nhraj700 Posted August 17, 2019 (edited)
Hey all, Looking for some input on what "you" would do in addition to what I am already doing. I am at wit's end and considering giving up on this one. I seem to have landed on some spambot or persistent POS spammer's list on an email address that typically has had no spam sent to it or was successfully filtered by the provider. Unfortunately this ordeal has burned up all of my Spamcop fuel. I am reporting every spam email to Spamcop, UCE, ORA.FDA, ACMA, Phishing at US CERT, Phishing at Antiphishing org. This attack is repetitive in content and seems to be repetitive in sources. What bothers me is sometimes I get an auto-response from Spamcop stating the ISP has taken care of the address, but what is weird is it is usually dated a day or two before and I am reporting within seconds of getting it. Is the spammer sending some sort of auto-response to Spamcop to trick it? Below is hopefully enough of a list of tracking URLs that might allow someone with better experience to ascertain what steps I might take and see a pattern.
[Edited to add offenders at a glance] These seem to be the major offenders over and over:
proxad[dot]net, cv[dot]net, nl[dot]leaseweb[dot]com, pratiksunucum[dot]com, primary[dot]net, dedibox[dot]fronline[dot]net, hostnit[dot]com, quadranet[dot]com, vpls[dot]comus[dot]leaseweb[dot]com, leaseweb[dot]de, multacom[dot]com, velia[dot]net, netmyne[dot]com, stackip[dot]net, he[dot]net, netbudur[dot]com, ikoula[dot]com, dacentec[dot]com, heg-us[dot]com, colocrossing[dot]com, psychz[dot]net, aknietteteeva[dot]gmail[dot]com
[End Edit] Thanks in advance.
Edited August 17, 2019 by nhraj700
petzl Posted August 17, 2019 (edited)
5 hours ago, nhraj700 said:
Hey all, Looking for some input on what "you" would do in addition to what I am already doing. I am at wit's end and considering giving up on this one. I seem to have landed on some spambot or persistent POS spammer's list on an email address that typically has had no spam sent to it or was successfully filtered by the provider. Unfortunately this ordeal has burned up all of my Spamcop fuel. I am reporting every spam email to Spamcop, UCE, ORA.FDA, ACMA, Phishing at US CERT, Phishing at Antiphishing org. This attack is repetitive in content and seems to be repetitive in sources. What bothers me is sometimes I get an auto-response from Spamcop stating the ISP has taken care of the address, but what is weird is it is usually dated a day or two before and I am reporting within seconds of getting it. Is the spammer sending some sort of auto-response to Spamcop to trick it? https://www.spamcop.net/sc?id=z6566520311z41fa0c960e85e844a30002d278ed6f9az https://www.spamcop.net/sc?id=z6566520312z6ce0103f34a127b8f20ded2333c8d06az https://www.spamcop.net/sc?id=z6566520330z977931b5a816ec376b8d9d8e3faee0b6z
Looked at 3; all seem to be free webhosting sites worldwide.
67.229.79.114 abusexvpls.com, 1st reported on Submitted: 8/7/201. Registrar Abuse Contact Email: mailto:abuse[AT]namecheap.com http://67.229.79.114
89.163.243.41 abusexmyloc.de, 1st reported Submitted: 8/7/2019. Registrar Abuse Contact Email: mailto:abuse[AT]namecheap.com http://89.163.243.41
62.210.76.243 abusexonline.net, 1st reported Submitted: 8/18/2019. Registrar Abuse Contact Email: mailto:abuse[AT]namecheap.com http://62.210.76.243
"Please enter your email address below to unsbscribe from future mailings." Put in the appropriate abuse address, not yours, if you must.
This is whack-a-mole reporting. By using different IP addresses the spammer is avoiding blacklisting; seems that spammer is flooding you from all their free sites. A good website/registrar WhoIs for Windows: http://www.gena01.com/win32whois/ NameCheap are US based so come under US law. Should have credit card details of criminal. "Book 'em, Danno. Murder One."
Edited August 17, 2019 by petzl
nhraj700 (Author) Posted August 19, 2019
On 8/17/2019 at 3:01 PM, petzl said:
NameCheap are US based so come under US law
Petzl, Thank you for your input and recommended WIN program. NameCheap has indicated to me that while they don't host the data for these domains and can't check the server logs for spam abuse from the 30 or so I sent them through Spamcop reports, they have however opened up a case with Spamhaus. Is that a good thing and have you seen positive results from that, or is this a "pass the buck" kind of move? They told me to report directly to the hosts, but I am assuming that isn't working as Spamcop is doing that through the reporting process. Out of the 30 I sent, only 5 domains showed up on the Spamhaus DBL list and according to NameCheap, that's what prompted them to open a case.
petzl Posted August 19, 2019 (edited)
10 hours ago, nhraj700 said:
They told me to report directly to the hosts, but I am assuming that isn't working as Spamcop is doing that through the reporting process. Out of the 30 I sent, only 5 domains showed up on the Spamhaus DBL list and according to NameCheap, that's what prompted them to open a case.
Namecheap are the registrar; all they have to do is change password access. Seems the spammer is using compromised accounts? So would think they can disown them. Spamhaus is also evidence in reports. NameCheap are the most abused by botnet spammers: http://domainincite.com/22472-spamhaus-ranks-most-botted-tlds-and-registrars Not good publicity for NameCheap, so they may look into it? Also report the host IP abuse (a few do something; also use/report to the country CERT). Also there is no need to use up SpamCop data, just send as attachment from your email/Gmail account (mark as phishing) as attachment, much cheaper. For DDoS attack. Put all addresses in the TO field. Example of what I put in the email body to give you a heads-up; show the Spamhaus link in your case (if one is given). Namecheap are playing the fool, no way they can't get a domain name from an IP address; traceroute will/should do this.
67.229.79.114 = http://palterer.org abuse[AT]namecheap.com
89.163.243.41 = new.bedlamized.com abuse[AT]namecheap.com
62.210.76.243 agmaa.net abuse[AT]namecheap.com
botnet source - ddos 36.27.123.65 antispamXzjnoc.hz.zj.cn see http://www.abuseat.org/lookup.cgi?ip=36.27.123.65
Offending email forwarded also; can be read as text attachment with a text/ASCII editor like Notepad or an eml text reader.
Edited August 20, 2019 by petzl
nhraj700 (Author) Posted August 20, 2019
20 hours ago, petzl said:
so would think they can disown them
I was able to have NameCheap shut down 4 of the domains. Small win I guess, especially in looking at the article link you supplied. 4 shut down of the 11K domains used to run spam bots on NameCheap. Damn, not a very good winning percentage. The big problem is what you alluded to. They keep changing the IPs and so therefore avoid any kind of blacklisting. NameCheap won't act on it unless Spamhaus has them listed. I guess I am the only person in the world reporting these guys. In looking at AbuseAT they are squeaky clean. I can't believe when looking up these domain names, domain IPs and hosting IPs on the Talos Reputation page there appears to be no trouble for them. Too weird.
20 hours ago, petzl said:
Also report the host IP abuse (a few do something; also use/report to the country CERT)
Since 90% of the IPs identified by reporting to SpamCop are US based providers, I am also sending to phishing-report at us-cert gov. Not sure if I need others? In looking at the First List, how do you know who to send to in other countries and are there any addresses to forward to? I don't see any abuse addresses, only team contacts. Probably not looking in the right spot.
20 hours ago, petzl said:
Also there is no need to use up SpamCop data, just send as attachment from your email/Gmail account (mark as phishing) as attachment, much cheaper. For DDoS attack. Put all addresses in the TO field.
You lost me on this one. Send to who, the Registrar, Host or Cert? And for DDOS attack? Is this what I am getting with a spambot? Or is that more of a server that's getting it, not my home network? What addresses are you putting in the TO field, Domain Addresses or Host IPs?
20 hours ago, petzl said:
Namecheap are playing the fool, no way they can't get a domain name from an IP address
NameCheap actually looked at all my SpamCop reports and converted the IPs to Domain names. So they appear to be playing nice.
petzl Posted August 20, 2019 (edited)
8 hours ago, nhraj700 said:
On 8/20/2019 at 6:08 AM, petzl said: Also there is no need to use up SpamCop data, just send as attachment from your email/Gmail account (mark as phishing) as attachment, much cheaper. For DDoS attack. Put all addresses in the TO field.
You lost me on this one. Send to who, the Registrar, Host or Cert? And for DDOS attack? Is this what I am getting with a spambot? Or is that more of a server that's getting it, not my home network? What addresses are you putting in the TO field, Domain Addresses or Host IPs?
Look at a SpamCop report; it will list what IP address it came from and a "key word" to look for. I use the Opera web browser and "Ctrl + F" puts a search bar on top; put/paste this keyword into it and you should easily see the offending IP, more importantly the server name picking it up. KEYWORD to use in future searches. "win32whois" will give the abuse addresses to post to; include the US CERT and whoever. Best to do this from your Gmail web page: after opening the email, click options "3 vertical dots" (top right) then select "Show original". A new page/tab will open showing you the IP "SPF: PASS with IP 111.111.111.111 Learn more"; under that it will give the domain name "DKIM: 'PASS' with domain emails.XXXXXXX Learn more". Depending on spam you "forward as attachment" to (always in the "To" field) abuse desks, government agencies. This means you are telling recipients who is getting reports, maybe raising your priority. Put these abuse contacts in your address book or on Notepad to copy/paste later. "phishing-report at us-cert gov" sounds good, but most if not all Gov agencies sit on their elbows because they can't find their asses, but it looks threatening to abuse desks and you may get lucky and them VERY unlucky. Seems to me Namecheap are saying they are bringing domains down, don't forget to check though. http://67.229.79.114 is still up?
Edited August 21, 2019 by petzl
nhraj700 (Author) Posted August 21, 2019
3 hours ago, petzl said:
Seems to me Namecheap are saying they are bringing domains down, don't forget to check though. http://67.229.79.114 is still up?
I just did an experiment. I just happened to send in a report to US Cert, Spamcop, US Phishing and Anti-phishing org and the report came back from Spamcop stating that...
Routing details for 67 229 173 51[refresh/show] Cached whois for 67 229 173 51 : abuse vpls com
Using abuse net on abuse vpls com
No abuse net record for vpls com
Using best contacts abuse vpls com
ISP has indicated spam will cease; ISP resolved this issue sometime after 8/19/2019, 5:25:56 PM -0700
Message is 1 hours old
What's weird is how did I get a fresh spam if VPLS fixed it? Anyhow, so I sent that particular Spamcop report link and the offending domain name (redipping com) and IP to NameCheap and again created another ticket. I said to them, look, VPLS admits this is spam, so why don't you take care of this registrant. Maybe they'll move on it without having this domain on a SpamHaus blocking list. Fun Times!!
petzl Posted August 21, 2019 (edited)
20 hours ago, nhraj700 said:
67 229 173 51
is out of action, I checked. Possible for servers to scan outgoing email? Also in Gmail's webmail click spam for "report phishing" in options after opening the email. Gmail will block from domains as opposed to blocking IPs if enough phishing hits. Just checked again, Thursday 22/08, it's back up! http://67.229.173.51 Registrar Abuse Contact Email: mailto:abuse@namecheap.com
Edited August 21, 2019 by petzl
nhraj700 (Author) Posted August 22, 2019
On 8/20/2019 at 6:39 PM, petzl said:
Just checked again, Thursday 22/08, it's back up! http://67.229.173.51 Registrar Abuse Contact Email: mailto:abuse@namecheap.com
NameCheap won't do anything until Spamhaus does. Wish the average user could contact Spamhaus, as whatever methods they use don't pick up on this attack. Is Dakota Green the spammer? https://whois.domaintools.com/redipping.com
petzl Posted August 22, 2019 (edited)
8 hours ago, nhraj700 said:
NameCheap won't do anything until Spamhaus does. Wish the average user could contact Spamhaus, as whatever methods they use don't pick up on this attack. Is Dakota Green the spammer? https://whois.domaintools.com/redipping.com
Seems to me Namecheap are "shining" on you. Spamhaus does list domains; surprised Namecheap are not on it? Namecheap don't like negative publicity.
Quote: Is Dakota Green the spammer?
Bodgie: worthless, inferior; false. Name, address? Probably email as well; try forward as attachment spammers spam to "green1.dakotaATgmail.com". If proven fake (bounces) you can try ICANN to deregister Namecheap for non-compliance. Registrars are supposed to confirm accuracy? All domain sites' contact information has to be true and accurate. SpamCop was once deregistered when it changed its fax number and neglected to update this. Joker.com did not support spammers. This was during the "spam wars" where $$new blocklist opportunists$$ attacked SpamCop because of its success and were dobbed in by competitor/s ASAP the fax number was noticed changed. Namecheap seems to have security issues; this is a reply in comments from an article about Namecheap:
"Credit Card info stolen (last purchase: Namecheap). My last purchase was a DNS certificate through NameCheap. 24 hours later: $1,000 of fraud coming through on that card. Anyone else here having any issues?"
Edited August 23, 2019 by petzl
petzl Posted September 4, 2019
On 8/23/2019 at 1:53 AM, nhraj700 said:
NameCheap won't do anything until Spamhaus does
You can block domain spam with Google; not sure if it goes to the spam folder though? https://support.google.com/a/answer/2364632?hl=en
nhraj700 (Author) Posted September 5, 2019
On 9/4/2019 at 6:08 AM, petzl said:
You can block domain spam with Google; not sure if it goes to the spam folder though?
Looks like you have to have Google G Suite, which is intended for admins running an email group for companies, schools and other groups. About all I can do is block addresses, which go to the spam folder. On another note, I have been able to have about a dozen domains suspended; however, the spammers quickly react by creating/using other ones.
petzl Posted September 5, 2019
7 hours ago, nhraj700 said:
Looks like you have to have Google G Suite, which is intended for admins running an email group for companies, schools and other groups. About all I can do is block addresses, which go to the spam folder. On another note, I have been able to have about a dozen domains suspended; however, the spammers quickly react by creating/using other ones.
I have a suspicion that Namecheap are behind the SpamCop forum spam flood also. Namecheap seem to be run by "Igor Efimenko" from the Ukraine.
Hanco Posted September 27, 2019 (edited)
Namecheap are not impressive. I am regularly reporting spam where the benefiting/target domain in the spam was created “today” (same date spam received), 1 day old (one of those this week), and just today there is a 1 and a 3 day old domain. Namecheap’s response: We are not host so we cannot check server logs... contact the host. Is it me? Are domains used in obvious spam emails, less than 24 hours, 1 or 3 days old, likely to be genuine customers of their business??? I report every one of the spams through SpamCop; I include the sender host of the email when possible (so many are AWS IPs now, and I report those directly to Amazon). I also report the hosted images. The spammer used to use Imgur exclusively, but they (and several others) handle my image ad reports very quickly now. It seems VERY hard to get the sender of this junk onto SURBL or another Namecheap recognized list. Only when they are does Namecheap do anything concrete at all.
One day old spam promoted site example from today: highmarket.club
A few others:
hiotoau.info was created via Namecheap the same day as the spam email was sent: 20 September
arstoe.info was created via Namecheap the same day as the spam email was sent: 15 August
iornfao.info was created via Namecheap the same day as the spam email was sent: 27 July
Edited September 27, 2019 by Hanco (Typo error)
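Petzl's "Show original" walk-through earlier in the thread (the SPF/DKIM lines and the sending IP) and Hanco's point above about domains registered the same day the spam lands are both easy to automate for a whole mailbox. The Python below is an added example, not code from this thread, from SpamCop or from any registrar; the message, the whois creation dates and every hostname in it are constructed documentation values.

```python
import email
import re
from datetime import datetime
from email import policy
from ipaddress import ip_address, ip_network

# Constructed sample message; documentation addresses only (RFC 5737 / RFC 2606).
RAW_SPAM = b"""Received: from mail.example.org (mail.example.org [203.0.113.10])
    by mx.example.com with ESMTPS id abc123; Fri, 20 Sep 2019 03:12:44 -0700
Received: from [10.0.0.5] (localhost [127.0.0.1]) by mail.example.org
Authentication-Results: mx.example.com;
    spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.org;
    dkim=pass header.d=emails.example.org
From: "Offer" <promo@example.org>
Date: Fri, 20 Sep 2019 03:12:40 -0700

Click http://promo-site.example/go or https://cdn.example.net/unsub
"""
# Constructed stand-in for the "Creation Date:" line of each domain's whois record.
WHOIS_CREATED = {"promo-site.example": "2019-09-20T01:05:00Z",  # hours before the spam
                 "cdn.example.net": "2012-03-04T00:00:00Z"}
# Relay hops in these ranges are skipped; TEST-NET is not listed, so the sample IP counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                         "127.0.0.0/8", "169.254.0.0/16")]
RECEIVED_FROM = re.compile(r"from\s+\S+\s*\([^)]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
AUTH_DOMAIN = re.compile(r"\b(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")
URL_HOST = re.compile(r"https?://([\w.-]+)", re.I)


def sender_ip(msg):
    """External IP that handed the message to our MX. Received headers are
    newest-first, so the first non-internal 'from' hop is the one to report."""
    for hdr in msg.get_all("Received", []):
        for cand in RECEIVED_FROM.findall(str(hdr)):
            if not any(ip_address(cand) in net for net in INTERNAL_NETS):
                return cand
    return None

def auth_results(msg):
    """Mechanism -> (result, domain) from Authentication-Results: the same
    facts Gmail's 'Show original' page prints as its SPF and DKIM lines."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:  # clause 0 is the authserv-id
            m, d = AUTH_RESULT.search(clause), AUTH_DOMAIN.search(clause)
            if m:
                out[m.group(1)] = (m.group(2), d.group(1) if d else None)
    return out

def linked_domains(msg):
    """Hostnames of every URL in the body, i.e. the spamvertised sites."""
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    return sorted({h.lower() for h in URL_HOST.findall(body)})

def young_domains(domains, sent_at, created_lookup, max_age_days=7):
    """(domain, age_in_days) for domains registered within max_age_days of sending."""
    ages = {d: (sent_at - datetime.fromisoformat(created_lookup[d].replace("Z", "+00:00"))).days
            for d in domains if d in created_lookup}
    return [(d, age) for d, age in ages.items() if 0 <= age < max_age_days]

def triage(raw, created_lookup):
    """Run all four checks over one raw message (bytes) and return a summary dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domains = linked_domains(msg)
    return {"sender_ip": sender_ip(msg), "auth": auth_results(msg), "linked": domains,
            "young": young_domains(domains, msg["Date"].datetime, created_lookup)}

if __name__ == "__main__":
    print(triage(RAW_SPAM, WHOIS_CREATED))
```

The `young` entry is the one to attach to a registrar report: a domain a few hours old at the time it was spamvertised is the fact Hanco's examples turn on, and the whois creation date is what makes it checkable.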
Hanco Posted September 27, 2019
On 9/5/2019 at 10:54 AM, nhraj700 said:
On another note, I have been able to have about a dozen domains suspended; however, the spammers quickly react by creating/using other ones.
Every so often I get one suspended. But yes, they just move to another. When I first started reporting these guys it spurred a total onslaught of spam: 10 to 15 spams for the same junk every day for a few days. All sent from AWS IP addresses and, more often than not, pushing traffic to Namecheap domains, which are only set up to do redirects. The target sites never have an actual website at them. I think it is known as spamvertising.
Hanco Posted September 28, 2019
Middle of the night and they are spamming for a new Namecheap domain again... camill.icu
Hosted via (not necessarily “at”) 51.77.39.82: abuse@ovh.net, noc@ovh.net
Camill.icu Namecheap registrar domain is only 4 days old.
Spammer also using free redirect services for links and including large unnecessary text blocks in <style> tags, sending from Amazon network AWS IPs (again) and using the Imgur image storage service (who delete anything I report to them pretty fast).
goodnerd Posted November 23, 2019
Namecheap has quite a relationship with this spammer, perhaps because he utilizes so many services, including email and privacy protection, in what appears to be hundreds, if not thousands, of domains. I have never seen such a pro-spam attitude from a registrar, especially when it involves criminal activities including hacking of Twitter accounts, falsifying information, posing as other companies, and downright virus and malware attacks. Despite being informed of these issues Namecheap continues to allow the criminal operation and even to grow by providing a base of operations. Namecheap will take no actions unless the domain name itself is blacklisted (not just the IP). Once the domain name is removed from a blacklist they then give the owner access once again to continue the crime wave. Namecheap is an Arizona based company. Their Attorney General email addresses are 'consumerinfo(at)azag.gov' and 'mark.brnovich(at)azag.gov'. I include them in all spam complaints to Namecheap with hopes the AG will open an investigation into this matter. I also Cc the spam complaints to the FTC and to whichever company Namecheap's client is posing as in their spams.
Hanco Posted December 10, 2019
Thought I’d look back and see...
One day old 9/25 spam promoted site: highmarket.club - still registered
hiotoau.info was created via Namecheap the same day as the spam email was sent: 20 September. Still registered.
arstoe.info was created via Namecheap the same day as the spam email was sent: 15 August. Still registered.
iornfao.info was created via Namecheap the same day as the spam email was sent: 27 July (shows ClientHold, ServerHold, ClientTransferProhibited) - they took some action on this one
camill.icu registered 9/23 and appears action taken: ServerHold, ClientTransferProhibited