megamailservers answers
Todd Burroughs
It's obvious that we have some problems in dealing effectively with
scammers. I've been asked to look into this and help to resolve it.
I've read some of the threads and it's apparent that we have little or
no credibility here. I'm asking you to at least read what I have to
say and give me a chance. I will try to answer some questions I've seen
and please ask and I will do what I can to answer any other questions.
I started the technical side of our company and can and will implement
things to reduce abuse. We are not a scam company, give me a chance
to prove it.
I know that our postmaster did not intend to insult anyone, the response
to McWebber was supposed to be an apology. I would be insulted as well,
please accept our apologies, the comments weren't intended the way they
came across.
It looks like you know our affiliations, etc. We are based in
Ft. Lauderdale, Florida and Mississauga, Ontario. We have two AS's;
we run a network in Toronto and one in Miami. mega*servers.com,
internetnamesforbusiness.com and hostopia.com are owned by the same
company. Have a look at hostopia.com and you'll see who we are.
Basically, we are a wholesaler for hosting services. The mega* names
are to meant hide us from the technical business owner and web developer
who is using one of our partners for hosting. We are supposed to be
"invisible" to them. It is not intended to hide us from people like you.
I know that it sounds suspicious...
Let me explain knowing / not knowing who our customers are. Our systems
are almost 100% automated. People sign up online, often at one of our
partners sites. We then get commands to add/delete domains, etc. from our
partners provisioning systems. We do directly sign up some customers,
but that is a small percentage of our signups, most are done from our
partners and we do not get any information on their customer, other
than domain, package type, password and optionally an admin email.
We get paid from our wholesale customers, based on number of packages
of each type each month, they bill their own customers.
After having a look at the phishing scammers, I've noticed one partner
in particular who is getting a lot of them. I'm certain that they
are not doing it themselves (they're pretty well respected but I can't
name them for obvious reasons). We will be working with this partner
to improve their system so that they block scammers more effectively.
We block people signing up on our system based on bad IP addresses and
CC numbers (we do charge the card before giving them service). We do
track IP addresses, but we don't get many of these domains signing up
on our system. Having said that, I know we are still responsible and
it's my task to get our partners in line to reduce the problem.
Is this the appropriate group to announce removed domains? I'm guessing
that it is, since they pass moderation. I will try to provide more info,
if we have it, in future announcements. I read the charter and it's not
clear to me.
We're planning to add a "feature" which limits the number of emails sent
per day, per domain. If they exceed this, the mail will get queueud and
it will require human intervention from one of our staff. I think that
this will eliminate most of this problem, spammers/scammers aren't going
to be happy when they are limited this way. Any comments or suggestions
on this?
We are a pretty large hosting company and *everything* has to be automated.
We're trying to figure out the best way to do this...
I'm going to post this now. If I've missed anything, please let me know
and I will respond with no BS. My real email is toddathostopiadotcom.
I'm going to sit in my new flame resistant room and wait for your
comments ;-)
Todd Burroughs
--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.
Spambo
> [snip]
>
> We're planning to add a "feature" which limits the number of emails sent
> per day, per domain. If they exceed this, the mail will get queueud and
> it will require human intervention from one of our staff. I think that
> this will eliminate most of this problem, spammers/scammers aren't going
> to be happy when they are limited this way. Any comments or suggestions
> on this?
While this might be a *good* idea don't count on it solving most of
your problems. Spammers, especially those who are doing something
illegal, don't usually send spams from their provider's networks.
Instead they'll hijack open proxies or open relays, or they'll use
trojaned machines to send their spewage.
Unless you have badly secured machines occupying your IPs most of the
reports you get are going to be about spamvertised URLs. With credit
card or other identity phishing scams you can't wait days, or even
hours, before turning off a site.
Since you can be pretty sure within seconds if a major domain, like
eBay, PayPal, or Citibank, is really a customer you need a method of
turning off scam sites within a few minutes after receiving a report
and verifying that a page on one of your servers is pretending to be
something they're not. Your hosting customers must do the same.
> [snip]
Wire...@aol.com
hooked up right yet.
In article <c025ab26.04050...@posting.google.com>,
goo...@parsec.net (Todd Burroughs) writes:
>Subject: megamailservers answers
>From: goo...@parsec.net (Todd Burroughs)
>Date: Sat, 8 May 2004 14:46:12 GMT
>
>Hello,
Hi there:
>
>It's obvious that we have some problems in dealing effectively with
>scammers. I've been asked to look into this and help to resolve it.
>I've read some of the threads and it's apparent that we have little or
>no credibility here. I'm asking you to at least read what I have to
>say and give me a chance. I will try to answer some questions I've seen
>and please ask and I will do what I can to answer any other questions.
>I started the technical side of our company and can and will implement
>things to reduce abuse. We are not a scam company, give me a chance
>to prove it.
Okay...
>
>I know that our postmaster did not intend to insult anyone, the response
>to McWebber was supposed to be an apology. I would be insulted as well,
>please accept our apologies, the comments weren't intended the way they
>came across.
Fine by, me.
You must admit, your postmaster has a talent for ticking of other sysadmins.
(I'm a simple AOLer, and I was offended!)
>
>It looks like you know our affiliations, etc. We are based in
>Ft. Lauderdale, Florida and Mississauga, Ontario. We have two AS's;
>we run a network in Toronto and one in Miami. mega*servers.com,
>internetnamesforbusiness.com and hostopia.com are owned by the same
>company. Have a look at hostopia.com and you'll see who we are.
>Basically, we are a wholesaler for hosting services. The mega* names
>are to meant hide us from the technical business owner and web developer
>who is using one of our partners for hosting. We are supposed to be
>"invisible" to them. It is not intended to hide us from people like you.
>I know that it sounds suspicious...
As long as you know it looks fishy.
>
>Let me explain knowing / not knowing who our customers are. Our systems
>are almost 100% automated. People sign up online, often at one of our
>partners sites. We then get commands to add/delete domains, etc. from our
>partners provisioning systems. We do directly sign up some customers,
>but that is a small percentage of our signups, most are done from our
>partners and we do not get any information on their customer, other
>than domain, package type, password and optionally an admin email.
>We get paid from our wholesale customers, based on number of packages
>of each type each month, they bill their own customers.
I question your business model.
Your methods may not be compatable with the 'modern' Internet.
This is a problem you really, really need to address.
>
>After having a look at the phishing scammers, I've noticed one partner
>in particular who is getting a lot of them. I'm certain that they
>are not doing it themselves (they're pretty well respected but I can't
>name them for obvious reasons).
Then understant that, as far as the rest of the 'net is concerned, this
'partner' does not exist. If you are the one who appears to be holding
the bag, you ARE the one holding the bag.
(I suspect that if this ever got into a court room, you would still be
holding the bag.)
(Have you run this sorry mess by your corporate counsel, yet?)
(Care to imagine explaining how your 'system' works to a Judge?)
(Honest, your Honor, we really don't know who our customers are.)
>We will be working with this partner
>to improve their system so that they block scammers more effectively.
>We block people signing up on our system based on bad IP addresses and
>CC numbers (we do charge the card before giving them service). We do
>track IP addresses, but we don't get many of these domains signing up
>on our system. Having said that, I know we are still responsible and
>it's my task to get our partners in line to reduce the problem.
Consider running all out-bound email through a spam filter you can
set to look for certain key words, just as an early alarm system.
Also note that if the spammers/scammers are spamming through other
systems, you won't know it until the complaints and blocking starts.
>
<snippage>
>
>We're planning to add a "feature" which limits the number of emails sent
>per day, per domain. If they exceed this, the mail will get queueud and
>it will require human intervention from one of our staff. I think that
>this will eliminate most of this problem, spammers/scammers aren't going
>to be happy when they are limited this way. Any comments or suggestions
>on this?
It's a start.
You may be seeing the first wave of what I was talking about concerning
your business model. You may be looking at a LOT more 'management'
being required to stay on-line.
>
>We are a pretty large hosting company and *everything* has to be automated.
>We're trying to figure out the best way to do this...
I question whether that can be, or should be done.
(But I'm not in your business, have no desire to be in you business,
and am not the one spending the money to make it work.)
