Abuse of Spamcop horror story

[solarcurt]

My hosting company ipowerweb.com suspended my website xyzworks.com with no email telling me it was going down or why. I am clearly not spamming and can prove it easily, but that makes no difference, there is no chance to even make that point. Their abuse department is apparently overloaded, and the only contact with them is by email, and the only info I can get from them after 6 days and 15 emails, is it was a Spamcop report. This has cost me thousands of dollars of work in switching to a new hosting company and rebuilding our website, and loss of business due to our website and online store being down for several days while I worked on getting another hosting co working. So what am I supposed to do when I am injured this badly and the only info I have is a Spamcop report did it? (they sent me no copy of any spamcop report or link, and are not responding to emails)

I have emailed this to blproblem <at> spamcop along with my IP and my mailserver IP to try to track this down, but maybe someone here has a better idea?

[loafman]

My hosting company ipowerweb.com suspended my website xyzworks.com with no email telling me it was going down or why.  I am clearly not spamming and can prove it easily, but that makes no difference, there is no chance to even make that point. Their abuse department is apparently overloaded, and the only contact with them is by email, and the only info I can get from them after 6 days and 15 emails, is it was a Spamcop report.  This has cost me thousands of dollars of work in switching to a new hosting company and rebuilding our website, and loss of business due to our website and online store being down for several days while I worked on getting another hosting co working.  So what am I supposed to do when I am injured this badly and the only info I have is a Spamcop report did it?  (they sent me no copy of any spamcop report or link, and are not responding to emails)

I have emailed this to blproblem <at> spamcop along with my IP and my mailserver IP to try to track this down, but maybe someone here has a better idea?

Without an IP address to reference no one can address your problem...

...Ken

[Derek T]

I am clearly not spamming and can prove it easily,

How exactly?

1. Do you use a confirmed opt-in system if you use bulk email?

2. Can you be sure that spam is not being sent through a server you control?

If possible, please post here the IP of any email server you control and then 'we' can start helping: otherwise we are as much in the dark as you.

[DavidT]

Given what you've told us about your former web host, I wouldn't trust what they had to say. Why did you take it at face value? You'll need to give us the IP address that was supposedly complained about, however, if you want any sort of assistance.

DT

[solarcurt]

Given what you've told us about your former web host, I wouldn't trust what they had to say. Why did you take it at face value? You'll need to give us the IP address that was supposedly complained about, however, if you want any sort of assistance.

DT

16139[/snapback]

OK here is the IP address of the mail server that I used at ipowerweb, 66.235.203.191

[Derek T]

Senderbase says:

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 3.8 2418%

Last 30 days 3.4 1070%

Average 2.4

You are obviously hacked, probably SMTP/Auth - see FAQ

[solarcurt]

How exactly?

1. Do you use a confirmed opt-in system if you use bulk email?

2. Can you be sure that spam is not being sent through a server you control?

If possible, please post here the IP of any email server you control and then 'we' can start helping: otherwise we are as much in the dark as you.

16136[/snapback]

1. I did send 1 email to a confirmed opt-in list of about 300 of our customers who asked to be notified about free updates to our software when available, which I have been doing without complaint about once every 2 months for 3 years. In fact not even any 'remove' requests since these people own our software and want to know when there are free updates.

2. The only way I know to be sure of that would be to get info from the sysadmin and they wont even give me the spamcop report that they mention.

[dra007]

Your IP shows a LARGE INCREASE of activiry recently. This may be an indication of a virus/hacker attack on that server.

You are also listed in other places HERE!!

[solarcurt]

Senderbase says:

Volume Statistics for this IP 

Magnitude Vol Change vs. Average

Last day 3.8 2418%

Last 30 days 3.4 1070%

Average 2.4

You are obviously hacked, probably SMTP/Auth - see FAQ

16150[/snapback]

That mail server is a shared server with hundreds of customers on it that I dont control. If I were hacked, how could I find out? A large increase in volume would be normal since they are adding new customers on that server at a fast rate and just started putting customers on that server. I haven't even been able to access it for the past 5 days since I was shut down, so any volume there is not from me!

[solarcurt]

Your IP shows a LARGE INCREASE of activiry recently. This may be an indication of a virus/hacker attack on that server.

You are alos listed in other places HERE!!

16152[/snapback]

The second link you give is the wrong IP, it ends in 191. When I search there with 191 it says its listed in 2 of 264 tested, and you are always in at least 3 or more of them.

[solarcurt]

Senderbase says:

Volume Statistics for this IP 

Magnitude Vol Change vs. Average

Last day 3.8 2418%

Last 30 days 3.4 1070%

Average 2.4

You are obviously hacked, probably SMTP/Auth - see FAQ

16150[/snapback]

I looked at the FAQ and I dont think its SMTP/Auth since its a UNIX based server, and that sounds like a windows server problem. Also, ipowerweb is one of the biggest hosting companies with 230,000 hosted sites, I think they would know how to detect/avoid a hacked email server?

