Web Hosting Talk : Web Hosting Main Forums : Dedicated Server : How to save mailbox from spam

[ppaul81]

Hello all,

I am here for suggestions for my issues regarding spam emails from theplanet.com. Recently a new website named: amulyammail.com, from which I everyday get a spam mail to my inbox & even they have no Unsubscribe at the footer of the email. Now After checking the WHOIS I even tried contacting the person: 'vijji.geek@hotmail.com' But still no response. Now on 16th I finally forwarded the mail to ThePlanet abuse team, But till yet no action from them even not an email also.ThePlanetAbuse-C3171595A & ThePlanetAbuse-C3383129X . Now Can someone help where to report this spam IP, so that I would get blacklisted and should be heavily penalized. In the mean-time I have forwarded the copy to : enforcement@sec.gov for investigation. I hope this would make other bad guys think twice before sending spam mails.

Thanks.
P Paul

[bsh]

I can't speak for ThePlanet, but they may indeed be trying to contact their customer to resolve the issue. Most providers allow a grace period based on the severity of the claim. Also, any evidence you can provide to them may expedite things rather than saying, "I'm getting spammed from X - terminate them now!"

[Ixape]

I doubt The Planet will be able to do much if the email isn't originating from their network.

Contact Hotmail instead.

[woods01]

The sec has nothing to do with e-mail unless it's involving a semi-legitimate/questionable investment firm which I doubt the spam is involving.

Always forward your spam to the federal trade commission @ spam@uce.gov.

My experiences with theplanet's abuse team is they actually do handle abuse complaints.

We all get spam from time to time.

Take a few pointers from what I just did to help cut back on spam.

Require SPF
Dump spamassasin scores above 7
enable dkim

If you are not your e-mail administrator contact who-ever that would be to help you.

ISPs aren't required to do anything regarding abuse complaints in general unless of course it would involve immediate serious threats or copyright complaints.

[alons]

Which email provider are you using ?
Is it GMail, then their mail filter can help you mark it as SPAM so that any further email you get from them will be marked as spam.
BTW, what is the FROM Headers ?
If its from a single website you can simply add a filter

[ppaul81]

Delivered-To: XXXXXXX.XXXXX@XXXXX.com
Received: by 10.220.182.204 with SMTP id cd12cs32372vcb;
Tue, 19 Oct 2010 12:08:38 -0700 (PDT)
Received: by 10.42.179.136 with SMTP id bq8mr5019319icb.162.1287515317920;
Tue, 19 Oct 2010 12:08:37 -0700 (PDT)
Return-Path: <noreply@amulyammail.com>
Received: from amulyammail.com (mailserver2.amulyammail.com [69.64.86.32])
by mx.google.com with ESMTP id j22si27917774yha.34.2010.10.19.12.08.37;
Tue, 19 Oct 2010 12:08:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@amulyammail.com designates 69.64.86.32 as permitted sender) client-ip=69.64.86.32;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of noreply@amulyammail.com designates 69.64.86.32 as permitted sender) smtp.mail=noreply@amulyammail.com
Received: from mailserver2.amulyammail.com (mailserver2.amulyammail.com [127.0.0.1])
by amulyammail.com (8.13.8/8.13.8) with ESMTP id o9JJI6EG007353
for <XXXXXXX.XXXXX@XXXXX.com>; Wed, 20 Oct 2010 00:48:06 +0530
Date: Wed, 20 Oct 2010 00:48:06 +0530 (IST)
From: TimesJobs <noreply@amulyammail.com>
To: XXXXXXX.XXXXX@XXXXX.com
Message-ID: <4494992178314864640.1287515886612.AMail@bounce4.amulyammail.com>
Subject: Great Opportunities You Missed in September
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: AMail_1.0

[tomydurden]

Quote:

Originally Posted by ppaul81

Delivered-To: XXXXXXX.XXXXX@XXXXX.com
Received: by 10.220.182.204 with SMTP id cd12cs32372vcb;
Tue, 19 Oct 2010 12:08:38 -0700 (PDT)
Received: by 10.42.179.136 with SMTP id bq8mr5019319icb.162.1287515317920;
Tue, 19 Oct 2010 12:08:37 -0700 (PDT)
Return-Path: <noreply@amulyammail.com>
Received: from amulyammail.com (mailserver2.amulyammail.com [69.64.86.32])
by mx.google.com with ESMTP id j22si27917774yha.34.2010.10.19.12.08.37;
Tue, 19 Oct 2010 12:08:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@amulyammail.com designates 69.64.86.32 as permitted sender) client-ip=69.64.86.32;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of noreply@amulyammail.com designates 69.64.86.32 as permitted sender) smtp.mail=noreply@amulyammail.com
Received: from mailserver2.amulyammail.com (mailserver2.amulyammail.com [127.0.0.1])
by amulyammail.com (8.13.8/8.13.8) with ESMTP id o9JJI6EG007353
for <XXXXXXX.XXXXX@XXXXX.com>; Wed, 20 Oct 2010 00:48:06 +0530
Date: Wed, 20 Oct 2010 00:48:06 +0530 (IST)
From: TimesJobs <noreply@amulyammail.com>
To: XXXXXXX.XXXXX@XXXXX.com
Message-ID: <4494992178314864640.1287515886612.AMail@bounce4.amulyammail.com>
Subject: Great Opportunities You Missed in September
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: AMail_1.0