Note that If you, megamailservers, can not fix your problems, (spammers,
scammers and thieves), 'we', the rest of the net, can and will 'fix' the
problem from our end. (It sounds like you are already figuring this out,
which is good.) (Make sure Management gets the message, also.)
>
>I'm going to post this now. If I've missed anything, please let me know
>and I will respond with no BS. My real email is toddathostopiadotcom.
>I'm going to sit in my new flame resistant room and wait for your
>comments ;-)
>
>Todd Burroughs
>
Good luck to you,
Gary G.
--
Gary Grossoehme - Just another disturbed nerd.
Oregon Electronics - Lumber Cartel Member
Portland, Oregon - Not a member of the Cabal
axlq in California
Todd Burroughs <goo...@parsec.net> wrote:
>Hello,
Hi, and thanks for your article.
>Let me explain knowing / not knowing who our customers are. Our systems
>are almost 100% automated. People sign up online, often at one of our
>partners sites. We then get commands to add/delete domains, etc. from our
>partners provisioning systems. We do directly sign up some customers,
>but that is a small percentage of our signups, most are done from our
>partners and we do not get any information on their customer, other
>than domain, package type, password and optionally an admin email.
Since you get domain information, can't you have some simple check
for well-known text strings in domains that contain "citi" or "ebay"
or "paypal" and whatnot? Can't somebody do a simple 'whois' check
to make sure the domain name info is valid, and boot them if it's
not? Nobody at your company seems to bother.
>After having a look at the phishing scammers, I've noticed one partner
>in particular who is getting a lot of them. I'm certain that they
>are not doing it themselves (they're pretty well respected but I can't
>name them for obvious reasons).
You don't have to name the partner. BUT YOU CAN NAME THE SCAMMER.
We already know their domain. And the information provided in the
whois record is always bogus. Furthermore, the bogus information
is identical for most of the scam domains you've been terminating.
This suggests the SAME entity is signing up.
Many businesses maintain a blacklist of bad-check writers and will
refuse to serve those indivicuals. Don't you even maintain a list
of "bad customers" that you distribute to your partners, so they
won't keep signing them up? Others would like that information too.
As I said, this looks like the SAME person infesting your networks.
Revealing who it is would greatly help other ISPs from signing them
up. And it would provide other blocking lists (such as Spamhaus SBL
and ROKSO records) with information that other ISPs could use also.
>We will be working with this partner
>to improve their system so that they block scammers more effectively.
>We block people signing up on our system based on bad IP addresses and
>CC numbers (we do charge the card before giving them service).
Whose name was on the credit card? There is NO REASON to keep this
information private, because if they register a domain name, their
real name should be on their 'whois' record.
>We're planning to add a "feature" which limits the number of emails sent
>per day, per domain. If they exceed this, the mail will get queueud and
>it will require human intervention from one of our staff.
That's not a bad idea, but...
>I think that this will eliminate most of this problem
No, it won't eliminate ANY of your problem.
Your scammers don't send spam from your network. They use other
networks for that. You host their web servers. You give them a
home. And you keep doing so. Over and over.
>We are a pretty large hosting company and *everything* has to be automated.
No, it doesn't. Some things absolutely cannot be automated, as
you don't seem to realize yet. If you continue to insist on
100% automation, with nobody doing preventive investigation of
potential customers, and nobody communicating vital information
about bad customers, either internally or publicly, you are doomed
to continue experiencing problems. And I doubt you'll get out of
the blacklists.
-A
Brian Bruns
news:c025ab26.04050...@posting.google.com:
<snipped for length purposes>
> I'm going to post this now. If I've missed anything, please let me know
> and I will respond with no BS. My real email is toddathostopiadotcom.
> I'm going to sit in my new flame resistant room and wait for your
> comments ;-)
>
> Todd Burroughs
Heres the deal, because I am a fair person, I'm willing to delist
Hostopia/Mega<something>servers/INFB/etc from the AHBL, provided that you are
taking care of the situation on your end.
I am not pleased with how things were handled by your postmaster, but we'll
see where this goes from here.
However, I will be watching what comes from your network into my traps and
what appears on NANAS/NANAE.
--
Brian Bruns
Founder, The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List - DNSbl
http://www.ahbl.org
Shmuel (Seymour J.) Metz
at 02:46 PM, goo...@parsec.net (Todd Burroughs) said:
>I know that our postmaster did not intend to insult anyone, the
>response to McWebber was supposed to be an apology. I would be
>insulted as well, please accept our apologies, the comments weren't
>intended the way they came across.
They didn't just come across as insulting; they came across as
unprofessional and either dishonest or incompetent.
>Let me explain knowing / not knowing who our customers are. Our
>systems are almost 100% automated. People sign up online, often at
>one of our partners sites. We then get commands to add/delete
>domains, etc. from our partners provisioning systems. We do directly
>sign up some customers, but that is a small percentage of our
>signups, most are done from our partners and we do not get any
>information on their customer, other than domain, package type,
>password and optionally an admin email.
Perhaps that's something that you should change. I'd advise you to
talk to your legal department to look into changing your contracts to
require identifying all customers, or at least all customers suspended
for network abuse, including spam.
>We get paid from our wholesale customers, based on number of
>packages of each type each month, they bill their own customers.
Perhaps you should change your billing structure so there is a
significant penalty for signing up a spammer.
>I'm certain that they are not doing it themselves
>From the perspective of a DNSBL maintainer, it doesn't matter whether
it is malice or incompetence; they'll get listed either way.
>Is this the appropriate group to announce removed domains?
In general, the best place is news.admin.net-abuse.bulletins, but if
you're already on a list then I'd advise cross-posting here with a
followup-To here instead of to the usual news.admin.net-abuse.email.
>We're planning to add a "feature" which limits the number of emails
>sent per day, per domain.
Do any of your customers run legitimate mailing lists? That might
cause problems for them, and won't do anything about customers who
send their spam from outside your network. I'd advise putting the
effort instead into fixing your signup procedures, AUP/TOS and
enforcement.
>We are a pretty large hosting company and *everything* has to be
>automated.
Beware; that way lies blocklisting. It has to be done perfectly or not
at all. Google for "ignorebot". You *MUST* ensure that complaints are
handled whether they have the spam inline or as an attachment, whether
they retain the original subject or change it, and whether or not the
spam contains a virus. You *MUST* handle complaints about services
that you host beyond SMTP, including DNS and HTTP. These are things
that automated handling get wrong more often than not.
>I'm going to sit in my new flame resistant room
Look buddy, this is a capitalist society; if you want to be flamed
then you'll have to earn the flames; we[1] don't give no gratuitous
flames pro bono publico. ;-)
[1] With certain exeptions. Your filter is your friend.
--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Unsolicited bulk E-mail will be subject to legal action. I reserve
the right to publicly post or ridicule any abusive E-mail.
Reply to domain Patriot dot net user shmuel+news to contact me. Do
not reply to spam...@library.lspace.org
======================================= MODERATOR'S COMMENT:
crossposting to news.admin.net-abuse.blocklisting is prohibited by charter
Giblet - USA Resident
>
> We're planning to add a "feature" which limits the number of emails
> sent per day, per domain. If they exceed this, the mail will get
> queueud and it will require human intervention from one of our staff.
> I think that this will eliminate most of this problem,
> spammers/scammers aren't going to be happy when they are limited this
> way. Any comments or suggestions on this?
>
if they are sending directly from your servers, that would help.
Another option to make spammers scurry like cockroaches when the light is
flipped on would be to add to your AUP that you will charge 'clean-up fees'
to their credit card - i.e. $500 per incident.
....unless of course they use a stolen/phished credit card to sign up in the
first place...
--
Gib
Hal Murray
>flipped on would be to add to your AUP that you will charge 'clean-up fees'
>to their credit card - i.e. $500 per incident.
>....unless of course they use a stolen/phished credit card to sign up in the
>first place...
Or charge the reseller. Give them some incentive to not sign up
spammers. (Reseller can collect from spammer if they did their
due-diligence.)
--
The suespammers.org mail server is located in California. So are all my
other mailboxes. Please do not send unsolicited bulk e-mail or unsolicited
commercial e-mail to my suespammers.org address or any of my other addresses.
These are my opinions, not necessarily my employer's. I hate spam.
Seth Breidbart
>We are a pretty large hosting company and *everything* has to be automated.
>We're trying to figure out the best way to do this...