[DavidT]

Bottom line....since it was a shared server, only the host can really tell you what evidence they had. You need to be much more agressive with them.

DT

[Wazoo]

ipowerweb has a bit of a history with SpamCop ... try the Search function ... What's different about your story is that most (if not all) of the other issues deal with e-mail problems and the BL. Your complaint deals with termination of a web page, so not sure why you're bringing up the IP of an e-mail server to begin with. You say you received no complaints, but one would assume that any complaints from a SpamCop user would not go to you. These days, two years is a long time for some e-mail addresses .. you may have a confirmation from someone two years ago, but that specific e-mail address may have changed hands, one person dropping it due to being over-run with spam, another person delighted later to find that this address was "available" ...

[StevenUnderwood]

I looked at the FAQ and I dont think its SMTP/Auth since its a UNIX based server, and that sounds like a windows server problem.

No SMTP/Auth hack, while most prevalent on Microsoft Exchange servers because that is the default configuration, can happen on any mail server that:

a) allows SMTP/Auth from external IP addresses and

has 1 account with an insecure password

[solarcurt]

ipowerweb has a bit of a history with SpamCop ... try the Search function ... What's different about your story is that most (if not all) of the other issues deal with e-mail problems and the BL.  Your complaint deals with termination of a web page, so not sure why you're bringing up the IP of an e-mail server to begin with.  You say you received no complaints, but one would assume that any complaints from a SpamCop user would not go to you.  These days, two years is a long time for some e-mail addresses .. you may have a confirmation from someone two years ago, but that specific e-mail address may have changed hands, one person dropping it due to being over-run with spam, another person delighted later to find that this address was "available" ...

16162[/snapback]

It was termination of my hosting account which included the webpage, FTP and email. But the reason given by them was it was due to a Spamcop report which is clearly dealing with email.

[Wazoo]

It was termination of my hosting account which included the webpage, FTP and email.  But the reason given by them was it was due to a Spamcop report which is clearly dealing with email.

Just to clear things up, are "you" saying that the complaint (only one?) was specifically an e-mail issue or did ipowerweb? There is also the case of the spamvertised website at issue, which may have increased the "nuisance" decision at the ipowerweb abuse desk, both an output e-mail server and your URL for a hosted site. The difference here is how to ask the Deputies for what kind of assistance in figuring out what actually happened.

[StevenUnderwood]

It was termination of my hosting account which included the webpage, FTP and email. But the reason given by them was it was due to a Spamcop report which is clearly dealing with email.

Not necesarrily, there are 2 types of reports that can be sent out from spamcop.

The first states to the ISP that the IP in question was the source of the spam message. These reports are counted toward the blocklist.

The second states to the ISP that a web page on an IP they are responsible for was advertised in a spam message. These reports are notification only and do not lead to blocklisting.

There have been a few instances where the ISP, upon receiving the web page notification, immediatedly closed down the entire operation, like they did to you. If I am not mistaken, one of those might have been ipowerweb as well. Without the report information, there is no way for us to tell (deputies might be able to pull that information).

[Robert Slade]

Having just come to this thread, it looks like something has gone adrift with the responses. You say that your web site was suspended based on a Spamcop report. This seems to me a bit odd. Spamcop reports go to the abuse desk for the originating (mail) IP address and to the abuse desk for the IP address of the spamvertised web site. If the report was one for the web site, then the mail server address is irrelevant.

There can be several reasons for your Web site being reported. The first is unsolicited e-mails advertising it. It maybe legal in the US to send such a mail under the Canspam Act, it is not legal in other countries. In addition, any unsolicited mail is spam and can and will be reported.

Another cause is that some twisted individual has sent out e-mails advertising your site in order to close it down. This is sometimes known as a Joe Job – do a goggle for a full explanation.

If neither are the case, it is also possible that your e-mails to your opt-in list (you do a double opt in don’t you?) have been reported by a Spamcop user. Unfortunately, there are users who opt-in to lists and then report the mail because they don’t bother to check what they are reporting even though there is a warning on the reporting page. Spamcop, suspends these reporters when it happens.

You may be able to get some information on what happened from deputies <at> spamcop.net if you supply them with IP addresses etc of your site and mail servers.

However, in any case, your hosting ISP should be reacting better, abuse desks being overloaded usually means that they have a major problem and it looks to me that they are just doing a knee jerk reaction instead of investigating properly. The sightings show that their mail servers have a problem (probably the SPTP/auth hack); it maybe that your move to a different hosting service is a blessing in disguise.

BTW you are right the SMTP hack refers to an exchange problem.

Hope this helps,

[dra007]

Not really, there are also reports for web-advertized sites which come with the spam e-mail...

