Results 1 to 17 of 17
  1. #1
    Join Date
    Feb 2004
    Location
    Fort Worth, TX
    Posts
    2,586

    OverSee.net your kidding me!?!?

    It took me a little bit of effort to find out exactly who OverSee.net is. It appears that own a datacenter (???) in the Los Angeles, Calfornia area. Looks like they own a few Ad Display Website, which definitely catches my attention due to the problem i'll briefly mention.
    ----------

    Starting 3 weeks ago 2 websites that I maintain started getting hit by form spam. A single IP Address (which is 204.13.162.10) was submitting roughly 50 - 125 form completions on our webiste. Below is an example of the form spam:


    Name: kuala lumpur stock exchange, kuala lumpur stock exchange
    Address: http://kualalumpur.dynamicprospectin...-exchange.html
    City: ktksdag@cpiix.com
    State: Puerto Rico
    Zip: ktksdag@cpiix.com
    Country: errereer
    Phone: (er) ht-htt
    Email: ktksdag@cpiix.com
    Comments: piskasosiska 618621 http://kualalumpur.dynamicprospectin...-exchange.html kuala lumpur stock exchange kuala lumpur stock exchange kuala lumpur stock exchange kualalumpur.dynamicprospecting.biz/kuala-lumpur-stock-exchange.html [link=http://kualalumpur.dynamicprospecting.biz/kuala-lumpur-stock-exchange.html]kuala lumpur stock exchange[/link] * http://kualalumpur.dynamicprospectin...-malaysia.html hotel kuala lumpur malaysia hotel kuala lumpur malaysia hotel kuala lumpur malaysia kualalumpur.dynamicprospecting.biz/hotel-kuala-lumpur-malaysia.html [link=http://kualalumpur.dynamicprospecting.biz/hotel-kuala-lumpur-malaysia.html]hotel kuala lumpur malaysia[/link] *


    The problem is eventhough we scrub these form leads really good a few of them do get by. And ofcourse clients get very upset to see things such as this. I posted the most non-offensive one I could find. Most of them are very vulgar, and very sexually offensive.

    After a week of trying to cut down on the spam, I contacted the company that owns 204.13.162.10 (OverSee.net). I waited about a week and never saw a reply back from them. I contacted abuse@OverSee.net, webmaster@OverSee.net, support@OverSee.net etc.. etc.. The strange thing was, after I emailed them the form spam increased by a lot. It went from 50 - 150, to over 500+ daily.

    I once again contacted OverSee.net about the situation (this was the 3rd email). In every single email that I sent them I explained the situation, and requested that they investigate why an IP Address they own is form spamming, which is 100% illegal in California. Heck I have even contacted the California Attorney General's office about this, and the lady I talked to said, "yes this is illegal".

    I finally get a reply today from a NOC worker today, which just said, "we do not spam".. that was the full reply. What else can I do, so these people stop spamming our website. I have already lost a client at $2,500. So this has already hurt us financially.

    Should I continue the California Attorney General's office route, or what else can I do to get these guys to stop. I know I can block the IP Address, and I guarantee you.. they will just switch it.

    204.13.162.10 - - [05/Nov/2006:06:34:49 -0800] "GET / HTTP/1.1" 302 305 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US;

    Its obviously a Linux Robot sending out the spam, so changing the IP is very simple. Also most of the websites that are form spam posted, are all either current of ex-members of the OverSee.net network... HUH!?!?
    Last edited by JGRoboMarketing; 11-06-2006 at 08:33 PM. Reason: Changed title
    www.JGRoboMarketing.com / "Automate. Grow. Repeat"
    █ Office: (800) 959-0182 / A KEAP Certified Developer (KCD)

  2. #2
    Join Date
    Sep 2005
    Posts
    551
    Have your server silently reject emails from there... They will never know that their emails are not getting through..

  3. #3
    Join Date
    Sep 2006
    Location
    Chicago, Illinois, USA
    Posts
    72
    Doesn't dropping them take more resources?

    Just bump them back. It'll cause more problems for them that way too.