Then you need to figure out how to automate
cancelling/blocking/removing phishing domains/URLs in realtime.
Actually, a heuristic that reports suspicious-looking stuff for human
checking would be fine, so long as it didn't report too much of it.
There are some pretty easy tricks, but the spammers can avoid them if
they know what they are; if you want advice, as me in email.
Seth
Peter Peters
wrote:
>>Let me explain knowing / not knowing who our customers are. Our systems
>>are almost 100% automated. People sign up online, often at one of our
>>partners sites. We then get commands to add/delete domains, etc. from our
>>partners provisioning systems. We do directly sign up some customers,
>>but that is a small percentage of our signups, most are done from our
>>partners and we do not get any information on their customer, other
>>than domain, package type, password and optionally an admin email.
>
>Since you get domain information, can't you have some simple check
>for well-known text strings in domains that contain "citi" or "ebay"
>or "paypal" and whatnot?
The scammers don't use those terms in their own domains. They only use
it in spam they send. I got one of those today:
|<A href="http://www.customerverify.us/scripts/email_verify.htm">https://web.da-us.citibank.com/(...).jsp</A>
But perhaps checking their own spamfolder to check whether domains
hosted at their site are spammed for, could be a good idea.
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
E-Mail Sent to this address will be added to the BlackLists
> In <c025ab26.04050...@posting.google.com>, on 05/08/2004
> at 02:46 PM, goo...@parsec.net (Todd Burroughs) said:
>>Is this the appropriate group to announce removed domains?
>
> In general, the best place is news.admin.net-abuse.bulletins, but if
> you're already on a list then I'd advise cross-posting here with a
> followup-To here instead of to the usual news.admin.net-abuse.email.
http://www.blocklisting.com/faq.html
"As a general rule: Cross-posted articles will not be approved
for NANABl. There are exceptions. (A policy change announcement
by a major DNSbl operator, for example."
http://www.blocklisting.com/
"Cross-posting articles to news.admin.net-abuse.blocklisting
is not allowed; exceptions may be made at the discretion of
the moderators, as for example in the case of FAQ's."
--
E-Mail Sent to this address <Blac...@Griffin-Technologies.net>
will be added to the BlackLists.
axlq in California
Peter Peters <peter....@utwente.nl> wrote:
>>Since you get domain information, can't you have some simple check
>>for well-known text strings in domains that contain "citi" or "ebay"
>>or "paypal" and whatnot?
>
>The scammers don't use those terms in their own domains. They only use
>it in spam they send. I got one of those today:
Yes, that's the point. Megamailservers doesn't send the spam, they
host the domains advertised in the spam. They have announced in
this newsgroup, the cancellation of numerous such domains. I will
bet that NONE of them were advertised in spam originating from
megamailservers.com.
The even bigger point is that they have repeatedly dodged the
question about the identity of this scammer. I think they should at
least publish the info that SHOULD have been in the scammer's whois
records. This blatant protectionism of a criminal is inexcusable,
and leads one to suspect collusion between megamailservers and the
scammer.
The fact that the whois record for many of these domains contained
the same, identical, bogus information suggests that it's the
same customer over and over again, who owned cgi1-yahoo.com,
Paypal-up.com, Pizdacucur.net, Bayzona.com, laptopcretin.net,
ebayupdateform.net, and cgi-ebay-update.com.
-A
Hal Murray
>host the domains advertised in the spam. They have announced in
>this newsgroup, the cancellation of numerous such domains. I will
>bet that NONE of them were advertised in spam originating from
>megamailservers.com.
I have two samples of phish spam from mailrelay.megawebservers.com
NANAS has copies.
Spamvertized web site was
antispam.u26.smartwebinc.com => 216.194.106.38
=> ip-216-194-106-38.affordable-data-center.com
216.194.64.0 - 216.194.111.255 is assigned to tera-byte.com (CA)
traceroute goes through edtnabxldr01.bb.telus.com
That hostname still resolves. Same IP address. It's now in SBL
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL16125
--
The suespammers.org mail server is located in California. So are all my
other mailboxes. Please do not send unsolicited bulk e-mail or unsolicited
commercial e-mail to my suespammers.org address or any of my other addresses.
These are my opinions, not necessarily my employer's. I hate spam.
--
Bill Cole
goo...@parsec.net (Todd Burroughs) wrote:
[...]
> We are a pretty large hosting company and *everything* has to be automated.
> We're trying to figure out the best way to do this...
That's not quite true, and the implied relevant corollaries that you are
too big to have skilled human eyes vette every new signup or keep on top
of abuse mail in a responsible and useful manner is also not quite true.
It may be true (and likely IS true) that these things are not possible
within the constraints of your business model. In other words, you can't
be as big as you would like to be while charging what it would cost to
manage your services in a competent and responsible way.
Since very few of the people who make decisions about whether to accept
mail from your systems stand to gain anything by your financial success
or lose anything by your joining the myriad of mis-planned dotbomb
businesses already long gone, making excuses about being so large that
everything has to be automated and done poorly doesn't really carry a
lot of weight. In the end, you could automate essentially everything,
save money on essentially all of your staff, and be such a trouble
source that no one other than paid transit vendors would accept any of
your packets of any sort.
On the bright side, you don't have to let automated equate to shoddy.
I've spent the last three years automating a corporate Unix environment
to the point where we manage 3 times as many servers running about 5
times as many applications with only 60% more staff, and do a far better
job now than was done then. If you are careful about what you automate
and what you do not automate, it can mean fast, precise, and correct
behavior every time instead of systems that cause trouble so often that
you spend all your time cleaning up messes.
--
Clues for the blacklisted: <http://www.scconsult.com/bill/dnsblhelp.html>
Current Peeve: The mindset that the Internet is some sort of school for novice
sysadmins and that everyone not doing stupid dangerous things
should act like patient teachers with the ones who are.
Shmuel (Seymour J.) Metz
at 04:24 PM, E-Mail Sent to this address will be added to the
BlackLists <Blac...@Griffin-Technologies.net> said:
>http://www.blocklisting.com/
>"Cross-posting articles to news.admin.net-abuse.blocklisting
> is not allowed; exceptions may be made at the discretion of
> the moderators, as for example in the case of FAQ's."
Sorry; in that case I'd advise Todd to post the details to NANAB and a
summary to NANABl, with a reference to the article containing the
details.
--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Unsolicited bulk E-mail will be subject to legal action. I reserve
the right to publicly post or ridicule any abusive E-mail.
Reply to domain Patriot dot net user shmuel+news to contact me. Do
not reply to spam...@library.lspace.org
--
Todd Burroughs
> >I know that our postmaster did not intend to insult anyone, the response
> >to McWebber was supposed to be an apology. I would be insulted as well,
> >please accept our apologies, the comments weren't intended the way they
> >came across.
>
> Fine by, me.
> You must admit, your postmaster has a talent for ticking of other sysadmins.
> (I'm a simple AOLer, and I was offended!)
Yes, after reading previous postings, I agree. I know the person who
is doing postmaster duty and it was not intentional. I mean, if an
AOLer
is offended, we're not doing too good ;-)
We'll try to do better and I will probably stay invlolved now, at
least
reading things regarding our company and making sure we say what we
mean and do
what we say.
> I question your business model.
> Your methods may not be compatable with the 'modern' Internet.
> This is a problem you really, really need to address.
Our business model is high volume, low priced domain services. This
is
web site and email services. We sell it wholesale, so we have to be
efficient. You may not know who we are, but any wholesaler does...
We do have a full time person dealing with spam complaints, the
phishers are
fairly new for us and we will deal with them. We have dealt with
spammers
and are getting better at it, this is something new for us and I will
work
on getting rid of it. I'm sort of a "special projects" person at
hostopia.
> >After having a look at the phishing scammers, I've noticed one partner
> >in particular who is getting a lot of them. I'm certain that they
> >are not doing it themselves (they're pretty well respected but I can't
> >name them for obvious reasons).
>
> Then understant that, as far as the rest of the 'net is concerned, this
> 'partner' does not exist. If you are the one who appears to be holding
> the bag, you ARE the one holding the bag.