These headers don't indicate the email has come from within our network. It looks like it originated from within codero.com's network. According to http://www.codero.com/legal/, you can forward complaints to legal@codero.com


Our abuse team has processes in place to handle all reported abuse issues. They have to work with the administrators of the servers to resolve issues to ensure the scope of the issue doesn't impact innocent parties. Due to privacy and security concerns, they will not be able to discuss details of the issue with you.

[ppaul81]

Here is the WHOIS data at: http://whois.domaintools.com/amulyammail.com
Server Type:Apache-Coyote/1.1
IP Address:67.19.48.84 Reverse-IP | Ping | DNS Lookup| Traceroute
IP Location:United States - Texas - Dallas - Theplanet.com Internet Services Inc
Response Code:200
Domain Status:Registered And Active Website
------------------------
Below is the chat with CODERO representative:

Jay South: Hello p paul, how may I help you?

p paul: Hello

p paul: Do you host : amulyammail.com

p paul: Is you there ?

Jay South: Let - yes I'm here - me check.

Jay South:
#~ > ping amulyammail.com
PING amulyammail.com (67.19.48.84) 56(84) bytes of data.
64 bytes from mail.amulyammail.com (67.19.48.84): icmp_seq=1 ttl=53 time=29.8 ms
64 bytes from mail.amulyammail.com (67.19.48.84): icmp_seq=2 ttl=53 time=29.5 ms

--- amulyammail.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 29.535/29.681/29.827/0.146 ms
#~ > whois 67.19.48.84
[Querying whois.arin.net]
[Redirected to rwhois.theplanet.com:4321]
[Querying rwhois.theplanet.com]
[rwhois.theplanet.com]
%rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-THEPLANET-BLK-11
network:Auth-Area:67.18.0.0/15
network:Network-Name:TPIS-BLK-67-19-48-0
network:IP-Network:67.19.48.80/29
network:IP-Network-Block:67.19.48.80 - 67.19.48.87
network:Organization-Name:amulyam
network:Organization-City:Hyderabad
network:Organization-Zip:500025
network:Organization-Country:IND
networkescription-Usage:customer
networkerver-Pri:ns1.theplanet.com
networkerver-Sec:ns2.theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
network:Created:20091219
network:Updated:20091220

%referral rwhois://root.rwhois.net:4321/auth-area=.
%ok
#~ >

Jay South: so... no.

p paul: Fine this means this IP belongs to : theplanet.com . Am I right ?

Jay South: Yes, I believe so. I'm not sure - but that's the whois on the IP, and its not in our range.

p paul: Can U plz check and inform your seniours that someone from Theplanet.com Tomy Durden has accused that this IP from which I regularly get spam mail belongs to codero.

p paul: plz check : http://www.webhostingtalk.com/showthread.php?p=7075694

------------------------------

[HiVelocity]

There are several methods to stop the spam on your account , we use mailfoundry on our internal email , and I believe we offer that to our clients as well, it works pretty well ,but it like most other solutions is not 100% perfect. The only way I know of to completely stop all spam is to shut down your email box , and for most this is not really the preferred method. Some things you can do to help slow the flood down are to keep your address from being added to lists , and to be sure its not publicly out there for email address extraction software to pick up.

Hope this helps you.

Brian

[plumsauce]

You are using gmail, therefore the most important and trustworthy header is the received header that is reported by the gmail server as the ip address of the sending server. In the headers you posted, it is:

Code:

Received: from amulyammail.com (mailserver2.amulyammail.com [69.64.86.32])
by mx.google.com with ESMTP id j22si27917774yha.34.2010.10.19.12.08.37;
Tue, 19 Oct 2010 12:08:37 -0700 (PDT)

the ip address as reported by a trusted server is more important than whatever host name that the sending server chose to use because it cannot be faked. that ip address is behind a codero.com router

Code:

 11   110 ms   109 ms   109 ms  xe-1-1-0.mpr4.phx2.us.above.net [64.125.28.73]
 12   109 ms   125 ms   125 ms  64.124.178.250.allocated.above.net [64.124.178.2
50]
 13   110 ms   140 ms   125 ms  gi1-46.dr1.dg1.phoenix.codero.com [69.64.66.62]

 14   109 ms   125 ms   110 ms  mailserver2.amulyammail.com [69.64.86.32]

bits and pieces of that domain may be at the planet, for example, mail.amulyamail.com, but the server you want is mailserver2.amulyamail.com

and that is at codero.com, although theplanet should also be concerned as they are hosting part of the infrastructure that supports the spamming domain.

