Web Hosting Talk







View Full Version : Somebody spamming at your name?


Jedito
05-06-2002, 11:08 AM
Today I got the weirdest email of my life :P
Somebody was spamming in my name.
Here is a copy of the message:


Hi, my name is Jorge Catena and I'm from DowntownHosting.

We are specialists in quality Web Hosting solutions at affordable prices,
along with the best technical support and customer service in the industry.
Whether you need a reliable host for your web site, we have the right
solution for you!

With the Control Panel and Web Host Manager, our servers are perfect for
Webmasters and Resellers.

Virtual Hosting

We offer 8 packages to meet your needs. All plans come with Cpanel3 This
tool is a point and click interface that lets you manage all aspects of your
website, Microsoft® FrontPage® 2000 server extensions, your own SMTP and POP
server, Nightly Backups, Cgi recognized from any folder, PHP4 with Zend
Optimizer, SSH 24x7access, Site works with or w/o www and more... Sign up
for one year and get 2 months FREE!

Reseller program

We offer one of the more lucrative Reseller plans around. All resellers
receive 35% off all resold packages, this allows you to set your prices as
you see fit.


It seems the idiot copied our front page text, but he forgot that our name is downtownhost.com, not downtownhosting.com.

I noticed it because some people started to complain about this annoying email. I just asked those people for the email header to track the spammer.

What else can I do?

Mxhub
05-06-2002, 11:11 AM
The email header is the only source to trace. Nothing else I can think of to mark down those spammers.

Jedito
05-06-2002, 11:27 AM
I just got the header

Return-Path: <anonymous@plesk.rackshack.net>
Received: from rly-xe01.mx.aol.com (rly-xe01.mail.aol.com [172.20.105.193]) by air-xe04.mail.aol.com (v84.16) with ESMTP id MAILINXE42-0506105416; Mon, 06 May 2002 10:54:16 -0400
Received: from plesk.rackshack.net ([216.40.246.32]) by rly-xe01.mx.aol.com (v84.10) with ESMTP id MAILRELAYINXE17-0506105357; Mon, 06 May 2002 10:53:57 -0400
Received: (qmail 12950 invoked by uid 10002); 6 May 2002 13:48:26 -0000
Message-ID: <20020506134826.12949.qmail@plesk.rackshack.net>


I'm reporting this to rackshack.

UmBillyCord
05-06-2002, 11:55 AM
Originally posted by Jedito
I just got the header

Return-Path: <anonymous@plesk.rackshack.net>
Received: from rly-xe01.mx.aol.com (rly-xe01.mail.aol.com [172.20.105.193]) by air-xe04.mail.aol.com (v84.16) with ESMTP id MAILINXE42-0506105416; Mon, 06 May 2002 10:54:16 -0400
Received: from plesk.rackshack.net ([216.40.246.32]) by rly-xe01.mx.aol.com (v84.10) with ESMTP id MAILRELAYINXE17-0506105357; Mon, 06 May 2002 10:53:57 -0400
Received: (qmail 12950 invoked by uid 10002); 6 May 2002 13:48:26 -0000
Message-ID: <20020506134826.12949.qmail@plesk.rackshack.net>


I'm reporting this to rackshack.

Looks more like that is your server at RS which received the mail? This mail came from an AOL account.

Jedito
05-06-2002, 12:06 PM
No, the spam was received at an AOL email address and was sent through an RS server.

UmBillyCord
05-06-2002, 12:21 PM
Received: from plesk.rackshack.net ([216.40.246.32]) by rly-xe01.mx.aol.com (v84.10) with ESMTP id MAILRELAYINXE17-0506105357; Mon, 06 May 2002 10:53:57

Yeah.

Just out of curiosity, what does the "From" field have?

Jedito
05-06-2002, 12:44 PM
Was sent through a formmail or a mailing list script, because the seems that was anonymous@plesk.rackshack.net.
But spoofed to make it look like it was sent from jorgec@downtownhost.com

Jedito
05-06-2002, 04:06 PM
Anybody know if I can start legal action against the host who did this?

I identified the host that did it; curiously, it's a host that writes in WHT.

UmBillyCord
05-06-2002, 04:10 PM
Originally posted by Jedito
Anybody know if I can start legal action against the host who did this?

I identified the host that did it; curiously, it's a host that writes in WHT.

Of course you can. This is one of the reasons I asked what the "From" field had. I am not a lawyer so I will never state recommendations on legal stuff, but I would definitely contact one. Especially if this person spammed 1000s of people.

Jedito
05-06-2002, 04:21 PM
Thanks :)
They deliberately tried to hurt DTH's image. I had to answer nearly 100 emails with apologies, showing that we weren't the spammers.

Webdude
05-06-2002, 05:16 PM
I am familiar with this type of header. It is sent out by FormMail.pl. Server owner needs to search for UID 10002 and shut down their FormMail.pl. This script is banned on our system due to the fact it is very insecure. There are programs available to ping domains searching for that script. Once they find one, they spam thru it... and the account owner never knows till his account is shut down.
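
Added example, not part of any poster's message: a Python sketch of the header trace discussed in the thread. It walks the Received chain to find the address the first outside relay saw, pulls the local UID from the qmail line, and checks whether the From domain matches the envelope sender. The `From:` line is constructed from Jedito's description (it was not in the pasted header), and the names `trace` and `domain` are this example's own.

```python
import re
from email import message_from_string

# Header from the thread, refolded with proper continuation lines. The From:
# line is constructed from the poster's description; it was not in the paste.
RAW = """\
Return-Path: <anonymous@plesk.rackshack.net>
Received: from rly-xe01.mx.aol.com (rly-xe01.mail.aol.com [172.20.105.193])
 by air-xe04.mail.aol.com (v84.16) with ESMTP id MAILINXE42-0506105416;
 Mon, 06 May 2002 10:54:16 -0400
Received: from plesk.rackshack.net ([216.40.246.32])
 by rly-xe01.mx.aol.com (v84.10) with ESMTP id MAILRELAYINXE17-0506105357;
 Mon, 06 May 2002 10:53:57 -0400
Received: (qmail 12950 invoked by uid 10002); 6 May 2002 13:48:26 -0000
Message-ID: <20020506134826.12949.qmail@plesk.rackshack.net>
From: jorgec@downtownhost.com

"""

SMTP_HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9.]+)\]\)\s+by\s+(\S+)")
QMAIL_LOCAL = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")

def domain(addr):
    """Return the lower-cased part of an address after the last '@'."""
    return addr.strip(" <>").rpartition("@")[2].lower()

def trace(raw):
    """Summarise where a message entered the mail system."""
    msg = message_from_string(raw)
    hops, local_uid = [], None
    for value in msg.get_all("Received", []):   # newest hop first
        flat = " ".join(value.split())          # undo header folding
        local = QMAIL_LOCAL.search(flat)
        hop = SMTP_HOP.search(flat)
        if local:
            # qmail writes this form for mail injected by a local process
            local_uid = int(local.group(1))
        elif hop:
            hops.append({"helo": hop.group(1), "ip": hop.group(3), "by": hop.group(4)})
    # The oldest SMTP hop was written by the first outside server to accept
    # the message, so its bracketed IP is the address that server saw.
    origin = hops[-1] if hops else None
    env, frm = domain(msg.get("Return-Path", "")), domain(msg.get("From", ""))
    return {"hops": hops, "origin_ip": origin and origin["ip"],
            "origin_host": origin and origin["helo"], "local_uid": local_uid,
            "from_mismatch": bool(env and frm and env != frm)}

if __name__ == "__main__":
    print(trace(RAW))
```

On the thread's header this reports 216.40.246.32 as the handoff address, UID 10002 as the local account that injected the message, and a From domain that does not match the envelope sender. Lines below the first relay you trust were written by the sending host and can be forged, so the bracketed IP recorded by the receiving relay is the part to put in an abuse report.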

Jedito
05-06-2002, 06:13 PM
I think it was intentionally sent from the host it came from.

I received a complaint saying "this is the second host that spammed me today". I explained the situation to this guy and asked if he could tell me which was the other host spamming; surprisingly, the other host spamming has the IP 216.40.246.32.
Seems like he was trying to cover his tracks by spamming with our company name and with his company name.

BTW, he's still spamming. I reported it to RS, but it seems like their abuse dept. is slow.

MrLister
05-06-2002, 06:52 PM
You may want to ask which e-mail came first. The other host's or yours. Also it seems like somebody was trying to ruin your reputation. Did you have any "major" conflicts with any clients or hosts in the past?

Jedito
05-06-2002, 07:06 PM
Well... he keeps sending emails as if coming from downtownhost.

I had a small argument with this host in WHT some time ago, but if he thinks it's worth ruining his business image, he gave it more importance than I did.

WizyWyg
05-06-2002, 07:13 PM
Jedito, no it has nothing to do with your name or your domain, but it is spam

Recent spam run (http://groups.google.com/groups?as_q=downtownhosting&as_ugroup=news.admin.net-abuse.*&num=100&as_scoring=d&hl=en)

They are a rackshack spammer. just report 'em

Jedito
05-06-2002, 07:19 PM
I already did it a while ago.
But it seems that their abuse dept is taking a nap.
This bastard sent 10 rounds of email to the same addresses in 1 hour, and he keeps sending it.

MrLister
05-06-2002, 07:33 PM
Are you sure he's still sending it? Maybe he sent out a lot at once. Well I guess the next thing that I say may not make much sense but if he is still sending it you may want to go on the rackshack chat and get them to check any "major" outgoing e-mails at the moment and they could shut down the server but be careful even if it is a host because it may be one of his clients.

Jedito
05-06-2002, 07:38 PM
Yes, he's still sending, I got reports that some people got the same email 10 times in the past hour.

I tried to talk in the chat with the RS tech, but they said that they are not allowed to unplug a server; I must wait until their abuse dept takes action on this. In the meantime, I have to keep getting emails with insults and complaints.

markblair
05-06-2002, 07:52 PM
I would send out a legitimate message to all of your clients explaining what is going on, if possible. This way, they will understand that the other messages aren't coming from you. If they know you are aware of it, they may be a bit nicer when replying and simply tell you about it instead of snapping at you for it.

I'd also like to know who's really sending the messages? Just curious so I know who to avoid and watch out for.

Good luck,

MrLister
05-06-2002, 07:54 PM
Oh that's really bad. That guy must have a serious problem. In the meantime, to avoid the insults and complaints you may want to add an auto responder explaining the situation.

Jedito
05-06-2002, 07:59 PM
Originally posted by markblair
I would send out a legitimate message to all of your clients explaining what is going on, if possible. This way, they will understand that the other messages aren't coming from you. If they know you are aware of it, they may be a bit nicer when replying and simply tell you about it instead of snapping at you for it.

I'd also like to know who's really sending the messages? Just curious so I know who to avoid and watch out for.

Good luck,

I sent a personal email to everyone who was complaining and insulting me, explaining the situation to them, but it's hard to manage when you get (now more than 1000) emails saying "****-off idiot, stop spamming me" or things like that.


BTW, I prefer not to make the company name public until I contact an attorney.

MrLister
05-06-2002, 08:02 PM
That's a good plan, but once you find out more about who's doing this you may want to contact them directly because for all you know it could be a previous client of yours that still holds a grudge. Pointing a finger at a host that's innocent may have consequences.

Jedito
05-06-2002, 08:06 PM
I'm almost sure who the spammer is, but since I'm not totally sure, I won't make his name public. But it's quite surprising that the server the spam is sent from is the same host that spammed the same people today.

MrLister
05-06-2002, 08:11 PM
That's good to hear. Did you get a chance to confront them yet?

Jedito
05-06-2002, 08:14 PM
No, I don't want to deal with them. If they spammed, they are idiots; if an account on their server has been doing it for 6 hours without them knowing it, they are idiots too.

Webdude
05-06-2002, 08:16 PM
Originally posted by Jedito
Yes, he's still sending, I got reports that some people got the same email 10 times in the past hour.

I tried to talk in the chat with the RS tech, but they said that they are not allowed to unplug a server; I must wait until their abuse dept takes action on this. In the meantime, I have to keep getting emails with insults and complaints.

?? And they can't go in and shut down the script being used?? Some techs...

MrLister
05-06-2002, 08:19 PM
Originally posted by Jedito
No, I don't want to deal with them. If they spammed, they are idiots; if an account on their server has been doing it for 6 hours without them knowing it, they are idiots too.
Hopefully you don't mean that for all the hosts. We had a similar incident. Well somebody was spamming from our server but their batches were small so our resources were still at 0.00-0.05 and we didn't catch on for a bit, but with new software comes new monitoring tools :D

illogix
05-06-2002, 08:45 PM
You might want to write a note on the homepage of your website explaining the situation. Maybe this would reduce the number of complaints you receive from non-customers.

Good luck !

Tim Greer
05-06-2002, 11:38 PM
ping centihost.com -> 216.40.246.32


http://groups.google.com/groups?hl=en&threadm=98A41882-610D-11D6-97E7-003065D3FF28%40rug.ac.be&rnum=1&prev=/groups%3Fq%3D%2522216.40.246.32%2522%26hl%3Den

Note: That's not to say they weren't a victim too, or that it's not one of their clients, or that it's not some script exploit, or...

Jedito
05-07-2002, 12:28 AM
Originally posted by Tim_Greer
ping centihost.com -> 216.40.246.32


http://groups.google.com/groups?hl=en&threadm=98A41882-610D-11D6-97E7-003065D3FF28%40rug.ac.be&rnum=1&prev=/groups%3Fq%3D%2522216.40.246.32%2522%26hl%3Den

Note: That's not to say they weren't a victim too, or that it's not one of their clients, or that it's not some script exploit, or...

I don't know if he was the spammer; everything makes it look like he was. But certainly, he doesn't know how to manage a server, or at least he didn't take care of his server.

MrLister
05-07-2002, 12:57 AM
That may not be the case. I have quite a few years of linux experience and there was a guy that slipped under my nose for a few hours because he changed his script name from lstmrge.cgi to redirect.cgi . I'm sure most of the hosts came in contact with lstmrge.cgi or formail.pl at one point in their business. But in this case it does seem quite obvious he doesn't know how to manage a server and is new to this especially considering he (or his clients) sent such big batches.

Jedito
05-07-2002, 05:48 AM
Originally posted by MrLister
That may not be the case. I have quite a few years of linux experience and there was a guy that slipped under my nose for a few hours because he changed his script name from lstmrge.cgi to redirect.cgi . I'm sure most of the hosts came in contact with lstmrge.cgi or formail.pl at one point in their business. But in this case it does seem quite obvious he doesn't know how to manage a server and is new to this especially considering he (or his clients) sent such big batches.

10 hours???

MrLister
05-07-2002, 10:43 AM
Not for that long, 10 hours is too long of a time.