
[Resolved] Spammer Got Us Listed


ArielHost


A spammer/fraudster signed up for hosting with us and got our mailserver IP listed (66.90.73.63). The account was removed as soon as we became aware of the spam, and is set to delist from Spamcop in about 2 hours.

Is there a web site where I can easily check the other blocklists to see where else this "person" got us listed?


> Is there a web site where I can easily check the other blocklists to see where else this "person" got us listed?

There are a number of them, I'm sure - dnsstuff (http://www.dnsstuff.com/) covers quite a few:

http://www.dnsstuff.com/tools/ip4r.ch?ip=66.90.73.63

Senderbase confirms your volume stats are/were through the roof, currently

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day         4.7         16453%
Last 30 days     3.4         675%
Average          2.5

... and has a "click here" function to show real-time blacklists:

http://www.senderbase.org/search?searchStr...73.63&showRBL=1

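The web tools above do the same thing a script can do directly: reverse the IP's octets, append the list's zone, and look up an A record (the thread later shows bl.spamcop.net answering 127.0.0.2 for this IP). The following is an added example, not code from any poster; the zones other than bl.spamcop.net and the injectable resolver (so it can be exercised offline) are assumptions.

```python
import socket
from typing import Callable, Dict, Optional

# bl.spamcop.net is the list from the thread; the other zones are widely used
# public DNSBLs added here as assumptions, not something the thread names.
ZONES = ["bl.spamcop.net", "zen.spamhaus.org", "b.barracudacentral.org"]

Resolver = Callable[[str], Optional[str]]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 66.90.73.63 -> 63.73.90.66.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name: str) -> Optional[str]:
    """Live lookup: an A record means listed, NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def listing_code(answer: Optional[str]) -> Optional[str]:
    """Only 127.0.0.0/8 answers are listing codes. 127.255.255.0/24 is the
    range Spamhaus uses to signal query errors (blocked resolver, over quota),
    so it is reported as None rather than as a listing."""
    if not answer or not answer.startswith("127."):
        return None
    if answer.startswith("127.255.255."):
        return None
    return answer

def check_dnsbls(ip: str, zones=ZONES, resolve: Resolver = system_resolver) -> Dict[str, Optional[str]]:
    """Map each zone to its listing code for ip, or None if not listed."""
    return {zone: listing_code(resolve(dnsbl_query_name(ip, zone))) for zone in zones}

if __name__ == "__main__":
    for zone, code in check_dnsbls("66.90.73.63").items():
        print(f"{zone}: {'listed ' + code if code else 'not listed'}")
```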

That spammer was abusing your system by sending "Notification of limited account access." emails since Saturday night. Please be more attentive to SpamCop Reports. Please also be aware that your domain is eligible for listing in whois.rfc-ignorant.org under http://www.rfc-ignorant.org/policy-whois.php due to "Fax: +1.5555555555" in its registration, which should be changed immediately. Thanks!


> That spammer was abusing your system by sending "Notification of limited account access." emails since Saturday night. Please be more attentive to SpamCop Reports. Please also be aware that your domain is eligible for listing in whois.rfc-ignorant.org under http://www.rfc-ignorant.org/policy-whois.php due to "Fax: +1.5555555555" in its registration, which should be changed immediately. Thanks!

Jeff,

Unfortunately the notices were going to our data center instead of to us. We have corrected that and now should receive the notices directly, which would allow us to take quicker action.

Thanks for pointing out the error in the fax information; it is now corrected as well.

This person used a stolen credit card to sign up, which has also forced us to sign up for some additional services (FraudGuardian and Varilogix fraud callback service) to prevent these types of things from re-occurring. We think the same spammer tried to sign up again this morning with another stolen credit card, but this time FraudGuardian stopped them.

The interesting thing is that they are using AOL IPs to sign up. I've also sent email to AOL's abuse department, but I'm not holding my breath for any type of action.

Apologies to anyone affected, this has been a big hassle for us too.

Ariel


Thanks for making those changes.

> Unfortunately the notices were going to our data center instead of to us. We have corrected that and now should receive the notices directly, which would allow us to take quicker action.

Your correction does not seem to have taken effect yet - SpamCop's Parser still suggests sending Reports for 66.90.73.63 to abuse[at]fdcservers.net. The best way to get your own copies of Reports is to follow How can I get SpamCop reports about my network? (apologies if you already did that).

Jeff,

This morning it said that our listing would be removed in 2 hours, but it is still showing up. Is there anything else that needs to be done on our end? The spew should be completely stopped at this point, but I would assume that there are some people who have not checked their email yet and may still report.

Ariel


At the time of this post:

66.90.73.63 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.

There is a FAQ entry here just for that situation ... SCBL "will be delisted in 0 hours" (now shown as 'in a short time') explained

But as pointed out on that same 'status report' ... there are both spamtrap hits and user complaints feeding the listing ... there may be a connection, there may be more to the story .... SenderBase numbers do not look promising at this point ... setting a data point here for future comparison ...

http://www.senderbase.org/?searchBy=ipaddr...ing=66.90.73.63

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day         4.4         8818%
Last 30 days     3.4         677%
Average          2.5

Though noting that this is down from farelf's capture a few hours ago ....

Data Point - 1914 -5 GMT

Report on IP address: 66.90.73.63

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day         3.0         151%
Last 30 days     3.4         678%
Average          2.5


The spammer only opened one account. We have been monitoring Exim logs all day and nothing unusual has been sent - although, since we cut him off last night, no doubt there will be other reports as people look at their email.

It was indeed Paypal phishing emails, and the spammer also used a stolen credit card to sign up with us (we've implemented extra anti-fraud procedures to combat this in the future).

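"Monitoring Exim logs all day" by eye is what the host above describes; a per-account rate check over the mainlog catches a single hosting account injecting a burst of mail much earlier. This is an added example, not the host's own tooling: the log lines are constructed, and Exim's default mainlog layout (arrival lines marked "<=" with U= for a local user or A= for an authenticated sender) is assumed since the thread quotes no logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Exim's default mainlog layout (an assumption). "<=" lines
# are arrivals, "=>" deliveries. Local account U=spamacct injects four in four seconds.
SAMPLE_LOG = """\
2005-03-01 02:10:03 1D6Xy5-0000aB-1f <= phish@hostedsite.example U=spamacct P=local S=2345
2005-03-01 02:10:04 1D6Xy5-0000aC-2g <= phish@hostedsite.example U=spamacct P=local S=2345
2005-03-01 02:10:05 1D6Xy5-0000aD-3h <= phish@hostedsite.example U=spamacct P=local S=2345
2005-03-01 02:10:06 1D6Xy5-0000aE-4i <= phish@hostedsite.example U=spamacct P=local S=2345
2005-03-01 02:30:00 1D6Xy6-0000aG-6k <= alice@example.org H=(pc) [192.0.2.10] P=esmtpa A=login:alice S=1200
2005-03-01 02:31:00 1D6Xy6-0000aG-6k => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20]
"""

ARRIVAL = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= (\S+)(.*)$")

def originating_account(sender: str, rest: str) -> str:
    """Key on the SMTP AUTH id (A=), else the local user (U=), else the envelope sender."""
    for key in ("A=", "U="):
        m = re.search(r"\b" + key + r"(\S+)", rest)
        if m:
            return m.group(1)
    return sender

def arrivals_by_account(log_text: str) -> dict:
    """Arrival timestamps per originating account; non-arrival lines are ignored."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            times[originating_account(m.group(2), m.group(3))].append(ts)
    return times

def peak_in_window(times: list, window: timedelta) -> int:
    """Most messages from one account inside any sliding window of that width."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_bursts(log_text: str, window: timedelta, threshold: int) -> dict:
    """Accounts whose peak rate reaches the threshold, with that peak count."""
    peaks = {a: peak_in_window(ts, window) for a, ts in arrivals_by_account(log_text).items()}
    return {a: n for a, n in peaks.items() if n >= threshold}
```

Run against the live mainlog with a window and threshold tuned to the host's normal per-account volume; the flagged account is the one to suspend and investigate.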

Thanks to everyone who provided help in this thread... looks like our Senderbase numbers are back to normal. Thank you very much to Jeff - now that we are getting copied on Spamcop reports, we can take action MUCH quicker if it happens again.

It's very sad that we now have to pay extra money per transaction for added fraud protection as well as have techs spend time monitoring logs (as opposed to helping customers), but there really isn't any other option... we certainly don't want a repeat of this situation!

Edit: Forgot to mention, the same "person" tried it again, but this time got flagged for fraud. Fortunately in both cases we informed the bank about the stolen credit card. Looks like the fraudster is located in Germany.


> Looks like the fraudster is located in Germany.

If the spam was in English, it's a good bet that the fraudster was in the US and was just using resources in Germany. You and/or your bank could follow the money and product by investing a bit of money in ordering a small quantity of whatever the fraudster is selling so you can track where your money goes and where the product is shipped from. If the fraudster is in the US, add up all the extra money you have already spent (plus hours of labor converted to opportunity cost of that labor) and would have to spend going forward to provide ASAP the same level of service to your legitimate customers that they got before the incidents, and think about calling the FBI. From what I hear, they are most interested in such out-of-pocket damages that exceed $5,000.
