Steve Posted August 8, 2023

Now that the parser has been updated to reflect the correct abuse POC (irt AT nic DOT or DOT kr), SC's parser refuses to forward spam to that address?🤔😑🤨😡🤬

https://www.spamcop.net/sc?id=z6857548165z7e7c70a47f487652bf4ce763cf932b91z

Quote:
    Finding IP block owner:
    Routing details for 115.71.14.193
    Report routing for 115.71.14.193: irt@nic.or.kr
    I refuse to bother irt@nic.or.kr
    Sorry, no reporting addresses found for 115.71.14.193.
    Nothing to do.

Having said that, was there any reason for me to even contact the Deputies to have them update the address in the first place?!?!?!?

ninth Posted August 8, 2023

You already have a topic for this discussion and this spam email was reported manually to the correct address, so what is the point? The ISP refused to accept reports about Wikipedia and who can blame them considering the data is so corrupt from misinformation.

RobiBue Posted August 8, 2023

Frustration is completely understandable! From the whois records:

    % Abuse contact for '115.71.0.0 - 115.71.255.255' is 'irt@nic.or.kr'

6 hours ago, Steve said:
    Routing details for 115.71.14.193
    Report routing for 115.71.14.193: irt@nic.or.kr
    I refuse to bother irt@nic.or.kr
    Sorry, no reporting addresses found for 115.71.14.193.
    Nothing to do.

1 hour ago, ninth said:
    The ISP refused to accept reports about wikipedia

The mentioned IP address has nothing to do with Wikipedia. It's the sender's address that is in dispute here, and the reporting abuse email address which, just because it has nic embedded in its name, is flagged (my presumption) as do not bother.

ninth Posted August 9, 2023

It looks like a case of impersonation or copyright. A recent email I received looked like it was from a legit business with correct phone and address, but the website was missing the security s from http when I ran it through the app. Nic is the giant Russian company ru-centre with millions of sites.

Edited August 9, 2023 by ninth

RobiBue Posted August 10, 2023

OP spam is a plain old Nigerian 419 scam.

    THIS IS Ambassador Mrs Mary Beth Leonard Ambassador to Nigeria. . I SHALL BE COMING TO YOUR COUNTRY FOR AN OFFICIAL MEETING ON TUESDAY AND I WILL BE BRINGING YOUR FUNDS THROUGH AN ATM MASTER CARD OF($4.8Million United State Dollars) ALONG WITH ME BUT THIS TIME I WILL NOT GO THROUGH CUSTOMS BECAUSE AS AN AMBASSADOR TO NIGERIA, I AM A US GOVERNMENT AGENT AND I HAVE THE VETO POWER TO GO THROUGH CUSTOMS. AS SOON AS I AM THROUGH WITH THE MEETING I SHALL THEN PROCEED TO YOUR ADDRESS. (SEND YOUR CELL PHONE NUMBER AND THE ADDRESS WHERE YOU WANT ME TO BRING THE PACKAGE).

The scammers more than likely found an open relay or maybe had some malware installed on the victim's server or PC:

    Received: from gw.saesoldia.com (gw.saesoldia.com. [115.71.14.193]) by mx.google.com with ESMTP id c16-20020a6566d0000000b00563eda35edesi3445418pgw.143.2023.08.07.05.46.09
    Received: from [127.0.0.1] ([127.0.0.1]) by gw.saesoldia.com ([127.0.0.1]) with ESMTP id 1691412368.684522.140338211493632.gw

The bottom Received line is a loop-back address, meaning the internal server itself, therefore more than likely open relay, or malware...

The reason for the Wikipedia link is that the scammers added the link as "proof" of who they are:

    Ambassador Mrs Mary Beth Leonard TELEPHONE NUMBER CHECK HERE VIEW MY DATA:https://en.wikipedia.org/wiki/List_of_ambassadors_of_the_United_States_to_Nigeria

yeah, view my data my a**...

and the proof that's a Nigerian 419 scam:

    YOU SHOULD SEND THE FEE DIRECTLY TO THE CARGO REGISTRATION OFFICER WITH THE INFO BELOW- amount ... $250

And like Steve was saying, the IP# 115.71.14.193, while SC had the reporting address corrected, it still refuses to send the report (most probably due to the NIC part in the email address, and SC refuses to bother any NIC...)

Regex is a powerful tool; unfortunately it's not necessarily a smart tool, and bad things can happen if a regex is set up wrong... (like in the current thread for example)
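
Added example, not part of the post above: a small Python parser that reads the two Received lines quoted in the post, classifies each hop's connecting address, and returns the address recorded by the recipient's own mail exchanger. Treating `google.com` as the trusted receiving domain is an assumption made for this illustration.

```python
import ipaddress
import re

# The two Received lines quoted in the post above, newest hop first.
RECEIVED = [
    "from gw.saesoldia.com (gw.saesoldia.com. [115.71.14.193]) by mx.google.com "
    "with ESMTP id c16-20020a6566d0000000b00563eda35edesi3445418pgw.143.2023.08.07.05.46.09",
    "from [127.0.0.1] ([127.0.0.1]) by gw.saesoldia.com ([127.0.0.1]) "
    "with ESMTP id 1691412368.684522.140338211493632.gw",
]
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def parse_hop(line):
    """Return HELO name, connecting IP and receiving host of one Received line."""
    m = HOP_RE.search(line)
    if not m:
        return None
    found = IP_RE.search(m.group("peer"))
    try:
        ip = ipaddress.ip_address(found.group(1)) if found else None
    except ValueError:  # bracketed text that is not a valid address
        ip = None
    return {"helo": m.group("helo"), "ip": ip, "by": m.group("by").lower()}


def classify(ip):
    """Label an address as loopback, private, public or unknown."""
    if ip is None:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def reporting_source(lines, trusted_domain):
    """IP logged by the newest hop whose receiver is in trusted_domain (assumed: our own MX)."""
    for hop in filter(None, map(parse_hop, lines)):
        trusted = hop["by"] == trusted_domain or hop["by"].endswith("." + trusted_domain)
        if trusted and classify(hop["ip"]) == "public":
            return str(hop["ip"])
    return None


def hop_summary(lines):
    """(receiver, connecting IP, class) per parsable hop, newest first."""
    return [(h["by"], str(h["ip"]), classify(h["ip"]))
            for h in filter(None, map(parse_hop, lines))]


if __name__ == "__main__":
    print(reporting_source(RECEIVED, "google.com"))
    for row in hop_summary(RECEIVED):
        print(row)
```

Only the hop written by the receiver you trust is reliable for an abuse-contact lookup; lines below it were added by the sending side and can contain anything.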

ninth Posted August 11, 2023

And I thought the Nigerians were only good at swindling lonely women out of their savings! The red flag for me was the @mail.com for a US ambassador. This reminds me of the marketplace scam where the buyer replies to an ad with a story like they are on an oil rig and they arrange a courier at a cost of $300 at the door pickup which they promise to repay with the payment for the item via fake payid receipt.

Hanco Posted August 15, 2023

Yeah, advance fee 419 scam. They go to junk mail daily for me. I always add the exact same format to a user report:

    419 scammer
    Gmail account abuse (Reply-To) (the reply-to address, usually but not always gmail)
    Gmail account abuse (reply requested in body) (the email address mentioned in the email body text, if present, usually but not always gmail)

And I copy the report to abuse@gmail.com

I use keyboard short text/quick reply text to put that detail into the user report in the same format every time, in the hope the reply accounts are reviewed/shut down quickly. I think it's working because 419 scammer emails tend to stress how urgent replying is now!