
Persistent spam from bangmodhosting.com


captkirk


For the last few months I have been getting 20 to 30 spam emails a day from bangmodhosting.com / bangmod.co.th and reporting most of them. And most of them have stayed the same or the same type: you are a winner / you have a reward / survey response from companies like Walmart, Ace Hardware, State Farm, etc. All require a click on a button whose link does not look like a survey link at all, of course!

Spamassassin marks almost all of these as spam.

Some have SPF/DKIM/DMARC headers purporting to come from Google/Yahoo/Microsoft and routing thru those mailservers.

Some even spoof the headers showing the email came from my email to my email!

Anyway, besides just complaining, I am curious as to how these guys are not listed on any blacklists I have looked at and how any email server would not block these emails as soon as the send button was pushed!

I will be glad to post the raw source of one of these if anyone wants to have a look.

Also would love any suggestions.


7 hours ago, captkirk said:

I will be glad to post the raw source of one of these if anyone wants to have a look.

Email blocklists are by IP address, not domain.
To report a domain it needs to be to the registrar:
Name: bangmodhosting.com
IP: 103.27.200.74
Domain: bangmodhosting.com
Registrar Abuse Contact Email: mailto:abuse-contact[AT]publicdomainregistry[DOT]com


17 hours ago, captkirk said:

Also would love any suggestions.

Run it thru the SC app and post the report here for discussion. That way you will find out the true source of the spam and the crooks will be listed on the SC blocklist.

Going it alone does not seem to be working for you? Consider using a private email service?


this is a screenshot of my inbox (spam only) of the last 5-6 days (top-most just reported this morning):


top-most: https://www.spamcop.net/sc?id=z6862927956zf058e0bc88a451cd86b58917bcc0e2e0z
second-top: https://www.spamcop.net/sc?id=z6862876096z7da6505d55ea3f03a9345d59a7fa5816z

about 95% have been online.net spam and 95% of those from their proxad.net/iliad-enterprises.fr "division"

the rest are hotmail/microsoft and google... haven't had a Y! spam in a while...


Which one you want? The report? https://www.spamcop.net/sc?id=z6862928707z93e35888c12d29600ebe07cd27d79ff9z

Or the full diagnostic report?

I am really puzzled by Received-SPF: pass (google.com: domain of captkirk@dmzgraphics.com designates 209.85.220.65 as permitted sender) client-ip=209.85.220.65;

Unless it is a result of having a google account for online document sharing.

 

spam_report.txt


just to clarify:
this spam does seem to have originated at google (there's a BUT at the end):

https://toolbox.googleapps.com/apps/messageheader/

adding the whole header in that tool shows the following: (as image(s) since I doubt that the formatting will remain)


I also went ahead and verified the DKIM record:

https://powerdmarc.com/dkim-record-lookup/


BUT:

either the spammer found a way to send the spam from Google through an open proxy (116.206.125.107, port 52034),
OR
managed to spoof the DKIM record and inject the headers below the 116.206.125.107 proxy.

I say that because there is a "disconnect" between these two Received lines:

Received: from [116.206.125.107] (port=52034 helo=nsacct.org)
	by a2plcpnl0219.prod.iad2.secureserver.net with esmtp (Exim 4.95)
	id 1qkPWK-00CryP-Gv
	for x;
	Sun, 24 Sep 2023 06:51:42 -0700
Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65])
        by mx.google.com with SMTPS id o8-20020a17090a9f8800b0025678d34362sor791813pjp.5.2023.06.26.06.46.26
        for <x>
        (Google Transport Security);
        Mon, 26 Jun 2023 06:46:26 -0700 (PDT)

 

Personally, I wouldn't trust anything below the first of these two... (my opinion and 2¢)

 

P.S. (edit)
forgot to mention that 116.206.125.107 is listed in several blocklists...

https://www.spamcop.net/sc?track=116.206.125.107

Statistics:

116.206.125.107 listed in bl.spamcop.net (127.0.0.2)
More Information.
116.206.125.107 not listed in cbl.abuseat.org
116.206.125.107 listed in dnsbl.sorbs.net ( 1 )

and https://dnslytics.com/dns-blackhole-list/116.206.125.107


3 hours ago, RobiBue said:

Personally, I wouldn't trust anything below the first of these two... (my opinion and 2¢)

 

Seems the abuse desk is asleep at the wheel. Aside from SpamTrap hits there are many user reports going back 4 days on this IP.
https://www.spamcop.net/w3m?action=checkblock&ip=116.206.125.107
Other hosts in this "neighborhood" with spam reports
116.206.124.177 116.206.124.217 116.206.125.41 116.206.125.106 116.206.125.108 116.206.125.109 116.206.125.110 116.206.125.112 116.206.125.113 116.206.125.114 116.206.125.115 116.206.125.116 116.206.125.117 116.206.125.118 116.206.125.119 116.206.125.120 116.206.125.125 116.206.125.126

Looked at another IP in the range, same spewing spam:
https://www.spamcop.net/w3m?action=checkblock&ip=116.206.125.118


On 9/25/2023 at 1:17 AM, captkirk said:

Which one you want? The report? https://www.spamcop.net/sc?id=z6862928707z93e35888c12d29600ebe07cd27d79ff9z

Or the full diagnostic report?

I am really puzzled by Received-SPF: pass (google.com: domain of captkirk@dmzgraphics.com designates 209.85.220.65 as permitted sender) client-ip=209.85.220.65;

Unless it is a result of having a google account for online document sharing.

 

spam_report.txt (Unavailable)

Great, and did you send the abuse reports recommended by SpamCop to the responsible hosting service and the SC blocklist? The report to Amazon failed, typical. Best not to post private info like an email address on a public forum, Captain. If I can add a comment to the interesting research done by other members, the issue is IP forgery and this has been discussed here recently. It's all an illusion as to where the spam is sent from and points to a hacked mail server or compromised security system at your end:

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.


I have reported these nearly identical spam emails probably hundreds of times evidently wasting fuel haha. bangmod is the most prolific, but there are several others that are about as bad.

I find it rather alarming that the spoofed from email purports to be from my domain to my domain. Hosted on GoDaddy by the way. But I am using cpanel workspace email, not their expensive 365 which they are trying to force everyone to pay for. They don't seem to support the workspace email anymore.

Now gbcloud.net has become my prime offender!

In any case, I sure hope they are not spoofing my domain to send spam to other folks!

I am still curious as to how these ISPs allow so much spam to get thru repeatedly.

BTW, I did think about obscuring my email in the post, but it has been out and about for 30 years now, but I did it in this snippet:

Received: from [116.206.125.116] (port=36086 helo=ielectrify.com) by a2plcpnl0219.prod.iad2.secureserver.net with esmtp (Exim 4.95) id 1qlBab-00HXB8-Ka for email@domain.com; Tue, 26 Sep 2023 10:11:21 -0700
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com. [2607:f8b0:4864:20::62f]) by mx.google.com with ESMTPS id m14-20020a056a00080e00b0069024c6a9a8si13094907pfk.389.2023.09.26.06.33.17 for <email@domain.com> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 26 Sep 2023 06:33:17 -0700 (PDT)
Received: by mail-pl1-x62f.google.com with SMTP id d9443c01a7336-1c5c91bec75so61402495ad.3 for <email@domain.com>; Tue, 26 Sep 2023 06:33:17 -0700 (PDT)

Looks, to my untrained eye, like the last (first) two Received froms are bogus, since the timestamps go from Tue, 26 Sep 2023 06:33:17 -0700 (PDT) to Tue, 26 Sep 2023 10:11:21 -0700 when it finally gets to a bangmod IP and domain.

Regardless, I have gotten about 50 spam emails from the good folks at bangmod and gbcloud since 8am and it's only 4pm...

Thanks for all the insights!

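The two checks RobiBue and captkirk apply by eye in the posts above (does each hop's "from" name the host that wrote the hop below it, and do the timestamps make sense) as a small Python script. This is an added example, not a tool from the thread or from SpamCop; the Received lines in it are constructed samples modelled on the ones quoted in the thread, with ids shortened.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed samples modelled on the Received chains quoted in this thread
# (ids shortened; first entry is the newest hop, as in a real header block).
CHAIN_A = [
    "from [116.206.125.116] (port=36086 helo=ielectrify.com) by a2plcpnl0219.prod.iad2.secureserver.net"
    " with esmtp (Exim 4.95) id 1qlBab-00HXB8-Ka for email@domain.com; Tue, 26 Sep 2023 10:11:21 -0700",
    "from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com. [2607:f8b0:4864:20::62f]) by mx.google.com"
    " with ESMTPS id m14 for <email@domain.com>; Tue, 26 Sep 2023 06:33:17 -0700 (PDT)",
    "by mail-pl1-x62f.google.com with SMTP id d9443c01 for <email@domain.com>;"
    " Tue, 26 Sep 2023 06:33:17 -0700 (PDT)",
]
CHAIN_B = [
    "from [116.206.125.107] (port=52034 helo=nsacct.org) by a2plcpnl0219.prod.iad2.secureserver.net"
    " with esmtp (Exim 4.95) id 1qkPWK-00CryP-Gv for x; Sun, 24 Sep 2023 06:51:42 -0700",
    "from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com"
    " with SMTPS id o8 for <x> (Google Transport Security); Mon, 26 Jun 2023 06:46:26 -0700 (PDT)",
]

# "from X ... by Y"; the "from" clause is absent on the hop where the message was submitted.
HOP_RE = re.compile(r"^(?:from\s+(?P<frm>\S+).*?)?\bby\s+(?P<by>\S+)", re.S)

def parse_hop(line):
    """Return (from_host or None, by_host, timestamp) for one Received header value."""
    m = HOP_RE.match(line.strip())
    if m is None:
        raise ValueError("unparseable Received header: %r" % line[:40])
    frm = m.group("frm")
    when = parsedate_to_datetime(line.rsplit(";", 1)[1])  # date follows the last ';'
    return (frm.strip("[]").lower() if frm else None, m.group("by").rstrip(".").lower(), when)

def check_chain(received, max_gap=timedelta(hours=24)):
    """Walk the chain from newest to oldest and report discontinuities.

    Each hop's 'from' should name the host that wrote the hop below it ('by'),
    and timestamps should decrease going down, but not by more than max_gap.
    Returns a list of (hop_index, reason) findings; an empty list means the
    chain is at least internally consistent (it does not prove it is genuine)."""
    hops = [parse_hop(r) for r in received]
    findings = []
    for i in range(len(hops) - 1):
        upper_from, _, upper_time = hops[i]
        _, lower_by, lower_time = hops[i + 1]
        if upper_from != lower_by:
            findings.append((i, "from/by mismatch: %s vs %s" % (upper_from, lower_by)))
        if lower_time > upper_time:
            findings.append((i, "lower hop claims a later time than the hop above it"))
        elif upper_time - lower_time > max_gap:
            findings.append((i, "implausible delay of %s between hops" % (upper_time - lower_time)))
    return findings
```

On CHAIN_A the script flags the same break captkirk noticed: the top hop says it received from 116.206.125.116, yet the hop below claims to have been written by mx.google.com. On CHAIN_B it additionally flags the three-month gap RobiBue pointed out.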

I would get on to GoDaddy if you have not already; in my experience they are very cooperative and will delete spammers using their good name once they are aware. You are flooded with spam and quite rightly upset, so find out why the cloud services are not taking action - are they to blame? Make some noise to the other players involved up the chain, not just the host ISP, and report to other blocklists. The report says Google has been hacked by spammers? We pay for using the data, voice and computer equipment and waste time handling spam; we have a right to privacy and own the accounts, therefore we should have a say in who calls us or sends us SMS and emails.
