[Resolved] How do I report the IP that belongs to a "bounce" spammer


NilsC

Not sure if this is in the correct forum, if it's not please move or delete.

For lack of another terminology I'm calling it a bounce spammer. I have reported a couple of hundred spams received on my email server. They all originate from the same IP and the emails have a fake From and a fake reply-to using random email addresses and my domain name. And I'm reporting the "bouncers" because they bounce the message late instead of rejecting it.

The IP sending the messages is [151.23.139.210] ([151.23.139.210]) Just over 700 bounces so far since midnight today. I used dig on the IP and I find no PTR record for that IP and I would like to know who is upstream from that IP so I can report it and have it shut down.

Email server is not configured with a catch all but all bounced messages and messages sent to non existing users are in bad msg queue.


... The IP sending the messages is [151.23.139.210] ([151.23.139.210]) Just over 700 bounces so far since midnight today. I used dig on the IP and I find no PTR record for that IP and I would like to know who is upstream from that IP so I can report it and have it shut down. ...
Well, the 'normal' procedure would be to send manual reports to abuse[at]libero.it - http://www.spamcop.net/sc?track=151.23.139.210

but that IP address is already on the SCbl - http://spamcop.net/w3m?action=checkblock&a...=151.23.139.210

- with reports going to abuse[at]libero.it and with a large list of Other hosts in this "neighborhood" with spam reports.

I'm guessing you already know all that hence the requirement to go "upstream" which seems to be Infostrada (IUnet) - http://www.senderbase.org/senderbase_queri...=151.23.139.210 from the SenderBase net ownership detail. (I could make nothing out of the assignment records.)

http://www.abuse.net/lookup.phtml?domain=infostrada.it says

abuse[at]inwind.it (for infostrada.it)

abuse.inwind[at]libero.it (for infostrada.it)

Abuse net - http://www.abuse.net/lookup.phtml?domain=iunet.it says

postmaster[at]iunet.it (for iunet.it)

staff[at]iunet.it (for iunet.it)

helpdesk[at]infostrada.it (for iunet.it)

abuse[at]inwind.it (for iunet.it)

abuse.inwind[at]libero.it (for iunet.it)

Not sure any of that helps but I seem to recall libero.it has been/used to be responsive. With the beating they seem to be taking right now that may no longer be true?

Not sure if this is in the correct forum, if it's not please move or delete. ...
You're right it has nothing directly to do with reporting problems. But I think it might be instructive if left in this forum than it would be in the lounge (others may disagree). And we don't delete real requests for assistance in spam-related matters.

Farelf has provided correct data for the query. However, I'd still request a Tracking URL showing the actual alleged 'bounced e-mail' .... in my mind, there's the question of whether this is a 'real' e-mail server or a compromised machine pretending to be an e-mail server, i.e. the spammer is actually using this machine to 'send' these alleged bounces .. or, the worst case, the IP address offered up isn't the right one.


Thanks for the additional data. Yes, you do have the correct target for the original source. However, the 'bounce' issue is what the SpamCop.net Parsing & Reporting system is trying to address. The system that actually sent you the 'bounce'/rejection notice shouldn't have actually accepted/received the e-mail in the first place.

Only looked at this one, as it paints the picture just fine.

I won't bother with all the data I developed using other tools, SpamCop.net's parser does just fine. The following is a Tracking URL that shows what's actually going on with the system sitting at that IP address. Spammer is in fact using it to 'send' these bad e-mails.

http://www.spamcop.net/sc?id=z1556866068zb...215d3ce4592d1bz shows results of;

Received: from [151.23.139.210] ([151.23.139.210]) by tsgimail2.tsgi.com with Microsoft SMTPSVC(6.0.3790.3959); Sat, 8 Dec 2007 08:11:06 -0500

no from

151.23.139.210 found

host 151.23.139.210 (getting name) no name

Possible spammer: 151.23.139.210

Received line accepted

Received: from standard-462974 ([122.168.166.39]:20083 "EHLO standard-462974" smtp-auth: <none> TLS-CIPHER: <none> TLS-PEER-CN1: <none>) by [151.23.139.210] with ESMTP id S22PQUHZWWVQKRTM (ORCPT <rfc822;bdpodayptfi%arl.i-n-s.com[at]tsgimail2.tsgi.com>); Sat, 8 Dec 2007 14:16:34 +0100

Invalid "received by"

151.23.139.210 listed in cbl.abuseat.org ( 127.0.0.2 )

151.23.139.210 is an open proxy

abuse[at]libero.it would be the appropriate reporting address, but some clarification text would need to be included to prevent the "it didn't come from here" reply .... and then one has to factor in the possible language issues involved.

BTW: http://www.spamcop.net/w3m?action=checkblo...=151.23.139.210

151.23.139.210 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 11 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week

Additional potential problems

DNS error: 151.23.139.210 has no reverse dns

Other hosts in this "neighborhood" with spam reports

151.23.138.215 151.23.138.232 151.23.138.233 151.23.138.253 151.23.139.5 151.23.139.21 151.23.139.39 151.23.139.41 151.23.139.46 151.23.139.47 151.23.139.49 151.23.139.51 151.23.139.52 151.23.139.77 151.23.139.105 151.23.139.109 151.23.139.120 151.23.139.131 151.23.139.152 151.23.139.153 151.23.139.154 151.23.139.170 151.23.139.175 151.23.139.188 151.23.139.194 151.23.139.197 151.23.139.211 151.23.139.221 151.23.139.230 151.23.139.236 151.23.139.239 151.23.139.242 151.23.139.248 151.23.140.16 151.23.140.22 151.23.140.41 151.23.140.62 151.23.140.69 151.23.140.77 151.23.140.80 151.23.140.96 151.23.140.108 151.23.140.131 151.23.140.145 151.23.140.164 151.23.140.165 151.23.140.182 151.23.140.200 151.23.140.202

http://www.senderbase.org/senderbase_queri...=151.23.139.210

Volume Statistics for this IP

              Magnitude   Vol Change vs. Last Month
Last day      4.1         4049%
Last month    2.5

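To make concrete what the parse above is doing, the following Python script is an added example written for this page; it is not SpamCop's parser and not code from any poster. It reads a bounce that encloses the original spam, takes the bouncing host from the Received line that our own MX wrote, takes the spam's source from the first Received line the bouncer itself wrote (151.23.139.210, as in the trace above), treats every hop below that as written by the sender and therefore untrusted, and shows how the query name for a DNSBL such as cbl.abuseat.org is formed. The sample message, the hostname mx.example.net, the address 203.0.113.10 and the mailbox names are constructed for the example; no network lookups are made.

```python
"""Triage a misdirected bounce: who bounced it, and where the spam came from."""
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Constructed sample. The two inner Received lines mirror the trace in the
# thread; the outer hop (tsgimail2.tsgi.com -> mx.example.net) and the
# addresses are invented for the example.
SAMPLE_BOUNCE = """Return-Path: <>
Received: from tsgimail2.tsgi.com ([203.0.113.10]) by mx.example.net
    with ESMTP id 1abc; Sat, 8 Dec 2007 08:11:30 -0500
From: postmaster@tsgi.com
To: random-user@example.net
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: message/rfc822

Received: from [151.23.139.210] ([151.23.139.210]) by tsgimail2.tsgi.com with Microsoft SMTPSVC(6.0.3790.3959); Sat, 8 Dec 2007 08:11:06 -0500
Received: from standard-462974 ([122.168.166.39]:20083 "EHLO standard-462974") by [151.23.139.210] with ESMTP id S22PQUHZWWVQKRTM; Sat, 8 Dec 2007 14:16:34 +0100
From: someone@example.net
To: nobody@tsgi.com
Subject: buy now

spam body
--b1--
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+(?P<name>\S+)(?:\s*\((?P<paren>[^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)


def parse_received(value: str) -> dict:
    """Split one Received: value into the name the client claimed, the peer IP
    the receiving MTA actually observed, and the receiving host ('by')."""
    value = " ".join(value.split())  # fold continuation lines
    m_from = FROM_RE.search(value)
    m_by = BY_RE.search(value)
    peer_ip = None
    if m_from:
        # The IP in parentheses was recorded by the receiver; the bare name
        # before it is only what the client said in EHLO and can be anything.
        blob = m_from.group("paren") or m_from.group("name")
        m_ip = IP_RE.search(blob)
        peer_ip = m_ip.group(1) if m_ip else None
    return {
        "claimed": m_from.group("name") if m_from else None,
        "peer_ip": peer_ip,
        "by": m_by.group("by") if m_by else None,
    }


def enclosed_original(msg: Message) -> Optional[Message]:
    """Return the message/rfc822 part a DSN carries, if there is one."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name to resolve for a DNSBL check: octets reversed under the list zone.
    A 127.0.0.x answer means listed; NXDOMAIN means not listed."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def analyze_bounce(raw: str, our_ips: set) -> dict:
    """Classify a received bounce. our_ips: the IPs our own MTAs send from."""
    msg = message_from_string(raw)
    outer = [parse_received(v) for v in msg.get_all("Received", [])]
    bouncer = outer[0] if outer else {}          # the hop our own MX recorded
    original = enclosed_original(msg)
    inner = [parse_received(v) for v in original.get_all("Received", [])] if original else []
    # Only the first hop the bouncer itself recorded is trustworthy; every line
    # below it arrived inside the DATA and may be forged by the spammer.
    source_ip = inner[0]["peer_ip"] if inner else None
    is_dsn = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    return {
        "is_dsn": is_dsn,
        "bouncer_host": bouncer.get("claimed"),
        "bouncer_ip": bouncer.get("peer_ip"),
        # The bouncer's own 'by' name should match what it announced to us.
        "bouncer_consistent": bool(inner) and inner[0]["by"] == bouncer.get("claimed"),
        "spam_source_ip": source_ip,
        "misdirected": is_dsn and source_ip is not None and source_ip not in our_ips,
        "untrusted_hops": [h["peer_ip"] for h in inner[1:]],
    }


if __name__ == "__main__":
    result = analyze_bounce(SAMPLE_BOUNCE, {"192.0.2.25"})
    for key, val in result.items():
        print("%-20s %s" % (key, val))
    print(dnsbl_query_name(result["spam_source_ip"], "cbl.abuseat.org"))
```

The two IPs the result separates are exactly the two reports the thread ends up sending: `bouncer_ip` is what a SpamCop report on the misdirected bounce goes after, and `spam_source_ip` is the address for the manual report to the upstream abuse contact. The hop below it (122.168.166.39 here) sits inside data the spammer controlled, so it is listed but not acted on.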

Thank you to both of you, I sent a message using this in the subject line "spam apparently from 151.23.139.210" and I explained that it was a bounce sent to me where message was originating from their IP.

I will let you know what, if any, results from this.

However, the 'bounce' issue is what the SpamCop.net Parsing & Reporting system is trying to address. The system that actually sent you the 'bounce'/rejection notice shouldn't have actually accepted/received the e-mail in the first place.

Because of the bounce/rejection notice I went online to see what SpamCop.net rules was for reporting them. If they reject the message initially then the bounce is legit because it originated from my domain and should not be reported? When they accept the message and then send the bounce to me instead of originator it's (bounce) spam in my book.

Nils


Because of the bounce/rejection notice I went online to see what SpamCop.net rules was for reporting them. If they reject the message initially then the bounce is legit because it originated from my domain and should not be reported? When they accept the message and then send the bounce to me instead of originator it's (bounce) spam in my book.

"originated from my Domain" isn't really the issue. As noted in thousands of existing Posts/Discussions in here, the e-mail addresses in the From: and Reply-To: lines are almost guaranteed these days to be forged in a spam e-mail. It's the e-mail server/source that's at issue.

SpamCop.net reversed an earlier decision about reporting of 'bounces' .. but as you have seen here, it's the originator of the 'bounce / rejection notice' that receives the notification. This was because the spammers decided to use this 'feature' developed back in the days of trust (and imminent destruction) in a bad way, thus the flood became simply too immense to ignore.

Have you looked at the FAQ entry here? .. Why am I getting all these Bounces?

A legitimate 'bounce' / rejection notice would be if your e-mail server failed to deliver your e-mail to another server in a direct connection transfer attempt.


Thank you to both of you, I sent a message using this in the subject line "spam apparently from 151.23.139.210" and I explained that it was a bounce sent to me where message was originating from their IP.

I will let you know what, if any, results from this.

Because of the bounce/rejection notice I went online to see what SpamCop.net rules was for reporting them. If they reject the message initially then the bounce is legit because it originated from my domain and should not be reported? When they accept the message and then send the bounce to me instead of originator it's (bounce) spam in my book.

Nils

In troubleshooting, it is important to be very precise. Who did you send a message to? I assume that it is the abuse address for the original spam: abuse[at]libero.it. IMHO, it would have been more to the point to tell them that 151.23.139.210 is an open proxy and that it is listed at spamcop and cbl.abuseat.org.

Spamcop calls them 'misdirected bounces'. There are two kinds of 'bounces' and no one describes them the same way. I think you have the correct concept. An email that is rejected by the receiving server is a legitimate method of saying that an email is undeliverable. An email that is accepted by the receiving server that, then, sends an email stating undeliverability to the return path is no longer an acceptable method.

'From your domain' does not necessarily mean that the email was sent by an email server under your control. It is the IP address of the email server that is important. The email server may only send email from your domain or it may send email from many domains.

The kind of 'bounce' that can be reported via spamcop are the kind where the receiving server has sent an email to the return path. If the original spam is included, it cannot be reported via spamcop. You can, however, use spamcop to find the correct abuse address, cancel the spamcop report, and send a report manually to the abuse address stating that spam is coming from this IP address under their control and that you know this because you received an email to the forged return path that the original spam was not deliverable.

There are two people who could get reports: one, the server admin who is sending NDRs to the return path, and two, the server admin who is allowing spam to leave his network. Spamcop only allows you to report via spamcop misdirected bounces or spam that is delivered directly to you. Some people ignore the spam contained in a misdirected bounce, figuring that someone else /is/ getting the spam and will be reporting it. Others, like you, take the time to send a manual report to the server admin where the spam originates as well as reporting the server admin who actually sent the 'bounce' containing the spam.

At least, that's what I think you have done, but am not sure because you haven't been precise and you still seem to be unsure that you understand what the spamcop rules are concerning misdirected bounces.

Miss Betsy

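As an added illustration of the distinction Miss Betsy draws between the two kinds of 'bounce' (example code written for this page, not from SpamCop or any poster), the Python model below pushes the same three forged-return-path spams through a receiving server under both policies: rejecting unknown recipients with a 550 at RCPT TO, which leaves the failure with the connecting client, versus accepting at DATA and generating a non-delivery report afterwards, which can only go to the forged return path. It also covers the null sender case, where no NDR may be generated at all. The domain tsgi.com is taken from the thread; the mailboxes, addresses and message text are constructed.

```python
"""Why rejecting at RCPT TO avoids backscatter and accept-then-NDR creates it."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Envelope:
    mail_from: str   # the SMTP return path; spammers forge this freely
    rcpt_to: str
    data: str


@dataclass
class ReceivingMTA:
    domain: str
    mailboxes: set
    reject_at_rcpt: bool                  # the policy under test
    inbox: List[Envelope] = field(default_factory=list)
    ndr_queue: List[Tuple[str, str]] = field(default_factory=list)  # (to, reason)

    def smtp_session(self, env: Envelope) -> List[str]:
        """Run one delivery attempt; return the replies the client saw."""
        replies = ["220 %s ESMTP" % self.domain, "250 2.1.0 OK"]   # banner, MAIL FROM
        local, _, dom = env.rcpt_to.partition("@")
        known = dom == self.domain and local in self.mailboxes
        if not known and self.reject_at_rcpt:
            # The connecting client (here: the spammer's proxy) is told in the
            # SMTP dialogue itself. No mail exists yet, so nothing is sent on.
            replies.append("550 5.1.1 <%s>: Recipient address rejected" % env.rcpt_to)
            return replies
        replies += ["250 2.1.5 OK", "250 2.0.0 Queued"]            # RCPT TO, DATA
        if known:
            self.inbox.append(env)
        elif env.mail_from != "<>":
            # Delivery fails only after the message was accepted. The only
            # address left to notify is the return path, i.e. whoever the
            # spammer forged. A null return path must never get an NDR,
            # otherwise two such servers would bounce at each other forever.
            self.ndr_queue.append((env.mail_from, "550 5.1.1 user unknown"))
        return replies


def run_scenario(reject_at_rcpt: bool) -> Tuple[int, int]:
    """Deliver three spams with forged example.net return paths to tsgi.com.
    Returns (messages delivered, NDRs aimed at the innocent example.net)."""
    mta = ReceivingMTA("tsgi.com", {"alice", "bob"}, reject_at_rcpt)
    forged = ["qx7f@example.net", "bdpodayptfi@example.net", "alice@example.net"]
    targets = ["alice@tsgi.com", "nobody1@tsgi.com", "nobody2@tsgi.com"]
    for mail_from, rcpt_to in zip(forged, targets):
        mta.smtp_session(Envelope(mail_from, rcpt_to, "buy now"))
    backscatter = [to for to, _ in mta.ndr_queue if to.endswith("@example.net")]
    return len(mta.inbox), len(backscatter)


if __name__ == "__main__":
    for policy in (True, False):
        delivered, backscatter = run_scenario(policy)
        print("reject_at_rcpt=%-5s delivered=%d backscatter_to_example.net=%d"
              % (policy, delivered, backscatter))
```

Under the rejecting policy the spammer's client is the only party that ever learns of the failure, and it simply drops the message; under the accepting policy the example.net domain, which sent nothing, receives one NDR per bad recipient. That second output is what the thread calls a misdirected bounce, and the fix is on the bouncing server, not anywhere near the forged domain.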

In troubleshooting, it is important to be very precise. Who did you send a message to? I assume that it is the abuse address for the original spam: abuse[at]libero.it. IMHO, it would have been more to the point to tell them that 151.23.139.210 is an open proxy and that it is listed at spamcop and cbl.abuseat.org.

Correct, I sent the report to abuse[at]libero.it noting that the 151.23.139.210 IP is the originator of the spam

Spamcop calls them 'misdirected bounces'. There are two kinds of 'bounces' and no one describes them the same way. I think you have the correct concept. An email that is rejected by the receiving server is a legitimate method of saying that an email is undeliverable. An email that is accepted by the receiving server that, then, sends an email stating undeliverability to the return path is no longer an acceptable method.

I read the FAQ and I agree again, it's the misdirected bounces I consider spam. I receive the other kind when a user types a non-existent email address or has a spelling error on a fat-finger day.

'From your domain' does not necessarily mean that the email was sent by an email server under your control. It is the IP address of the email server that is important. The email server may only send email from your domain or it may send email from many domains.

Looking at the original email (not the bounce part) they (original spammer) are not claiming to send from my domain, they have a fake email as return address that may be construed as me sending the email when they bounce the message "misdirected"/late.

I own and control the email server, it's dedicated to us and it's only 5 domain names that send and receive email from my IP.

The kind of 'bounce' that can be reported via spamcop are the kind where the receiving server has sent an email to the return path. If the original spam is included, it cannot be reported via spamcop. You can, however, use spamcop to find the correct abuse address, cancel the spamcop report, and send a report manually to the abuse address stating that spam is coming from this IP address under their control and that you know this because you received an email to the forged return path that the original spam was not deliverable.

I only report the bouncer, not the original spammer via SpamCop, I started this post to deal with the original spammer.

There are two people who could get reports: one, the server admin who is sending NDRs to the return path, and two, the server admin who is allowing spam to leave his network. Spamcop only allows you to report via spamcop misdirected bounces or spam that is delivered directly to you. Some people ignore the spam contained in a misdirected bounce, figuring that someone else /is/ getting the spam and will be reporting it. Others, like you, take the time to send a manual report to the server admin where the spam originates as well as reporting the server admin who actually sent the 'bounce' containing the spam.

Only report the misdirected bouncer via SpamCop. I can't ignore the spam contained in the misdirected bounce, if they are clueless enough to bounce to the return path I "assume" they are clueless when it comes to reporting spam.

At least, that's what I think you have done, but am not sure because you haven't been precise and you still seem to be unsure that you understand what the spamcop rules are concerning misdirected bounces.

Miss Betsy

Miss Betsy, it was a long day yesterday, I was sloppy writing my post and I may have used terminology that is not the "right" way of expressing my issue and what I was doing about it. The misdirected bounce is spam to me and can be reported; the spam contained within the message can not be reported via SpamCop by me. I'm reporting those manually. I hope we agree now :) I was around when SpamCop did not let us report 'misdirected' bounces so it took me a while to catch up on what was legit or not. Manually reporting the originator may have shut off that conduit for now (or he's moved on to someone else's domain name) since I only received 7 misdirected bounces overnight compared to 700 last night. I hate to think of how many got through.

btw: I have the server set to page me when anomalies happen. This was done because I had an email address compromised and turned into a spam conduit. This blocked my IP because of spam sent using my server. Since that incident I have tried to stay on top of spam, including reporting via SpamCop and manually. One problem with tightening down the mail server is all the misconfigured mail servers out there that are sending legit emails. If it was up to me their emails would bounce until they fixed their server. Since I'm not writing the pay check, I have to accept a lot of extra spam.

Thanks for all the help,

I'll try to be more active here,

Nils

Can someone check this report link? http://www.spamcop.net/sc?id=z1557396155za...1b4ae3c39dba04z This message seem to be from the originator directed directly to me but the reporting address is not the one we agreed to.


Can someone check this report link? http://www.spamcop.net/sc?id=z1557396155za...1b4ae3c39dba04z This message seem to be from the originator directed directly to me but the reporting address is not the one we agreed to.

Wondering if you posted the 'correct' spam submittal .... I don't see the connection to the other spam stuff in this Topic. It appears to have come directly from yet another compromised computer.

This looks like they are trying to deliver the spam and are sending me the note that the message is delayed! Is this reportable? http://www.spamcop.net/sc?id=z1557396157z1...bd63b97f169256z

More spam from the same computer seen in your previous dialog, same issue involved. Although I'm not sure about the stated error condition (addresses are munged out, so not sure if that's what the "loops back to myself" is actually referencing) ... but, based on that, you will be receiving a 'failed' message on 11 Dec, replacing this 'delayed' notification. Definitely a 'misdirected Bounce' .....


Wondering if you posted the 'correct' spam submittal .... I don't see the connection to the other spam stuff in this Topic. It appears to have come directly from yet another compromised computer.

My error I read it backwards

but, based on that, you will be receiving a 'failed' message on 11 Dec, replacing this 'delayed' notification. Definitely a 'misdirected Bounce' .....

What I tried to say is this still considered a bounce, since the message goes to To: Internal spamcop handling: (level3) only and not to the bouncer.


What I tried to say is this still considered a bounce, since the message goes to To: Internal spamcop handling: (level3) only and not to the bouncer.

To which I responded .... "Definitely a 'Misdirected Bounce'" .. which is reportable ... I also pointed out that based on the content of the notification, you are to be receiving yet another on 11 Dec when the alleged re-try attempts time out.

As far as the reporting address goes .... a fine example of something I pointed out in another Topic/Discussion in which that poster has an issue with my answers <g> .... turning on Full/Technical Details in the parse results would allow you to see this bit of logic/decision process ....

Tracking message source: 67.72.93.10:

Routing details for 67.72.93.10

De-referencing level3.net[at]abuse.net

abuse net level3.net = abuse[at]level3.net, abuse[at]level3.com

Report routing for 67.72.93.10: abuse[at]level3.net, abuse[at]level3.com

abuse[at]level3.net redirects to abuse[at]level3.com

I know this ISP's abuse address: level3[at]admin.spamcop.net

This is an ISP that has asked SpamCop.net for 'special' handling of reports about their IP Blocks. Please see Why am I sending a Report to SpamCop?

Guess it's time to point out that you really shouldn't leave your parse result pages 'open' .... there is an opportunity that someone else may come along, perhaps add some commentary or something just as nasty, and then hit the 'Submit' button on your behalf. If you're not sure about actually submitting these reports, please hit the 'Cancel' button.


Thank you for your time and your help. It has been educational, I appreciate your time and insight. I have Full/Technical details turned on and your explanation here helped me understand another aspect I was wondering about.

Nils


Archived

This topic is now archived and is closed to further replies.