I understand that and agree that we are "holding the bag". I just got
involved with this problem, it is new to me for our company, but we
will do whatever it takes to get rid of it. Our CEO/CTO is completely
against spam and scams like this, he's a techie and understands what
we are dealing with. Anyway, that sounds like BS, as I asked before,
give me a chance. Seems that you are...
> (I suspect that if this ever got into a court room, you would still be
> holding the bag.)
Actually, I will do this and see what he says. I'm pretty good at
legal stuff
myself, but will run it through our legal counsel. I need to know
what
to say or not to say myself.
> >We are a pretty large hosting company and *everything* has to be automated.
> >We're trying to figure out the best way to do this...
>
> I question whether that can be, or should be done.
> (But I'm not in your business, have no desire to be in you business,
> and am not the one spending the money to make it work.)
What I mean about "automated", are things like siging up, leaving,
changing package types, etc. We have to do this automatically, as it
is
becoming a commodity and we cannot afford to pay people to do it.
We still have people doing support and dealing with abuse.
> Good luck to you,
>
> Gary G
Thank You,
Todd
Todd Burroughs
> >Yes, that's the point. Megamailservers doesn't send the spam, they
> >host the domains advertised in the spam. They have announced in
> >this newsgroup, the cancellation of numerous such domains. I will
> >bet that NONE of them were advertised in spam originating from
> >megamailservers.com.
>
> I have two samples of phish spam from mailrelay.megawebservers.com
> NANAS has copies.
We try to get rid of spammers who run from our web servers. We're
going
to implement something where a domain can send a limited number per
day, unless they are excluded (we have a few people who send thousands
of legitimate email daily)
It seems that we host the phishing sites, not send the emails. I'm
working on that. I can state this with authority, Hostopia will not
host phishing sites
and we will deal with our current problem with these sites.
Todd
axlq in California
>> you don't seem to realize yet. If you continue to insist on
>> 100% automation, with nobody doing preventive investigation of
>> potential customers, and nobody communicating vital information
>> about bad customers, either internally or publicly, you are
>> doomed to continue experiencing problems. And I doubt you'll get
>> out of the blacklists.
>
>and flag any that looked suspicious. I think I will push this idea
>and make it happen, I noticed that most of the recent scam domains
>where obvious to a human.
That's good. Once again, however, you have dodged the question
concerning the identity of this scammer who seems to have signed
up with your service over and over again. Who is it? Don't claim
privacy; this info SHOULD have been in the scammer's whois records.
Help other ISPs here avoid signing up this scum.
axlq in California
>changing package types, etc. We have to do this automatically, as
>it is becoming a commodity and we cannot afford to pay people to do
>it.
Then you will likely have to face problems with various DNSBLs
because you're trying to automate signups. Due diligence performed
by a human is necessary to prevent customers with a history of abuse
from signing up.
>We still have people doing support and dealing with abuse.
Yes, after it happens. Sometimes long after, judging by the record on
google. That's why you're in SPEWS now.
-A
Todd Burroughs
> In article <7vgu90tih9dfcr77d...@4ax.com>,
> Peter Peters <peter....@utwente.nl> wrote:
> >>Since you get domain information, can't you have some simple check
> >>for well-known text strings in domains that contain "citi" or "ebay"
> >>or "paypal" and whatnot?
We just started looking for terms like this: citibank, ebay, yahoo, aol,
paypal and hotmail. Most of the problem domains don't contain these terms.
> The even bigger point is that they have repeatedly dodged the
> question about the identity of this scammer. I think they should at
> least publish the info that SHOULD have been in the scammer's whois
> records. This blatant protectionism of a criminal is inexcusable,
> and leads one to suspect collusion between megamailservers and the
> scammer.
I've gotten access to information for some domains: royfbaumeister.com,
jonathangbonett.com, douglasburdette.com, laurenshaw.com, safeelogin.com,
lawrencejberman.net. They all appear to be fraudulent credit cards. All
different numbers. The names and addresses are from all over but appear
valid. (I don't mean that they are valid)
Not sure if this helps, but here's an assortment of IP addresses used to
sign up from. The ones I checked are from various places in the US,
192.111.123.247, 64.170.27.197, 216.66.124.1, 64.170.27.197, 66.98.184.83,
66.179.30.138, 65.71.16.97, 66.185.109.130, 172.134.182.9, 64.202.41.120
192.111.123.247
I haven't noticed much of a pattern, other than this person seems to use
domains like firstnamelastname.com. We'll be watching for that pattern.
> The fact that the whois record for many of these domains contained
> the same, identical, bogus information suggests that it's the
> same customer over and over again, who owned cgi1-yahoo.com,
> Paypal-up.com, Pizdacucur.net, Bayzona.com, laptopcretin.net,
I think these are the same person as above. Again, i didn't find a pattern.
ebayupdateform.net and cgi-ebay-update.com may be a different person, but
I don't have any information on them. This is a different partner and I
will see what I can find out.
Todd
Shmuel (Seymour J.) Metz
at 02:07 AM, Bill Cole <bi...@scconsult.com> said:
>If you are careful about what you automate
>and what you do not automate,
It's more important to be careful of how you automate than what you
automate. The problem with a lot of abuse autoresponders is not that
they're automated, but that they're ignorebots. Basically, *anything*
that you automate at the abuse desk must be carefully thought out, all
exceptional cases identified and dealt with, etc.
--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Unsolicited bulk E-mail will be subject to legal action. I reserve
the right to publicly post or ridicule any abusive E-mail.
Reply to domain Patriot dot net user shmuel+news to contact me. Do
not reply to spam...@library.lspace.org
--
McWebber
news:slrnca2ht...@noop.colo.erols.net...
> On 2004-05-11, axlq in California <ax...@spamcop.net> wrote:
> > In article <c025ab26.04051...@posting.google.com>,
> > Todd Burroughs <goo...@parsec.net> wrote:
> >>What I mean about "automated", are things like siging up, leaving,
> >>changing package types, etc. We have to do this automatically, as
> >>it is becoming a commodity and we cannot afford to pay people to do
> >>it.
> >
> > Then you will likely have to face problems with various DNSBLs
> > because you're trying to automate signups. Due diligence performed
> > by a human is necessary to prevent customers with a history of abuse
> > from signing up.
>
> is that the signups are not with mega*servers, but with a
> reseller. I suspect that the reseller only gives minimal information
> to mega*servers (e.g. domain name and package) to mega*servers.
>
> I would suggest to mega*servers that the reseller should give full
> billing information on signup of new customers so that mega*servers
> have an audit trail and can properly handle these phishers
>
Depends on what they're selling. If they are actually selling
megamailservers services and not their own, yes, they should provide that
info. But, if it's a colo type situation, no. My host has no idea and no
right to the information on who I am hosting.
--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003
Peter Peters
wrote:
>Not sure if this helps, but here's an assortment of IP addresses used to
>sign up from. The ones I checked are from various places in the US,
>192.111.123.247, 64.170.27.197, 216.66.124.1, 64.170.27.197, 66.98.184.83,
>66.179.30.138, 65.71.16.97, 66.185.109.130, 172.134.182.9, 64.202.41.120
>192.111.123.247
Probably all owned hosts. I see some .gov hosts there. I think you could
get law enforcment into this because of the use of government hosts for
CC fraude.
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
McWebber
news:c7r92j$prg$3...@blue.rahul.net...
> In article <c025ab26.04051...@posting.google.com>,
> Todd Burroughs <goo...@parsec.net> wrote:
> >What I mean about "automated", are things like siging up, leaving,
> >changing package types, etc. We have to do this automatically, as
> >it is becoming a commodity and we cannot afford to pay people to do
> >it.
>
> Then you will likely have to face problems with various DNSBLs
> because you're trying to automate signups. Due diligence performed
> by a human is necessary to prevent customers with a history of abuse
> from signing up.
It just doesn't happen that way in the real world anymore than registrars
looking over every domain registration by a human. Simple email hosting
accounts being sold for minimal amounts of money all over the world do not
justify human intervention. This month it's megamailservers being used. Next
month it will everyone.net and on and on.
>
> >We still have people doing support and dealing with abuse.
>
> Yes, after it happens.
As is the case with every ISP. Should AOL be put in the DNSBL due to the
spam I've been getting for www.9001hosting.com from AOL accounts?
--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003
Todd Burroughs
> In article <c025ab26.04050...@posting.google.com>,
> goo...@parsec.net (Todd Burroughs) wrote:
> [...]