  4. #4
    Join Date
    Sep 2002
    Location
    PA
    Posts
    62
    like the bouce back would actually go to the person who sent it? more likely bounced back to an innocent person... i would start reporting them to the spam lists too...

    Xau

  5. #5
    Join Date
    Aug 2002
    Location
    DC
    Posts
    3,643
    Odd to see that Oversee.net has chosen these tactics, my experience years ago with them was nothing but positive for hosting ads.

    Anyway, you can just block Oversee's netblock or just that single IP using iptables or an .htaccess block. iptables will block it from the whole server, and .htaccess will block it from whatever website the .htaccess file is for.

  6. #6
    Join Date
    Feb 2004
    Location
    Fort Worth, TX
    Posts
    2,586
    I'm having a really hard time blocking the IP Address using /etc/hosts.deny. What is my other option?
    www.JGRoboMarketing.com / "Automate. Grow. Repeat"
    █ Office: (800) 959-0182 / A KEAP Certified Developer (KCD)

  7. #7
    Join Date
    Feb 2004
    Location
    Atlanta, GA
    Posts
    5,662
    Quote Originally Posted by RealtorHost
    I'm having a really hard time blocking the IP Address using /etc/hosts.deny. What is my other option?

    You could ask your host to filter their netblock at the nearest hop above you.

  8. #8
    Join Date
    Feb 2004
    Location
    Fort Worth, TX
    Posts
    2,586
    Thanks WireSix i'll try that out. CastleAccess (our datacenter) is quite good on helping us with firewall/blocking IPs etc...
    www.JGRoboMarketing.com / "Automate. Grow. Repeat"
    █ Office: (800) 959-0182 / A KEAP Certified Developer (KCD)

  9. #9
    Join Date
    Nov 2003
    Location
    Newport Beach, CA
    Posts
    2,923
    This isn't the most efficient manner, but you could add their IPs to your htaccess for a quick fix. just for the site with the form, or whatever.


    <Limit GET HEAD POST>
    order allow,deny
    deny from 0.0.0.0 <--entire IP
    deny from 0.0 <--- Range
    allow from all
    </LIMIT>
    Show your reciprocal links on your website. eReferrer

  10. #10
    Join Date
    Jul 2006
    Posts
    69
    If you want to limit them using HTTP... check out MOD_SECURITY...

    If you want to limit them from even being able to get a single packet to your machine, add a rule in IPTABLES dropping everything from 204.13.160.0/22

  11. #11
    Join Date
    Oct 2004
    Posts
    30
    i doubt oversee would do such a thing, oversee is the business of domain monetization (they make millions of dollars doing just that), trust me, they don't need to spam.

    Most probably one of their machines has been hacked and is being used to spam.

    And it IS their responsibility to investigate the issue and neutralize the hack.
    Buying domains with serious traffic, PM me

  12. #12
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Try this out:

    iptables -I INPUT -s 204.13.160.0/22 -j DROP
    OrgName: Oversee.net
    OrgID: OVERS-1
    Address: 818 W 7th Street
    Address: Suite 700
    City: Los Angeles
    StateProv: CA
    PostalCode: 90017
    Country: US

    NetRange: 204.13.160.0 - 204.13.163.255
    CIDR: 204.13.160.0/22
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  13. #13
    Join Date
    Feb 2004
    Location
    Fort Worth, TX
    Posts
    2,586
    Looks like iptables isn't installed on the server... its debian
    www.JGRoboMarketing.com / "Automate. Grow. Repeat"
    █ Office: (800) 959-0182 / A KEAP Certified Developer (KCD)

  14. #14
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by RealtorHost
    Looks like iptables isn't installed on the server... its debian

    apt-get update && apt-get install iptables

    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  15. #15
    Join Date
    Feb 2004
    Location
    Fort Worth, TX
    Posts
    2,586
    hmm...

    FATAL: Module ip_tables not found.
    iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    www.JGRoboMarketing.com / "Automate. Grow. Repeat"
    █ Office: (800) 959-0182 / A KEAP Certified Developer (KCD)

  16. #16
    Join Date
    Jul 2006
    Posts
    69
    Are you running a VPS?

  17. #17
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Either you are on a vps or your kernel needs to be rebuilt with iptables support.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •