bobk Posted March 28, 2019

Shortly after I report a spam I get eight or ten new spams right away. It's as if abuse@colocrossing.com is the spammer itself! Should I continue to report the spams? Are the new ones just there to track me? What to do?

RobiBue Posted March 28, 2019

1. Welcome to the spamcop forum. We're mainly just SC users trying to help others in the fight against spam. Sometimes we can, sometimes we can't...

That said, some spam messages contain URLs which, if triggered, will cause more spam to be sent to you. Sometimes the ISP is "spammer friendly" and provides the spammer with your email address to "listwash" their DB or provides them with the email headers and they extrapolate your address through tracking codes they inserted in the headers.

If you have a Tracking URL (see Jeff G's welcoming post) and would provide it, it would be easier to analyze the reasons for your "multiplying spam" problems and find out a way to alleviate it.

I used to have similar problems with some spammers and by not reporting the links, only the source of the email, it reduced the spam volume drastically. I also went in manually to report the links to the hosting companies and removed the tracking extension from the report, to prevent anybody from triggering more spam if they accidentally (or purposely) click on the link.

Lking Posted March 28, 2019

Yes Bob, welcome! As RobiBue suggested, a Tracking URL would be helpful.

It is quite possible that your spammer is clever enough to hide your email address in the spam AND dumb enough to send you more spam because you reported them to SpamCop. Not being a spammer, I don't see how "asking" to be reported by sending more spam to a known reporter fits into a business model. But then I am not a dumb spammer; see Rule #3 "Spammer Rules."

What RobiBue suggests is quite possible. Another possibility is that your email has made its way onto a list being passed/sold around among spammers and so your volume of spam is currently on the rise. It is also possible that your email ISP has somehow changed their spam filtering and as a result you are seeing more spam that slips through to your inbox.

Be assured that things will change again. In the meantime, help the internet community by reporting all the spam you have time to report. Your good karma will be rewarded.

petzl Posted March 28, 2019

8 hours ago, bobk said:
> Should I continue to report the spams? Are the new ones just there to track me? What to do?

Keep reporting, places like Facebook sell your email addresses to anyone who buys them. I doubt if colocrossing is dobbing you into spammer. Once your email address is taken it is then sold to other spammers, so going from 1 spam to many is "normal".

The best defense is attack. There is a bit of a learning curve. A good and easy effective tool for doing this is a free SpamCop account. Once set up you can simply send spam to SpamCop, "forward as an attachment", for reporting. You will be given a supersecret reporting address, so do not divulge this to anyone.

Always in this discussion group disable/change the @ to [AT] and . to [DOT] in email addies. With malicious links, change them so they don't work. For instance, I change com to cxm as well as a few x's in other places. SpamCop will default munge your email addy unless you tell it not to.

Spam sometimes has links like invisible coded images to send a confirmation that the email has been received. Most email now blocks images from automatically opening for this reason.

Edited March 28, 2019 by petzl

bobk Posted March 29, 2019

Thanks all. I've had a spamcop account for 17 years and never before encountered well over 50 spams per day in my spam folder, and two dozen more within minutes of my reporting, all from the same source. I wonder if their intention in sending so many right away would be to get me to get tired of reporting those bogus ones and leave the other older ones alone.

These are all from cloudflare dot com. All until just recently were also from volia dot net from the Ukraine, I believe. All of the spams are using the same scripted header, with various creative bodies. Several times I have even tried to eliminate whatever code I could from the emails when I report them; I'm not sure if that helped any. I even contacted cloudflare separately using a throwaway email address (hosted by cloudflare!), and got back a form letter response saying something about their notifying the sender if they could.

6936557925 and 6936557926 are examples of one such spam reported without any alteration other than spamcop's munging.

https://www.spamcop.net/sc?id=z6533678221z064eda6e37e20da61d4c35285b02f946z

RobiBue Posted March 29, 2019

9 minutes ago, bobk said:
> Thanks all. I've had a spamcop account for 17 years and never before encountered well over 50 spams per day in my spam folder, and two dozen more within minutes of my reporting, all from the same source. I wonder if their intention in sending so many right away would be to get me to get tired of reporting those bogus ones and leave the other older ones alone.
> These are all from cloudflare dot com. All until just recently were also from volia dot net from the Ukraine, I believe. All of the spams are using the same scripted header, with various creative bodies. Several times I have even tried to eliminate whatever code I could from the emails when I report them; I'm not sure if that helped any. I even contacted cloudflare separately using a throwaway email address (hosted by cloudflare!), and got back a form letter response saying something about their notifying the sender if they could.
> 6936557925 and 6936557926 are examples of one such spam reported without any alteration other than spamcop's munging.
> https://www.spamcop.net/sc?id=z6533678221z064eda6e37e20da61d4c35285b02f946z

Yep, just like I thought, those sigarpi.com links are some of those tracking links. Hitting them triggers a script on their server that “assumes” that you’re interested in their products, and they send a spew of their junk to the address linked to the number. At least that’s the way it looks.

See here... unfortunately nothing has been done about it.

Deselect the cloudflare report and you should be ok... I know, it’s not perfect, but you’d get less spam and eventually they’ll die out. Haven’t had one since last October...

bobk Posted March 29, 2019

Thanks RobiBue. That seems exactly right. When I followed your "here" link, though, your examples of how you munged cloudflare would not load: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez . I'm hoping it's easier than putting an x on 30+ instances of the name.

What do you mean by deselecting the cloudflare report? The only way I can tell it's from them now is to recognize the script in the header.

RobiBue Posted March 29, 2019

5 hours ago, bobk said:
> Thanks RobiBue. That seems exactly right. When I followed your "here" link, though, your examples of how you munged cloudflare would not load: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez . I'm hoping it's easier than putting an x on 30+ instances of the name.
> What do you mean by deselecting the cloudflare report? The only way I can tell it's from them now is to recognize the script in the header.

Yeah, unfortunately the spam examples get removed by SC to conserve space (there are so many reports a DB can hold without having to add more HDD...) and when I checked my inbox, the spam from back then had already been deleted as well... but I found examples in my sent folder:

    <img alt="Droid or Apple? Find Your New Cell Phone Today! Fresh Deals!" border="0" height="176" src="http://airlinehop.com/?--ID-number-1-(munged)--" width="23"/></td>
    <td bgcolor="#FFFFFF" height="175" valign="top" width="276">
    <span style="font-family: Bookman Old Style; color: #242424; font-weight: 700">
    <font style="font-size: 12pt">Search: <a href="http://airlinehop.com/?--ID-number-8-(munged)--">Cell Phones</a></font></span><p>
    <span style="font-family: Bookman Old Style; color: #242424">
    Ready For A New Phone? <br/>
    <i>ANDROID</i> or <i>APPLE</i>? <br/>
    Browse Newest Models NOW!<br/>

I had written a quick and dirty script, which would replace the numbers after the host name with the text "?--ID-number-<n>-(munged)--" where <n> is the last digit of the number... and then sent it off to SC for reporting...

Lking Posted March 29, 2019

6 hours ago, bobk said:
> What do you mean by deselecting the cloudflare report? The only way I can tell it's from them now is to recognize the script in the header.

When you submit a spam, at the bottom of the screen you should see something like the following. By clicking on the checked boxes you can deselect a report and not send a spam report to any one of the suggested recipients.

    Report spam to:
    Re: 146.111.121.4 (Administrator of network where email originates)
    To: security@mail.cuny.edu (Notes)
    Re: http://andreahumphrey.com/o_ultranationalist_ma... (Administrator of network hosting website referenced in spam)
    To: fbl-spamcop@ext.godaddy.com (Notes)
    Re: https://tigermail.qcc.cuny.edu/unsubscribe.html (Administrator of network hosting website referenced in spam)
    To: security@mail.cuny.edu (Notes)
    Re: User Notification (Notes)
    To:

bobk Posted March 29, 2019

Thanks again! I might skip reporting altogether since volia dot net is in the Ukraine, and they have already gotten dozens of spamcop reports from me.

MIG Posted March 30, 2019

10 hours ago, RobiBue said:
> I had written a quick and dirty script, which would replace the numbers after the host name with the text "?--ID-number-<n>-(munged)--" where <n> is the last digit of the number... and then sent it off to SC for reporting...

Hey RobiBue,

Have you ever seen a 🦗 begging? Stand by to witness this miracle: If your "dirty" script is safe to share, may I have a copy please? My little 🦗 paws are fair worn out from modifying scummy spam urls...

Cheers!

RobiBue Posted March 30, 2019

8 hours ago, MIG said:
> Hey RobiBue, Have you ever seen a 🦗 begging? Stand by to witness this miracle: If your "dirty" script is safe to share, may I have a copy please? My little 🦗 paws are fair worn out from modifying scummy spam urls... Cheers!

Uhmmm... script is safe, but I do have 2 confessions to make:

1. Currently I have no access to the PC I wrote the script on, and
2. The script is a VBA script for Win Word where I just dropped the spam in, ran the script, and attached the resulting text files to an email addressed to my reporting SC address...

The script works roughly as follows: search for an https?:// domain name with regex and replace the numerical path (or ?argument) with the --ID...-- line. That’s basically the idea.

Fun to play and test reg(ular) ex(pressions): https://regex101.com/r/wN6cZ7/478 (already set up for domain names), and SO has a nice answer for the whole URL: https://stackoverflow.com/questions/27745/getting-parts-of-a-url-regex

Sorry that I can’t be of more help atm... working these answers off a tablet...

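An added example, not RobiBue's VBA script and not code posted in this thread: a Python version of the munging described above, which finds an http(s) URL whose final path segment or query string is a long number and replaces that number with `--ID-number-<n>-(munged)--`, keeping only the last digit. The function name, the six-digit minimum for what counts as a tracking ID, and the sample hosts are assumptions made for the example.

```python
import re

# Assumption: a run of at least this many digits is a per-recipient tracking ID.
MIN_ID_DIGITS = 6

# http(s)://host[:port]/ + optional directories + optional "?" + all-digit ID,
# where the ID must run to the end of the URL (quote, space, bracket or "&").
TRACKING_URL = re.compile(
    r"(?P<base>https?://[A-Za-z0-9.-]+(?::\d+)?/(?:[^\s\"'<>?]*/)?)"
    r"(?P<q>\??)"
    r"(?P<id>\d{%d,})"
    r"(?=$|[\s\"'<>&])" % MIN_ID_DIGITS
)


def munge_tracking_ids(text):
    """Return (munged_text, count) with numeric URL IDs replaced by a marker.

    Only the last digit of each ID is kept, as in the sample in the thread.
    """
    def _replace(match):
        last_digit = match.group("id")[-1]
        return (f"{match.group('base')}{match.group('q')}"
                f"--ID-number-{last_digit}-(munged)--")

    return TRACKING_URL.subn(_replace, text)


# Constructed sample (not a real spam): two "?ID" links, one ID in a path behind
# a redirector, and one ordinary link that must stay untouched.
SAMPLE = (
    '<img src="http://spam-host.example/?10809809944215154550025261731" width="23"/>\n'
    '<a href="http://spam-host.example/?10809809944215154550025261738">Cell Phones</a>\n'
    '<a href="https://redirector.example/away.php?url=http://spam-host.example/c/4471190265">x</a>\n'
    '<a href="https://www.example.org/about/">About</a>\n'
)

if __name__ == "__main__":
    munged, count = munge_tracking_ids(SAMPLE)
    print(munged)
    print(f"{count} tracking ID(s) munged")
```

Run it on the decoded message body: in a quoted-printable source, a soft line break (`=` at the end of a line) can split an ID and hide it from the pattern.
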
MIG Posted April 6, 2019

Hey RobiBue,

Thank you! What I've been doing is manually searching for any "http"

Example: <a href=3D"https: // odnogrupniki.com.ua / =away.php?url=3Dhttp:// recover.wokdorkers/?10809809944215154550025261733"> , removing everything except https: // odnogrupniki.com.ua /, dropping the result in SC Parser.

2 outcomes, SC Parser recognises the links & I think, in another post, you provided info that each time full links were parsed the spammer got a positive hit, that urinated me off so any action I can take to limit benefits for spammers, is good for me😎

I think I need to 101 regular expressions/Regex to get my 🦗 head around your solution😉

Cheers!

Edited April 6, 2019 by MIG