
No reporting addresses for 115.71.14.193?



Now that the parser has been updated to reflect the correct abuse POC (irt AT nic DOT or DOT kr), SC's parser refuses to forward spam to that address?🤔😑🤨😡🤬

https://www.spamcop.net/sc?id=z6857548165z7e7c70a47f487652bf4ce763cf932b91z

 

 
Quote

 

Finding IP block owner:

Routing details for 115.71.14.193
Report routing for 115.71.14.193: irt@nic.or.kr
I refuse to bother irt@nic.or.kr

Sorry, no reporting addresses found for 115.71.14.193.
Nothing to do.

 

 
 
Having said that, was there any reason for me to even contact the Deputies to have them update the address in the first place?!?!?!?

 


You already have a topic for this discussion, and this spam email was reported manually to the correct address, so what is the point? The ISP refused to accept reports about Wikipedia, and who can blame them, considering the data is so corrupt from misinformation.


Frustration is completely understandable!

From the whois records:

% Abuse contact for '115.71.0.0 - 115.71.255.255' is 'irt@nic.or.kr'

 

6 hours ago, Steve said:

Routing details for 115.71.14.193
Report routing for 115.71.14.193: irt@nic.or.kr
I refuse to bother irt@nic.or.kr

Sorry, no reporting addresses found for 115.71.14.193.
Nothing to do.

 

1 hour ago, ninth said:

The ISP refused to accept reports about wikipedia

The mentioned IP address has nothing to do with Wikipedia. It's the sender's address that is in dispute here, and the abuse reporting email address which, just because it has "nic" embedded in its name, is flagged (my presumption) as "do not bother".


It looks like a case of impersonation or copyright. A recent email I received looked like it was from a legit business, with correct phone and address, but the website was missing the security "s" from http when I ran it through the app.

Nic is the giant Russian company ru-centre with millions of sites.

Edited by ninth

OP spam is a plain old Nigerian 419 scam.

THIS IS Ambassador Mrs Mary Beth Leonard Ambassador to Nigeria. 
. 
I SHALL BE COMING TO YOUR COUNTRY FOR AN OFFICIAL MEETING ON TUESDAY AND I WILL BE BRINGING YOUR FUNDS 
THROUGH AN ATM MASTER CARD OF($4.8Million United State Dollars) ALONG WITH ME BUT THIS TIME I WILL NOT 
GO THROUGH CUSTOMS BECAUSE AS AN AMBASSADOR TO NIGERIA, I AM A US GOVERNMENT AGENT AND I HAVE THE VETO 
POWER TO GO THROUGH CUSTOMS. AS SOON AS I AM THROUGH WITH THE MEETING I SHALL THEN PROCEED TO YOUR ADDRESS. 
(SEND YOUR CELL PHONE NUMBER AND THE ADDRESS WHERE YOU WANT ME TO BRING THE PACKAGE).

The scammers more than likely found an open relay or maybe had some malware installed on the victim's server or PC:

Received: from gw.saesoldia.com (gw.saesoldia.com. [115.71.14.193])
        by mx.google.com with ESMTP id c16-20020a6566d0000000b00563eda35edesi3445418pgw.143.2023.08.07.05.46.09
        
Received: from [127.0.0.1] ([127.0.0.1])
           by gw.saesoldia.com ([127.0.0.1])
           with ESMTP id 1691412368.684522.140338211493632.gw

The bottom Received line is a loopback address, meaning the internal server itself, therefore more than likely an open relay, or malware...

The reason for the Wikipedia link is that the scammers added the link as "proof" of who they are:

Ambassador Mrs Mary Beth Leonard
TELEPHONE NUMBER
CHECK HERE VIEW MY DATA:https://en.wikipedia.org/wiki/List_of_ambassadors_of_the_United_States_to_Nigeria

Yeah, view my data my a**...

And the proof that it's a Nigerian 419 scam:

YOU SHOULD SEND THE FEE DIRECTLY TO THE CARGO REGISTRATION OFFICER WITH THE INFO BELOW-

amount ... $250

 

And like Steve was saying, for the IP# 115.71.14.193, while SC had the reporting address corrected, it still refuses to send the report (most probably due to the NIC part in the email address, and SC refuses to bother any NIC...)

Regex is a powerful tool; unfortunately it's not necessarily a smart tool, and bad things can happen if a regex is set up wrong... (like in the current thread, for example)

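The two Received headers quoted in the post above, walked the way a report parser has to, as an added example (not part of the original post and not SpamCop's code). It assumes `mx.google.com` is the reporter's own mail provider; the function names are made up for this illustration. Only the header written by the trusted MX is taken at face value, so the peer it recorded is the IP to report, while the hop below it was written by `gw.saesoldia.com` itself and is merely classified.

```python
import ipaddress
import re

# Received headers quoted in the post, newest (top) first.
RECEIVED = [
    "from gw.saesoldia.com (gw.saesoldia.com. [115.71.14.193])\n"
    "        by mx.google.com with ESMTP id "
    "c16-20020a6566d0000000b00563eda35edesi3445418pgw.143.2023.08.07.05.46.09",
    "from [127.0.0.1] ([127.0.0.1])\n"
    "           by gw.saesoldia.com ([127.0.0.1])\n"
    "           with ESMTP id 1691412368.684522.140338211493632.gw",
]
TRUSTED_MX = {"mx.google.com"}  # assumption: the reporter's own provider
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_hop(header):
    """Return the peer IP a Received header records and the host that wrote it."""
    flat = " ".join(header.split())  # unfold continuation lines
    from_part, sep, rest = flat.partition(" by ")
    if not sep or not from_part.startswith("from "):
        return None  # not a from/by style header
    ip = None
    match = IP_LITERAL.search(from_part)
    if match:
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            pass  # bracketed text was not an address
    return {"by": rest.split()[0].lower(), "ip": ip}


def scope(ip):
    if ip is None:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def analyse(headers, trusted_mx=TRUSTED_MX):
    """Return (ip_to_report, hops_below); hops_below were written by the sending side."""
    hops = [h for h in map(parse_hop, headers) if h]
    for i, hop in enumerate(hops):
        if hop["by"] in trusted_mx:
            below = [(h["by"], str(h["ip"]), scope(h["ip"])) for h in hops[i + 1:]]
            return (str(hop["ip"]) if hop["ip"] else None), below
    return None, []
```

`analyse(RECEIVED)` returns `115.71.14.193` as the address to report and lists the `127.0.0.1` hop as loopback, which shows only that the message reached the gateway from a process on the same host.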

And I thought the Nigerians were only good at swindling lonely women out of their savings! The red flag for me was the @mail.com for a US ambassador. This reminds me of the marketplace scam where the buyer replies to an ad with a story like they are on an oil rig, and they arrange a courier at a cost of $300 at the door pickup, which they promise to repay with the payment for the item via a fake payid receipt.

 


Yeah, advance fee 419 scam. They go to junk mail daily for me.

I always add the exact same format to a user report:

  • 419 scammer
  • Gmail account abuse (Reply-To)
  • (the reply-to address, usually but not always gmail)
  • Gmail account abuse (reply requested in body) 
  • (the email address mentioned in the email body text, if present, usually but not always gmail)

And I copy the report to abuse@gmail.com

I use keyboard short text/quick reply text to put that detail into the user report in the same format every time, in the hope the reply accounts are reviewed/shut down quickly. I think it's working because 419 scammer emails tend to stress how urgent replying is now!
