ProntoHost Suspended Me -- Your feedback please




Posted by matador, 11-24-2007, 02:26 PM
Hi, I have waited a few days, but I can wait no longer for the community's feedback on this. I feel I have been wrongly suspended (for spamming). I shall explain the story.

I ordered a Reseller account on November 8th. 'Kev' restored my cPanel backups in a very timely manner. Everything seemed to be going well until Nov. 23rd. I was attempting to check my email, and unable to get authenticated. So I logged a support ticket.

Please note the IPs associated with myself and the server are: 72.249.86.13 & 72.249.86.14

$ host 72.249.86.13 = nexus.prontohost.net

It should also be noted that I have a SpamCop account myself, that I report spam to on a daily basis. So of all people to accuse of spamming/being a part of the spammers, I find to be extremely insulting.

Marcello Macciacchera Client Posted: 23/11/2007 05:57
Hi, I usually use IMAP or IMAP over TLS/SSL to check mail. Unable to do so, I tried webmail. http://72.249.86.13:2095/login/ This also is not working at the moment. Please look into, thanks.

I then received this:

Kevin Conlin Staff Posted: 23/11/2007 07:59
Hello, All your accounts have been terminated for repeated spam. Spam from the following accounts were detected: askmatador ontario miernicki This is completely unacceptable, these accounts sent more than 12000 spam messages. This decision will not be overturned, you will receive an invoice for the destruction the spam messages have caused to our business. Kevin ProntoHost http://ProntoHost.net

I was never informed of any evidence/warning of the spam up to this point, and am feeling really insulted. It should be noted that of all these 3 accounts accused, 2 especially had me scratching my head. The first 2. The last one (miernicki) is a friend's domain that his family members have email accounts on. So that could be a possibility, maybe it got hacked or something.

--------------
Summary of accounts accused:

askmatador = askmatador.com
My own personal domain I use mainly for email. Although recently, using Fantastico, I set up a personal wallpaper collection for myself using Gallery. I am currently in Italy, and I use the ISP's outgoing mail server for sending mail (out.alice.it). Back in my home town of Toronto, I would always use the local ISP's as well (Rogers). As they block all else on port 25 anyway. How could AskMatador be exploited for spamming? I figured, ok maybe the gallery, since Fantastico only has it up to 2.2.2 and we are at 2.2.3 now.

ontario = ontarioperformance.com
Site is all/mostly HTML, and redirects to the client's new site, hosted on a dedicated server at another ISP. Doesn't use much for email as far as I know, uses new domain. Maybe had some old mail php script or cgi on the site that got exploited? Ok, let's disable it, if it was the case. Not suspend all the service, for every account with no turning back.
---------------

I'll continue with further raw postings from the current exchange.

Marcello Macciacchera Client Posted: 23/11/2007 11:56
Spam???? Could I get some evidence so I can look into what would be causing this? AskMatador = AskMatador.com; this is my personal domain I use just for email w/ matador@askmatador.com I don't even have a website on it or anything. I do not understand this. Please contact me on MSN or something so I can see details on where this would be coming from. Thanks, Marshall M.

Marcello Macciacchera Client Posted: 23/11/2007 12:04
Further to this, I don't see an email in my yahoo mailbox concerning any details on spam. And *IF* these 3 accounts were spamming, why weren't just those suspended, and others left alone pending an investigation? This is not making sense. Please contact me ASAP. I repeatedly forward spam emails that I get to my SpamCop account. I am the last person that would accept spamming. This is just crazy! Marcello

I don't want to get this first post too long. I will reply/post again with the evidence.

Posted by matador, 11-24-2007, 02:40 PM
Here is the evidence that was provided. So far as I can see, I do not see the ProntoHost IPs, PHP scripts usually exploited for spam mailers, or anything tracing back to them. These are just 'normal' spoofed mails being sent from different ISPs using spoofed email addresses. As you know from the earlier post, the IPs I was assigned on the server are: 72.249.86.13 & 72.249.86.14

Evidence provided:

Kevin Conlin Staff Posted: 23/11/2007 18:00

Received: from bay0-omc2-s7.bay0.hotmail.com ([65.54.246.143] helo=bay0-omc2-s7.bay0.hotmail.com) by ASSP.nospam; 23 Nov 2007 04:18:46 -0500
Received: from bay0-mc7-f2.bay0.hotmail.com ([65.54.244.202]) by bay0-omc2-s7.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 23 Nov 2007 01:18:46 -0800
From: postmaster@hotmail.com
To: Marikka@miernicki.com
Date: Fri, 23 Nov 2007 01:18:44 -0800
MIME-Version: 1.0
X-DSNContext: 335a7efd - 4480 - 00000001 - 80040546
Message-ID:
Subject: Delivery Status Notification (Failure)
Return-Path: <>
X-OriginalArrivalTime: 23 Nov 2007 09:18:46.0864 (UTC) FILETIME=[D9EBF500:01C82DB1]

This is a MIME-formatted message. Portions of this message may be unreadable without a MIME-capable mail program.

--9B095B5ADSN=_01C82D1983F2953500018A9Ebay0?mc7?f2.bay0
This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed.

dbsbt3@msn.com

--9B095B5ADSN=_01C82D1983F2953500018A9Ebay0?mc7?f2.bay0
Reporting-MTA: dns;bay0-mc7-f2.bay0.hotmail.com
Received-From-MTA: dns;BSN-142-248-185.dial-up.dsl.siol.net
Arrival-Date: Fri, 23 Nov 2007 01:18:43 -0800

Final-Recipient: rfc822;dbsbt3@msn.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 Requested action not taken: mailbox unavailable (907639705:2774:0)

--9B095B5ADSN=_01C82D1983F2953500018A9Ebay0?mc7?f2.bay0
Received: from BSN-142-248-185.dial-up.dsl.siol.net ([89.142.190.130]) by bay0-mc7-f2.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Fri, 23 Nov 2007 01:18:43 -0800
Received: from dimitrij-a41374 by miernicki.com with ASMTP id 2D86CB0E for ; Fri, 23 Nov 2007 10:19:17 +0100
Received: from dimitrij-a41374 ([158.161.137.65]) by miernicki.com with ESMTP id E9A3B10A8444 for ; Fri, 23 Nov 2007 10:19:17 +0100
Message-ID: <000601c82db1$d9d5ade0$b9f88e59@dimitrija41374>
From: "Marikka Mesman"
To:
Subject: tritium1
Date: Fri, 23 Nov 2007 10:18:46 +0100
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Return-Path: Marikka@miernicki.com
X-OriginalArrivalTime: 23 Nov 2007 09:18:44.0279 (UTC) FILETIME=[D8618470:01C82DB1]

Get ready for Christmas holidays nights. Dont miss a EDPRICECUT http://smileeat.com/
Get ready for Christmas holidays = nights. Dont=20 miss a EDPRICECUT HREF=3D"http://smileeat.com/">http://smileeat.com/ >

--9B095B5ADSN=_01C82D1983F2953500018A9Ebay0?mc7?f2.bay0--
.

Kevin Conlin Staff Posted: 23/11/2007 18:04

Received: from baracuda.salvationarmy.org ([217.196.236.71] helo=baracuda.salvationarmy.org) by ASSP.nospam; 23 Nov 2007 04:20:03 -0500
MIME-Version: 1.0
From: Barracuda Spam Firewall - IHQ
Message-Id: <000901c82db2$02a9f320$b9f88e59@dimitrija41374>
Subject: **Message you sent blocked by our bulk email filter**
To:
Date: Fri, 23 Nov 2007 09:19:54 +0000 (GMT)

------------=_1195809594-8247-61
Content-Disposition: inline

WW91ciBtZXNzYWdlIHRvOiBhcm15c2hhbm5vbl9ob3dhcmRAdXNzLnNhbHZh dGlvbmFybXkub3JnCndhcyBibG9ja2VkIGJ5IG91ciBTcGFtIEZpcmV3YWxs LiBUaGUgZW1haWwgeW91IHNlbnQgd2l0aCB0aGUgZm9sbG93aW5nIHN1Ympl Y3QgaGFzIE5PVCBCRUVOIERFTElWRVJFRDoKClN1YmplY3Q6IHRyYXdyZW51 Cgo=

------------=_1195809594-8247-61
Content-Disposition: inline
Content-Description: Delivery error report

Reporting-MTA: dns; baracuda.salvationarmy.org
Received-From-MTA: smtp; baracuda.salvationarmy.org ([127.0.0.1])
Arrival-Date: Fri, 23 Nov 2007 09:19:54 +0000 (GMT)

Final-Recipient: rfc822; armyshannon_howard@uss.salvationarmy.org
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=08247-01-71
Last-Attempt-Date: Fri, 23 Nov 2007 09:19:54 +0000 (GMT)

------------=_1195809594-8247-61
Content-Disposition: inline
Content-Description: Undelivered-message headers

Received: from BSN-142-248-185.dial-up.dsl.siol.net (localhost [127.0.0.1]) by baracuda.salvationarmy.org (Spam Firewall) with ESMTP id AE84A5B9A47 for ; Fri, 23 Nov 2007 09:19:51 +0000 (GMT)
Received: from BSN-142-248-185.dial-up.dsl.siol.net (BSN-142-190-130.dial-up.dsl.siol.net [89.142.190.130]) by baracuda.salvationarmy.org with ESMTP id Nrq3OrnbEQEW37NB for ; Fri, 23 Nov 2007 09:19:51 +0000 (GMT)
Received: by 10.55.78.141 with SMTP id aamJNfwgSMAGE; Fri, 23 Nov 2007 10:20:00 +0100 (GMT)
Received: by 192.168.230.112 with SMTP id oVaRddbflscRuG.6930216179183; Fri, 23 Nov 2007 10:19:58 +0100 (GMT)
Message-ID: <000901c82db2$02a9f320$b9f88e59@dimitrija41374>
From: "Christien Hovorak"
To: armyshannon_howard@uss.salvationarmy.org
Subject: trawrenu
Date: Fri, 23 Nov 2007 10:19:55 +0100
Message-ID: <000901c82db2$02a9f320$b9f88e59@dimitrija41374>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962

------------=_1195809594-8247-61--

Kevin Conlin Staff Posted: 23/11/2007 18:07

Received: from phoenix.adsoft ([69.64.68.2] helo=phoenix.adsoft) by ASSP.nospam; 22 Nov 2007 18:09:05 -0500
Received: from localhost (localhost) by phoenix.adsoft (8.13.7/8.13.7) id lAMN95kM017091; Thu, 22 Nov 2007 15:09:05 -0800
Date: Thu, 22 Nov 2007 15:09:05 -0800
From: Mail Delivery Subsystem
Message-Id: <200711222309.lAMN95kM017091@phoenix.adsoft>
To:
MIME-Version: 1.0
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--lAMN95kM017091.1195772945/phoenix.adsoft

The original message was received at Thu, 22 Nov 2007 15:09:03 -0800 from 071-198-40-89.LAN.Netlink.Vaslui.net [89.40.198.71]

----- The following addresses had permanent fatal errors -----
(reason: 553 5.3.0 ... no such user)

----- Transcript of session follows -----
.... while talking to mail.adsoft-development.com.:
>>> DATA
<<< 553 5.3.0 ... no such user
550 5.1.1 ... User unknown
<<< 503 5.0.0 Need RCPT (recipient)

--lAMN95kM017091.1195772945/phoenix.adsoft

Reporting-MTA: dns; phoenix.adsoft
Received-From-MTA: DNS; 071-198-40-89.LAN.Netlink.Vaslui.net
Arrival-Date: Thu, 22 Nov 2007 15:09:03 -0800

Final-Recipient: RFC822; henry@adsoft-development.com
Action: failed
Status: 5.3.0
Remote-MTA: DNS; mail.adsoft-development.com
Diagnostic-Code: SMTP; 553 5.3.0 ... no such user
Last-Attempt-Date: Thu, 22 Nov 2007 15:09:05 -0800

--lAMN95kM017091.1195772945/phoenix.adsoft

Return-Path:
Received: from acasa-5228ba965 (071-198-40-89.LAN.Netlink.Vaslui.net [89.40.198.71]) by phoenix.adsoft (8.13.7/8.13.7) with ESMTP id lAMN91kM017008 for ; Thu, 22 Nov 2007 15:09:03 -0800
Received: from [89.40.198.71] by ontarioperformance.com; Fri, 23 Nov 2007 01:08:48 +0200
Date: Fri, 23 Nov 2007 01:08:48 +0200
From: "Kenneth Capps"
X-Mailer: The Bat! (v3.0) Professional
Reply-To: jontarioperformancem@ontarioperformance.com
X-Priority: 3 (Normal)
Message-ID: <760173757.06567733948863@ontarioperformance.com>
To: henry@hoteldir.org
Subject: Order meds with pleasure and make significant savings
MIME-Version: 1.0

------------1DA758B6E901DA
Dear valued member. We are grateful to all our devoted customers, and to show our appreciation CanadianPharmacy introduced really amazing seasonal discounts. Only during the summer period - all the products from really impressive selection for a half price. CanadianPharmacy is a reliable Canadian online store that sells products at cheap costs. Order products at a time that suits you, from your home or office, easy and confidentially here. Top quality products from the world known manufactures. Professional customer care service, fast delivery. We are flexible and take care of every customer. http://batnature.com Yours faithfully, Kenneth Capps
------------1DA758B6E901DA
Dear valued member. We are grateful to all our devoted customers, and to show our appreciation CanadianPharmacy

Kevin Conlin Staff Posted: 23/11/2007 18:08

Received: from barracuda.conveyorhandling.com ([70.17.253.128] helo=barracuda.conveyorhandling.com) by ASSP.nospam; 22 Nov 2007 17:53:18 -0500
MIME-Version: 1.0
From: Barracuda Spam Firewall
Message-Id: <221358974.71059361505075@ontarioperformance.com>
Subject: **Message you sent blocked by our bulk email filter**
To:
Date: Thu, 22 Nov 2007 17:53:18 -0500 (EST)

------------=_1195771998-29520-1
Content-Disposition: inline

WW91ciBtZXNzYWdlIHRvOiB0Y2Fycm9sbEBjb252ZXlvcmhhbmRsaW5nLmNv bQp3YXMgYmxvY2tlZCBieSBvdXIgU3BhbSBGaXJld2FsbC4gVGhlIGVtYWls IHlvdSBzZW50IHdpdGggdGhlIGZvbGxvd2luZyBzdWJqZWN0IGhhcyBOT1Qg QkVFTiBERUxJVkVSRUQ6CgpTdWJqZWN0OiBJbXByb3ZlIHlvdXIgaGVhbHRo IGFuZCBzYXZlIG1vbmV5IAoK

------------=_1195771998-29520-1
Content-Disposition: inline
Content-Description: Delivery error report

Reporting-MTA: dns; barracuda.conveyorhandling.com
Received-From-MTA: smtp; barracuda.conveyorhandling.com ([127.0.0.1])
Arrival-Date: Thu, 22 Nov 2007 17:53:17 -0500 (EST)

Final-Recipient: rfc822; tcarroll@conveyorhandling.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=29520-01
Last-Attempt-Date: Thu, 22 Nov 2007 17:53:18 -0500 (EST)

------------=_1195771998-29520-1
Content-Disposition: inline
Content-Description: Undelivered-message headers

Received: from 79.35.205-77.rev.gaoland.net (localhost [127.0.0.1]) by barracuda.conveyorhandling.com (Spam Firewall) with ESMTP id 6B27820000BA for ; Thu, 22 Nov 2007 17:53:12 -0500 (EST)
Received: from 79.35.205-77.rev.gaoland.net (79.35.205-77.rev.gaoland.net [77.205.35.79]) by barracuda.conveyorhandling.com with ESMTP id ZYVAvZDTltQqI2lL for ; Thu, 22 Nov 2007 17:53:12 -0500 (EST)
Received: from [77.205.35.79] by ontarioperformance.com; Thu, 22 Nov 2007 23:52:16 +0100
Date: Thu, 22 Nov 2007 23:52:16 +0100
From: "Gracie Winslow"
X-Mailer: The Bat! (v3.0.0.15) Educational
Reply-To: jontarioperformancem@ontarioperformance.com
X-Priority: 3 (Normal)
Message-ID: <221358974.71059361505075@ontarioperformance.com>
To: tcarroll@conveyorhandling.com
Subject: Improve your health and save money
MIME-Version: 1.0

------------=_1195771998-29520-1--
.

Kevin Conlin Staff Posted: 23/11/2007 18:09

Received: from ham.proweb.net ([85.189.29.221] helo=ham.proweb.net) by ASSP.nospam; 22 Nov 2007 00:53:16 -0500
Received: from pop.proweb.net (pop.proweb.net [81.109.162.26]) by ham.proweb.net (8.13.1/8.13.1) with SMTP id lAM5rsPI009877 for ; Thu, 22 Nov 2007 05:54:01 GMT
Received: from localhost ([127.0.0.1]) by pop.proweb.net (Slinky v2.09) with SMTP for ; Thu, 22 Nov 2007 05:53:11 GMT
Message-ID: <22102007.055311.0.28606@pop.proweb.net>
Date: Thu, 22 Nov 2007 05:53:11 GMT
Reply-to: release-66931344-aqieia@courierexchange.co.uk
From: "Hold Queue Release"
To: Wladimir_Lammie@matadorsplace.com
Subject: ** Proweb System Notice - Spam Detected **
MIME-Version: 1.0

** Proweb System Notice - Spam Detected **

A message that you sent to a Proweb customer has been classified as spam and has not been delivered. If the message has been falsely identified as spam, then please reply to this message within 4 days and the original message will be delivered to the marked recipient.

If you did not send this message then you have been the victim of Sender Address Forgery. To help prevent this happening in the future, ask YOUR Internet Service Provider to deploy Sender Policy Framework. For more information, see http://www.openspf.org/Introduction

Note that any content of the reply that you make to this message will be discarded, and the mail sent to the recipient will be the original message that you sent. Should you have any further questions, please contact: support@proweb.net.

The mail had a subject: adurahim
The mail was sent from: Wladimir_Lammie@matadorsplace.com
The mail was sent to: aqieia@courierexchange.co.uk

To release the message send a mail to: release-66931344-aqieia@courierexchange.co.uk or browse to: http://pop.proweb.net/admin/spam_rel...1344&pid=28606

The full headers of the original mail plus the reasons for spam classification are included below:
--------------------------------------------------------------------------
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on ham.proweb.net
X-Spam-Level: *************************
X-Spam-Status: Yes, score=25.8 required=5.0 tests=BAYES_99,DCC_CHECK, FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_IPADDR2,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_PBL,RCVD_IN_SBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC, URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL autolearn=spam version=3.2.3
X-Spam-Report:
* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.0000]
* 4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
* 0.0 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
* 1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist [URIs: causebest.com]
* 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist [URIs: causebest.com]
* 1.5 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist [URIs: causebest.com]
* 0.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist [URIs: causebest.com]
* 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see ]
* 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL [12.202.246.32 listed in zen.spamhaus.org]
* 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
* 0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [12.202.246.32 listed in dnsbl.sorbs.net]
* 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*

==========MY REPLY============

Marcello Macciacchera Client Posted: 23/11/2007 18:10
Hi, Quite obviously, someone is sending out mail with the from email being spoofed. As those email accounts do not exist on the server. Also, where is -- 72.249.86.13 -- in all these headers? No email is being sent from the server that I can see. Look at the last one:

Received: from 79.35.205-77.rev.gaoland.net (localhost [127.0.0.1]) by barracuda.conveyorhandling.com (Spam Firewall) with ESMTP id 6B27820000BA

It's coming from some gaoland.net IP.
=====================

I was then sent an invoice for ~$440 and a great reply in the ticket.

Kevin Conlin Staff Posted: 23/11/2007 18:11
We have many many more. If you do not wish to pay the damage prices within 30 days, it will be forwarded to a collections agent in your area. Kevin ProntoHost http://ProntoHost.net

I'm not sure what they have many many more of. Spam bounces coming from some country I & the server are not even in?

===========I replied======

Marcello Macciacchera Client Posted: 23/11/2007 18:12
I did a search of all these headers. I've yet to find "72.249.86" within them. How do you see spam coming from the server? Please advise. Talk to me on MSN or this Live Support if possible. Or you can call me at +1.647.***.****; or I can call you. Thanks, Marshall M.
=========

On the invoice was an interesting thing. Said it was for damages to SpamCop, and removal from them. I know how SpamCop works, being a techie and working on the other side of the spam fence (ISP level). They automatically remove your IP within 24-48h of no more spam coming from your IP. Further, they have a Report ID that they provide so you can see full details of the spam in your browser. To see where you the ISP are at fault. i.e. Being the transport mechanism, or being the spamvertised site host.

Knowing this, I requested these IDs:
-------
Marcello Macciacchera Client Posted: 23/11/2007 18:14
You mentioned SpamCop on the invoice. Could I have the URL to the SpamCop report(s) that say AskMatador.com was spamming via the IP associated on the server of 72.249.86.13? Thanks, Marshall M.
--------------

Further agitated, and wishing to educate:
------
Marcello Macciacchera Client Posted: 23/11/2007 18:18
Look at the headers:

Received-From-MTA: dns;BSN-142-248-185.dial-up.dsl.siol.net

This is not you.
----------

Marcello Macciacchera Client Posted: 23/11/2007 18:24
So in order to spam through your server. It would have to be port: 25, which would need authentication. Or it would have to be done through some kind of PHP script. I just can't see it in these headers. These are just faked bounce messages, I assure you I am not doing this. As well as any of my clients. Please provide some SpamCop reports that show how the .13/.14 IP that I was on was affected by my domain(s). I'd like to see this offending script, if it exists. Thanks, Marshall M.
----------------

This has been the last reply to the ticket. I have yet to hear a response. Funny how Live Support has been offline all this time when I have been checking. And 'Kev' is no longer on MSN, or has somehow ignored/blocked me.

Of course I do not enjoy downtime and am making other arrangements, but this comes as a serious disappointment and PITA, as my last backups are from when I moved over to the service, what seems less than 2 weeks ago. I spoke to Kevin, and he mentioned the drives were on a mirrored RAID setup. So I didn't feel like I had to back up weekly.

Maybe I'm blind, but I don't see how the headers provided show that I am spamming. I know I'm not! It's also been more than 24 hours since I last responded to the accusation. I have not heard anything back.

Extremely Frustrated, Marshall M.

Last edited by matador; 11-24-2007 at 02:43 PM.
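The check matador describes in that post, searching every header for the server's IP, is easy to automate. The following is an added example written for this thread, not ProntoHost's or cPanel's code: it parses a DSN with Python's standard email library, collects every IPv4 literal from the Received headers of the outer bounce and of the returned original, reads the Received-From-MTA field, and reports whether any relay is one of the two server IPs given in the post. Both sample messages are constructed: SAMPLE_BACKSCATTER mimics the shape of the Hotmail DSN quoted above (abbreviated), and SAMPLE_OUTBOUND shows what a bounce would have to contain before it could implicate nexus.prontohost.net; no such header appears in the evidence posted.

```python
"""Sort a bounce into backscatter versus a message that really left our MTA,
by walking every Received header in the DSN (outer report and returned copy)
and checking whether any relay is one of our IPs. Added example for this
thread; standard library only."""
import email
import ipaddress
import re

# From the thread: the reseller's server IPs (assumed to be the complete list).
OUR_IPS = {ipaddress.ip_address("72.249.86.13"), ipaddress.ip_address("72.249.86.14")}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed: same shape as the Hotmail DSN quoted in the thread, abbreviated.
SAMPLE_BACKSCATTER = b"""\
Received: from bay0-omc2-s7.bay0.hotmail.com ([65.54.246.143]) by ASSP.nospam; 23 Nov 2007 04:18:46 -0500
From: postmaster@hotmail.com
To: Marikka@miernicki.com
Subject: Delivery Status Notification (Failure)
Return-Path: <>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Delivery to the following recipients failed.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns;bay0-mc7-f2.bay0.hotmail.com
Received-From-MTA: dns;BSN-142-248-185.dial-up.dsl.siol.net

Final-Recipient: rfc822;dbsbt3@msn.com
Action: failed
Status: 5.5.0
--B1
Content-Type: message/rfc822

Received: from BSN-142-248-185.dial-up.dsl.siol.net ([89.142.190.130]) by bay0-mc7-f2.bay0.hotmail.com; Fri, 23 Nov 2007 01:18:43 -0800
Received: from dimitrij-a41374 ([158.161.137.65]) by miernicki.com with ESMTP id E9A3B10A8444; Fri, 23 Nov 2007 10:19:17 +0100
From: "Marikka Mesman" <Marikka@miernicki.com>
To: dbsbt3@msn.com
Subject: tritium1

Get ready for Christmas holidays nights.
--B1--
"""

# Constructed counter-example: what a bounce implicating the server would contain.
SAMPLE_OUTBOUND = b"""\
From: postmaster@example.net
To: someone@askmatador.com
Subject: Delivery Status Notification (Failure)
Return-Path: <>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: message/delivery-status

Reporting-MTA: dns;mx.example.net
Received-From-MTA: dns;nexus.prontohost.net

Final-Recipient: rfc822;nobody@example.net
Action: failed
Status: 5.1.1
--B2
Content-Type: message/rfc822

Received: from nexus.prontohost.net ([72.249.86.13]) by mx.example.net; Fri, 23 Nov 2007 02:00:00 -0800
From: someone@askmatador.com
To: nobody@example.net
Subject: constructed sample

body
--B2--
"""


def relay_ips(raw: bytes) -> set:
    """Every IPv4 literal in every Received header, outer DSN and inner copy alike."""
    found = set()
    for part in email.message_from_bytes(raw).walk():
        for hdr in part.get_all("Received", []):
            for lit in IPV4_RE.findall(str(hdr)):
                try:
                    found.add(ipaddress.ip_address(lit))
                except ValueError:
                    pass  # octet > 255: not an address
    return found


def received_from_mta(raw: bytes):
    """Host the reporting MTA says handed it the original (per-message DSN field)."""
    for part in email.message_from_bytes(raw).walk():
        value = part.get("Received-From-MTA")
        if value:
            return str(value).split(";", 1)[-1].strip()
    return None


def classify_bounce(raw: bytes, our_ips=OUR_IPS) -> dict:
    msg = email.message_from_bytes(raw)
    ips = relay_ips(raw)
    ours = ips & set(our_ips)
    is_dsn = (msg.get_param("report-type") or "").lower() == "delivery-status"
    null_sender = (msg.get("Return-Path") or "").strip() in ("", "<>")
    if ours:
        verdict = "originated-at-our-server"  # worth pulling the MTA log for that hop
    elif is_dsn or null_sender:
        verdict = "backscatter"  # DSN for a forged sender; our MTA never saw it
    else:
        verdict = "unknown"
    return {
        "verdict": verdict,
        "our_relays": sorted(str(i) for i in ours),
        "relay_ips": sorted(str(i) for i in ips),
        "received_from_mta": received_from_mta(raw),
    }


if __name__ == "__main__":
    for name, raw in (("backscatter", SAMPLE_BACKSCATTER), ("outbound", SAMPLE_OUTBOUND)):
        print(name, classify_bounce(raw))
```

A "backscatter" verdict means the reporting MTA accepted the forged message from somewhere else and is merely returning it to the domain in the forged envelope sender; the hosting provider's own MTA log will have no record of it. Only the "originated-at-our-server" case gives a message ID and timestamp worth looking up in the server's mail log.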

Posted by activelobby4u, 11-24-2007, 03:07 PM
The mailer programs in the headers seem to be genuine email clients.

X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-Mailer: The Bat! (v3.0) Professional

Hence the visible reason is that you (or someone else who hacked into your account) were spamming. Confirm whether your host is not set to open relay as well, and that you are not using simple passwords.

Posted by DephNet[Paul], 11-24-2007, 03:18 PM
He is on a resellers account so if his host does have an open SMTP relay then that is his host's problem not his. As the OP stated this looks like backscatter which comes a very close second to SPAM in annoying me. To the OP have you had a reply from Prontohost yet or are you just gonna give up and move on? Paul

Posted by activelobby4u, 11-24-2007, 03:23 PM
Yes of course. He needs to confirm this to appeal to the fact that he was not spamming purposely. You can test the relay here:
http://www.spamhelp.org/shopenrelay/
http://www.checkor.com/

Posted by matador, 11-24-2007, 03:34 PM
Hi Paul, Scatter would be along the correct lines of what this is. (I use Thunderbird) But.. If you look in that Outlook header:

Reporting-MTA: dns;bay0-mc7-f2.bay0.hotmail.com
Received-From-MTA: dns;BSN-142-248-185.dial-up.dsl.siol.net

The MTA is *.siol.net; not the IPs associated with Pronto or myself for that matter. Of course it's a WHM/cPanel server, so relaying is for authenticated clients only. (I would presume, although I haven't tried)

I have not had a reply since: Posted: 23/11/2007 18:24, which is GMT or thereabouts. Either way it amounts to 24+ hours now (Saturday evening GMT/CET).

I realize it's annoying scatter, but it certainly wouldn't result in a SpamCop blacklist on the ISP, as it's not originating from it. I have no choice at this point but to move on from Pronto, given the circumstances. But I plead my innocence as I would like my account reinstated for the 1 month I paid for so I can at least take the 2 weeks of email since last backup.

Given the headers provided, I have no choice but to prove PH (ProntoHost) incompetent of understanding email headers. As well as in customer service, in the sense of suspending all ~20 clients/domains hosted vs the 3 (SUPPOSEDLY!) at fault; without any notice.

I myself have worked for a rather decent sized hosting firm. We would give 24 hours for the first spam infraction. 12h for the 2nd, and 1h/Suspension for the 3rd, depending on severity. Although this may seem lax, most infractions I dealt with were the result of out of date or exploited PHP scripts. Not outright port 25 blasting. So I routinely chmod 000 the php script, and advised the client to update the script (shopping cart, photo gallery, etc..) I can tell you that I *did not* suspend the whole reseller's service & all hosting accounts that were innocent. This just seems so barbaric and inhumane.

Thanks for the replies so far, showing I am not brain dead and that I may in fact be innocent. Please keep them coming, Thanks, Marshall M.

Posted by DephNet[Paul], 11-24-2007, 03:36 PM
Well both of those report that he is not using an open relay. And as I stated before those headers look like his email address, domain has been spoofed and so he is getting tonnes of backscatter. Backscatter is not SPAM, it is the result of a spoofed email being used for SPAM. Paul

Posted by matador, 11-24-2007, 03:41 PM
As per checkor.com; it is not an open relay as presumed. Therefore, I want authentication names & numbers; and only those accounts disabled if indeed they are spamming. But the fact is, I don't think we'll ever see it. Unless it's forged. Because my password is not a dictionary one. As well, nobody has it. As I have been on a wired connection to my router, and using IMAP via TLS with PH when checking mail. Also I don't use the server to send mail, as per previous post. I use my local ISP's. --Marshall M.

Posted by matador, 11-24-2007, 03:45 PM
Thanks. This is exactly what I know this is! I just want 50 more people to reply to confirm this fact. Then I want to see how ProntoHost will reply to this thread, and my ticket. Re: "This decision will not be overturned, you will receive an invoice for the destruction the spam messages have caused to our business." So the decision cannot be overturned... it's final. I'm a spammer, case closed. Excuse me??? Is this Guantanamo Bay? Unreal I tell you.

Posted by PH-Kev, 11-25-2007, 08:17 AM
Hello Sir, This may be backscatter as you say, the point of our closing your account was that these are 3 unrelated accounts of yours, receiving the same "undelivered message" warnings. The choice was not taken lightly or quickly, we suspended 1 account first (askmatador.com) then another which spiked in traffic and had the same failed delivery messages (ontarioperformance.com) with pharmacy and viagra spam and then finally miernicki. As I was informed of what was happening, I only took a quick look at emails posted to me from a support associate. Spammers also carry a high risk of hacking of servers and we have no policy of simply suspending the accounts. Accounts are terminated immediately and the spammer is billed accordingly. Could you please explain why these 3 unrelated domains have all come under fire of spam bombs? Also, I noted when I personally changed over your accounts that they had nothing but massive massive email accounts and I mentioned this to you on IM.

Posted by DephNet[Paul], 11-25-2007, 12:40 PM
PH-Kev, Because spammers check to see what domains are registered and then send emails from *@domain.tld. I myself have backscatter come in to no fewer than 20 of my domains, ALL are unrelated to each other. Does that mean I am a spammer? Would I be suspended with no warning? The simple fact that you labelled the OP a spammer with, as you say, a quick look at the email headers shows that you need to do more checking when SPAM is suspected. If you run cPanel on your servers there is a setting that will delete all email to invalid mail boxes; this is before any processing of the email takes place, so the load should not increase. Paul

Posted by matador, 11-25-2007, 01:29 PM
Hi, I need my domains,etc.. working. Therefore I would not, if I knew how, disrupt my own server. I can't explain why (a) particular domain(s) is being used by spammers to create all this. Only the spammers can tell me this. I can tell you in my heart of hearts, I forward all spam I get to SpamCop. So being told I caused damage to PH(ProntoHost) in relation to spamcop is the polar opposite. Where possible, I set my domains to delete all mail which does not have a matching email address. So this backscatter should not increase load or get PH blacklisted. This one-way final judgement of me being labelled a spammer is really hurtful. Hurt & Insulted, Marshall M.

Posted by DephNet[Paul], 11-25-2007, 01:40 PM
matador, It seems that PH are not going to budge on the matter so I would say have a look at the shared hosting offers forum and pick a few hosts from there and email them asking them what they would do with regards to obvious backscatter. Paul

Posted by matador, 11-25-2007, 02:15 PM
Hi Paul, Thanks again for your responses. As it assists me in knowing I have done nothing wrong. I realized a while ago that they are not going to budge. I appeal for:
-Self-realization that I am innocent
-And.. one of my clients (and myself) would like the ~2 weeks of emails between my last backup and date of termination.

The other thing is that on the invoice, they listed "damage to spamcop". I find this odd.
#1a. SpamCop doesn't charge for delisting
#1b. If you are listed on SpamCop, they auto delist you after 24 hours of no further spam reports.
#2. They have not provided me with SpamCop report IDs -- to substantiate that 1b is true.

I know that #2 is going to be pretty hard to do, as if it was on SpamCop, one of two things would have to be true.
A) The spamvertised site would have to be hosted on PH
B) The source of the spam would have to be PH
Since both are false, this is going to be a tough hoop to get through.

Posted by steven99, 11-25-2007, 05:06 PM
Simple, spammers use domains to spoof and those domains are legit, trusted domains. All the "major" mail servers (gmail, hotmail, aol, etc) have the same spoof problem. I guess they should suspend themselves. I guess I should go delete my domains, and my business domain, because the same thing happens with those -- at the same time. I guess slashdot, digg, and others should have their servers shutdown as the same thing happens with them. I guess that's why SPF was developed? Marshall, before you pay anything I think you should be provided at the least logs that show these mails going out from their servers. I think they should provide those SpamCop IDs as that is what the charge is for (as you have said) and if they can't provide them, then they shouldn't charge you for it. EDIT: Was their IP even listed at SpamCop? Last edited by steven99; 11-25-2007 at 05:18 PM.
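steven99's point about SPF, as an added worked example (not code from the thread, from openspf.org or from any host named here): a minimal evaluator for the ip4/ip6/all mechanisms of an SPF record, with no DNS lookups. The record is an assumed one that lists only the two server IPs given in the thread; nothing in the thread says any of the domains actually published SPF. Run against the dial-up address 89.142.190.130 from the Hotmail bounce, it returns "fail", which is what would let a receiving MTA reject the forged message during the SMTP session instead of accepting it and bouncing it back to the forged domain.

```python
"""Minimal offline SPF evaluator (ip4/ip6/all only). Added example for this
thread. Mechanisms that need DNS (include, a, mx, exists, ptr) and the
redirect= modifier are reported as "unsupported" rather than resolved."""
import ipaddress

# Assumed record for askmatador.com: only the server IPs from the thread may send.
EXAMPLE_RECORD = "v=spf1 ip4:72.249.86.13 ip4:72.249.86.14 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result name for sender_ip evaluated against record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].lower()
        if "=" in name:
            if name.startswith("redirect="):
                return "unsupported"  # would need to fetch another record
            continue  # other modifiers (exp=) do not affect the result
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue  # no match, try the next mechanism
        return "unsupported"  # include/a/mx/exists/ptr need DNS; out of scope
    return "neutral"  # nothing matched and no "all" term


if __name__ == "__main__":
    for sender in ("72.249.86.13", "89.142.190.130", "77.205.35.79"):
        print(sender, evaluate_spf(EXAMPLE_RECORD, sender))
```

Mechanisms are evaluated left to right and the first match decides, so the terminal "-all" is what turns "not listed" into a hard fail; a "~all" record would only softfail the dial-up hosts, which most receivers treat as a scoring hint rather than a reject.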

Posted by foobic, 11-25-2007, 06:03 PM
Well, to me it seems that you now need to take a closer look and either: 1. Provide some real evidence that your client was spamming, or 2. Give him a sincere apology and appropriate compensation for your mistake.

Posted by DephNet[Paul], 11-25-2007, 06:29 PM
Even if it was it does not cost $440 to remove an IP from the Spamcop database. It prices a grand total of $0.00 to remove an IP from Spamcop as stated below. Paul

Posted by steven99, 11-25-2007, 06:49 PM
Paul, indeed. That's not the point. Maybe they are charging for the listing it self? A RBL listing can cause "damages" by being listed and mail being bounced and losing customers because of the listing. I believe I've seen threads here that other hosts have done the same thing. I think a few even charge more for just spam messages, not just listings. I am not providing support for PH, but rather why they may have charged for the spamcop listing, which is why I asked if it was even listed, and why they should be required to provide proof of that listing.

Posted by DephNet[Paul], 11-25-2007, 07:03 PM
If it was listed then they should be able to provide the proof that the OP has asked for, namely the spamcop reference numbers. Re-reading the original post I noticed: According to who.is that is an AT&T IP that is assigned to Mediacom Communications Corp. That is just one of the IPs from the list of "evidence" that HP has used to "prove" that the OP is a spammer. My guess is that none of the IPs that the SPAM has been sent from points to HP. Paul

Posted by matador, 11-25-2007, 07:42 PM
Hi, So far I still don't have a response on the ticket. Which means I have no SpamCop reports to go on. Which means the invoice to me is a lie, so far. Obviously I'm not paying it, and I may in fact press charges myself. To be continued. --Marshall M.

Posted by PH-Kev, 11-25-2007, 08:46 PM
Sir, as we have spoken on live chat, I pointed out the invoice was a charge for removal from DNSBL and usually this would be a charge of $20 per spam incident; in your case it would amass to a pretty hefty sum. I will have the invoice amended and re-sent. We also both agreed to have a server admin take a look; I am in the process of temporarily hiring an independent server administrator to take a look into this. You are welcome to not pay the invoice although I must forewarn that if unpaid after 30 days it will be sent to a collections agent in your area which may adversely affect obtaining credit. If the report comes back that your domains were indeed completely legitimate and unused for illegal activities within the server, nexus.prontohost.net, you will receive a full apology, digital and/or written.

Posted by matador, 11-25-2007, 09:09 PM
I will be contacting DNSBL very soon to see if and when nexus. was ever on the blacklist. If it turns out to be false, then this invoice is based on nothing, and is a false invoice. If true, then I want to see what created it, and if it was related to anything on my accounts. We will get to the bottom of this. --Marshall M.

Posted by qwan, 11-29-2007, 04:44 PM
matador, from what I see and from the replies, this is an attempt to "extort" money from you. Pronto host was very well aware that this was scatter. But they were hoping that you were dumb. They could have come to the conclusion from the fact that your websites were personal in nature. So they expected a newbie. I think you should press charges. You have a good case. The downtime caused to you deserves damages. Moreover this should be put as "attempted fraud". Best of luck Last edited by qwan; 11-29-2007 at 04:45 PM. Reason: Typos

Posted by DephNet[Paul], 11-29-2007, 04:49 PM
What DNSBL? Spamcop does not charge, same with most of the other reputable DNSBLs. Paul

Posted by jon-f, 11-29-2007, 05:30 PM
Wow, that's crazy. Most of those spamcop things are just courtesy notices anyway and few of them are for real live spam coming from your server. And the charge you got for removal is crazy. All hosts get spamcop notices; very few do this to their customers. You have to take those anti-spam agencies with a grain of salt. Most of the time the complaint/notice isn't even legit. If that's the case spamcop will gladly mark the issue resolved and not forward any more concerning the domain. There has never been a removal fee or some painstaking process involved in resolving a spamcop complaint; it's as simple as following the link and selecting what to do. Although I think the delisting charge is highly questionable, I believe the decision to terminate over that notice was either because they just saw the complaint and hastily looked at it OR they didn't know what they were looking at.

Posted by PH-Kev, 11-29-2007, 11:08 PM
Sir, please be careful about what you are saying about our company.

Posted by DephNet[Paul], 11-29-2007, 11:35 PM
PH-Kev, If you are going to post to this thread then can you please answer my question as to what DNSBL you were listed on and so needed to pay to be removed from. Paul

Posted by Cody Salter, 11-29-2007, 11:40 PM
I agree, from what I can see in those headers, there is nothing that points to it as coming from their servers, so they have no need to suspend your account, let alone treat you as rudely as that. Someone needs a smack. PRHOST, you need to do some more research and use better judgment before putting large claims like this forward, or at least unsuspend his account while you uncover more information. Also, why are you invoicing him for that? That's insane... your server didn't get blacklisted as it didn't send the spam; the servers that sent the spam appearing as such and such domain would be blacklisted.

Posted by PH-Kev, 11-29-2007, 11:43 PM
I fear you are correct. I have had 2 second opinions and it has come to light that a ProntoHost server administrator was a little too quick to advise on terminating the account. All reports can only point to scatter, which overloaded exim, which is not entirely hard. The spike and MTA failure caused the Server Admin to suspend 3 accounts before contacting myself. I had a look at reports but please forgive my stupidity, I did not know the slightest of what I was looking at. I was advised by the server administrator that he was 110% sure that the accounts were all spamming and all under 1 reseller; this all happened within the space of 90 minutes. Matador, I am currently compiling an email and handwritten letter of apology to yourself; this is of course not enough for what you have been put through. Sir, I know from IM that you had great service from ProntoHost up until this point. There is not much chance of winning you back after our serious failure but I would like to extend an offer of 12 months free ProntoHost service of any Product. We could also offer your own VPS with Cpanel installed and set up free for 12 months, as you have been through an awful time with our service, which has up until now had a perfect, spotless record. The Server administrator concerned has not been suspended due to it being the run up to Christmas and New Year but is being trained by an independent technical server administrator and will not touch any servers or deal with accounts until the course is completed.

Posted by PH-Kev, 11-29-2007, 11:45 PM
Sir, the charge was a cleanup fee, as I mentioned before. If using common sense, you would know that naturally there is no charge to be removed from any of those services.

Posted by DephNet[Paul], 11-29-2007, 11:50 PM
Please let me take you back to your post of 2 days ago where you stated: and now you are stating: Which is the correct statement as to why you charged him more than $400? Paul

Posted by DephNet[Paul], 11-29-2007, 11:53 PM
Is this person a level 1, 2 or 3 admin? If one of my server admins made that mistake then they would be instantly suspended. Paul

Posted by PH-Kev, 11-29-2007, 11:53 PM
We charge spammers for spam.

Posted by PH-Kev, 11-29-2007, 11:55 PM
Level 2. I would be obliged to do the same but at this time of year it would be unreasonable.

Posted by DephNet[Paul], 11-30-2007, 12:06 AM
So you are bending the rules for one of your staff members because of the time of year, yet when the OP gave you proof that this was not spam and asked for you to reinstate his account you said: Where was your sense of charity then? Paul

Posted by adam, 11-30-2007, 01:02 AM
You need to review your policies. It took me all of 5 minutes to review all of those headers to see that this was not coming from the customer. It is not that hard to figure that out. Going ahead and removing email accounts is something that you should NEVER do. The account should simply have been suspended. You not replying to the tickets was another bad move on your part. You purposely ignoring the customer's replies to the ticket and going on about the fee and forwarding them to collections also shows that you do not care one bit for this customer. $400 for a spam cleanup? You've got to be kidding me. Those bounces could have been removed in 5 minutes tops. If it took any longer then your admin needs to get fired and you need to hire somebody that knows what they are doing. Charging that much of a fee IS extortion, exactly what the other poster said. If the client knowingly spammed on purpose then I could see charging this fee. But if there was an issue with the customer's script that may have caused this then why would you even think of charging that? You simply clean up the mess, suspend the account until the client responds and have them update all of their scripts to close the exploit. Seriously? If you have to hire ANOTHER admin to check into this then your original admin should be fired immediately. Your constant threats of sending this to collections are horrendous. You are supposed to give the customer the benefit of the doubt while you check into it. The customer has shown an extreme amount of willingness to work on this issue and get it resolved. The way you have handled this situation is very unprofessional. This is a forum. Free speech. The opinions here are being based solely upon the way that you are/did/were handling this situation. If I was this customer I would not accept that. I would pack up and leave to greener pastures. Especially after how rudely you treated the client. Why would the fee be so high? It is not hard to remove the emails from the Inbox. 5 minutes tops. I would suggest you find a company such as TouchSupport.com to handle your issue. Your admin does not seem to know how to read headers. --- This has to be one of my longest responses ever on this forum but when I see things like this it upsets me. Creation Date: 18-aug-2007 It seems you are new to the hosting industry. I would highly suggest you sit down and review how you are running your company and handling situations like this. Blaming your customer, being rude and downright ignoring what they are saying is no way to handle a situation like this. I am not saying the above to put you down in any way, it is simply to help you for the future in case issues like this do arise.
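The check that Cody Salter and adam describe above (reading the Received headers to see that the mail never went through the reseller's server, and steven99's point that SPF exists for exactly this), as an added Python example that is not code from the thread or from ProntoHost. It walks the Received chain of a constructed spoofed message, tests whether any hop is one of the server addresses the thread gives (72.249.86.13/14), and evaluates a hypothetical SPF record; the sample headers, the RFC 5737 documentation IPs and the SPF record are all assumptions.

```python
import re
import ipaddress
from email import message_from_string

# Addresses the thread gives for the reseller's server (nexus.prontohost.net).
OWN_IPS = {"72.249.86.13", "72.249.86.14"}
# Hypothetical SPF record for the domain: only nexus is allowed to send for it.
HYPOTHETICAL_SPF = "v=spf1 ip4:72.249.86.13 ip4:72.249.86.14 -all"
# Constructed sample: a spoofed message as a remote MX would log it
# (203.0.113.50 and 198.51.100.77 are RFC 5737 documentation addresses).
SAMPLE_SPOOFED = """\
Return-Path: <askmatador@askmatador.com>
Received: from mail.example.org (mail.example.org [203.0.113.50])
 by mx.recipient.example with ESMTP; Fri, 23 Nov 2007 05:10:11 +0000
Received: from unknown (HELO askmatador.com) (198.51.100.77)
 by mail.example.org with SMTP; Fri, 23 Nov 2007 05:09:58 +0000
From: "Ask Matador" <askmatador@askmatador.com>
"""
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def received_chain(raw):
    """Sending-side IP of each Received: header, earliest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        sender_part = re.split(r"\bby\b", value, maxsplit=1)[0]  # drop the "by" host
        hops.extend(IP_RE.findall(sender_part)[:1])  # first IP on the sending side
    return hops[::-1]  # each relay prepends its header, so reverse for origin first

def spf_check(record, ip):
    """Minimal SPF evaluator: ip4: plus -all / ~all, which is all this record uses."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term in ("-all", "~all"):
            return "fail" if term == "-all" else "softfail"
    return "neutral"

def classify(raw, spf_record=HYPOTHETICAL_SPF, own_ips=OWN_IPS):
    """Did the message really pass through our server, or was our domain spoofed?"""
    chain = received_chain(raw)
    origin = chain[0] if chain else None
    spf = spf_check(spf_record, origin) if origin else "none"
    relayed_by_us = any(hop in own_ips for hop in chain)
    return {
        "origin_ip": origin,
        "relayed_by_us": relayed_by_us,
        "spf": spf,
        "likely_spoofed": not relayed_by_us and spf in ("fail", "softfail"),  # backscatter pattern
    }
```

For a real bounce, run `classify` on the original headers quoted inside the NDR; a result with no hop on your own addresses and an SPF fail is the pattern the thread calls "scatter".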

Posted by Nnyan, 11-30-2007, 03:06 PM
WOW. That is all I can say...wow. I would LOVE to see an itemized accounting of that $400 charge. Obviously whoever this admin is really doesn't know much about his job. But besides that this thread clearly indicates that ProntoHost is not a professionally run reseller IMHO.


