Jump to content

I am getting more spam when I report


bobk

Recommended Posts

Shortly after I report a spam I get eight or ten new spams right away. It's as if abuse@colocrossing.com is the spammer itself!

Should I continue to report the spams? 

Are the new ones just there to track me?

What to do?

Link to comment
Share on other sites

1. welcome to the spamcop forum. We're mainly just SC users trying to help others in the fight against spam. Sometimes we can, sometimes we can't...

That said, some spam messages contain URLs which, if triggered, will cause more spam to be sent to you. Sometimes the ISP is "spammer friendly" and provides the spammer with your email address to "listwash" their DB or provides them with the email headers and they extrapolate your address through tracking codes they inserted in the headers.

If you have a Tracking URL (see Jeff G's welcoming post) and would provide it, it would be easier to analyze the reasons for your "multiplying spam" problems and find out a way to alleviate it.

I used to have similar problems with some spammers and by not reporting the links, only the source of the email, it reduced the spam volume drastically.

I also went in manually to report the links to the hosting companies and removing the tracking extension from the report, to prevent anybody from triggering more spam if they accidentally (or purposely) click on the link.

Link to comment
Share on other sites

Yes Bob, welcome! As RobiBue suggested a Tracking URL would be helpful.

It is quite possible that your spammer is clever enough to hide your email address in the spam AND dumb enough to send you more spam because you reported them to SpamCop. Not being a spammer I don't see how "asking" to be reported by sending more spam to a know reporter fits into a business model. But then I am not a dumb spammer; see Rule #3 "Spammer Rules."  What RobiBue suggest is quite possible.

Another possibility is that your email has made its way onto a list being passed/sold around among spammers and so your volume of spam is currently on the rise.  I is also possible that your email ISP has somehow changed their spam filtering and as a result you are seeing more spam that slips through to your inbox.  Be assured by things will change again.  In the meantime, help the internet community by reporting all the spam you have time to report. Your good karma will be rewarded.

Link to comment
Share on other sites

 

8 hours ago, bobk said:

Should I continue to report the spams? 

Are the new ones just there to track me?

What to do?

Keep reporting, places like Facebook sell your email addresses to anyone who buys them.
I doubt if colocrossing is dobbing you into spammer.
Once your email address is taken it is then sold to other spammers so going from 1 spam to many is "normal"
The best defense is attack. 
There is a bit of a learning curve. 

A good and easy effective tool for doing  this is a free SpamCop account
Once set-up you can simply send to SpamCop spam "forward as a attachment" for reporting
You will be given a supersecret reporting address so do not divulge this to anyone,
Always in this discussion group disable/change the @ to [AT] and . to [DOT] in email addies 
With malicious links change them so they don't work, For instance I change com to cxm as well as a few x's in other places

SpamCop will default munge your email addy unless you tell it not to.
spam sometimes has links in spam like invisible coded images to send a confirmation that email has been received.
Most email now blocks images from automatically opening for this reason 

Edited by petzl
Link to comment
Share on other sites

Thanks all.

I've had a spamcop account for 17 years and never before encountered well over 50 spams per day in my spam folder, and two dozen more within minutes of my reporting, all from the same source.  I wonder if their intention in sending so many right away would be to get me to get tired reporting those bogus ones and leave the other older ones alone.

These are all from cloudflare dot com.  All until just recently were also from volia dot net from the Ukraine, I believe.  All of the spams are using the same scripted header, with various creative bodies. Several times I have even tried to eliminate whatever code I could from the emails when I report them; I'm not sure if that helped any.

I even contacted cloudflare separately using a throwaway email address (hosted by cloudflare!), and got back a form letter response saying something about their notifying the sender if they could. 

6936557925 and 6936557926 are examples of one such spam reported without any alteration other than spamcop's munging.

https://www.spamcop.net/sc?id=z6533678221z064eda6e37e20da61d4c35285b02f946z

Link to comment
Share on other sites

9 minutes ago, bobk said:

Thanks all.

I've had a spamcop account for 17 years and never before encountered well over 50 spams per day in my spam folder, and two dozen more within minutes of my reporting, all from the same source.  I wonder if their intention in sending so many right away would be to get me to get tired reporting those bogus ones and leave the other older ones alone.

These are all from cloudflare dot com.  All until just recently were also from volia dot net from the Ukraine, I believe.  All of the spams are using the same scripted header, with various creative bodies. Several times I have even tried to eliminate whatever code I could from the emails when I report them; I'm not sure if that helped any.

I even contacted cloudflare separately using a throwaway email address (hosted by cloudflare!), and got back a form letter response saying something about their notifying the sender if they could. 

6936557925 and 6936557926 are examples of one such spam reported without any alteration other than spamcop's munging.

https://www.spamcop.net/sc?id=z6533678221z064eda6e37e20da61d4c35285b02f946z

Yep, just like I thought, those sigarpi.com links are some of those tracking links. Hitting them, triggers a scri_pt on their server that “assumes” that you’re interested in their products and they send a spew of their junk to the address linked to the number.

At least that’s the way it looks.

See here...

unfortunately nothing has been done about it :(

Deselect the cloudflare report and you should be ok...

