Does Spamcop send report directly to spammer itself?


Appleseed

Sorry about the confusion with your post.

SpamCop does not send spam reports to the spammer but to their ISP, etc.  If you could provide a Tracking URL it would help others see what the parser did with your spam.  It is hard to give an informed opinion based on just your post.

Appleseed,

As a user like you, I am not able to see any spam you may have reported.  So I second Lking's request for a tracking link.

1 minute ago, Lking said:

If you could provide a Tracking URL it would help others see what the parser did with your spam.  It is hard to give an informed opinion based on just your post.

Appleseed, what I suspect you are seeing is some users have signed up for an IP range, but then don't use an abuse address.  Those seem to be using a personal address instead.

12 minutes ago, Appleseed said:

No problem, things happen^^

https://www.spamcop.net/sc?id=z6564775200zb0e68f15592a9b6948787f714e4ec177z
The SpamCop tracking URL shows the Gmail abuse address is probably bogus (Bitbin)
the IP of URL is a botnet
https://www.abuseat.org/lookup.cgi?ip=92.63.192.124
Front for child porn phishing spam operator.
Send report to response[AT]cert-gib[DOT]ru no working abuse address.

Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS



17 hours ago, Appleseed said:

There is that Gmail address I'm talking about.

The address matches the cached entry returned from RIPE.  I am not sure I would trust the other RIPE email any more than the gmail address either.

SpamCop RIPE cached:

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '92.63.192.0 - 92.63.192.255'

% Abuse contact for '92.63.192.0 - 92.63.192.255' is 'vvsg180@gmail.com'

New RIPE query:

e-mail:          vigorv@mail.ru
e-mail:          hawk@diamondc.ru
upd-to:          stell_hawk@mail.ru
abuse: hawk@diamondc.ru

One quick note that you may not be aware of is that thanks to GDPR there might be times where the "-B" gets in the way and someone has performed a manual add.

SpamCop:

Reports routes for 92.63.192.124:
routeid: 78192297 92.63.192.0 - 92.63.192.255 to: vvsg180@gmail.com
Administrator interested in all reports
7/17/2019, 9:45:55 AM -0600 
[Note added by  (no name)]
Route added without comment

 

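Added example (not part of the post above, and not SpamCop's or RIPE's code): a small Python check that parses the two lookups quoted in that post and flags a cached abuse contact that sits on a freemail domain, is not a role mailbox, or is missing from the fresh RIPE answer. The freemail list, the flag names and the function names are assumptions made for illustration; a flag means "check by hand", not "bogus".

```python
import re

# Lookup text copied from the post above (trimmed to the contact lines).
CACHED = """% Information related to '92.63.192.0 - 92.63.192.255'
% Abuse contact for '92.63.192.0 - 92.63.192.255' is 'vvsg180@gmail.com'
"""
FRESH = """e-mail:          vigorv@mail.ru
e-mail:          hawk@diamondc.ru
upd-to:          stell_hawk@mail.ru
abuse: hawk@diamondc.ru
"""

FREEMAIL = {"gmail.com", "mail.ru", "hotmail.com", "yahoo.com"}  # assumed, illustrative list
ROLE_MAILBOXES = {"abuse", "postmaster", "noc", "security"}      # RFC 2142 role names

ABUSE_COMMENT = re.compile(r"^%\s*Abuse contact for '[^']+' is '([^']+)'")
ATTRIBUTE = re.compile(r"^([A-Za-z0-9-]+):\s*(\S+@\S+)\s*$")

def parse_contacts(whois_text):
    """Map each e-mail-bearing attribute to the addresses it lists."""
    found = {}
    for line in whois_text.splitlines():
        line = line.strip()
        m = ABUSE_COMMENT.match(line)
        if m:
            found.setdefault("abuse-contact", []).append(m.group(1).lower())
            continue
        m = ATTRIBUTE.match(line)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return found

def flags(address):
    """Reasons to look at an address by hand before trusting it."""
    local, _, domain = address.partition("@")
    out = []
    if domain in FREEMAIL:
        out.append("freemail-domain")
    if local not in ROLE_MAILBOXES:
        out.append("non-role-mailbox")
    return out

def review(cached_text, fresh_text):
    """Flag every cached abuse contact, also noting if the fresh lookup lacks it."""
    fresh = {a for addrs in parse_contacts(fresh_text).values() for a in addrs}
    report = {}
    for addr in parse_contacts(cached_text).get("abuse-contact", []):
        report[addr] = flags(addr) + (["absent-from-fresh-lookup"] if addr not in fresh else [])
    return report

print(review(CACHED, FRESH))
```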

On 8/10/2019 at 5:34 PM, petzl said:

https://www.spamcop.net/sc?id=z6564775200zb0e68f15592a9b6948787f714e4ec177z
The SpamCop tracking URL shows the Gmail abuse address is probably bogus (Bitbin)
the IP of URL is a botnet
https://www.abuseat.org/lookup.cgi?ip=92.63.192.124
Front for child porn phishing spam operator.
Send report to response[AT]cert-gib[DOT]ru no working abuse address.


Child porn spammer 
pictures under 18 or made to look under 18
NO PROOF OF AGE available! 
SENT TO MINORS



 

What I'm seeing at the tracking link is typical of mail I receive at an Outlook email account, where the top-most (most recent) Received header trips things up so that reports go to report_spam[at]hotmail.com - I usually delete or comment out the header in such situations, which is normally sufficient to get the report(s) sent to a more appropriate address.

3 hours ago, lisati said:

What I'm seeing at the tracking link is typical of mail I receive at an Outlook email account, where the top-most (most recent) Received header trips things up so that reports go to report_spam[at]hotmail.com - I usually delete or comment out the header in such situations, which is normally sufficient to get the report(s) sent to a more appropriate address.

My template attracts Russia's attention; it applies to all porn spam. Not seen one with "proof of age" on file.

10 hours ago, petzl said:

My template attracts Russia's attention; it applies to all porn spam. Not seen one with "proof of age" on file.

I've seen some with apparent connections to Russia. Thankfully my provider filters them out before they make it to my inbox or junk/spam folder.

5 hours ago, Appleseed said:

This is the same spam I get almost every day, but this one uses a Google link instead of that Russian site.

I don't know what that link does, but it is to google.com

https://www.spamcop.net/sc?id=z6566161130zd34619e4d85c8adc3716c597c9f69569z

Google seems to have taken the link down?

11 hours ago, petzl said:

Google seems to have taken the link down?

The link still forwards.  Apparently, the link is a search where it clicks the "I feel lucky button" and forwards directly to the first returned google search result.

The "I feel lucky" button as being part of the URL:

btnI=bQm4

 

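Added example, not from the thread: a Python check that a mail filter could run over a message body to spot links that pass through Google with the `btnI` parameter described in the post above. The sample body is constructed; only `btnI=bQm4` comes from the post, and the function names and the restriction to google.com hosts are assumptions.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def lucky_redirect(url):
    """Return the search query if url is a google.com link carrying btnI, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact-suffix match so look-alike hosts such as google.com.example.net fail.
    if not (host == "google.com" or host.endswith(".google.com")):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "btnI" not in params:
        return None
    return params.get("q", [""])[0]

def scan_body(body):
    """List (url, query) for every btnI forwarding link found in a message body."""
    hits = []
    for raw in URL_RE.findall(body):
        url = html.unescape(raw)  # HTML mail writes '&' as '&amp;' inside href
        query = lucky_redirect(url)
        if query is not None:
            hits.append((url, query))
    return hits

# Constructed sample body: one forwarding link, one plain search, one look-alike host.
BODY = '''<a href="https://www.google.com/search?q=placeholder+words&amp;btnI=bQm4">photos</a>
<a href="https://www.google.com/search?q=weather">ok</a>
<a href="https://google.com.example.net/search?q=x&amp;btnI=1">lookalike</a>'''

print(scan_body(BODY))
```

The returned query is what decides where the reader ends up, so it is the part worth logging alongside the message.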

On 8/16/2019 at 11:46 PM, gnarlymarley said:

The link still forwards.  Apparently, the link is a search where it clicks the "I feel lucky button" and forwards directly to the first returned google search result.

The "I feel lucky" button as being part of the URL:


btnI=bQm4

 

That's good to know. The site where the link goes has, again, the same Russian owner.

  • 4 weeks later...
On 8/20/2019 at 1:00 AM, Appleseed said:

Is it legit or not?

I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore.  I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), then I am not sure it matters as they already have that information from when they connected to my email server.  I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.

  • 4 weeks later...
On 9/12/2019 at 9:28 PM, gnarlymarley said:

I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore.  I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), then I am not sure it matters as they already have that information from when they connected to my email server.  I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.

OK, it seems that that guy is the same as OOO-Patent-Media etc., and their company Romanenko Stanislav Sergeevich is hosting those spam sites: https://dnslytics.com/bgp/as47981

So vvsg180@gmail.com is theirs, and also hawk@diamondc.ru and stell_hawk@mail.ru

So it is impossible to stop that spam if SpamCop reports to them. Just like I was guessing in my first post: SpamCop reports directly to the spammer itself.

If someone could find who the host behind their IP range 92.63.192.0-92.63.192.255 is, then the report could be sent directly to that ISP.

4 hours ago, Appleseed said:

OK, it seems that that guy is the same as OOO-Patent-Media etc., and their company Romanenko Stanislav Sergeevich is hosting those spam sites: https://dnslytics.com/bgp/as47981

So vvsg180@gmail.com is theirs, and also hawk@diamondc.ru and stell_hawk@mail.ru

So it is impossible to stop that spam if SpamCop reports to them. Just like I was guessing in my first post: SpamCop reports directly to the spammer itself.

If someone could find who the host behind their IP range 92.63.192.0-92.63.192.255 is, then the report could be sent directly to that ISP.

looks like their IPv4 peer is AS 31343 ( Intertelecom Ltd ) (got it from your dnslytics link ;) )

It seems that Intertelecom is the only peer Romanenko has, so it is likely that he is their customer... maybe they don't know what's going on in their "backyard/neighbourhood" and then again, maybe they do and the money they get is good enough for them...

 

  • 2 weeks later...
On 10/11/2019 at 5:34 AM, RobiBue said:

looks like their IPv4 peer is AS 31343 ( Intertelecom Ltd ) (got it from your dnslytics link ;) )

It seems that Intertelecom is the only peer Romanenko has, so it is likely that he is their customer... maybe they don't know what's going on in their "backyard/neighbourhood" and then again, maybe they do and the money they get is good enough for them...

 

Thanks

BTW, this guy is specialized in Smoke Loader and has a huge Necurs botnet.

  • 2 weeks later...
On 9/12/2019 at 8:28 PM, gnarlymarley said:

I have had much thought on this, and I no longer trust much of the addresses that are called abuse or postmaster anymore.  I figure that as long as my address is munged in the report and I give out the minimal headers in the report (meaning the spam gets pulled from my border server and reported), then I am not sure it matters as they already have that information from when they connected to my email server.  I myself have not seen any repeat spam to be reported to vvsg180@gmail.com, so it very well could be legit.

I don't think it's legit. I have myself reported to that e-mail many times and I still get plenty of spam and phishing e-mails that still get reported to that abuse email and nothing happens. I think it's owned by the spammer himself.

On 10/20/2019 at 3:27 PM, Appleseed said:

Thanks

BTW, this guy is specialized in Smoke Loader and has a huge Necurs botnet.

Where can you find that information? Is there any other abuse address I can report to? This spammer has spammed me for years. The spammer hacks sites and e-mails and uses them in a botnet.

 

 

  • 3 weeks later...
  • 5 months later...
On 10/31/2019 at 9:21 AM, klappa said:

Where can you find that information? Is there any other abuse address I can report to? This spammer has spammed me for years. The spammer hacks sites and e-mails and uses them in a botnet.

I did find it on Google when I was looking for information on this spammer.

After I started to report him to that IPv4 peer company mentioned above (thanks RobiBue), they did change it to another one. Then I started to report those spams to that one also, and now I haven't got any spam from that spammer.

That guy owns a fashion clothes store or modeling place. It could be that he is selling those poor girls irl.

 

 

Now I keep getting a new kind of spam that I can't report to SpamCop. Outlook won't allow copying that email's source code.

  • 2 weeks later...
On 4/27/2020 at 11:50 PM, Appleseed said:

Now I keep getting a new kind of spam that I can't report to SpamCop. Outlook won't allow copying that email's source code.

That is why I prefer imap/ssl when possible because thunderbird always seems to work for me.  Maybe a webmail version of outlook might work for you, if you have one.
