ArielHost

[Resolved] Spammer Got Us Listed


A spammer/fraudster signed up for hosting with us and got our mailserver IP listed (66.90.73.63). The account was removed as soon as we became aware of the spam, and is set to delist from Spamcop in about 2 hours.

Is there a web site where I can easily check the other blocklists to see where else this "person" got us listed?

Is there a web site where I can easily check the other blocklists to see where else this "person" got us listed?


There are a number of them, I'm sure - dnsstuff (http://www.dnsstuff.com/) covers quite a few:

http://www.dnsstuff.com/tools/ip4r.ch?ip=66.90.73.63

Senderbase confirms your volume stats are/were through the roof, currently

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day         4.7         16453%
Last 30 days     3.4         675%
Average          2.5

... and has a "click here" function to show real-time blacklists:

http://www.senderbase.org/search?searchStr...73.63&showRBL=1

Edited by Farelf


Thanks for the link Farelf. It looks like the guy only got us into two lists; fortunately we shut it off pretty quickly, but some still got out.


Thanks for keeping such a watchful eye on your system. Wish everyone did the same.


That spammer was abusing your system by sending "Notification of limited account access." emails since Saturday night. Please be more attentive to SpamCop Reports. Please also be aware that your domain is eligible for listing in whois.rfc-ignorant.org under http://www.rfc-ignorant.org/policy-whois.php due to "Fax: +1.5555555555" in its registration, which should be changed immediately. Thanks!

That spammer was abusing your system by sending "Notification of limited account access." emails since Saturday night. Please be more attentive to SpamCop Reports. Please also be aware that your domain is eligible for listing in whois.rfc-ignorant.org under http://www.rfc-ignorant.org/policy-whois.php due to "Fax: +1.5555555555" in its registration, which should be changed immediately. Thanks!

Jeff,

Unfortunately the notices were going to our data center instead of to us. We have corrected that and now should receive the notices directly, which would allow us to take quicker action.

Thanks for pointing out the error in the fax information; it is now corrected as well.

This person used a stolen credit card to sign up, which has also forced us to sign up for some additional services (FraudGuardian and Varilogix fraud callback service) to prevent these types of things from re-occurring. We think the same spammer tried to sign up again this morning with another stolen credit card, but this time FraudGuardian stopped them.

The interesting thing is that they are using AOL IPs to sign up. I've also sent email to AOL's abuse department, but I'm not holding my breath for any type of action.

Apologies to anyone affected, this has been a big hassle for us too.

Ariel


Thanks for making those changes.

Unfortunately the notices were going to our data center instead of to us. We have corrected that and now should receive the notices directly, which would allow us to take quicker action.

Your correction does not seem to have taken effect yet - SpamCop's Parser still suggests sending Reports for 66.90.73.63 to abuse[at]fdcservers.net. The best way to get your own copies of Reports is to follow How can I get SpamCop reports about my network? (apologies if you already did that).


Jeff,

I signed us up in the link you provided, so hopefully we now receive any spam reports from our server.

Thank you for your help,

Ariel


You're welcome.


Jeff,

This morning it said that our listing would be removed in 2 hours, but it is still showing up. Is there anything else that needs to be done on our end? The spew should be completely stopped at this point, but I would assume that there are some people who have not checked their email yet and may still report.

Ariel


There have been a lot more reports made today. Have you checked this server to ensure you have stopped the spam run? Did the spammer open more than 1 account?


At the time of this post:

66.90.73.63 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.

There is a FAQ entry here just for that situation ... SCBL "will be delisted in 0 hours" (now shown as 'in a short time') explained

But as pointed out on that same 'status report' ... there are both spamtrap hits and user complaints feeding the listing ... there may be a connection, there may be more to the story .... SenderBase numbers do not look promising at this point ... setting a data point here for future comparison ...

http://www.senderbase.org/?searchBy=ipaddr...ing=66.90.73.63

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day         4.4         8818%
Last 30 days     3.4         677%
Average          2.5

Though noting that this is down from farelf's capture a few hours ago ....

Data Point - 1914 -5 GMT

Report on IP address: 66.90.73.63

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day         3.0         151%
Last 30 days     3.4         678%
Average          2.5

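The question at the top of the thread (where else is this IP listed?) and the status line in this post (`66.90.73.63 listed in bl.spamcop.net (127.0.0.2)`) both come down to the same DNS mechanic: a DNSBL is queried by reversing the IP's octets, appending the list's zone, and doing an A lookup; an answer in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed". The example below is added here and is not code from the thread, SpamCop or any of the linked sites. It assumes `bl.spamcop.net` (named in the thread) plus a constructed placeholder zone `dnsbl.example.invalid`; the `resolve` parameter is injected so the logic can be checked without network access.

```python
"""Look up an IPv4 address in DNS-based blocklists (DNSBLs).

Query-name convention: reverse the dotted quad and append the zone, e.g.
66.90.73.63 -> 63.73.90.66.bl.spamcop.net. An A answer inside 127.0.0.0/8
means the address is listed; no answer (NXDOMAIN) means it is not.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# bl.spamcop.net appears in the thread; the second zone is a constructed
# placeholder standing in for any other list you want to consult.
DNSBLS: List[str] = ["bl.spamcop.net", "dnsbl.example.invalid"]

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_response(answer: Optional[str]) -> bool:
    """True when the answer is a 127.0.0.0/8 address (the 'listed' signal)."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def live_resolver(name: str) -> Optional[str]:
    """Resolve with the system DNS; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: List[str] = DNSBLS,
             resolve: Resolver = live_resolver) -> Dict[str, Optional[str]]:
    """Return {zone: raw answer or None} for each list."""
    return {zone: resolve(dnsbl_query_name(ip, zone)) for zone in zones}


def listed_zones(results: Dict[str, Optional[str]]) -> List[str]:
    """Names of the lists whose answer means 'listed', sorted for stable output."""
    return sorted(zone for zone, answer in results.items() if is_listed_response(answer))


if __name__ == "__main__":
    # Live check of the IP discussed in the thread (needs network access).
    results = check_ip("66.90.73.63")
    for zone, answer in results.items():
        print(f"{zone:25} {answer or 'not listed'}")
    print("listed in:", listed_zones(results) or "nothing")
```

Two caveats a practitioner should keep in mind: the specific 127.0.0.x value often encodes why an address was listed (or, on some lists, an error condition such as a refused query), so read each list's documentation before treating every 127.x answer as a plain listing; and the page's "delisted in a short time" status is driven by the same data this lookup reads, so re-running the check after the delist window is the quickest way to confirm removal.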

Most of them have a subject line of: "Your account is limited"

This is frequently a subject line used in PayPal (and other) phishes from compromised machines.


The spammer only opened one account. We have been monitoring Exim logs all day and nothing unusual has been sent - although, since we cut him off last night, no doubt there will be other reports as people look at their email.

It was indeed PayPal phishing emails, and the spammer also used a stolen credit card to sign up with us (we've implemented extra anti-fraud procedures to combat this in the future).

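"Monitoring Exim logs all day" for a run like this is easier to automate than to do by eye: every message Exim accepts produces a `<=` line in its mainlog carrying the authenticated account (`A=authenticator:id`) and, when the `+subject` log selector is enabled, the subject (`T="..."`). The example below is added here and is not code from the thread or from Exim; it uses a constructed log sample, assumes the `+subject` selector is on, and flags accounts by per-account volume and by the two subject lines the thread names ("Your account is limited", "Notification of limited account access.").

```python
"""Triage an Exim mainlog for a phishing/spam run by authenticated account.

Only '<=' (message received) lines are considered; '=>' delivery lines are
skipped. Subject logging (T="...") requires log_selector = +subject in Exim.
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed sample mainlog lines; not from the server discussed in the thread.
SAMPLE_LOG = """\
2005-08-08 21:02:11 1E0Abc-0001aB-2x <= legit@example.com H=(ws1) [192.0.2.10] P=esmtpa A=plain:legit S=1834 T="Invoice 1042"
2005-08-08 21:02:40 1E0Abd-0001aC-3y <= service@example.net H=(pc) [198.51.100.7] P=esmtpa A=login:newcust S=2210 T="Your account is limited"
2005-08-08 21:02:41 1E0Abe-0001aD-4z <= service@example.net H=(pc) [198.51.100.7] P=esmtpa A=login:newcust S=2210 T="Your account is limited"
2005-08-08 21:02:42 1E0Abf-0001aE-5a <= service@example.net H=(pc) [198.51.100.7] P=esmtpa A=login:newcust S=2210 T="Notification of limited account access."
2005-08-08 21:02:43 1E0Abg-0001aF-6b <= service@example.net H=(pc) [198.51.100.7] P=esmtpa A=login:newcust S=2210 T="Your account is limited"
2005-08-08 21:03:05 1E0Abh-0001aG-7c <= legit@example.com H=(ws1) [192.0.2.10] P=esmtpa A=plain:legit S=901 T="Re: meeting"
2005-08-08 21:03:09 1E0Abi-0001aH-8d => bob@example.org R=dnslookup T=remote_smtp H=mx.example.org [203.0.113.5]
"""

ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) ")
AUTH_RE = re.compile(r" A=(?P<auth>\S+)")
SUBJECT_RE = re.compile(r' T="(?P<subject>[^"]*)"')

# Subject fragments from the phishing run described in the thread (lower-cased).
PHISH_SUBJECTS: Tuple[str, ...] = ("account is limited", "limited account access")


def parse_arrivals(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (auth_id, envelope_sender, subject) for each '<=' line."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # delivery, defer, bounce or unrelated line
        auth = AUTH_RE.search(line)
        subj = SUBJECT_RE.search(line)
        yield (
            auth.group("auth") if auth else "(unauthenticated)",
            m.group("sender"),
            subj.group("subject") if subj else "",
        )


def summarize(log_text: str) -> Dict[str, dict]:
    """Per account: message count, phishing-style subject count, distinct senders."""
    stats: Dict[str, dict] = defaultdict(lambda: {"messages": 0, "phish": 0, "senders": set()})
    for auth, sender, subject in parse_arrivals(log_text):
        entry = stats[auth]
        entry["messages"] += 1
        entry["senders"].add(sender)
        if any(frag in subject.lower() for frag in PHISH_SUBJECTS):
            entry["phish"] += 1
    return dict(stats)


def flag_accounts(stats: Dict[str, dict], max_messages: int = 3,
                  max_phish: int = 1) -> Dict[str, List[str]]:
    """Accounts over the volume threshold or emitting phishing-style subjects."""
    flagged: Dict[str, List[str]] = {}
    for auth, entry in stats.items():
        reasons = []
        if entry["messages"] > max_messages:
            reasons.append(f"{entry['messages']} messages exceeds {max_messages}")
        if entry["phish"] >= max_phish:
            reasons.append(f"{entry['phish']} phishing-style subjects")
        if reasons:
            flagged[auth] = reasons
    return flagged


if __name__ == "__main__":
    for auth, reasons in flag_accounts(summarize(SAMPLE_LOG)).items():
        print(auth, "->", "; ".join(reasons))
```

The volume threshold here is deliberately low for the sample; on a real host set it from a baseline of each account's normal daily traffic (the SenderBase magnitude swings quoted earlier in the thread are the external view of the same spike). Disabling the flagged account and then re-running the summary on the log tail is the check that the run has actually stopped, which is what the later "nothing unusual has been sent" observation amounts to.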

Thanks to everyone that provided help in this thread... looks like our Senderbase numbers are back to normal. Thank you very much to Jeff - now that we are getting copied on Spamcop reports, we can take action MUCH quicker if it happens again.

It's very sad that we now have to pay extra money per transaction for added fraud protection as well as have techs spend time monitoring logs (as opposed to helping customers), but there really isn't any other option... we certainly don't want a repeat of this situation!

Edit: Forgot to mention, the same "person" tried it again, but this time got flagged for fraud. Fortunately in both cases we informed the bank about the stolen credit card. Looks like the fraudster is located in Germany.

Edited by ArielHost


Thanks for the update, it is much appreciated.

Spammers are like terrorists; they make all of our lives miserable. Life would be so much better without them.

Spammers are like terrorists ....


I totally agree. For a small business like ours in the hosting industry, this kind of thing could easily put us out of business.

Looks like the fraudster is located in Germany.


If the spam was in English, it's a good bet that the fraudster was in the US and was just using resources in Germany. You and/or your bank could follow the money and product by investing a bit of money in ordering a small quantity of whatever the fraudster is selling so you can track where your money goes and where the product is shipped from. If the fraudster is in the US, add up all the extra money you have already spent (plus hours of labor converted to opportunity cost of that labor) and would have to spend going forward to provide ASAP the same level of service to your legitimate customers that they got before the incidents, and think about calling the FBI. From what I hear, they are most interested in such out-of-pocket damages that exceed $5,000.
