frailwords Posted October 19, 2007 Share Posted October 19, 2007 One of my hosting customers got reported to our data center for spam, which in turn, the DC came down on us and requested that the site be taken down for spam abuse. However, I did some checking, and I'm a bit confused. For one, the server that he is on is not BL'ed by SpamCop. Two, when I check the reports that they reference, from what I can tell of the headers, the emails originated from an entirely different host and IP. So, the question is, why would SpamCop have hammered my DC with spam reports this morning (they sent 4 emails within a 30 min period - the DC's AUP states that on the 3rd AUP violation that action must be taken against the site within 30 mins of the received complaint) about a site that sent spam from another IP and totally different network? I'm a bit confused. Here's a link to one of the reports: http://www.spamcop.net/sc?id=z1483528659zc...c227651fdd5c5az Is SpamHaus notifying the current DC just because that is where it is hosted now? Thanks For Your Time and Explanation, Don Link to comment Share on other sites More sharing options...
Miss Betsy Posted October 19, 2007 Share Posted October 19, 2007 Spamcop sends two kinds of reports: the first kind is to the source of the email, the abuse desk of the computer that actually sent the email. This report is also added to the spamcop blocklist where an algorithym decides whether it appears on the blocklist. Server admins use the spamcop blocklist to filter spam. The reports are generated by people who receive spam email - unsolicited email that they don't want. If you got four reports, then there were four people who reported a spam - or one person who got four of the same email. The second kind of report is sent to the abuse desk of the web site that is advertised in the spam. It often has no connection to the network the spam is sent from. This report is informational and does not get counted towards the blocklist. Some people do keep blocklists based on spamvertized websites, however. If your client is wirewarez and is advertising his new site via a mailing list that he bought, then he is spamming, sending unsolicited email to people who don't want it. If your client is using a mailing list that they built that was not confirmed subscription, then they are possibly sending their email to people who didn't sign up (typos, new person for that email address, etc.). The fact that it is being sent by someone else may be that your client is paying someone to distribute the news about his new website. Is SpamHaus notifying the current DC just because that is where it is hosted now? SpamHaus and SpamCop are two different entities. A person, using SpamCop, is notifying the current DC because he wants the current DC to know that s/he has received an unsolicited email advertising this site. Your job is to find out what your client is doing. If your client is responsible for the email, then he is breaking the AUP. Miss Betsy Link to comment Share on other sites More sharing options...
turetzsr Posted October 19, 2007 Share Posted October 19, 2007 Hi, Don, ...From the report to which you kindly provided the link (thank you for that), the reports seem to have gone to abuse[at]ev1servers.net (for spam source 216.40.236.82) and to abuse[at]hostfresh.com and postmaster[at]hostfresh.com (for spamvertized URL http://wirewarez.com/). Which is your DC? Link to comment Share on other sites More sharing options...
Merlyn Posted October 19, 2007 Share Posted October 19, 2007 email server has lots of spam coming from it Submitted: Thursday, October 18, 2007 8:17:12 PM -0400: WIREWAREZ.COM 2568255512 ( http://wirewarez.com/ ) To: postmaster[at]hostfresh.com 2568255507 ( http://wirewarez.com/ ) To: abuse[at]hostfresh.com 2568255501 ( 216.40.236.82 ) To: abuse[at]ev1servers.net -------------------------------------------------------------------------------- Submitted: Thursday, October 18, 2007 5:40:42 PM -0400: WIREWAREZ.COM 2568093025 ( http://wirewarez.com/ ) To: abuse[at]unix-server.com 2568092996 ( http://wirewarez.com/ ) To: abuse[at]netdirekt.de 2568092976 ( http://wirewarez.com/ ) To: support[at]netdirekt.de 2568092973 ( http://wirewarez.com/ ) To: postmaster#netdirekt.de[at]devnull.spamcop.net 2568092957 ( http://wirewarez.com/ ) To: abuse[at]gblx.net 2568092945 ( 216.40.236.82 ) To: abuse[at]ev1servers.net -------------------------------------------------------------------------------- Submitted: Thursday, October 18, 2007 3:13:52 PM -0400: Http://WireWarez.Com 2567892489 ( http://wirewarez.com/ ) To: abuse[at]unix-server.com 2567892455 ( http://wirewarez.com/ ) To: abuse[at]netdirekt.de 2567892440 ( http://wirewarez.com/ ) To: support[at]netdirekt.de 2567892439 ( http://wirewarez.com/ ) To: postmaster#netdirekt.de[at]devnull.spamcop.net 2567892409 ( http://wirewarez.com/ ) To: abuse[at]gblx.net 2567892395 ( 216.40.236.82 ) To: abuse[at]ev1servers.net -------------------------------------------------------------------------------- Submitted: Wednesday, October 17, 2007 10:51:47 PM -0400: Http://WireWarez.Com 2566305758 ( http://wirewarez.com/ ) To: abuse[at]unix-server.com 2566305757 ( http://wirewarez.com/ ) To: abuse[at]netdirekt.de 2566305755 ( http://wirewarez.com/ ) To: support[at]netdirekt.de 2566305754 ( http://wirewarez.com/ ) To: postmaster#netdirekt.de[at]devnull.spamcop.net 2566305750 ( http://wirewarez.com/ ) To: abuse[at]gblx.net 2566305745 ( 216.40.236.82 ) To: abuse[at]ev1servers.net -------------------------------------------------------------------------------- Submitted: Wednesday, October 17, 2007 8:10:32 PM -0400: Http://WireWarez.Com 2566117057 ( http://wirewarez.com/ ) To: abuse[at]unix-server.com 2566117047 ( http://wirewarez.com/ ) To: abuse[at]netdirekt.de 2566117039 ( http://wirewarez.com/ ) To: support[at]netdirekt.de 2566117038 ( http://wirewarez.com/ ) To: postmaster#netdirekt.de[at]devnull.spamcop.net 2566117034 ( http://wirewarez.com/ ) To: abuse[at]gblx.net 2566117033 ( 216.40.236.82 ) To: abuse[at]ev1servers.net -------------------------------------------------------------------------------- Submitted: Wednesday, October 17, 2007 9:24:55 AM -0400: CONTACT MR. WALTER ATKINSON TO FILE YOUR CLAIMS 2565392030 ( 216.40.236.82 ) To: abuse[at]ev1servers.net -------------------------------------------------------------------------------- Submitted: Saturday, October 13, 2007 11:49:46 PM -0400: REFERENCE NUMBER: MA/02/453876752/NL 2558461161 ( 216.40.236.82 ) To: abuse[at]ev1servers.net -------------------------------------------------------------------------------- Submitted: Saturday, October 13, 2007 1:17:47 AM -0400: You Have Won (Make Your Claims) Congratulations !!! 2556770699 ( 216.40.236.82 ) To: abuse[at]ev1servers.net -------------------------------------------------------------------------------- Submitted: Saturday, October 13, 2007 1:03:52 AM -0400: REFERENCE NUMBER: MA/02/453876752/NL 2557506239 ( 70.169.32.71 ) To: abuse#cox.net[at]devnull.spamcop.net 2557506237 ( 68.230.241.39 ) To: abuse#cox.net[at]devnull.spamcop.net 2557506177 ( 216.40.236.82 ) To: abuse[at]ev1servers.net -------------------------------------------------------------------------------- Submitted: Friday, October 12, 2007 11:55:27 PM -0400: REFERENCE NUMBER: MA/02/453876752/NL 2556663479 ( 216.40.236.82 ) To: abuse[at]ev1servers.net Link to comment Share on other sites More sharing options...
Wazoo Posted October 19, 2007 Share Posted October 19, 2007 One of my hosting customers got reported to our data center for spam, Using one of the SpamCop FAQ links at the top of thise page ... jump/scroll down to the section; Help for abuse-desks and administrators These are questions commonly asked by Internet Service Providers. Users of SpamCop need not read this (skip on down a few sections), but may find it interesting. You have probably arrived here because of a SpamCop report. Please read the introduction for information about the report you are viewing. Introduction - What is this thing? How does it work? SpamCop Report Types ^^^^^^^^^^^^^^^ Note the various type of reports and actions involved. which in turn, the DC came down on us and requested that the site be taken down for spam abuse. However, I did some checking, and I'm a bit confused. For one, the server that he is on is not BL'ed by SpamCop. Two, when I check the reports that they reference, from what I can tell of the headers, the emails originated from an entirely different host and IP. All of this seems to suggest a "spamvertised site" situation. So, the question is, why would SpamCop have hammered my DC with spam reports this morning (they sent 4 emails within a 30 min period This would suggest that four Reports were made by SpamCop.net users, suggesting that four spam e-mail were involved. - the DC's AUP states that on the 3rd AUP violation that action must be taken against the site within 30 mins of the received complaint) about a site that sent spam from another IP and totally different network? I'm a bit confused. I'm confused also ... I've never seen an AUP written like that. Sounds interesting but dangerous. Is SpamHaus notifying the current DC just because that is where it is hosted now? Hos did SpamHaus get involved here? Link to comment Share on other sites More sharing options...
