  1. #1
    Marketing Mistress Lectrickitty's Avatar
    Join Date
    June 15th, 2005
    Location
    Broken Bow, OK
    Posts
    336
    I PO'd somebody!
    Today I'm getting spammed from my own domain!

    How can they do this and what can I do to stop it?

    My mail box is loaded with spams that appear to come from me. If they are sending this out to thousands of people, it could end up costing me my hosting and domain.

    Here's the full header from one of the spams I'm getting. I changed my domain name to xxxxxxxxx. As you can see they have my domain name plastered all over the place.


    Return-Path: <support@xxxxxxxxx.com>
    Received: from mx4.internal (mx4.internal [10.202.2.203])
    by server1.messagingengine.com (Cyrus v2.3-alpha) with LMTPA;
    Mon, 20 Feb 2006 13:55:55 -0500
    X-Sieve: CMU Sieve 2.3
    X-Resolved-to: me@myemail.com
    X-Delivered-to: me@myemail.com
    X-Mail-from: support@xxxxxxxxx.com
    Received: from server2.adulthost4u.net (unknown [72.232.50.98])
    by mx4.messagingengine.com (Postfix) with ESMTP id 49787114
    for <me@myemail.com>; Mon, 20 Feb 2006 13:55:39 -0500 (EST)
    Received: from [200.95.48.86] (helo=36928058)
    by server2.adulthost4u.net with smtp (Exim 4.52)
    id 1FBGCV-0001nL-AD; Mon, 20 Feb 2006 10:56:02 -0800
    Received: from pesa.com (indubitable.tenchiclub.com [114.248.104.72])
    by singapore.net with SMTP id 7SYRD0A5H3
    for <support@xxxxxxxxx.com>; Mon, 20 Feb 2006 10:55:42 -0800
    Received: from finial.we-help-u.biz (we-help-u.biz.amqa.com [89.128.20.55])
    by grungecafe.com with SMTP id 9KPAXDARN4
    for <support@xxxxxxxxx.com>; Mon, 20 Feb 2006 15:53:42 -0300
    From: "support@xxxxxxxxx.com" <support@xxxxxxxxx.com>
    To: "Support" <support@xxxxxxxxx.com>
    Subject: support@xxxxxxxxx.com
    X-Sender: support@xxxxxxxxx.com
    User-Agent: The Bat! (v1.51) Educational
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server2.adulthost4u.net
    X-AntiAbuse: Original Domain - xxxxxxxxx.com
    X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
    X-AntiAbuse: Sender Address Domain - xxxxxxxxx.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Message-Id: <20060220185539.49787114@mx4.messagingengine.com>
    Date: Mon, 20 Feb 2006 13:55:39 -0500 (EST)
    "Those who give up their freedom for a little security deserve neither freedom nor security" - Benjamin Franklin
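Added example (not code from any poster): a small Received-header walker, run over a constructed copy of the chain in the header above, that shows which hop is worth acting on. Only the hops written by your own provider's servers (the top of the chain) can be trusted; the hostname before the bracketed IP is just what the sender claimed, and a 10.x address in the top hop is the provider's internal relay, not a spammer. The provider name passed to `origin_ip` is an assumption for the example.

```python
import ipaddress
import re

# Constructed sample: the Received: chain from the header in the first post,
# domain redacted as in the thread. Continuation lines start with whitespace.
SAMPLE_HEADER = """\
Received: from mx4.internal (mx4.internal [10.202.2.203])
 by server1.messagingengine.com (Cyrus v2.3-alpha) with LMTPA;
 Mon, 20 Feb 2006 13:55:55 -0500
Received: from server2.adulthost4u.net (unknown [72.232.50.98])
 by mx4.messagingengine.com (Postfix) with ESMTP id 49787114
 for <me@myemail.com>; Mon, 20 Feb 2006 13:55:39 -0500 (EST)
Received: from [200.95.48.86] (helo=36928058)
 by server2.adulthost4u.net with smtp (Exim 4.52)
 id 1FBGCV-0001nL-AD; Mon, 20 Feb 2006 10:56:02 -0800
Received: from pesa.com (indubitable.tenchiclub.com [114.248.104.72])
 by singapore.net with SMTP id 7SYRD0A5H3
 for <support@xxxxxxxxx.com>; Mon, 20 Feb 2006 10:55:42 -0800
Received: from finial.we-help-u.biz (we-help-u.biz.amqa.com [89.128.20.55])
 by grungecafe.com with SMTP id 9KPAXDARN4
 for <support@xxxxxxxxx.com>; Mon, 20 Feb 2006 15:53:42 -0300
"""

HOP_RE = re.compile(r"^Received:\s*from\s+(\S+)(?:\s*\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def unfold(raw):
    """Join folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_chain(raw):
    """Hops top to bottom; the top one was written by the final receiving server."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if not m:
            continue
        claimed, paren, by = m.groups()
        # The bracketed IP is what the receiving server saw on the TCP
        # connection; the name in front of it is only what the sender claimed.
        ipm = IP_RE.search(paren or "") or IP_RE.search(claimed)
        hops.append({"claimed": claimed, "ip": ipm.group(1) if ipm else None, "by": by})
    return hops

def trusted_hops(hops, my_servers):
    """Keep hops recorded by servers you or your provider run; stop at the first
    unknown 'by' host, since everything below it could have been forged by the sender."""
    out = []
    for hop in hops:
        if not any(hop["by"].endswith(s) for s in my_servers):
            break
        out.append(hop)
    return out

def origin_ip(hops, my_servers):
    """Peer address recorded by the last trusted hop: the one worth reporting."""
    trusted = trusted_hops(hops, my_servers)
    return trusted[-1]["ip"] if trusted else None

def is_private(ip):
    """RFC 1918 addresses such as 10.x are internal relays, not a spammer's machine."""
    return ipaddress.ip_address(ip).is_private
```

With the provider's domain as the trusted suffix, the address to report from this header is the one mx4.messagingengine.com accepted the connection from; the two hops below server2.adulthost4u.net were already inside the message and prove nothing.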

  2. #2
    ABW Ambassador DesignerWiz's Avatar
    Join Date
    January 18th, 2005
    Location
    U.S.A
    Posts
    2,777
    You need to have the form mail sender check that all sendmails are actually being sent by the server itself through authorized access areas requiring password protection or alternative protection methods.

    If you write me at ray (at) designerwiz.com I can send you a form.cgi script that can help protect you from unauthorized usage as well as it mailing you when someone tries using your sendmail.
    Ray Thomas
    Webmaster Resources: http://DesignerWiz.com
    ABW Board Category: Programming / Coding
    http://forum.abestweb.com/forumdisplay.php?f=190

  3. #3
    Marketing Mistress Lectrickitty's Avatar
    Join Date
    June 15th, 2005
    Location
    Broken Bow, OK
    Posts
    336
    You have mail from dancerdoll

  4. #4
    ABW Ambassador buy_online's Avatar
    Join Date
    January 18th, 2005
    Location
    Richmond, VA
    Posts
    3,234
    They may be using your domain as a return address for spams they are sending out, you know, something to put in the "reply to" field. And you're it! All done automatically of course - and by the thousands...

    Welcome to the club.

    Fred

  5. #5
    Life is Supposed to be Fun! Rexanne's Avatar
    Join Date
    January 18th, 2005
    Location
    Los Angeles
    Posts
    12,360
    Great club to be a member of, huh? LOL - I get hundreds of pieces of junk a day from "myself." It also worries me that others are getting the same crap that appears to be from me.

    Guess there's no way to stop it. Where there is potential to scam, there are scammers. I'd love to be able to nail these creeps.
    Peace,

    Rexanne

    Rexanne.com
    Loving Everyone's Child Creates Magic


  6. #6
    Marketing Mistress Lectrickitty's Avatar
    Join Date
    June 15th, 2005
    Location
    Broken Bow, OK
    Posts
    336
    In the past few hours, I've been getting the spam every 2 minutes. I haven't got any for the past 30 minutes since I banned the addy's and did a few other things (see list below). I got lucky and hit on something that works. I've been contacting hosting companies and registrars all day. Haven't heard back from any, but I figure it'll take a while for them to read the mail and take any type of action.

    Some of the things I've been doing:

    1. whois lookups
    2. called the contact # (all phone #'s were non-working)
    3. sent notices to registrars that contact phone #'s are non-working
    4. contacted their hosting companies reporting spammers' abuse of TOS.
    5. uninstalled programs that were installed using Fantastico (36 of them!)
    6. banned the IP addy's I found in the headers of the spam.
    7. deleted the all-important guest book that was getting computer-generated spam. (saved all the entries and will rebuild the book using a different program)

    Planning to use the form.cgi script from Ray.

    Ok, maybe it was overkill, but so far it seems to have worked.

    Now, lots of work to do on my pages. Since I dumped all the quick programs that do everything automatically I'll have to go back to hand coding everything. I may reinstall the Fantastico programs one at a time.

    Dang-it, I HATE spam!!! (keeping my fingers crossed that it doesn't show back up)

  7. #7
    Life is Supposed to be Fun! Rexanne's Avatar
    Join Date
    January 18th, 2005
    Location
    Los Angeles
    Posts
    12,360
    Good job on being proactive, Lectrickitty.


  8. #8
    I like traffic lights
    Join Date
    January 18th, 2005
    Location
    Southern hemisphere - away from Fukushima
    Posts
    2,936
    That's not spam coming from your server, it's spoofing.

    Load SPF TXT records into your DNS for your domain name, and that will reduce their ability to try to pretend to be you.

    It's very simple to do and very effective. More effective once everyone turns on SPF for their mail servers.

  9. #9
    I like traffic lights
    Join Date
    January 18th, 2005
    Location
    Southern hemisphere - away from Fukushima
    Posts
    2,936
    As an aside, for all my domains that I don't have email set up for, I have SPF records in the DNS that allow SPF-compatible mail servers to know that ANY mail claiming to be from that domain is SPAM.

  10. #10
    Member
    Join Date
    May 31st, 2005
    Location
    NY
    Posts
    116
    Quote Originally Posted by Drewbert
    As an aside, for all my domains that I don't have email set up for, I have SPF records in the DNS that allow SPF-compatible mail servers to know that ANY mail claiming to be from that domain is SPAM.
    Drewbert,
    To clarify...would you set the SPF records to "no e-mails are sent from this domain" or "e-mails are only sent from xxxxx.com" (which is the domain/registration company)?

    Thanks in advance for your help.
    Depend on no one but yourself...
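Added here as an illustration, not code from any poster: a toy SPF evaluator over constructed DNS records (.test names, documentation IP ranges, IPv4 only, no network lookups) showing both record forms the question names, `v=spf1 -all` for a domain that sends no mail at all, and a record that names only the hosting server, together with `mx`, `include:` and the `~all` softfail qualifier.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (nothing is resolved over the
# network; .test names and documentation address ranges are placeholders).
# The two record shapes asked about in the post:
#   parked-example.test  sends no mail at all            -> "v=spf1 -all"
#   host-example.test    only its hosting server sends   -> "v=spf1 ip4:<server> -all"
TXT = {
    "parked-example.test": "v=spf1 -all",
    "host-example.test": "v=spf1 ip4:203.0.113.10 -all",
    "site-example.test": "v=spf1 mx include:host-example.test ~all",
}
MX_ADDRS = {"site-example.test": ["198.51.100.25"]}  # addresses of the domain's MX hosts
A_ADDRS = {"site-example.test": ["198.51.100.80"]}   # address of the domain's A record

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Evaluate domain's SPF record for the connecting IPv4 address.
    Returns pass, fail, softfail, neutral, or none (no usable record)."""
    record = TXT.get(domain)
    if depth > 10 or record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A_ADDRS.get(arg or domain, [])
        elif name == "mx":
            matched = ip in MX_ADDRS.get(arg or domain, [])
        elif name == "include":
            # include: matches only when the other domain's record gives 'pass'
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            continue  # unknown mechanism skipped here (real SPF returns permerror)
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and no 'all' term

def verdicts(ip, domains=tuple(TXT)):
    """One check per domain for the same connecting address, e.g. the relay address
    a receiving server recorded on the connection (not the forged From: header)."""
    return {d: check_spf(ip, d) for d in domains}
```

A `-all` record only has an effect at receivers that actually check SPF, and it does nothing about mail that already arrived before the record was published.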

  11. #11
    ABW Ambassador DesignerWiz's Avatar
    Join Date
    January 18th, 2005
    Location
    U.S.A
    Posts
    2,777
    Hi Lectrickitty,

    I never received the mail response you sent yesterday ... weird.

    I see that you have things corrected now based on your comments. If you need anything else ... just give me a PM here to ensure I get the message and I'll be happy to help you any way I can.

  12. #12
    Marketing Mistress Lectrickitty's Avatar
    Join Date
    June 15th, 2005
    Location
    Broken Bow, OK
    Posts
    336
    I just checked and no more spam is arriving via my domain. I think banning the IP addy's is probably what stopped it. If it starts up again in the future, my first response will be to ban any new IP addy's from the headers.

    Fell off a roof and hurt my back last night. I won't be spending much time online until it heals. Ray, I'll probably PM you in a day or 2 (or when I can sit in a chair without pain).

    Thanks

  13. #13
    ABW Ambassador DesignerWiz's Avatar
    Join Date
    January 18th, 2005
    Location
    U.S.A
    Posts
    2,777
    Ouch!!! Rest well & heal.

  14. #14
    Marketing Mistress Lectrickitty's Avatar
    Join Date
    June 15th, 2005
    Location
    Broken Bow, OK
    Posts
    336
    Quote Originally Posted by Drewbert
    As an aside, for all my domains that I don't have email set up for, I have SPF records in the DNS that allow SPF-compatible mail servers to know that ANY mail claiming to be from that domain is SPAM.
    Can you give "paint by number" instructions on how to do that?

    Pretty please with sugar on it.

  15. #15
    I like traffic lights
    Join Date
    January 18th, 2005
    Location
    Southern hemisphere - away from Fukushima
    Posts
    2,936

    http://openspf.org

    Any web hosting service worth their salt will know how to set it up, and if not, should have someone there who realises how important it is and does it anyway.

    After leaning on them a bit, the major registrars who also do DNS service (enom etc) began to put them in as a default for all their parked names.

  16. #16
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    There is a formal method of reporting domains with false WHOIS data, but unfortunately I can't find it and it's bookmarked on my other machine. However, reporting the spamvertised domain to the domain registrar can sometimes help shut it down.

    Usually, these things tend to go away, especially if the spamvertised site gets shut down.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  17. #17
    Marketing Mistress Lectrickitty's Avatar
    Join Date
    June 15th, 2005
    Location
    Broken Bow, OK
    Posts
    336
    Spam is back. I banned a bunch more ip's today. Did more whois lookups and reports.

    Getting soooo tired of this. It's becoming a full time job to fight the spammers. I'm about ready to dump the domain name. www.mydomain.com will soon be a household word for spam if I don't get control of this mess. I'm now getting several hundred spams a day with my domain as the "reply to" addy. The full header shows other domains sending it, but most people don't bother viewing the full header, they just assume I'm sending it.

    I'm tempted to ask them to turn off my email and see if that does any good.

    Very bad days ahead, I can feel them coming.

    It worries me that my host may jump on this as an excuse to cancel my hosting. You see, I have an unlimited account that I've had for many many years with a contract that it's renewable with those terms forever. I only pay $10 per year. They are looking for excuse to dump all their unlimited accounts.

    I want to protect my hosting account at all costs, even if it means dumping a good domain name. I can always point another name to that ip addy.

  18. #18
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    No no no no no - don't dump your domain name, nobody cares if spam is going out with your domain on it. It happens all the time. As long as the CONTENT of the spam doesn't include a reference to your site, then there should be no damage (other than all the bounce messages).

    Although, if you can turn off your email it might be a try. In fact, I'm beginning to think that I should create a domain that's just used for private email and nothing else at all - that might help in these circumstances.

    I did have a similar thing happen to me last year. Eventually it stopped because their site was taken down.

    What does the latest spam look like?

  19. #19
    Marketing Mistress Lectrickitty's Avatar
    Join Date
    June 15th, 2005
    Location
    Broken Bow, OK
    Posts
    336
    Quote Originally Posted by Dynamoo
    What does the latest spam look like?
    Most of them have this message in them:
    Watch the stream of potential customers passing by your web site.
    What if they’ll never see your website in the sea of lnet information?

    Don’t let that happen anymore!

    Make your website a visible isIand in this sea by reqistering with major Search Engines.
    Let our professionaIs do it for you.

    See detaiIs here.

    Best reqards,
    Suzie Payne


    ____________________________________________________
    not interezted...
    The links go to pages on geocities and yahoo. A few of the pages go to sites in UK and Aust. It's obviously a worldwide scam. They are all signed with a different name and all have the following message in the headers

    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server2.adulthost4u.net
    X-AntiAbuse: Original Domain - xxxxxxxx.com
    X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
    X-AntiAbuse: Sender Address Domain - xxxxxxxx.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    xxxxxxxx = my domain name. The header information above that is usually from different domains. I've banned about 50 of them so far, but each email will have new domains to ban.

    I feel like I'm fighting a losing battle. I vote that all spammers should get the death penalty!

  20. #20
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    804
    Hi,

    The bad part is even if you are banning the ips, the spams are still going out with your return address on them, you just don't know about them anymore. The only way to combat this is to keep reporting the emails to everyone involved in them (registrars, isps, email hosts, paypal, mastercharge, visa) and get them shut down as fast as they can send them out.

    I usually check out the sites that they link to and see what they have for images....many times they throw on a verisign, thawte (sic), paypal, mc, visa image to look official. These companies can get them shut down a heckuva lot faster than you can.

    The real problem is domains are throwaway now....they can buy them for a couple of dollars apiece and they don't really care if they get shut down...they just send the next batch out with a new domain. ISPs are a dime a dozen now too and there are a bunch of them overseas that don't care what comes through them.

    Good luck,

    Ken MacKenzie

  21. #21
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Ewwww.. I'm guessing that the domains resolve back to 58.20.164.246 which is in China. There's no point contacting them, these Chinese network operators are invariably corrupt and in the pocket of the spammers.

    In which case, the best bet is to go after the domains with the registrar (usually abuse@ whoever registered it). That can take a little longer, but it will usually put a temporary stop to the spamming.. and when they start up again, they might well move on to forging another domain.

  22. #22
    Marketing Mistress Lectrickitty's Avatar
    Join Date
    June 15th, 2005
    Location
    Broken Bow, OK
    Posts
    336
    Quote Originally Posted by Dynamoo
    Ewwww.. I'm guessing that the domains resolve back to 58.20.164.246 which is in China.
    No, nothing from there yet. Here's a sampling of the IP addresses I've blocked (not all, just a few of them):

    it's scary that one (not in the list above) is only 2 numbers off of my domain! How do you know 58.20.164.246 is in China? I'd like to trace the ones I'm getting and find out where they are coming from. Can you explain to me how to do that?

  23. #23
    Full Member
    Join Date
    January 18th, 2005
    Location
    Des Moines, IA
    Posts
    298
    I'm fighting the same kind of battle right now. It's cost me over $500 so far and my frustration is mounting.

    I'm using http://www.whois.sc to trace IP addresses and find out if they have been blacklisted for sending out spam.

    Does anyone have an idea about how good their database is on blacklisted sites?

    Ray

  24. #24
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    804
    Probably the most up to date site is http://www.spamhaus.org. You'll find everything you always wanted to know about spamming there.

    Ken

  25. #25
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Quote Originally Posted by Lectrickitty
    No, nothing from there yet. Here's a sampling of the IP addresses I've blocked (not all, just a few of them):
    Ah, I mean the spamvertised web site, not the sending machine. That's probably just some random trojanised machine on a broadband connection.

    I'm with Ray, whois.sc is an excellent service (if a bit slow sometimes). I subscribe to the silver membership for $149/year which gives access to some of the more powerful tools.
