Tag Archives: spam

🤣🤪

in my attempts to break free of #twit™ #turd™, i have created a reddit profile. i joined the r/incense subreddit, and almost immediately got banned for “spam”. the “spam” i am guilty of disseminating was the phrase “i’ve got resins for sale: pure frankincense, copal, and loban (separately)… i’ve also got a big chunk of palo santo.” which i posted in response to ONE person.

it’s not “spam”. i didn’t advertise anything, i didn’t include links to my business, and i didn’t “mass mail” anybody: this was in response to ONE person.

nevertheless, the moderator that banned me was disinterested in discussing it, because “we both know what spam is”, and, as i am a “newbie” at reddit, i didn’t feel like arguing about it…

but… 😉

i was searching for other subreddits which may or may not be similar to r/incense, when i came across this post… in r/incense 🤣

someone else’s reddit ad in a subreddit from which i was banned… 😉

and it got 14 upvotes! 👍👍😉 this is, also, NOT spam (as it is on my own web site): a link to 999 Lord Krishna Puja Agarbatti, if anybody reading this is interested in purchasing some. 😉

why?????? 😕

when i woke up this morning, at approximately 8:30, i checked my email, and i had over 1,000 identical spam messages, in my spam folder, and more coming in as i watched… now, at 9:45, i have deleted approximately 1,000 MORE identical spam messages… and there are more coming in at this very moment…

ETA: as of 11:00, i have deleted at least 1,000 MORE identical spam messages… 🙄 if i don’t read it the first time, what could POSSIBLY make a person think that i’ll read it the 5,000th time?

WHY do people do this?

<sigh> 🙄

i suppose it’s similar to asking why people write scripts to delete all the data in unknown peoples’ cloud drives.

as winston churchill said, it doesn’t take all kinds, but there are all kinds. 🙄

YAAAAAA!!!! 😈

i got home from my circus class this afternoon, and discovered approximately 1000 IDENTICAL spam messages in my spam receptacle. over the course of the next half an hour or so, i deleted approximately 500 more IDENTICAL spam messages…

so i decided to do some research. what i came up with is that EVERY ONE of those spam messages had been sent from an IP address in the range of 37.32.0.0/16, in iran.

so i blocked it.

and NO MORE SPAM from that range of IP addresses. not a single one! 👍

THIS is why i do it! 😈

why i do it, part ∞

Re:[## 78615541 ##] ABUSE VIOLATION: Give your feedback, get a $75 8J+NqPCfjag

Zoho Campaigns has a zero tolerance policy towards spam, and we do everything we can to curtail it. Thank you for sharing the email header. We have taken punitive action against the user as per our terms of use.

i don’t get these notices often, because of various “spam policies” held by the offending parties, but, occasionally, i get solid validation that the spammer i reported has been flattened by the mallet.

it feels good.

why??? 🤷

why do people who use IPVanish still try to crack my web sites?

why do people who use IPVanish seem to think that i WOULDN’T have a 30-character passphrase and 2FA enabled on my web sites?

why do people who use IPVanish STILL try “Admin123” and other idiotically simple logins from easily traceable IP addresses (despite IPVanish)?? 😕😒

what i know

this morning, my wife got what appeared to be a “legitimate” email, but it was delivered to my spam box.

here’s what i know:

it purports to be from the “Colorado State University” department of “Veterinary Continuing Education”, with the URI “CSUvetCE dot com”.

it was delivered by way of an open relay in germany, using at least two other open relays in other, eastern european countries.

my wife CLAIMS that the “Colorado State University, Department of Veterinary Continuing Education” is a legitimate business for which several of her colleagues work.

there is an EXTREMELY good chance that, if someone from the “Colorado State University, Department of Veterinary Continuing Education” were to send my wife an email message, it would come through the mailservers at colorado state university, IN COLORADO, and NOT through several open relays in other countries.

it was addressed to my wife, using an email address for ME, which i haven’t used in at least 5 years.

when i visited the “manage my subscriptions” page at “CSUvetCE dot com”, it listed my wife’s name, only her last name was in the “first name” slot, and her first name was in the “last name” slot, followed by my email address, the physical address where she works, except that instead of being on mercer island, it was listed as being in “medina”, which is a suburb of bellevue, about ten miles away from the actual address location, on the mainland. and, it listed the zip code as being the one where we currently live, which is neither mercer island, nor medina.

the same “manage my subscriptions” page has her listed as the “chief executive officer” of “at home veterinary services”. she does NOT work for “at home veterinary services”, and she is NOT the “chief executive officer”.

when i tried to change the “STATUS” of her subscription from “subscribed” to “unsubscribed”, it didn’t work. i tried it multiple times, and every time the page reloaded, the status said “subscribed”.

so i checked… “CSU” is CHICAGO state university, and their URI is “CSU.EDU”. COLORADO state university’s URI is “colostate.edu”, and the ACTUAL “Colorado State University, Department of Veterinary Continuing Education” is at “cvmbs.colostate.edu”.

now, i don’t KNOW whether or not “CSUvetCE dot com” is a spammer scam or not, but i know that EVERYTHING i have found so far leads me to the conclusion that it is a spammer scam. 😒

also i don’t know why someone would go to SO! MUCH! TROUBLE! to put together a web site that tries its DAMNEDEST to look like a legitimate business, just to lure the relatively few people who are in the veterinary industry into submitting their information to a spam list.

but, as i said… EVERYTHING i have found so far leads me to the conclusion that it’s PRECISELY what they have done…

weird.

ETA: okay, this is getting weirder now… after a bit more poking around, i found an announcement on this page which appears to indicate that CSUvetCE dot com is, in fact, a legitimate page, and not a spammer scam… which, then, makes me wonder EVEN MORE about why the email was sent via open relays to an address that had OBVIOUSLY been scraped from who knows where… like… does the Colorado State University Department of Veterinary Continuing Education care THAT LITTLE about the ethics of the emails they’re sending out? do they even CARE?? 😒

ETA, part 2: i wrote to them, asking why they have a scraped address on a form that doesn’t work. their response said they couldn’t find that address on their mailing list. i wrote back with all the details, including a screen shot and a URI to the spot they said they couldn’t find. they haven’t responded… yet…

i’m back to thinking that this might be a spammer scam masquerading as a legitimate business, and the legitimate business doesn’t have the first clue what is going on. 😒

damn right they’re blocked! 🤬

i got the following notification from my anti-cracker service:

A user with IP addr 2001:41d0:305:1000::1250 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username '[login]' to try to sign in.
The duration of the lockout is 2 months.
User IP: 2001:41d0:305:1000::1250
User hostname: hr914433990.reseller.mis.ovh.net
User location: France

i’ve been seeing these login attempts using “[login]” for some time now — and why, in the name of all that’s holy, would ANYONE use, or allow another person to use “[login]” as a username, is beyond my limited imagination, but that’s not the main reason this notification caught my eye…

it’s because of the user hostname, which is a reseller host at ovh.net 🙄

i’ve been dealing with spam and cracking attempts from OVH for AT LEAST ten years. unfortunately, it’s nothing new… but this is the first time they’ve tried to get around my blocks by using an IPv6 address.

and it wasn’t OVH directly, it was a reseller, but the fact is still plain that OVH STILL enables spammers and crackers to work with impunity from their networks.

FUCK OVH! 🤬😠👎👎‼

and add 2001:41d0::/32 to my block list! 🙄

Rule #3

Rule #3 states “Spammers are stooOOpid.”

if you need an example of rule #3, i have one for you:

the spammer sent mail from a computer called… get this…

UCEBOX.CO.ZA

😝😂🤣🤪🤦😠🤬

for those of you who still don’t “get” it, not only is the computer in south africa, home to all things shady and illegal, but “UCE” stands for “Unsolicited Commercial Email”… in other words, “spam”.

it’s as though they’re saying, “fuck yeah, we’re so gawd-damned proud of the illegal spam we send, that we’re going to name our computer after it, and nobody will care, even if they do notice!”

people should have to take an intelligence test before being allowed into the human race.

seriously.

spam update

i have now, officially, blocked IP address ranges in the following countries:

afghanistan
albania
angola
argentina
aruba
australia
austria
bangladesh
belarus
belgium
bhutan
bolivia
bosnia & herzegovina
brazil
british virgin islands
bulgaria
cambodia
canada
chile
china
colombia
congo
cote d’ivoire
croatia
czech republic
denmark
ecuador
egypt
el salvador
estonia
finland
france
georgia
germany
ghana
greece
guatemala
honduras
hong kong
hungary
iceland
india
indonesia
iran
iraq
ireland
israel
italy
japan
jordan
kazakhstan
kenya
kyrgyzstan
latvia
lithuania
luxembourg
macao
malaysia
mexico
moldova
monaco
mongolia
morocco
myanmar
netherlands
new zealand
nigeria
norway
pakistan
panama
paraguay
peru
philippines
poland
romania
russia
serbia
seychelles
singapore
slovakia
south africa
south korea
spain
sweden
switzerland
taiwan
tajikistan
tanzania
thailand
trinidad & tobago
turkey
UK
ukraine
uruguay
USA
uzbekistan
vietnam

the big winners are china, russia, and india, and the runners up are spain, uzbekistan and kazakhstan…

and the good ol’ united states of ‘merica makes an appearance, as well.

before i started blocking whole swaths of IP addresses, the CPU usage on my server was between 75% and 100%, pretty much always. since i started blocking IP address ranges, my CPU usage is between 2% and 5%… which means that my web sites respond more quickly.

a side benefit is that, often, the same IP address ranges that are used by spammers, are also used by crackers, skript-kiddies, and other miscreants, so by absolutely blocking them (using both the IP Blocker and the Global Email Filters) i kill two birds with one stone. 😉

the down side is that i’ve been catching a few false positives, which are messages from people within north america, but, through no fault of their own, sent their messages at EXACTLY the right time, so that the date in their message ID gets caught by the rule that’s supposed to catch IP addresses… 😖

but, honestly, there have been fewer than 10 false positives in the last 6 months (they tend to come in spurts: i’ve caught 3 today, but haven’t seen one for months), whereas, if left unfettered, i would have received, easily, 100 times that many spam messages PER DAY, so, in all, i’m almost ready to make my list available to anybody else who wants to cut down on the people who send you spam… 😉

new regex stuff!

logical operators! thanks ian! 😉

+ () [] - |

(stuff that remains the same)+(stuff that changes) – otherwise known as “capture groups”

[89] = 8 or 9

[0-4] = 0, 1, 2, 3, or 4

| = logical OR

so…

\D(85\.157\.47\.)+(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])\D

means “capture everything in 85.157.47.128/25”

which, up until now, has meant “make a separate rule for every IP address between 85.157.47.128 and 85.157.47.255” — 128 SEPARATE RULES, which takes A LONG time, and slows down processing speed.

this is a BIG step forward!

WOO!!! 😎👍

ETA 200205: even more WOO!!! because ian directed me to a RegEx Numeric Range Generator, which means that i don’t have to figure them all out myself! WOO!!! 😎👍
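as an added example (not the post’s own rule, and not the generator ian linked), here is the numeric-range-to-alternation trick in python, plus a helper that turns a whole IPv4 CIDR block into one pattern; the header lines are constructed. one caveat a filter writer wants: in a regex `+` means “one or more”, not “joined to”, so `(85\.157\.47\.)+` also accepts that prefix written twice in a row, which the block demonstrates.

```python
import ipaddress
import re


def _fill_by_nines(n, count):
    """Replace the last `count` digits of n with 9s (128 -> 129 -> 199 -> 999)."""
    return int(str(n)[:-count] + "9" * count)


def _fill_by_zeros(n, count):
    """Round n down to a multiple of 10**count (256 -> 250 -> 200)."""
    return n - n % 10 ** count


def _split_to_ranges(lo, hi):
    """Cut lo..hi at the x9..9 and x0..0 boundaries; return the sorted stop points."""
    stops = {hi}
    count, stop = 1, _fill_by_nines(lo, 1)
    while lo <= stop < hi:
        stops.add(stop)
        count += 1
        stop = _fill_by_nines(lo, count)
    count, stop = 1, _fill_by_zeros(hi + 1, 1) - 1
    while lo < stop <= hi:
        stops.add(stop)
        count += 1
        stop = _fill_by_zeros(hi + 1, count) - 1
    return sorted(stops)


def _range_to_pattern(start, stop):
    r"""Pattern for one aligned sub-range, e.g. 130..199 -> 1[3-9]\d."""
    pattern, wild = "", 0
    for s, e in zip(str(start), str(stop)):
        if s == e:
            pattern += s
        elif s != "0" or e != "9":
            pattern += "[%s-%s]" % (s, e)
        else:
            wild += 1  # a full 0-9 position becomes \d
    if wild:
        pattern += r"\d" + ("{%d}" % wild if wild > 1 else "")
    return pattern


def range_regex(lo, hi):
    r"""Alternation matching every integer lo..hi (128..255 -> 12[8-9]|1[3-9]\d|2[0-4]\d|25[0-5])."""
    if lo > hi:
        raise ValueError("lo must not exceed hi")
    parts, start = [], lo
    for stop in _split_to_ranges(lo, hi):
        parts.append(_range_to_pattern(start, stop))
        start = stop + 1
    return "|".join(parts)


def cidr_regex(cidr):
    r"""Regex for one IPv4 CIDR block: fixed octets literal, the rest via range_regex.

    Lookarounds instead of \D let the address sit at the very start or end of a line.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    first, last = net.network_address.packed, net.broadcast_address.packed
    octets = [str(lo) if lo == hi else "(?:%s)" % range_regex(lo, hi)
              for lo, hi in zip(first, last)]
    return r"(?<!\d)" + r"\.".join(octets) + r"(?!\d)"


# Constructed sample header lines (not real mail): one address inside
# 85.157.47.128/25, one just below it, and one in an unrelated network.
SAMPLE_HEADERS = """\
Received: from smtp.example.net ([85.157.47.200]) by mx.example.org
Received: from [85.157.47.12] by relay.example.org
X-Originating-IP: 203.0.113.7
"""

# The pattern from the post, verbatim; note the + after the prefix group.
AUTHOR_PATTERN = r"\D(85\.157\.47\.)+(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])\D"


def find_blocked(text, pattern):
    """Return the full text of every match of `pattern` in `text`."""
    return [m.group(0) for m in re.finditer(pattern, text)]


if __name__ == "__main__":
    print(range_regex(128, 255))
    print(cidr_regex("85.157.47.128/25"))
    print(find_blocked(SAMPLE_HEADERS, cidr_regex("85.157.47.128/25")))
    # + is "one or more", so the prefix group may repeat:
    print(find_blocked("x85.157.47.85.157.47.130x", AUTHOR_PATTERN))
```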

calm… i hope no storm…

the past three full days now, i have gotten SIGNIFICANTLY less spam than normal… like, normally i’ll get anywhere from two to six DOZEN spam messages a day, and, since saturday, i have gotten, maybe two dozen total

i’ve been blocking ranges of IP addresses in argentina and peru and china and india and denmark and kazakhstan and iran and lithuania and brazil and germany and LOTS of ranges for russia, and luxembourg and vietnam and turkey and indonesia and romania and the UK and georgia (the country, not the state in the united states), and nigeria and egypt and cambodia and myanmar (and that’s only up to the 45.0.0.0/8 range) like a mad fiend, for about two months prior to saturday… and all of those places are places from which i have never received email that was not spam…

literally, i’ve been blocking JUST ranges connected with the 1LfYcbCsssB2niF3VWRBTVZFExzsweyPGQ “bitcoin porn sextortion” scam since october 4th. 🤬

maybe i’ve finally caught up with the script. i’ve got 1,043 filter rules, and a fair portion of them are IP ranges…

but it feels weird… nobody has complained that they’re not getting important emails, and the false positives that have been coming through are usually either dealt with by changing “contains” to “matches regex”, or by deleting rules that i don’t need any longer… like the one for the .mp TLD, which was giving me false positives all the time because of mailchi.mp, which, while spammy, is not universally spammy, and, as far as i can tell, is the only NON-spammy use of the .mp TLD… but i decided that, instead of figuring out how to rule out legitimate use of a spammy TLD, i just started banning the countries that the spam was coming from…

but it feels weird… i’ve been on edge for a couple of days now, and i’m pretty sure it’s directly related to my relationship with the computer and the ‘net… 😒

but not entirely related… i had a pair of blue sunglasses that i got before i went to oregon to busk, a few months ago, and i lost them about a week ago. since then i’ve been losing a whole bunch of other things — keys, tools, credit cards, that sort of thing — and i’ve been finding them again, usually in the same day, sometimes within the same 15 minutes or so… but i haven’t been able to find my sunglasses, and it PISSES ME OFF because the reason i got them, primarily, was to help alleviate some of my depression, and they have worked ADMIRABLY for that purpose… and i remember thinking, if i put them… wherever it was that i put them… 😕 and left them there for too long, i would probably not remember where they were, the next time i looked for them… 😒

it’s possible that they’re somewhere around the house, but i’ve looked at least three times in every place i can think of, and quite a few that i couldn’t have thought of in a long time, and have nothing to show for it except a much cleaner house. they’re not in the car, as far as i can tell, nor are they in my tuba case, or my tuba bag.

moe is going away for a few days — travelling for stuff related to her book — starting friday, which means that i won’t be able to go busking. and then panto starts (shudder) saturday: two shows, and two shows on sunday, which means that i won’t even be here to take care of the pets for significant portions of both days… fortunately, i’m picking her up at the airport after sunday’s shows are over.

and, on the unicycle side of things, i think i am actually learning to ride the unicycle… i have been consistently riding, in a “more-or-less” controlled fashion, in a marginally straight line, without falling over, half to three-quarters of the way across the gym, for two weeks now. and, i just got “certified” to come in and use the gym for practicing unicycle on days that we’re not having class, so i actually have a place to practice.

/8 blocks

i now have three /8 blocks in my email filters.

25.0.0.0/8 in the UK, 53.0.0.0/8 in germany, and 133.0.0.0/8 in japan.

the “standard” email filters, built on “and/or” and “contains/does not contain”, break down when you’re dealing with 16.75 MILLION addresses.

they break down because you can’t just filter on “25.”, which appears in the middle and end of IP addresses, in message ID numbers, and, occasionally, in the body of the message.

the result is A LOT of false positives: email which i can’t forward to the correct recipient, because it will get filtered AGAIN.

which is quite annoying. 😒

so, with the help of my friend robert, i built a regular expression to handle it:

\D25\.\d{1,3}\.\d{1,3}\.\d{1,3}\D

finds a non-digit character followed by “25.”, followed by three repetitions of one to three digits, interspersed by periods, followed by another non-digit character.

technically, this regex could be adapted to accommodate any IP address, which means that, theoretically, i have a whole new, easier, and faster method of processing spam. 😈

the next step is to learn how to search for a specific range of digits… 😈

ETA 191127 i discovered that you can’t specify a range of digits with a regex. for that, you need a script, which is too much work. also, i determined that i DON’T need the white space character at the beginning and end of the regular expression, because, sometimes, the IP address is surrounded by parentheses, square brackets, or both.

ETA 191128 i changed it from white space character — \s — to non-digit character — \D — because some IP addresses are surrounded by parentheses or square brackets, but some are surrounded by white space characters. the only thing \D doesn’t capture is an empty string, so the IP address can’t be the first thing in the line of text.

and, even with the \D, this regex, modified to capture 27.16.0.0/12 in china, captures 2.2019.11.27.23.41.02, which is part of the message ID on a LEGITIMATE message. 😖😒😠🤬

this is why i’m rerouting these messages, rather than summarily deleting them, which is my inclination… summarily deleting what i think is spam has come back to bite me in the ass often enough that i don’t do it any longer. 😒
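as an added example (not the blog’s own filters), here is the approach that sidesteps the message-ID false positive described above and in the earlier “spam update” post: pull out standalone dotted quads, validate each with python’s ipaddress module, and test membership against the blocked ranges, so “2.2019.11.27.23.41.02” is never mistaken for an address. the block list and header lines are constructed from ranges named in the post.

```python
import ipaddress
import re

# Constructed block list: the three /8s and the /12 the post mentions.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in
                  ("25.0.0.0/8", "53.0.0.0/8", "133.0.0.0/8", "27.16.0.0/12")]

# A dotted quad that is not preceded by a digit or "digit." and not followed by
# a digit or ".digit": that rejects "27.23.41.02" inside 2.2019.11.27.23.41.02
# but still accepts an address at line start, in [brackets], or before a period.
CANDIDATE = re.compile(r"(?<!\d)(?<!\d\.)(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")

# The post's \D-delimited style of regex for 27.16.0.0/12, kept for comparison.
NAIVE_PATTERN = re.compile(r"\D27\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}\D")


def extract_ips(text):
    """Return the valid IPv4Address objects found as standalone dotted quads."""
    found = []
    for quad in CANDIDATE.findall(text):
        try:
            found.append(ipaddress.IPv4Address(quad))
        except ValueError:  # an octet above 255 is not an address
            continue
    return found


def blocked_hits(text, networks=BLOCKED_RANGES):
    """Return (address, network) pairs for every address inside a blocked range."""
    return [(str(ip), str(net)) for ip in extract_ips(text)
            for net in networks if ip in net]


def naive_hit(text):
    r"""True when the \D-delimited regex fires on `text` (it fires on the date, too)."""
    return NAIVE_PATTERN.search(text) is not None


def verdict(text, networks=BLOCKED_RANGES):
    """'reroute' when any address is in a blocked range, else 'deliver'; never delete outright."""
    return "reroute" if blocked_hits(text, networks) else "deliver"


# Constructed sample headers (not real mail).
SAMPLE_HEADERS = """\
Received: from smtp.example.net (smtp.example.net [27.16.5.9]) by mx.example.org
Received: from [203.0.113.8] by relay.example.org
Message-ID: <2.2019.11.27.23.41.02@example.org>
X-Note: 27.16.999.1 has an octet above 255 and is not an address
"""

if __name__ == "__main__":
    print(blocked_hits(SAMPLE_HEADERS), verdict(SAMPLE_HEADERS))
    msgid = "Message-ID: <2.2019.11.27.23.41.02@example.org>"
    print(naive_hit(msgid), verdict(msgid))
```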

oy 😒

this morning i added a second /8 block to my email filters.

for those of you wondering what i’m talking about, a /8 block is the largest block of IP addresses allocated by the IANA.

16,777,216 individual IP addresses.

my first filtered /8 block was in japan. my second one was in germany.

and i STILL get spam from japan and from germany. 😒

it doesn’t seem like it was that long ago that spam was something in a monty python skit, and before that, it was a canned meat byproduct.

it’s not even UCE any longer, because most of it is devoted to scams of one kind or another. actual, commercial email is a tiny fraction of the volumes of script-generated spam, these days.

spam times 16,777,216²… which is a number so large my scientific calculator chokes on it… which is to say, it says 2.81474976711e+14 rather than giving me a number i can understand. 😒

knock wood…

for the first time in a VERY long time, i booted up my computer, checked my email, and did NOT have at least 10 “bitcoin-porn-scam-spam” messages in my spam folder…

in fact, i had NO “bitcoin-porn-scam-spam” messages in my spam folder… or anywhere else…

there was spam in my spam folder, but no “bitcoin-porn-scam-spam” messages.

maybe this is a good sign.

ETA: not as good a sign as i would have hoped, but on the plus side, i now have blocks on more of uzbekistan, kazakhstan, bangladesh, and south africa than i did before.

oh well… 🤷

spammers spamming spam! 🤬

just as a reminder, this has been posted at the Hybrid Elephant Contact Us form:

PLEASE NOTE: This contact form is solely for the use of Hybrid Elephant customers who need to get in contact with us. Every message that is sent with this form includes a unique IP address in the header, which identifies the computer from which the message was sent. If you use this form to spam us, all you will accomplish is to put your IP address on the list of IP addresses which are PERMANENTLY BANNED from accessing Hybrid Elephant for any reason. Please DO NOT USE THIS FORM to send us advertisements or solicitations. It WILL NOT WORK! You have been warned!

this morning, i got spam from my response form (big surprise).

the difference, this time, is that the following message was included at the end of the spam:

IMPORTANT NOTICE: This message has been posted via a Contact Us form on your site. Contact forms are publicly accessible and they can be used for posting messages by anyone. We don’t use, hold or archive your e-mail addresses.

yes, contact forms can be used by anyone, but, particularly when an anti-spam message like the one previously posted is present, a conscientious user of the internet won’t use it unless that person is also a “Hybrid Elephant customers who need to get in contact with us”.

the message that you sent me was definitely NOT because of a need to contact me about something having to do with my business. 😒

and the fact that you say you “don’t use, hold or archive your e-mail addresses” is a moot point, because you ALREADY HAVE used my email address, and the fact that you have already used it means that, very likely, it is stored somewhere on your system, and probably gets backed up with everything else on your computer, which, for all intents and purposes, is “using, holding and archiving”… 🤬

so, the IP address from which this spam was sent is 85.203.22.215, which is part of the 85.203.22.208/28 range, located in monaco.

as of now, 85.203.22.208/28 (16 individual IP addresses) is no longer able to access my domains for any reason whatsoever.

thanks, spammer.

the message also contained references to wexxluxurycars dot com, which also goes on my block list.

thanks, spammer.

the IP address to which that domain name corresponds is 198.46.134.35, which is located in new york. because of the fact that it’s in new york, that IP address goes on my email block list, with today’s date, so that, in case i get an inquiry regarding it at some future point, i can state, unequivocally, that it was added to the list on that date, in case the person inquiring wants me to remove it…

which i will do ONLY if they can convince me that they are no longer associated with spam.

thanks, spammer.

and, of course, nobody is going to be seriously affected by all of this falderal (except, possibly, me), because the message was, doubtlessly, sent by a script that scans for “Contact Us” forms, and dumps meaningless spam into them automatically, without any one person having to do anything other than launch the script, which is why i’ve taken to blocking CIDR ranges outside of north america with no further warning. if people are going to be that careless with their own security, it’s up to people like me to take their security seriously, for them.

thanks, spammer. 🤬

random reminder

great swaths of the internet from the following countries have been permanently banned from viewing my web sites and sending me email, due to ongoing, egregious spamming activity:

albania
angola
argentina
aruba
australia
bangladesh
belarus
belgium
bosnia
brazil
british virgin islands
bulgaria
canada
chile
china
colombia
congo
denmark
egypt
finland
france
germany
guatemala
herzegovina
hong kong
iceland
india
indonesia
ireland
israel
italy
japan
kenya
latvia
lithuania
macau
malaysia
mexico
moldova
netherlands
nigeria
norway
pakistan
panama
philippines
poland
romania
russia
serbia
seychelles
singapore
slovakia
south africa
spain
sweden
switzerland
taiwan
thailand
turkey
UK
ukraine
uruguay
viet nam

and more than a few from the united states, for good measure. 😒

spam is bad. stop spam on internet.

tee…

i’ve recently taken to blocking great swaths of IP addresses in foreign countries, which only send me spam.

she has HUGE… tracts of land…

i have undertaken this policy because using a utility that automatically blocks IP addresses from foreign countries costs money (😒) and using a utility would only work on hybridelephant dot com, and nowhere else.

so, i learned about CIDR, learned how to identify host countries based on IP addresses, and learned how to block IP addresses based on CIDR numbers…

now, instead of blocking a single IP address — which is pointless, because spammers know that a single IP address only works until the spamees figure it out and block it, so they move on to the next one — i block entire swaths of IP addresses: the most common are the /24 range, which blocks 256 (2^8) IP addresses, and the /16 range, which blocks 65,536 (2^16) addresses.

and i can block spam from those IP addresses on ALL of my domains, not just hybridelephant dot com. 😉

which brings me to the point of this post: i recently blocked the third IN A SERIES of IP addresses from bangladesh: now i have 185.222.56.0/24, 185.222.57.0/24, AND 185.222.58.0/24 blocked.

which, technically, means that i could block 185.222.56.0/23 and 185.222.58.0/24 with the same effect, because 185.222.56.0/24 plus 185.222.57.0/24 equals 185.222.56.0/23

i love that i am able to do this.

i also love that i am able to understand this as much as i do… which is not very much, but enough that i have been successful in reducing the amount of spam i get by a SIGNIFICANT amount, and not affected my legitimate mail in the slightest degree. 😈
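as an added example (not the blog’s own tooling), here is the CIDR arithmetic from this post in python: the block size for a prefix length, and a merge that turns 185.222.56.0/24 plus 185.222.57.0/24 into 185.222.56.0/23 while leaving 185.222.58.0/24 alone, cross-checked against the standard library. the three bangladesh ranges are the ones the post names.

```python
import ipaddress


def prefix_size(prefixlen):
    """Addresses in an IPv4 /prefixlen block: /24 -> 256, /16 -> 65,536, /8 -> 16,777,216."""
    return 2 ** (32 - prefixlen)


def coalesce(cidrs):
    """Merge CIDR strings into the fewest equivalent blocks.

    Two blocks merge only when they are the same size and share a parent
    (a.supernet() == b.supernet()). 185.222.57.0/24 and 185.222.58.0/24 are
    adjacent but straddle a /23 boundary, so they stay separate.
    """
    nets = sorted({ipaddress.ip_network(c, strict=True) for c in cidrs})
    merged = True
    while merged:
        merged = False
        out = []
        for net in nets:
            if out and net.subnet_of(out[-1]):
                continue  # already covered by a larger block
            if (out and net.prefixlen > 0 and out[-1].prefixlen == net.prefixlen
                    and out[-1].supernet() == net.supernet()):
                out[-1] = out[-1].supernet()  # siblings: replace both with the parent
                merged = True
            else:
                out.append(net)
        nets = out
    return [str(n) for n in nets]


def stdlib_collapse(cidrs):
    """Same result via ipaddress.collapse_addresses, for cross-checking."""
    return [str(n) for n in ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in cidrs)]


def total_addresses(cidrs):
    """How many individual addresses the (collapsed) block list covers."""
    return sum(ipaddress.ip_network(c).num_addresses for c in coalesce(cidrs))


# The three /24 ranges from the post.
BANGLADESH = ["185.222.56.0/24", "185.222.57.0/24", "185.222.58.0/24"]

if __name__ == "__main__":
    print(coalesce(BANGLADESH), stdlib_collapse(BANGLADESH))
    print(total_addresses(BANGLADESH), prefix_size(24), prefix_size(16))
```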

seriously…

i put a notice on hybrid elephant’s contact form, a few months ago:

PLEASE NOTE: This contact form is solely for the use of Hybrid Elephant customers who need to get in contact with us. Every message that is sent with this form includes a unique IP address in the header, which identifies the computer from which the message was sent. If you use this form to spam us, all you will accomplish is to put your IP address on the list of IP addresses which are PERMANENTLY BANNED from accessing Hybrid Elephant for any reason. Please DO NOT USE THIS FORM to send us advertisements or solicitations. It WILL NOT WORK! You have been warned!

this morning i received spam from the contact form, which said “my apologies for reaching out cold like this, just trying to see who I can help.”

if you’re really interested in helping, there’s a snail-mail address, AND a phone number posted on the same page as the contact form — which contains the warning mentioned previously. there’s absolutely no reason why you could not have called me on the phone, or written me a snail-mail message, instead of using our contact form SPECIFICALLY for something that i have warned you NOT to use it for.

not only that, but the header indicates that you’re one of those suckers who bought into the spam that has been going around recently, which says that you can send your spam through contact forms, because they’re already approved. i know this because your return address is to a server in scottsdale, arizona, but the message was sent through 105.235.192.0/21, which is located in nigeria. not only that, but the domain name you registered is hosted by microsoft, and registered at godaddy, both of which are known, notorious spam havens, despite what they may say in their advertisements… so your domain name also goes into my spam filter.

congratulations, spammer: you have successfully participated in BLOCKING yourself, your domain, and a /21 range (2,048 individual IP addresses) in nigeria. you will never again be able to access any of my domains, for any reason, any email that you send to me will go unread, and there is absolutely NO WAY i will ever use your “instagram marketing” service… primarily because i do not now, and never have had an instagram account, and i do not intend to open one in the future.

which you could have found out just as easily over the telephone, and you wouldn’t have blocked yourself. spam doesn’t work. give it up.

🤬

spam update

as of 190729, the following IP addresses, and top-level domains are BLOCKED from my web sites, for egregious spamming behaviour:

5.104.108.0/24 – germany
5.188.210.0/24 – russia
5.226.136.0/21 – UK
23.19.0.0/19 – russia
23.82.128.0/22 – VIRGINIA, USA
31.13.191.0/24 – sweden
37.120.135.0/24 – italy
37.120.159.0/24 – UK
45.12.176.0/22 – india
45.81.0.0/22 – UK
51.15.0.0/18 – france/belgium
51.38.157.0/26 – poland
51.89.30.128/26 – denmark
77.81.105.0/24 – romania
77.81.106.0/24 – romania
80.211.253.0/24 – aruba/italy
85.25.236.0/22 – germany
85.204.49.0/24 – romania
85.204.50.0/24 – romania
85.206.165.8/29 – lithuania/canada
85.254.72.0/24 – latvia
86.109.170.0/24 – spain
88.201.208.0/20 – russia
88.247.0.0/18 – turkey
88.247.64.0/20 – turkey
89.36.224.0/25 – romania
89.44.138.0/23 – romania
89.238.128.0/18 – UK
92.101.192.0/22 – russia
93.125.99.0/24 – belarus/canada
95.37.128.0/17 – russia
95.216.0.0/15 – finland
103.39.132.0/22 – india
103.62.92.0/22 – india
103.76.22.0/23 – indonesia
103.113.3.0/24 – indonesia
103.138.238.0/24 – india
104.245.144.0/22 – canada
105.174.0.0/15 – angola
109.93.128.0/17 – serbia
109.158.0.0/16 – UK
109.175.96.0/19 – bosnia and herzegovina
109.245.80.0/21 – serbia
118.107.180.0/24 – hong kong
133.0.0.0/8 – japan (this represents 16,777,216 individual IP addresses, the largest block allocated by the IANA 🤬)
134.90.149.176/29 – norway
139.99.0.0/17 – singapore
142.59.228.0/22 – canada
150.95.104.0/21 – vietnam
151.106.10.154/31 – china/france
151.106.12.240/28 – romania
157.157.87.0/24 – iceland
168.196.0.0/22 – argentina
176.9.0.0/16 – bulgaria
177.36.246.0/24 – brazil
178.17.160.0/21 – moldova
178.17.168.0/21 – moldova
178.162.208.0/21 – germany
178.162.220.0/22 – germany
178.175.128.0/18 – moldova
181.214.60.0/22 – brazil
181.215.96.0/19 – brazil (london, columbia, chicago)
182.50.128.0/19 – singapore
182.52.0.0/15 – japan/thailand
182.56.0.0/14 – india
183.80.144.0/20 – vietnam
183.89.0.0/16 – thailand
185.9.147.0/24 – russia
185.93.3.0/24 – UK
185.94.189.128/27 – romania
185.103.110.0/24 – finland
185.125.32.0/22 – turkey
185.128.27.0/24 – italy
185.156.173.0/24 – france
185.206.224.0/24 – denmark
185.220.101.0/25 – germany
185.222.58.0/24 – bangladesh
185.230.127.0/24 – germany
185.234.0.0/22 – ireland/UK
188.209.52.0/24 – macau
193.56.28.0/24 – UK
193.201.224.0/22 – ukraine
195.181.166.0/24 – UK
199.249.230.0/24 – TEXAS, USA
200.40.96.0/24 – uruguay
201.138.46.0/24 – mexico
203.113.160.0/19 – vietnam

.bid – auctions
.br – brazil
.casa – “house”
.cf – central african republic
.club – groups, organizations, assemblies, communities, general
.cn – china
.date – online dating
.direct – general
.do – dominican republic
.download – technology
.es – spain
.faith – religion and churches
.fun
.gq – equatorial guinea
.hk – hong kong
.host – network companies
.icu – entrepreneurs and business owners
.life
.live
.loan – banks and lenders
.md – moldova
.moda – “fashion”
.mp – northern mariana islands (and anyone using mailchi.mp)
.ms – montserrat
.ooo
.online
.party – nightclubs and social gatherings
.pro – professions/professionals
.racing – racing
.review – public reviews
.ru – russia
.site
.space – as a creative space
.store – stores
.stream
.top
.trade – businesses
.webcam – web cam shows and video sharing
.website
.win – games, micro$oft windoesn’t
.world
.xyz
.za – south africa

if you recognise your IP address, or if you are one of the unfortunates whose web sites have one of the preceding TLDs, i’m sorry, but it had to be done… maybe if you contacted your ISP and complained, they might do something about it. 😒

spam

this kind of thing REALLY annoys me! 🤬

Hi! hybridelephant.com

We make available

Sending your message through the feedback form which can be found on the sites in the Communication section. Contact form are filled in by our software and the captcha is solved. The superiority of this method is that messages sent through feedback forms are whitelisted. This method increases the odds that your message will be read.

Our database contains more than 25 million sites around the world to which we can send your message.

The cost of one million messages 99 USD

FREE TEST mailing of 50,000 messages to any country of your choice.

i put this up on my contact form, but it doesn’t seem to have done any good… in fact, i think it may have encouraged them:

PLEASE NOTE: This contact form is solely for the use of Hybrid Elephant customers who need to get in contact with us. Every message that is sent with this form includes a unique IP address in the header, which identifies the computer from which the message was sent. If you use this form to spam us, all you will accomplish is to put your IP address on the list of IP addresses (789 as of 190601) which are PERMANENTLY BANNED from accessing Hybrid Elephant for any reason. Please DO NOT USE THIS FORM to send us advertisements or solicitations. It WILL NOT WORK! You have been warned!

HAHAHAHAHAHAHAHAHA!!! 🤪🤣

last year i switched away from my then-new host provider after a very short period of time because it turned out that they were a spam-haven.

before i switched, it got so bad that i set up a monitor at MXToolbox to check whether or not my IP address had been listed at any blacklists.

the host provider was incensed at this, and swore up and down that they had robust anti-spam policies that were enforced with an iron fist, but i switched away from them shortly afterwards, anyway.

today i got a notice from the monitor. apparently 69.162.87.36 is running an open relay and has a poor reputation.

so much for “robust anti-spam policies enforced with an iron fist”. 🤣🤣🤣🤣🤣

anti-spam

the following is a list of the TLD names that i have blocked from sending email to any email address at Hybrid Elephant:

.bid
.br – Brazil
.cf – Central African Republic
.club
.cn – China
.date
.direct
.do – Dominican Republic
.download
.es – Spain
.faith
.fun
.gq – Equatorial Guinea
.hk – Hong Kong
.host
.icu
.live
.loan
.ooo
.online
.party
.pro
.racing
.review
.ru – Russia
.space
.store
.stream
.top
.trade
.webcam
.win
.world
.xyz
.za – South Africa

if you are from any of these TLDs, you might as well give up on the idea of sending email to me.
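The two lists above (blocked CIDR ranges and blocked TLDs) are the data; the logic that applies them is small but has a few edge cases worth getting right: a "Display Name <addr>" header value, upper-case or trailing-dot domains, and the fact that blocking a country TLD like .mp also catches every second-level domain under it (mailchi.mp, as noted earlier). This is an added example written for this page, not the author's actual filter configuration; the TLD and CIDR sets are a constructed subset of the lists in the posts, and the sample transactions are made up.

```python
"""Reject mail by sender TLD or by connecting IP range.

Added example, not Hybrid Elephant's own filter code. BLOCKED_TLDS and
BLOCKED_NETS are a constructed subset of the lists in the post.
"""
import ipaddress
from email.utils import parseaddr

# Subset of the TLDs the post lists as blocked (leading dot dropped).
BLOCKED_TLDS = {"bid", "br", "cf", "club", "cn", "date", "download",
                "mp", "ru", "top", "win", "xyz", "za"}

# Subset of the CIDR ranges the post lists, parsed once at import time.
BLOCKED_NETS = [ipaddress.ip_network(cidr) for cidr in (
    "185.220.101.0/25",   # germany
    "193.201.224.0/22",   # ukraine
    "203.113.160.0/19",   # vietnam
)]


def sender_tld(sender):
    """Top-level label of the sender's domain, lower-cased, or None.

    Accepts a bare address or a full "Display Name <addr>" header value.
    A trailing dot ("example.ru.") and mixed case are normalised away.
    """
    _, addr = parseaddr(sender)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    if not domain:
        return None
    return domain.rsplit(".", 1)[-1]


def blocked_by_tld(sender, blocked=BLOCKED_TLDS):
    """Return the matching TLD if the sender's domain ends in a blocked one, else None."""
    tld = sender_tld(sender)
    return tld if tld in blocked else None


def blocked_by_ip(client_ip, nets=BLOCKED_NETS):
    """Return the CIDR string that contains client_ip, or None."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    for net in nets:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def decide(sender, client_ip):
    """('reject', reason) or ('accept', None) for one SMTP transaction."""
    tld = blocked_by_tld(sender)
    if tld:
        return "reject", f"sender TLD .{tld} is blocked"
    net = blocked_by_ip(client_ip)
    if net:
        return "reject", f"client {client_ip} is in blocked range {net}"
    return "accept", None


if __name__ == "__main__":
    # constructed sample transactions: (MAIL FROM / From header, connecting IP)
    for sender, ip in [("Marketing <offers@deals.example.top>", "198.51.100.9"),
                       ("newsletter@list.mailchi.mp", "198.51.100.9"),
                       ("friend@example.org", "185.220.101.44"),
                       ("friend@example.org", "198.51.100.9")]:
        print(f"{sender:40} {ip:16} -> {decide(sender, ip)}")
```

The second sample shows the mailchi.mp side effect the post mentions: the TLD check only looks at the last label, so anything under .mp is refused along with Northern Mariana Islands senders.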

related post

eeeenteresting! 😉

i got this email message today. it’s not from somebody i know, which usually indicates that it is spam, but in this case, i was, initially, led to a different conclusion. on the surface, the message looked like this:

I would like to buy your arts
Date: Friday 181116 09:02AM
From: Piper Dover <Marcel at thermaclick dot biz>
To: (my email address)
Good morning! I found your projects in the internet and I need to make a gift for my father.
If it is not hard for you please, help me with the order.
Write me back when you will be on your workplace, please..
Kind regards, I expect your reply, I will send all details that I am interested in.

this is… okay, the person doesn’t speak english too well, but they’re able to convey, which is the important part. but “found your projects in the internet” is a little troubling, because, as far as i know, these days, “my projects” are all on my domains — przxqgl.info, puggryduckling.com, hybridelephant.com and friendlyswastika.art — which, admittedly, are “in the internet” and would even probably be referred to as such by people who don’t understand “the internet”, but it’s still something that makes me wonder. another thing that caught my attention right away is that it is “From:” Piper Dover, whose email address is “Marcel at thermaclick dot biz”. i don’t know about you, but i don’t know ANY “real” person whose email address contains a name that is not their real name… which means that, either, this person’s name is not “piper”, or this person’s name is not “marcel”, and, very likely, both of them. NOT a good sign. “make a gift for my father” also makes me wonder, because the “gifts” that i have are not ones that i would think of as ones that i would give to my father, but it takes all kinds, and it’s possible that they were actually referring to my pipes, or bongs… or, maybe, they want me to make something in the style of something else that they’ve seen “in the internet”. also troubling are the “help me with the order” and “when you will be on your workplace” statements, as both of them are irrelevant.

but where the message started to get strange was when i looked at the headers…

yes, i ALWAYS look at the headers for “suspicious” emails, before i do anything else. don’t you? if not, WHY NOT?? 😕

… where i discovered that, if i had “replied” to this message, it would not have gone to “Marcel at thermaclick dot biz”, but, instead, would have gone to “isabellayehudit28 at gmail dot com”, because of a header called “Reply-To:” which nobody knows about these days, but has been a standard part of email for as long as email has been around… and who is “isabella yehudit 28”??? why is she getting in the way of my communicating with “piper” or “marcel” or whoever he is?

at this point, i reached the conclusion that it was, in fact, spam, and proceeded to report it as such. it turned out that the message was sent from the russian federation, thermaclick dot biz is blocked by URIBL, and the message is Base64-Encoded, all of which are STRONG indicators of spammy activity.

the point being that even experts can get confused sometimes, so don’t rely on what they say, but do the extra steps necessary to prove it for yourself. 👍

interesting

the past few weeks (maybe as much as a couple months) i have been getting anywhere from 4 to 24 “porn spam scam” emails per day — you know the ones, where the guy claims to be a “hacker” who has “taken over” your computer, is emailing you “from your own email address”, doesn’t speak english too well, and demands some random amount in bitcoin to prevent him from revealing your “pornographic indiscretions” to “everyone on your contact list” (😒) — and i have been reporting EVERY! SINGLE! ONE! to their upstream provider, and to the bitcoin abuse web site… but for the past couple of days, i have noticed that the constant stream has dropped off considerably: two days ago, i received two messages, yesterday i only received one, and, so far, today, i haven’t received any.

i also noticed that, a few days ago, i started seeing specific SpamAssassin rules that are targeted towards the porn-spam-scam racket (bitcoin address recognition and “from:” address spoofing are the two big ones), but considering the massive influx of porn-spam-scam messages over the past couple of months, i would have expected a much more gradual drop-off.

anti-spam, anti-fraud information

the past couple of months i have been getting an inordinate amount of spam that goes something like this:

Hello!
I’m a member of an international hacker group.

As you could probably have guessed, your account X was hacked, because I sent message you from it.

Now I have access to you accounts!
For example, your password for X is X

Within a period from July 17, 2018 to October 3, 2018, you were infected by the virus we’ve created, through an adult website you’ve visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we’ve gotten full damps of these data.

We are aware of your little and big secrets…yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one…

Transfer $800 to our Bitcoin wallet: 14bXUoPwruptLamUfKTuMW39Qy1q4ohX9w
If you don’t know about Bitcoin please input in Google “buy BTC”. It’s really easy.

I guarantee that after that, we’ll erase all your “data” ?

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.

please note: THIS IS FAKE NEWS!

whoever it is that sent it DOES NOT have access to my, or anyone else’s email account, despite what they may want you to think.

how do i know this? i have received at least 10 messages which are almost exactly identical to this one, down to the inconsistent english, carriage returns, and even the supposedly unique bitcoin wallet ID. the only significant difference in all of these messages is in the headers, which most people never see.

i want to go through this message, statement by statement, and show you exactly WHY it is fake news, and you shouldn’t buy into their scam.

first,

I’m a member of an international hacker group.

no you are not a member of an international hacker group. if you were, you wouldn’t have to tell me so. you are, in fact, a skript-kiddie who thinks he can make money by using other people’s code to mess up my internet: you are a vandal and a criminal, and i WILL track you down and turn you in, because it’s easy-peasy. 😠

As you could probably have guessed, your account X was hacked, because I sent message you from it.

any real hacker can tell you that you don’t actually have to have access to the account that’s on the “FROM:” line in your email, in order to make it look like you have access to that account. the fact is, i can send email to anybody i like, put whatever email address i like on the “FROM:” line, and 98% of the time, it will go through to the recipient without any difficulty. this is because the “FROM:” line is one of the easiest parts of the email to spoof. i have sent email that looks like it was coming from Bill Gates, and, if you didn’t know that i was sending it, and you have no way of looking at the email headers, you would think it was Bill Gates, and not me.

but you would be wrong.

then:

Now I have access to you accounts!
For example, your password for X is X

this password (which i have “X”ed out) is an authentic password from me, but because i have kept a list of every password i used, and where i used it, i KNOW that it is AT LEAST five years old, and has been superseded many times by more potent passwords. nevertheless, i also KNOW EXACTLY where i used this password last, so the first thing on my list is to write to the administrators of that place, and let them know that they’ve experienced a security breach.

then, just to make sure, i CHANGE MY PASSWORD AGAIN!!! just because they don’t really know anything is no reason not to be cautious times five… 👍

once again:

Within a period from July 17, 2018 to October 3, 2018, you were infected by the virus we’ve created, through an adult website you’ve visited. So far, we have access to your messages, social media accounts, and messengers. Moreover, we’ve gotten full damps of these data.

surprise! i KNOW that this is fake news, because i KNOW that i have not visited adult web sites. EVER! this may be a little more difficult for some other people, but for me, it’s a no-brainer: you are much less likely to be infected with a virus if you don’t visit adult web sites. the “full damps” of these data are imaginary.

not only that, but starting on 10 july — which is before the alleged “infection” — i was not even near my computer, much less using it, for at least a week, and i haven’t even had any social media accounts or messengers since about a week later. FAIL!

and, just as an aside… what are “full damps” anyway? i would have called them “downloads”… i have never heard the word “damps” used to mean “downloads”… do these people even speak english???

if you actually do visit adult web sites, you may be taken aback by this claim, but keep in mind the first part of the message, where they claimed to have access to my email account: they were wrong then, so the probability is quite high that they are wrong now, as well.

We are aware of your little and big secrets…yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

i admit that my tastes are quite weird, but the fact that you “saw and recorded” me doing those things is a lie: i don’t even have a webcam, or any kind of device that could record me doing stuff that i don’t even do in front of my computer anyway.

once again, if you have a webcam on your computer, it may be a good idea to cover it with a piece of tape when you’re not using it, but the fact is, people who write you out of the blue and claim to have access to your computer, are lying, more likely than not.

now we come to the real reason people send out spam like this:

Transfer $800 to our Bitcoin wallet: 14bXUoPwruptLamUfKTuMW39Qy1q4ohX9w
If you don’t know about Bitcoin please input in Google “buy BTC”. It’s really easy.

yeah, bitcoin makes it really easy to hide your transactions and make them more anonymous, but when the person asking you to send them bitcoin has been lying to you about everything else, it is also a lot harder for you to get your money back once you figure out that you have been lied to… which is why it’s always a good idea to make sure that the information you have been given is NOT a lie before you make your transaction.

in this case, they’re lying about the virus, the adult web site, the visual and audio recording, and the amount of data they claim to have collected, so i am confident that, if i were to look up their bitcoin wallet address, there’s a good chance that it, too, will have been shut down for fraudulent activity. yes, it is possible for that to happen, and in cases like this, it is fairly frequent.

ETA: i’m wrong about this one. the bitcoin wallet at 14bXUoPwruptLamUfKTuMW39Qy1q4ohX9w is active, showing 17 transactions (at this time) worth 1.95616527 BTC, or, $12,949.81 USD at this time… all the more reason to realise that THIS IS A SCAM!!! if you’re interested in reporting scam bitcoin wallets, you can do so here, as i have.

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

this “timer” is more impetus for you to act immediately, without checking any of the above mentioned information for inconsistencies. i know that it’s not true because i have received several messages like this, over the past two months, and nothing has ever happened to me, my “data” has not been mailed to my contacts (as will be seen in the next statement), simply because 1) they don’t have any of my contact information, and 2) they don’t have any data.

they’re just trying to scare me, and it’s not working.

Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

see? they’re threatening to send “all your messages and videos” — which they don’t have — “to all your contacts” — which they also don’t have — unless you send $800 to a bitcoin wallet which no longer exists.

by this time, you are EITHER freaking out and reading up on converting regular money to bitcoin, or you, like me, are laughing out loud, and wondering why other people are so stupid.

because, if you think about it, $800 is a fairly small amount of money to extort from someone who is willing to give it to you without doing their homework… so what is preventing them from saying your data has been erased, but, actually has been put into a separate category of data that can be used to extort more money from you, at a later time?

of course, if they don’t have any of that data (as in my case) i have nothing to worry about, but for people who might have data like that, who knows what they may do, even if everything else is a lie?

finally, a LEEEETLE TINY BIT of common sense, to finish things up:

You should always think about your security. We hope this case will teach you to keep secrets. Take care of yourself.

basically, if it’s on internet, it’s not a secret. if your computer is on internet, there’s a remote chance that something like this really may happen to you at some point, if you also keep your secrets on your computer. thus, the logical conclusion is that if you keep your secrets somewhere other than on your computer (or your tablet, or your cell phone), you won’t have any problems deleting the message when you get spam like this.

for those of you who may remember the screed i wrote about how to report spam: if you receive a message like this, that would be a good place to start. 😉
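The indicators picked apart in this post and in the two before it (a Reply-To that quietly redirects replies to a different domain, a display name with no relation to the address, a From line that is your own address, a Base64-encoded body, a bitcoin wallet and a countdown in the text) are all mechanically checkable, which is what the SpamAssassin rules mentioned above do. Here is an added example of that check, written for this page rather than taken from SpamAssassin or from the author's setup; the message it scores is constructed to resemble the scam, and the names, domains and "wallet" in it are made up (the wallet string merely has the right shape and is not a real address).

```python
"""Score an e-mail for the sextortion/Reply-To indicators discussed in the post.

Added example; not SpamAssassin's rules and not the author's configuration.
sample_message() builds a constructed message with made-up names/domains.
"""
import base64
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Legacy base58 addresses (1... / 3...) and bech32 (bc1...) addresses.
BTC_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
DEADLINE_RE = re.compile(r"\b(\d{1,3})\s*hours?\b", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _body_text(msg):
    """Decoded text of every text/* part (handles base64 / quoted-printable)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def indicators(raw):
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. replies silently go somewhere other than the apparent sender
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        found.append(f"Reply-To goes to {reply_addr}, not to the From domain")
    # 2. "sent from your own account": From equals the recipient
    if from_addr and from_addr.lower() == to_addr.lower():
        found.append("From is the recipient's own address (spoofed sender)")
    # 3. display name shares nothing with the mailbox name ("Piper Dover" vs marcel@)
    local = from_addr.split("@")[0].lower()
    tokens = [t for t in re.split(r"\W+", from_name.lower()) if t]
    if tokens and not any(t in local for t in tokens):
        found.append(f"display name {from_name!r} has nothing in common with {from_addr}")
    # 4. plain text hidden behind Base64 transfer encoding
    for part in msg.walk():
        if (part.get_content_maintype() == "text"
                and part.get("Content-Transfer-Encoding", "").lower() == "base64"):
            found.append("text body is Base64-encoded")
            break
    # 5. payment demand: wallet address plus a countdown
    body = _body_text(msg)
    for wallet in sorted(set(BTC_RE.findall(body))):
        found.append(f"bitcoin address in body: {wallet}")
    m = DEADLINE_RE.search(body)
    if m:
        found.append(f"payment deadline of {m.group(1)} hours")
    return found


def sample_message():
    """Constructed message mirroring the scam; every name, domain and the wallet is made up."""
    body = ("Hello!\nI'm a member of an international hacker group.\n"
            "Your account was hacked, because I sent message you from it.\n"
            "Transfer $800 to our Bitcoin wallet: 1ScamWa11etExamp1eAddressXXXXXXXXX\n"
            "You have 48 hours to pay.\n")
    encoded = base64.b64encode(body.encode()).decode()
    return ("From: Piper Dover <marcel@sender.invalid>\n"
            "To: victim@example.net\n"
            "Reply-To: isabella28@webmail.invalid\n"
            "Subject: Your account was hacked\n"
            "MIME-Version: 1.0\n"
            "Content-Type: text/plain; charset=utf-8\n"
            "Content-Transfer-Encoding: base64\n"
            "\n" + encoded + "\n")


if __name__ == "__main__":
    for line in indicators(sample_message()):
        print("-", line)
```

None of these indicators is proof on its own (plenty of legitimate newsletters set a Reply-To, and a few real people have addresses unrelated to their names), which is why a scoring approach like SpamAssassin's adds them up rather than rejecting on any single hit.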

how to report spam

i use this spam policy, along with maintaining robust global email filters, running SpamAssassin, and blocking IP addresses that are used for abuse. using these procedures means that i have to get this far MAYBE as many as 10 times in a day, and some days i don’t have any spam at all. YOUR MILEAGE WILL VARY! and, remember… the more you do it NOW, the fewer spam messages everyone gets down the road!

this is written from the perspective of a person who uses an email client and a web browser. if you ONLY use a browser (if you use webmail), there may be extra, intermediary steps that are not written down here.

the first thing you need to know is how to extract headers from your email messages, which is different depending on how you get your email.

  1. once you’ve extracted the headers, go to this URI:

    https://www.iptrackeronline.com/email-header-analysis.php

    leave wherever you have extracted the headers — the “message source” — open, because you’re going to need to copy more of the message, later.

  2. for now, paste only the headers into the form, and click “Submit header for analysis”.

    the analysis is WAY more information than you need, but the information you DO need is right near the top: under the header “Email header analysis report” will be a table that contains “All valid IP Addresses found in the header”, and usually the top one (or, possibly, two) will have an asterisk (*) next to them, which is the “Probable originating IP address”.

  3. copy that address. if it’s two, copy the first one, do the next steps, and then come back and copy the second one and do the next steps for that number, as well.
  4. now, go to this URI:

    https://centralops.net/co/DomainDossier.aspx

    paste the IP address in the “domain or IP address” field, check the following three boxes:

    domain whois record
    network whois record
    DNS record

    and hit the “Go” button.

    then, i find that it’s easiest to use the “Edit” -> “Find In This Page” function of my browser, to search for every instance of the commercial at symbol – @ – which is used in email addresses.

  5. now, go back to the message source, where you extracted the headers (remember that?)

    select and copy the entire message, including the headers. now you can close the message source.

  6. select the message in your inbox, and choose “Forward”.
  7. this will open a new message, with the message you’re complaining about inside a forwarding header. select everything EXCEPT the forwarding header, and delete it. then paste the message source that you copied in where the other stuff used to be.
  8. then, go back to the web browser, and find every email address for the IP address you’re complaining about, and put them into the “To:” line of your new, forwarded message.

    SOMETIMES the information will tell you something like “Report abuse only to…” or something like that. you can do that, if you want to, but frequently the “abuse” address is disabled, and the other addresses aren’t, so i’ve found that it’s a good idea to send email to EVERY address, whether or not it says to.

    if your search at iptrackeronline.com came up with two “Probable originating IP addresses”, now is the time to go back to step 3), copy the second IP address, and continue from there.

    you’ll end up with a forwarded message that contains the raw, text-only message, which is addressed to at least two, and sometimes as many as 9 or 10 email addresses.

  9. if you’re REALLY hung up on privacy, at this point, you can search for YOUR email address using the “Edit” -> “Find” feature of your email client. if you do this, replace every instance of your email address with an X to make it obvious that you haven’t done anything except remove your address from the header. seriously, if you do this, and mess around with the headers too much, eventually someone will complain about it, and YOU’RE supposed to be the one who is complaining, here.

FINISHING TOUCHES:
i usually like to mark my new message “Urgent”, and i also like to get a “Return Receipt” (which is not available on all email clients). i also like to insert the words “ABUSE VIOLATION” in the subject line, prior to the original, forwarded header, so that they know that you’re complaining, and not just sending more spam.

if you (like me) run your email through SpamAssassin, or something like it, you may have a special header section that gives you reasons why this particular message is (or is not) spam. sometimes this will include things like URIBL_BLOCKED information, which gives you the URIs that are used in the message, which are blocked by various spam lists. if you get an identifiable URI, you can use the “Edit” -> “Replace…” feature in your email client to replace these URIs with human-readable, but machine-invisible equivalents, which will further attest to the fact that you’re complaining, and not just sending more spam.
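Steps 2, 3 and 9 above are the parts of this procedure that can be done locally instead of by hand: the "probable originating IP" comes from reading the Received: headers from the bottom up (each relay prepends one, so the last one is the oldest hop), skipping private and loopback addresses, and the redaction in step 9 is a case-insensitive replace of your own address with an X. The following is an added example of both, written for this page; it is not the author's tooling and not what iptrackeronline.com does internally. The raw message is constructed, and the documentation-range addresses in it stand in for public ones.

```python
"""Extract candidate originating IPs from Received: headers and redact your own
address before forwarding a complaint (steps 2-3 and 9 of the post).

Added example, not the author's tooling. SAMPLE_RAW is constructed; its
198.51.100.x / 203.0.113.x addresses are documentation ranges standing in
for public addresses.
"""
import ipaddress
import re
from email import message_from_string, policy

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Hops inside someone's LAN or on localhost say nothing about the sender.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(text):
    """True for RFC 1918, loopback, link-local, or anything that is not an address."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return True
    return any(ip in net for net in _INTERNAL)


def originating_ips(raw):
    """Public IPv4 addresses named in the 'from' clause of each Received: header,
    oldest hop first. The first entry is the probable originating IP; a forged
    Received: line at the bottom can add a second candidate, which is why the
    post says to report both."""
    msg = message_from_string(raw, policy=policy.compat32)
    found = []
    for line in reversed(msg.get_all("Received", [])):
        # only the 'from ...' clause names the connecting host; 'by ...' is the relay itself
        from_clause = re.split(r"\bby\b", line, maxsplit=1)[0]
        for text in IP_RE.findall(from_clause):
            if not is_internal(text) and text not in found:
                found.append(text)
    return found


def redact_own_address(raw, my_address, marker="X"):
    """Step 9: replace every occurrence of your own address; returns (text, count)."""
    return re.subn(re.escape(my_address), marker, raw, flags=re.IGNORECASE)


# Constructed raw message: a forged bottom hop, a LAN hop, then the real handoff.
SAMPLE_RAW = (
    "Received: from relay.spammer-isp.invalid (relay.spammer-isp.invalid [203.0.113.45])\n"
    "\tby mx.recipient.example (Postfix) with ESMTP id 4C0FFEE\n"
    "\tfor <me@recipient.example>; Fri, 16 Nov 2018 09:02:11 +0000\n"
    "Received: from [10.0.0.7] (unknown [10.0.0.7])\n"
    "\tby relay.spammer-isp.invalid with SMTP; Fri, 16 Nov 2018 09:02:05 +0000\n"
    "Received: from mail.forged.invalid ([198.51.100.77])\n"
    "\tby 10.0.0.7 with SMTP; Fri, 16 Nov 2018 09:01:59 +0000\n"
    "From: Piper Dover <marcel@sender.invalid>\n"
    "To: me@recipient.example\n"
    "Subject: I would like to buy your arts\n"
    "\n"
    "Good morning! I found your projects in the internet.\n"
)

if __name__ == "__main__":
    print("candidate originating IPs:", originating_ips(SAMPLE_RAW))
    redacted, n = redact_own_address(SAMPLE_RAW, "me@recipient.example")
    print(f"redacted {n} occurrences of my address")
    print(redacted)
```

The bottom Received: line in the sample is the kind a spammer adds to point blame elsewhere; it shows up as a second candidate, and the hop that handed the message to your own MX (203.0.113.45 here) is the one the provider can actually act on.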

——

it is important to remember that all of this information is time sensitive: if you don’t get around to reporting spam until two or three days later, it has considerably less effect than a report that is made as soon as the spam message is received. generally, if more than 12 hours has passed, i just trash the spam and continue with my life.

about half of the reports i send produce some kind of response. about half of the responses i get are automated, either telling me that the message has been received, or telling me that it has not been received for one reason or another. a few of them are, actually, human responses, usually saying that they’ve forwarded the message to their client (the spammer), or saying that there’s nothing they can do about it. this is where requesting a return receipt is helpful: if you get a return receipt, there’s a good chance that someone at least saw your message. even if the return receipt says “not read”, you know that it’s a good address, and that someone saw your complaint, even if they didn’t do anything about it.

step 9) is important if they say they have forwarded your message to the spammer, because if you have not replaced all of the instances of your email address with an X, then the spammer now has your email address, surprise! they can do whatever they like with it, which usually means sending you more spam. in extreme cases, they send a SHIT-TON of spam (like, 500,000 messages) or try to send you viruses or malware, so it’s really important to do ALL nine steps.

believe me, speaking from personal experience, cleaning up after a 500k message bomb is no fun. 😕

in the case of someone who says there’s nothing they can do about it, that’s the point where i go back to the IP address that i complained about originally, and put the /16 or /24 into my IP blocker (depending on how egregious the abuse has been).

also, i put commonly used words and phrases that typify abuse (things like “ALMIGHTY GOD” and “flight simulator” and “Pílula” and “电子邮“) into my global email filters, and update them with new information frequently.

occasionally — VERY occasionally — i get a response such as this one, which makes all of this rigmarole worthwhile.

also, why i only accept plaintext email (and why you should, as well)

spam spam spam spam spam spam spam spam spam spam MALLET!

i never get tired of this… 😎

[#RNZ-396-23469]: ABUSE VIOLATION: RE: PAYMENT INVOICE
From: Namecheap Legal & Abuse Team <[email protected]>
To: you know who
Date: 180520 12:37 am
Spam Status: Spamassassin
Hello,

Thank you for your report.

While the gaushmedical.us domain name is registered with Namecheap, it is hosted with another company. That is why we cannot check the logs for the domain and confirm if it is involved in sending unsolicited emails.

However, it seems the domain name is blacklisted by SURBL. Since we consider SURBL to be a trusted organization, we opened a case regarding the domain name. Please allow about 48 hours for our further investigation.

Thank you for letting us know about the issue.


[#RNZ-396-23469]: ABUSE VIOLATION: RE: PAYMENT INVOICE
From: Namecheap Legal & Abuse Team <[email protected]>
To: you know who
Date: 180521 08:19 pm
Spam Status: Spamassassin
Hello,

Please be informed that as a result of the investigation, the domain gaushmedical.us was suspended. It was null-routed and locked in our system, so the spamming activity should end once the propagation is over.

Thank you for letting us know about the issue.


whois gaushmedical.us
Domain Name: gaushmedical.us
Registry Domain ID: DC3FBD2D4DC1743DE92E082A91D15BEDE-NSR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2018-05-22T03:18:40Z
Creation Date: 2018-05-15T06:56:45Z
Registry Expiry Date: 2019-05-15T06:56:45Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C29C72D760FD14C7FAD8D886E1C016E55-NSR
Registrant Name: New Oru
Registrant Organization:
Registrant Street: Hertzstr. 4
Registrant Street:
Registrant Street:
Registrant City: Heidelberg
Registrant State/Province: Heidelberg
Registrant Postal Code: 69126
Registrant Country: DE
Registrant Phone: +49.8635999192
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Registry Admin ID: CBBCDFB2B18654CFC972C6274C0858A93-NSR
Admin Name: New Oru
Admin Organization:
Admin Street: Hertzstr. 4
Admin Street:
Admin Street:
Admin City: Heidelberg
Admin State/Province: Heidelberg
Admin Postal Code: 69126
Admin Country: DE
Admin Phone: +49.8635999192
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID: C3200FE79814B420EB1FA838AEBEF9060-NSR
Tech Name: New Oru
Tech Organization:
Tech Street: Hertzstr. 4
Tech Street:
Tech Street:
Tech City: Heidelberg
Tech State/Province: Heidelberg
Tech Postal Code: 69126
Tech Country: DE
Tech Phone: +49.8635999192
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: blockedduetospam.pleasecontactsupport.com
Name Server: dummysecondary.pleasecontactsupport.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-05-22T04:57:32Z <<<

😂

spam

as of today, these are the TLDs i have blocked from sending email to my server, because of spam:

  • .bid
  • .date
  • .faith
  • .fun
  • .live
  • .online
  • .party
  • .stream
  • .trade
  • .website
  • .win

if your web site is under any one of these TLDs, you’re not going to be able to communicate with me over email, so you might as well give up now. it’s not going to work.

ETA: 180520 add to the previous list:

  • .club
  • .top

… give it up, folks. 😐

why i only accept plaintext email (and why you should, as well)

a couple days ago, a friend mentioned the fact that i only accept plaintext email, and asked if HTML email was against my religion. i said “yes”, and this is why i don’t accept rendered, HTML-formatted email. it is a story with a moral at the end, so pay attention.

today, i got an email that said it was from “DHL Customer Support <[email protected]>” and the subject line was “DHL Shipment Notification”…

keep in mind that the “From:” address is one of the easiest things about any email message to forge. among the other easy things to forge are the “Subject:” line, the “To:” line, and the body of the message, which is one of the reasons it’s not uncommon to get spam from “yourself”.

the spam i got contained the following message:

Notification for shipment event group “Delivery Exception” for &email&;
Dear Customer,

This is a notification that your package has experienced an exception, kindly follow the link to update your address: https://www.dhl.com/address_update

however, because of the fact that i only accept plaintext email, this is what i saw:

<p align="LEFT"><span style="font-size:12px;"><span style="font-family:times new roman,times,serif;">This is a notification that your package has experienced an exception, kindly follow the link to update your address:</span> <strong> </strong><font color="#0000ee"><strong> <a href="https://chicagoturfpros.com/wp-includes/css/dhl/[email protected]"><span style="font-family:times new roman,times,serif;">https://www.dhl.com/address_update</span></a></strong><span style="font-family:times new roman,times,serif;"> </span></font></span></p>

for those who look carefully, particularly at the bigger sections of the text, you will discover that there’s a link — a href= — and the target of that link is chicagoturfpros.com…

BUT the apparent target of the link is actually dhl.com. this is compounded by the fact that SOMEONE has taken a lot of time and care to make it look like the dhl.com web site, even though it isn’t.

180513 badware

if i accepted rendered HTML-formatted email, i, very likely, would not have seen the fact that, instead of going to dhl.com, i was actually going to chicagoturfpros.com — WHICH IS EXACTLY WHAT THE SPAMMERS WANT TO HAPPEN!

because of the fact that the link also includes my email address, there is also the very strong probability that: 1) i would have clicked the “update address” button without noticing that i’m giving my personal information to “chicagoturfpros.com” or whoever is controlling their web site, and 2) even if i didn’t click the “update address” button, my email address is now a part of the web log for “chicagoturfpros.com” (or whoever is controlling their web site), which means that, even if they didn’t get my personal information, they have what is now a “valid” email address, with which they can, then, send me more spam.

because of the fact that i DO NOT ALLOW rendered, HTML-formatted email on my computer, they (whoever “they” is) don’t get ANY information from me.

which is precisely why you should NEVER allow your email client to render HTML-formatted email.
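The trick above has a precise shape: the visible link text names one host (dhl.com) while the href points at another, and the href carries the recipient's address as a tracking token. That shape is what a mail filter or client can check before anything is rendered. Here is an added example of such a check, written for this page; it is not the author's mail setup and not WordPress's link scanner. The HTML snippet is constructed to mirror the message above, with a made-up destination host and address.

```python
"""Flag HTML links whose visible text names a different host than the href,
and hrefs that carry an e-mail address as a tracking token.

Added example, not the author's mail client or filter. SAMPLE_HTML is
constructed; the destination host and address in it are made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that a reader would take for a URL or a domain name.
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, including text in nested tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL or bare domain, lower-cased; '' if there is none."""
    text = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I):
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def same_site(a, b):
    """www.dhl.com and dhl.com count as the same site."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def deceptive_links(html):
    """[(shown_host, real_host, href)] for links whose text looks like a URL
    or domain that does not belong to the host the href actually goes to."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    out = []
    for href, text in parser.links:
        if not href or not LOOKS_LIKE_URL.fullmatch(text):
            continue
        shown, real = host_of(text), host_of(href)
        if shown and real and not same_site(shown, real):
            out.append((shown, real, href))
    return out


def address_in_url(href):
    """The e-mail address embedded in a link, if any (a per-recipient tracking token)."""
    m = EMAIL_RE.search(href or "")
    return m.group(0) if m else None


# Constructed body mirroring the post: two honest DHL links and one that lies.
SAMPLE_HTML = (
    '<p align="LEFT"><span style="font-size:12px;">This is a notification that your '
    'package has experienced an exception, kindly follow the link to update your address: '
    '<strong><a href="https://compromised-site.example/wp-includes/css/dhl/victim@example.net">'
    '<span style="font-family:times new roman,times,serif;">https://www.dhl.com/address_update'
    '</span></a></strong></span></p>'
    '<p>Questions? See <a href="https://www.dhl.com/help">our help pages</a> '
    'or <a href="https://dhl.com/track">www.dhl.com/track</a>.</p>'
)

if __name__ == "__main__":
    for shown, real, href in deceptive_links(SAMPLE_HTML):
        print(f"link shows {shown} but goes to {real}")
        token = address_in_url(href)
        if token:
            print(f"  and leaks the recipient address {token} to that host")
```

The last link in the sample (text www.dhl.com/track, href dhl.com) is deliberately left unflagged: a plain host-string comparison would call it deceptive, so the check treats a host and its subdomains as one site.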

if you have a regular email client, not accepting rendered HTML-formatted email should be as simple as going to the settings and deselecting “Use HTML by default” or whatever your email client has (this is one of the differences in all email clients). if you use IMAP (web mail) you may or may not have that capability, so your mileage may vary. i very strongly recommend that you use an email client which is compatible with IMAP, and reply from that, even if you do use web mail. it makes things a hell of a lot easier, especially when you’re dealing with spam and identity theft.

i realise this is a lost cause, and that pretty much everyone sends, and receives HTML-formatted email by default, these days, but identity theft is still a MASSIVE problem, and it’s only being made worse by the default preponderance of HTML-formatted email. if you don’t want to have your identity stolen, ONLY ACCEPT PLAINTEXT EMAIL. it won’t guarantee that your identity won’t get stolen, but it will go a long way to make it a lot more difficult to do so.

this has been a public service announcement.

ETA: wordpress is concerned enough about my security that, yesterday, it sent me three notices concerning the fact that the link i provided above, which isn’t even a link, but just a text representation of what the link looks like, is a security risk, and offered to delete the page for me. THAT’S why i only accept plaintext mail. 👍

for further information, read In Apple Mail, There’s No Protecting PGP-Encrypted Messages which gives a contemporary example of why HTML-formatted email is evil.

Rule 3

an example of Rule 3, spammers are stooOOpid…

at 3:24 pm, today, this happened:

180501 stupid crack attempt

at 3:26 pm, today, i blocked 88.99.0.0/16 from accessing my web site.

you may not fit the definition of a spammer, but you are definitely stooOOpid. is it possible that you are a machine? you have not done your owner a favour, you know.

meta spam

i got spam the other day.

big surprise…

i reported it to the upstream provider, as i usually do. one of the upstream addresses to which i sent a report was [email protected]

today i got a return receipt from that address. it said “Не прочтено” which means “not read”.

seriously, i wonder why a company as big as Rostelecom would maintain an “[email protected]” address and not have it respond to an abuse report. 😕

dear OVH

dear OVH,

i have been reporting, and blocking spam from your network for at least 5 years. i have at least 500 different addresses that you have used to hide behind, so that when the spam-reporting gets too extreme, you just start a new, incomprehensible email address… yes, i’m talking about [email protected] and [email protected] and [email protected] and [email protected] and EVERY FUCKING thing in between…

through my moderate poking around, i have discovered that most of these addresses are for Florent Demuynck, Stephane LeSimple, Falco Schmutz, Grillion Alexis, Tarik Benammar, Edouard Vanbelle, Benjamin Ficheland, Laurent Allard, and others (some of whom may or may not still be employees of OVH), and/or their boss, Octave Klaba.

today, for the first time, i have actually blocked someone from OVH for trying to log in to this blog… YES, MY BLOG has been probed by 158.69.223.8.

this is a warning: if i EVER catch you or any of your minions poking around my web again, i will block you so fast that it’ll make your head spin.

i’m on to you OVH. don’t push me, or you’ll feel my mallet! 😠

hey, check it out…

so i got another 2,500 spam messages starting this morning, but i FINALLY figured out where the settings are on my server that let me do things like filter spam that all has the same subject line, but different senders, and how to block all messages that have a sender from a certain IP-address-range, or from a certain country…

no help from my host provider, naturally… i’m seriously getting the impression that, despite the fact that their home office is in great britain, they hire people from india, russia or south america to do tech support, and english is NOT their primary language… and if i have more than one question per response, they only answer the last one, and totally ignore all of the others. it took me four days and a great deal of consternation to get them to delist my IP address from hotmail, which is something that, if i were to do it myself, would take about half an hour. 😒

spam spammers spamming

i am digging my way out from under an inundation of spam messages which arrived between around 1:00 am and around 4:00 pm yesterday. all told there were around 10,000 messages, but they were arriving in 10 to 12 message batches, about 500 every five minutes or so, and only started to decrease around 3:30.

but, at the same time, i sent two LARTs to the spammer’s upstream provider, yesterday, and today i got confirmation(!) that they had disabled their Luser’s email capabilities. i realise that they may just be blowing me off, and the gap will very quickly be filled with another spammer, but it’s good to know that my mallet is still quick and strong… 😎

ketchup

i isolated 10 “good enough” tracks from the raw files, but none of them were more than 6 minutes, and i wanted at least one that was 10 minutes or more, so i’m going back to fort worden next tuesday to try it all again. i’ve also bought a recording device of my own, which should make things more interesting, if nothing else.

i woke up the other day and tried to log in to my email account and discovered that everything was offline, and when i went to the host provider to determine why, i discovered that my account had been suspended because they received a spam complaint about me… except that, when i looked at the complaint they received, i recognised it immediately as one that i had sent to an upstream provider a couple of days before, and what they had done was forward it to the upstream provider on the “From:” line, instead of reading the headers to determine that they were, in fact, the people responsible… and, because of the fact that i NEVER receive spam complaints, they arbitrarily suspended my accounts, instead of reading the headers to determine who was actually responsible. 😕 since then i have received about 10,000 spam messages, in 1000 message increments, from people whose php servers have been compromised such that, simply by reading the headers and knowing where to click, i can actually see the spammer’s online interface on the compromised server…

but I was the one whose account was suspended for spamming. if it weren’t for the fact that i’m still recovering from my bout of changing host servers every few months, a few years ago, i would seriously consider switching, but… in spite of everything, the host server i currently use has been better than any of the others that i have found, for the price.

by the way, here is the place to get your email headers analysed, and here is the place to get information about the IP numbers you’ll get from analysing your email headers. basically it’s the same thing that spamcop used to do. i suppose there’s a way to automate it so that i don’t have to go through all the steps to figure out who gets the LARTs, but i like getting my hands dirty, because i know it’s being done correctly this way. 😏
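as an added illustration of the automation mentioned above (this is example code of mine, not the author’s procedure and not anything spamcop provides), the python below walks the Received: headers of a constructed message from the top down and stops at the trust boundary: every hop written by our own mail server is believed, and the first public address that server received from is the one the LART goes to. headers below that point were written by the other side and can say anything at all, which is why they are not consulted. it also flags the case described elsewhere on this page, a “From:” that claims to be our own domain on a message that arrived from outside. the hostnames, the trusted-host list and the addresses (from the RFC 5737 documentation ranges) are assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Our own mail path and domain: assumptions for this example.
TRUSTED_HOSTS = {"mx.hybridelephant.example"}
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
OUR_DOMAIN = "hybridelephant.example"

# Relays that never identify an origin. Listed explicitly rather than using
# IPv4Address.is_private, which would also match the RFC 5737 documentation
# ranges used in the sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed headers: a message that claims to be From: us but was handed to
# our MX by an outside host. The bottom Received: line was written by the
# sender and is a fake pointing back at our own mail host.
RAW_MESSAGE = b"""\
Received: from localhost (localhost [127.0.0.1])
  by mx.hybridelephant.example (amavisd-new) with ESMTP id 5Qy7;
  Wed, 22 Jul 2015 06:12:02 -0700
Received: from zpx09.cloudapp.example ([203.0.113.45])
  by mx.hybridelephant.example (Postfix) with ESMTP id 1A2B3C
  for <salamandir@hybridelephant.example>; Wed, 22 Jul 2015 06:12:01 -0700
Received: from mail.hybridelephant.example ([198.51.100.10])
  by zpx09.cloudapp.example with SMTP; Wed, 22 Jul 2015 06:11:58 -0700
From: salamandir@hybridelephant.example
To: salamandir@hybridelephant.example
Subject: oferta imperdivel

corpo
"""


def parse_hop(value):
    """Return (from_ip, by_host) for one Received: header; either may be None."""
    value = " ".join(str(value).split())          # unfold continuation lines
    by = BY_RE.search(value)
    by_host = by.group(1).lower() if by else None
    from_clause = value[: by.start()] if by else value
    ip = IPV4_RE.search(from_clause)
    return (ip.group(1) if ip else None), by_host


def origin_ip(msg):
    """Newest hop first: believe hops written by our servers, skip internal
    relays, and report the first outside address our server accepted from."""
    for value in msg.get_all("Received", []):
        from_ip, by_host = parse_hop(value)
        if by_host not in TRUSTED_HOSTS:
            break                                 # below the trust boundary
        if from_ip is None:
            continue
        ip = ipaddress.ip_address(from_ip)
        if any(ip in net for net in INTERNAL_NETS + TRUSTED_NETS):
            continue                              # our own relay, keep walking
        return str(ip)
    return None


def spoofed_self_sender(msg, origin):
    """True when From: claims our domain but the origin is outside our nets."""
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    outside = origin is not None and not any(
        ipaddress.ip_address(origin) in net for net in TRUSTED_NETS)
    return sender.endswith("@" + OUR_DOMAIN) and outside


def analyse(raw):
    """Return (origin ip or None, whether From: is a spoof of our own domain)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    origin = origin_ip(msg)
    return origin, spoofed_self_sender(msg, origin)


if __name__ == "__main__":
    origin, spoofed = analyse(RAW_MESSAGE)
    print("report this address to its upstream:", origin)
    print("From: is forged to look like us:", spoofed)
```

the forged bottom hop claims the message came from our own host, and a bottom-up reading would have sent the complaint to ourselves, which is exactly the mistake the host provider made with the forwarded report above.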

i have a gig next saturday with the fremont philharmonic at “dudefest” and another gig on sunday at the peace arch in blaine with the sousa band. i’m probably going to spend sunday night in bellingham… depending…

by the way…

just because i no longer have an address @spamcop.net DOES NOT indicate that i am any less than totally annoyed by spam messages that get sent my way.

an example could be found this morning, when i woke up, logged into my email client and discovered that i had over 1500 individual messages “From:” myself which were HTML formatted messages in brazilian portuguese (indicating that, in reality, they were not “From:” myself), and, as i sat there and watched, another 500 messages appeared and were downloaded within the space of 5 minutes…

they all appear to have originated on cloudapp.net, which is owned by microsoft. it was set up on a “host” that is called zpx09.cloudapp.net, but it doesn’t have a whois or mx entry, which doesn’t surprise me a great deal, but what does surprise me is that there appears to be a script interface at http://zpx09.cloudapp.net/caminho-ranger-32.php which looks like this:

150722 spam script interface

great… now i can send my own spam. unfortunately, but not surprisingly, there is no indication to who the script belongs, but my guess is that if i write to microsoft, they will, eventually, take the script down and ban zpx09.cloudapp.net, if nothing else…

and while i was writing this, another 700 messages came in… time to block brazil, again. 😕

ETA: as of 6:00 pm there are 1500 more messages, for a grand total of over 3000 in a 12 hour period… and microsoft doesn’t even seem to care… 😐

spam comment update

i adjusted the settings on my Limit Login Attempts plugin again, so that the first attempted login as “admin” (or anything other than the correct login name) results in a 720 minute (12 hour) block, and the second attempted login results in a 672 hour (28 day) block…

and STILL i have an estimated 5 attempted logins per day, and about half of them are blocked for 28 days… 😮

and, not only that, but two IP addresses — both from baghdad — have been blocked a total of 18 times (one has been blocked 10 times, and one has been blocked 8 times) since i installed the plugin, about 6 months ago.

and, so far, nobody has guessed the correct login name. 😎 although there have been some fairly obvious attempts, and some attempts — like “QhYQFvutnN” and “DouglasSevy” — that make me wonder what is really going on…

note

the only user other than “admin” that i have blocked since 141208 has been “QhYQFvutnN” which is really bizarre… i wonder what makes… you know, never mind. forget i said anything.

chuckle…

now that i am not so reliant on spamcop, i’ve bumped up my spam-fighting in some other ways that are proving to be rather interesting. the most recent item in this ongoing battle is that i have installed a plugin that limits login attempts for people whom i have not granted credentials to login. basically you get two attempts, and if your guesses are wrong, you are blocked from accessing the blog for an hour. at that point, you have two more tries, and if you fail those, you’re locked out for 2 days…

i figured that this wouldn’t be a problem for people who actually know the password, and it would be another major roadblock for people who think they can guess it (hint: don’t even bother).

i installed the plugin two days ago, and i’ve already gotten five IP addresses that have been blocked for 2 days… it’s actually kind of amusing to watch — i get an email every time someone fails to login, so i get to watch as they try and fail and get blocked… 👿

and, to be honest, i am not sure that 2 days is long enough… i think i’ll wait and see, but i’m thinking that 30 days is more like what i am trying to achieve here… 👿

do not send email via spamcop.net to contact me any longer!

effective IMMEDIATELY, my email address is NO LONGER @spamcop.net…

there has apparently been a pretty extreme change of attitude at Cisco (the owner of spamcop), resulting in two things that are very bad, both for me, and for the internet at large. the first is that they are no longer providing email service @spamcop.net, and the second is that they are arbitrarily deleting “false-positives” — a message that appears to be spam, but actually is a legitimate message — without allowing me to check and forward those messages which are legitimate.

the result is that i am NO LONGER receiving email @spamcop.net. they SAY that they will forward “legitimate” mail for one year, but they also say that they will delete any mail which appears to be spam, according to their “Cisco reputation system”, which i know to occasionally find false positives among people who occasionally email me… so i HIGHLY RECOMMEND that, from now on, if you want to contact me personally, you send mail to salamandir at hybridelephant dot com (ganesha at hybridelephant dot com is still good for business related issues).

it’s been more than 10 years… it’s the end of an era. 🙁

spam WTF?!?

i’ve got a directory of addresses to report spam originating from certain domains. quite a few of these domains include an upstream domain (which, theoretically, is responsible for making sure the hosted domain doesn’t send spam) that is enom dot com.

just out of curiosity, i typed host enom.com into a terminal, and it gave me 98.124.253.221

then i typed dig -x 98.124.253.221 soa which told me that rightside.co is the SOA for that IP address. whois rightside.co gave me enom dot com, which uses nameservers provided by akam.net

rightside.co or The Rightside Group owns enom dot com, and a bunch of other registry-related web sites…

host akam.net returns nothing….

[email protected]:~$ host akam.net
[email protected]:~$

however, i have a sneaky way to get around things that return nothing in my terminal, and that is DomainTools dot com. they tell me that akam.com is owned by Akamai Technologies… the people who are responsible for serving between 15 and 30 percent of all web traffic…

so, to conclude, quite a number of the people behind the domains responsible for the spam i receive on a daily basis, ultimately, buy their server time from akamai technologies.

i’ve read that up to 80% of all internet traffic is spam, and it’s all coming from a company that serves between 15 and 30 percent of all web traffic…

how does that make ANY sense whatsoever?!? 😛

reminder

having facebook send me spam advertising your web page is NOT a way to get me to pay attention to you, except, probably, in the way that you don’t want, okay?

thanks. 😡

dear 183.60.243.188

dear 183.60.243.188, CHINANET Guangdong province network, Data Communication Division, China Telecom, CN.

you have been banned from this network.

TWICE.

once on 140127 and once today, 140208.

the reason you have been banned is because you tried to access a part of our web that is off limits to people who aren’t supposed to be there, in other words, the “admin” section of our web site. the reason you aren’t supposed to be there is because people who access our admin section should know the password, and be honourable and “sattvah” enough NOT to do evil with the information that resides there (which is one of the reasons why i decided to put the “admin” section of the web site somewhere OTHER than in the directory called “/admin”)…

because of the fact that you tried, TWICE to access that part of the site, without a request to lift the ban the first time, the possibility that you are EVER going to be allowed to access any of the site, at all, in the future, is, at this point, practically non existent.

get a clue, spam-boy… you’re not going to break in, so you might as well just give up.

Don’t Like Spam? COMPLAIN ABOUT IT!

Don’t Like Spam? Complain About It. — i have been a contributing member of spamcop for close to 10 years — since february, 2004, even before i was directly involved in the electronic communications industry — and, every now and then, i get the impression that what i am doing doesn’t actually accomplish anything… so when i read an article like the one linked above, it does me a world of good to see that people like brian krebs recommend that people use services like spamcop. it is also a good source of information that i wouldn’t be able to find anywhere else, like detailed information regarding the origins of the flashback worm, and the fact that people like me are labeled “abusers” by the people who send out spam…

what it comes down to, is that, if you’re fed up with spam arriving in your inbox, the best thing you can do to stem the tide, is to complain about it, early and often. you may not notice a significant change in the number of spam messages you receive, immediately, but over time, not only your personal allotment of spam will decrease, but the amount of spam everybody receives will decrease, and everybody will be happier…

well, everybody except the people who are really the abusers, but we don’t care about their feelings anyway. 😎

skript-kiddie stupidity

i have been getting a lot of comment-spam recently, that is along the lines of this:

{
{I have|I’ve} been {surfing|browsing} online more than {three|3|2|4}
hours today, yet I never found any interesting article like yours.
{It’s|It is} pretty worth enough for me. {In my opinion|Personally|In my view},
if all {webmasters|site owners|website owners|web owners} and bloggers made good
content as you did, the {internet|net|web} will bee {much more|a
lot more} useful than ever before.|...

i don’t really understand the purpose behind such things… more so than i don’t understand why people send spam at all, i mean probably 85% to 90% of ALL internet traffic is spam, and, as far as i have been able to tell, only a very minute fraction of a percentage of internet users actually think spam is a good thing, but… this is a new low: a person who uses a faulty, undoubtedly third-party script to drop faulty comment spam into a blog that WILL NOT publish it the way it was received…

it makes me understand a lot more how people like ken at popehat have policies like pasting. although i’m sure that, in this case, what they’re most interested in is a hyperlink, and i’m not going to do that for ’em, because their comment is obviously spam… and low quality spam (if there could be such a thing).
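the unexpanded braces are the tell: nobody types {a|b} by hand. below is an added example in python (mine; not the author’s comment filter and not the spammer’s script) that does two things with the template quoted above: it flags a submitted comment that still contains spintax, and it enumerates the comments the template would have produced had the script worked, which shows why a template is worth more to a spammer than any single comment. the sample is the first two lines of the template quoted above; the function names are my own.

```python
import random
import re

SPIN_RE = re.compile(r"\{([^{}]*)\}")   # an innermost {a|b|c} group

# The first two lines of the template quoted above, as a comment filter sees them.
SAMPLE = ("{I have|I've} been {surfing|browsing} online more than {three|3|2|4}\n"
          "hours today, yet I never found any interesting article like yours.")


def has_spintax(text):
    """True when the text still contains an unexpanded {a|b} group.

    A lone {word} with no '|' is ignored so braces in a pasted code snippet
    do not trip the check.
    """
    return any("|" in m.group(1) for m in SPIN_RE.finditer(text))


def expand_all(text):
    """Every distinct comment the template can produce, innermost groups
    first so nested {a|{b|c}} groups are handled as well."""
    m = SPIN_RE.search(text)
    if m is None:
        return [text]
    variants = []
    for option in m.group(1).split("|"):
        variants.extend(expand_all(text[:m.start()] + option + text[m.end():]))
    return list(dict.fromkeys(variants))          # dedupe, keep order


def spin(text, rng=random):
    """One random expansion: what the spammer's script was meant to post."""
    while True:
        m = SPIN_RE.search(text)
        if m is None:
            return text
        choice = rng.choice(m.group(1).split("|"))
        text = text[:m.start()] + choice + text[m.end():]


def comment_verdict(text):
    """Filter decision for one submitted comment."""
    if has_spintax(text):
        return "spam (unexpanded spintax)"
    return "queue for moderation"


if __name__ == "__main__":
    print(comment_verdict(SAMPLE))
    variants = expand_all(SAMPLE)
    print(len(variants), "distinct variants; one of them:")
    print(spin(SAMPLE))
```

two lines of template already give sixteen distinct comments, none of which share enough text for a simple exact-match blocklist, which is the point of spintax; the broken template, on the other hand, is trivially detectable.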

mwah hah hah hah hah!!

i went to the magnolia seafair parade this morning and didn’t boot up my computer for the day until a few minutes ago. when i logged into my email, 6 messages appeared in my inbox, all of which had the subject “IP Banned 2013/08/03 08:5X:XX am” where the “X”s are no more than 30 seconds apart. the first was from 123.151.39.42 and the rest were from 123.151.39.41, which are in beijing, china, and, apparently, represent some sort of automated malware scanner…

but it’s kind of amusing, because they’re both from very similar IP addresses, which means that there’s probably some sort of malware that has taken over that computer and when it runs into an IP ban with one, it just tries the next one. what it doesn’t know is that after two banned attempts from the same /16, i just ban the entire /16… so it vainly tried to get into a number of known weaknesses in the site with at least 3 different user-agents, but because of the fact that the entire network was banned it FAILED FIVE MORE TIMES before it went somewhere else.
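the two policies described on this page, escalating lockouts for bad login names (a 720 minute block for the first strike and a 672 hour block for the second, as set in the Limit Login Attempts plugin above) and banning a whole /16 once two hosts in it have been banned, fit in one small table. the python below is an added example of mine, not the plugin’s code: the durations and the prefix length are the ones quoted on this page, the class name and its interface are my own, and the clock is advanced by the caller so the expiry behaviour can be exercised without waiting 28 days. the addresses in the demonstration are the two beijing hosts mentioned above.

```python
import ipaddress
from collections import defaultdict

# The numbers are the ones quoted on this page; the class is an added example.
FIRST_BAN = 720 * 60        # 12 hours after the first wrong login name
SECOND_BAN = 672 * 3600     # 28 days after the second
NET_PREFIX = 16             # two banned hosts in one /16 -> ban the whole /16


class LoginBanList:
    """Escalating per-host lockouts plus whole-/16 bans, driven by a clock
    the caller advances with tick()."""

    def __init__(self, valid_user, now=0):
        self.valid_user = valid_user
        self.now = now
        self.host_bans = {}                    # address -> expiry time
        self.net_bans = {}                     # network -> expiry time
        self.strikes = defaultdict(int)        # address -> bans so far
        self.banned_hosts = defaultdict(set)   # network -> hosts banned in it

    def tick(self, seconds):
        self.now += seconds

    @staticmethod
    def _net(addr):
        return ipaddress.ip_network(f"{addr}/{NET_PREFIX}", strict=False)

    def _active(self, table, key):
        expiry = table.get(key)
        if expiry is None:
            return False
        if expiry > self.now:
            return True
        del table[key]                         # expired: forget it
        return False

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        return (self._active(self.net_bans, self._net(addr))
                or self._active(self.host_bans, addr))

    def attempt(self, ip, username):
        """'blocked' (a ban is in force), 'allowed' (name is right, go on to
        the password check) or 'banned' (wrong name, ban just applied)."""
        if self.is_blocked(ip):
            return "blocked"
        if username == self.valid_user:
            return "allowed"
        addr = ipaddress.ip_address(ip)
        self.strikes[addr] += 1                # strikes survive ban expiry
        duration = FIRST_BAN if self.strikes[addr] == 1 else SECOND_BAN
        self.host_bans[addr] = self.now + duration
        net = self._net(addr)
        self.banned_hosts[net].add(addr)
        if len(self.banned_hosts[net]) >= 2:   # second host in this /16
            self.net_bans[net] = self.now + SECOND_BAN
        return "banned"


if __name__ == "__main__":
    bans = LoginBanList("salamandir")
    for ip, user in [("123.151.39.42", "admin"),
                     ("123.151.39.41", "admin"),
                     ("123.151.39.41", "QhYQFvutnN"),
                     ("123.151.200.9", "salamandir")]:
        print(f"{ip:15} {user:12} -> {bans.attempt(ip, user)}")
```

note that the /16 ban also catches a legitimate reader who happens to share the /16 with two bad hosts (the last line of the demonstration is exactly that), so a whitelist of known-good addresses belongs in front of is_blocked() on a site with real readers in those networks.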

if this had been from borneo instead of china, i would be a lot more interested, but as it is…

PLONK!!!