Subject / Author
* Hat check and help reporting persistent spammer / Kjetil Kjernsmo
+* Re: Hat check and help reporting persistent spammer / Andreas Kohlbach
|`* Re: Hat check and help reporting persistent spammer / Kjetil Kjernsmo
| `* Re: Hat check and help reporting persistent spammer / Andreas Kohlbach
|  `* Re: Hat check and help reporting persistent spammer / Kjetil Kjernsmo
|   `- Re: Hat check and help reporting persistent spammer / Andreas Kohlbach
+* Re: Hat check and help reporting persistent spammer / David Ritz
|`- Re: Hat check and help reporting persistent spammer / Kjetil Kjernsmo
`- Re: Hat check and help reporting persistent spammer / tjoen

Hat check and help reporting persistent spammer

<seciqn$82r$1@dont-email.me>


https://www.rocksolidbbs.com/computers/article-flat.php?id=145&group=news.admin.net-abuse.email#145

Newsgroups: news.admin.net-abuse.email
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: kjetil@kjernsmo.net (Kjetil Kjernsmo)
Newsgroups: news.admin.net-abuse.email
Subject: Hat check and help reporting persistent spammer
Date: Wed, 4 Aug 2021 01:17:42 +0200
Organization: A noiseless patient Spider
Lines: 233
Message-ID: <seciqn$82r$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 3 Aug 2021 23:17:43 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="b25983ed567c25a3f485498bbd84fef7";
logging-data="8283"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18h+EOYcEuS++GoKDGyLlTr"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.11.0
Cancel-Lock: sha1:q1hvyfBIkOYeFNWv+08SbukKZDQ=
Content-Language: en-US
X-Mozilla-News-Host: news://news.eternal-september.org:119
 by: Kjetil Kjernsmo - Tue, 3 Aug 2021 23:17 UTC

Hi all!

I haven't been here for a decade or so, but there is a spammer that I'm
quite fed up with, but my spamfighting is a little rusty, so I'd like
some help if you can.

First, can I have a hat check on Bluehost.com, please? That's his ISP,
and he's been there for a while. I first sent one detailed complaint
there, and they said they had taken action. Then he continued, they said
they had taken action, and now I just got another. I don't know if there
is a point sending more in their direction. If not, can anybody help me
find their upstream?

The specific spamvertized site is friluftsbutikken.com. It is run by a
company called "Romerike profilering":
https://www.purehelp.no/m/company/details/romerikeprofileringas/999329497
tracking that down, I find them to be associated with this man:
https://www.purehelp.no/m/role/viewBoardMember/46930801/joakimtonidahlbom
which is a name I recognize. He started his spam operation in 2009, and
has been bothering me ever since, but with low frequency.

Between 2012 and 2015, he had developed a sense of impunity so that he
stopped being shy about it, and used his full name in public
whois-registries, but after 2015, nobody does that anymore, so it became
harder to tell it is him. His operational pattern is to spam a lot for
a while, then get new domain names and wait a few months before a new
spam run. So, it is a whack-a-mole game.

For some time now, he has spamvertized what appears to be his own
operation or possibly his affiliate's operation, friluftsbutikken.com.
This has caused a major problem for an unrelated shop,
friluftsbutikken.no, and I am embarrassed to admit I fired a complaint
to them, and they said that they got a lot of these complaints. I've had
quite enough.

In addition to friluftsbutikken.com, his domains include habrev.com,
probrev.com, probrev.site. They seem to at least have Bluehost as their
DNS provider. He has also figured regularly on SURBL, but apparently not
now. I have a list of about 30 domains that he has used earlier. The most
recent spam came from nyhetsbrev1.org.

As I said, I have sent complaints to Bluehost (the first in late June),
but they have had no effect. So, what do you suggest I do next?

Please see below for the most recent spam with most of it.

Cheers,

Kjetil

---------- Spam excerpt ------------
Return-Path: <bounces@nyhetsbrev1.org>
Delivered-To: kjetil@kjernsmo.net
Received: (qmail 10454 invoked by uid 121); 31 Jul 2021 06:37:57 -0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on pooh.kjernsmo.net
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_99,BAYES_999,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_IMAGE_RATIO_02,
HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.2
X-Spam-Flag: YES
X-Virus-Checked: by ClamAV 0.103.2 on pooh
X-Virus-Found: No
Received: from server.nyhetsbrev1.org (HELO server.nyhetsbrev1.org)
(162.214.212.208)
by pooh (qpsmtpd/0.94) with ESMTP; Sat, 31 Jul 2021 08:37:54 +0200
Authentication-Results: pooh; auth=none
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=nyhetsbrev1.org; s=default; h=Content-Type:MIME-Version:List-Owner:
List-Subscribe:List-Unsubscribe:List-Help:Message-ID:From:Date:Subject:To:
Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Post:List-Archive;
bh=gdpu6nM4LMapFcIzxmn0PvECnLPNbz2SNc+Ieg5vxlI=;
Received: from nyhetsb2 by server.nyhetsbrev1.org with local (Exim 4.93)
(envelope-from <bounces@nyhetsbrev1.org>)
id 1m9id0-0002Ue-7d
for kjetil@kjernsmo.net; Sat, 31 Jul 2021 00:37:46 -0600
To: kjetil@kjernsmo.net
Subject: *** SPAM ***
=?UTF-8?Q?P=C3=85_LAGER_-_RASK_LEVERING_-_Sikre_deg_din_SUP_pakke_n?=
=?UTF-8?Q?=C3=A5_-_Med_5_=C3=A5rs_garanti!?=
X-PHP-Script: nyhetsbrev1.org/admin/index.php for 193.75.57.178
X-PHP-Originating-Script: 1003:class.phpmailer.php
Received: from cB2394BC1.dhcp.as2116.net [193.75.57.178] by
nyhetsbrev1.org with HTTP; Sat, 31 Jul 2021 06:37:33 +0000
Date: Sat, 31 Jul 2021 06:37:46 +0000
From: Friluftsbutikken <friluftsbutikken@nyhetsbrev1.org>
Message-ID: <a90571cc72ce4dc9840c44f5493ed899@nyhetsbrev1.org>
X-phpList-version: 3.4.5
X-MessageID: 6
X-ListMember: kjetil@kjernsmo.net
Precedence: bulk
List-Help:
<http://nyhetsbrev1.org/?p=preferences&uid=94c4bcffecada8c42551eaee3e536d51>
List-Unsubscribe:
<http://nyhetsbrev1.org/?p=unsubscribe&uid=94c4bcffecada8c42551eaee3e536d51&jo=1>
List-Subscribe: <http://nyhetsbrev1.org/?p=subscribe>
List-Owner: <mailto:noreply@nyhetsbrev1.org>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_a90571cc72ce4dc9840c44f5493ed899"
X-AntiAbuse: This header was added to track abuse, please include it
with any abuse report
X-AntiAbuse: Primary Hostname - server.nyhetsbrev1.org
X-AntiAbuse: Original Domain - kjernsmo.net
X-AntiAbuse: Originator/Caller UID/GID - [1003 991] / [47 12]
X-AntiAbuse: Sender Address Domain - nyhetsbrev1.org
X-Get-Message-Sender-Via: server.nyhetsbrev1.org: authenticated_id:
nyhetsb2/from_h
X-Authenticated-Sender: server.nyhetsbrev1.org:
friluftsbutikken@nyhetsbrev1.org
X-Source:
X-Source-Args: php-fpm: pool nyhetsbrev1_org
X-Source-Dir: nyhetsbrev1.org:/public_html/admin

This is a multi-part message in MIME format.

--b1_a90571cc72ce4dc9840c44f5493ed899
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Control Atlantic SUP pakke - Sikre deg din SUP pakke n=C3=A5 - Med 5 =C3=A5=
rs
garanti!


<http://nyhetsbrev1.org/lt.php?tid=3DMfsofQdTZu64mB9JPzGPNilIRQ9TTrISmnITD=
uqC2MTOx6szhp+hcLIl5xjLr2NZ>

=C3=98nsker du de beste opplevelsene kj=C3=B8per du et Control SUP.

Atlantic blir ekstremt stivt og er nesten like stivt som bambus!

Det gir sv=C3=A6rt h=C3=B8y stabilitet og gode egenskaper.

N=C3=85 KUN 4999,- INKLUDERT FRAKT (Ordin=C3=A6rpris 7499,-)

Control SUP gir deg mest SUP for pengene - 5 =C3=A5rs garanti!

LES MER OG KJ=C3=98P HER!
<http://nyhetsbrev1.org/lt.php?tid=3DMfsofQdTZu64mB9JPzGPNilIRQ9TTrISmnITDu=
qC2MTOx6szhp+hcLIl5xjLr2NZ>


<http://nyhetsbrev1.org/lt.php?tid=3DUj3b77TKfN+WOckJ8YXKsSlIRQ9TTtISmnITD=
uqC2MTOx6szhp/hcLIl5xjLr2NZ>

=C3=98nsker du de beste opplevelsene kj=C3=B8per du et Control SUP i 2 lags
materialet (double layer). 2 lags materialet blir ekstremt stivt og er
nesten like stivt som bambus! Det gir sv=C3=A6rt h=C3=B8y stabilitet og best
egenskaper.

N=C3=85 KUN 6999,- INKLUDERT FRAKT (Ordin=C3=A6rpris 8999,-)

Control SUP gir deg mest SUP for pengene - 5 =C3=A5rs garanti!

LES MER OG KJ=C3=98P HER!
<http://nyhetsbrev1.org/lt.php?tid=3DUj3b77TKfN+WOckJ8YXKsSlIRQ9TTtISmnITDu=
qC2MTOx6szhp/hcLIl5xjLr2NZ>

Vanntett b=C3=A6rev=C3=A6ske mobiltelefon 6,5=E2=80=B3

Ta med deg telefonen din uansett hvor du er med denne 6,5=E2=80=B3 vanntette
vesken. Vesken er laget i holdbart materiale med IPX8 vanntett rangering og
er laget slik at telefonen er lett =C3=A5 bruke, selv inne i vesken.

N=C3=A5 kun 189,- (Ordin=C3=A6rt: 249,-)

LES MER OG KJ=C3=98P HER!
<http://nyhetsbrev1.org/lt.php?tid=3DLNkSlm4yBrmfNdXio6t0cSlIRQ9TTtISmnITDu=
qC2MTOx6szhp+xcLIl5xjLr2NZ>

<http://nyhetsbrev1.org/lt.php?tid=3DLNkSlm4yBrmfNdXio6t0cSlIRQ9TTtISmnITDu=
qC2MTOx6szhp+xcLIl5xjLr2NZ>

<http://nyhetsbrev1.org/lt.php?tid=3DKpJfaEwB+3Wye/eUv3j0ailIRQ9TTtISmnITDu=
qC2MTOx6szhp8xcLIl5xjLr2NZ>

Trekopp - 270ml

Trekopp med l=C3=A6rrem. Turkoppen er h=C3=A5ndlaget av tre, slik at hver k=
opp er
helt unik. Stilig design og enkel =C3=A5 holde. Skinnreimen gj=C3=B8r at de=
n er
perfekt =C3=A5 feste utenp=C3=A5 tursekken. OBS: Ny og enda flottere modell.

N=C3=A5 kun 189,- (Ordin=C3=A6rt: 259,-)

LES MER OG KJ=C3=98P HER!
<http://nyhetsbrev1.org/lt.php?tid=3DKpJfaEwB+3Wye/eUv3j0ailIRQ9TTtISmnITDu=
qC2MTOx6szhp8xcLIl5xjLr2NZ>

Trekopp Spesial - 270ml

Trekopp med l=C3=A6rrem. Turkoppen er h=C3=A5ndlaget av tre, slik at hver k=
opp er
helt unik. Stilig design og enkel =C3=A5 holde. Skinnreimen gj=C3=B8r at de=
n er
perfekt =C3=A5 feste utenp=C3=A5 tursekken. OBS: Ny og enda flottere modell.

N=C3=A5 kun 199,- (Ordin=C3=A6rt: 269,-)

LES MER OG KJ=C3=98P HER!
<http://nyhetsbrev1.org/lt.php?tid=3DHUXmNWP3iQyeAHjOiO1ATylIRQ9TTkISmnITDu=
qC2MTOx6szhp/BcLIl5xjLr2NZ>

<http://nyhetsbrev1.org/lt.php?tid=3DHUXmNWP3iQyeAHjOiO1ATylIRQ9TTkISmnITDu=
qC2MTOx6szhp/BcLIl5xjLr2NZ>


<http://nyhetsbrev1.org/lt.php?tid=3DlVehU829/aimEpJhx2bZtSlIRQ9TTrISmnITD=
uqC2MTOx6szhp+hcLIl5xjLr2NZ>

=2D-

Avmelding nyhetsbrev
<http://nyhetsbrev1.org/lt.php?tid=3D47XS5ibda5WhpUfSRXHxgilIRQ9TTgISmnITDu=
qC2MTOx6szhp/hcLIl5xjLr2NZ>


Re: Hat check and help reporting persistent spammer

<877dh23wd5.fsf@usenet.ankman.de>


https://www.rocksolidbbs.com/computers/article-flat.php?id=146&group=news.admin.net-abuse.email#146

Newsgroups: news.admin.net-abuse.email
Path: i2pn2.org!i2pn.org!aioe.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ank@spamfence.net (Andreas Kohlbach)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Hat check and help reporting persistent spammer
Date: Tue, 03 Aug 2021 20:08:06 -0400
Organization: A noiseless patient Spider
Lines: 35
Message-ID: <877dh23wd5.fsf@usenet.ankman.de>
References: <seciqn$82r$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: reader02.eternal-september.org; posting-host="da234a13d502cda55e845fd65ed0df99";
logging-data="15971"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/VygJT71o45ckfEt9ukisr"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:QFVCmuUy5ylPeVyedVeF1+YkN0c=
sha1:OkJgkQLNa/+w8QCPmErjeZ+LPSA=
X-No-Archive: Yes
X-Face: '#R~-oJz-_!iXhczPJ;=w1(`5-uQ2$0qHB7KKDV,]VoAC!P?swaa#m|eB<DkOt*XH=~9C[g S^w)b,)1q,{P\7Z3H,N(^m.YKuYM//B{X:PvbDk.|:g:$wVr*3*)[K6F+k\z-s32+oB]YJPy11wuGGz'bQAk~1.b1[;M{^A2@bboIENBB:Wd:<Fm~r7OuiJA1g}7KC-T'>Du+
X-Face-What-Is-It: Capture Bee from Galaga
 by: Andreas Kohlbach - Wed, 4 Aug 2021 00:08 UTC

On Wed, 4 Aug 2021 01:17:42 +0200, Kjetil Kjernsmo wrote:
>
> Hi all!
>
> I haven't been here for a decade or so, but there is a spammer that
> I'm quite fed up with, but my spamfighting is a little rusty, so I'd
> like some help if you can.
>
> First, can I have a hat check on Bluehost.com, please? That's his ISP,
> and he's been there for a while. I've sent first one detailed
> complaint there, they said they had taken action. Then, he continued,
> they said they had taken action, and now I just got another. I don't
> know if there is a point sending more in their direction. If not, can
> anybody help me find their upstream?

At least in the past Bluehost did terminate spammer accounts. I haven't had
any spam recently involving them, so I wouldn't know if they changed the
hat color.

Seems to be spam targeted to your language. I find spam in languages other
than English more interesting.

To make things easier you can sign up at Spamcop. After doing so you have
to send one special email to them and click on a confirmation link. That
way their parser learns about your email ISP and doesn't mistake it for the
spammer.

After that it's copying the spam's source and pasting it into their web
interface. They try to figure out who is involved and show a result. You
should have a quick look to check that it seems okay, then send. ISPs involved
will receive complaints and be added to Spamcop's blacklist.

<https://www.spamcop.net/>
--
Andreas

Re: Hat check and help reporting persistent spammer

<alpine.OSX.2.20.2108032042030.93552@mako.ath.cx>


https://www.rocksolidbbs.com/computers/article-flat.php?id=147&group=news.admin.net-abuse.email#147

Newsgroups: news.admin.net-abuse.email
Path: i2pn2.org!i2pn.org!aioe.org!news.uzoreto.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: dritz@mindspring.com (David Ritz)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Hat check and help reporting persistent spammer
Date: Tue, 3 Aug 2021 22:12:19 -0500
Organization: SpamBusters!
Lines: 259
Message-ID: <alpine.OSX.2.20.2108032042030.93552@mako.ath.cx>
References: <seciqn$82r$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Trace: individual.net IgHRsLxekOMjvmlNyCgzlg1njPShTRU8+9In7lqQmMLFKKpKsB
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:cfFWrSqdLxby5dVF31+K2h8UdcI=
In-Reply-To: <seciqn$82r$1@dont-email.me>
OpenPGP: id=9CD055375C05466038D2194852BC29991A12DEEB
X-Comment-1: Spam is bad. <http://trillian.mit.edu/~jc/humor/WhatIsSpam.html>
X-Comment-2: LART a spammer for Dobbs.
X-Comment-3: Invalid assumptions tend to produce invalid conclusions.
X-Comment-4: This message is intended to be read with a monospaced font.
X-Pgp-0x1A12DEEB: 9CD0 5537 5C05 4660 38D2 1948 52BC 2999 1A12 DEEB
X-Meow: yes
 by: David Ritz - Wed, 4 Aug 2021 03:12 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, 04 August 2021 01:17 +0200,
in article <seciqn$82r$1@dont-email.me>,
Kjetil Kjernsmo <kjetil@kjernsmo.net> wrote:

> Hi all!

> I haven't been here for a decade or so, but there is a spammer that
> I'm quite fed up with, but my spamfighting is a little rusty, so I'd
> like some help if you can.

> First, can I have a hat check on Bluehost.com, please? That's his
> ISP, [...]

Bluehost.com is one of the subsidiary brands of EIG (Endurance
International Group), one of the world's largest web hosting providers.
For a company this huge, they manage their network quite well.

https://www.spamhaus.org/sbl/listings/endurance.com

> The specific spamvertized site is friluftsbutikken.com.

$ dig +short friluftsbutikken.com
74.220.219.180

$ whois 74.220.219.180 | grep -iE ^\(org\|net\)\|@
NetRange: 74.220.192.0 - 74.220.223.255
NetName: BLUEHOST-NETWORK-2
NetHandle: NET-74-220-192-0-1
NetType: Direct Allocation
Organization: Unified Layer (BLUEH-2)
OrgName: Unified Layer
OrgId: BLUEH-2
OrgAbuseHandle: NOC2320-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-801-765-9400
OrgAbuseEmail: abuse@bluehost.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/NOC2320-ARIN
OrgTechHandle: ENO74-ARIN
OrgTechName: EIG Network Operations
OrgTechPhone: +1-877-659-6181
OrgTechEmail: eig-net-team@endurance.com
OrgTechRef: https://rdap.arin.net/registry/entity/ENO74-ARIN
OrgNOCHandle: ENO74-ARIN
OrgNOCName: EIG Network Operations
OrgNOCPhone: +1-877-659-6181
OrgNOCEmail: eig-net-team@endurance.com
https://rdap.arin.net/registry/entity/ENO74-ARIN
RNOCEmail: support@bluehost.com
RTechEmail: netops@bluehost.com
RAbuseEmail: abuse@bluehost.com
network:Class-Name:network
network:ID: NETBLK-UL.74.220.192.0/19
network:Auth-Area: 74.220.192.0/19
network:Network-Name: UL-74.220.192.0/19
network:IP-Network: 74.220.192.0/19
network:Organization: Unified Layer
network:Tech-Contact: netops@unifiedlayer.com
network:Admin-Contact: netops@unifiedlayer.com
network:Abuse-Contact: abuse@unifiedlayer.com
network:Created: 20121119
network:Updated: 20121119
network:Updated-By: netops@unifiedlayer.com

[...]

> In addition to friluftsbutikken.com, his domains include habrev.com,
> probrev.com, probrev.site. They seem to at least have Bluehost as
> their DNS provider. He's also figured regularly on SURBL, but
> apparently not now.

$ dig +short habrev.com
162.241.90.162
$ dig +short probrev.com
162.241.90.246
$ dig +short probrev.site
162.241.90.246

$ whois 162.241.90.162 | grep -iE ^net\|@
NetRange: 162.240.0.0 - 162.241.255.255
NetName: UNIFIEDLAYER-NETWORK-16
NetHandle: NET-162-240-0-0-1
NetType: Direct Allocation
OrgAbuseEmail: abuse@bluehost.com
OrgTechEmail: eig-net-team@endurance.com
OrgNOCEmail: eig-net-team@endurance.com
network:Class-Name:network
network:ID: NETBLK-UL.162.241.90.162/32
network:Auth-Area: 162.241.90.162/32
network:Network-Name: UL-162.241.90.162/32
network:IP-Network: 162.241.90.162/32
network:Organization: ubrev.com
network:Tech-Contact: post@ndw.no
network:Admin-Contact: post@ndw.no
network:Abuse-Contact: post@ndw.no
network:Created: 20170104
network:Updated: 20210801
network:Updated-By: netops@unifiedlayer.com

$ whois 162.241.90.246 | grep -i ^net
NetRange: 162.240.0.0 - 162.241.255.255
NetName: UNIFIEDLAYER-NETWORK-16
NetHandle: NET-162-240-0-0-1
NetType: Direct Allocation
network:Class-Name:network
network:ID: NETBLK-UL.162.241.90.246/32
network:Auth-Area: 162.241.90.246/32
network:Network-Name: UL-162.241.90.246/32
network:IP-Network: 162.241.90.246/32
network:Organization: ubrev.com
network:Tech-Contact: post@ndw.no
network:Admin-Contact: post@ndw.no
network:Abuse-Contact: post@ndw.no
network:Created: 20170104
network:Updated: 20210801
network:Updated-By: netops@unifiedlayer.com

> I have a list about 30 domains that he have used earlier. The most
> recent spam came from nyhetsbrev1.org.

$ dig +short nyhetsbrev1.org
162.214.212.208

$ whois 162.214.212.208 | grep -iE ^\(org\|net\)\|@
NetRange: 162.214.0.0 - 162.215.255.255
NetName: UNIFIEDLAYER-NETWORK-15
NetHandle: NET-162-214-0-0-1
NetType: Direct Allocation
Organization: Unified Layer (BLUEH-2)
OrgName: Unified Layer
OrgId: BLcUEH-2
OrgAbuseHandle: NOC2320-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-801-765-9400
OrgAbuseEmail: abuse@bluehost.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/NOC2320-ARIN
OrgTechHandle: ENO74-ARIN
OrgTechName: EIG Network Operations
OrgTechPhone: +1-877-659-6181
OrgTechEmail: eig-net-team@endurance.com
OrgTechRef: https://rdap.arin.net/registry/entity/ENO74-ARIN
OrgNOCHandle: ENO74-ARIN
OrgNOCName: EIG Network Operations
OrgNOCPhone: +1-877-659-6181
OrgNOCEmail: eig-net-team@endurance.com
OrgNOCRef: https://rdap.arin.net/registry/entity/ENO74-ARIN
network:Class-Name:network
network:ID: NETBLK-UL.162.214.212.208/32
network:Auth-Area: 162.214.212.208/32
network:Network-Name: UL-162.214.212.208/32
network:IP-Network: 162.214.212.208/32
network:Organization: ubrev.com
network:Tech-Contact: post@ndw.no
network:Admin-Contact: post@ndw.no
network:Abuse-Contact: post@ndw.no
network:Created: 20170104
network:Updated: 20210801
network:Updated-By: netops@unifiedlayer.com

NORID Handle...............: UH998R-NORID
Name.......................: UniWeb Hostmaster
Registrar Handle...........: REG990-NORID
Country....................: NO
Phone Number...............: +47.33333820
Email Address..............: hostmaster@uniweb.no

> As I said, I have sent complaints to Bluehost (the first in late
> June), but they have had no effect. So, what do you suggest I do
> next?

> Please see below for the most recent spam with most of it.

> ---------- Spam excerpt ------------
> Return-Path: <bounces@nyhetsbrev1.org>
> Delivered-To: kjetil@kjernsmo.net
> Received: (qmail 10454 invoked by uid 121); 31 Jul 2021 06:37:57 -0000
> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on pooh.kjernsmo.net
> X-Spam-Level: *********
> X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_99,BAYES_999,
> DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_IMAGE_RATIO_02,
> HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS autolearn=disabled
[...]
> Received: from server.nyhetsbrev1.org (HELO server.nyhetsbrev1.org)
> (162.214.212.208)
> by pooh (qpsmtpd/0.94) with ESMTP; Sat, 31 Jul 2021 08:37:54 +0200
[...]
> To: kjetil@kjernsmo.net
> Subject: *** SPAM ***
> =?UTF-8?Q?P=C3=85_LAGER_-_RASK_LEVERING_-_Sikre_deg_din_SUP_pakke_n?=
> =?UTF-8?Q?=C3=A5_-_Med_5_=C3=A5rs_garanti!?=
> X-PHP-Script: nyhetsbrev1.org/admin/index.php for 193.75.57.178
> X-PHP-Originating-Script: 1003:class.phpmailer.php
> Received: from cB2394BC1.dhcp.as2116.net [193.75.57.178] by nyhetsbrev1.org
> with HTTP; Sat, 31 Jul 2021 06:37:33 +0000

193.75.57.178 is the origin of this message.

% Abuse contact for '193.75.56.0 - 193.75.63.255' is 'abuse@globalconnect.no'
inetnum: 193.75.56.0 - 193.75.63.255
netname: VENTELO-DHCP-BERGEN
e-mail: noc@globalconnect.no
remarks: noc@globalconnect.no
abuse-mailbox: abuse@globalconnect.no
descr: BROADNET-NO-ROUTE

> Date: Sat, 31 Jul 2021 06:37:46 +0000
> From: Friluftsbutikken <friluftsbutikken@nyhetsbrev1.org>
> Message-ID: <a90571cc72ce4dc9840c44f5493ed899@nyhetsbrev1.org>
> X-phpList-version: 3.4.5
> X-MessageID: 6
> X-ListMember: kjetil@kjernsmo.net
> Precedence: bulk
> List-Help: <http://nyhetsbrev1.org/?p=preferences&uid=94c4bcffecada8c42551eaee3e536d51>
> List-Unsubscribe: <http://nyhetsbrev1.org/?p=unsubscribe&uid=94c4bcffecada8c42551eaee3e536d51&jo=1>

This is a mailing list, to which you are subscribed. We have no way of
ascertaining how your address may have been added to this list,
apparently nearly a decade ago. It may be time to do something about
it. The lack of either or both does not portend well.

> List-Subscribe: <http://nyhetsbrev1.org/?p=subscribe>

This list address acquisition web form is unprotected, suggesting that
it may be used to submit any address. There's also nothing to suggest
the list uses a closed loop affirmative confirmation, i.e. COI.
Whether or not this is in play is unknown.

"Subscription Bombing: COI, CAPTCHA, and the Next Generation of
Mail Bombs"
https://www.spamhaus.org/news/article/734/

> List-Owner: <mailto:noreply@nyhetsbrev1.org>

[...]

> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
> X-AntiAbuse: Primary Hostname - server.nyhetsbrev1.org
> X-AntiAbuse: Original Domain - kjernsmo.net
> X-AntiAbuse: Originator/Caller UID/GID - [1003 991] / [47 12]
> X-AntiAbuse: Sender Address Domain - nyhetsbrev1.org
> X-Get-Message-Sender-Via: server.nyhetsbrev1.org: authenticated_id: nyhetsb2/from_h
> X-Authenticated-Sender: server.nyhetsbrev1.org: friluftsbutikken@nyhetsbrev1.org
> X-Source:
> X-Source-Args: php-fpm: pool nyhetsbrev1_org
> X-Source-Dir: nyhetsbrev1.org:/public_html/admin
[...]
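The header triage David Ritz does by hand above, as an added example that is not code from any poster in this thread: it walks the Received: chain to the origin hop, cross-checks that IP against the phpList X-PHP-Script header, decodes the subject and body, and lists the domains the spam links to, the values one would then feed to dig and whois. The SAMPLE is a constructed excerpt modelled on the spam quoted in the thread, not the full message.

```python
"""Facts an abuse report should cite, pulled from a spam sample.
Added example for this thread, not any poster's code: walk the Received:
chain to the origin hop, cross-check it against phpList's X-PHP-Script
header, decode subject and body, and list the linked domains (the values
you would feed to dig and whois, as David Ritz did by hand)."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed excerpt modelled on the sample quoted in the thread.  Header
# continuation lines are folded with leading whitespace as RFC 5322 requires.
SAMPLE = """\
Return-Path: <bounces@nyhetsbrev1.org>
Received: from server.nyhetsbrev1.org (HELO server.nyhetsbrev1.org)
 (162.214.212.208)
 by pooh (qpsmtpd/0.94) with ESMTP; Sat, 31 Jul 2021 08:37:54 +0200
Received: from nyhetsb2 by server.nyhetsbrev1.org with local (Exim 4.93)
 (envelope-from <bounces@nyhetsbrev1.org>)
 id 1m9id0-0002Ue-7d
 for kjetil@kjernsmo.net; Sat, 31 Jul 2021 00:37:46 -0600
Subject: =?UTF-8?Q?P=C3=85_LAGER_-_RASK_LEVERING?=
X-PHP-Script: nyhetsbrev1.org/admin/index.php for 193.75.57.178
Received: from cB2394BC1.dhcp.as2116.net [193.75.57.178] by
 nyhetsbrev1.org with HTTP; Sat, 31 Jul 2021 06:37:33 +0000
From: Friluftsbutikken <friluftsbutikken@nyhetsbrev1.org>
List-Unsubscribe: <http://nyhetsbrev1.org/?p=unsubscribe&uid=94c4bcff>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Sikre deg din SUP pakke n=C3=A5 - Med 5 =C3=A5rs garanti!
<http://nyhetsbrev1.org/lt.php?tid=3DMfsofQdTZu64mB9JP>
LES MER OG KJ=C3=98P HER! <https://friluftsbutikken.com/sup>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL = re.compile(r"https?://[^\s<>\"']+")


def parse(raw):
    """policy.default unfolds headers and decodes RFC 2047 words for us."""
    return message_from_string(raw, policy=policy.default)


def received_hops(msg):
    """(from-clause, IPv4 or None, by-host) per Received: header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())
        m = re.match(r"from\s+(.+?)\s+by\s+(\S+)", text)
        if not m:
            continue
        ip = IPV4.search(m.group(1))
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(2)))
    return hops


def origin_ip(msg):
    """Oldest hop naming an IP is where the message entered the mail system;
    here it is an HTTP submission to the phpList admin UI, not a relay."""
    for _frm, ip, _by in reversed(received_hops(msg)):
        if ip:
            return ip
    return None


def php_script_client(msg):
    """PHPMailer records the web client in X-PHP-Script: a second witness."""
    m = IPV4.search(str(msg.get("X-PHP-Script", "")))
    return m.group(1) if m else None


def spamvertized_domains(msg):
    """Hostnames linked from every decoded text part plus the List-* headers."""
    text = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    for name in ("List-Unsubscribe", "List-Help", "List-Subscribe"):
        text += "\n" + str(msg.get(name, ""))
    hosts = {urlparse(u).hostname for u in URL.findall(text)}
    return sorted(h for h in hosts if h)


def summarize(raw):
    """Everything a report to the hosting provider's abuse desk should cite."""
    msg = parse(raw)
    origin = origin_ip(msg)
    return {
        "subject": str(msg["Subject"]),
        "origin_ip": origin,
        "origin_confirmed_by_php_header": origin == php_script_client(msg),
        "relay_ips": [ip for _f, ip, _b in received_hops(msg)
                      if ip and ip != origin],
        "spamvertized_domains": spamvertized_domains(msg),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

The origin IP is only trustworthy because the hop that recorded it ("with HTTP") was written by the list software itself; a Received: line added by a sender-controlled MTA can say anything, so always read the chain from the first hop your own server added.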


Re: Hat check and help reporting persistent spammer

<sed6hl$7nk$1@dont-email.me>


https://www.rocksolidbbs.com/computers/article-flat.php?id=148&group=news.admin.net-abuse.email#148

Newsgroups: news.admin.net-abuse.email
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: tjoen@dds.invalid (tjoen)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Hat check and help reporting persistent spammer
Date: Wed, 4 Aug 2021 06:54:05 +0200
Organization: A noiseless patient Spider
Lines: 8
Message-ID: <sed6hl$7nk$1@dont-email.me>
References: <seciqn$82r$1@dont-email.me>
Reply-To: tjoen@dds.nl
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 4 Aug 2021 04:54:13 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="6d3681a3acaffb9b65de884a86eb22c9";
logging-data="7924"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19c3SO9dk202HtBZ9TKR7zn"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.12.0
Cancel-Lock: sha1:MbWDGoCCImpbIlH7qPYa36s13iQ=
In-Reply-To: <seciqn$82r$1@dont-email.me>
Content-Language: en-US
 by: tjoen - Wed, 4 Aug 2021 04:54 UTC

On 8/4/21 1:17 AM, Kjetil Kjernsmo wrote:
> First, can I have a hat check on Bluehost.com, please? That's his ISP,

two spams since 2011:
spam:mar12 70.88.105.173=comcast.net
s.id/yOA9z=topokhomes,com=faulkneragencym,com=162.241.24.227=bluehost.com
spam2011:18/12 209.85.160.169=google.com
liradato,com=74.220.207.122=bluehost.com

Re: Hat check and help reporting persistent spammer

<sedor4$g2k$1@dont-email.me>


https://www.rocksolidbbs.com/computers/article-flat.php?id=149&group=news.admin.net-abuse.email#149

Newsgroups: news.admin.net-abuse.email
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: kjetil@kjernsmo.net (Kjetil Kjernsmo)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Hat check and help reporting persistent spammer
Date: Wed, 4 Aug 2021 12:06:27 +0200
Organization: A noiseless patient Spider
Lines: 28
Message-ID: <sedor4$g2k$1@dont-email.me>
References: <seciqn$82r$1@dont-email.me> <877dh23wd5.fsf@usenet.ankman.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 4 Aug 2021 10:06:28 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="b25983ed567c25a3f485498bbd84fef7";
logging-data="16468"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+YEG3wobtUuzYtLyQNf2OX"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.11.0
Cancel-Lock: sha1:7i9BFrITZR+uyj0KS5OegYkIkwY=
In-Reply-To: <877dh23wd5.fsf@usenet.ankman.de>
Content-Language: en-US
 by: Kjetil Kjernsmo - Wed, 4 Aug 2021 10:06 UTC

On 04.08.2021 02:08, Andreas Kohlbach wrote:
> At least in the past Bluehost did terminate spammer accounts. Didn't had
> any spam recently involving them that I would know if they changed the hat
> color.

Alright, good to hear! I guess they haven't had a lot of complaints, and
that they don't necessarily terminate on first offence. That's alright,
even though I told them about the history here. They really need to take
it down now, I think.

> Seems to be spam targeted to you language. I find spam in languages other
> than English more interesting.

Yeah :-) Interestingly, spamming private persons has been illegal for a
long time in Norway, and I have on several occasions filed a report with
the Consumer Protection Authorities, but they have taken no action. I
believe that's the reason why he developed a sense of impunity.

>
> To make things easier you can sign up at Spamcop.

Alright, thanks, I did. Unfortunately, it was too old (I've been on
offline holidays).

Thanks!

Kjetil

Re: Hat check and help reporting persistent spammer

<sedp71$ip9$1@dont-email.me>


https://www.rocksolidbbs.com/computers/article-flat.php?id=150&group=news.admin.net-abuse.email#150

Newsgroups: news.admin.net-abuse.email
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: kjetil@kjernsmo.net (Kjetil Kjernsmo)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Hat check and help reporting persistent spammer
Date: Wed, 4 Aug 2021 12:12:48 +0200
Organization: A noiseless patient Spider
Lines: 37
Message-ID: <sedp71$ip9$1@dont-email.me>
References: <seciqn$82r$1@dont-email.me>
<alpine.OSX.2.20.2108032042030.93552@mako.ath.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 4 Aug 2021 10:12:49 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="b25983ed567c25a3f485498bbd84fef7";
logging-data="19241"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18J6OdoeSJt162KEEx2sxvy"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.11.0
Cancel-Lock: sha1:FaSCJeNbdZNrjV1th69DXYzEdk4=
In-Reply-To: <alpine.OSX.2.20.2108032042030.93552@mako.ath.cx>
Content-Language: en-US
 by: Kjetil Kjernsmo - Wed, 4 Aug 2021 10:12 UTC

On 04.08.2021 05:12, David Ritz wrote:
> Bluehost.com is one of the subsidiary brands of EIG (Endurance
> International Group), one of the world's largest web hosting providers.
> For a company this huge, they manage their network quite well.
>
> https://www.spamhaus.org/sbl/listings/endurance.com

OK, good!

>> Received: from cB2394BC1.dhcp.as2116.net [193.75.57.178] by nyhetsbrev1.org
>> with HTTP; Sat, 31 Jul 2021 06:37:33 +0000
> 193.75.57.178 is the origin of this message.
>
> % Abuse contact for '193.75.56.0 - 193.75.63.255' is 'abuse@globalconnect.no'
> inetnum: 193.75.56.0 - 193.75.63.255
> netname: VENTELO-DHCP-BERGEN
> e-mail: noc@globalconnect.no
> remarks: noc@globalconnect.no
> abuse-mailbox: abuse@globalconnect.no
> descr: BROADNET-NO-ROUTE

Right, I should send them an email too.

> This is mailing list, to which you are subscribed. We have no way of
> ascertainging how your address may have been added to this list,
> apparently nearly a decade ago. It may be time to do something about
> it. The lack of either or both does not portend well.

Yeah, actually, I did try a simple unsubscribe at some point. I suspect
that they have a master list that they seed new domains with, so they
unsubscribe from a list hosted by a domain, and then, they throw away
the domain and resubscribe everyone when they get a new list up on a new
domain.

Thanks!

Kjetil

Re: Hat check and help reporting persistent spammer

<87k0l12kn1.fsf@usenet.ankman.de>


https://www.rocksolidbbs.com/computers/article-flat.php?id=151&group=news.admin.net-abuse.email#151

Newsgroups: news.admin.net-abuse.email
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ank@spamfence.net (Andreas Kohlbach)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Hat check and help reporting persistent spammer
Date: Wed, 04 Aug 2021 13:18:58 -0400
Organization: A noiseless patient Spider
Lines: 35
Message-ID: <87k0l12kn1.fsf@usenet.ankman.de>
References: <seciqn$82r$1@dont-email.me> <877dh23wd5.fsf@usenet.ankman.de>
<sedor4$g2k$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: reader02.eternal-september.org; posting-host="da234a13d502cda55e845fd65ed0df99";
logging-data="22196"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18/1Zfct+Yp52yDELiQv9My"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:yiQjaK7Xc/sXCkA4VFKjXFR3DOk=
sha1:JTgCG2aV/4fF2eSHxF1LEJSjNrg=
X-No-Archive: Yes
X-Face: '#R~-oJz-_!iXhczPJ;=w1(`5-uQ2$0qHB7KKDV,]VoAC!P?swaa#m|eB<DkOt*XH=~9C[g S^w)b,)1q,{P\7Z3H,N(^m.YKuYM//B{X:PvbDk.|:g:$wVr*3*)[K6F+k\z-s32+oB]YJPy11wuGGz'bQAk~1.b1[;M{^A2@bboIENBB:Wd:<Fm~r7OuiJA1g}7KC-T'>Du+
X-Face-What-Is-It: Capture Bee from Galaga
 by: Andreas Kohlbach - Wed, 4 Aug 2021 17:18 UTC

On Wed, 4 Aug 2021 12:06:27 +0200, Kjetil Kjernsmo wrote:
>
> On 04.08.2021 02:08, Andreas Kohlbach wrote:

[...]

>> Seems to be spam targeted to your language. I find spam in languages other
>> than English more interesting.
>
> Yeah :-) Interestingly, spamming private persons has been illegal for
> a long time in Norway, but I have on several occasions filed a report
> with the Consumer Protection Authorities, but they have taken no
> action. I believe that's the reason why he developed a sense of
> impunity.

The GDPR (General Data Protection Regulation) also applies in Norway
AFAIK. One can keep a spammer busy replying to this (where did you get
my email address from?), while threatening to take legal action if
he doesn't reply and act appropriately.

>> To make things easier you can sign up at Spamcop.
>
> Alright, thanks, I did. Unfortunately, it was too old (I've been on
> offline holidays).

Yes, they only process spam newer than 24 hours. But I suppose your
spammer will spam you again, so you can file a complaint.

I used the spammer's registration option (PHPLIST) with a disposable
email address to see if he complies. There came a confirmation request
which said to ignore it if you haven't actually signed up (anyone can
register using any email address), known as double opt-in. If this
spammer sends me more mails I'm reporting him too.
--
Andreas
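The post above describes double opt-in as seen from the outside: anyone can submit any address, a confirmation request goes to that address, and nothing should happen unless the link in it is used. As an added example (not code from the original thread, nor PHPList's own implementation), the class below shows the server side of that flow in the shape a practitioner would want to see: the confirmation link carries an HMAC over the address and request time under a server-side key, so a third party who typed in someone else's address can neither confirm it nor forge a link, and stale links expire. The key, the 24-hour expiry and the addresses used are assumptions made for the example.

```python
import hashlib
import hmac
import time


class DoubleOptInList:
    """Server side of double opt-in.

    subscribe() is what the web form calls: it never adds an address, it only
    produces the parameters of a confirmation link that would be mailed to that
    address. confirm() is what the link calls; it adds the address only if the
    MAC verifies under the server key and the request is not stale.
    """

    TTL_SECONDS = 24 * 3600  # assumed expiry for unconfirmed requests

    def __init__(self, key, now=time.time):
        self.key = key        # server-side secret; never leaves the server
        self.now = now        # injectable clock so the expiry can be tested
        self.members = set()  # only confirmed addresses

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def _mac(self, email, ts):
        msg = f"{email}|{ts}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def subscribe(self, email):
        """Handle a subscription request for any address. Returns the link
        parameters that would be e-mailed to `email` (and only to `email`)."""
        email = self._norm(email)
        ts = int(self.now())
        return {"email": email, "ts": ts, "mac": self._mac(email, ts)}

    def confirm(self, email, ts, mac):
        """Handle a used confirmation link. Rejects expired links and any MAC
        that does not match, using a constant-time comparison."""
        email = self._norm(email)
        ts = int(ts)
        if self.now() - ts > self.TTL_SECONDS:
            return False
        if not hmac.compare_digest(self._mac(email, ts), mac):
            return False
        self.members.add(email)
        return True

    def recipients(self):
        """The only addresses that list mail is ever sent to."""
        return sorted(self.members)


if __name__ == "__main__":
    lst = DoubleOptInList(key=b"example-server-key")  # assumed key
    link = lst.subscribe("Someone@Example.invalid")   # assumed address
    print("members before confirmation:", lst.recipients())
    print("confirmed:", lst.confirm(**link))
    print("members after confirmation:", lst.recipients())
```

Because ts is covered by the MAC, a forged link cannot push the expiry into the future, and because the key never leaves the server, only the holder of the mailbox the link was sent to can complete the flow. Double opt-in does not stop someone from using the form to have confirmation mails sent to a victim, so the subscribe endpoint still needs per-source rate limiting.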

Re: Hat check and help reporting persistent spammer

https://www.rocksolidbbs.com/computers/article-flat.php?id=152&group=news.admin.net-abuse.email#152

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: kjetil@kjernsmo.net (Kjetil Kjernsmo)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Hat check and help reporting persistent spammer
Date: Fri, 6 Aug 2021 12:40:05 +0200
Organization: A noiseless patient Spider
Lines: 15
Message-ID: <sej3ig$mv9$1@dont-email.me>
References: <seciqn$82r$1@dont-email.me> <877dh23wd5.fsf@usenet.ankman.de>
<sedor4$g2k$1@dont-email.me> <87k0l12kn1.fsf@usenet.ankman.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 6 Aug 2021 10:40:16 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="19b4cc3b799547d1c23da137adbefdab";
logging-data="23529"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18W8Btz42+RWvg5s298POmF"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.11.0
Cancel-Lock: sha1:BMRgdhcsRJ3XfPODmAOmpUDSYH0=
In-Reply-To: <87k0l12kn1.fsf@usenet.ankman.de>
Content-Language: en-US
 by: Kjetil Kjernsmo - Fri, 6 Aug 2021 10:40 UTC

On 04.08.2021 19:18, Andreas Kohlbach wrote:
> The GDPR (General Data Protection Regulation) also applies in Norway
> AFAIK. One can keep a spammer busy replying to this (where did you get
> my email address from?), while threatening to take legal action if
> he doesn't reply and act appropriately.
>

Right. Interesting, I might see if the Data Inspectorate is more
interested in taking action than the Consumer Protection is.

Bluehost responded that they had taken action again, BTW. Everything
still resolves, so I asked what that action would have been, but I have
had no response to that.

Kjetil

Re: Hat check and help reporting persistent spammer

https://www.rocksolidbbs.com/computers/article-flat.php?id=157&group=news.admin.net-abuse.email#157

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ank@spamfence.net (Andreas Kohlbach)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Hat check and help reporting persistent spammer
Date: Fri, 06 Aug 2021 19:21:48 -0400
Organization: A noiseless patient Spider
Lines: 23
Message-ID: <871r76yx9v.fsf@usenet.ankman.de>
References: <seciqn$82r$1@dont-email.me> <877dh23wd5.fsf@usenet.ankman.de>
<sedor4$g2k$1@dont-email.me> <87k0l12kn1.fsf@usenet.ankman.de>
<sej3ig$mv9$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: reader02.eternal-september.org; posting-host="5fd280477e1c5086384aecdcb681d68a";
logging-data="6092"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19kVG7W4ZJFSVFd5BZQelxA"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:j3faSmubSi3SHXFBVbAQoKFz76E=
sha1:okti7c0BMlDp0oSi8U+QWNOtwzg=
X-Face: '#R~-oJz-_!iXhczPJ;=w1(`5-uQ2$0qHB7KKDV,]VoAC!P?swaa#m|eB<DkOt*XH=~9C[g S^w)b,)1q,{P\7Z3H,N(^m.YKuYM//B{X:PvbDk.|:g:$wVr*3*)[K6F+k\z-s32+oB]YJPy11wuGGz'bQAk~1.b1[;M{^A2@bboIENBB:Wd:<Fm~r7OuiJA1g}7KC-T'>Du+
X-Face-What-Is-It: Capture Bee from Galaga
 by: Andreas Kohlbach - Fri, 6 Aug 2021 23:21 UTC

On Fri, 6 Aug 2021 12:40:05 +0200, Kjetil Kjernsmo wrote:
>
> On 04.08.2021 19:18, Andreas Kohlbach wrote:
>> The GDPR (General Data Protection Regulation) also applies in Norway
>> AFAIK. One can keep a spammer busy replying to this (where did you get
>> my email address from?), while threatening to take legal action if
>> he doesn't reply and act appropriately.
>>
>
> Right. Interesting, I might see if the Data Inspectorate is more
> interested in taking action than the Consumer Protection is.
>
> Bluehost responded that they had taken action again, BTW. Everything
> still resolves, so I asked what that action would have been, but I
> have had no response to that.

They won't say what action they took, to protect privacy.

Perhaps they terminate the account, or warn the user that they will do
so if he doesn't stop spamming. Assuming that, it's important to send
another complaint if he spams again, so that he loses his account.
--
Andreas

