Jump to content

AWS spam source


Recommended Posts

i am trying to report continuous voluminous spam originating from AWS and the reports i have been sending are not being acted upon. ie the spam is still continuing and i would like to include the CERT or FIRST authorities in USA

I did find an email address info{AT}us-cert.gov and phishing-report{AT}us-cert.gov but i want to be doubly sure that this is the correct email address to send the report to.

can anyone please suggest the correct reporting email address to the proper authorities ?

Link to comment
Share on other sites

  • 2 weeks later...

What address are you sending Amazon abuse reports to? abuse@amazonaws.com/ec2-abuse@amazon.com? If you do it through SC, they devnull the report as that address (abuse@amazonaws.com) is disabled for reports, but manually reporting it to abuse@amazonaws.com/ec2-abuse@amazon.com generates a confirmation email.

 

Steve

Link to comment
Share on other sites

On 8/5/2019 at 11:10 AM, Steve said:

What address are you sending Amazon abuse reports to? abusexamazonaws.com/ec2-abusexamazon.com? If you do it through SC, they devnull the report as that address (abusexamazonaws.com) is disabled for reports, but manually reporting it to abusexamazonaws.com/ec2-abusexamazon.com generates a confirmation email

Steve

I only got action by sending abuse reports to Amazons sales department. Explaining that abusexamazonaws.com have gone rouge!

Remove all @ symbols from email addies as spammer scan here for valid addresses (best is to use [AT]. I just put x over it)

Link to comment
Share on other sites

On 8/6/2019 at 11:27 AM, petzl said:

I only got action by sending abuse reports to Amazons sales department. Explaining that abusexamazonaws.com have gone rouge!

Remove all @ symbols from email addies as spammer scan here for valid addresses (best is to use [AT]. I just put x over it)

Found another address for AWS spoofing[AT]amazon[DOT]com
they want phishing message sent as attachment
https://www.amazon.co.uk/gp/help/customer/display.html?nodeId=201489190
Got a phishing spam that is using AWS URL's
email address probably sold by Facebook
https://www.spamcop.net/sc?id=z6564692784zcf8bc46efe5fe75fafde0e89a94da795z

Link to comment
Share on other sites

On 7/24/2019 at 8:41 PM, HeatherReid43 said:

I did find an email address info{AT}us-cert.gov and phishing-report{AT}us-cert.gov but i want to be doubly sure that this is the correct email address to send the report to.

Though, I believe you have some good addresses, I am not sure it will help.  After me seeing the joke of the do not call list for the past decade (more than the current administration), I would suspect that amazon.AWS thinks these addresses would be nothing more than an external rating system.  I do not believe they would actually stop the spam.  I use the SpamCop blocking list for that.  Each time you report, it feeds the algorithm behind the block list.

Link to comment
Share on other sites

13 hours ago, gnarlymarley said:

Though, I believe you have some good addresses, I am not sure it will help.  After me seeing the joke of the do not call list for the past decade (more than the current administration), I would suspect that amazon.AWS thinks these addresses would be nothing more than an external rating system.  I do not believe they would actually stop the spam.  I use the SpamCop blocking list for that.  Each time you report, it feeds the algorithm behind the block list.

AWS has a crime problem starting at it's abuse address, they seem in on it!
try here for latest abuse address
https://aws.amazon.com/security/report-suspicious-emails/

Edited by petzl
Link to comment
Share on other sites

  • 1 month later...

I hope I am not bringing out a thread from back from the grave
today i have received multiple instances of spam originating from AWS

here are today's pickings which were a bit slim but you will get an idea.

https://www.spamcop.net/sc?id=z6578131058z038800e35b2aceab343c4f604c4b0ec0z
https://www.spamcop.net/sc?id=z6578130863z7a4f36a23541fc3be43687bb4bff14cdz
https://www.spamcop.net/sc?id=z6577994490z50b76841e430101536d9bd8d71243fd2z
https://www.spamcop.net/sc?id=z6577984845z687e0d01a34a061585e573d5db505768z
https://www.spamcop.net/sc?id=z6577984835z393f8b1753d370ebedf7279c94ddd40dz
https://www.spamcop.net/sc?id=z6577984776z1d59efddc0b237a94bcde315cc4181bdz
https://www.spamcop.net/sc?id=z6577984735za80bb81f9d84975eecef1a3cfab72314z
https://www.spamcop.net/sc?id=z6577984681zf6cb4301fe59144094bccbe9af780894z
https://www.spamcop.net/sc?id=z6577984644za5a34099ad9c92d90b2080544c1c46b1z
https://www.spamcop.net/sc?id=z6577984543z95efe8ce27031c21e8c2cf9113d6cd40z


any idea how to stop this onslaught ?

Link to comment
Share on other sites

On 10/4/2019 at 4:47 AM, HeatherReid43 said:

I hope I am not bringing out a thread from back from the grave
today i have received multiple instances of spam originating from AWS
...
any idea how to stop this onslaught ?

I’m sending mine to:

abuse@amazonaws.com, abuse@amazon.com, ec2-abuse@amazon.com, ipmanagement@amazon.com

That seems to be working.

