Web Hosting Talk







View Full Version : Rash of spammers signing up...


bteeter
01-17-2002, 12:33 AM
I don't know what the deal is but 4 of the last 8 accounts we have sold were all spammers. Within days of the accounts being opened, the account owners spammed and we had to cancel their accounts.

I'm wondering if it is the same person over and over again, but even so, why? We've never had to cancel anyone for spamming before this, and now 4 in a row. This is crazy!

The reason I think it is the same person is that they all used this script called lstmrge.cgi. I've tried to find information about it, but was unsuccessful. It looks like I'll have to write a cron which checks for and deletes this script.

Am I the only one having this problem??

Take care,

Brian

Haze
01-17-2002, 12:40 AM
The script is sold compliments of the F**K heads over at (edit: I decided I would rather not make it obvious where others may grab this script.) and is called "Power CGI Bulk System". All I have to say is that I hope the makers rot in hell for all the time and money ( and the general pain in the ass ) this script has cost us and other web hosts.

bteeter
01-17-2002, 01:10 AM
Wonderful.

Well, I'm looking into ways to delete the script file on an automated basis. Even better would be a way to throttle email sending from a particular account.

If anyone has any better ideas, I'd love to hear them...

Thanks - Brian

Synergy
01-17-2002, 01:16 AM
I have gotten spammers too.... In fact they don't even care if you cancel their account.... They paid $10 and I cancelled them on the 2nd day after I saw some weird load. With all those emails sent they think they got their money's worth and continue to look for other hosting companies.

-

Cyberwings
01-17-2002, 01:29 AM
We just cancelled one too who was using this same script, lstmrge.cgi..... maybe they're going from host to host... sounds like it.

bteeter
01-17-2002, 01:39 AM
Originally posted by Cyberwings
We just cancelled one too who was using this same script, lstmrge.cgi..... maybe they're going from host to host... sounds like it.

Probably. Reading from the site of the company that sells this script, they provide a list of "cheap, yet full featured hosts" to their customers.

I must be lucky enough to be on the top of that list. Or at least on that list. That is the only way I can see how I could have gotten 4 different people to sign up all using the same script.

If I get something put together to stop this nonsense before it starts, I will share it with everyone.

Take care,

Brian

OverSkilled
01-17-2002, 02:11 AM
Is it legal to post the spammers' domains on the forum? We can make a giant list of spammer domains, because I've had about 6 people sign up for mine and I found the same script with about 1000 email addresses.

astanley
01-17-2002, 02:12 AM
Just a thought, but perhaps you could write a simple bash or perl script to tail the FTP log, and look for the script when it first gets uploaded? Obviously there are plenty of ways for a dedicated spammer to circumvent this, but it might head off some of them. Coupled with a script that scanned the user directories each night, or hour - I think this would be a decently effective solution, at least until you can figure something out that works a bit better. The majority of the spammers probably wouldn't even realize what was happening. Unless of course they read this post =X.

-Adam
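An added example, not part of the original post, of the FTP-log check and the nightly directory sweep suggested above. It assumes the FTP daemon writes the wu-ftpd style xferlog format; the sample log lines, hosts and user names are constructed.

```python
import os
from typing import Iterable, List, NamedTuple, Optional

# File names to watch for. lstmrge.cgi is the script named in this thread;
# add others you have seen abused. Matching is case-insensitive.
WATCHED_NAMES = {"lstmrge.cgi"}


class Upload(NamedTuple):
    user: str
    remote_host: str
    path: str
    size: int


def parse_upload(line: str) -> Optional[Upload]:
    """Return an Upload for a completed incoming transfer, else None.

    Assumes the xferlog layout: five date tokens, transfer time, remote
    host, size, file name, then nine fixed fields ending in the
    completion status.
    """
    parts = line.split()
    if len(parts) < 18:
        return None  # truncated or foreign line
    # Index the fixed fields from the right so an odd file name cannot
    # shift them.
    direction, user, status = parts[-7], parts[-5], parts[-1]
    if direction != "i" or status != "c":
        return None  # not an upload, or the transfer did not complete
    try:
        size = int(parts[7])
    except ValueError:
        return None
    return Upload(user, parts[6], " ".join(parts[8:-9]), size)


def flag_uploads(lines: Iterable[str]) -> List[Upload]:
    """Completed uploads whose base name is on the watch list."""
    hits = []
    for line in lines:
        upload = parse_upload(line)
        if upload and os.path.basename(upload.path).lower() in WATCHED_NAMES:
            hits.append(upload)
    return hits


def scan_tree(root: str) -> List[str]:
    """The nightly sweep: every watched file name found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files
                    if f.lower() in WATCHED_NAMES)
    return sorted(hits)


# Constructed sample log lines (hosts and users are made up).
SAMPLE_XFERLOG = [
    "Thu Jan 17 00:12:03 2002 1 host1.example.net 48211 "
    "/home/user1/public_html/cgi-bin/lstmrge.cgi a _ i r user1 ftp 0 * c",
    "Thu Jan 17 00:14:40 2002 2 host2.example.net 1024 "
    "/home/user2/public_html/index.html a _ i r user2 ftp 0 * c",
    "Thu Jan 17 00:15:10 2002 1 host1.example.net 48211 "
    "/home/user1/public_html/cgi-bin/lstmrge.cgi a _ o r user1 ftp 0 * c",
    "Thu Jan 17 00:16:02 2002 1 host3.example.net 48211 "
    "/home/user3/public_html/cgi-bin/LSTMRGE.CGI b _ i r user3 ftp 0 * c",
]

if __name__ == "__main__":
    for hit in flag_uploads(SAMPLE_XFERLOG):
        print(f"{hit.user} uploaded {hit.path} from {hit.remote_host}")
```

As the post says, a renamed script slips past a name match, so this is a first filter rather than a complete control.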

HRBrendan
01-17-2002, 03:18 AM
How about a script that consistently monitors the mail queue for mass amounts of files with the same file size, and deletes them before they ever get off the box? This seems like it would be easy to do.

-Brendan
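An added example, not part of the original post, of the queue check described above: it groups queued message bodies by size and reports any size shared by an unusually large number of files. The `df` prefix (sendmail's queue data files), the threshold of 200 and the optional size bucket for near-identical messages are assumptions; the block only reports, and acting on the hits is left to the operator.

```python
import os
import sys
from collections import defaultdict
from typing import Dict, List


def group_by_size(queue_dir: str, prefix: str = "df",
                  bucket: int = 1) -> Dict[int, List[str]]:
    """Map size (rounded down to a multiple of bucket) to queue file names."""
    groups: Dict[int, List[str]] = defaultdict(list)
    with os.scandir(queue_dir) as entries:
        for entry in entries:
            if not entry.name.startswith(prefix):
                continue  # skip control files and anything else
            try:
                if not entry.is_file(follow_symlinks=False):
                    continue
                size = entry.stat(follow_symlinks=False).st_size
            except OSError:
                continue  # message left the queue while we were scanning
            groups[size // bucket * bucket].append(entry.name)
    return groups


def suspicious_groups(queue_dir: str, threshold: int = 200,
                      prefix: str = "df",
                      bucket: int = 1) -> Dict[int, List[str]]:
    """Sizes shared by at least `threshold` queued messages."""
    groups = group_by_size(queue_dir, prefix, bucket)
    return {size: sorted(names) for size, names in sorted(groups.items())
            if len(names) >= threshold}


def report(queue_dir: str, **options) -> List[str]:
    """One human-readable line per suspicious group, for a cron mail."""
    return [f"{len(names)} queued messages of about {size} bytes, "
            f"first is {names[0]}"
            for size, names in suspicious_groups(queue_dir, **options).items()]


if __name__ == "__main__":
    # Usage: python queuecheck.py /path/to/queue
    for line in report(sys.argv[1]):
        print(line)
```

A mailer that merges a name into each message produces sizes that differ by a few bytes, which is what the `bucket` parameter is for.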

OkGoNow
01-17-2002, 03:36 AM
I found this on their website:

"Three reasons why you should choose Power CGI Bulk System:

1 -You'll never have to be worried about losing your ISP account again, instead, concentrate on your web hosting account which can be VERY CHEAP! A full featured web host costs as little as $5 a month! If your site is shut down, simply find another host! There are thousands out there! Nothing to do with your ISP!

2 -Fast, ultra fast! Yet CGI based mailer is the fastest bulk mailing method because you're using your web host's HUGE bandwidth! A single T3 connection offers 45MPS bandwidth and most web hosts today offer at least multiple T3s and OC3(155MPS!) No bulk email software (no matter how fast they claim to be) can even rival!

3 -Reliable, super reliable! Using the UNIX system's sendmail your emails are virtually guaranteed to be delivered as long as the addresses are valid. A lot of those bulk email softwares will make it look like all the emails were delivered when actually they were NOT! Our system will guarantee the delivery. No filters can stop it! "

I think it would be a good idea to post the url, so ISPs, or web hosting companies can get informed about the process directly from the f$%*ers.

Anyway, thought the info above might help.

OkGoNow

MarcD
01-17-2002, 03:42 AM
How about putting a clause in the tos, if you are found to be running illegal bulk mailing scripts you will be billed 1. $75.00 violation fee and billed $69.00 per hour of server work/investigation associated with your account. yadadada

MSW
01-17-2002, 03:50 AM
Originally posted by MarcD
How about putting a clause in the tos, if you are found to be running illegal bulk mailing scripts you will be billed 1. $75.00 violation fee and billed $69.00 per hour of server work/investigation associated with your account. yadadada

And how do you expect to collect? Most use illegal credit cards to set up their accounts.

Annette
01-17-2002, 07:56 AM
It isn't really that big a secret where this particular bulk emailer software is available. You can find it quite simply by using the appropriate search string at your favorite search engine.

Recommendations to combat spambags from appearing on your servers:

1. Familiarize yourself with known spamhausen. It doesn't make any difference which of the available resources you use, but you should use more than one in the event one of them overlooks a spammer that another finds. We maintain our own internal blacklist of known spammers and provide that list to our resellers as well. This way, they know the domains for which we are watching and it won't come as too much of a shock when we terminate an account they've set up as soon as we see it. I also maintain the same list at hostcoalition.org for the benefit of anyone who visits there, and incorporate domains that are not listed at the major anti-spam sites.
2. Scan your system(s) for known spamming scripts. If you don't write your own logger as we did, grab the filemonitor script from http://shaun.ethernetnetworks.com and use that. Don't set something in place, use it a lot at first, and then let it slide like people do with their new year's gym memberships. Set it in a cron and run at least once a day. Alternately, do a manual scan at least once a day.
3. Do something about formmail.pl and formmail.cgi. This falls out of the direct script category (like lstmrge) but can save you headaches in the long run. Make people rename their form to mail scripts if they're using formmail.*. Spammers scan sites looking for commonly-named scripts and it's a simple issue to send out batches of junk mail through some unsuspecting user's form. When that happens, not only do you get the complaints as a result of that junk mail, but you also get the tedium of seeking out the domain that has the bad script.
4. Ensure that you aren't running an open relay. If you are, you're leaving yourself open to abuse of your system(s) by nonclients and you'll find yourself in hot water - possibly to the point of getting yourself into the MAPS RBL or SPEWS.
5. Ensure that complaints can reach you in the event someone does decide to spam from your system(s). Do you have an abuse@ address available for complaints? Does it have an autoresponder so that people at least get an acknowledgement of their complaint? Go to http://www.abuse.net/addnew.html and take a look around. Submit your information to abuse.net so that when people lookup yourdomain@abuse.net it returns valid contact information for abuse complaints. Go to http://www.rfc-ignorant.org and look up any domains for which you have nameservers to make sure that if complaints do appear in the anti-spam newsgroups that you aren't derided for having invalid contact information in your WHOIS records.
6. Above all else, don't quibble when it comes to spammers. Don't give them second chances, don't tell complainers that you will "discuss" it with the account holder, and don't hesitate to term someone before you even notify them that you're doing so. The sooner you get a reputation for being extremely unfriendly toward spammers, the better.

311
01-17-2002, 08:50 AM
Originally posted by OkGoNow
I found this on their website:

"Three reasons why you should choose Power CGI Bulk System:

1 -You'll never have to be worried about losing your ISP account again, instead, concentrate on your web hosting account which can be VERY CHEAP! A full featured web host costs as little as $5 a month! If your site is shut down, simply find another host! There are thousands out there! Nothing to do with your ISP!


Now that part just pisses me off!!!:angry: :angry: :angry:

bteeter
01-17-2002, 09:57 AM
Originally posted by MarcD
How about putting a clause in the tos, if you are found to be running illegal bulk mailing scripts you will be billed 1. $75.00 violation fee and billed $69.00 per hour of server work/investigation associated with your account. yadadada

We already did that, $100 per spam complaint received:

http://www.assortedinternet.com/hosting/faq/faq-usage.jsp

the problem is getting them to pay for it. If we had our own merchant account we would just charge their card, but we don't. We rely on 3rd party processors, so getting that fee is damn near impossible without legal action.

Take care,

Brian

SimonMc
01-17-2002, 10:56 AM
Somebody posted the yesterday.

http://www.webhostingtalk.com/showthread.php?s=&threadid=32084&highlight=lstmrge.cgi

it has a command listed that you can run as a cron job to clear this out.


Simon

aleavens
01-17-2002, 11:54 AM
In your TOS set the penalty high enough. Send a PAPER invoice, registered mail, give 30 days to pay then turn over to your collection agency. You may not get the money but it messes up their credit rating. Every little bit helps.

porcupine
01-17-2002, 12:15 PM
The other thing you can do, which is common in shellhosting, is voice verify any accounts you feel may be high risk. This means that at least if they use a "carded" credit card, at least you have their real phone number, and you can actually call 522-tips or anything along those lines (possibly even visa?) and notify them you have someone using a stolen credit card at XXX phone number.

Don't know if this helps, but I do know most carding kiddies are a little smarter to sign up for anything that's gotta be voice verified.

Oh yeh, and you could always use something other than sendmail, I know a lot of webhosting providers use WUFTP (instant remote root in almost every version), and sendmail, but there are many supported alternatives which are actually much better, such as qmail, and vpopmail.

(oh yeh, and the latest version of formmail I picked up had new countermeasures to prevent people from using your formmail as a spamgate, just so ya know ^_^).

crystal
01-17-2002, 12:16 PM
does anyone know of any programs that will do the opposite of spam - in other words sending 500,000 emails to just one email address? I would love to send "bulk emails" back to the monkeys who created this so-called "power cgi-bulk system" spam program. Would they complain or keep their mouths shut? Hmm... this would be an experiment I'm willing to try.

What do you all think? Any better "revenge" ideas?

bteeter
01-17-2002, 12:29 PM
Originally posted by SimonMc
Somebody posted the yesterday.

http://www.webhostingtalk.com/showthread.php?s=&threadid=32084&highlight=lstmrge.cgi

it has a command listed that you can run as a cron job to clear this out.


Simon

Excellent. Thanks for pointing that out.

But, there is a loophole. If they've already run the script before you delete it, the script will just run to completion. We also need a cron to kill any running lstmrge.cgi processes. When I get some time, I'm going to put one together and post it here.

Thanks - Brian

BrianF
01-17-2002, 01:14 PM
Crystal,
Use the PHP mail function and put it in a loop. I know people that have done it with several hundred mails and it didn't bog down the server at all.

Brian

michaeln
01-17-2002, 02:11 PM
I just found this on the site of the company that makes and sells that spamming script...


We'll set up everything for you! Plus we'll offer UNLIMITED maintenance! That means if your web host shuts you down we'll simply set you up on another host! We'll tell you where and how to find the cheapest host!


These people should be taken to the closest bridge and thrown off....

Michael

EyeSee
01-17-2002, 03:04 PM
Just adding that i had to cancel two accounts over the new year period for using this script. Maybe they're scanning these forums for hosts! :mad:

priyadi
01-17-2002, 05:23 PM
Originally posted by crystal
does anyone know of any programs that will do the opposite of spam - in other words sending 500,000 emails to just one email address? I would love to send "bulk emails" back to the monkeys who created this so-called "power cgi-bulk system" spam program. Would they complain or keep their mouths shut? Hmm... this would be an experiment I'm willing to try.

What do you all think? Any better "revenge" ideas?

Bad idea, probably the spammer's ISP admin will get pissed at you, and might treat you as a spammer. And the spammer himself will simply sign up with another ISP.

porcupine
01-17-2002, 05:38 PM
you could always try to milk $$$ out of the ppl who are making the spam program for "damages" etc. You would not likely get a cent, but maybe if enough people did it, there would be an impact. Apart from that, only way to get em is to drop to their level.

priyadi
01-17-2002, 05:48 PM
We need to come up with a better technical solution to fight this. What about this idea...

1. Block outgoing connections to port 25 for regular users, i.e. block all outgoing connections to port 25 unless they are made by user root (or qmailr with qmail). This will prevent a spammer from sending mail directly, bypassing your MTA. Linux 2.4 already has this capability.

2. Add a UNIX group named mailuser. If a user is a member of this group, he will be able to send emails from the server.

3. Restrict access to your MTA by setting permissions. On sendmail, this will be chmod o-rwx /usr/sbin/sendmail, chgrp mailuser /usr/sbin/sendmail. On qmail, chmod o-rwx /var/qmail/bin/qmail-queue, chgrp mailuser /var/qmail/bin/qmail-queue

4. Now if a user is not a member of group mailuser, he will not be able to send email.

5. When a user signs up for the first time, you don't add him to group mailuser immediately. You add him when he complains that he cannot send emails. A spammer usually sends his bulk emails immediately when he gets his account; this will prevent just that.

This, however, has a weakness: if this method gets popular, spammers will be able to trick us into allowing them to send emails. A better solution would be creating a wrapper program around sendmail (or qmail-queue in qmail): when mail sending activity for a particular user reaches a certain threshold, the wrapper shuts down his email access and notifies the admin. The admin then takes action against that spammer if he is really a spammer, or simply raises the user's limit if he is using it legitimately.
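An added example, not part of the original post, of the accounting behind the sendmail wrapper proposed above: each invocation is counted against the calling user, and once the user crosses the threshold the wrapper refuses further mail until an admin clears the block. The limit, window, state path and the renamed real binary are hypothetical values.

```python
import fcntl
import json
import os
import sys
import syslog
import time
from typing import Optional, Tuple

# Assumed values, not from the thread: tune the threshold to your customers.
LIMIT = 100                                   # messages per user per WINDOW
WINDOW = 3600                                 # seconds
STATE_PATH = "/var/lib/mailgate/state.json"   # hypothetical path
REAL_SENDMAIL = "/usr/sbin/sendmail.real"     # hypothetical renamed binary
# Assumption: the wrapper runs with enough privilege that customers cannot
# edit STATE_PATH or call REAL_SENDMAIL directly.


def decide(state: dict, uid: int, now: float,
           limit: int = LIMIT, window: int = WINDOW) -> Tuple[bool, bool]:
    """Update state in place and return (allowed, newly_blocked)."""
    rec = state.setdefault(str(uid), {"sent": [], "blocked": False})
    if rec["blocked"]:
        return False, False           # stays blocked until an admin unblocks
    rec["sent"] = [t for t in rec["sent"] if now - t < window]
    if len(rec["sent"]) >= limit:
        rec["blocked"] = True         # threshold reached: shut access down
        return False, True
    rec["sent"].append(now)
    return True, False


def unblock(state: dict, uid: int) -> None:
    """Admin action for a legitimate user: clear the block and history."""
    state[str(uid)] = {"sent": [], "blocked": False}


def gate(state_path: str, uid: int, now: Optional[float] = None,
         limit: int = LIMIT, window: int = WINDOW) -> Tuple[bool, bool]:
    """decide() against a state file, locked against concurrent senders."""
    now = time.time() if now is None else now
    fd = os.open(state_path, os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)    # released when the file closes
        raw = fh.read()
        state = json.loads(raw) if raw else {}
        result = decide(state, uid, now, limit, window)
        fh.seek(0)
        fh.truncate()
        json.dump(state, fh)
    return result


def main(argv):
    uid = os.getuid()
    allowed, newly_blocked = gate(STATE_PATH, uid)
    if newly_blocked:                 # notify the admin once, via syslog
        syslog.syslog(syslog.LOG_WARNING,
                      f"mailgate: uid {uid} hit {LIMIT} messages, blocked")
    if not allowed:
        return os.EX_TEMPFAIL
    os.execv(REAL_SENDMAIL, [REAL_SENDMAIL] + argv[1:])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The count is per invocation of the wrapper, so a message handed over with many recipients in one call counts once.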

porcupine
01-17-2002, 05:54 PM
if you have a mail group and qmail, and root, etc. are all in that group, the user should *never* bitch that they can't send email. The other thing is voice verify everyone that gets into that group, or.... do what a few of the "big boys" do and don't have a smtp, force the users to use their isp ones.

priyadi
01-17-2002, 06:03 PM
Originally posted by porcupine
do what a few of the "big boys" do and don't have a smtp, force the users to use their isp ones.

I was referring to legitimate use of sending email from the server, i.e. web mail, form mail, mailing list, etc. If I disallow outgoing email entirely, surely my users will get mad at me.

porcupine
01-17-2002, 06:04 PM
priyadi: perhaps, but a lot of larger companies provide pop3 accounts, but not smtp accounts, it's a common practise for a good chunk of the industry.

priyadi
01-17-2002, 06:25 PM
Originally posted by porcupine
priyadi: perhaps, but a lot of larger companies provide pop3 accounts, but not smtp accounts, it's a common practise for a good chunk of the industry.

Yes, you are right, but spammers won't send their bulk emails thru your SMTP server. It is not the most efficient method for them. However, if we can stop spammers from operating inside our servers, SMTP is still the second best method for them. But the solution already exists: tar-pitting & limiting the number of recipients in a single SMTP session.

porcupine
01-17-2002, 06:27 PM
maybe webhostingtalk.com needs a file archive of some sort, certified scripts per se. (I don't know about you, but I won't run any script/program that's not come from a reliable source). Something to limit the amount of smtp activity within a certain amount of time.. just as you said.

tazd9t9
01-17-2002, 06:39 PM
Hi. I am new to the hosting Biz, I have an anti spam policy where obviously I close accounts which are spamming, has anyone got any advice on the best ways to check up on customers and see if they are spamming etc.

Pilgrim
01-17-2002, 09:04 PM
Why don't we all become members of "The hosters association"?

The association can contract a law firm that can assist its members with actively pursuing spammers. Paid with the monthly donations of the companies that are members.

Every member could have a graphic on their site showing their membership of the hosting association and spammers would avoid those hosts because they know they will get prosecuted.

I know, I know:) But hey, it is a good idea. Just not very realistic :D

crystal
01-20-2002, 01:32 PM
Originally posted by Pilgrim
Why don't we all become members of "The hosters association"?

The association can contract a law firm that can assist its members with actively pursuing spammers. Paid with the monthly donations of the companies that are members.

Every member could have a graphic on their site showing their membership of the hosting association and spammers would avoid those hosts because they know they will get prosecuted.

I know, I know:) But hey, it is a good idea. Just not very realistic :D

hey pilgrim, i think you're on to something here. i thought about that too. anybody out there willing to take action? ;)

BrianF
01-20-2002, 01:42 PM
If only I was a lawyer.

Blue Cascade
01-21-2002, 02:33 AM
hmm... if spam email is illegal, hence isn't the website providing solutions illegal? I realise it's probably not (we'll sell you cigarettes, it's up to you to kill yourself), however it's maybe worth a try.
:) :) :)

danushman
01-21-2002, 03:23 AM
The software is not illegal. It is simply mailing list software.

The way in which it is used is wrong, though.

T_E_O
01-21-2002, 07:03 AM
Originally posted by Pilgrim
Why don't we all become members of "The hosters association"?

The association can contract a law firm that can assist its members with actively pursuing spammers. Paid with the monthly donations of the companies that are members.

Every member could have a graphic on their site showing their membership of the hosting association and spammers would avoid those hosts because they know they will get prosecuted.

I know, I know:) But hey, it is a good idea. Just not very realistic :D

Hey Pilgrim, I was wondering: how often do you experience trouble with spammers coming from The Netherlands ?
I'm not sure if you have that many Dutch clients, considering that your page is in English and all, but I'd like to know what your experiences are.

Walter
01-21-2002, 07:21 AM
Originally posted by T_E_O
I'm not sure if you have that many Dutch clients, considering that your page is in English

I assume that most Netherlands know English. :)

T_E_O
01-21-2002, 07:42 AM
Originally posted by Walter


I assume that most Netherlands know English. :)

Hehe, that's certainly true. But with an English page, he probably doesn't have a greater percentage of Dutch customers than any other host on the forum, except if he's getting many customers from word of mouth... :)

Pilgrim
01-21-2002, 10:20 PM
Hey Pilgrim, I was wondering: how often do you experience trouble with spammers coming from The Netherlands ?
I'm not sure if you have that many Dutch clients, considering that your page is in English and all, but I'd like to know what your experiences are.

Until now I have been really lucky I guess. I haven't had a "real" spammer yet. Only the occasional client who sends out a couple of hundred spam emails to attract more visitors to his/her site.

The number of Dutch clients that I have are ...uhm 3 (three).
Two of which are my colleagues ;)

Hehe, that's certainly true. But with an English page, he probably doesn't have a greater percentage of Dutch customers than any other host on the forum

Well, that's definitely correct. 95% is from the USA and the other 5% are from all over the world. Just as long as they speak English (or think they do). I also communicate in English with the Dutch customers.

I don't think the Dutch market is worth targeting at the moment. Websites? Some. Own domain names? Very few. No thank you. You can have that market ;)

vito
01-21-2002, 11:10 PM
Geesh, as a newcomer on the reseller game, this spam issue seems like a major problem.

Can someone not make some kind of business out of eg. blacklist.com or something like that where web hosts could collectively submit "bad apples" to this site that maintains a database of domain names that exploit the hosting industry?

Even if the web hosts had to pay a nominal annual fee to have access to the list, it'd be worth it, wouldn't it?

porcupine
01-21-2002, 11:13 PM
The question you gotta ask yourself, is would everyone be able to submit, or only people who paid for the list. Problem with that idea is if everyone can't submit, you're not gonna have a good list, if everyone can, you'll get abuse, someone will make an enemy and get added. Other problem is, how do you identify a spammer? ip address? what about dynamic ranges? names? most are fly by night. Address, same as above. Credit card numbers they use? you can't report that, totally illegal. There's no efficient way to track them on the internet when you think about it, otherwise someone prolly woulda by now.

vito
01-21-2002, 11:16 PM
I didn't say it would be easy...

porcupine
01-21-2002, 11:19 PM
... What I'm saying is with the design of the internet and how they operate, it's virtually impossible. The real way to deal with this crap is to have the whole net as static ip's, and have somewhere to report abuse based on ip's, open proxies and gates would get shutdown real fast. Let's face it though, that's not gonna happen anytime soon, so the best you can do is protect yourself against the commonly used spam scripts by good monitoring etc. and learn from experience.

vito
01-21-2002, 11:31 PM
When radar came out to catch speeders on the road, someone came out with a radar detector. Then the cops came out with a "radar detector detector". Then someone came up with a "radar detector detector detector". And on and on.

The day someone comes up with a way to automatically detect and restrict spam in a host account is the day I want to sell all my stock market mutual funds and invest in their company...

XDude
01-22-2002, 02:28 AM
I think this can all be solved by parents monitoring their 8 year olds' actions on the internet.

T_E_O
01-22-2002, 04:59 AM
Originally posted by porcupine
...
The real way to deal with this crap is to have the whole net as static ip's, and have somewhere to report abuse based on ip's, open proxies and gates would get shutdown real fast. Let's face it though, that's not gonna happen anytime soon, so the best you can do is protect yourself against the commonly used spam scripts by good monitoring etc. and learn from experience.

One word: IPv6 :D

Skeptical
01-22-2002, 06:32 AM
A good way is for Web Hosts who trust each other and have enough new clients to privately share and input to this list.