[plumsauce]

Also as Hivelocity says, a good set of spam filters works wonders in keeping your daily reading down. If you never receive the spam, you won't have to read it, nor will you have to worry about reporting every new spammer that lands in your mailbox. The email client in Seamonkey is particularly good at this once you have trained the bayesian engine. The app is ugly and sometimes awkward, but the filters make it worthwhile.

[tomydurden]

Quote:

Originally Posted by ppaul81

Here is the WHOIS data at: http://whois.domaintools.com/amulyammail.com
Server Type:Apache-Coyote/1.1
IP Address:67.19.48.84 Reverse-IP | Ping | DNS Lookup| Traceroute
IP Location:United States - Texas - Dallas - Theplanet.com Internet Services Inc
Response Code:200
Domain Status:Registered And Active Website
------------------------
Below is the chat with CODERO representative:

Jay South: Hello p paul, how may I help you?

p paul: Hello

p paul: Do you host : amulyammail.com

p paul: Is you there ?

Jay South: Let - yes I'm here - me check.

Jay South:
#~ > ping amulyammail.com
PING amulyammail.com (67.19.48.84) 56(84) bytes of data.
64 bytes from mail.amulyammail.com (67.19.48.84): icmp_seq=1 ttl=53 time=29.8 ms
64 bytes from mail.amulyammail.com (67.19.48.84): icmp_seq=2 ttl=53 time=29.5 ms

--- amulyammail.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 29.535/29.681/29.827/0.146 ms
#~ > whois 67.19.48.84
[Querying whois.arin.net]
[Redirected to rwhois.theplanet.com:4321]
[Querying rwhois.theplanet.com]
[rwhois.theplanet.com]
%rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-THEPLANET-BLK-11
network:Auth-Area:67.18.0.0/15
network:Network-Name:TPIS-BLK-67-19-48-0
network:IP-Network:67.19.48.80/29
network:IP-Network-Block:67.19.48.80 - 67.19.48.87
network:Organization-Name:amulyam
network:Organization-City:Hyderabad
network:Organization-Zip:500025
network:Organization-Country:IND
networkescription-Usage:customer
networkerver-Pri:ns1.theplanet.com
networkerver-Sec:ns2.theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
network:Created:20091219
network:Updated:20091220

%referral rwhois://root.rwhois.net:4321/auth-area=.
%ok
#~ >

Jay South: so... no.

p paul: Fine this means this IP belongs to : theplanet.com . Am I right ?

Jay South: Yes, I believe so. I'm not sure - but that's the whois on the IP, and its not in our range.

p paul: Can U plz check and inform your seniours that someone from Theplanet.com Tomy Durden has accused that this IP from which I regularly get spam mail belongs to codero.

p paul: plz check : http://www.webhostingtalk.com/showthread.php?p=7075694

------------------------------

Correct. 67.19.48.84 does belong to The Planet, however, this isn't the IP where the email was coming from.

69.64.86.32 belongs to Codero. According to the headers you've provided, this is where the email originated from.



DNS is handled from off of our network:

Code:

$ dig amulyammail.com soa +short
ns27.domaincontrol.com. dns.jomax.net. 2010100101 28800 7200 604800 86400
$ dig amulyammail.com ns +short
ns28.domaincontrol.com.
ns27.domaincontrol.com.

The IP in the headers trace back to Codero:

Code:

$ dig mailserver2.amulyammail.com a +short
69.64.86.32
$ dig 32.86.64.69.in-addr.arpa ptr +short
mailserver2.amulyammail.com.
$ dig 86.64.69.in-addr.arpa soa +short
ns1.codero.com. hostmaster.codero.com. 2009073004 7200 1800 604800 43200

There may be an A record pointed to a server on our network, but your headers don't indicate that the server is, in any way, related to the emails you're receiving.

[ppaul81]

One thing ticking my head! After sending thousands of mail how still their IP's remain white-listed ? Even my friend who has own dedicated server says sending mails more than 1000 per hour will cause blacklisting. Then how these guys are doing ? Must be something Blackhat!

[yume-hostplex]

using gmail ?

[ppaul81]

But Gmail must have a sending limit, right. I do not think, google will encourage this, even this is a free email!