I know, it’s not perfect, but you’d get less spam and eventually they’ll die out. Haven’t had one since last October...

Link to comment
Share on other sites

Thanks RobiBue. That seems exactly right.  

When I followed your "here" link, though, your examples of how you munged cloudflare would not load: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez . I'm hoping it's easier than putting an x on 30+ instances of the name.

What do you mean by deselecting the cloudflare report?  The only way I can tell it's from them now is to recognize the scri_pt in the header.

Link to comment
Share on other sites

5 hours ago, bobk said:

Thanks RobiBue. That seems exactly right.  

When I followed your "here" link, though, your examples of how you munged cloudflare would not load: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez . I'm hoping it's easier than putting an x on 30+ instances of the name.

What do you mean by deselecting the cloudflare report?  The only way I can tell it's from them now is to recognize the scri_pt in the header.

Yeah, unfortunately the spam examples get removed by SC to conserve space (there are so many reports a DB can hold without having to add more HDD...) and when I checked my inbox, the spam from back then had already been deleted as well...

 but I found examples in my sent folder:

Quote

<img alt="Droid or Apple? Find Your New Cell Phone Today! Fresh Deals!" border="0" height="176" src="http://airlinehop.com/?--ID-number-1-(munged)--" width="23"/></td> <td bgcolor="#FFFFFF" height="175" valign="top" width="276"> <span style="font-family: Bookman Old Style; color: #242424; font-weight: 700"> <font style="font-size: 12pt">Search: <a href="http://airlinehop.com/?--ID-number-8-(munged)--">Cell Phones</a></font></span><p> <span style="font-family: Bookman Old Style; color: #242424"> Ready For A New Phone? <br/> <i>ANDROID</i> or <i>APPLE</i>? <br/> Browse Newest Models NOW!<br/>

I had written a quick and dirty scri_pt, which would replace the numbers after the host name with the text “?—ID-number-<n>-(munged)—“ where <n> is the last digit of the number... and then sent it off to SC for reporting...

Link to comment
Share on other sites

6 hours ago, bobk said:

What do you mean by deselecting the cloudflare report?  The only way I can tell it's from them now is to recognize the scri_pt in the header.

When you submit a spam, at the bottom of the screen you should see something like the following.  By clicking on the checked boxes you can deselect a report and not sent a spam report to anyone of the suggested recepents.

Quote
Report spam to:

Re: 146.111.121.4 (Administrator of network where email originates)
To: security@mail.cuny.edu (Notes)

Re: http://andreahumphrey.com/o_ultranationalist_ma... (Administrator of network hosting website referenced in spam)
To: fbl-spamcop@ext.godaddy.com (Notes)

Re: https://tigermail.qcc.cuny.edu/unsubscribe.html (Administrator of network hosting website referenced in spam)
To: security@mail.cuny.edu (Notes)

Re: User Notification (Notes)
To:

 

Link to comment
Share on other sites

10 hours ago, RobiBue said:

I had written a quick and dirty scri_pt, which would replace the numbers after the host name with the text “?—ID-number-<n>-(munged)—“ where <n> is the last digit of the number... and then sent it off to SC for reporting...

Hey RobiBue,

Have you ever seen a 🦗 begging? Stand by to witness this miracle:

If your "dirty"  scri_pt  is safe to share may I have a copy please?

My litlle 🦗paws are fair worn out from modifying scummy spam urls...

Cheers!

Link to comment
Share on other sites

8 hours ago, MIG said:

Hey RobiBue,

Have you ever seen a 🦗 begging? Stand by to witness this miracle:

If your "dirty"  scri_pt  is safe to share may I have a copy please?

My litlle 🦗paws are fair worn out from modifying scummy spam urls...

Cheers!

Uhmmm... scri_pt is safe, but I do have 2 confessions to make:

  1. Currently I have no access to the pc I wrote the scri_pt on, and
  2. The scri_pt is a vba scri_pt for win word where I just dropped the spam in, ran the scri_pt, and attached the resulting text files to an email addressed to my reporting SC address...

The scri_pt works roughly as follows:

search for an https?:// domain name with regex and replace the numerical path (or ?argument) with the —ID...— line

that’s basically the idea.

fun to play and test reg(ular) ex(pressions) https://regex101.com/r/wN6cZ7/478 (already set up for domain names)

and SO has a nice answer for the whole URL: https://stackoverflow.com/questions/27745/getting-parts-of-a-url-regex

sorry that I can’t be of more help atm... working these answers off a tablet...

Link to comment
Share on other sites

Hey RobiBue,

Thank you!

What I've been doing is manually searching for any "http"

Example: <a href=3D"https: // odnogrupniki.com.ua / =away.php?url=3Dhttp://  recover.wokdorkers/?10809809944215154550025261733"> , removing everything except https: // odnogrupniki.com.ua /, dropping the result in SC Parser.

2 outcomes, SC Parser recognises the links & I think, in another post, you provided info that each time full links were parsed the spammer got a positive hit, that urinated me off so any action I can take to limit benefits for spammers, is good for me😎

I think I need to 101 regular expressions/Regex to get my🦗head around your solution😉

Cheers!

 

Edited by MIG
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...