
spam from 91.192.40.0 - 91.192.43.255 and 217.61.73.0 - 217.61.73.255



Posted (edited)

hi,

For some days I've been getting many (about 20/day) spams from two IP blocks:

91.192.40.0 - 91.192.43.255 : abuse@mapp.com
217.61.73.0 - 217.61.73.255 : abuse@airenetworks.es

All the spam contains one link from this list:


and all contain the following domains:
 

adviceme.it
advicemenews.it
trkadviceme.com
responseconcepts.com

 

All was reported on Spamcop ("Reports disabled for abuse@mapp.com" so not sent by Spamcop), but spam does not decrease.

Here is an example of a tracking URL:

http://www.spamcop.net/sc?id=z6624412645zda5fff963c7ab47ff120e5a1c69bb9cbz

Note: As always with spam mail:
- the spam was never requested by the receiver
- following the removal link does not stop the spam bombing

 

How can I check if at least the source IP was added to the SC blocklist?

 

Edited by efa
Posted

You can check if an IP hit enough spam criteria by putting the IP into the box by "Numeric IP address" and clicking the button at https://www.spamcop.net/bl.shtml (which is found by going to http://spamcop.net and clicking on blocking list).
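
The same lookup can be scripted as a DNS query instead of using the web form. This is an added example, not part of the original posts; it assumes SpamCop's public DNSBL zone `bl.spamcop.net` (not named in the thread) and uses a constructed offline resolver so it runs without network access.

```python
import ipaddress
import socket

# SpamCop's public DNSBL zone (not named in the thread; stated here as background).
SPAMCOP_ZONE = "bl.spamcop.net"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here


def dnsbl_query_name(ip, zone=SPAMCOP_ZONE):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname, zone=SPAMCOP_ZONE):
    """True if listed, False on NXDOMAIN; other failures are raised, not guessed."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = ipaddress.ip_address(resolve(name))
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:  # no such name => not listed
            return False
        raise  # a timeout or server failure must not be read as "clean"
    if answer in LISTED_NET:
        return True
    # Some resolvers rewrite NXDOMAIN to a search-page address; do not trust it.
    raise RuntimeError(f"unexpected answer {answer} for {name}")


def constructed_resolver(name):
    """Offline stand-in for DNS (constructed data): only 127.0.0.2, the
    conventional DNSBL test address, is treated as listed."""
    if name == dnsbl_query_name("127.0.0.2"):
        return "127.0.0.2"
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


if __name__ == "__main__":
    for ip in ("127.0.0.2", "91.192.42.165"):
        print(ip, dnsbl_query_name(ip), is_listed(ip, resolve=constructed_resolver))
    # Drop the resolve= argument to query the real zone over DNS.
```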

Posted

I had only the reporting page at address: http://spamcop.net

Anyway, clicking on "Site Map" I found the SpamCop blocking list

I just checked: the IP block is not listed in the Blocklist.

Do you know what the spam criteria are for an IP to be listed in the SC blocklist?

I thought that 20 spam reports a day was good

 

 

Posted
8 hours ago, efa said:

apparently the first block is not listed in any BL:

https://www.spamcop.net/sc?id=z6624412645zda5fff963c7ab47ff120e5a1c69bb9cbz
Tried the Unsubscribe link? They have your email address anyway.
91.192.42.165 has had 8 spam reports over last 90 days,
Might be spam laws in Germany but many of Germany's ISPs don't accept SpamCop reports?
Ideally still report though; SpamCop creates statistics which are used by anti-spam orgs
Pay to forward the spam you receive to "abuse[AT]mapp[DOT]com" include full text and body.
Above that a preamble like

Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS

 

Posted

As always with spam mail:
- the spam was never requested by the receiver
- following the removal link does not stop the spam bombing

You say "Pay to forward the spam you receive to ..." because the paid SC service will send the complaint to the mail server source?

Why do you say to preamble with "Criminal phishing and DDoS"?

 

Posted
6 hours ago, efa said:

- following the removal link does not stop the spam bombing

So this is phishing and you never subscribed! With bogus unsubscribe, they are also IP hopping to avoid block-listing, called snowshoe spamming

6 hours ago, efa said:

You say "Pay to forward the spam you receive to ..." because the paid SC service will send the complaint to the mail server source?

SpamCop is not doing it this time; the report is "devnulled"

6 hours ago, efa said:

Why do you say to preamble with "Criminal phishing and DDoS"?

Even in your case it is! If you start getting flooded with spam you stand the chance of your email account being disabled,
Happened to my Gmail account,
Chinese attack, "abuse[AT]12321[DOT]cn" is the supposed corrupt Government report address,
they claim they want reports Forwarded as attachment before acting.

Posted
On 3/23/2020 at 8:09 AM, efa said:

apparently the first block is not listed in any BL:

Being on a BL is only useful if your email server/spam filter is configured to use it. A lot of providers discount BLs these days because some honest people can be blocked.

On 3/23/2020 at 4:45 PM, petzl said:

Pay to forward the spam you receive to "abuse[AT]mapp[DOT]com" include full text and body.

Some admins have got overwhelmed by spam reports and just blocked all of SpamCop. Having a report sent by other means might cause the admin to ignore and block those reports too. I would prefer if the admins would just take action quicker rather than just hit the delete all button.

Posted (edited)

I have to understand if there is something I can do to stop this flooding.

The source is fixed, so it should be very simple to identify the responsible.

Is there something I can do to add those source IPs to the blocklist?

Is it useful to continue to post those spam in the Spamcop reporting form?

Edited by efa
Posted (edited)
3 hours ago, efa said:

Is there something I can do to add those source IPs to the blocklist?

Is it useful to continue to post those spam in the Spamcop reporting form?

Keep reporting them they may get on the SpamCop Blocklist, Cisco is likely to add the spammer's ISP, silently, add to their and owners/customers of their servers blacklist,
which means very few will even see them (they are bit binned/banned). Cisco is a major supplier of email servers which are spam free.
Just post the SpamCop trace URLs
like
https://www.spamcop.net/sc?id=z6624412645zda5fff963c7ab47ff120e5a1c69bb9cbz

Edited by petzl
Posted
13 hours ago, efa said:

I have to understand if there is something I can do to stop this flooding.

The source is fixed, so it should be very simple to identify the responsible.

If the administrator doesn't care (or is even supportive of the spammer's actions), then it will continue. What I did in the past (because they kept jumping around on IPs) was to block the whole IP range first in a firewall, then I did my own block list. This got their attention and they moved on to another ISP.

9 hours ago, petzl said:

Keep reporting them they may get on the SpamCop Blocklist, Cisco is likely to add the spammer's ISP, silently, add to their and owners/customers of their servers blacklist,

This might be an issue as if you have the block list enabled, then the reports stop and the IP falls off the list quicker. Hopefully, they run across a spamtrap which I believe will continue to accept spam while it is on the block list.
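
A local block list of the kind described in the post above can be built from the two ranges quoted at the top of the thread. This is an added example, not code from any poster; the `Received:` headers and hostnames in it are constructed placeholders, and only the ranges and the address 91.192.42.165 come from the thread.

```python
import ipaddress
import re

# The two ranges exactly as given in the first post of the thread.
RANGES = [("91.192.40.0", "91.192.43.255"), ("217.61.73.0", "217.61.73.255")]

# Constructed Received: headers (hostnames are placeholders, not from the thread).
# Only trust the Received: line written by your own MX; earlier ones can be forged.
SAMPLE_HEADERS = [
    "Received: from mta1.example.invalid (mta1.example.invalid [91.192.42.165]) by mx.example.org",
    "Received: from mta9.example.invalid (mta9.example.invalid [217.61.73.20]) by mx.example.org",
    "Received: from list.example.net (list.example.net [192.0.2.10]) by mx.example.org",
]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def ranges_to_cidrs(ranges):
    """Turn first-last pairs into the smallest set of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(nets))


def connecting_ip(header):
    """Return the bracketed peer address of a Received: header, or None."""
    match = BRACKETED_IP.search(header)
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # e.g. [999.1.1.1] is not a valid address
        return None


def verdicts(headers, cidrs):
    """For each header: (peer IP, matching blocked network or None)."""
    out = []
    for header in headers:
        ip = connecting_ip(header)
        hit = next((n for n in cidrs if ip is not None and ip in n), None)
        out.append((None if ip is None else str(ip),
                    None if hit is None else str(hit)))
    return out


if __name__ == "__main__":
    print(verdicts(SAMPLE_HEADERS, ranges_to_cidrs(RANGES)))
```

The CIDR strings from `ranges_to_cidrs` are the form most firewalls and mail-server access lists accept directly.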

Posted (edited)
Quote

This might be an issue as if you have the block list enabled, then the reports stop and the IP falls off the list quicker. Hopefully, they run across a spamtrap which I believe will continue to accept spam while it is on the block list.


Cisco have their own ways of creating blocklists for their email servers. This is what makes them sought after.
There is nothing to set-up, no false-positives nor false-negatives. Has evolved from its "Senderbase" days

 

Edited by petzl
