Web Hosting Talk

Stupid SPAMMERS!


bert
01-15-2002, 12:03 PM
Hello people,

I just wanted to share our experience. We had a stupid spammer last night who emailed at least 100,000 messages in less than a couple of hours. The order came in, we checked it out, everything was legit, a valid (not free) email address, credit card AVS and CVV2 matched, everything good to go. Well, we created the account and in about two hours we saw that the server was overloaded (5.00 ++) so we checked the processes and there he was, sending thousands of messages through a script. There were at least 50 or more instances of sendmail running at the same time.

I guess my point is to watch out for these guys. We have not been so lucky; we have had three heavy-duty spammers over the past 3 months even though we do intensive order screening. I guess I think all of us should use a database system to track these freaks. I recorded him in the "Host Abuse Registry" at http://www.hostabuse.com/ I really hope more hosting companies would use them. It is amazing the kind of crap that we can go through with these jerks.

Good luck to you all.

jic
01-15-2002, 12:34 PM
bastard!

davidb
01-15-2002, 12:43 PM
I know how you feel. Luckily I was working on the server when my spammer hit. I don't know how many he got out, but I do know he had 6 lists with approx. 30,000 addys per list. They should all burn. That's just IMHO.

bert
01-15-2002, 12:47 PM
Yeah, I tarred up his whole script, downloaded it and looked at it. The crook had close to 500,000 email addresses there. About 12 files with 40,000 addresses each!

NinthSwat
01-15-2002, 02:20 PM
Hi,

If you mean lstmrge.cgi, that's a horrible thing :angry: . It can send out 100K emails per hour (maybe more).
We have such spammers each month.
P.S: Do you do anything with them after deleting their accounts? I mean, do you charge them for spam?

Thanks.

MilkMan
01-15-2002, 02:29 PM
so who was it?

Angel78
01-15-2002, 03:05 PM
Someone should sue that spammer... until then I don't think that he'll stop.

ADEhost
01-15-2002, 03:21 PM
OK, real simple,

I don't know this answer but I'm sure I've seen this somewhere else; in fact I'm sure of it, I just cannot recall.

1) Is there a way on the Unix platform to restrict the output of the mail server in question to a given volume of mail per hour?
I know that Earthlink has something like that, and I think that sendmail has an option for it also (not sure).


2) Is there a way to scan on an hourly/daily/monthly basis for specific programs within the servers? If so, then you could set up a batch program to look for known spamming software.

Mike from adehost

My company Adehost.com


Update: sendmail note (just might help), not sure.

http://www.netmar.com/~will/sendmail.txt

Update #2
http://cr.yp.to/mail.html

mahinder
01-15-2002, 03:48 PM
Originally posted by Angel78
Someone should sue that spammer... until then I don't think that he'll stop.

:agree: According to our TOS we can sue the spammers legally. But we are not in the USA; how can we sue these turkeys :(

bert
01-15-2002, 03:59 PM
Yes, lstmrge.cgi is the one :angry:

Suing a spammer is difficult and costs thousands of dollars. Not worth it (at least not for us)

Our revenues do not justify suing a spammer and spending thousands of dollars to get nothing in return. It is sad, but it is the reality. What we can do though is create a powerful database and keep these crooks off-line.

goodness0001
01-15-2002, 05:06 PM
I have had this script loaded on our servers about 45 different times. The thing is that all the credit card info matches, AVS OKs it, but it will come back as a chargeback... guaranteed.

As for stopping the script, we had to create a cron job to scan for the lstmrge.cgi file every 30 minutes and delete it if it was found.

Ever since we did this it stopped.

bert
01-15-2002, 05:14 PM
goodness0001,

Could you tell us what you put in the cron? Did you do "locate xxx.cgi" and then "rm xxx.cgi" ??

goodness0001
01-15-2002, 05:34 PM
To save on system resources, be sure to only search where customer files are located so there is no need to search the whole file system.

find /path/to/start/searching/in/ -type f -name "lstmrge.cgi" -print0 | xargs -0 rm -f

priyadi
01-15-2002, 06:29 PM
Originally posted by mahinder


:agree: According to our TOS we can sue the spammers legally. But we are not in the USA; how can we sue these turkeys :(

I think someone in the US should start a dedicated company for suing spammers. If I'm not mistaken, it is also possible to collect damages from spammers, even if you don't include it in your TOS.

The business model would be roughly like this: the spam victim (web hosting company, ISP, or spammed user) asks the company to sue the spammer, the company sues the spammer and collects, the company gets a portion of the money and the rest is given back to the victim.

What do you think? Will this model really work?

priyadi
01-15-2002, 06:33 PM
Originally posted by goodness0001

find /path/to/start/searching/in/ -type f -name "lstmrge.cgi" -print0 | xargs -0 rm -f

I think it is better to find out the user who uses it than just deleting it blindly. The user can always re-upload if you remove it.

Lmax
01-15-2002, 08:03 PM
You don't get notified when the cron job finds something, so the user can easily upload something again; mailing a warning may be a better idea.

Maybe this is a better idea

found=$(find /usr/local/psa/home/vhosts/ -type f -name "lstmrge.cgi")
[ -n "$found" ] && echo "$found" | mail -s "lstmrge.cgi found" your@mail.address

Then you get notified and you can suspend the user

bert
01-15-2002, 08:06 PM
I kinda like the cron, but you will never know if there was a script working. I'd rather find out who the sucker is and terminate him/her. I feel more in control that way.

Mester
01-15-2002, 08:29 PM
Originally posted by priyadi


I think someone in the US should start a dedicated company for suing spammers. If I'm not mistaken, it is also possible to collect damages from spammers, even if you don't include it in your TOS.

The business model would be roughly like this: the spam victim (web hosting company, ISP, or spammed user) asks the company to sue the spammer, the company sues the spammer and collects, the company gets a portion of the money and the rest is given back to the victim.

What do you think? Will this model really work?

I don't think so. There are laws in some places banning spam. For example, in Washington state, someone can basically have $200 USD from the sender of any email with an invalid return address. Hopefully, the same thing will move through the continent :D

Annette
01-15-2002, 09:11 PM
Go to
http://shaun.ethernetnetworks.com/perl_index.shtml

Grab the filemonitor script. Modify it to find the sorts of files you want found (lstmrge should be one). Stick it in the cron to run whenever you want it to run, writing the results to a logfile (which can then be emailed to you). Very handy for finding spammers that immediately start running their scripts before the locate database updates. It's pretty similar to something we wrote for our use, and we tested it for someone we're helping with a ded. Works pretty well, it's easy to set up, and it's free.

bert
01-15-2002, 10:10 PM
Thanks Annette. This will certainly do a lot to catch the suckers on time. ;)

marksy
01-15-2002, 11:52 PM
Does that script run faster than updatedb and locate calls with the filenames in question? Alabanza does something like the script does and it drags a server down, big time.

Annette
01-16-2002, 02:44 AM
Not even a blip, even on some of the baby boxes we tested, whether the output is directed to the screen or to a log. The mapsItna that Alabanza runs is horribly intrusive. This one is simply a good interface to recursive find for people that might not be comfortable doing these scans otherwise.

porcupine
01-17-2002, 12:22 PM
You might also want to consider writing something to tail the /var/log/ftpd.log or whatever wu-ftpd (or whatever you respectively use) generates for uploaded and downloaded content. If it tail -f's the file (I don't know how to write this in perl/bash, but the concept is easy enough) then you should be able to catch them AS they upload it instead of an hour later when your cron job runs, potentially saving 100,000 spam victims....

Just an idea =)
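
As an added worked example of the idea in this post (written for this page, not code from the thread), here is a small Python watcher that follows a wu-ftpd style xferlog the way tail -f does and reports every completed upload whose file name is on a watchlist, together with the account and remote address from the same log line. The record layout is the documented wu-ftpd xferlog format; the sample lines, the log path and the one-second poll interval are assumptions made for this example.

```python
import os
import re
import sys
import time

# Names the thread identifies as bulk-mail scripts; extend for your own boxes.
WATCHLIST = {"lstmrge.cgi"}

# wu-ftpd xferlog record: date(5 fields) xfer-secs host bytes path type(a/b)
# special-action direction(i/o/d) access-mode(a/g/r) user service auth(0/1)
# authenticated-id completion-status(c/i). Single-digit days are space padded.
XFERLOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<action>\S+) (?P<direction>[iod]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authid>\S+) "
    r"(?P<status>[ci])$"
)

# Constructed sample log (not a real capture): one matching upload, one
# harmless upload, a download of the script, and an aborted upload.
SAMPLE_LOG = [
    "Tue Jan 15 10:02:13 2002 1 192.0.2.10 14021 /home/bob/public_html/cgi-bin/lstmrge.cgi b _ i r bob ftp 0 * c",
    "Tue Jan 15 10:02:20 2002 1 192.0.2.10 2048 /home/bob/public_html/index.html a _ i r bob ftp 0 * c",
    "Tue Jan 15 10:05:00 2002 0 198.51.100.7 14021 /home/alice/public_html/cgi-bin/lstmrge.cgi b _ o r alice ftp 0 * c",
    "Tue Jan 15 10:06:00 2002 2 198.51.100.7 500 /home/alice/public_html/cgi-bin/LSTMRGE.CGI b _ i r alice ftp 0 * i",
]


def parse_xferlog_line(line):
    """Return the fields of one xferlog record as a dict, or None if it does not parse."""
    m = XFERLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def iter_suspicious_uploads(lines, watchlist=WATCHLIST):
    """Yield (user, path, host) for every completed incoming transfer whose
    basename is on the watchlist. Downloads and aborted uploads are skipped;
    the comparison is case-insensitive because FTP clients may upcase names."""
    for line in lines:
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        if rec["direction"] != "i" or rec["status"] != "c":
            continue
        if os.path.basename(rec["path"]).lower() in watchlist:
            yield rec["user"], rec["path"], rec["host"]


def suspicious_uploads(lines, watchlist=WATCHLIST):
    """List form of iter_suspicious_uploads, for batch scans and tests."""
    return list(iter_suspicious_uploads(lines, watchlist))


def follow(path, poll=1.0):
    """Yield lines appended to `path` as they arrive, like `tail -f`.
    When the file is rotated (inode changes) the new file is read from its start."""
    seek_end = True
    while True:
        with open(path) as fh:
            inode = os.fstat(fh.fileno()).st_ino
            if seek_end:
                fh.seek(0, os.SEEK_END)
            seek_end = False
            while True:
                line = fh.readline()
                if line:
                    yield line
                    continue
                try:
                    rotated = os.stat(path).st_ino != inode
                except FileNotFoundError:
                    rotated = False  # mid-rotation; keep polling the old handle
                if rotated:
                    break
                time.sleep(poll)


if __name__ == "__main__":
    log = sys.argv[1] if len(sys.argv) > 1 else "/var/log/xferlog"  # path is an assumption
    for user, path, host in iter_suspicious_uploads(follow(log)):
        print("ALERT: account %s uploaded %s from %s" % (user, path, host))
        sys.stdout.flush()
```

Run it under a supervisor (or from rc.local) with the xferlog path as the argument and pipe the alerts to mail or a pager. Matching on a file name is only as strong as the watchlist: a renamed copy slips through, so the natural extension is to flag any upload into a cgi-bin directory for a look, and the user field in the same record tells you which account to suspend.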

bteeter
01-17-2002, 12:31 PM
Originally posted by priyadi


I think it is better to find out the user who uses it than just deleting it blindly. The user can always re-upload if you remove it.

True. Perhaps a simple Perl script which finds and deletes the script, then mails you to let you know who had the script. Then you can send a "gentle reminder" of the terms of service, and just how much you will sue them for if they try to spam on your server. :-)

Take care,

Brian

bert
01-17-2002, 12:34 PM
Originally posted by bteeter
Then you can send a "gentle reminder" of the terms of service, and just how much you will sue them for if they try to spam on your server. :-)

LOL :D

You can never be "gentle" with those people nor send them reminders. We terminate their accounts at once and send them a message (just to be formal) simply to let them know that we terminated their account for violation of the TOS.

bteeter
01-17-2002, 12:38 PM
Originally posted by bert


LOL :D

You can never be "gentle" with those people nor send them reminders. We terminate their accounts at once and send them a message (just to be formal) simply to let them know that we terminated their account for violation of the TOS.

So do we - if they have sent spam. (4 already this month!)

Ideally, we could stop them from doing it in the first place and tell them they better straighten up or they will be terminated. I know that this is probably not possible, but it won't stop us from trying. Monitoring and scripting should be able to stop most of this nonsense before it starts.

I like someone else's idea of sending a registered letter with an invoice for our "spam fee" of $100. I plan on doing that for the last 4 spammers I terminated.

Take care,

Brian

bert
01-17-2002, 12:42 PM
I agree with you Brian; however these crooks sign up exclusively to send spam. It makes no sense to warn them, they will not stop. If you warn them they will either go spam somewhere else or they will continue to spam on your machine.

As for the $100.00 fee, it would be really nice; the problem is that nearly 99.999% of spammers file chargebacks, so if you charge them the $100.00 fee, more than likely they will get that back from you as well.

Take care,

AlaskanWolf
01-17-2002, 09:42 PM
We have a TOS that clearly states we will charge $250.00 per case that we find blatant spamming from our servers.

We in fact found one, charged the $250.00; 2 weeks later they did a chargeback, and we "won" the chargeback because we require all customers to sign a simple credit card approval form that states they read our TOS and approve charges from WHN.

I should add, now that I found the script's name in these spam threads, he was using the script that everyone's speaking of.

Now that I found that site, it's so funny how they claim they can jump from host to host, but what this user wasn't aware of was our spam policy; they *#($ bricks when they found the $250 charge on their bank card, which in turn (from what they claim) "bounced a lot of checks".

I was laughing so hard when I heard that.

bert
01-17-2002, 09:49 PM
Originally posted by AlaskanWolf
we require all customers to sign a simple credit card approval form

Don't mean to be rude or anything, but how many employees do you have working for you? I don't see that as a viable alternative when you have 10 to 15 signups per day and are a small (two man) operation.

Just my thoughts.

porcupine
01-17-2002, 09:58 PM
Do they physically sign it, or place a checkbox in a form indicating they have read and agreed to it?

AlaskanWolf
01-17-2002, 10:02 PM
Actually everything's automated; we don't have to do anything in terms of sending the customer the forms etc. thanks to our in-house billing program.

We have a total of 6 employees working for us. We have had this policy (requiring the form to be faxed back) for about 2 years now, and I have a cabinet full of credit card authorization forms.

Really, as much as hosts say "it's a waste of time and will sway customers from signing up", that's their mindset, and those hosts are the ones that will be getting a freeze on their deposits when their chargebacks reach (2% I think). We lost 3 merchants before finally requiring the form; we have had our merchant acct for over 2 years now. We have had a very good success rate in customers faxing back the form, and when they can't fax, they send it via sendmail.

At least I know that my merchant account is secured for a very long time, and anytime I get a chargeback, we just look in the cabinet, pull out the cc form, and send it to our merchant. Having this spammer's signature on file put the burden on the spammer/customer because it clearly stated that they read our TOS and would abide by it... they got slammed because we had their signature on file; if we didn't have it on file, 110% the chargeback would have been sent back to the spammer's bank account.

AlaskanWolf
01-17-2002, 10:04 PM
This has been discussed in previous threads anyway; they print it out, sign it and fax it back.

Merchants don't give a rat if you require them to "check mark" the form; you must have their signature.

We have a PDF form at http://billing.www-hosting.net/AuthorizationForm.pdf

and a simple txt email that gets sent to them if they don't have Adobe Reader installed.... 90% of the forms we get back are with the PDF, the other 10% are the simple text form.

Lmax
01-20-2002, 02:01 PM
Damn, again two spammers on my server. Accounts deleted immediately, of course.

otherground
01-20-2002, 06:54 PM
Is the original spammer advertising a web site in the spam?

If so you should contact their host, and the host's ISP.

JeremyL
01-20-2002, 07:09 PM
What really pisses me off even more than spammers are the fanatics who blame us for customers spamming. For example, I had a customer sign up last week for modewebsites.com as their domain. Then on Friday I get an email from someone who did a lookup on our server name and got our email address to tell us this domain was spamming. I checked and the only thing on their site on our servers was a redirect to their main domain modwebsites.net and a script to spam with. So of course we immediately cancelled the account. Then today I get this nut emailing me saying that we are the spammers because when they did a reverse lookup on the modwebsites.com website it wasn't on our servers, and then proceeded to make threats against us.

monkey_boy
01-24-2002, 01:15 PM
In Colorado, there is a law against spamming. Everyone involved gets $10: the end user, and all providers upstream with equipment in Colorado.

I saw another posting somewhere about the possibility of routing MX through a server in Colorado to make some money! (Even after selling a judgement to a collection agency, there is going to be some money in 20,000 messages!)

The technical aspects of this are a little beyond me currently.

vSector
01-25-2002, 03:40 AM
Hi,

I have just had my server taken down because of spammers. My provider unplugged my connection because they were getting spam complaints. This is not the first time and I'm sure it's not going to be the last if nothing is done.

I need a solution and know a lot of other people with the same problem. We all need a solution, and a good one!!

I have some knowledge of cgi/php/mysql/linux and want to create a script that can be run every 15/30/60 mins using cron. My current idea for the script is to check the logs and calculate the emails sent by each address in the last 24 hours. Then if the user has sent more than 500 emails the script will terminate or suspend the account, sending them a polite email explaining why they have been removed.

This can simply be added to the TOS, where the maximum email sent per day is 500.

What do you guys think? I am on ICQ if anyone wants to help me develop this further; I will be willing to share the script if everything works OK.
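
As an added worked example of the cron script proposed in this post (written for this page, not vSector's code), here is a Python job that totals recipients per local account over the trailing 24 hours from sendmail's syslog "from=" lines and lists the accounts over a limit. It relies on two things sendmail records at submission time: nrcpts=N (the recipient count of that message) and relay=user@localhost for messages handed in locally by that account, which is what lets the job attribute volume to a customer rather than to a remote SMTP peer. The log lines below are constructed samples in that shape; the log path, the 500 limit and the suspend command (usermod -L) are assumptions.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta

MAILLOG = "/var/log/maillog"   # assumption: adjust to your syslog layout
DAILY_LIMIT = 500              # recipients per account per 24 h, per the proposed TOS
WINDOW = timedelta(hours=24)

# Sendmail submission line:
# "<syslog ts> host sendmail[pid]: <qid>: from=..., size=..., class=..., nrcpts=N, msgid=..., relay=..."
FROM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=.*?\bnrcpts=(?P<nrcpts>\d+).*?\brelay=(?P<relay>[^,\s]+)"
)

# Constructed sample in the shape of sendmail syslog output (not a real capture).
# "now" for the sample is 2002-01-15 12:00:00, so the Jan 14 line is outside the window.
SAMPLE_LOG = [
    "Jan 14 05:00:00 www sendmail[1900]: g0EA0001900: from=bob, size=1540, class=0, nrcpts=1000, msgid=<200201140500.g0EA0001900@www.example.com>, relay=bob@localhost",
    "Jan 15 09:10:11 www sendmail[2201]: g0FEAB02201: from=bob, size=1540, class=0, nrcpts=200, msgid=<200201150910.g0FEAB02201@www.example.com>, relay=bob@localhost",
    "Jan 15 10:40:00 www sendmail[2310]: g0FFe002310: from=bob, size=1540, class=0, nrcpts=200, msgid=<200201151040.g0FFe002310@www.example.com>, relay=bob@localhost",
    "Jan 15 11:00:00 www sendmail[2344]: g0FG0002344: from=alice, size=820, class=0, nrcpts=5, msgid=<200201151100.g0FG0002344@www.example.com>, relay=alice@localhost",
    "Jan 15 11:20:00 www sendmail[2360]: g0FGK002360: from=<news@example.net>, size=9000, class=0, nrcpts=400, msgid=<x@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [203.0.113.5]",
    "Jan 15 11:30:00 www sendmail[2390]: g0FGU002390: from=bob, size=1540, class=0, nrcpts=200, msgid=<200201151130.g0FGU002390@www.example.com>, relay=bob@localhost",
]
SAMPLE_NOW = datetime(2002, 1, 15, 12, 0, 0)


def parse_syslog_ts(ts, year):
    """Syslog timestamps carry no year; the caller supplies one."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def recipients_per_user(lines, now, window=WINDOW):
    """Sum nrcpts per local submitting account over the trailing window.
    Messages received over SMTP (relay=host [ip]) are not counted: they were
    not submitted by an account on this box."""
    counts = {}
    for line in lines:
        m = FROM_RE.match(line)
        if not m:
            continue
        user, _, host = m.group("relay").partition("@")
        if host != "localhost":
            continue
        when = parse_syslog_ts(m.group("ts"), now.year)
        if when > now:            # a December line read in January
            when = when.replace(year=now.year - 1)
        if now - when > window:
            continue
        counts[user] = counts.get(user, 0) + int(m.group("nrcpts"))
    return counts


def over_limit(counts, limit=DAILY_LIMIT):
    """Accounts whose trailing-window total exceeds the limit, sorted."""
    return sorted(user for user, n in counts.items() if n > limit)


def suspend(user):
    """Lock the account's password (assumption: your panel may need its own call)."""
    subprocess.run(["usermod", "-L", user], check=True)


def main(argv):
    enforce = "--suspend" in argv
    with open(MAILLOG) as fh:
        counts = recipients_per_user(fh, datetime.now())
    offenders = over_limit(counts)
    for user in offenders:
        print("%s sent to %d recipients in the last 24h (limit %d)"
              % (user, counts[user], DAILY_LIMIT))
        if enforce:
            suspend(user)
    return 1 if offenders else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from cron every 15 to 60 minutes without --suspend first and read the report for a few days before letting it lock accounts. One caveat that decides whether this works at all: a CGI or PHP script that calls sendmail runs as the web server's user unless you use suEXEC or cgiwrap, so without per-account CGI execution every customer's mail shows up under one account name and the limit becomes meaningless.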

311
01-25-2002, 09:40 AM
That would be a good idea.

Coran
01-25-2002, 10:25 PM
JeremyL,

I hear ya. It can be worse. We have one now that is spamming using one of our email addresses. Not hosted with us, not hacked into one of our boxes, just running a Perl script from some server somewhere using our email address as the From:

Nice, huh?

I know I have posted in these forums before trying to downplay the impact of spam.

I stand corrected; These spammer people Suck.

kipper3d
03-20-2002, 08:30 PM
Originally posted by priyadi


I think it is better to find out the user who uses it than just deleting it blindly. The user can always re-upload if you remove it.

Not only that, I'm sure it's simple to just change the name of the cgi file.

What I would like to know is how to monitor for spammers, the way quota works: when they go over quota I get an email.

GordonH
03-21-2002, 04:30 AM
Moving office today and just reading this board as the removal people pull the desk from under me.

Watch out for Jim Rind, aka Jim Moore.
He has valid cards in both names but signed up 2 days in a row for hosting with us.
I recognised him from a previous incident and told him to **** off yesterday but he came back with the other identity today.

I don't think we have ever had a spammer who has not run a chargeback.

We had a funny incident once though when a customer sent out loads of spam and claimed it was an opt in list, but one of the recipients was abuse@hostroute.com
I think that was the fastest spam termination ever.

It has had a really bad effect though; I know that some of our IPs are blacklisted and we are having to set up a mail server on another IP range just so we can send welcome e-mails to customers (many just don't arrive now).

This is due to people using a script that renames itself each time it runs. It can take days and days to locate them and stop them unless you catch them red-handed while they are doing it.

If you tackle them and get a response it's usually: I just don't care.
Spamming is usually connected to some level of criminality and is theft of service.

Mind you, we got an abuse report this week for sending an annual renewal reminder to a customer "because I have not specifically asked to receive these it is spam".

I don't like either side in this argument.
The anti-spam people's position can be quite ludicrous.

Gordon

ADEhost
03-21-2002, 04:42 AM
Originally posted by GordonH


Mind you, we got an abuse report this week for sending an annual renewal reminder to a customer "because I have not specifically asked to receive these it is spam".

I don't like either side in this argument.
The anti-spam people's position can be quite ludicrous.

Gordon

Gordon, I would advise the client that this information is required and inform them this is legitimate e-mail; you have a working relationship.

Mike

bert
03-21-2002, 09:39 AM
Originally posted by GordonH
It has had a really bad effect though; I know that some of our IPs are blacklisted and we are having to set up a mail server on another IP range just so we can send welcome e-mails to customers (many just don't arrive now).

I can relate to that :(

It is very frustrating that we can't do much to stop the crooks.

bitserve
03-21-2002, 04:32 PM
Gordon,
We got an order from a "Jim Moore from New Jersey". We figured that Jim Moore is probably someone whose credit card is being used without his permission, but I was unable to track him down.

The phone number and email address were provided by onebox, and the IP came from somewhere in Germany or something.

I usually just play along by getting them to change the nameservers for their domain name and wasting their time.

kipper3d
03-21-2002, 05:00 PM
Isn't there something we can do, such as an outgoing mail monitor? Surely there has got to be one, because with this problem as bad as it is, I am really surprised nobody has written anything that monitors the amount of outgoing email and sounds an alarm if outgoing mail exceeds a limit for one user.

Any ideas? It's a practical solution to monitor clients already on your server.


-John

ADEhost
03-21-2002, 05:16 PM
I read about a mail monitoring program (I think it was on the ORBS site) last year, but it was only Unix based; what it did was limit the amount of mail sent by account to a limit set by the e-mail system's operator. If I recall right it's the same system that Earthlink uses.


What I've been doing is limiting the e-mail server to 3000K (bandwidth) per month out from an account; you would be surprised that only 7 accounts have surpassed this and only by a small amount; in a normal day they only send out about 5 e-mails. I myself send out about 25 per day and I've only gotten to about 1000K.

If you have my platform you can monitor it much better. Just do an e-mail usage run every day and you will see who's using what.

Mike from adehost

TimPD
03-21-2002, 05:28 PM
We actually had a client that had a friend or hosted someone who was a spammer as well as having porn on the machine. He sent out emails to everyone including the link to the porn URL he had put up, and we removed it right away and stopped his spamming. Bert, I hate spammers just as much. If you spam on our machines you're not going to stay for long.

bert
03-21-2002, 05:36 PM
Originally posted by TimPD
Bert, I hate spammers just as much. If you spam on our machines you're not going to stay for long.

If "I" spam?? :confused:

WebSnail.net
03-21-2002, 06:38 PM
Not sure if this is something you can or can't do, but for ages I've been wondering if there would be any way to rename "SENDMAIL" or place a semi-transparent layer between ANY script and sendmail that checks to see how many people a script is attempting to send to, tracks the number of forks, etc. being set up, and simply places all the calls beyond a certain point into a holding file until such time as someone can manually verify it's not a spammer.

Then if it's not a spammer, it all continues on fine, but if it is, then the file gets deleted and so does the spammer.

Of course there's a potential ethics issue but let's be honest, who gives a **** when the spammers certainly don't. On top of that the delay may affect "legit" opt-in lists, etc... but I'm pretty sure that even those customers would understand and even welcome the approach if it means their server isn't being blocked and ultimately if it puts a dent in their own spam intake.

You could even consider a "trusted" list where long-standing account holders can automatically bypass the system somehow...

Just a thought but I don't see why it's not possible...
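
The interposing layer described in this post can be built without touching sendmail itself: move the real binary aside and install a wrapper at its path. The Python sketch below is an added example for this page, not WebSnail's or any vendor's deployed code. It counts the recipients of each submission (positional arguments, or the To/Cc/Bcc headers when -t is given, as sendmail itself does), keeps a per-account tally for the trailing hour, applies the "trusted" bypass list, and diverts anything over the limit into a holding directory while returning success to the caller, so a bulk mailer keeps believing it is sending. The paths, the hourly limit, the trusted accounts and the simplified option parsing are assumptions.

```python
import email
import email.utils
import json
import os
import pwd
import subprocess
import sys
import syslog
import time

REAL_SENDMAIL = "/usr/sbin/sendmail.real"   # assumption: where the real binary was moved
STATE_DIR = "/var/spool/mailwrap"            # assumption: per-account tallies live here
HOLD_DIR = "/var/spool/mailwrap/hold"        # assumption: diverted messages for review
HOURLY_LIMIT = 250                           # assumption: recipients per account per hour
TRUSTED = frozenset({"root", "daemon"})      # assumption: accounts that bypass the check
WINDOW = 3600

# sendmail options that consume the following argv element when given detached
# (simplified: attached forms such as -fuser and -oi are treated as plain flags).
OPTS_WITH_VALUE = {"-f", "-F", "-r", "-B", "-C", "-N", "-R", "-V", "-X"}


def extract_recipients(args, message_text):
    """Recipients the real sendmail would deliver to: positional arguments,
    plus To/Cc/Bcc header addresses when -t is present."""
    rcpts, use_headers, i = [], False, 0
    while i < len(args):
        a = args[i]
        if a == "--":
            rcpts.extend(args[i + 1:])
            break
        if a == "-t":
            use_headers = True
        elif a in OPTS_WITH_VALUE:
            i += 1                        # skip the detached value
        elif not a.startswith("-"):
            rcpts.append(a)
        i += 1
    if use_headers:
        msg = email.message_from_string(message_text)
        hdrs = msg.get_all("to", []) + msg.get_all("cc", []) + msg.get_all("bcc", [])
        rcpts.extend(addr for _, addr in email.utils.getaddresses(hdrs) if addr)
    return rcpts


def decide(user, n_new, recent, now, limit=HOURLY_LIMIT, trusted=TRUSTED):
    """Pure policy. `recent` is a list of (epoch, nrcpts) the account already
    submitted. Returns ("pass" | "hold", recipients counted in the window)."""
    if user in trusted:
        return "pass", 0
    in_window = sum(n for t, n in recent if t >= now - WINDOW)
    if in_window + n_new > limit:
        return "hold", in_window
    return "pass", in_window + n_new


def load_state(user):
    try:
        with open(os.path.join(STATE_DIR, user)) as fh:
            return [tuple(x) for x in json.load(fh)]
    except (OSError, ValueError):
        return []


def save_state(user, recent, now):
    keep = [x for x in recent if x[0] >= now - WINDOW]      # prune old entries
    with open(os.path.join(STATE_DIR, user), "w") as fh:
        json.dump(keep, fh)


def hold(user, args, message_text):
    """Park the submission for manual review; returns the file written."""
    path = os.path.join(HOLD_DIR, "%s.%d.%d" % (user, int(time.time()), os.getpid()))
    with open(path, "w") as fh:
        fh.write("# argv: %s\n" % json.dumps(args))
        fh.write(message_text)
    return path


def main(argv):
    args = argv[1:]
    message_text = sys.stdin.read()
    user = pwd.getpwuid(os.getuid()).pw_name
    rcpts = extract_recipients(args, message_text)
    now = time.time()
    recent = load_state(user)
    verdict, count = decide(user, len(rcpts), recent, now)
    if verdict == "hold":
        path = hold(user, args, message_text)
        syslog.syslog(syslog.LOG_WARNING, "mailwrap: held %d rcpts from %s (%d in last hour) -> %s"
                      % (len(rcpts), user, count, path))
        return 0  # the caller sees success and keeps feeding the hold queue
    recent.append((now, len(rcpts)))
    save_state(user, recent, now)
    # Re-feed the message we consumed and pass the arguments through unchanged.
    return subprocess.run([REAL_SENDMAIL] + args, input=message_text.encode()).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two points a practitioner should settle before deploying anything like this. The wrapper runs as the submitting account, so that account can rewrite its own tally file; a real deployment makes the wrapper setgid to a group that alone can write STATE_DIR, or keeps the tally behind a root-owned daemon. And a held message is never delivered on its own: someone has to read the hold directory, then either re-submit the file to the real sendmail with the saved arguments or delete it together with the account.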