Our competitor, spammed all our 2500+ customers with a following message:

"Switch your site to xxxx.com servers from their servers and get more reliable hosting, better control, lower price and 15% discount...."

The letter was actually much longer. They also mentioned we have downtimes (who doesn't?), our support is bad, etc. etc.

Moreover, they did it as if this message was sent from a private party, who moved a domain from us to them, not directly from them.

Did you ever meet such situation? What would you do?
I welcome any helpful advise and ideas :-)

I would email your clients, stating the full story and they will see the bad practices employed by your competitor.

Regards
Matt

I agree with Marc.
We send a monthly newletter to our customers, so I guess this time there would be a 'special edition'; I would not mention the other company though, I'd just explain that sort of practice, so that it wouldn't look like you're 'at war' with them, which is always bad.

-Chris.

Maybe a dumb question, but... how did they get your customer list?

Originally posted by cperciva
Maybe a dumb question, but... how did they get your customer list?
I was wondering the same thing.

> Maybe a dumb question, but... how did they get your customer list?

I've seen that before: would you believe it? They actually set up a basic account, or whatever account they feel like buying, thanks to your 30 days money back guarantee, and provided your customers have telnet/ssh access...all they have to do is read your configurationf files.
Ok this works only with one server at a time, but still...

-Chris.

Originally posted by cyansmoker
provided your customers have telnet/ssh access...all they have to do is read your configurationf files.


And why, precisely, are those configuration files world-readable?

Actually, I have a list of all domains in the user area (user area is a protected page with forum, news, etc - I try to build user community there).

They used info@userdomain.com address to spam all users on all our servers.

Could it be possible they payed one of your staff members to provide such list?

No, this list was not a secret. Any user of our system can see this list in the protected user area. So, I think, they get the list with a user which actually moved to them sometime ago. "User Area" is a page where we keep private forum for our users, post news and announcemnts, etc.

Our users sometime move to their servers, as well as their users move to us. It is normal.

By the way, some ISPs post their list on the web without even minimal protection. For example, express.ru put the list of all their
4000 customer domains on the Web.

Check it at http://www.express.ru/clients/

In the meantime, I think we will need to remove the list :-(

I'd be very wary about posting such a list, simply as a result of the various privacy regulations in different jurisdictions around the world. I'm sure there are some (probably several, in fact) places where you can't publicly identify one of your customers without their express permission.

It was just a list of domains. No descriptions, no company names.

Again, what shall I do?

- delete list ? (they already have it)
- send newsletter to customers (like Matt suggested)
- ban any email from competitor's network?!
- delete all incoming messages that contain their company name from mail server?!!!
- do nothing, simply trying to be better than they are?
- other helpful advises?

Anatole,

1-I'd send a newsletter, or if your do not regularly send one, at least send a plain ol' email,
2-I don't know what the purpose of your clients list is, but some webhosts offer an online sef-help forum where they could have grabbed your users coordinates too, so it may not be such a big deal...
3-I guess you could also filter all incoming messages that contain the other company's name...

cperciva:
it's very easy for any crook who has access to your servers to read Apache config. files, because they belong to apache or nobody, nothing one can't access thanks to a php script (you do not even have to write the script) or whatnot...

-Chris.

Originally posted by cyansmoker
cperciva:
it's very easy for any crook who has access to your servers to read Apache config. files, because they belong to apache or nobody, nothing one can't access thanks to a php script (you do not even have to write the script) or whatnot...


*cough* chmod 400 *cough*

Originally posted by cperciva


*cough* chmod 400 *cough*

cperciva, we are getting definitely off-topic now, but how does a chmod 400 prevent a php script -with apache privileges- from reading a file that belongs to apache?

-Chris.

Originally posted by cyansmoker
cperciva, we are getting definitely off-topic now, but how does a chmod 400 prevent a php script -with apache privileges- from reading a file that belongs to apache?


It wouldn't. But 1. scripts should be run through suexec, and 2. the configuration files should be owned by root, not by the the user you set up for apache. (Apache reads configuration files, binds to port 80, and opens its log files before dropping priviledges.)

Originally posted by cperciva


It wouldn't. But 1. scripts should be run through suexec, and 2. the configuration files should be owned by root, not by the the user you set up for apache. (Apache reads configuration files, binds to port 80, and opens its log files before dropping priviledges.)

Yeah, you are so right. Right after sending my reply I realized that apache is started as root then forks less 'mighty' children.

On the other hand, I observed that some hosts do not protect their apache configuration files, and I wonder whether it's because they use a control panel. I've observed this with cpanel, so could this be a reason for this, or just negligence?

On a different note, php is rarely forked as an external executable, it's much more preferable to use a static or dynamic library.

-chris.

Originally posted by cyansmoker
On a different note, php is rarely forked as an external executable, it's much more preferable to use a static or dynamic library.


Much more preferable if you're not worried about security, that is...

Originally posted by cperciva


Much more preferable if you're not worried about security, that is...

Well I think we're really spoiling the whole thread now. If you feel like discussing the advantages of using PHP through suexec vs as a library, I'd be happy to continue on the 'Technical/Security' forum.
I'm not trying to prove you wrong, it's just I've never considerered php ran as the apache user to be a major threat, now it seems like you do know more than that, so I'd be interested in reading about it...

-Chris.

Originally posted by Anatole
Our competitor, spammed all our 2500+ customers with a following message:

"Switch your site to xxxx.com servers from their servers and get more reliable hosting, better control, lower price and 15% discount...."

The letter was actually much longer. They also mentioned we have downtimes (who doesn't?), our support is bad, etc. etc.

Moreover, they did it as if this message was sent from a private party, who moved a domain from us to them, not directly from them.[/B]

First, how do you know it was from them. You mentioned something about it being sent (as if) from a private party?

Second, if you can prove it was sent by them, the email may contain libelous comments and if you can prove damages, you may be able to launch a case against them.

Third, I'd take down that list.

So they spammed to my users yesturday at 8:30...9:30 p.m.

Today, at morning, while checking my e-mail, I've got 3 messages from my customers with the following:

1. "Anatole, I'd like to warn you, that your competitor is spamming to me and suggests to move my domain. I thnk that many users have got such a message. Here is it ........ "

2. "I've got this annoying message! Please, put them in the antispam filter! :angry: "

3. "Anatole, how can you explain such a low price, they suggest? I am happy with your technical support, but $8 for unlimited traffic and 200MB with CGI/PHP/MySQL is a really good price :confused: "


Really, how many users will move their sites to the competitor on Monday? How do you like their pricing:
$8.95 for 200MB + cgi-bin + mysql + php + unmetered traffic + free domain registration?

Originally posted by Anatole
"Anatole, how can you explain such a low price, they suggest? I am happy with your technical support, but $8 for unlimited traffic and 200MB with CGI/PHP/MySQL is a really good price

Tell them as quick as you can that there is no such thing as "unlimited traffic". I would even make a page dedicated to the other host spamming and lying (without mentioning their name).

UNLIMITED :D

hostonce.com
2mhost.com
domainsvision.com
one2host.com
win2000hoster.com
gnxonline.com
dellz.com
and the list goes on . . .

and that is also on dirt cheap price. i think this UNLIMITED thing works. or else they must have stoped advertising this.

why do you think ?

Originally posted by mahinder
i think this UNLIMITED thing works. or else they must have stoped advertising this.

Fraud usually works, at least until the police step in.