Anyone receiving emails from IP address starting with 45.xx.xx.xxx?

[Steve]

The Russian emails I was getting a while ago seem to have stopped. I am now getting emails from IP addresses registered to a Turkish ISP. Several a day (usually in a row). Is anyone else receiving emails like this? The content of the emails are similar in nature as are the subject lines. I am including several tracking URLs from the most recent spam for reference.

https://www.spamcop.net/sc?id=z6720259818z887f0423809cc71a78701bf6302ad0a1z 

https://www.spamcop.net/sc?id=z6720260001z67552e38a126f2fa95c67fbfca768cdbz

https://www.spamcop.net/sc?id=z6720260172zf3d2e28345dca63be7a64e48c816e48fz

https://www.spamcop.net/sc?id=z6720260251z86e6a32d216388d374cd131e8374fbfez

https://www.spamcop.net/sc?id=z6720260318zb5b8734381d4bdc93de62693bba87d3cz

SC identifies the offenders' ISP as Meric Internet Teknolojileri A.s. (Meric Internet Technologies Inc.) with the reporting address abuse AT meric DOT net DOT tr. So far, since receiving emails associated with this ISP via the IP addresses registered to the offenders I have reported 72 emails from various IP addresses registered to this ISP, the first one having been submitted to SC on 7/17 at 11:48PM. Why hasn't the ISP done anything to curb or stop the spam originating from their network?🤔😕🤨🤷🏼‍♂️

 

Steve

[gnarlymarley]

10 hours ago, Steve said:

The Russian emails I was getting a while ago seem to have stopped. I am now getting emails from IP addresses registered to a Turkish ISP. Several a day (usually in a row). Is anyone else receiving emails like this?

I haven't see subject lines like those since maybe April.  In April I started adding to my reports that they need to patch their systems and it seems to have stopped mine.

They are probably on a rotation, so now that I said it out loud, my time to get them again is coming up.

[Steve]

Who, the ISP? Or SC?

[gnarlymarley]

I would put my note about them needing to patch in the "additional notes" section that would be sent with the report to the ISP.

[petzl]

6 hours ago, Steve said:

Who, the ISP? Or SC?

HOSTNAME    topgoodcoffee.com
Meric Internet Teknolojileri A.S.
https://check.spamhaus.org/listed/?searchterm=45.147.46.128
Suspected Snowshoe spam IP Range
Based on research, analysis of network data, our 'snowshoe' spam detection systems, intelligence sources and our experience, Spamhaus believes that this IP address range is being used or is about to be used for the purpose of high volume 'snowshoe' spam emission.

https://www.spamcop.net/w3m?action=checkblock&ip=45.147.46.128
Listing History
In the past 16.9 days, it has been listed 7 times for a total of 5.7 days
Other hosts in this "neighborhood" with spam reports
45.147.46.20 45.147.46.38 45.147.46.56 45.147.46.74 45.147.46.110 45.147.46.146 45.147.46.164 45.147.46.182 45.147.46.200 45.147.46.218 45.147.46.236 45.147.47.20 45.147.47.38 45.147.47.74 45.147.47.92 45.147.47.110

Always put in report notes "RESET PASSWORD" if they read abuse reports?
Might pay to also send to
https://www.first.org/members/teams/tr-cert
trcert[AT]usom[DOT]gov[DOT]tr

Edited August 15, 2021 by petzl

[Steve]

And like I said in the original post, I reported 72 emails within that range.

[petzl]

3 hours ago, Steve said:

And like I said in the original post, I reported 72 emails within that range.

Turkey is having forest fires/floods?
https://www.france24.com/en/live-news/20210814-no-survivors-of-turkey-fire-fighting-plane-crash-as-floods-kill-44

Always put in report notes "RESET PASSWORD" if they read abuse reports?
*Might pay to also send to*
https://www.first.org/members/teams/tr-cert
trcert[AT]usom[DOT]gov[DOT]tr

[Steve]

Still receiving said email from the 45.xx.xx.xxx IP range that is reported to abuse AT meric DOT net DOT tr. I have put RESET PASSWORD in the report notes but apparently they're not reading the reports? Also manually sending the spam to trcert[AT]usom[DOT]gov[DOT]tr. Not sure if they're reading the emails either because I'm still receiving them.