> > We're trying to figure out the best way to do this...
>
> That's not quite true, and the implied relevant corollaries that you are
> too big to have skilled human eyes vette every new signup or keep on top
> of abuse mail in a responsible and useful manner is also not quite true.
>
> It may be true (and likely IS true) that these things are not possible
> within the constraints of your business model. In other words, you can't
> be as big as you would like to be while charging what it would cost to
> manage your services in a competent and responsible way.
We do have people looking at all transactions to see if they look
suspicious.
This is a cursory look and the people doing it don't read groups like
this.
We started this about a year ago and it has cut down a lot on the
scammers we
let through.
(rant, I hate posting through web, but I haven't got our news working
well
enough /rant)
When I said "*everything* has to be automated", I meant signup, etc.
We still
need people to look for scams. Someone like me has to train them or
at least
tell them what to look for. We screwed up by not having someone like
that
watching.
Since I started looking into this, I've shown them a few more things
to look
for and I have some people digging for info on the scammers (don't
expect
much though).
We are not the "rock bottom price" hosting company, our CFO makes sure
we do things in a sensible way. If we need more resources to deal
with this stuff,
it will have to be worked into the model.
Todd
Todd Burroughs
> goo...@parsec.net (Todd Burroughs) wrote in
> news:c025ab26.04050...@posting.google.com:
>
> <snipped for length purposes>
>
> > I'm going to post this now. If I've missed anything, please let me know
> > and I will respond with no BS. My real email is toddathostopiadotcom.
> > I'm going to sit in my new flame resistant room and wait for your
> > comments ;-)
> >
> > Todd Burroughs
>
> Heres the deal, because I am a fair person, I'm willing to delist
> Hostopia/Mega<something>servers/INFB/etc from the AHBL, provided that you are
> taking care of the situation on your end.
Thank you. I will try not to let you down and I will never bullshit the
group. I may not be able to release some info, but will do my best to
help. I don't like these scams or getting 100+ spams daily, I would love to
nail these people. Maybe we (group) can make things different. We're
(Hostopia) almost (not quite though) large enough to enforce things like
a callback or something to sign up. We aren't big enough to do that yet.
Any ideas on a software solution to this? We could probably do that.
Actually, we're starting to use asterisk, maybe we could make it call back
and tie this into new accounts. Then, we'd have a phone number that should
be more reliable than IP addresses. (This'll be a hard sell to the company
for me...)
Todd
Todd Burroughs
> is that the signups are not with mega*servers, but with a
> reseller. I suspect that the reseller only gives minimal information
> to mega*servers (e.g. domain name and package) to mega*servers.
>
> I would suggest to mega*servers that the reseller should give full
> billing information on signup of new customers so that mega*servers
> have an audit trail and can properly handle these phishers
What information do you think is necessary? From our standpoint, we
need
enough info to deal with abusers, but not enough (from our wholesale
customers point) to steal their customers. We have no intention to
steal customers, but I
would not want to give too much info about my customers to
whoolesalers if I
where our customer. When we get into agreements with someone providing
our customers
some service, we provide as little info as possible.
This is a difficult balance, but if we ask for something reasonable,
we can
quite often get it.
Todd
Peter Peters
wrote:
>Any ideas on a software solution to this? We could probably do that.
>Actually, we're starting to use asterisk, maybe we could make it call back
>and tie this into new accounts. Then, we'd have a phone number that should
>be more reliable than IP addresses. (This'll be a hard sell to the company
>for me...)
I know asterisk and I know it could be tought to behave like this. It
can even say something like "You requested our service through $partner.
Type in the code you received from said $partner." and then check the
code.
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
--
Rex Karz
> g...@erols.com wrote in message news:<slrnca2ht...@noop.colo.erols.net>...
>
>
>>Actually, I suspect automated signups isn't the problem. The problem
>>is that the signups are not with mega*servers, but with a
>>reseller. I suspect that the reseller only gives minimal information
>>to mega*servers (e.g. domain name and package) to mega*servers.
>>
>>I would suggest to mega*servers that the reseller should give full
>>billing information on signup of new customers so that mega*servers
>>have an audit trail and can properly handle these phishers
>
>
> What information do you think is necessary? From our standpoint, we
> need
> enough info to deal with abusers, but not enough (from our wholesale
> customers point) to steal their customers.
In a hierarchical organization, such as provider to reseller to
end customer, I would imagine that *less* detailed information is
required the further up the hierarchy one goes. What mega*servers
is trying to achieve is zero spam from those occupying its IP
space. To that end, mega*servers should, IMHO, not try and micro
manage what information resellers provide to mega*servers, but to
provide the resellers with an "incentive" to not sign up spammers.
As a suggestion, I'd recommend that for each reseller, for each
spammer forced off of mega*servers IP space, that the reseller
forfeit *all* +$INCREMENT revenue from spammers (implies that
mega*servers see the revenue(!)) or that if a reseller signs up $N
spammers per $UNITTIME, then the reseller is terminated, with
earnings forfeit. Let the resellers figure out how to manage
keeping spammers off your network.
You (mega*servers) either do business directly with your end users
or you don't. If you don't sign 'em up directly AND cannot manage
your resellers, then you have no right to exist on the internet.
JMHO,
Rex Karz, ... a pseudonym.
--
The email address is the From: line of this message is a
spamtrap. Mail sent to this address may get the sender's
mailserver listed in one or more DNSBLs. -- Rex Karz
McWebber
news:c025ab26.04051...@posting.google.com...
> Any ideas on a software solution to this? We could probably do that.
> Actually, we're starting to use asterisk, maybe we could make it call back
> and tie this into new accounts. Then, we'd have a phone number that
should
> be more reliable than IP addresses. (This'll be a hard sell to the
company
> for me...)
I'm not sure what your main area is, but if you're getting 98% of your
business from US and Canadian IPs, you might use the country blackholes list
to flag signups from countries like CN, NG, etc. I'm sure someone here could
help you develop such a check in your signup system. I'm still not sure how
you let accounts get activated, or your reseller did, using invalid credit
cards.
--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003
Todd Burroughs
> Todd Burroughs wrote:
> >
> > We're planning to add a "feature" which limits the number of emails
> > sent per day, per domain. If they exceed this, the mail will get
> > queueud and it will require human intervention from one of our staff.
> if they are sending directly from your servers, that would help.
>
> Another option to make spammers scurry like cockroaches when the light is
> flipped on would be to add to your AUP that you will charge 'clean-up fees'
> to their credit card - i.e. $500 per incident.
>
> ....unless of course they use a stolen/phished credit card to sign up in the
> first place...
They're phishers... I can't charge them more, we refund the cards and
take
a loss on all of this. These are all done with fake info and stolen
CC
numbers.
We do get quite a bit of the email sent from our servers and this
limit feature will help. It won't help for the ones who send the
email from other servers.
We have something like this in place to catch spam and it works fairly
well,
but this one will work much better for scammers who use us to send.
Todd
axlq in California
>bullshit the group. I may not be able to release some info, but
>will do my best to help. I don't like these scams or getting 100+
>spams daily, I would love to nail these people. Maybe we (group)
>can make things different. We're (Hostopia) almost (not quite
>though) large enough to enforce things like a callback or something
>to sign up.
...which would accomplish nothing. If they use stolen credit cards
to sign up with your service, they can use stolen credit cards to
pay for a temporary cell phone. Or even an anonymous cell phone
with a prepaid cash card (such "disposable phones" are available all
over Asia, I don't know about the U.S.). They'd use this phone for
the purpose of untraceable callback verification. I know *I* would,
if I were in the phishing business.
You really need to match phone numbers with addresses and identities
on the credit card. The credit card companies have telephone
contact info on their customers. There are also public telephone
directories you can use to verify phone numbers and even make
verification calls.
Some things you just can't automate. If I were a phisher, I'd
ONLY do business with fully-automated ISPs. The inherent security
weaknesses are SO easy to exploit. I think your misguided emphasis
on automating everything has made hostopia attractive to scammers.
>Any ideas on a software solution to this? We could probably do
>that. Actually, we're starting to use asterisk, maybe we could
>make it call back and tie this into new accounts. Then, we'd have
>a phone number that should be more reliable than IP addresses.
