Ashocka Posted July 1, 2004

A domain I look after (jazzalburywodonga.com) has been shut down after I reported spam coming through it. Here's what the host says;

Hello Geoff,

The account has been suspended for spamming.. Please see attached as this nearly got the whole server blacklisted...

Thank you,
Andrew
Admin
www.ozehosts.com

Here is the attached email

From: "Geoff Deering" <1081953545[at]reports.spamcop.net>
To: <abuse[at]gnax.net>
Subject: [spamCop (216.180.225.138) id:1081953545]Search engine traffic
Date: Friday, June 25, 2004 3:37 PM

[ SpamCop V1.350 ]
This message is brief for your comfort. Please use links below for details.

Email from 216.180.225.138 / Sat, 26 Jun 2004 10:10:02 +1000
http://www.spamcop.net/w3m?i=z1081953545zc...1d9973b74284b8z

[ Offending message ]
Return-Path: <melville[at]t-online.de>
Delivered-To: x
Received: (qmail 32175 invoked from network); 25 Jun 2004 14:15:53 -0000
Received: from unknown (192.168.1.101)
    by blade2.cesmail.net with QMQP; 25 Jun 2004 14:15:53 -0000
Received: from mail.acslink.net.au (203.11.105.126)
    by mailgate.cesmail.net with SMTP; 25 Jun 2004 14:15:52 -0000
Received: from amavis by mail.acslink.net.au with scanned-ok (Exim 3.36 #1 (Debian))
    id 1Be0lf-0006hS-00
    for <x>; Sat, 26 Jun 2004 10:10:03 +1000
Received: from tahoe.dnsrouter.com ([216.180.225.138])
    by mail.acslink.net.au with esmtp (Exim 3.36 #1 (Debian))
    id 1Be0le-0006gz-00
    for <x>; Sat, 26 Jun 2004 10:10:02 +1000
Received: from [217.129.240.127] (helo=217.129.240.127)
    by tahoe.dnsrouter.com with smtp (Exim 4.34)
    id 1BdrUW-0002eZ-Ki
    for x; Fri, 25 Jun 2004 10:15:51 -0400
From: Andrea Davis <melville[at]t-online.de>
To: x
Subject: Search engine traffic
Date: Fri, 25 Jun 2004 14:04:47 +0000
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0000_28DCC10D.9B8EC6C9"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tahoe.dnsrouter.com
X-AntiAbuse: Original Domain - jazzalburywodonga.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - t-online.de
X-Source:
X-Source-Args:
X-Source-Dir:
Message-Id: <E1Be_________z-00[at]mail.acslink.net.au>
X-Virus-Scanned: by AMaViS perl-11
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade2.cesmail.net
X-spam-Level: ***
X-spam-Status: hits=3.6 tests=FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_TAGS,
    HTML_20_30,HTML_MESSAGE,HTML_TAG_EXISTS_TBODY,RCVD_NUMERIC_HELO
    version=2.63
X-SpamCop-Checked: 192.168.1.101 203.11.105.126 216.180.225.138 217.129.240.127
X-SpamCop-Disposition: Blocked bl.spamcop.net

This is a multi-part message in MIME format.

------=_NextPart_000_0000_28DCC10D.9B8EC6C9
Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_0001_04DC6531.8CCC6409"

------=_NextPart_001_0001_04DC6531.8CCC6409
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Good Day

Thirty-three percent of users think that if a company has a top ranking on a search engine, it is a leader in its field.

Are you a leader? You can be, and we want to help. We have a CD duplication site with over 1391 number 1 positions and over 6232 top 10 positions.

We have a book resource site with more than 1000 number 1 positions and over 5225 top 10 positions. (44,000 search engine visitors in a few short months)

We even have a very niche pen site that has over 86 number 1 positions and over 556 top 10 positions.

We want to partner with you to help insure the success of your business. When you open an account today, your first 5,000 targeted search engine visits on the keyword terms that you've approved will be just 10c each. Your 99-dollar keyword analysis is also free as well as a free 30-minute Internet marketing consultation.
For more information please complete the form at: http://WWW.SEO-PROFITS.COM

Due to the highly effective techniques we use, we can only take a limited number of accounts per targeted industry. Offer only valid for x customers. Please act now to receive 10,000 targeted search engine visitors from major search engines at just 10c each as well as the free keyword analysis and the free 30-minute consultation.

I hope that you will let us help you make 2004 your best year yet. Feel free to contact us at support[at]seo-profits.com if you need us to make any changes to your email preferences.

------=_NextPart_001_0001_04DC6531.8CCC6409
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

<HTML><HEAD><TITLE>Expert Search Engine Optimization for x and Yahoo</TITLE>
</HEAD>
<BODY>
<CENTER>
<TABLE cellSpacing=0 cellPadding=0 width=600 align=center border=0>
<TBODY>
<TR>
<TD>
<P><SPAN class=newsletter>Good Day
<P>Thirty-three percent of users think that if a company has a top ranking on a search engine, it is a leader in its field.
<P>Are you a leader? You can be, and we want to help. We have a CD duplication site with over 1391 number 1 positions and over 6232 top 10 positions.
<P>We have a book resource site with more than 1000 number 1 positions and over 5225 top 10 positions. (44,000 search engine visitors in a few short months)
<P>We even have a very niche pen site that has over 86 number 1 positions and over 556 top 10 positions.
<P>We want to partner with you to help insure the success of your business. When you open an account today, your first 5,000 targeted search engine visits on the keyword terms that you've approved will be just 10c each. Your 99-dollar keyword analysis is also free as well as a free 30-minute Internet marketing consultation.
<P></SPAN>
<P>Complete this form to find out more.
<P>
<FORM action=http://www.seo-profits.com/submit.php method=post>
<TABLE cellSpacing=2 cellPadding=2 width="100%" border=0>
<TBODY>
<TR>
<TD><B>Name</B><BR><INPUT maxLength=35 size=25 name=name></TD>
<TD><B>Email Address</B><BR><INPUT maxLength=50 size=25 name=email></TD></TR>
<TR>
<TD><B>Phone </B>(Area Code + Number)<BR><INPUT maxLength=20 size=25 name=phone></TD>
<TD><B>Country</B><BR><SELECT name=country>
<OPTION value="Please Choose" selected>Please Choose</OPTION>
<OPTION value="USA EAST">USA East</OPTION>
<OPTION value="USA CENTRAL">USA Central</OPTION>
<OPTION value="USA WEST">USA West</OPTION>
<OPTION value=Canada>Canada</OPTION>
<OPTION value="United Kingdom">United Kingdom</OPTION>
<OPTION value=Other>Other</OPTION></SELECT> </TD></TR>
<TR>
<TD><B>Web Site Address</B><BR><SPAN class=tinytype>http://www.</SPAN><INPUT maxLength=35 size=16 name=website></TD>
<TD><B>Please call me in the</B><BR><SELECT name=timetocall>
<OPTION value=morning selected>Morning</OPTION>
<OPTION value=afternoon>Afternoon</OPTION>
<OPTION value=evening>Evening</OPTION></SELECT></TD></TR></TBODY></TABLE><INPUT type=submit value=submit>
</FORM>
<P>Due to the highly effective techniques we use, we can only take a limited number of accounts per targeted industry. Offer only valid for x customers. Please <B><A href="http://www.seo-profits.com/">act now</A></B> to receive 5,000 targeted search engine visitors from major search engines at just 10c each as well as the free keyword analysis and the free 30-minute consultation.
<P><BR>
<P><SPAN class=tinytype>I hope that you will let us help you make 2004 your best year yet. Feel free to contact us at support[at]seo-profits.com if you need us to make any changes to your email preferences.<BR>
<P></SPAN></P></TD></TR></TBODY></TABLE></CENTER></BODY></HTML>

------=_NextPart_001_0001_04DC6531.8CCC6409--

------=_NextPart_000_0000_28DCC10D.9B8EC6C9--

Can someone please explain to me how this has been interpreted as me sending the spam?
Haven't the hosts (ozehosts.com) read the email incorrectly? Why was it sent to them in the first place? Or have I been unconsciously spamming people?

Geoff

JosephK Posted July 1, 2004

A very quick parsing by hand leads me to guess that the SpamCop parser is getting confused by the header

Received: from amavis by mail.acslink.net.au     // 203.11.105.126
    with scanned-ok (Exim 3.36 #1 (Debian))
    id 1Be0lf-0006hS-00
    for <x>; Sat, 26 Jun 2004 10:10:03 +1000

since "amavis" can not be identified. Bad server config, maybe? This assuming that the server(s) at [216.154.195.*] are the ones being falsely accused.

My second guess is that SC gets confused at

Received: from unknown (192.168.1.101)     // internal server
    by blade2.cesmail.net with QMQP;     // 216.154.195.43
    25 Jun 2004 14:15:53 -0000

due to the internal server being in the middle of the chain.

My very quick guess is that the spam is coming in at tahoe.dnsrouter.com ([216.180.225.138]) which may or may not be accurately reporting where it got the message from.

OK, and a bit more research shows your jazzalburywodonga.com server to be

Name: tahoe.dnsrouter.com
IP Address: 216.180.225.138

Given that, looks like you might have an open proxy or open relay or a bad mailform script on your server.

Ashocka Posted July 1, 2004

Which would be the hosting service's server, as I am running virtual without any IP, wouldn't it?

Miss Betsy Posted July 1, 2004

I don't know a lot about headers, but I would say that the spammer was 217.129.240.127 which is on SORBS and a bunch of other lists. I checked the link in the email you posted and apparently spamcop now chooses that IP number.

Tracking message source: 217.129.240.127:
Routing details for 217.129.240.127
[refresh/show] Cached whois for 217.129.240.127 : abuse[at]netvisao.pt
Using abuse net on abuse[at]netvisao.pt
abuse net netvisao.pt = abuso[at]netvisao.pt
Using best contacts abuso[at]netvisao.pt
Sorry, this email is too old to file a spam report. You must report spam within 3 days of receipt.
This mail was received on 25 Jun 2004 14:15:52 -0000
Message is 5.8 days old

However when the report was made, it did send reports to 216.180.225.138

Reports regarding this spam have already been sent:
Re: 216.180.225.138 (Administrator of network where email originates)
Reportid: 1081953545 To: abuse[at]gnax.net
Reportid: 1081953547 To: abuse[at]mfn.com
If there was a mistake, it was either temporary or has been fixed.

This is a lesson to you to check where your reports are going before you send them! Hope you can convince your host to reinstall you if you promise to read where the spamcop report is going before sending.

Miss Betsy

Ashocka Posted July 1, 2004

There are all sorts of things wrong with the simple assumption this ISP came to. They did not even notify us that our account was shut down, no course of reproach. We didn't find out until we went to post.

This is just one of the reasons I now am setting up my own hosting server, that I find so many hosts update stuff and don't even send out a broadcast to inform clients of changes. Often this has happened and things have broken. It's just sloppy on their part. They do not double check such things and jump to the first assumption.

Geoff

StevenUnderwood Posted July 1, 2004

> There are all sorts of things wrong with the simple assumption this ISP came to. They did not even notify us that our account was shut down, no course of reproach. We didn't find out until we went to post.
>
> This is just one of the reasons I now am setting up my own hosting server, that I find so many hosts update stuff and don't even send out a broadcast to inform clients of changes. Often this has happened and things have broken. It's just sloppy on their part. They do not double check such things and jump to the first assumption.
>
> Geoff

That is their prerogative. It is up to the ISP to make the determination of the source of the spam. Perhaps they followed spamcop's logic and trusted it, though right now, that parse points to: 217.129.240.127 with reports going to: abuse[at]netvisao.pt

Your duty as a spamcop reporter is to check where your reports are going. It looks to me like you reported your own ISP as a spammer. They did not take that kindly and shut you down.

From: "Geoff Deering" <1081953545[at]reports.spamcop.net>
To: <abuse[at]gnax.net>
Subject: [spamCop (216.180.225.138) id:1081953545]Search engine traffic
Date: Friday, June 25, 2004 3:37 PM

I have been having a long conversation in this very forum about accurate reports and the next post I see is the fallout from an inaccurate report.
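
The Received chain that JosephK parses by hand, and the two different report targets mentioned in the thread, as an added example that is not part of any post and is not SpamCop's parser: a simplified trust walk over the Received headers copied from the message above. Which receiving hosts count as trusted is an assumption of the example.

```python
import ipaddress
import re

# Received headers copied from the message quoted in this thread, newest first.
RECEIVED = [
    "from unknown (192.168.1.101) by blade2.cesmail.net with QMQP; "
    "25 Jun 2004 14:15:53 -0000",
    "from mail.acslink.net.au (203.11.105.126) by mailgate.cesmail.net "
    "with SMTP; 25 Jun 2004 14:15:52 -0000",
    "from amavis by mail.acslink.net.au with scanned-ok (Exim 3.36 #1 (Debian)) "
    "id 1Be0lf-0006hS-00 for <x>; Sat, 26 Jun 2004 10:10:03 +1000",
    "from tahoe.dnsrouter.com ([216.180.225.138]) by mail.acslink.net.au with esmtp "
    "(Exim 3.36 #1 (Debian)) id 1Be0le-0006gz-00 for <x>; Sat, 26 Jun 2004 10:10:02 +1000",
    "from [217.129.240.127] (helo=217.129.240.127) by tahoe.dnsrouter.com with smtp "
    "(Exim 4.34) id 1BdrUW-0002eZ-Ki for x; Fri, 25 Jun 2004 10:15:51 -0400",
]

# Assumption of this example: recipient-side hosts whose headers we believe.
RECIPIENT_SIDE = {"blade2.cesmail.net", "mailgate.cesmail.net", "mail.acslink.net.au"}

HOP = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", re.S)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hop(header):
    """Return (sender IP or None, receiving host) for one Received header."""
    m = HOP.search(header)
    if not m:
        return None, None
    ips = IPV4.findall(m.group("frm"))
    return (ips[0] if ips else None), m.group("by").lower()


def report_target(received, trusted_hosts):
    """Deepest public sender IP that was recorded by a trusted receiving host."""
    source = None
    for header in received:          # newest header first
        ip, by = parse_hop(header)
        if by not in trusted_hosts:
            break                    # this header and older ones could be forged
        if ip and not ipaddress.ip_address(ip).is_private:
            source = ip              # skips local hand-offs (amavis) and 192.168.x.x
    return source


if __name__ == "__main__":
    print(report_target(RECEIVED, RECIPIENT_SIDE))
    print(report_target(RECEIVED, RECIPIENT_SIDE | {"tahoe.dnsrouter.com"}))
```

With only the recipient-side hosts trusted, the walk stops at 216.180.225.138, the address the original report went out about; once tahoe.dnsrouter.com is also treated as a believable relay, the same headers resolve to 217.129.240.127.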