/dev/null'ing report

[Farelf]

Yes, I'm getting a few devnulls in reports lately too - same/similar spam all the time but multiple sources (carefully selected one might think), almost always to devnull of one kind or another. I guess there can be many causes. The parsing system will list some:

No valid email addresses found, sorry!

There are several possible reasons for this:

• The site involved may not want reports from SpamCop.
  
• SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
  
• SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
  
• There may be no working email address to receive reports.
  

This one http://www.spamcop.net/sc?id=z54590113...cdedf7670595f8z

... went to ripe-ip-tech#dsi.ru[at]devnull.spamcop.net (reports disabled). Anyway, ripe-ip-tech[at]dsi.ru is a "person" address from RIPE, not really an abuse address (there is none for inetnum: 91.185.60.0 - 91.185.63.255). Now (cache refreshed) might go to nomaster[at]devnull.spamcop.net. But that's not literally true - still apparently dsi.ru:

C:\Documents and Settings\Admin>nslookup -type=ptr 91.185.61.220 8.8.8.8

Server: google-public-dns-a.google.com

Address: 8.8.8.8

Non-authoritative answer:

220.61.185.91.in-addr.arpa name = 91-185-61-220-irk.cust.dsi.ru

and http://www.abuse.net/ says

abuse[at]dsi.ru (for dsi.ru)

I don't know if SC has ever tried that address but I'm guessing it would be an exercise in futility in terms of stopping this particular spammer/spam gang anyway - he/they seem to be furtive, moving all the time even without reports going out. That way they don't hit that many DNSBLs. What a lot of effort they are putting into it! And most e-mail users would never even see it - sorted straight into spam/junk or silently dropped by any of the major e-mail service providers without ever going near the inbox.

[enigma1]

Well the spam I was referring to, is coming from various popular hosts.

http://www.spamcop.net/sc?id=z54593705...b2bc2ce7fd09f0z

And from the notes seems like it's pointless to notify them because they either bounce the reports there is no recipient.

[Farelf]

Apologies enigma1 - I led you into error by posting the "members" version of my tracking URL instead of the "www" version we all can read. My post and yours which replicated that have been edited to correct it.

Concerning that one of yours, another abuse address for "NetRange: 184.22.0.0 - 184.22.255.255", "CIDR: 184.22.0.0/16" from ARIN is hidden away under a non-standard line item "Comment: Abuse Dept:" where I suspect many automated retrieval systems mightn't find it - it is abuse[at]hostnoc.net

Since the regular line item "OrgAbuseEmail:" (nic[at]hostnoc.net) produces only bounces I wouldn't be holding out high hopes for the other one either, but I guess it should be tried. "Your" spam looks like it is from a completely different stream from "mine" and, as you say, the source server is more "mainstream" and high volume (and more liable to DNSBL listings) so I suppose should be taken more seriously (much more worthy of attention). If nothing else, that IP address (184.22.9.168) is accumulating bit of a history of SC hits even if ISP reports are going nowhere and, who knows? might make it into the SCbl sometime soon (which is the "main game") - if people keep reporting it. Keep up the good work!

[enigma1]

I was able to see the mail headers of your url. I had to login with my account and see it. I guess the www version can be seen by everyone.

I get quite few emails like this. And for some hosts the references go back to 2003 plus listings can be found in other sbls like spamhaus.

Now the thing I am not sure about is how often these hosts rotate the IPs. But I would think they need to keep them for sometime.

Something else I noticed is mail lists spammers use they must exchange with others right after they see the emails are rejected - as I block ip ranges if I see persistent spam coming from a particular host. So there are quite a few of those not listed in sc.