Were your target sites hosted by Lithuania outfit vpsnet? All mine were (australy.win, australy.bid, bulkoffers.win) 

The target site australy.bid went onto SURBL Phishing blacklist Sunday/yesterday.

Not sure why/how, but the good news is that Nanecheap finally deleted the registration for the domain. That is something they refused to do several times (on February 6 and Feb 8 this year for example) despite emails for “number 1 milf site” etc!!

My level of frustration with Amazon (and with Namecheap) reaches far too high a level at times LOL

Link to comment
Share on other sites

Today alone I have received over 30 spam/phishing emails with the host name of amazonaws. 99% of these emails refer to a website or reply email of "s.free.fr".  I have reported each and everyone and I have discovered that the ec2 host numbers are registered to MarkMonitor.com.

  If the information in each email looks the same, I send a copy of these emails with their headers, hostname and ip numbers to abuse@amazonaws.com, spam@fightspam.gc.ca (I live in Canada), abusecomplaints@markmonitor.com, ipmanagement@amazon.com, hostmaster@amazon.com, stop-spoofing@amazon.com, and ec2-abuse@amazon.com

As fast as I report an email, I get another one and they are mostly an amazonaws host from the Registrar Mark Monitor LLC. I am even getting 2 of the same email. Because of the number I have submitted since the first of October, I have seen a slowdown in amazonaws abuse reports being sent back to me. I have yet to see a response from Mark Monitor. I have even sent an email to them and Mark Monitor with a plea to stop the harassment. If it continues much longer I think I will file an official complaint with our Canadian government and the RCMP.

Link to comment
Share on other sites

1 hour ago, NanaBird said:

As fast as I report an email, I get another one and they are mostly an amazonaws

Hammering my Gmail account as well always mark them phishing and report from my Gmail.
Criminal  phishing, bogus reply address, bogus unsubscribe, DDoS attack on my email account
stop-spoofing[AT] amazon.com, abuse[AT] amazonaws.com, abuse[AT] amazon.com, ec2-abuse[AT] amazon.com, ipmanagement[AT] amazon.com, phishing-report[AT] us-cert.gov.
The links are "tinyURL" and go  to a free picture site of a text document. but don't look at all

Link to comment
Share on other sites

1 hour ago, NanaBird said:

s.free.fr

You are dealing with a group of very well known spam/phishing jerks (at least, we’ll known to me)

Namecheap are almost exclusively the domains they (1) Create, or (2) Takeover.

The s.free.fr is a redirect site (short url) so the actual sites are not linked to in their malicious emails. Thus reducing risk of their actual redirect site being listed on SURBL or such.

Their actual site is not the ultimate destination either, but a redirect dance site to wherever they fancy sending you.

You'll also probably find they use other sites for image hosting (to deliver to their malicious emails when opened). Often they use “imgur.com” - and imgur will happily delete those as against their terms of service. Report here, if you want to help make the malicious emails look more odd than they do already 😏

https://help.imgur.com/hc/en-us/requests/new

Link to comment
Share on other sites

1 hour ago, NanaBird said:

. If it continues much longer I think I will file an official complaint with our Canadian government and the RCMP.

Hope that helps. I include the authorities on all my Amazon reporting. Not sure it has any impact here in this country. Canada may be different...

Edited by Hanco
Typo
Link to comment
Share on other sites

3 minutes ago, Hanco said:

Thanks that's where I get sent but don't bother clicking every link or any link that often
Seem AWS is backing this. Not a friend of Namecheap they seem the ones flooding spam to this blog
Domain name blocking will be the only way to block this, if Gmail get enough phishing marks they will block domain and won't advertise they have done so.
So far the only way to do this is by "sh*t list" as I haven't seen a effective way of gathering domain evidence.
IP gathering of domains is hard as spam is hopping through domain IP's

Link to comment
Share on other sites

2 minutes ago, petzl said:

clicking every link or any link that often

Oh absolutely. I try hard NOT to click the links. Ever.

The Imgur team are good guys. They’ve got really quick at deleting. I send in my submissions in a very recognizable format they know will be a genuine report of ad images.

Today, this jerk’s domain site hosted by Linode was pulled really quickly (within minutes of me getting their email. The images were also deleted very quickly.

So quickly did this all happen in fact, that the dense idiot behind this process was sending out emails from the Amazon hosted mail service with “image not found” errors in the body and still linking to the non-existent site.

Shame Namecheap and Amazon cannot get their acts together. Be more like Imgur and Linode.

Link to comment
Share on other sites

5 hours ago, Lking said:

You might try    stop-spoofing@amazon.com

I think the Amazon business divides the IPs. Sometimes EC2 responds, other times IP Management, and other times a more general address. I first noticed the split when SpamCop wanted to report rather than switch @ for # 

 

Link to comment
Share on other sites

This may be wrong to mention here but it closely links with the only source of spam I deal with (these jerks) - I noticed SURBL .org was offline a while today. It was in a quiet period for the spamming (at least to me) so maybe they were using their resources for other reasons than spamming? DDOS anyone?

(Leaving to get some aluminum foil for a new hat now)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...