no longer sell the program: http://www.netdemon.net/

Text browser shows the IP and the redirect sites the destination site is run by.

Needs working out by copy/pasting sites it forwards to and searching with new page.

The end site is this one: 52.30.84.167 blackhats abuse[AT]amazonaws.com

My "scri_pt" is accurate, enforced in USA so they would/should worry.

RobiBue Posted February 20, 2019

4 hours ago, MIG said:

> Why does everybody write scri_pt as scriunderscorept?

The SC forum software inserts the underscore to prevent spammers/scammers/hackers from running <java s c r i p t> either remotely or locally on the servers or the hosts.

It's a security feature.

MIG Posted February 20, 2019

6 hours ago, RobiBue said:

> The SC forum software inserts the underscore to prevent spammers/scammers/hackers from running <java s c r i p t> either remotely or locally on the servers or the hosts.
>
> It's a security feature.

Oh! Therefore SCF-sw more evolved than grass🦗hopper, grass🦗hopper shattered! 🤣

MIG Posted February 20, 2019

8 hours ago, petzl said:

> http://www.netdemon.net/

Cool, thanks Petzl😀!

MIG Posted February 21, 2019

Hey Petzl,

Re [http://www.netdemon.net/ "which is sort of free they no longer sell the program"], are you saying the component of netdemon (you use) to do [copy/pasting sites it forwards to and searching with new page] to get [IP and the redirect sites the destination site is run by] is not available on http://www.netdemon.net/ or via a registered netdemon account?

Cheers.

petzl Posted February 21, 2019

7 hours ago, MIG said:

> are you saying the component of netdemon (you use)

Mine is not registered (lost my registration), works well, but you need to work it out, which is not hard.

If a site redirects to another, netdemon shows you the site it redirects to. This requires another "netdemon window" to go to that site, which will include the reportable IP of that redirected site.

You can open many "panes" in netdemon.

MIG Posted February 21, 2019

23 minutes ago, petzl said:

> Mine is not registered (lost my registration), works well, but you need to work it out, which is not hard.
>
> If a site redirects to another, netdemon shows you the site it redirects to. This requires another "netdemon window" to go to that site, which will include the reportable IP of that redirected site.
>
> You can open many "panes" in netdemon.

Hey Petzl,

Thank you. I entered the url into netdaemon, the resulting links were:

Protocol: http
Host: rrnntqutxtf.charlie-washington.info
Path: /
Input: ?eid=bWlnYWwwMEBob3RtYWlsLmNvbXwzMDcxNjM
---
Decoded URL: [web-sniffer] - redirects to "This site can’t be reached"
http://rrnntqutxtf.charlie-washington.info/ - The actual porn site - no way, no how.
Search newsgroups: charlie-washington.info - "This site can’t be reached"
OpenRBL Lookup: rrnntqutxtf.charlie-washington.info http://openrbl.org/?i=rrnntqutxtf.charlie-washington.info&b=
Query IP-Address 209.237.238.224 (UNRESOLVED) IP-Address: Host-Name: WARNING: Reverse-DNS missing
209.237.238.224 > Unitedlayer 🤔
Search ROKSO: charlie-washington.info > [Spamhaus][Error 404 - File not found]
Whois: rrnntqutxtf.charlie-washington.info > [http://www.geektools.com/cgi-bin/proxy.cgi?query=rrnntqutxtf.charlie-washington.info&targetnic=auto] but where to from here?
Traceroute to: rrnntqutxtf.charlie-washington.info > [http://www.opus1.com/htbin/traceroute?debug=NO&query=rrnntqutxtf.charlie-washington.info][Object not found! The requested URL was not found on the Opus One server]

Would you mind chking [ https://www.spamcop.net/sc?id=z6523578908zcac6aea9fd1baba2a0870f1bd3f87baez ] very curious to know what you get?

Re [netdemon shows the site it redirects to] ? Netdaemon shows all of the above, unless it's a state secret, please share.

Re [you need to work it out which is not hard] Try being a grass🦗hopper 😂

Cheers!

petzl Posted February 21, 2019

1 hour ago, MIG said:

> Hey Petzl,
>
> Thank you. I entered the url into netdaemon, the resulting links were:

I get 139.60.161.75 abuse[AT]hostkey.us bounces/bitbin, try SALES[AT]HOSTKEY.COM

First URL

--- 02/22/19 05:27:49 AUS Eastern Daylight Time
--- reading URL http://rrnntqutxtf.charlie-washington.infx/?eid=bWlnYWwwMEBob3RtYWlsLmNvbXwzMDcxNjM
--- contacting host rrnntqutxtf.charlie-washington.info [139.60.161.75] on port 80
HTTP/1.1 302 Found
Server: nginx/1.10.2
Date: Thu, 21 Feb 2019 18:21:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
X-Powered-By: PHP/5.3.3
Location: http://www.geoearnings.cxm/lgtrack/OTcuMTY?email=bWlnYWwwMEBob3RtYWlsLmNvbQ%3D%3D
--- connection closed

THEN URL http://www.geoearnings.cxm/ gives me another redirection

52.71.44.153 abuse@amazonaws.com USA - Washington

Final redirection https://www.localflirtbuddies.cxm

52.48.235.139 abuse[AT]amazonaws.com Ireland

Get Cert address from here: https://www.first.org/members/teams/

Include:

Child porn spammer pictures under 18 or made to look under 18 NO PROOF OF AGE available! SENT TO MINORS >

amazonaws.com send your complaints to spammer, These are the Cybercriminals amazon are contacting in this case

"Thank you for submitting your abuse report. We have begun our investigation into the source of the activity or content you reported. We've determined that an Amazon EC2 instance was running at the IP address you provided in your abuse report. We have reached out to our customer to determine the nature and cause of this activity or content in your report."

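Added example, not part of the thread and not NetDemon's code: the hop-by-hop reading described above, done offline over captured response text, listing the host to look up at each hop and decoding base64-style query tokens of the kind seen in the `eid` and `email` parameters. The `.example` hosts, the token values and the `CAPTURED` table are constructed sample data; nothing is fetched.

```python
from urllib.parse import parse_qsl, urljoin, urlsplit
import base64

# Constructed sample captures (reserved .example names), keyed by requested URL.
START = "http://a.redirect.example/?eid=dXNlckBleGFtcGxlLm9yZ3wxMjM0NTY"
HOP2 = "http://track.example/lg/x?email=dXNlckBleGFtcGxlLm9yZw%3D%3D"
CAPTURED = {
    START: "HTTP/1.1 302 Found\r\nServer: nginx\r\nContent-Length: 0\r\n"
           f"Location: {HOP2}\r\n\r\n",
    HOP2: "HTTP/1.1 301 Moved Permanently\r\nlocation: https://landing.example/\r\n\r\n",
    "https://landing.example/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}

def parse_response(raw):
    """Return (status, headers) from raw response text; header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(head[0].split()[1]), headers

def decode_tokens(url):
    """Decode query values that are base64 of printable ASCII, e.g. an embedded address."""
    found = {}
    for key, value in parse_qsl(urlsplit(url).query):
        if len(value) < 8:
            continue  # too short to tell a token from an ordinary word
        try:
            padded = value + "=" * (-len(value) % 4)
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if text.isprintable():
            found[key] = text
    return found

def walk(start, responses, limit=10):
    """Follow 3xx Location headers through captured responses, never fetching anything."""
    chain, url = [], start
    for _ in range(limit):  # bound the walk so a redirect loop cannot run forever
        if url not in responses:
            break
        status, headers = parse_response(responses[url])
        chain.append((url, urlsplit(url).hostname, status, decode_tokens(url)))
        if status not in (301, 302, 303, 307, 308) or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return chain
```

Each hostname in the returned chain is a separate lookup for an IP and abuse contact, and a decoded token that contains the recipient's address shows the link is tied to that recipient.
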
MIG Posted February 21, 2019

31 minutes ago, petzl said:

> I get 139.60.161.75 abuse[AT]hostkey.us bounces/bitbin, try SALES[AT]HOSTKEY.COM
>
> First URL
>
> --- 02/22/19 05:27:49 AUS Eastern Daylight Time
> --- reading URL http://rrnntqutxtf.charlie-washington.infx/?eid=bWlnYWwwMEBob3RtYWlsLmNvbXwzMDcxNjM
> --- contacting host rrnntqutxtf.charlie-washington.info [139.60.161.75] on port 80
> HTTP/1.1 302 Found
> Server: nginx/1.10.2
> Date: Thu, 21 Feb 2019 18:21:07 GMT
> Content-Type: text/html; charset=UTF-8
> Content-Length: 0
> Connection: close
> X-Powered-By: PHP/5.3.3
> Location: http://www.geoearnings.cxm/lgtrack/OTcuMTY?email=bWlnYWwwMEBob3RtYWlsLmNvbQ%3D%3D
> --- connection closed
>
> THEN URL http://www.geoearnings.cxm/ gives me another redirection
>
> 52.71.44.153 abuse@amazonaws.com USA - Washington
>
> Final redirection https://www.localflirtbuddies.cxm
>
> 52.48.235.139 abuse[AT]amazonaws.com Ireland
>
> Get Cert address from here: https://www.first.org/members/teams/

Hey Petzl,

Thank you. The bit I don't understand is why SC parser doesn't also drag up amazonaws?

I do always report to Amazonaws when I know they're in the loop, I was relying on SC to detect... They've always been very responsive to every report I forwarded.

Now with your advice it seems as if I'll have to do additional interrogation to find any buried related sources. I'm happy to do the extra digging, just wish I'd known it was necessary.

The last 30+- have all had hostkey, was starting to get po'd; happy now I can do something extra.

Cheers!

grass🦗hoppe

petzl Posted February 21, 2019

6 minutes ago, MIG said:

> The bit I don't understand is why SC parser doesn't also drag up amazonaws?

SC just looks at the link provided; the link in this case is a redirect link with an abuse address that bounces.

Try to be better than SpamCop if you have the time.

In the case of porn spammers send to the CERT of that country as well.

MIG Posted February 21, 2019

39 minutes ago, petzl said:

> SC just looks at the link provided; the link in this case is a redirect link with an abuse address that bounces.
>
> Try to be better than SpamCop if you have the time.
>
> In the case of porn spammers send to the CERT of that country as well.

SC, I see! Thanks.

Time, I always have the time if it means pulverising a spammer. Even if they do mutate like ebola.

CERT of that country, cool, I did not know that. Thank you!

If you don't mind please chk [ https://www.spamcop.net/sc?id=z6523510515zc7e28a23652bcebaa6a110ff76938540z ] I'd like to make sure I understand your methodology please.

Cheers!

petzl Posted February 21, 2019

21 minutes ago, MIG said:

> understand your methodology please

Just get the bogus abuse email address right.

"granatnetou[AT]gmail.com" Ukraine bogus address: https://www.first.org/members/teams/cert-ua

URL abuse[AT]hostkey.us bounce, try sales: https://www.us-cert.gov

MIG Posted February 21, 2019

[hostkey] http://www.webhostingtalk.com/showthread.php?t=1443432

MIG Posted February 21, 2019

On 2/22/2019 at 7:48 AM, petzl said:

> Just get the bogus abuse email address right.
>
> "granatnetou[AT]gmail.com" Ukraine bogus address: https://www.first.org/members/teams/cert-ua
>
> URL abuse[AT]hostkey.us bounce, try sales: https://www.us-cert.gov

[hostkey.us]sales I got that, I'm trying to understand NetDemon in relation to your posts.

Cheers.

petzl Posted February 21, 2019

20 minutes ago, MIG said:

> [hostkey.us]sales I got that, I'm trying to understand NetDaemon in relation to your posts.

netdemon offers a safe txt browser. I use this to get IPs of URLs. I get spammed by Russian crime gang and not keen on clicking link. They sometimes try to download ransomware to your computer.

MIG Posted February 24, 2019

On 2/22/2019 at 8:13 AM, petzl said:

> netdemon offers a safe txt browser. I use this to get IPs of URLs. I get spammed by Russian crime gang and not keen on clicking link. They sometimes try to download ransomware to your computer.

Hey Petzl,

grass🦗hopper prefers VirusTotal, same results without the dead links.

Cheers.

petzl Posted February 24, 2019

6 hours ago, MIG said:

> Hey Petzl,
>
> grass🦗hopper prefers VirusTotal, same results without the dead links.
>
> Cheers.

Netdemon gives the IP address.

Just tried it, yes it works well, thanks: https://www.virustotal.com/#/url/87a1133f47025b43f18b4af7431bc40fb324c2ca6ff58f922e98ea7093ce8d3e/detection

MIG Posted February 25, 2019

http://www.all-nettools.com/toolbox/url-deobfuscator.php can be handy as well.

Cheers

grass🦗hopper

This topic is now archived and is closed to further replies.