And you never stated the nature of the busines...that my give us some clue (i.e. pyrated software, enlargement pills, mortgage quotes, etc.)

[solarcurt]

You say that your web site was suspended based on a Spamcop report. This seems to me a bit odd. Spamcop reports go to the abuse desk for the originating (mail) IP address and to the abuse desk for the IP address of the spamvertised web site. If the report was one for the web site, then the mail server address is irrelevant.

If neither are the case, it is also possible that your e-mails to your opt-in list (you do a double opt in don’t you?) have been reported by a Spamcop user. Unfortunately, there are users who opt-in to lists and then report the mail because they don’t bother to check what they are reporting even though there is a warning on the reporting page. Spamcop, suspends these reporters when it happens.

You may be able to get some information on what happened from deputies <at> spamcop.net if you supply them with IP addresses etc of your site and mail servers.

However, in any case, your hosting ISP should be reacting better, abuse desks being overloaded usually means that they have a major problem and it looks to me that they are just doing a knee jerk reaction instead of investing properly.  The sightings show that their mail servers have a problem (probably the SPTP/auth hack); it maybe that your move to a different hosting service is a blessing in disguise.

16175[/snapback]

Yes that helps I will send it to the deputies. Think of the chaos that errors in using spamcop are making when hosting companies shut a company down due to one complaint and no way to even find out more details! I think it is the case of someone who opted into the list and then forgot they were on it and reported it through spamcop. I want to find out if thats the case.

[solarcurt]

Not really, there are also reports for web-advertized sites which come with the spam e-mail...

And you never stated the nature of the busines...that my give us some clue (i.e. pyrated software, enlargement pills, mortgage quotes, etc.)

16179[/snapback]

The business is software for Civil Engineering & Land surveying that runs on PocketPCs. Not a likely target for spamvertizing. I am not sure what you mean there are reports for web-ad sites with the spam email? What sites and what email?

[solarcurt]

Just to clear things up, are "you" saying that the complaint (only one?) was specifically an e-mail issue or did ipowerweb?  There is also the case of the spamvertised website at issue, which may have increased the "nuisance" decision at the ipowerweb abuse desk, both an output e-mail server and your URL for a hosted site.  The difference here is how to ask the Deputies for what kind of assistance in figuring out what actually happened.

16172[/snapback]

ipowerweb has said that it was 1 email reported by spamcop causing the total shutdown. They said "We have provided the link that we recieve from spamcop, you will need to contact them for more infotmation." (their spelling errors included) and then they didnt give me a link!

I don't know what you mean about the spamvertised website or how that relates to me?

[turetzsr]

...Sorry to hear of your problems. Yes, spammers have spoiled things for everyone!

ipowerweb has said that it was 1 email reported by spamcop causing the total shutdown.  They said "We have provided the link that we recieve from spamcop, you will need to contact them for more infotmation." (their spelling errors included)  and then they didnt give me a link!

16187[/snapback]

...If that's what they did, then it sounds to me as if you are well rid of such an irresponsible hosting service. Too bad you had to learn how bad they were the hard way and at such cost.

I don't know what you mean about the spamvertised website or how that relates to me?

16187[/snapback]

...If you're certain it's an e-mail report at issue (and I don't know why you'd trust the word of the ipowerweb yo-yos, under the circumstances), then spamvertising almost certainly has nothing to do with your problem. It would only if the URL of your web site were included in the body of a spam (which, as you point out, is unlikely, unless someone were deliberately trying to get you in trouble [see Joe Job, as referenced elsewhere in this thread]).

[Miss Betsy]

Think of the chaos that errors in using spamcop are making when hosting companies shut a company down due to one complaint and no way to even find out more details! I think it is the case of someone who opted into the list and then forgot they were on it and reported it through spamcop. I want to find out if thats the case.

I hope you do find out what happened so that it makes you feel better. However, spamcop only sent a report - (if it did - so far you have no evidence that they didn't simply screw up and cancel you instead of someone else or that it was a report from someone who was not using spamcop) . Your hosting company is the one who made the decision to shut you down. If they did so on the strength of one report, which, if what you have said is accurate, should have demonstrated by its content that it was not necessarily spam, you are much better off without them. A competent hosting company treats spamcop reports as reports, not mandates. There are several different avenues to resolve a problem. And, they should know that one report will not cause an IP address to be listed.

And I hope that in the rush to find another site that you have not jumped out of the frying pan into the fire.

Miss Betsy

[Wazoo]

And I hope that in the rush to find another site that you have not jumped out of the frying pan into the fire.

Checking earlier today, I saw that the web site is currently residing at powweb, and there's a number of regular posters over in the newsgroups that also have stuff hosted there. I handle a number of sites there. If you recall way back when, I was pointing to them as an example of laying out these Forums. Only the thought that this user was already ticked off at the world prevented me from making comments on what I could make out of the web-site.