 

Steve

[petzl]

4 hours ago, Steve said:

Still receiving said email from the 45.xx.xx.xxx IP range that is reported to abuse AT meric DOT net DOT tr. I have put RESET PASSWORD in the report notes but apparently they're not reading the reports? Also manually sending the spam to trcert[AT]usom[DOT]gov[DOT]tr. Not sure if they're reading the emails either because I'm still receiving them.

Steve

If you can log into Google mail mark as Phishing

[Steve]

Just received another one of said emails. Reported it thru SC and to trcert[AT]usom[DOT]gov[DOT]tr. Also marked as phishing in Gmail.

[petzl]

4 hours ago, Steve said:

Just received another one of said emails. Reported it thru SC and to trcert[AT]usom[DOT]gov[DOT]tr. Also marked as phishing in Gmail.

Yes if going though Gmail as soon as one marks it phishing the email and links are stopped.

[gnarlymarley]

5 hours ago, petzl said:

if going though Gmail

I think if it gets marked enough times, then gmail will block it at the SMTP level.  (At least, that is what I have seen from my experience.  I am sure functionality is subject to change.)

[petzl]

8 hours ago, gnarlymarley said:

I think if it gets marked enough times, then gmail will block it at the SMTP level.  (At least, that is what I have seen from my experience.  I am sure functionality is subject to change.)

I only use web-gmail seems blocked as soon as I mark it phishing, most links are through google gmail cloud.
Don't know if they would block SMTP 
My Russian Crime gang gone silent or a year are back but down to one phishing attempt every few days
https://www.spamcop.net/sc?id=z6722646496z39beae5ed09980866a86f01b527a11fdz
I truncate most of their rubbish static also went through a oneandone email server 212.227.15.19 which I reported from my Gmail account
Spamcop did not report oneandone 217.136.236.221 ?
https://check.spamhaus.org/listed/?searchterm=217.136.236.221

[gnarlymarley]

1 hour ago, petzl said:

web-gmail seems blocked as soon as I mark it phishing

I think the web-gmail block only sends the email from that address to the spam folder.  I have one that keeps coming in to my spam folder even though it is listed as blocked.

[Steve]

Has anyone gotten an auto response back from the ISP just reporting the emails manually? I just tried doing that to the 2 most recent spams I received from their network. Will be waiting for a response to see if they take action and cease spam from their network.

[petzl]

On 9/6/2021 at 11:48 AM, gnarlymarley said:

I think the web-gmail block only sends the email from that address to the spam folder.  I have one that keeps coming in to my spam folder even though it is listed as blocked.

I now only use Gmail webmail if a email is marked "phishing" you get a warning "this email is dangerous links disabled."
Here is a screen shot of such a warning.
https://ibb.co/kBTDTmQ
It is from someone I bought pinhole glasses from today
hope they are not a scam?
Address they got from PayPal I use my SpamCop email address with PayPal.
I did not mark them Phishing must of been a Gmail computer.

Edited September 7, 2021 by petzl

[petzl]

On 9/6/2021 at 7:22 PM, petzl said:

I now only use Gmail webmail if a email is marked "phishing" you get a warning "this email is dangerous links disabled."
Here is a screen shot of such a warning.
https://ibb.co/kBTDTmQ
It is from someone I bought pinhole glasses from today
hope they are not a scam?
Address they got from PayPal I use my SpamCop email address with PayPal.
I did not mark them Phishing must of been a Gmail computer.

The article arrived yesterday,
Looks good, big problem with most Chinese made glasses the frame attacks centres on your eyes with the SHARP ear handles!
These ones are made for boofheads like mine

Edited September 21, 2021 by petzl

[postcd]

Several months later it seems that their spam@ mailbox still not being read or paid attention to reports.

Read/add some reviews:

https://www.trustpilot.com/review/meric.net.tr

https://www.mywot.com/scorecard/meric.net.tr

Anyone got some response from https://www.first.org/members/teams/tr-cert ?

Or by contacting them other way than abuse@ ?

On their contact page is info@

and

Call: +90 (850) 346 37 42

Edited January 7, 2022 by Lking
Edited to break the links so one will have to work hard to follow.

[gnarlymarley]

On 1/6/2022 at 5:00 AM, postcd said:

Several months later it seems that their spam@ mailbox still not being read or paid attention to reports.

That is part of the reason I use a block list and a firewall.  If their ISP doesn't want to play nice, then I sometimes block the whole range.  (Of course, I try to figure out if there might be any legitimate email from those IPs before blocking.)