Need solution against fake spam complaints

nowisph
04-05-2004, 09:54 AM
We're under attack from fake spam complaints from competition, we explained to our service provider but they said multiple spam issues will get our service suspended, please advise :(

MatthewN
04-05-2004, 10:47 AM
Do the IPs in the email headers match your IPs? Also... do you know why you are a victim to this? Do you know who it is? It seems a tad on the extreme side and very unlucky for you.
I would try to find the IP of the sender and report them and also if you can... try to find out why they do this? Is it just because you are competition? Or did you upset them somehow?

jsw6
04-05-2004, 10:55 AM
What landing page is being joe-jobbed? E.g. the spam you say you are not sending (I believe you!) must have a URL for your sites in it someplace, right? What kind of product or content does the URL push? Is it an affiliate-link type URL issued to one person, or like your www.domain.com landing page?
I suggest that you start looking for a new ISP, and as you speak to each one, ask to talk to the person in charge of abuse@ and the person who makes decisions on whether or not to cut customers off for spam. Carefully explain to them that you are the target of a "Joe Job," and show them example spam. You'll also want to demonstrate that, when possible, you are eliminating landing pages as you learn of them.
Finally, and it makes me sick to suggest this, but you should consider posting in the news.admin.net-abuse.email newsgroup. Many of the posters there are nuts and will probably not be kind to you by any stretch of the word, but if they believe you are being "Joe Jobbed," they are resourceful people and may be able to help you.

nowisph
04-05-2004, 11:11 AM
It matches one of our server's IPs.
I've no idea who the attacker is. I don't know much of the sender info, the datacenter just tells me it's from over 20 individual complaints.
They forwarded one copy to me and the sender IP is from Telus Communications, an ISP in Canada. My company always stays away from competition, I don't know why we're the target.

nowisph
04-05-2004, 11:25 AM
The spam email is adult-related content, the advertised domain is not hosted in any of our servers, the outgoing mail server is claimed to be our server's IP.
I'll try to negotiate with the abuse department but they're not cooperative, and stated this is their policy... :(
Thank you for your link, I'll try to seek some help there.

nowisph
04-05-2004, 11:32 AM
Sorry... news.admin.net does not exist?

Cope
04-05-2004, 11:38 AM
news.admin.net-abuse.email the Usenet/Newsgroup.

nowisph
04-05-2004, 11:40 AM
ok thanks... I got it

jsw6
04-05-2004, 11:41 AM
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&group=news.admin.net-abuse
Can you post the headers of one of the joe-job spams in question? I assume that your ISP is providing you with the messages when they receive complaints. If they do not do that, there is very little you can do.
That's the problem with allowing your carriers to tie ToS to abuse@ complaints, without mandating that you be given the full complaints and headers -- though abuse@ folks sometimes think you'll use it for lesser purposes, without such headers there is nothing you can do about joe jobs, affiliates who may be spamming without your knowledge, and so on. Your ISPs really need to work with you here, or there's nothing you can do.

mainarea
04-05-2004, 12:40 PM
Can you post the entire email, with full headers, so that we can see exactly what was sent?
- Matt

2Grumpy
04-05-2004, 12:44 PM
Originally posted by nowisph
> the outgoing mail server is claimed to be our server's IP.
Now that's unusual... It's pretty rare to encounter a spoofed sending ip, are you absolutely positively SURE there's no way this mail is coming from your server? No formmail scripts, smtp users, etc that could be doing this?
Because faked sending IPs are part of the game and the anti-spammers pretty much know all the tricks spammers use to try and hide ips and are wise to them.

nowisph
04-05-2004, 12:59 PM
Yes, I'm pretty sure. I think they just change the sending IP in the email header then send to abuse@ our provider :rolleyes:
We can protect our servers from spamming, but we can't stop them complaining to our service provider.

2Grumpy
04-05-2004, 01:04 PM
Originally posted by nowisph
> Yes, I'm pretty sure. I think they just change the sending IP in the email header then send to abuse@ our provider :rolleyes:
> We can protect our servers from spamming, but we can't stop them complaining to our service provider.
Oof yeah actually modifying the header manually would be pretty malicious... No way at all to protect yourself, maybe ask your data center to firewall off port 25 completely to prove "hey it CANNOT send mail so it CANNOT be sending spam now can it?"
If you have a good relationship with your provider show them your logs, email headers have message IDs and that ID should show up in your log for that day.

nowisph
04-05-2004, 01:10 PM
Right... I'll do it.
Thanks

Nevidia
04-06-2004, 01:08 AM
We have been the target of something very similar in the last 48 hours ourselves. Somebody working off of the altern.org domain has been sending SPAM that not only spoofs my company's email support address, but in fact they are claiming to be us!!
We received hundreds of SPAM complaints from SPAM organizations and frustrated users, to the extent that we had to place a HUGE disclaimer/link right at the top of our site until things slow down. We of course contacted all the abuse departments on route to this domain's name servers, but 48 hours later no response from Rogers (mail being sent from here), Cogent, Allstream (Canada), or EV1 (name servers ultimately end up pointing here).
We proactively contacted all the RBL blacklists that we normally work with, but other than this, what else can we do to protect our name??? Has anybody run into this before?
Looks like these people are either hosting with merdre.net (a French hosting company of some sort), or ARE merdre.net (another good possibility), but how do you know who to go after? I'd love to launch a massive lawsuit ... but who do you sue?!
Thanks for the help!!

nowisph
04-06-2004, 02:22 AM
> We proactively contacted all the RBL blacklists that we normally work with, but other than this, what else can we do to protect our name???
May you explain how you work with those PBL? Usually if I call or email them, it takes days for them to respond, at that time we're already listed in blacklists...

Nevidia
04-06-2004, 04:37 AM
Don't get me wrong, we definitely DO get listed sometimes ... and that's why we know who they are!! But they are usually pretty good about delisting once we've shown that we've isolated the violating spammer and shut 'em down.
I just wish they would be a little more co-operative in working WITH co-operative hosts to help both us as well as themselves in keeping the spammers at bay.

nowisph
04-06-2004, 05:06 AM
Did you ever get a suspension of service by your provider caused by these abuse issues?

Nevidia
04-06-2004, 01:08 PM
We work very closely with our service provider on a regular basis to help resolve SPAM issues.

myquestion
07-20-2004, 02:00 PM
Originally posted by Nevidia
> We have been the target of something very similar in the last 48 hours ourselves. Somebody working off of the altern.org domain has been sending SPAM that not only spoofs my company's email support address, but in fact they are claiming to be us!!
> Thanks for the help!!
Exactly the same situation happened with my hosting company. I received first of all hosting offers from them...
*******************************
Dear support ;
We heard that you're interested in signing up for Webhosting and Search Engine Submission, We have several plans that you can choose from starting at $5 a month!, please email us to hosting@altern.org if you're still interested so we can discuss your needs.
* Please do not reply to this email, replies to this email will NOT be delivered to us, please send an email to hosting@altern.org for more info.
Thank you.
Best regards,
Anthony McCoy
********************************************
Later on same from hostingse@altern.org
Now: sesubmit@altern.org
They are sending out the hosting spam offers from my support address. Guess what... how many bounced msg received. Only today received 500 bounced msg.
altern.org is a free E-mail address provider, I even wrote an E-mail to root and explained the situation, I asked to stop or delete that account. At least this may slow down those bastards but I am also looking for some permanent solution.
Any suggestion?
- they are still able to open a new free account anytime
- they are still able to send out hosting related spam using my support address
- they even use so many servers to send out the msg
So what is the real solution for this?

Shaw Networks
07-20-2004, 06:36 PM
We were once the victim of something similar to this, you just have to knock it through the DC's thick head that it's not coming from your server, perhaps switch to a different main IP temporarily to prove it to them (other e-mails will still have old IP). Dixiesys' idea wasn't a bad suggestion, you could try that if it's really becoming desperate.
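
Added example, not part of the original thread: a sketch of the log check suggested in the 01:04 PM reply (the Message-ID in a complaint's headers should show up in your mail log for that day), combined with the earlier question of whether the header IPs match yours. The function name, the sample headers and the Postfix-style `message-id=` log lines are assumptions constructed for illustration.

```python
import email
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LOG_ID_RE = re.compile(r"message-id=(<[^>]+>)")

# Constructed sample data (documentation IPs and example domains).
OUR_IPS = {"192.0.2.10"}
SAMPLE_COMPLAINT = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.recipient.example with ESMTP id 9A1B2C3D4E;
    Mon, 5 Apr 2004 09:12:44 -0400
Message-ID: <20040405131201.7C9E1F@mail.example.net>
From: "Offers" <offers@example.org>
Subject: constructed sample
"""
# Assumed log format: Postfix-style "cleanup" lines that record message-id=.
SAMPLE_LOG = [
    "Apr  5 09:01:13 mail postfix/cleanup[2211]: 4D1F2A0031: "
    "message-id=<20040405130113.4D1F2A@mail.example.net>",
    "Apr  5 09:40:02 mail postfix/cleanup[2290]: 5E7A9B0044: "
    "message-id=<20040405134002.5E7A9B@mail.example.net>",
]

def check_complaint(raw_headers, log_lines, our_ips):
    """Compare a forwarded complaint's headers with our own MTA log."""
    msg = email.message_from_string(raw_headers)
    msg_id = (msg["Message-ID"] or "").strip()
    # A forwarded complaint is plain text: any Received line in it, bracketed
    # IP included, may have been forged or edited, so it proves nothing alone.
    received = msg.get_all("Received") or []
    claimed = {ip for hdr in received for ip in IP_RE.findall(hdr)}
    claims_ours = sorted(claimed & set(our_ips))
    logged_ids = set(LOG_ID_RE.findall("\n".join(log_lines)))
    in_log = bool(msg_id) and msg_id in logged_ids
    if in_log:
        verdict = "in our log: check formmail scripts and SMTP users"
    elif claims_ours:
        # Evidence for the provider, not proof: mail that bypasses the local
        # MTA is not logged, hence the port 25 firewall idea in the thread.
        verdict = "header names our IP, but our MTA never logged this ID"
    else:
        verdict = "no header names our IP"
    return {"message_id": msg_id, "in_log": in_log,
            "claims_ours": claims_ours, "verdict": verdict}

if __name__ == "__main__":
    print(check_complaint(SAMPLE_COMPLAINT, SAMPLE_LOG, OUR_IPS))
```

Run it against each complaint the provider forwards and hand them the result together with the matching day's log.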