>(This'll be a hard sell to the company for me...)
And it likely won't fix the problem, for the reason I stated above.
-A
Perusion Hostmaster
> "Giblet - USA Resident" <useneth...@2mbit.com> wrote in message news:<PvKdnWzrJ_S...@bright.net>...
>> Todd Burroughs wrote:
>> >
>> > We're planning to add a "feature" which limits the number of emails
>> > sent per day, per domain. If they exceed this, the mail will get
>> > queueud and it will require human intervention from one of our staff.
>
>> if they are sending directly from your servers, that would help.
>>
>> Another option to make spammers scurry like cockroaches when the light is
>> flipped on would be to add to your AUP that you will charge 'clean-up fees'
>> to their credit card - i.e. $500 per incident.
>>
>> ....unless of course they use a stolen/phished credit card to sign up in the
>> first place...
>
> They're phishers... I can't charge them more, we refund the cards and
> take a loss on all of this. These are all done with fake info and
> stolen CC numbers.
Start doing AVS and collecting the CVV. That will stop 90% of them.
--
I am convinced that life is 10% what happens to me and 90%
how I react to it. And so it is for you... we are in charge
of our attitudes. -- Charles Swindoll
McWebber
> Some things you just can't automate. If I were a phisher, I'd
> ONLY do business with fully-automated ISPs. The inherent security
> weaknesses are SO easy to exploit. I think your misguided emphasis
> on automating everything has made hostopia attractive to scammers.
Then all automated signups for an ISP, of which there are hundreds, are just
as vulnerable.
--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003
Peter Peters
wrote:
>> Some things you just can't automate. If I were a phisher, I'd
>> ONLY do business with fully-automated ISPs. The inherent security
>> weaknesses are SO easy to exploit. I think your misguided emphasis
>> on automating everything has made hostopia attractive to scammers.
>
>Then all automated signups for an ISP, of which there are hundreds, are just
>as vulnerable.
They are. ISP's don't block certain types of access for that kind of
customers (during the first period) for nothing.
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
--
axlq in California
Todd Burroughs <goo...@parsec.net> wrote:
>> The even bigger point is that they have repeatedly dodged the
>> question about the identity of this scammer. I think they should at
>> least publish the info that SHOULD have been in the scammer's whois
>> records.
>
>jonathangbonett.com, douglasburdette.com, laurenshaw.com, safeelogin.com,
>lawrencejberman.net.
Thank you for addressing this matter of identity.
>They all appear to be fraudulent credit cards.
You seem to have contradicted yourself in an earlier
article, where you wrote: "We block people signing up on
our system based on bad IP addresses and CC numbers (we do
charge the card before giving them service)." (quoted in
http://groups.google.com/groups?selm=1ac.23ef1f44.2dce809c%40aol.com
-- I wish you'd quit disabling google's archiving in your own
posts).
>different numbers. The names and addresses are from all over but appear
>valid. (I don't mean that they are valid)
Are you surprised? These are credit card phishers after all.
>> The fact that the whois record for many of these domains contained
>> the same, identical, bogus information suggests that it's the
>> same customer over and over again, who owned cgi1-yahoo.com,
>> Paypal-up.com, Pizdacucur.net, Bayzona.com, laptopcretin.net,
>
>I think these are the same person as above. Again, i didn't find a pattern.
>
>ebayupdateform.net and cgi-ebay-update.com may be a different person, but
>I don't have any information on them. This is a different partner and I
>will see what I can find out.
See, this is part of the problem. These people are criminals,
using your network to engage in their criminal activity. You're
having trouble figuring out who they are just for the purpose of
posting here. One would think that your company would interested in
identifying the perpetrators who implicate your service in criminal
pursuits, so that you can at least report them to law enforcement
officials. But you've just shown that your company doesn't have the
ability to do even that.
You insist on automation, which creates a massive weakness in
security and integrity, which naturally gets exploited, and results
in a DNSBL listing.
The trouble you're having identifying these criminals should lead
you to conclude that NO effort was made to confirm their identities
when they were signed up. Perhaps a policy change is in order here,
requiring that credit cards be confirmed. Matching phone numbers
against addresses would be a start.
Perhaps you should also implement a policy that prohibits your
company and partners from hosting domains that don't have
valid contact information. This requires non-automated, human
involvement, to check whois records of every new domain.
-A
to...@linux.local
>
> I have two samples of phish spam from mailrelay.megawebservers.com NANAS
> has copies.
>
> Spamvertized web site was
> antispam.u26.smartwebinc.com => 216.194.106.38
> => ip-216-194-106-38.affordable-data-center.com
> 216.194.64.0 - 216.194.111.255 is assigned to tera-byte.com (CA)
> traceroute goes through edtnabxldr01.bb.telus.com
>
> That hostname still resolves. Same IP address. It's now in SBL
> http://www.spamhaus.org/SBL/sbl.lasso?query=SBL16125
spamhaus.org does not seem to be co-operating with my browser, so
I can't find this entry right now.
Almost everything coming through our "mailrelay" servers will have
the real domain name in the headers. These servers relay stuff from
our web systems. There is an exception to having the real domain in
there, but I'm not going to announce that... We're working on it,
but don;t have source code. If it shows
somedomain@web*.megawebserevrs.com, that domain is very likely the one
that sent the mail.
We also add a header to all (most, there seems to be some bug that
lets some get through, but we haven't figured it out yet...) mail
relayed through us that adds the user who either authenticated
via SMTP AUTH or via "POP before sending". The pop user isn't
the correct one for sure, it's the last user who popped email
from that IP address. Usually correct, but if there's some kind of
proxy, it could be wrong. The authenticated user should be
authoritative.
Todd
Todd Burroughs
> "Todd Burroughs" <goo...@parsec.net> wrote in message
> news:c025ab26.04051...@posting.google.com...
> > Any ideas on a software solution to this? We could probably do that.
> business from US and Canadian IPs, you might use the country blackholes list
> to flag signups from countries like CN, NG, etc. I'm sure someone here could
We do block signups from a lot of countries. We use GeoIP and they are
told to call an 800 number if they're from one of our "blocked countries".
This reduced a lot of the problem with CC fraud.
The batch that I am looking at signed up from various US addresses.
I have more info on them, will post separately.
Todd
to...@linux.local
asking about. When we delete a site, we keep it in a holding area for
about a month for recovering content from mistakes... I found several of
these domains, copied them and looked through the code. I also dug
through some logs to see who first accessed the site, as I figure that is
most likely the site owner. I think that the scammer wasn't as careful as
they where when signing up. You'll see the pattern below, but again, I
don't know if it will be of much use.
Seems that they may live in Romania or somewhere nearby.
What I'm posting below is in this format:
domain name
first access log entries (if any, just IP and timestamp)
any emails that the forms sent to, if any
any URLs mentioned in the code that seemed suspicious
Our servers are all running ntpd and keep accurate time. I have
the data that is reported below. If you have anything else to
look for, let me know. I mentioned before, my real email is
toddathostopiadotcom.