Merlyn Posted October 19, 2007 Share Posted October 19, 2007 I am a little confused here The spam originated from EV1 servers and it is definately spamming (right now) Last day 3.8 1446% Last month 2.6 I know you're not representing the EV1 sewer because they never respond. I have sent them abuse reports forever and they never take a machine/site down or even respond. The spamvertised site is registered through an address in the UK with a google dropbox and hosted in Hong Kong. I do not believe you are from HostFresh because Hong Kong never removes spammers. Who are you? Link to comment Share on other sites More sharing options...
DavidT Posted October 24, 2007 Share Posted October 24, 2007 Who are you? Merlyn, it's indeed a bit suspicious, in that "frailwords" hasn't been back here (at least not logged in) since posting. Furthermore, the spamvertized domain, "wirewarez.com" is trying to forward traffic to "thecandidforumz.com" but that site is either down or not quite ready yet, in that it was only registered yesterday. hmmmmm DT Link to comment Share on other sites More sharing options...
Merlyn Posted October 24, 2007 Share Posted October 24, 2007 Merlyn, it's indeed a bit suspicious, in that "frailwords" hasn't been back here (at least not logged in) since posting. still spamming too! Submitted: Tuesday, October 23, 2007 9:31:37 AM -0400: RE: WINNER, 2577009511 ( 216.40.236.82 ) To: abuse[at]ev1servers.net --------------------------------------------------- Submitted: Tuesday, October 23, 2007 7:22:03 AM -0400: RE: WINNER 2576083313 ( 216.40.236.82 ) To: abuse[at]ev1servers.net -------------------------------------------------- Submitted: Tuesday, October 23, 2007 7:20:28 AM -0400: Dear Winner!! 2576081231 ( 216.40.236.82 ) To: abuse[at]ev1servers.net Link to comment Share on other sites More sharing options...
frailwords Posted October 28, 2007 Author Share Posted October 28, 2007 Well, interesting responses, although they didn't seem to really answer my original questions here. And I apologize for not finding my way back - I've actually been sick some lately, and I'm actually a bit amused that a couple of you got a bit bent trying to figure out just who I was. Interesting ... Let's see, no, I'm not from EV1, and I'm definitely not out of HK. Actually, my boxes are in a DC out of Germany (netdirekt), and it seems that we actually got caught up in the spam reports because a domain we were hosting was mentioned in the spam. Anyway, we removed the domain that day and managed to figure out what was going on. I simply forgot to check back here after I got a bit under the weather. Thanks, and so the masked hoster disappears again ... Thanks, Don Link to comment Share on other sites More sharing options...
Merlyn Posted October 28, 2007 Share Posted October 28, 2007 Oh, so you're the spammer behind wirewarez.com ? Link to comment Share on other sites More sharing options...
frailwords Posted October 28, 2007 Author Share Posted October 28, 2007 Merlyn: Hmmmm, no, I'm not. Not quite sure how you got that out of my reply, but anyway ... as Miss Betsy was so kind to point out in her earlier post (which clarified my whole sitation): The second kind of report is sent to the abuse desk of the web site that is advertised in the spam. It often has no connection to the network the spam is sent from. This report is informational and does not get counted towards the blocklist. Some people do keep blocklists based on spamvertized websites, however. And this was where we fell. Our DC's abuse desk received the emails because wirewarez.com was listed in the body of the email. What confused us at first was that we had no account by that name. Well, a bit of investigation found it tagging along as an add-on domain of another one of our customers. We investigated, and although we found that wirewarez.com had not sent even one email out according to the server logs, the account that had added them on offered to get rid of them due the possibility of them doing it again (and they didn't want their account tied up with it). So, wirewarez.com made a brief 2-3 pitstop on our servers before heading back out to spammers haven. And regardless, we would have gotten rid of them anyway, as we actively pull spammers from our servers, a quite rare occurrence in the offshore hosting business it seems. As Always, Don Link to comment Share on other sites More sharing options...
Miss Betsy Posted October 28, 2007 Share Posted October 28, 2007 Thanks for coming back and explaining the situation. I hope some of the discussion helped you in 'actively' pulling spammers. I hope that you continue to have good health. If I can figure out to mark this as 'Resolved' I will. Miss Betsy Link to comment Share on other sites More sharing options...
Merlyn Posted October 28, 2007 Share Posted October 28, 2007 Well, that explains it. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.