chris4877
Sergeant, Premium Member
Joined: May 03, 2006 Posts: 115
Posted: Mon Sep 22, 2008 1:03 pm Post subject: Spams Without Links to Spamvertised URLs
Spams Without Links to Spamvertised URLs
Is there anything that can be done about the following types of spam described below?
They very rarely, if ever, contain any kind of spamvertised URL, so there is nothing to report to any web hosting admin, or via KnujOn, SIRT, Complainterator, for example.
Apart from reporting the spam itself to the sender's ISP (usually via SpamCop), where else could such reports be sent?
1. Deposit (419) Spams
These usually contain only mailto: links, sometimes a fax number.
2. Lonely Hearts Spams
Similar to No. 1, these usually contain only mailto: links. The From: and Reply-to: addresses are always fake. Sometimes they contain a .jpg attachment with a picture of a moderately attractive Russian or Eastern European minor female celebrity, who is very probably almost totally unknown to the outside world. I suspect that these pictures have probably been copied from websites or magazines, but they seem sometimes to have been "Photoshopped" to make them look as if they have been taken with a cheap digital camera or a mobile phone (cell phone) camera (i.e., taken by an amateur).
3. Fake Academic Qualifications
These usually contain only phone numbers, usually US-based.
4. Money Laundering (Masquerading as Fake Job Offers)
These usually contain only mailto: links or telephone or fax numbers. Very rarely, there is an actual URL pointing to the bogus international company which is offering the supposedly extremely lucrative position.
5. Malware Spams
These usually contain malware-infested attachments, along with a social engineering-type message designed to induce the unsuspecting recipient to open the attachment. It should be noted that these differ from spams containing actual links to malware distribution sites.
6. Pump-and-Dump Stock Spams
There is usually just a very brief plain text message. Occasionally the message is conveyed via an inline image, rather than plain text. (It should be noted that KnujOn does report these to the US SEC).
There doesn't seem to be any point reporting any of the above types of spam via KnujOn, SIRT, Complainterator or the like. Does anyone know where to report them?
I've been getting a lot of the above types of spam lately. In fact, in the last few months, they have reached a level of 15 - 20% of my total spam count, where previously they would have been less than 1%. (Nevertheless, having said that, it is still the case that the vast majority of the spam I receive is for fake pharmaceuticals, fake luxury items and online casinos).
Also, over the months of June, July and August 2008, I received almost 1000 spams containing malware links. On the other hand, so far this month, I have received fewer than 10 such messages, but the number of messages with malware attachments has increased from only 1 during July to 12 during August and then to 21 so far during September (with 8 days to go)!
Information, ideas or suggestions would be most welcome!
_________________ Chris Souter
AlphaCentauri
SIRT Handler, Premium Member
Joined: Nov 20, 2003 Posts: 2899
Posted: Mon Sep 22, 2008 10:49 pm
Phone numbers can be reported to the phone companies that own them. Try looking them up at http://www.telcodata.us/telcodata/telco. Some will shut the numbers down, some won't.
Email addresses can be reported to the free email services. Yahoo is very good at shutting them down, or at least they reply promptly to say they are doing so. Sometimes it takes some work to find out where to report others, but I am often pleasantly surprised at how fast I get action from countries I might have expected to be more laissez-faire. (Don't even think of abusing a .za free email account from South Africa.)
I have Spamcop.net set up with an extra reporting address for the SEC; when I get stock spam I just check that box when I confirm the spam.
Spamcop now accepts spam with malware attachments, so I send them there. In the case of email worms, I have contacted the originating ISP directly, assuming the source is someone who has me in his/her address book and might appreciate getting tipped off about the problem. But I haven't had one of those in several years now.
I haven't tried reporting the lonely hearts spam, but spamislame will often pursue those until the sponsor agrees to cut off the spamming affiliate.
As always, Spamcop works best for reporting the origin of any kind of spam -- if the IP is in the headers, the person logged into that IP address at the time the spam was mailed is usually the innocent owner of a compromised machine, and the Spamcop report may be the first notice he/she receives that there is a problem. (The caveat is that people need to inform Spamcop of any of their own mail servers, so they aren't reporting themselves.)
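The Received-header walk AlphaCentauri describes, together with the "tell SpamCop about your own mail servers" caveat, as an added Python example that is not part of this thread and is not SpamCop's own code. The message, hostnames and IP addresses are constructed for illustration; the trusted-host set stands in for the mailhost registration the post refers to. The example goes slightly beyond the post by also showing why a forged Received line placed by the spammer never influences the result.

```python
import email
import re

# Constructed sample, not a message from the thread. The newest Received stamp
# comes first. Our own servers (mail.example.net, mx2.example.net) wrote the
# first two stamps; the third was forged by the sender to point at an innocent
# third party.
SAMPLE_SPAM = b"""\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <chris@example.net>; Mon, 22 Sep 2008 12:01:00 +1000
Received: from [203.0.113.42] (helo=pc-at-home.isp.example)
\tby mx2.example.net with SMTP id 4D5E6F
\tfor <chris@example.net>; Mon, 22 Sep 2008 12:00:55 +1000
Received: from mail.bigbank.example (mail.bigbank.example [192.0.2.99])
\tby smtp.bigbank.example with ESMTP id FAKE01; Mon, 22 Sep 2008 11:59:00 +1000
From: "Statement Dept" <statements@bigbank.example>
To: chris@example.net
Subject: Your statement is attached

Please open the attached statement.
"""

# Hypothetical hostnames of the mail servers we control. This is the
# information the thread says must be registered with the reporting service,
# so that a report never names your own relay as the spam source.
TRUSTED_HOSTS = {"mail.example.net", "mx2.example.net"}

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP = re.compile(r"from (?P<frm>.+?) by (?P<by>\S+)", re.IGNORECASE)


def parse_hops(raw_message):
    """Return the Received hops newest-first as dicts holding the sending host
    token, the bracketed IP of the sender (if any) and the receiving host."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m = HOP.match(text)
        if not m:
            continue  # a stamp without "from ... by ..." tells us nothing
        frm = m.group("frm")
        ip = IPV4.search(frm)
        hops.append({
            "from_host": frm.split()[0].lower(),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower(),
        })
    return hops


def naive_origin(hops):
    """What you get with no mailhost configuration: the IP in the newest stamp,
    which for mail that passed through your own relays is your own server."""
    return hops[0]["ip"] if hops else None


def find_origin(hops, trusted_hosts):
    """Walk newest-to-oldest, trusting only stamps written by our own servers.
    The first hop handed in by a host we do not run is the origin. Stamps
    written by foreign hosts are never consulted, so a forged line at the
    bottom of the header cannot redirect the report."""
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            return None  # chain left our control before an origin was found
        if hop["from_host"] not in trusted_hosts:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_SPAM)
    print("naive   :", naive_origin(hops))                # 192.0.2.20 (our own relay)
    print("verified:", find_origin(hops, TRUSTED_HOSTS))  # 203.0.113.42
```

With an empty trusted set the walk stops at the very first stamp and reports nothing, which is the safe failure; the naive reading of the top stamp is what produces the "reported my own server" outcome described later in the thread.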
chris4877
Sergeant, Premium Member
Joined: May 03, 2006 Posts: 115
Posted: Tue Sep 23, 2008 1:33 am
Thanks, I'll try that and see how far I get. (I have to say I wonder how much notice a US telco will take of a complaint from "Down Under.")

AlphaCentauri wrote:
> Email addresses can be reported to the free email services.

So, I guess I'll just have to start looking up all their abuse addresses. What a royal PITA!

AlphaCentauri wrote:
> Yahoo is very good at shutting them down, or at least they reply promptly to say they are doing so.

Well, that's something, at least! Most of the mailto: links I'm getting seem to be at Gmail. Like Yahoo, Google just sends out canned replies to these complaints and the complainant never hears any more about it, so there doesn't seem to be any way to find out whether action has actually been taken!

AlphaCentauri wrote:
> Sometimes it takes some work to find out where to report others

You're certainly not wrong there!

I recently got a MIRT-type spam referencing a site hosted by TPG, one of Australia's biggest ISPs. I always report these in full to SpamCop (so-called "confirmed" SpamCop reporting). I was astounded to find that TPG refuses SpamCop reports for this type of abuse, so I surfed on over to TPG's website, only to find that abuse has to be reported through a web form AND THE COMPLAINANT MUST BE A TPG CUSTOMER! I then did some more digging and, using a whois lookup, I found a couple of abuse addresses, to which I promptly sent my reports, complete with the SpamCop parsing report along with an attached, unmodified copy of the original spam. I never received any acknowledgement, so God only knows whether or not they did anything about it.

AlphaCentauri wrote:
> I have Spamcop.net set up with an extra reporting address for the SEC

I just let KnujOn do these automatically.

AlphaCentauri wrote:
> Spamcop now accepts spam with malware attachments, so I send them there.

I use SpamAssassin and have a filter set up in Thunderbird to forward all SpamAssassin-marked spams to (1) KnujOn and (2) SpamCop "Quick" reporting. However, if I get a spam containing malware, I report it in full to SpamCop, adding a note to the originating ISP that the spam in question contains a malware attachment. AFAIK, SpamCop "Quick" reporting ignores (1) attachments and (2) URL links contained within attached messages forwarded for "Quick" reporting.

AlphaCentauri wrote:
> In the case of email worms, I have contacted the originating ISP directly

As I stated above, I do that by means of a SpamCop "Confirmed" report, with a virus warning note added to the SpamCop report.

AlphaCentauri wrote:
> But I haven't had one of those in several years now

Well, I've been getting heaps of them lately! (I never knew this before, but apparently all the world's major credit card companies have now begun sending out their statements in the form of self-extracting executables to everyone, regardless of their status as a customer or non-customer! I suppose this is all being done in the name of greater efficiency and cost reductions. Airline companies and courier companies also seem to be doing the same thing). (Tongue firmly planted in cheek).

AlphaCentauri wrote:
> I haven't tried reporting the lonely hearts spam, but spamislame will often pursue those until the sponsor agrees to cut off the spamming affiliate.

So, how should I go about getting them to him, or at least bringing them to his notice? (You can PM or email me on that if you think it's necessary).

AlphaCentauri wrote:
> Spamcop works best for reporting the origin of any kind of spam

I have been a proud member of SpamCop since 2005. I also used the SpamCop WebMail service for a while, but I discontinued that after I switched to Gmail.

AlphaCentauri wrote:
> the Spamcop report may be the first notice he/she receives that there is a problem

Well, I must certainly back you up on that! My own ISP, Exetel, quite unlike TPG, takes SpamCop reports very seriously, a fact that I learned the hard way!

When I was using SpamCop WebMail, I was doing "Confirmed" reporting of all spam received in that account, whether it was in the InBox, or in the "Held Mail" folder. I was doing this by forwarding the spam to my reporting address. Once, however, I made a BIG MISTAKE, by inadvertently REPORTING MY OWN REPORT EMAIL! I had done this at about midnight.

The next morning, at about 6:00am, I booted up the machine as usual, started up the browser to log onto SpamCop, and I was instead redirected to an Exetel webpage which contained a message that my internet access had been disconnected until such time as I could certify that my machine was free of malware, which I could do by filling out a web form on that page. Internet access would then be restored AFTER A FURTHER 3 HOURS!

This was only for a "first offence." I later discovered that a second offence would result in my account being cancelled, with restoration only available after the payment of a fairly hefty reconnection fee, along with (AFAICR) an additional fee applicable in the case of an offender whose account was still within the contract period, whilst a third offence would result in total account cancellation with NO POSSIBILITY OF RESTORATION BY ANYONE AT THE SAME PHYSICAL (i.e., STREET) ADDRESS!

AlphaCentauri wrote:
> The caveat is that people need to inform Spamcop of any of their own mail servers, so they aren't reporting themselves

See my little story above.

Anyway, thanks for all your info, and especially for the email you sent me about the phone number spam!

BTW, you might like to have a look at my other post from last night. CC seems to be slowing down again, and has been slowly getting worse over about the last 7 days or so. I sincerely hope it's not another DDoS attack!
_________________ Chris Souter
pwillener
SRT Trainee, Premium Member
Joined: Apr 17, 2006 Posts: 1840 Location: Japan
Posted: Wed Sep 24, 2008 6:12 am
Google accepts complaints about abused Gmail addresses at their web form http://mail.google.com/support/bin/request.py?contact_type=abuse_spoofing. I know that they only send out canned responses, but I also know that they usually act upon complaints in a timely manner.
Spamcop.net is very good at finding abuse addresses when you simply paste the offending email address into the reporting form. If you have a paid SC account, you can simply CC (user copy) the email abuse address.
AlphaCentauri
SIRT Handler, Premium Member
Joined: Nov 20, 2003 Posts: 2899
Posted: Wed Sep 24, 2008 11:30 am
chris4877 wrote:
> I use SpamAssassin and have a filter set up in Thunderbird to forward all SpamAssassin-marked spams to (1) KnujOn and (2) SpamCop "Quick" reporting.

I hope you don't autoreport any of my emails! I have a lot of trouble getting emails past spam filters when I report to registrars who have antispam filters on the addresses where we are supposed to report spam and don't seem to have the ability to whitelist senders. Spam filters can be a huge problem for spam fighters.

chris4877 wrote:
> AlphaCentauri wrote:
> > In the case of email worms, I have contacted the originating ISP directly
>
> As I stated above, I do that by means of a SpamCop "Confirmed" report, with a virus warning note added to the SpamCop report.
>
> AlphaCentauri wrote:
> > But I haven't had one of those in several years now
>
> Well, I've been getting heaps of them lately!
By "email worms," I mean the specific malware that goes into a person's address book and constructs emails using one of the addresses as the "from" and another as the "to," then sends copies of itself out. So any that you receive must be from people who have you in their address books, although you won't see the address of the person who is sending the malware in the "from" fields, only their other friends. I take more effort for those as it may be someone I know.
The recent spam-linked malware are other types, not email worms. I'm beyond my depth here, but I can at least parrot the names I see, "trojans," "droppers" and "downloaders."
As far as the site slowdown, I have no idea, but I'm pretty sure it's not a DDoS, as Robin mentioned trouble logging in and thought the problem was on her end. (She's a week and a half post dates right now if she hasn't delivered, so she's not getting involved in solving any problems for now.)
Asterix
Guest IP: 208.124.*.*
Posted: Wed Sep 24, 2008 3:40 pm Post subject: Yahoo profiles
chris4877 wrote:
> Well, that's something, at least! Most of the mailto: links I'm getting seem to be at Gmail. Like Yahoo, Google just sends out canned replies to these complaints and the complainant never hears any more about it, so there doesn't seem to be any way to find out whether action has actually been taken!
With Yahoo you can check to see whether the account has been terminated. Just browse to http://profiles.yahoo.com/<userID> and see whether that page exists.
AlphaCentauri
SIRT Handler, Premium Member
Joined: Nov 20, 2003 Posts: 2899
Posted: Thu Sep 25, 2008 10:01 pm
for email addresses @jmail.co.za:
support@jobs.co.za
and don't forget to add
fraud.alert@met.police.uk
to any reports, just in case they are operating in the UK.
(Perhaps including that as cc is part of why my reports to report_spam@hotmail.com always get accepted first try?)
downie
PIRT Handler
Joined: May 19, 2006 Posts: 3984
Posted: Fri Sep 26, 2008 3:08 am
AlphaCentauri wrote:
> and don't forget to add fraud.alert@met.police.uk to any reports, just in case they are operating in the UK.

I believe Met Fraud are only interested if there is a definite UK connection, e.g. a UK (+44) phone number, or a real UK address actually being used for correspondence.

UK portable numbers are detailed at http://www.ofcom.org.uk/telecoms/ioi/numbers/numbers_administered/ (Excel format) so you can find out the telco. Common ones are:
Magrathea: support magrathea-telecom.co.uk
Open Telecom: abuse open-telecom.co.uk
(insert @s above).
_________________ "For evil to triumph utterly, it is only necessary that good men do nothing."
chris4877
Sergeant, Premium Member
Joined: May 03, 2006 Posts: 115
Posted: Fri Sep 26, 2008 11:12 pm
Thank you very much, everyone for all your replies!
What a wealth of information!
You've all given me heaps of new stuff to study and learn about!
It has all been VERY MUCH APPRECIATED!
_________________ Chris Souter
spamislame
SIRT Handler
Joined: Apr 19, 2006 Posts: 217
Posted: Sat Sep 27, 2008 1:12 am
One side note:
Those "Russian lonelyheart" spam messages: they make for some great ammo.
Want to fill out a mortgage lead? Use their email address.
Got a 419 scam message? Respond and tell them to use that address as the response address.
That should keep them busy for a while. I've been doing that for a year or more. I'd love to see some of the back and forth between "britishlotterymanager@hotmail.com" (british lottery 419 scam) and "lola119@lnhhome.com" (UALadys Russian dating scam).
SiL
Tamianth
Cadet
Joined: Jul 11, 2008 Posts: 2 Location: USA
Posted: Sun Sep 28, 2008 5:39 am
spamislame wrote:
> Those "Russian lonelyheart" spam messages: they make for some great ammo.
> Want to fill out a mortgage lead? Use their email address.
> Got a 419 scam message? Respond and tell them to use that address as the response address.
> That should keep them busy for a while. I've been doing that for a year or more. I'd love to see some of the back and forth between "britishlotterymanager@hotmail.com" (british lottery 419 scam) and "lola119@lnhhome.com" (UALadys Russian dating scam).

Thank you for a good laugh as well as an idea, Spamislame.
_________________ ~Kathy
Bia_B8R
Cadet, Premium Member
Joined: Jul 25, 2008 Posts: 4 Location: USA
Posted: Sun Sep 28, 2008 8:55 am Post subject: Good info in this thread
Hey AC & SIL!
Glad to find all the good info in this thread. I've already put it to good use.
Hope you're having a good weekend...Bia
AlphaCentauri
SIRT Handler, Premium Member
Joined: Nov 20, 2003 Posts: 2899
Posted: Sun Sep 28, 2008 12:54 pm
Hi, Bia!
@ Tamianth:
You've discovered two of the little idiosyncrasies of the CastleCops forum: If you swipe the text and hit "quote," instead of enclosing it in quotes, it puts both open and close quotes at the end of the post. (Same with italics/bold/color etc.) And you can't go back to edit after fifteen minutes.