October 2019 - A month different to others?


Hanco

Has this happened before?

Look at that green “spam submitted” line in the screenshot I attached. Normally spam submitted leads to a higher volume of reports.

October though? We see a significant amount of spam reported with reports not sent.

If my experience is anything to go by, there was a major increase from one group of spammers (phishing activity actually, but not the overt fake Apple sites, Amazon, Walmart, Netflix etc login pages)

And it was mostly email coming from Amazon IP addresses, which I always see SpamCop track but not send reports. Instead, I send the reports directly myself.

But is that what this month’s driver was? The group behind these daily deals of loan offers, warranty offers, cures for bizarre conditions etc.? They seemed to be quiet, then boom, daily 12-25 emails. Mostly sites with domain names from Namecheap (they said to someone in response to a domain abuse report, that they have a “huge volume” of support requests at the moment)

It seems like volume is down now (or the jerks behind the flow do not work weekends) and Amazon are “caught up” on the backlog of reports. Maybe the green line will go back below the blue...


Such a high level of reports to a spammer's ISP might generate a high level of bounces. We know that spamcop won't keep sending reports that are bound to bounce (and only waste more email bandwidth). Maybe that's the reason for a high submitted:sent ratio?


I did notice on the source of spam page lately there are a lot of "ISP has indicated spam will cease" from IP ranges such as 89.34.26.0/24 and 195.29.0.0/16 where it appears that they are just marking the option to prevent reports from being submitted. (It seems to be more than one IP in their range.) It appears they have been doing this for more than 48 hours and marking this maybe every six hours as the time after the message seems to jump up by around six hours. Could this be part of why the spikes have changed?
 


Seems like my email abuser has switched to using now-dns.com

Reports are sent by SpamCop to the host of the subdomains, but that is VPSVILLE.RU which doesn’t seem bothered to act with any level of pace.

That’s one source. The other..

Much of the email volume is repetitive and has links to a Google Storage API location... there I can view XML showing all the subject lines and outline content they generate. And ALL of them redirect to “hwManyMore.com” (how many more? Well at least the jerk has a sense of humour I suppose?)


  • 4 weeks later...

A lot of the spams that I reported that were originating from the AmazonAWS servers were never sent to any address at Amazon but instead used addresses like  abuse#amazonaws.com@devnull.spamcop.net 

I also filed every spam complaint directly on the AmazonAWS reporting page, even when I was getting 50+ a day from this spammer.  Amazon took it a little more serious when the spammer started forging their name and logos in the fake Amazon Gift Card spam attack.  I got some virus spams from the spammer after getting that one shut down.  They always seem to point back to a common registrar.

 


4 hours ago, goodnerd said:

A lot of the spams that I reported that were originating from the AmazonAWS servers were never sent to any address at Amazon but instead used addresses like  abuse#amazonaws.com@devnull.spamcop.net 

I also filed every spam complaint directly on the AmazonAWS reporting page, even when I was getting 50+ a day from this spammer.  Amazon took it a little more serious when the spammer started forging their name and logos in the fake Amazon Gift Card spam attack.  I got some virus spams from the spammer after getting that one shut down.  They always seem to point back to a common registrar.

 

Always helps with a SpamCop Track
https://www.spamcop.net/sc?id=z6594340561z125f42ee61982fdb92980529b765f19bz
always put in abuse report been going on for many many months.
Banned all Amazon and subsidiaries purchases because of inept AWS abuse responses to AmazonAWS DDoS multiple IP email attacks 
Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS 

52.45.175.153   abuse[AT]amazonaws.com

spam text headers and body


I didn't bother posting any tracking links because I was not sure others could see historical data from reports I filed.

The party that utilizes AmazonAWS, numerous exposed Twitter accounts, Bit.ly and imgur image hostings now seems to be shrinking back to smaller country servers like vspnet.lt, home.pl, arax.md, and occasionally krypt.com. 

I've been dealing with this little man for quite a while now.  That spammer even set up a fake Twitter account under my Gmail email address and occasionally sends me direct virus spams but yet he still can't stop spamming me.  Go figure.  I guess it's like the old Robert Soloway case where the man thought he was untouchable and above the law.


Their account at digitalocean.com was terminated on 11/22 (outlandisher.pw):
 

Quote

Hi there,

Thanks for making this report.  We identified and terminated the user responsible for this incident.

Regards,

Security Operations
Digital Ocean Security

 


1 hour ago, goodnerd said:

Their account at digitalocean.com was terminated on 11/22 (outlandisher.pw):

They can get millions of different email accounts here
https://sendgrid.com/marketing/sendgrid-services-cro/
Try it out! Send 40,000 emails for 30 days, then 100/day forever.
Sign up for free. No credit card required.