auction-ebay.us
ac9052b1.ipt.aol.com - - [17/Apr/2004:04:24:37 -0400]
auctionliveupdate.com
aca7e5a0.ipt.aol.com - - [19/Apr/2004:16:20:56 -0400]
quadt...@yahoo.com
auctionsitesupdate.com
ac8373bd.ipt.aol.com - - [20/Apr/2004:06:57:32 -0400]
quadt...@yahoo.com
storezbay.com
ac99143d.ipt.aol.com - - [23/Apr/2004:17:47:19 -0400]
usernr...@yahoo.com
database-update.com
80.97.211.207 - - [25/Apr/2004:01:40:22 -0400]
whois info: SC Artelecom SA, Bucharest, Romania
masadet...@yahoo.com
papalacioaca.com
cache-rh05.proxy.aol.com - - [07/Apr/2004:05:24:09 -0400]
cardu...@yahoo.com
habibu.com
65.173.161.165 - - [18/Apr/2004:21:07:52 -0400]
whois: MOBILEARIA, MOUTNAIN VIEW, CA
82.114.67.194 - - [18/Apr/2004:21:10:49 -0400]
whois: KIS-NET-KS, KUJTESA NETWORK, CS
laurenshaw.com
66.98.184.83 - - [25/Apr/2004:09:13:38 -0400]
whois: Everyones Internet, Houston, TX
tmobil...@yahoo.com
These two URLs are in some of the code:
a href=http://cgi4-ebay.host.sk/index.html
img src=http://t-mobile-inc.com/click.jpg
niggamp3z.com (AOL -sending spam)
82.114.67.194 - - [17/Apr/2004:16:45:47 -0400]
whois: KIS-NET-KS, KUJTESA NETWORK, CS
URLs in the spam:
href="http://aolserver2.com/css_ms00.css"
a href="http://aolserver2.com/billing.html"
paypal-webscr.com (sending spam)
svctdb15.dot.ca.gov - - [24/Apr/2004:08:37:44 -0400]
82.114.67.194 - - [24/Apr/2004:18:23:12 -0400]
safeelogin.com
home-136132.b.astral.ro - - [23/Apr/2004:17:21:28 -0400]
82.208.176.75 - - [24/Apr/2004:06:51:41 -0400]
whois: ASTRAL-BUC-Cable, Astral Telecom Bucuresti, RO
cardu...@yahoo.com
cardu...@yahoo.com
URL mentioned:
img src="http://www.gnasher.34SP.com/images/eBay-wellcome-visa.gif"
The Signup info below is from one of our partners. I haven't got an IP
yet and am not sure if the "Title: / Company:" section was changed to
indicate that they where deleted. Basically, the info is fake, CC info is
fake.
cgi-ebay-update.com
Emails from forms on site:
grimobs...@yahoo.com
thesto...@yahoo.com
Signup info:
First Name:Karen
Last Name:Myers
Title:VIOLATION-SECURITY DEPT
Email addr:off...@cutetexan.com
ebayupdateform.net
213.157.178.74 - - [12/Mar/2004:03:22:23 -0500]
whois: ORG-RA18-RIPE, RDSNET PROVIDER Local Registry, RO
www.crdnet.ro - - [12/Mar/2004:03:32:17 -0500]
Emails from forms on site:
dr...@hotmail.com
URLs:
a href="http://hosting.vosn.net/%7Ealayman/images/"
http://211.220.223.189/images/ebay/truste_button.gif
whois: KORNET, Korea
http://213.190.47.180/verification/ebay2.htm"
Hostname: senas.tiltas.lt
Signup info:
First Name:Elisabeth
Last Name:Molle
Company:VIOLATION SECURITY DEPT.
Email addr:dr...@hotmail.com
Perusion Hostmaster
> I have some more info on some deleted domains that you have been
> asking about. When we delete a site, we keep it in a holding area for
> about a month for recovering content from mistakes... I found several of
> these domains, copied them and looked through the code. I also dug
> through some logs to see who first accessed the site, as I figure that is
> most likely the site owner. I think that the scammer wasn't as careful as
> they where when signing up. You'll see the pattern below, but again, I
> don't know if it will be of much use.
>
> Seems that they may live in Romania or somewhere nearby.
No surprise, the Internet fraud capital of the world.
Perhaps you could do what I do, just blackhole all of Romania at the
router. It has cut my scans by a significant percentage, and I have
had one complaint in 8 months.
--
Light travels faster than sound. This is why some people appear bright
until you hear them speak. -- unknown
Todd Burroughs
> In article <c025ab26.04051...@posting.google.com>, Todd
> Burroughs <goo...@parsec.net> wrote:
>
> Thank you for addressing this matter of identity.
>
>>They all appear to be fraudulent credit cards.
>
> You seem to have contradicted yourself in an earlier article, where you
> wrote: "We block people signing up on our system based on bad IP addresses
> and CC numbers (we do charge the card before giving them service)."
> (quoted in
> http://groups.google.com/groups?selm=1ac.23ef1f44.2dce809c%40aol.com -- I
> wish you'd quit disabling google's archiving in your own posts).
I've switched to my own news server partly because I didn't see my own
posts in google. (I thought maybe google was doing it with cookies or
something and it was very annoying) That wasn't intentional, I don't
like web interfaces and probably clicked something by mistake. Now
I'll have to log in and see what I did... Our server seems to be working
properly now (and I fixed my name in Pan), so this shouldn't happen
anymore.
We block people based on country, using GeoIP, bad CC numbers and bad IPs.
The "bad lists" are done by hand. We also automatically block IPs, based
on failed attempts, etc.
I saw one of these domains hit the failed attempt limit, then move to
new IP. There's too many owned boxes out there.
We charge all cards before enabling service, but if the card is not
reported as stolen/invalid, it still works.
>>different numbers. The names and addresses are from all over but appear
>>valid. (I don't mean that they are valid)
>
> Are you surprised? These are credit card phishers after all.
I'm not surprised at all, I mentioned in another post, they can easily
provide me with perfectly valid information, since a lot of people fall
for the scam. We try to be proactive, but it ends up that we have to be
reactive to most of these things. If we make it too much hassle for the
scammers, they will move on to someone else. That's great for us, but how
do we stop them globally?
> See, this is part of the problem. These people are criminals, using your
> network to engage in their criminal activity. You're having trouble
> figuring out who they are just for the purpose of posting here. One would
> think that your company would interested in identifying the perpetrators
> who implicate your service in criminal pursuits, so that you can at least
> report them to law enforcement officials. But you've just shown that your
> company doesn't have the ability to do even that.
They seem to be from Romania or somewhere near. Our US ar Canadian law
enforcement isn't going to be able to do much. They sign up from US IP
addresses, but the people who own the computers thay use probably are
running one of the worms that are rampant right now. Unfortunately, that
is the state of the Internet, anyone can get on it and some software
vendors don't (just my opinion) make some changes that would help because
it might make their product harder to use. It's the "ease of use" vs.
security thing. I'm not just blaming Microsoft, we do the same thing.
Our service has to be easy to use, Linux vendors, etc. are going the same
way.
The problem is that there isn't much accountability on the Internet.
That's a good thing, I think the Net has helped a lot in the freedom of
speech area, but it's a bad thing for people trying to fight spam and
scams.
> You insist on automation, which creates a massive weakness in security and
> integrity, which naturally gets exploited, and results in a DNSBL listing.
>
> The trouble you're having identifying these criminals should lead you to
> conclude that NO effort was made to confirm their identities when they
> were signed up. Perhaps a policy change is in order here, requiring that
> credit cards be confirmed. Matching phone numbers against addresses would
> be a start.
>
> Perhaps you should also implement a policy that prohibits your company and
> partners from hosting domains that don't have valid contact information.
> This requires non-automated, human involvement, to check whois records of
> every new domain.
As I've mentioned, domains and hosting are becoming a commodity. We do
have humans looking at some things and I am open to more checks, etc. I
can have them look for other things or patterns. Most of our signups come
from our partners, we get sent commands from their provisioning systems.
I'm not sure how we can cost effectively verify everything. There is
another thread about "throw away cell phones". A phisher gets all the
right info, we call their anonymous phone and we're no better off, but we
just blew a couple months of revenue per account...
Todd
Peter Peters
wrote:
>I saw one of these domains hit the failed attempt limit, then move to
>new IP. There's too many owned boxes out there.
At least have your system trigger when somebody hops from a blocked to a
new IP. And perhaps report that IP to the provider as "possibly owned".
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
--
axlq in California
Perusion Hostmaster <na...@perusion.net> wrote:
>>
>> They're phishers... I can't charge them more, we refund the cards and
>> take a loss on all of this. These are all done with fake info and
>> stolen CC numbers.
>
>Start doing AVS and collecting the CVV. That will stop 90% of them.
Er.. in English please, for the rest of us...?
-A
Perusion Hostmaster
> In article <slrnca5kr6...@bill.heins.net>,
> Perusion Hostmaster <na...@perusion.net> wrote:
>>>
>>> They're phishers... I can't charge them more, we refund the cards and
>>> take a loss on all of this. These are all done with fake info and
>>> stolen CC numbers.
>>
>>Start doing AVS and collecting the CVV. That will stop 90% of them.
>
> Er.. in English please, for the rest of us...?
If don't do online credit card verification, you don't need to know.
If you do, you should know. 8-)
But you are probably right as there might be people following
this who are just interested.
