Thread: OverSee.net your kidding me!?!?
-
11-06-2006, 08:32 PM #1 Business Consultant Manager
- Join Date
- Feb 2004
- Location
- Fort Worth, TX
- Posts
- 2,586
OverSee.net your kidding me!?!?
It took me a little bit of effort to find out exactly who OverSee.net is. It appears that they own a datacenter (???) in the Los Angeles, California area. Looks like they own a few Ad Display Websites, which definitely catches my attention due to the problem I'll briefly mention.
----------
Starting 3 weeks ago, 2 websites that I maintain started getting hit by form spam. A single IP Address (which is 204.13.162.10) was submitting roughly 50 - 125 form completions on our website. Below is an example of the form spam:
Name: kuala lumpur stock exchange, kuala lumpur stock exchange
Address: http://kualalumpur.dynamicprospectin...-exchange.html
City: ktksdag@cpiix.com
State: Puerto Rico
Zip: ktksdag@cpiix.com
Country: errereer
Phone: (er) ht-htt
Email: ktksdag@cpiix.com
Comments: piskasosiska 618621 http://kualalumpur.dynamicprospectin...-exchange.html kuala lumpur stock exchange kuala lumpur stock exchange kuala lumpur stock exchange kualalumpur.dynamicprospecting.biz/kuala-lumpur-stock-exchange.html [link=http://kualalumpur.dynamicprospecting.biz/kuala-lumpur-stock-exchange.html]kuala lumpur stock exchange[/link] * http://kualalumpur.dynamicprospectin...-malaysia.html hotel kuala lumpur malaysia hotel kuala lumpur malaysia hotel kuala lumpur malaysia kualalumpur.dynamicprospecting.biz/hotel-kuala-lumpur-malaysia.html [link=http://kualalumpur.dynamicprospecting.biz/hotel-kuala-lumpur-malaysia.html]hotel kuala lumpur malaysia[/link] *
The problem is even though we scrub these form leads really good, a few of them do get by. And of course clients get very upset to see things such as this. I posted the most non-offensive one I could find. Most of them are very vulgar, and very sexually offensive.
After a week of trying to cut down on the spam, I contacted the company that owns 204.13.162.10 (OverSee.net). I waited about a week and never saw a reply back from them. I contacted abuse@OverSee.net, webmaster@OverSee.net, support@OverSee.net etc.. etc.. The strange thing was, after I emailed them the form spam increased by a lot. It went from 50 - 150, to over 500+ daily.
I once again contacted OverSee.net about the situation (this was the 3rd email). In every single email that I sent them I explained the situation, and requested that they investigate why an IP Address they own is form spamming, which is 100% illegal in California. Heck I have even contacted the California Attorney General's office about this, and the lady I talked to said, "yes this is illegal".
I finally get a reply today from a NOC worker, which just said, "we do not spam".. that was the full reply. What else can I do, so these people stop spamming our website? I have already lost a client at $2,500. So this has already hurt us financially.
Should I continue the California Attorney General's office route, or what else can I do to get these guys to stop? I know I can block the IP Address, and I guarantee you.. they will just switch it.
204.13.162.10 - - [05/Nov/2006:06:34:49 -0800] "GET / HTTP/1.1" 302 305 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US;
It's obviously a Linux Robot sending out the spam, so changing the IP is very simple. Also most of the websites that are form spam posted, are all either current or ex-members of the OverSee.net network... HUH!?!?
█ www.JGRoboMarketing.com / "Automate. Grow. Repeat"
█ Office: (800) 959-0182 / A KEAP Certified Developer (KCD)
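Because a sender can change address, a content check on the submission itself complements any IP block. The following is an added example, not part of the original post and not the poster's scrubbing code: it flags the traits visible in the quoted spam (an e-mail address in City and Zip, a URL in Address, several link markers in Comments, a non-numeric phone). The field names, thresholds and sample values are assumptions.

```python
import re

# Heuristics drawn from the spam sample in the post above; thresholds are assumptions.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
LINK_RE = re.compile(r"https?://|\[(?:link|url)=", re.I)
PHONE_RE = re.compile(r"[\d\s()+.-]{7,20}")
# Fields that should hold plain text, never an e-mail address or a link.
PLAIN_FIELDS = ("name", "address", "city", "state", "zip", "country", "phone")


def spam_reasons(form, max_links=1):
    """Return the reasons a submission looks automated; an empty list means clean."""
    reasons = []
    for field in PLAIN_FIELDS:
        value = form.get(field, "")
        if EMAIL_RE.search(value):
            reasons.append(f"email address in {field}")
        if LINK_RE.search(value):
            reasons.append(f"link in {field}")
    links = len(LINK_RE.findall(form.get("comments", "")))
    if links > max_links:
        reasons.append(f"{links} link markers in comments")
    if not PHONE_RE.fullmatch(form.get("phone", "")):
        reasons.append("phone is not a phone number")
    return reasons


# Constructed sample shaped like the submission quoted in the post
# (placeholder domain, not the real spam URLs).
SPAM = {
    "name": "stock exchange, stock exchange",
    "address": "http://spam.example.invalid/a.html",
    "city": "bot@example.invalid", "state": "Puerto Rico",
    "zip": "bot@example.invalid", "country": "errereer",
    "phone": "(er) ht-htt", "email": "bot@example.invalid",
    "comments": "http://spam.example.invalid/a.html "
                "[link=http://spam.example.invalid/a.html]stock exchange[/link]",
}
# Constructed legitimate submission for comparison.
CLEAN = {
    "name": "Jane Doe", "address": "12 Main St", "city": "Fort Worth",
    "state": "TX", "zip": "76102", "country": "US",
    "phone": "(817) 555-0100", "email": "jane@example.com",
    "comments": "Please call me about a listing.",
}

if __name__ == "__main__":
    print(spam_reasons(SPAM))
    print(spam_reasons(CLEAN))
```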
-
11-06-2006, 08:38 PM #2 Web Hosting Master
- Join Date
- Sep 2005
- Posts
- 551
Have your server silently reject emails from there... They will never know that their emails are not getting through..
-
11-06-2006, 08:48 PM #3 Junior Guru Wannabe
- Join Date
- Sep 2006
- Location
- Chicago, Illinois, USA
- Posts
- 72
Doesn't dropping them take more resources?
Just bump them back. It'll cause more problems for them that way too.
-
11-06-2006, 09:01 PM #4 Junior Guru Wannabe
- Join Date
- Sep 2002
- Location
- PA
- Posts
- 62
Like the bounce back would actually go to the person who sent it? More likely bounced back to an innocent person... I would start reporting them to the spam lists too...
Xau
-
11-06-2006, 10:02 PM #5 Been around for too long...
- Join Date
- Aug 2002
- Location
- DC
- Posts
- 3,643
Odd to see that Oversee.net has chosen these tactics, my experience years ago with them was nothing but positive for hosting ads.
Anyway, you can just block Oversee's netblock or just that single IP using iptables or an .htaccess block. iptables will block it from the whole server, and .htaccess will block it from whatever website the .htaccess file is for.
-
11-06-2006, 11:20 PM #6 Business Consultant Manager
- Join Date
- Feb 2004
- Location
- Fort Worth, TX
- Posts
- 2,586
I'm having a really hard time blocking the IP Address using /etc/hosts.deny. What is my other option?
-
11-07-2006, 12:08 AM #7 Managed Service Provider
- Join Date
- Feb 2004
- Location
- Atlanta, GA
- Posts
- 5,662
Originally Posted by RealtorHost
You could ask your host to filter their netblock at the nearest hop above you.
-
11-07-2006, 01:06 AM #8 Business Consultant Manager
- Join Date
- Feb 2004
- Location
- Fort Worth, TX
- Posts
- 2,586
Thanks WireSix, I'll try that out. CastleAccess (our datacenter) is quite good on helping us with firewall/blocking IPs etc...
-
11-07-2006, 01:12 AM #9 Web Hosting Master
- Join Date
- Nov 2003
- Location
- Newport Beach, CA
- Posts
- 2,923
This isn't the most efficient manner, but you could add their IPs to your htaccess for a quick fix. Just for the site with the form, or whatever.
<Limit GET HEAD POST>
# Allow everyone except the sources denied below
order allow,deny
# A full address blocks the entire IP
deny from 0.0.0.0
# A partial address blocks the range
deny from 0.0
allow from all
</Limit>
Show your reciprocal links on your website. eReferrer
-
11-07-2006, 01:37 AM #10 Junior Guru Wannabe
- Join Date
- Jul 2006
- Posts
- 69
If you want to limit them using HTTP... check out MOD_SECURITY...
If you want to limit them from even being able to get a single packet to your machine, add a rule in IPTABLES dropping everything from 204.13.160.0/22
-
11-07-2006, 03:46 AM #11 Junior Guru Wannabe
- Join Date
- Oct 2004
- Posts
- 30
I doubt Oversee would do such a thing. Oversee is in the business of domain monetization (they make millions of dollars doing just that), trust me, they don't need to spam.
Most probably one of their machines has been hacked and is being used to spam.
And it IS their responsibility to investigate the issue and neutralize the hack.
Buying domains with serious traffic, PM me
-
11-07-2006, 10:36 AM #12 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Try this out:
iptables -I INPUT -s 204.13.160.0/22 -j DROP
OrgName: Oversee.net
OrgID: OVERS-1
Address: 818 W 7th Street
Address: Suite 700
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US
NetRange: 204.13.160.0 - 204.13.163.255
CIDR: 204.13.160.0/22
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
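Before blocking a whole netblock it helps to confirm from the access log which sources are actually posting to the form and whether they sit inside 204.13.160.0/22. The following is an added example, not code from any poster in this thread: it counts form POSTs per source in Common/Combined Log Format, filters by netblock, and renders Apache 2.2-style deny lines. The form path /contact.php, the threshold and the sample log lines are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Common/Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def form_posts_by_source(lines, form_path):
    """Count POSTs to form_path per client address; malformed lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3).split("?", 1)[0] == form_path:
            hits[m.group(1)] += 1
    return hits


def offenders(hits, threshold, netblock=None):
    """Sources with >= threshold POSTs, optionally limited to one netblock."""
    net = ipaddress.ip_network(netblock) if netblock else None
    found = []
    for source, count in hits.most_common():
        if count < threshold:
            break
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            continue  # a hostname was logged instead of an address
        if net is None or addr in net:
            found.append((source, count))
    return found


def htaccess_rules(sources):
    """Render Apache 2.2-style deny lines like the block quoted in the thread."""
    denies = "\n".join(f"deny from {s}" for s in sources)
    return f"<Limit GET HEAD POST>\norder allow,deny\nallow from all\n{denies}\n</Limit>"


# Constructed log lines; /contact.php is a hypothetical form path.
_FMT = '{} - - [05/Nov/2006:06:34:49 -0800] "{} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
SAMPLE_LOG = [_FMT.format("204.13.162.10", "POST /contact.php")] * 3 + [
    _FMT.format("192.0.2.7", "POST /contact.php"),
    _FMT.format("204.13.162.10", "GET /"),
    "not a log line",
]

if __name__ == "__main__":
    hits = form_posts_by_source(SAMPLE_LOG, "/contact.php")
    print(htaccess_rules(ip for ip, _ in offenders(hits, 2, "204.13.160.0/22")))
```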
-
11-07-2006, 01:11 PM #13 Business Consultant Manager
- Join Date
- Feb 2004
- Location
- Fort Worth, TX
- Posts
- 2,586
Looks like iptables isn't installed on the server... it's Debian
-
11-07-2006, 01:25 PM #14 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Originally Posted by RealtorHost
apt-get update && apt-get install iptables
-
11-08-2006, 07:28 PM #15 Business Consultant Manager
- Join Date
- Feb 2004
- Location
- Fort Worth, TX
- Posts
- 2,586
hmm...
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
-
11-08-2006, 07:31 PM #16 Junior Guru Wannabe
- Join Date
- Jul 2006
- Posts
- 69
Are you running a VPS?
-
11-09-2006, 12:01 AM #17 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Either you are on a VPS or your kernel needs to be rebuilt with iptables support.