Stomp Posted November 22, 2008

I am constantly receiving multiple spam from an advertising service named Cortez Data Services PO BOX 515381 ECM# 16095 Los Angeles, CA 90051. They are sending me many emails every day from a different email address, with each one advertising a different service. I have tried the unsubscribe option many times, but obviously the agency named Cortez Data Services has no intention of honoring my request. What's the purpose of continuing to send me emails other than to annoy and harass me, when I am simply not interested and, furthermore, I live in a country outside of the USA where none of their services are available to me? I have asked the company to stop over and over again via emails and the unsubscribe option without any success. I'm frustrated and annoyed; furthermore, there is no way to track or trace the company Cortez Data Services. I cannot find any information about them on the web. I would very much appreciate any help....

There are two unsubscribe options in every email they send me: one is for the company they're advertising and the other one is from Cortez Data Services. The various services they advertise are weight loss, diet pills, credit report, reunion, which have their own unsubscribe option, but then additionally every email also finishes off at the bottom by saying........

    This advertisemnt was brought to you by Cortez Data Services If you no longer wish to receive future updates from us click our Instant Removal Link Here or Write Cortez Data Services PO BOX 515381 ECM# 16095 Los Angeles, CA 90051

I have checked the message source and found every email originating from the same IP range, from...

    128.168.142.105
    128.168.242.157
    128.168.240.139
    128.168.240.142
    128.168.250.233

I've checked whois and found it's come up with various names like Gold Hill Computers, Sunny View Media and Struthers Media Group. I don't know who their ISP is. I have written to one of the "abuse[at]." in the whois results but there's been no change. I don't know what to do, please help. Thanks

g4mby Posted November 22, 2008

> There are two unsubscribe options in every email they send me: one is for the company they're advertising and the other one is from Cortez Data Services. The various services they advertise are weight loss, diet pills, credit report, reunion, which have their own unsubscribe option, but then additionally every email also finishes off at the bottom by saying........

I've had some success with spam such as this. You're right, trying to un-subscribe will do no good at all.

Where does SpamCop want to send reports? In my experience SpamCop has wanted to send all reports to the abuse address of a web hosting company. I've sent copies to their support, sales and webmaster addresses with an explanation as to why I was doing that. I also followed up with emails directly to these addresses attaching a copy of the spam and adding a comment about how frequent the spam is. When that has failed I have sent a copy of the spam to the domain registrar.

That's what has worked for me and I've seen at least one website become unreachable but as soon as I've stepped up the level of reports the spam has only lasted a few days. Of course, I soon started to get the same type of spam from a different source as no doubt the spammer moved on to a different spam campaign with a fresh list of email addresses and new domains to send spam from. :angry:

I'll probably never rid myself of this type of spam completely but at least I'm getting some satisfaction by causing them some inconvenience as I believe I am getting some positive results even though the success is short lived. I don't know this for sure but I think I've seen one spammer move from one web host to another after sending reports in the way I have described.

The latest spam of this kind that I'm getting is being sent by nexusmaneuver.com who according to their website are "dedicated to developing creative and impactful marketing solutions that drive strong business results". In other words they send lots of spam!

Stomp Posted November 22, 2008 Author

> When that has failed I have sent a copy of the spam to the domain registrar. That's what has worked for me

How do I find their domain registrar? When I type their IP address into http://www.who.is, several different names come up and I'm not sure which one is the ISP, which one is the domain and which is the company sending me the emails. Can you please help me with this?

Also, I got the IP address directly from the message source, so I don't know if it's displaying the true IP of the sender or whether they are somehow routing it, but because all the emails from them have the same IP range I assumed it was genuine.

Also, if it helps, here is one example from the email's message source...

    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MjtTQ0w9NA==
    X-Message-Status: n:0
    X-SID-PRA: FICOScore <importantupdate[at]grovellingresist.net>
    X-Message-Info: 6sSXyD95QpVI6eC3326eKkw+pwif6waPdPemh+LKB1NizmcrD7KD6FPnyT/mZQEl6XyCsme938VSRnzAAgbcZccSVyxT1q7UIY1iw/I32e+dqVSP1j+pPw==
    Received: from ovrexusoe157.converseexcursion.net ([128.168.242.157]) by bay0-mc11-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Fri, 21 Nov 2008 09:20:29 -0800
    Received: from diego2 (127.0.0.1) by ovrexusoe157.converseexcursion.net (PowerMTA v3.5r7) id h4rn180mnfge for <alphatek[at]hotmail.com>; Fri, 21 Nov 2008 09:11:29 -0800 (envelope-from <importantupdate[at]grovellingresist.net>)
    From: "FICOScore" <importantupdate[at]grovellingresist.net>
    To: alphatek[at]hotmail.com
    Subject: Check the important updates on your FICO Credit Report
    X-UID: zokszgvp
    MIME-Version: 1.0
    Content-Type: text/html; charset=iso-8859-1
    Content-Transfer-Encoding: 8bit
    Return-Path: importantupdate[at]grovellingresist.net
    Message-ID: <BAY0-MC11-F6YnsDFZ90008d8da[at]bay0-mc11-f6.bay0.hotmail.com>
    X-OriginalArrivalTime: 21 Nov 2008 17:20:29.0697 (UTC) FILETIME=[73B74710:01C94BFD]
    Date: 21 Nov 2008 09:20:29 -0800

g4mby Posted November 22, 2008

grovellingresist.net and converseexcursion.net are both registered to GO DATA 180 and that may be the name of the company behind the emails. The registrar is Moniker so I would try sending complaints to abuse[at]moniker.com.

I can't quite work out the relevance of Gold Hill Computers and Struthers Media as Data102 also come into this. They may have separate hosts for web and mail of course.

Hope that helps a little.

rconner Posted November 22, 2008

> How do I find their domain registrar? When I type their IP address into http://www.who.is, several different names come up and I'm not sure which one is the ISP, which one is the domain and which is the company sending me the emails. Can you please help me with this?

Looking at the header you posted, I see that the source appears to be 128.168.242.157.

What provider is responsible for this address? (Hint: put a "+" in front of the address to force ARIN to give you a full report)

    rconner$ whois +128.168.242.157

    OrgName: Gold Hill Computers
    OrgID: GHC-4
    Address: 2175 Cloverdale Drive
    City: Colorado Springs
    StateProv: CO
    PostalCode: 80920
    Country: US

    NetRange: 128.168.0.0 - 128.168.255.255
    CIDR: 128.168.0.0/16
    NetName: DATA102
    NetHandle: NET-128-168-0-0-1
    Parent: NET-128-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.DATA102.COM
    NameServer: NS2.DATA102.COM
    Comment:
    RegDate: 1986-10-02
    Updated: 2007-03-05

    OrgAbuseHandle: DAT13-ARIN
    OrgAbuseName: Data102 Abuse Team
    OrgAbusePhone: +1-719-578-8842
    OrgAbuseEmail: abuse[at]data102.com

    OrgNOCHandle: DNO44-ARIN
    OrgNOCName: Data102 Network Ops
    OrgNOCPhone: +1-719-578-8842
    OrgNOCEmail: netops[at]data102.com

    OrgTechHandle: RKO33-ARIN
    OrgTechName: Kohutek, Randal
    OrgTechPhone: +1-719-578-8842
    OrgTechEmail: randal[at]data102.com

    OrgName: Struthers Media Group
    OrgID: STRUT
    Address: 525 North Tryon St #1600
    City: Charlette
    StateProv: NC
    PostalCode: 28202
    Country: US

    NetRange: 128.168.240.0 - 128.168.255.255
    CIDR: 128.168.240.0/20
    OriginAS: AS20445
    NetName: GLD01-128-168-240-0
    NetHandle: NET-128-168-240-0-1
    Parent: NET-128-168-0-0-1
    NetType: Reallocated
    Comment:
    RegDate: 2008-10-28
    Updated: 2008-10-28

    RTechHandle: GLDNE-ARIN
    RTechName: GLD NetAdmin
    RTechPhone: +1-303-803-1893
    RTechEmail: admin[at]grandlakedata.net

    OrgTechHandle: SMN6-ARIN
    OrgTechName: Struthers Media NOC
    OrgTechPhone: +1-866-966-9968
    OrgTechEmail: admin[at]struthersmediagroup.com

    # ARIN WHOIS database, last updated 2008-11-21 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

This gives you an abuse contact (and other information) for the address.

Who is operating this host?

    rconner$ host 128.168.242.157
    157.242.168.128.in-addr.arpa domain name pointer ovrexusoe157.converseexcursion.net.

Since the address and this name (ovrexusoe157.converseexcursion.net) both appear in the header you posted, we can presume that converseexcursion.net is responsible for sending the spam.

Who has registered the domain converseexcursion.net?

    rconner$ whois converseexcursion.net

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: CONVERSEEXCURSION.NET
    Registrar: MONIKER ONLINE SERVICES, INC.
    Whois Server: whois.moniker.com
    Referral URL: http://www.moniker.com/whois.html
    Name Server: NS1.STRUTHERSMEDIA-DNS.COM
    Name Server: NS2.STRUTHERSMEDIA-DNS.COM
    Status: clientDeleteProhibited
    Status: clientTransferProhibited
    Status: clientUpdateProhibited
    Updated Date: 18-nov-2008
    Creation Date: 09-jul-2008
    Expiration Date: 09-jul-2009

I have not reproduced the whole WHOIS printout here (you can do this yourself at http://www.geektools.com/whois.php), but we see that moniker.com is the registrar. I cannot find any obvious means to report abuse to moniker.com (which is sadly typical for many registrars), but you might find something useful here: http://www.moniker.com/contactus.jsp. I would not bother contacting the actual registrant, since the registrant info is likely to be fake (or if it is not, it belongs to a spammer who will not respond usefully).

You can go a step or two further. I imagine that the spam you get mentions websites where you are supposed to go in order to place orders, etc. You can also trace the IP addresses of these sites, and even their domain registrations. For example, if the spam mentions a website "xyz.captaincrunch.foo" you can look up the IP address of this host and complain to the provider of this address; you can also look up the domain registration info for the domain ("captaincrunch.foo") and complain to the registrar (which may be someone other than moniker.com).

Lastly, I'd encourage you to report these spams through SpamCop if you are not already doing so. This will not stop the spams from coming (at least not right away), but if you and enough other people report this spam often enough, the source addresses will be added to the SpamCop blocking list, which will limit the deliveries from this address to the many, many providers that use the SCBL. This will eventually get the attention of Gold Hill and force them to take action.

Hope this is helpful,

-- rick

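The question running through the posts above is which of the names in the ARIN output is the upstream provider and which is the customer actually using the address. The following is an added example, not part of any forum post: it sorts the records of such a report by how specifically they cover an address and finds the nearest listed abuse mailbox. The sample text is abbreviated from the output quoted above; the function names are illustrative.

```python
import ipaddress

# Constructed sample: abbreviated from the ARIN output quoted in the post above,
# with mailboxes left obfuscated as "[at]" exactly as they appear on the page.
SAMPLE_WHOIS = """\
OrgName: Gold Hill Computers
NetRange: 128.168.0.0 - 128.168.255.255
CIDR: 128.168.0.0/16
NetName: DATA102
NetType: Direct Allocation
OrgAbuseEmail: abuse[at]data102.com
OrgName: Struthers Media Group
NetRange: 128.168.240.0 - 128.168.255.255
CIDR: 128.168.240.0/20
NetName: GLD01-128-168-240-0
NetType: Reallocated
RTechEmail: admin[at]grandlakedata.net
OrgTechEmail: admin[at]struthersmediagroup.com
# ARIN WHOIS database, last updated 2008-11-21 19:10
"""

def parse_records(text):
    """Split 'Key: value' WHOIS text into one dict per network record."""
    records, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep or key.startswith("#"):
            continue                      # blank lines and trailer comments
        key, value = key.strip(), value.strip()
        # Each ARIN record opens with OrgName (or CustName): use it as the boundary.
        if key in ("OrgName", "CustName") and current:
            records.append(current)
            current = {}
        current.setdefault(key, value)    # keep the first value of repeated keys
    if current:
        records.append(current)
    return records

def responsibility_chain(text, ip):
    """Records whose CIDR contains ip, broadest allocation first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for rec in parse_records(text):
        blocks = [c.strip() for c in rec.get("CIDR", "").split(",") if c.strip()]
        lengths = [n.prefixlen for n in map(ipaddress.ip_network, blocks) if addr in n]
        if lengths:
            hits.append((max(lengths), rec))
    return [rec for _, rec in sorted(hits, key=lambda h: h[0])]

def abuse_contact(chain):
    """Walk from the most specific record upward until an abuse mailbox is listed."""
    for rec in reversed(chain):
        if "OrgAbuseEmail" in rec:
            return rec.get("OrgName") or rec.get("CustName"), rec["OrgAbuseEmail"]
    return None

if __name__ == "__main__":
    chain = responsibility_chain(SAMPLE_WHOIS, "128.168.242.157")
    for rec in chain:
        print(rec["NetType"], "-", rec["OrgName"], rec["CIDR"])
    print("report to:", abuse_contact(chain))
```

The last record in the chain is the party using the address; where that record lists no abuse mailbox, as here, the report goes to the nearest parent that does.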
Wazoo Posted November 22, 2008

From: "Wazoo"
To: "SpamCop Deputies"
Subject: existing override for converseexcursion.net (128.168.242.157)
Date: Sat, 22 Nov 2008 01:10:34 -0600

Forum discussion at http://forum.spamcop.net/forums/index.php?showtopic=9910 although this probably isn't critical .. the poster does not appear to be using SpamCop. However, while researching some of the issues raised, I've got questions about the existing data seen in the parsing look-ups.

http://www.spamcop.net/sc?action=showroute...typecodes=21,16

    Reports routes for 128.168.242.157:
    routeid:38438244 128.168.0.0 - 128.168.255.255 to:abuse[at]twtelecom.net
    Administrator interested in all reports
    Friday, April 18, 2008 7:09:44 AM -0500 [Note added by 74.160.64.12 (adsl-160-64-12.asm.bellsouth.net)]
    BGP routing table entry for 128.168.0.0/16, version 1153776
    Paths: (37 available, best #29, table Default-IP-Routing-Table)
    Not advertised to any peer
    6939 4323 33302
    216.218.252.164 from 216.218.252.164 (216.218.252.164)
    Origin IGP, localpref 100, valid, external
    2914 3356 33302
    129.250.0.11 from 129.250.0.11 (129.250.0.51)
    Origin IGP, metric 4, localpref 100, valid, external
    Community: 2914:420 2914:2000 2914:3000 65504:3356

http://www.spamcop.net/sc?track=converseexcursion.net

    Parsing input: converseexcursion.net
    Routing details for 128.168.128.2
    Report routing for 128.168.128.2: abuse[at]twtelecom.net

http://www.spamcop.net/sc?action=showroute...typecodes=21,16

    Reports routes for 128.168.128.2:
    routeid:38438244 128.168.0.0 - 128.168.255.255 to:abuse[at]twtelecom.net
    Administrator interested in all reports
    Friday, April 18, 2008 7:09:44 AM -0500 [Note added by 74.160.64.12 (adsl-160-64-12.asm.bellsouth.net)]
    BGP routing table entry for 128.168.0.0/16, version 1153776
    Paths: (37 available, best #29, table Default-IP-Routing-Table)
    Not advertised to any peer
    6939 4323 33302
    216.218.252.164 from 216.218.252.164 (216.218.252.164)
    Origin IGP, localpref 100, valid, external
    2914 3356 33302
    129.250.0.11 from 129.250.0.11 (129.250.0.51)
    Origin IGP, metric 4, localpref 100, valid, external
    Community: 2914:420 2914:2000 2914:3000 65504:3356

However, I'm not sure that this BGP is still the 'best' place???

    11/22/08 00:51:48 IP block 128.168.242.157
    Trying 128.168.242.157 at ARIN
    Trying 128.168.242 at ARIN
    Gold Hill Computers DATA102 (NET-128-168-0-0-1)
    128.168.0.0 - 128.168.255.255
    Struthers Media Group GLD01-128-168-240-0 (NET-128-168-240-0-1)
    128.168.240.0 - 128.168.255.255

    Trace 128.168.242.157 ...
    10.0.72.1 RTT: 8ms TTL:170 (No rDNS)
    12.215.9.225 RTT: 11ms TTL:170 (12-215-9-225.client.mchsi.com ok)
    12.215.4.18 RTT: 21ms TTL:170 (12-215-4-18.client.mchsi.com ok)
    12.122.99.34 RTT: 18ms TTL:170 (tbr1.cgcil.ip.att.net fraudulent rDNS)
    12.122.87.245 RTT: 31ms TTL:170 (ggr6.cgcil.ip.att.net probable bogus rDNS: No DNS)
    192.205.35.78 RTT: 34ms TTL:170 (No rDNS)
    129.250.2.249 RTT: 25ms TTL:170 (xe-0-1-0.r20.chcgil09.us.bb.gin.ntt.net ok)
    129.250.5.28 RTT: 62ms TTL:170 (p64-2-1-0.r20.sttlwa01.us.bb.gin.ntt.net ok)
    129.250.4.158 RTT: 81ms TTL:170 (po-2.r01.sttlwa01.us.bb.gin.ntt.net ok)
    209.168.94.242 RTT: 65ms TTL:170 (xe-3-3.r01.sttlwa01.us.ce.gin.ntt.net ok)
    63.251.160.86 RTT: 71ms TTL:170 (border2.t8-1-bbnet2.sef003.pnap.net probable bogus rDNS: No DNS)
    64.94.137.194 RTT: 92ms TTL:170 (fshnetworks-1.border2.sef003.pnap.net ok)
    72.5.222.10 RTT: 79ms TTL:170 (No rDNS)
    * * * failed
    * * * failed

    11/22/08 00:56:02 IP block 72.5.222.10
    Trying 72.5.222.10 at ARIN
    Trying 72.5.222 at ARIN
    Internap Network Services Corporation PNAP-09-2004 (NET-72-5-0-0-1)
    72.5.0.0 - 72.5.255.255
    FSH Network Services INC INAP-SEF-FSHNETWORKS-22249 (NET-72-5-222-0-1)
    72.5.222.0 - 72.5.222.255

I don't see twtelecom.net as anywhere obvious in this short analysis for either the IP Address or the Domain involved.

Stomp Posted November 22, 2008 Author

> .... they all appear to be from the same IP range, the domain names are different on each one. How is that possible when all the IP addresses are from the same range?

The person sending the spam can 'forge' anything in the 'domain name'; however, the receiving server identifies the IP address that the email is coming from. Spammers generally rotate among different email servers (I am not technically fluent, but I think they are called 'name servers' if they are sending email.) Most server admins now reject any mail that is not from an email server because so much spam is sent through infected computers. They know which computers are supposed to be sending email and which ones aren't.

What the SpamCop parser does is to look at all the header lines and accept those that the parser can figure out are 'real' headers. There may be numerous header lines that are placed there by the spammer. I can read a simple header, but most discussions about why the parser chooses a particular header line as the last 'true' header are way over my head.

In your initial post, you mentioned unsubscribing. The FTC says that a large majority of unsubscribes are fake and only mark your email address as a 'live one'. The best rule to follow is to never unsubscribe from an email that you haven't subscribed to. Even with emails I get from legitimate companies who, for some reason, start sending me email (usually some dumbo in the marketing department insisted), I will not unsubscribe, but email someone else on their contact page and tell them that I never unsubscribe to any email I haven't subscribed to.

And, even though you are learning a lot - which, IMHO, makes you a better consumer of email service - you cannot stop a spammer until those who are giving him connectivity wake up and realize that consumers are on to their culpability in furthering the spam problem. Basically, one is either part of the problem because of greed or ignorance or part of the solution in demanding that their internet service providers are responsible netizens. Blocklists are the only responsible way to handle spam, IMHO.

Miss Betsy

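The point made above, that the receiving server records the connecting IP address while everything below that line is supplied by the sender, can be checked mechanically. The following is an added example, not part of any forum post and not SpamCop's parser: it walks the Received lines from the top and returns the last one stamped by the recipient's own provider. The sample is taken from the header posted earlier in the thread; the function names and the provider suffix list are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the two Received lines from the header posted earlier in
# this thread (mailboxes left obfuscated with "[at]" as on the page).
SAMPLE_HEADERS = (
    "Received: from ovrexusoe157.converseexcursion.net ([128.168.242.157])"
    " by bay0-mc11-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);"
    " Fri, 21 Nov 2008 09:20:29 -0800\n"
    "Received: from diego2 (127.0.0.1) by ovrexusoe157.converseexcursion.net"
    " (PowerMTA v3.5r7) id h4rn180mnfge for <alphatek[at]hotmail.com>;"
    " Fri, 21 Nov 2008 09:11:29 -0800\n"
    'From: "FICOScore" <importantupdate[at]grovellingresist.net>\n'
    "Subject: Check the important updates on your FICO Credit Report\n\n"
)

# "from <name the sender claimed> (<optional rDNS> [<peer IP>]) by <stamping host>"
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((?:[^)\[]*\[)?([0-9A-Fa-f.:]+)\]?\)\s+by\s+(\S+)", re.I)

def parse_hops(raw):
    """Return Received hops top-down (newest first); skip lines that do not parse."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))   # unfold continuation lines
        if not m:
            continue
        claimed, ip, by = m.groups()
        try:
            ip = str(ipaddress.ip_address(ip))            # reject non-address matches
        except ValueError:
            continue
        hops.append({"claimed": claimed, "ip": ip, "by": by.lower()})
    return hops

def handoff_hop(raw, my_provider_suffixes):
    """Deepest Received line, in the unbroken run from the top, stamped by our provider.

    Limitation: a forged line naming our provider directly below the genuine
    ones would extend the run, so the suffix match alone is not proof.
    """
    handoff = None
    for hop in parse_hops(raw):
        if not hop["by"].endswith(tuple(my_provider_suffixes)):
            break          # from here down the headers came from the sending side
        handoff = hop      # stamped by a host we trust: "ip" is the peer it saw
    return handoff

if __name__ == "__main__":
    print(handoff_hop(SAMPLE_HEADERS, [".hotmail.com"]))
```

The address in the returned hop is the one to look up and report; the `claimed` name and every lower Received line are whatever the sending side chose to write.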
rconner Posted November 22, 2008

> I was looking at all the other message source details from Cortez and I found that the domain name "converseexcursion.net" only appears on one of the emails. Although they all appear to be from the same IP range, the domain names are different on each one. How is that possible when all the IP addresses are from the same range? I'll show you what I mean by posting the message source for 4 of the emails from Cortez....

First of all, before we go too far down this road, folks on this forum usually prefer that we post spam mails or headers in the form of SpamCop tracking links. This requires that you submit the mail to SpamCop. You do not have to complete the reports, but you do have to get a tracking URL and then post the tracking URL here instead of the actual spam. This reduces the volume of the post but more importantly ensures that we are looking at an accurate and valid copy of the message. See http://forum.spamcop.net/scwik/TrackingURL. If you aren't currently a SpamCop member, you would have to register in order to do this.

As to your question, it is entirely possible that multiple hosts in multiple domains can have the same IP address. It is also possible for a single host name to resolve to multiple IP addresses. DNS is not a "one-to-one" situation. You should follow the process I gave above to work through each case.

-- rick

on edit: changed reference link for Tracking URL

Stomp Posted November 22, 2008 Author

rconner, I'd like to post spam mails or headers in the form of SpamCop tracking links and submit the mail to SpamCop, but I'm a total noob at this and I'm not sure how to do all that. I followed the link you gave me and it has too many options in it. Sorry, but I'm lost with all this.

rconner Posted November 22, 2008

> rconner, I'd like to post spam mails or headers in the form of SpamCop tracking links and submit the mail to SpamCop, but I'm a total noob at this and I'm not sure how to do all that. I followed the link you gave me and it has too many options in it. Sorry, but I'm lost with all this.

I wish there were a Royal Road to Geometry here, but there is not. You simply need to work through the process. You seem to have the basic skill set for it. Here are some steps to follow.

1. Register to use SpamCop (for free) if you are not already a member: http://www.spamcop.net/anonsignup.shtml
2. Get the original, full, and unmodified SMTP packet of the spam mail you received. Follow these instructions if you need them: http://www.spamcop.net/fom-serve/cache/19.html
3. Log in to the SpamCop website using your registration name and password.
4. Paste the spam packet into the web form.
5. Press the "Process spam" button and wait for the parser to analyze the message.
6. On the results page, near the top, you will see "Here is your TRACKING URL..." This is the link you want to save and paste to the forums here.
7. If you want to report the spam, click the "Send spam Report(s) Now" button, otherwise you can cancel them via the "Cancel" button. The tracking link is retained for your use even if you cancel the reports.

Can't make it much simpler or more linear than that.

-- rick

Stomp Posted November 23, 2008 Author

Thanks very much for that, those instructions have made it a lot more clear. I reckon they should sticky your step by step tips in a thread for other noobs like me.

Wazoo Posted November 23, 2008

> Thanks very much for that, those instructions have made it a lot more clear. I reckon they should sticky your step by step tips in a thread for other noobs like me.

Wow! Some might say that Rick went way beyond the call when answering this comment with Tracking URLs for SpamCop submissions

dzaidle Posted November 23, 2008

Actually, it is rather simple: In your firewall or router, block the offending ISP(s) and/or domain(s). I use this for my company's entire server (globally blocking all offshore--from the US--IP addresses and individually blocking domestic IP addresses and domains), thus reducing our spam load by 95 percent and more.

rconner Posted November 24, 2008

> Actually, it is rather simple: In your firewall or router, block the offending ISP(s) and/or domain(s).

Yes, that would work if you run your own mail host and it is behind the firewall with you. You could also set up hosts.deny filters or probably even Sendmail rules to the same effect. Most of us end-users don't have the ability to take advantage of it, however, since we get all our mail from an MDA run by our providers, and we don't receive mail directly via outside SMTP connections.

-- rick

Archived
This topic is now archived and is closed to further replies.