ArielHost Posted October 17, 2005
A spammer/fraudster signed up for hosting with us and got our mailserver IP listed (66.90.73.63). The account was removed as soon as we became aware of the spam, and is set to delist from Spamcop in about 2 hours. Is there a web site where I can easily check the other blocklists to see where else this "person" got us listed?
Miss Betsy Posted October 17, 2005
Place to go to see what blocklists there are
However, if you are lucky, spamcop often works like an early warning system and if you take prompt action, you won't have been listed elsewhere. Hope so! Glad to see evidence of responsible people on the Internet!
Miss Betsy
Farelf Posted October 17, 2005
Is there a web site where I can easily check the other blocklists to see where else this "person" got us listed? 34330[/snapback]
There are a number of them, I'm sure - dnsstuff (http://www.dnsstuff.com/) covers quite a few: http://www.dnsstuff.com/tools/ip4r.ch?ip=66.90.73.63
Senderbase confirms your volume stats are/were through the roof, currently

Volume Statistics for this IP
                 Magnitude   Vol Change vs. Average
Last day         4.7         16453%
Last 30 days     3.4         675%
Average          2.5

... and has a "click here" function to show real-time blacklists: http://www.senderbase.org/search?searchStr...73.63&showRBL=1
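The web tools above query the same DNS-based blocklists (DNSBLs) that mail servers use, and a host can script the check itself. The following is an added example, not code from this thread, from dnsstuff or from SenderBase: it builds the reversed-octet query name, queries each zone and interprets the answer the way a mail server would (an A record in 127.0.0.0/8 means listed, NXDOMAIN means clean). bl.spamcop.net is the list named in the thread; the other zone names are real lists chosen here as an assumption about what else a host would check. The resolver is passed in as a function so the logic can be exercised offline with a stub; the default uses the OS resolver and needs network access.

```python
"""Check an IPv4 address against several DNS-based blocklists (DNSBLs).

Added example, not code from the SpamCop forum thread. The resolver is a
function argument so the lookup logic can be exercised offline with a stub;
the default uses the OS resolver and needs network access.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# bl.spamcop.net is the list named in the thread; the other zones are real,
# widely used lists chosen here as an assumption about what a host would
# also want to check.
DNSBL_ZONES = [
    "bl.spamcop.net",
    "zen.spamhaus.org",
    "b.barracudacentral.org",
    "dnsbl.sorbs.net",
]

# A resolver returns the A records for a name, or None when the name does
# not exist (NXDOMAIN). Other failures (timeouts, SERVFAIL) raise OSError.
Resolver = Callable[[str], Optional[List[str]]]

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the zone appended.

    66.90.73.63 against bl.spamcop.net becomes 63.73.90.66.bl.spamcop.net.
    IPv4 only; IPv6 lists use nibble-reversed names, which is not shown here.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answer(answers: Optional[List[str]]) -> str:
    """Map a DNSBL answer to 'clean', 'listed' or 'error'.

    Lists answer inside 127.0.0.0/8 when the IP is listed (SpamCop returns
    127.0.0.2, as quoted later in the thread) and NXDOMAIN when it is not.
    An answer outside 127/8 almost always means a dead or wildcarded zone,
    so it is reported as an error instead of being mistaken for a listing.
    """
    if not answers:
        return "clean"
    for record in answers:
        try:
            if ipaddress.IPv4Address(record) not in LOOPBACK:
                return "error"
        except ValueError:
            return "error"
    return "listed"


def system_resolver(name: str) -> Optional[List[str]]:
    """Default resolver: OS lookup; None on NXDOMAIN, OSError otherwise."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_NONAME", -2):
            return None
        raise


def check_dnsbls(ip: str, zones: List[str] = DNSBL_ZONES,
                 resolve: Resolver = system_resolver) -> Dict[str, Dict[str, object]]:
    """Return {zone: {"status": ..., "codes": [...]}} for every zone queried."""
    results: Dict[str, Dict[str, object]] = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answers = resolve(name)
        except OSError:
            # Treat a failed query as unknown, never as "clean".
            results[zone] = {"status": "error", "codes": []}
            continue
        results[zone] = {"status": interpret_answer(answers),
                         "codes": list(answers or [])}
    return results


def listed_zones(results: Dict[str, Dict[str, object]]) -> List[str]:
    """Zones that report the address as listed, sorted for stable output."""
    return sorted(z for z, r in results.items() if r["status"] == "listed")


if __name__ == "__main__":
    # Offline demonstration with a stub resolver: the thread's IP listed by
    # SpamCop, a constructed non-loopback answer from one zone, NXDOMAIN elsewhere.
    fake_zone_data = {
        "63.73.90.66.bl.spamcop.net": ["127.0.0.2"],
        "63.73.90.66.dnsbl.sorbs.net": ["10.0.0.1"],  # constructed bad answer
    }
    report = check_dnsbls("66.90.73.63", resolve=fake_zone_data.get)
    for zone, r in report.items():
        print(f"{zone:24s} {r['status']:7s} {' '.join(r['codes'])}")
```

Running it with the real resolver (`check_dnsbls("66.90.73.63")`) performs one DNS query per zone; the "error" status matters because a zone that has been shut down and wildcarded, or a query blocked by the list operator, would otherwise be misread as a listing or silently as clean.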
ArielHost Posted October 17, 2005 Author
Thanks for the link Farelf. It looks like the guy only got us into two lists; fortunately we shut it off pretty quickly, but some still got out.
dbiel Posted October 17, 2005
Thanks for keeping such a watchful eye on your system. Wish everyone did the same.
Jeff G. Posted October 17, 2005
That spammer was abusing your system by sending "Notification of limited account access." emails since Saturday night. Please be more attentive to SpamCop Reports. Please also be aware that your domain is eligible for listing in whois.rfc-ignorant.org under http://www.rfc-ignorant.org/policy-whois.php due to "Fax: +1.5555555555" in its registration, which should be changed immediately. Thanks!
ArielHost Posted October 17, 2005 Author
That spammer was abusing your system by sending "Notification of limited account access." emails since Saturday night. Please be more attentive to SpamCop Reports. Please also be aware that your domain is eligible for listing in whois.rfc-ignorant.org under http://www.rfc-ignorant.org/policy-whois.php due to "Fax: +1.5555555555" in its registration, which should be changed immediately. Thanks! 34337[/snapback]
Jeff,
Unfortunately the notices were going to our data center instead of to us. We have corrected that and now should receive the notices directly, which would allow us to take quicker action. Thanks for pointing out the error in the fax information; it is now corrected as well.
This person used a stolen credit card to sign up, which has also forced us to sign up for some additional services (FraudGuardian and Varilogix fraud callback service) to prevent these types of things from re-occurring. We think the same spammer tried to sign up again this morning with another stolen credit card, but this time FraudGuardian stopped them. The interesting thing is that they are using AOL IPs to sign up. I've also sent email to AOL's abuse department, but I'm not holding my breath for any type of action.
Apologies to anyone affected, this has been a big hassle for us too.
Ariel
Jeff G. Posted October 17, 2005
Thanks for making those changes.
Unfortunately the notices were going to our data center instead of to us. We have corrected that and now should receive the notices directly, which would allow us to take quicker action. 34341[/snapback]
Your correction does not seem to have taken effect yet - SpamCop's Parser still suggests sending Reports for 66.90.73.63 to abuse[at]fdcservers.net. The best way to get your own copies of Reports is to follow How can I get SpamCop reports about my network? (apologies if you already did that).
ArielHost Posted October 17, 2005 Author
Jeff, I signed us up in the link you provided, so hopefully we now receive any spam reports from our server. Thank you for your help,
Ariel
Jeff G. Posted October 17, 2005
You're welcome.
ArielHost Posted October 17, 2005 Author
Jeff, This morning it said that our listing would be removed in 2 hours, but it is still showing up. Is there anything else that needs to be done on our end? The spew should be completely stopped at this point, but I would assume that there are some people who have not checked their email yet and may still report.
Ariel
Merlyn Posted October 17, 2005
There have been a lot more reports made today. Have you checked this server to ensure you have stopped the spam run? Did the spammer open more than 1 account?
Wazoo Posted October 17, 2005
At the time of this post;
66.90.73.63 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.
There is a FAQ entry here just for that situation ... SCBL "will be delisted in 0 hours" (now shown as 'in a short time') explained
But as pointed out on that same 'status report' ... there are both spamtrap hits and user complaints feeding the listing ... there may be a connection, there may be more to the story .... SenderBase numbers do not look promising at this point ... setting a data point here for future comparison ... http://www.senderbase.org/?searchBy=ipaddr...ing=66.90.73.63

Volume Statistics for this IP
                 Magnitude   Vol Change vs. Average
Last day         4.4         8818%
Last 30 days     3.4         677%
Average          2.5

Though noting that this is down from farelf's capture a few hours ago ....

Data Point - 1914 -5 GMT
Report on IP address: 66.90.73.63
Volume Statistics for this IP
                 Magnitude   Vol Change vs. Average
Last day         3.0         151%
Last 30 days     3.4         678%
Average          2.5
Merlyn Posted October 17, 2005
Most of them have a subject line of: "Your account is limited"
This is frequently a subject line used in PayPal (and other) phishes from compromised machines.
ArielHost Posted October 17, 2005 Author
The spammer only opened one account. We have been monitoring Exim logs all day and nothing unusual has been sent - although, since we cut him off last night, no doubt there will be other reports as people look at their email. It was indeed Paypal phishing emails, and the spammer also used a stolen credit card to sign up with us (we've implemented extra anti-fraud procedures to combat this in the future).
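"Monitoring Exim logs" for a run like this one can be automated: every message Exim accepts produces a `<=` line in its main log that names the submitting local user (`U=`) or authenticated login (`A=`), and with the `+subject` log selector also the subject (`T="..."`). The added example below is not code from this thread or from the hosting provider; it parses constructed log lines in that format (the account names, hosts, message ids and addresses are made up, the subjects are the ones quoted in this thread), attributes each accepted message to an account, and flags accounts whose burst rate and near-identical subjects look like a bulk run rather than normal customer mail. The thresholds are assumptions to be tuned per server.

```python
"""Spot an outbound bulk run per hosting account in an Exim main log.

Added example, not code from the SpamCop thread or the hosting provider.
SAMPLE_LOG is constructed in Exim mainlog format (arrival lines "<=", with
the +subject log selector adding T="..."); all names in it are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Arrival line: timestamp, message id, "<=", envelope sender, then key=value fields.
ARRIVAL = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$'
)
LOCAL_USER = re.compile(r' U=(?P<user>\S+)')          # local submission (e.g. a web script)
AUTH_USER = re.compile(r' A=[^:\s]+:(?P<user>\S+)')   # SMTP AUTH as <authenticator>:<login>
SUBJECT = re.compile(r' T="(?P<subj>(?:[^"\\]|\\.)*)"')

# Constructed sample: one legitimate customer, one account blasting a phish
# subject in a short burst, plus delivery/defer/bounce lines that must be ignored.
SAMPLE_LOG = """\
2005-10-15 09:12:40 1EQpAa-0000Aa-1A <= alice@example.net H=(home) [192.0.2.10] P=esmtpa A=plain:alice S=1830 id=a1@example.net T="Invoice for October"
2005-10-15 09:12:41 1EQpAa-0000Aa-1A => bob@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.5]
2005-10-15 15:30:05 1EQv0b-0000Bb-2B <= alice@example.net H=(home) [192.0.2.10] P=esmtpa A=plain:alice S=2210 id=a2@example.net T="Re: meeting"
2005-10-15 23:41:02 1ER2xc-0001Cc-3C <= service@lookalike.invalid U=badacct P=local S=2213 id=1@localhost T="Your account is limited"
2005-10-15 23:41:30 1ER2yd-0001Dd-4D <= service@lookalike.invalid U=badacct P=local S=2213 id=2@localhost T="Your account is limited"
2005-10-15 23:42:01 1ER2ye-0001Ee-5E <= service@lookalike.invalid U=badacct P=local S=2213 id=3@localhost T="Your account is limited"
2005-10-15 23:42:01 1ER2ye-0001Ee-5E == victim@example.com R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2005-10-15 23:42:35 1ER2zf-0001Ff-6F <= service@lookalike.invalid U=badacct P=local S=2213 id=4@localhost T="Notification of limited account access."
2005-10-15 23:43:10 1ER30g-0001Gg-7G <= service@lookalike.invalid U=badacct P=local S=2213 id=5@localhost T="Your account is limited"
2005-10-15 23:43:50 1ER31h-0001Hh-8H <= service@lookalike.invalid U=badacct P=local S=2213 id=6@localhost T="Your account is limited"
2005-10-16 00:05:12 1ER3Ti-0001Ii-9I <= <> R=1ER2ye-0001Ee-5E U=mail P=local S=3100
"""


def parse_arrivals(log_text: str) -> List[dict]:
    """Return one record per accepted message; other line types are skipped."""
    records = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # "=>" deliveries, "==" defers, "**" failures etc.
        rest = m.group("rest")
        auth, local = AUTH_USER.search(rest), LOCAL_USER.search(rest)
        account = auth.group("user") if auth else (local.group("user") if local else "<unattributed>")
        subj = SUBJECT.search(rest)
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "id": m.group("id"),
            "sender": m.group("sender"),
            "account": account,
            "subject": subj.group("subj") if subj else "",
        })
    return records


def per_account_stats(records: List[dict]) -> Dict[str, dict]:
    """Message count, burst rate and dominant subject for each account."""
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r)
    stats = {}
    for account, msgs in by_account.items():
        times = sorted(r["ts"] for r in msgs)
        # Floor the span at one minute so a single message is not "infinite" rate.
        span_hours = max((times[-1] - times[0]).total_seconds() / 3600.0, 1 / 60.0)
        top_subject, top_n = Counter(r["subject"] for r in msgs).most_common(1)[0]
        stats[account] = {
            "messages": len(msgs),
            "per_hour": len(msgs) / span_hours,
            "top_subject": top_subject,
            "top_subject_share": top_n / len(msgs),
        }
    return stats


def suspicious_accounts(stats: Dict[str, dict], min_messages: int = 5,
                        min_per_hour: float = 60.0, min_share: float = 0.8) -> List[str]:
    """Accounts that sent a burst of near-identical mail (thresholds are assumptions)."""
    return sorted(a for a, s in stats.items()
                  if s["messages"] >= min_messages
                  and s["per_hour"] >= min_per_hour
                  and s["top_subject_share"] >= min_share)


if __name__ == "__main__":
    stats = per_account_stats(parse_arrivals(SAMPLE_LOG))
    for account in suspicious_accounts(stats):
        s = stats[account]
        print(f"{account}: {s['messages']} msgs, {s['per_hour']:.0f}/h, subject {s['top_subject']!r}")
```

On a live server the same functions can be fed `/var/log/exim/mainlog` (path varies by distribution) from a cron job; an account that trips the check is a candidate for suspending outbound mail and reviewing the script or credentials that sent it, which is cheaper than waiting for SpamCop reports or a blocklist entry to arrive.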
Merlyn Posted October 18, 2005
Good Job
ArielHost Posted October 18, 2005 Author
Thanks to everyone that provided help in this thread... looks like our Senderbase numbers are back to normal. Thank you very much to Jeff - now that we are getting copied on Spamcop reports, we can take action MUCH quicker if it happens again.
It's very sad that we now have to pay extra money per transaction for added fraud protection as well as have techs spend time monitoring logs (as opposed to helping customers), but there really isn't any other option... we certainly don't want a repeat of this situation!
Edit: Forgot to mention, the same "person" tried it again, but this time got flagged for fraud. Fortunately in both cases we informed the bank about the stolen credit card. Looks like the fraudster is located in Germany.
dbiel Posted October 18, 2005
Thanks for the update, it is much appreciated. Spammers are like terrorists, they make all of our lives miserable, life would be so much better without them.
ArielHost Posted October 18, 2005 Author
Spammers are like terrorists .... 34401[/snapback]
I totally agree. For a small business like ours in the hosting industry, this kind of thing could easily put us out of business.
Jeff G. Posted October 18, 2005
Looks like the fraudster is located in Germany. 34398[/snapback]
If the spam was in English, it's a good bet that the fraudster was in the US and was just using resources in Germany. You and/or your bank could follow the money and product by investing a bit of money in ordering a small quantity of whatever the fraudster is selling so you can track where your money goes and where the product is shipped from. If the fraudster is in the US, add up all the extra money you have already spent (plus hours of labor converted to opportunity cost of that labor) and would have to spend going forward to provide ASAP the same level of service to your legitimate customers that they got before the incidents, and think about calling the FBI. From what I hear, they are most interested in such out-of-pocket damages that exceed $5,000.
This topic is now archived and is closed to further replies.