efa Posted March 22, 2020 (edited)

Hi, for some days I have been getting a lot of spam (about 20/day) from two IP blocks:

91.192.40.0 - 91.192.43.255 : abuse@mapp.com
217.61.73.0 - 217.61.73.255 : abuse@airenetworks.es

All the spam contains one link from this list: messaggispeciali.it, nuoveoccasioni.it, nuovepromo.it, offertesenzasorprese.it, offertesuperstellari.it, promoconsigli.it, promodalweb.it, promogiornaliere.it, promomigliori.it, promozionidelmese.it

and all of it contains the following domains: adviceme.it, advicemenews.it, trkadviceme.com, responseconcepts.com

All of it was reported on SpamCop ("Reports disabled for abuse@mapp.com", so not sent by SpamCop), but the spam does not decrease.

Here is an example of a tracking URL: http://www.spamcop.net/sc?id=z6624412645zda5fff963c7ab47ff120e5a1c69bb9cbz

Note: As always with spam mail:
- the spam was never requested by the receiver
- following the removal link does not stop the spam bombing

How can I check if at least the source IP was added to the SC blocklist?

Edited March 23, 2020 by efa

gnarlymarley Posted March 23, 2020

You can check if an IP hit enough spam criteria by putting the IP into the box by "Numeric IP address" and clicking the button at https://www.spamcop.net/bl.shtml (which is found by going to http://spamcop.net and clicking on "blocking list").

efa (Author) Posted March 23, 2020

I had only the reporting page at the address http://spamcop.net. Anyway, clicking on "Site Map" I found the SpamCop blocking list. I just checked: the IP block is not listed in the blocklist.

Do you know what the spam criteria are for an IP to be listed in the SC blocklist? I thought that 20 spam reports a day was good.

efa (Author) Posted March 23, 2020 (edited)

Apparently the first block is not listed in any BL: https://talosintelligence.com/reputation_center/lookup?search=91.192.40.0

This appears strange to me given the amount of spam I'm receiving.

Edited March 23, 2020 by efa

petzl Posted March 23, 2020

8 hours ago, efa said:
> apparently the first block is not listed in any BL:
https://www.spamcop.net/sc?id=z6624412645zda5fff963c7ab47ff120e5a1c69bb9cbz

Tried the Unsubscribe link? They have your email address anyway.

91.192.42.165 has had 8 spam reports over the last 90 days. Might be spam laws in Germany, but many of Germany's ISPs don't accept SpamCop reports? Ideally still report though SpamCop creates statistics which are used by anti-spam orgs.

Pay to forward the spam you receive to "abuse[AT]mapp[DOT]com", include full text and body. Above that a preamble like:

Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS

efa (Author) Posted March 24, 2020

As always with spam mail:
- the spam was never requested by the receiver
- following the removal link does not stop the spam bombing

You say "Pay to forward the spam you receive to ..." because the paid SC service will send the complaint to the mail server source?

Why do you say to preamble with "Criminal phishing and DDoS"?

petzl Posted March 24, 2020

6 hours ago, efa said:
> - following the removal link do not stop the spam bombing

So this is phishing and you never subscribed! with bogus unsubscribe, they are also IP hopping to avoid block-listing, called snowshoe spamming.

6 hours ago, efa said:
> You say "Pay to forward the spam you receive to ..." because payed SC service will send the complaint to mail server source?

SpamCop not doing it this time, report is "devnulled".

6 hours ago, efa said:
> Why you say to preamble with "Criminal phishing and DDoS" ?

Even in your case it is! If you start getting flooded with spam you stand the chance of your email account being disabled. Happened to my Gmail account, Chinese attack; "abuse[AT]12321[DOT]cn" is the supposed corrupt Government report address, they claim they want reports forwarded as attachment before acting.

gnarlymarley Posted March 25, 2020

On 3/23/2020 at 8:09 AM, efa said:
> apparently the first block is not listed in any BL:

Being on a BL is only useful if your email server/spam filter is configured to use it. A lot of providers discount BLs these days because some honest people can be blocked.

On 3/23/2020 at 4:45 PM, petzl said:
> Pay to forward the spam you receive to "abuse[AT]mapp[DOT]com" include full text and body.

Some admins have got overwhelmed by spam reports and just blocked all of SpamCop. Having a report sent by other means might cause the admin to ignore and block those reports too. I would prefer if the admins would just take action quicker rather than just hit the delete all button.

efa (Author) Posted March 27, 2020 (edited)

I have to understand if there is something I can do to stop this flooding. The source is fixed, so it should be very simple to identify who is responsible.

Is there something I can do to add those source IPs to the blocklist? Is it useful to continue to post this spam in the SpamCop reporting form?

Edited March 28, 2020 by efa

petzl Posted March 28, 2020 (edited)

3 hours ago, efa said:
> Is there something I can do to add those source IP to the blocklist? Is it useful to continue to post those spam in Spamcop reporting form?

Keep reporting them, they may get on the SpamCop Blocklist. Cisco is likely to add the spammer's ISP, silently, add to their and owners/customers of their servers blacklist, which means very few will even see them (they are bit binned/banned). Cisco is a major supplier of email servers which are spam free.

Just post the SpamCop trace URLs like https://www.spamcop.net/sc?id=z6624412645zda5fff963c7ab47ff120e5a1c69bb9cbz

Edited March 28, 2020 by petzl

gnarlymarley Posted March 28, 2020

13 hours ago, efa said:
> I have to understand if there is some I can do to stop this flooding. The source is fixed, so should be very simple to identify the responsible.

If the administrator doesn't care (or is even supportive of the spammer's actions), then it will continue. What I did in the past (because they kept jumping around on IPs) was to block the whole IP range first in a firewall, then I did my own block list. This got their attention and they moved on to another ISP.

9 hours ago, petzl said:
> Keep reporting them they may get on he SpamCop Blocklist, Cisco is likely to add the spammers ISP, silently, add to their and owners/customers of their servers blacklist,

This might be an issue, as if you have the block list enabled, then the reports stop and the IP falls off the list quicker. Hopefully, they run across a spamtrap, which I believe will continue to accept spam while it is on the block list.

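An added example, not part of any post in this thread: a Python sketch of the two checks discussed above, a DNSBL lookup against the `bl.spamcop.net` zone and a personal block list built from the two ranges in the first post. The sample message, its hostnames and the `trusted_hops` parameter are constructed for illustration.

```python
import email
import ipaddress
import re
import socket

# Ranges quoted in the first post of the thread (first address, last address).
REPORTED_RANGES = [("91.192.40.0", "91.192.43.255"),
                   ("217.61.73.0", "217.61.73.255")]
# Collapse each first/last pair into CIDR networks for a local block list.
LOCAL_BLOCKLIST = [net for first, last in REPORTED_RANGES
                   for net in ipaddress.summarize_address_range(
                       ipaddress.ip_address(first), ipaddress.ip_address(last))]

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """DNSBL query name: IPv4 octets reversed, followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_listed(ip, zone="bl.spamcop.net"):
    """Live lookup (needs DNS): a 127.0.0.x answer means the IP is listed."""
    try:
        return socket.gethostbyname(dnsbl_name(ip, zone)).startswith("127.")
    except socket.gaierror:
        return False  # NXDOMAIN or resolver failure: treated as not listed

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def blocked_relay(raw_message, trusted_hops=1, blocklist=LOCAL_BLOCKLIST):
    """Return the first relay IP that falls inside the block list, else None.

    Only the top `trusted_hops` Received headers are read: those are written
    by the receiving side, while lower ones can be forged by the sender.
    """
    received = email.message_from_string(raw_message).get_all("Received", [])
    for header in received[:trusted_hops]:
        for text in BRACKETED_IP.findall(header):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not a valid IPv4 address
            if any(addr in net for net in blocklist):
                return text
    return None

# Constructed sample message; hostnames are placeholders.
SAMPLE = (
    "Received: from out.example.invalid (out.example.invalid [91.192.42.165])\n"
    "\tby mx.example.net with ESMTP; Mon, 23 Mar 2020 10:00:00 +0100\n"
    "Received: from localhost ([10.0.0.5]) by out.example.invalid\n"
    "Subject: promo\n\nbody\n"
)
```

`dnsbl_listed()` is the only function that touches the network; a resolver that cannot reach the zone makes it return False, so a negative result there is not proof that an address is unlisted.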
petzl Posted March 28, 2020 (edited)

Quote:
> This might be an issue as if you have the block list enable, then the reports stop and the IP falls off the list quicker. Hopefully, they run across a spamtrap which I believe it will continue to accept spam while it is on the block list.

Cisco have their own ways of creating blocklists for their email servers. This is what makes them sought after. There is nothing to set up, no false positives nor false negatives. Has evolved from its "Senderbase" days.

Edited March 28, 2020 by petzl