AVS stands for Address Verication System. Basically, it means you pick
the numbers out of an address and verify it against what is in the
billing address for the card holder. If your address is
123 Main St. Apt #2
Anytown, AS 55555
the AVS value is 123255555. (Zip + 4 is stripped).
You can get back, usually, any of several status values that are
dependent on your gateway software. Typically they are Y) AVS complete
match, Z) AVS zip match, and N)AVS mismatch. You can decide whether to accept
the transaction anyway or reject it based on this, and your software can
flag AVS != Y for manual verifcation if you program it that way.
CVV stands for Credit card Verification Value, and is the 3-7 digit
number printed on your mag strip (i.e. not on the impression or
on a scanned sales slip). If you collect this, you can be somewhat
more confident that you have a real card and not a stolen one.
Unfortunately, many ecommerce programs have their head up their
butt and don't trash this value, but write it to disk.
It is stupid and negligent to write any CC info to disk unencrypted, but
many programs do it (or write it to a database). My program only writes
it to disk if it is encrypted with strong (PGP/GPG) encryption.
--
Fast, reliable, cheap. Pick two and we'll talk. -- unknown
axlq in California
Todd Burroughs <use...@parsec.net> wrote:
>They seem to be from Romania or somewhere near. Our US ar Canadian law
>enforcement isn't going to be able to do much. They sign up from US IP
>addresses, but the people who own the computers thay use probably are
>running one of the worms that are rampant right now. Unfortunately, that
>is the state of the Internet, anyone can get on it and some software
>vendors don't (just my opinion) make some changes that would help because
>it might make their product harder to use. It's the "ease of use" vs.
>security thing. I'm not just blaming Microsoft, we do the same thing.
>Our service has to be easy to use, Linux vendors, etc. are going the same
>way.
You have succinctly described your predicament, and I appreciate your
candor.
I gotta wonder what it is about hostopia that has suddenly attracted
phishers? The only thing that came to my mind was the automation
and transparency in the sign up process. If you can adjust the
automation to avoid signing these people up, more power to you. But
for now you might consider eating a bit of profit margin and hiring
a few extra bodies to conduct investigations as preventive measures.
Perhaps a "forced delay" step in the automated process, where the
customer has to wait a day or so before service starts "for the
purpose of verification" would help scare the scammers off, but
minimally inconvenience your legitimate customers.
>I'm not sure how we can cost effectively verify everything. There is
>another thread about "throw away cell phones". A phisher gets all the
>right info, we call their anonymous phone and we're no better off, but we
>just blew a couple months of revenue per account...
I think I started that topic. The point I was making is that the
throw-away cell phone number will likely NOT match the telephone
number associated with a stolen credit card. It's an easy check,
but not easy to automate.
-A
Gizeorge
<to...@linux.local> wrote in message
news:pan.2004.05.13....@linux.local...
> I have some more info on some deleted domains that you have been
> asking about. When we delete a site, we keep it in a holding area for
> about a month for recovering content from mistakes... I found several of
> these domains, copied them and looked through the code. I also dug
> through some logs to see who first accessed the site, as I figure that is
> most likely the site owner. I think that the scammer wasn't as careful as
> they where when signing up. You'll see the pattern below, but again, I
> don't know if it will be of much use.
Todd, when you look through the code, I am betting there is something in
common, a bit of jscript or something, between all the sites. Have you
thought about setting up a search of the html and site code that is
uploaded, looking for these sites as they are put up?
You might also want to have your affiliates, or yourself, check the
connecting IP address during signup against various DNSbl services. It's
probably likely that criminals would sign up and stick their browser behind
the same proxies and abused machines that spammers do.
It's automatable to get a reasonable assertion that a proxied machine had
suspect code uploaded to a site. That should trigger human interest.
Besides disabling the sites I bet you could then ask American law
enforcement to set up for a sting. Romania is far away, but it's not beyond
the grasp. American requests there may not merit extradition, but they may
be locally handled by the Romanians.
-g
axlq in California
Perusion Hostmaster <na...@perusion.net> wrote:
>In article <pan.2004.05.13....@linux.local>, to...@linux.local wrote:
>
>No surprise, the Internet fraud capital of the world.
>
>Perhaps you could do what I do, just blackhole all of Romania at the
>router. It has cut my scans by a significant percentage, and I have
>had one complaint in 8 months.
What are the Romanian IP address ranges? They're not listed on
blackholes.us.
-A
AndrewR
> In article <slrnca8hsu...@bill.heins.net>,
> Perusion Hostmaster <na...@perusion.net> wrote:
>
>>In article <pan.2004.05.13....@linux.local>, to...@linux.local wrote:
>>
>>>Seems that they [phishers] may live in Romania or somewhere nearby.
>>
>>No surprise, the Internet fraud capital of the world.
>>
>>Perhaps you could do what I do, just blackhole all of Romania at the
>>router. It has cut my scans by a significant percentage, and I have
>>had one complaint in 8 months.
>
>
> What are the Romanian IP address ranges? They're not listed on
> blackholes.us.
>
ro.countries.nerd.dk and ro.rbl.cluecentral.net are both lists of
Romanian IP addresses. You can replace ro with any other country code
in both cases and it should work.
Andrew
--
http://www.andrewr.co.uk/contact.shtml
"If one man offers you democracy and another offers you a bag of grain,
at what stage of starvation will you prefer the grain to the vote?" -
Bertrand Russell
"...the police had unconstrained power to treat everyone in London as a
terrorist, and stop, search and hold them without cause or reasonable
suspicion." -
http://observer.guardian.co.uk/comment/story/0,6903,1071346,00.html
I am not a lawyer, nor am I SPEWS, nor do I speak for anyone other than
myself.
Martijn Lievaart
> It is stupid and negligent to write any CC info to disk unencrypted, but
> many programs do it (or write it to a database). My program only writes it
> to disk if it is encrypted with strong (PGP/GPG) encryption.
Standard procedures should also dictate that this happens on a seperate
machine, in a seperate DMZ, using a protocol between those machines that
will never ever hand out information it should not hand out. That machine
should be protected by multiple protection mechanisms. Webservers are to
often compromised not to take these precautions.
Actually this is just common sense. But commerce is generally not known
for its common sense.
M4
Dick Cardy
"Perusion Hostmaster" <na...@bill.perusion.com> wrote in message
news:slrncaa4if...@bill.heins.net...
> CVV stands for Credit card Verification Value, and is the 3-7 digit
> number printed on your mag strip (i.e. not on the impression or
> on a scanned sales slip).
Also called CVC. Not on the mag stripe it is on the signature stripe.
Dick
Perusion Hostmaster
> In article <slrnca8hsu...@bill.heins.net>,
> Perusion Hostmaster <na...@perusion.net> wrote:
>>In article <pan.2004.05.13....@linux.local>, to...@linux.local wrote:
>>> Seems that they [phishers] may live in Romania or somewhere nearby.
>>
>>No surprise, the Internet fraud capital of the world.
>>
>>Perhaps you could do what I do, just blackhole all of Romania at the
>>router. It has cut my scans by a significant percentage, and I have
>>had one complaint in 8 months.
>
> What are the Romanian IP address ranges? They're not listed on
> blackholes.us.
I got my list at countries.nerd.dk, I believe. This is what I
have right now:
62.217.192.0/18 194.102.32.0/19
62.231.64.0/18 194.102.64.0/18
80.86.96.0/20 194.102.128.0/17
80.86.112.0/20 194.105.0.0/19
80.96.0.0/15 194.153.224.0/19
81.12.128.0/17 194.176.160.0/19
81.18.64.0/20 212.35.128.0/19
81.18.80.0/20 212.54.96.0/19
81.89.0.0/20 212.93.128.0/19
81.180.0.0/15 212.146.64.0/18
81.196.0.0/16 213.154.96.0/19
82.76.0.0/14 213.154.128.0/19
82.137.0.0/18 213.157.160.0/19
82.208.128.0/18 213.164.224.0/19
193.226.0.0/18 213.233.64.0/18
193.226.64.0/18 217.10.192.0/20
193.226.128.0/18 217.10.208.0/20
193.230.0.0/16 217.13.96.0/20
193.231.0.0/18 217.19.0.0/20
193.231.64.0/18 217.73.160.0/20
193.231.128.0/17 217.156.0.0/17
193.254.32.0/19
--
Prove you aren't stupid. Say NO to Passport.