Dreamhost has a spammer!

Posted by: birdsong
Posted on: 2005-03-12 15:39:00

According to the attached post in news.admin.net-abuse.email, the domain webcam-ifriends.net, hosted on Dreamhost, is spamming.

I opened a "site down" ticket (#991604) over 2 hours ago. ... Nothing!

Wake up Dreamhost before you find your (MY!) outbound mailservers in so many blocklists that you lose customers because of no usable mail service.

Is anybody from dreamhost reading this forum!!!

YooHoo! ... Hello! ... Do something!

========= from news.admin.net-abuse.email ========
Path: sn-us!sn-xit-10!sn-xit-06!sn-xit-13!supernews.com!newsfeed.stanford.edu!postnews.google.com!f14g2000cwb.googlegroups.com!not-for-mail
From: "SuN Tsu" <bananananae@spamblocked.com>
Newsgroups: news.admin.net-abuse.email
Subject: iFriends pr0n bot army employs several layers of FUD to avoid detection
Date: 12 Mar 2005 09:43:39 -0800
Organization: http://groups.google.com
Lines: 451
Message-ID: <1110649419.897871.75950@f14g2000cwb.googlegroups.com>
NNTP-Posting-Host: 205.188.116.6
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Trace: posting.google.com 1110649423 5280 127.0.0.1 (12 Mar 2005 17:43:43 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Sat, 12 Mar 2005 17:43:43 +0000 (UTC)
User-Agent: G2/0.2
Complaints-To: groups-abuse@google.com
Injection-Info: f14g2000cwb.googlegroups.com; posting-host=205.188.116.6;
posting-account=e7K3eQ0AAAA3qgManUm9s4NlYPInLVtR
Xref: sn-us news.admin.net-abuse.email:1322271


Spammy still controls *armies* of spamming pr0n bots.

iFriends has yet *another* pr0n army of almost 100 spamming bots in
place which employs multiple layers of FUD to avoid detection and
blocking by AOL which is currently hosted by New Dream Network LLC on
205.196.219.93 which is not listed in any BL.

Spammy's pr0n bot army uses/spews social engineering in chat rooms to
get the intended victim to view their AOL profile(s) where their
spamvertised iFriends link awaits them ...

Re: Dreamhost has a spammer!

Posted by: macmanx
Posted on: 2005-03-12 15:41:00

You need to submit this to DreamHost's abuse department, not the user support forums.

Re: Dreamhost has a spammer!

Posted by: birdsong
Posted on: 2005-03-12 16:33:00

Done that:
abuse@dreamhost.com

almost 4 hours now.

Is anybody minding the abuse queue?


Re: Dreamhost has a spammer!

Posted by: macmanx
Posted on: 2005-03-12 17:25:00

Generally, you don't get any feedback until the situation is contained. Give them 24 hours.

Re: Dreamhost has a spammer!

Posted by: ardco
Posted on: 2005-03-12 17:45:00

You could also submit a high priority ticket to Support via the panel in case abuse@ is flooded or your from address is filtered out.

Cheers,

BobS

Re: Dreamhost has a spammer!

Posted by: kchrist
Posted on: 2005-03-12 18:26:00

How do you know they haven't already taken care of it?

Speaking as someone who recently wrapped up four+ years in an abuse department, I'd be very surprised if they return your e-mail personally. It's far too time-consuming to personally reply to every report unless there's some specific reason to. We usually didn't, but this should not be taken as meaning we didn't act on every report we received.

Re: Dreamhost has a spammer!

Posted by: chrisjj
Posted on: 2005-03-12 18:41:00

> your from address is filtered out.

Why might that be?

Re: Dreamhost has a spammer!

Posted by: ardco
Posted on: 2005-03-12 19:46:00

DH does for Support email as posted here, so they could possibly for abuse email, although you might get a bounce message, although it might be filtered out as spam. :-)

BobS

Re: Dreamhost has a spammer!

Posted by: kchrist
Posted on: 2005-03-12 20:00:00

I doubt they would implement something like this for an abuse address. Mail to this address could come from anywhere, and usually won't be from DH customers. Nothing will get an ISP a bad reputation faster than not accepting abuse or postmaster mail.

Re: Dreamhost has a spammer!

Posted by: chrisjj
Posted on: 2005-03-13 03:10:00

I see - thanks.

Re: Dreamhost has a spammer!

Posted by: birdsong
Posted on: 2005-03-13 08:29:00

How do I know they haven't taken care of it (19 hours since the report was made)?

... The offending site (webcam-ifriends.net) is still up and running. That's how I know.





Re: Dreamhost has a spammer!

Posted by: macmanx
Posted on: 2005-03-13 10:20:00

But have they stopped spamming you?

Re: Dreamhost has a spammer!

Posted by: birdsong
Posted on: 2005-03-13 11:01:00

macmanx wrote:
> But have they stopped spamming you?

They have never spammed me.

I guess the significance of a spammer on Dreamhost is not readily apparent. Dreamhost have been, to this point, militantly anti-spam. Because of that, we, as Dreamhost customers haven't had the problems that customers at other hosting companies have had getting their own mail delivered. ... So, here is a short tutorial.

The alleged spammers are "AOL niche spammers", that is, they are said to spam AOL users primarily, using virus infected PCs as zombie spam agents. The spam does not originate from Dreamhost IP-space, but the "payload" of the spam points to a Dreamhost hosted URL. ... This is where the suckers sign up to see porn, providing a credit card number. ... Would you provide your credit card number to someone who used virus infected PCs to send spam? ... I didn't think so, but AOL users, I'll not even speculate about why, seem to be especially vulnerable to this kind of spam.

The tutorial: There is a mechanism that is built in to most Mail Transfer Agents (MTA) that will look up an IP-address in a DNSBL (Domain Name System Block List). There are many DNSBLs published by various entities on the web. See this for a hint: http://www.dnsstuff.com ... In the query box titled "spam database lookup" (first row, center on the page) plug in the IP-address of one of your spam sources. You probably do not have many spams if you are using Dreamhost's spam filters (SpamAssassin) because those same filters use several well respected DNSBLs.

Many, many ISPs use the DNSBLs to refuse (yes, block the connection altogether) SMTP connections from IP-space listed in DNSBLs.

Suppose Dreamhost's IP-space gets listed in SPEWS (a popular, effective, neither conservative nor aggressive. See: http://www.spews.org) DNSBL? Some would say that up to 40% of all email addresses would never see any email from any Dreamhost customer!

Worse, many ISPs, in addition to using the public DNSBLs, maintain their own DNSBLs. While the public DNSBLs are actively maintained by their owners/operators, many private DNSBLs are "set and forget". This means that once a set of IP-addresses gets into that private DNSBL, they never come out. For the Dreamhost customer with correspondents at those ISPs using private DNSBLs, the problem of getting your mail to your correspondents is monumental, all because Dreamhost did not do their jobs in killing the spammers in their IP-space.

But wait! There's more. Carl Hunzler, head anti-spam fellow at AOL, is said to place blocks on the payload addresses of spam received by AOL customers. This means that AOL users will not see web sites hosted at Dreamhost. ... What does that mean to you?

Should Dreamhost get its IP-space listed in SPEWS or SBL, I will have to move to a different hosting provider.


Re: Dreamhost has a spammer!

Posted by: kchrist
Posted on: 2005-03-13 13:08:00

> ... The offending site (webcam-ifriends.net) is still up and running. That's how I know.

Good point. I was doing other things at the time I wrote that and somehow didn't even think to check the site. I agree that the spamvertised site should be terminated immediately.

> SPEWS (a popular, effective, neither conservative nor aggressive

You're joking, right? SPEWS, not aggressive? The BL that habitually lists entire netblocks due to one compromised host? The same organization that tries to avoid accountability to the point where the only way to contact them is to post to n.a.n-a.e and hope that one of them notices it?

Don't get me wrong, I am a big believer in blacklists in general, but SPEWS just leaves a bad taste in my mouth. I'm not alone in feeling this way either. Their BL may be fine for someone filtering their own mail, but no one responsible for the mail of others should even think about using this list for anything other than scoring (low scoring, at that); it should certainly not be used as a basis for rejecting mail outright.

Even their DUL is faulty. In my previous abuse work, someone once (against my and others' better judgement) imported their DUL into our own in-house BL and we saw an absolutely huge number of false positives. We had to manually adjust or remove literally dozens of addresses and ranges that weren't actually dynamic, some of which hadn't been for quite some time. Most of these ranges were trivially verified as being static by checking ARIN records or even just reverse DNS.

> Carl Hunzler, head anti-spam fellow at AOL, is said to place blocks on the payload addresses of spam received by AOL customers. This means that AOL users will not see web sites hosted at Dreamhost.

Are you sure he didn't mean that he uses the presence of these URLs as a basis for scoring mail, like what you can do using the URIDNSBL SpamAssassin plugin? If not, and they're actually blocking outbound HTTP traffic to these sites, are you certain they're blocking IP addresses and not just the spamvertised domains? Due to the prevalence of shared hosting and the enormous number of false positives that this can cause, I find it pretty unlikely that AOL is dropping traffic to other sites hosted on the same IP addresses.
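
Added example, not part of any post in this thread: a sketch of the DNSBL lookup described in birdsong's tutorial, together with the two policies argued over above (refusing the connection on any listing versus using each list only as a score). The zone names, weights, threshold and sample records are constructed for illustration; the addresses come from the 192.0.2.0/24 documentation range.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone (the usual DNSBL form)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Live lookup: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, zone, resolve=system_resolver):
    answer = resolve(dnsbl_query_name(ip, zone))
    # Only an answer inside 127.0.0.0/8 counts as a listing. Any other address
    # (a wildcarded or parked zone, for instance) is treated as "not listed".
    return answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE

def evaluate(ip, weights, resolve=system_resolver, reject_at=5.0):
    """weights maps zone -> score. Returns (score, zones that listed ip, decision)."""
    hits = [zone for zone in weights if is_listed(ip, zone, resolve)]
    score = sum(weights[zone] for zone in hits)
    return score, hits, ("reject" if score >= reject_at else "accept")

# Constructed sample data standing in for DNS answers, so the example runs offline.
SAMPLE_RECORDS = {
    "10.2.0.192.broad.dnsbl.example": "127.0.0.2",    # neighbour inside a listed netblock
    "20.2.0.192.broad.dnsbl.example": "127.0.0.2",    # spam source, on both lists
    "20.2.0.192.strict.dnsbl.example": "127.0.0.4",
    "30.2.0.192.broad.dnsbl.example": "198.51.100.7", # answer outside 127/8: ignored
}

def sample_resolver(name):
    return SAMPLE_RECORDS.get(name)

# Hypothetical weights: the netblock-wide list scores low, the precise one high.
WEIGHTS = {"broad.dnsbl.example": 1.5, "strict.dnsbl.example": 4.0}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        scored = evaluate(ip, WEIGHTS, sample_resolver)
        # reject_at=1.0 models "refuse the connection on any single listing".
        hard = evaluate(ip, WEIGHTS, sample_resolver, reject_at=1.0)
        print(ip, "scoring:", scored, "| reject-on-any-hit:", hard[2])
```

With scoring, the neighbour at 192.0.2.10 that only appears on the broad list is still accepted, while the reject-on-any-hit policy turns it away along with the actual spam source.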

Re: Dreamhost has a spammer!

Posted by: nate
Posted on: 2005-03-14 07:09:00

- We are still very much anti-spam.

- Calm down.

- SPEWS can be pretty nutty.

- When you offer up your servers to anybody with a credit card, these things happen. What matters is how well you take care of problems as they come up.

- If you do, by chance, end up on a blocklist, you contact the list admins and get delisted. For the most part all of these mechanisms are run by sane organizations.

- While these things may seem immediately cut-and-dry to the complainant, they are sometimes slightly more complicated. I'm not commenting on this specific issue, just generally.

- See the first point. That's it in a nutshell.


nate.

Re: Dreamhost has a spammer!

Posted by: birdsong
Posted on: 2005-03-14 09:02:00

> - We are still very much anti-spam.

Good to hear. I see that webcam-ifriends.net is still up and still hosted by Dreamhost.

On the presumption that the original report in news.admin.net-abuse.email was correct I have to ask why they are still hosted at Dreamhost.

> - Calm down.

I am calm

> - SPEWS can be pretty nutty.

Some think so, but SPEWS also has a lot of subscribers.

> - When you offer up your servers to anybody with a credit card, these things happen. What matters is how well you take care of problems as they come up.

Right. What have you done?

> - If you do, by chance, end up on a blocklist, you contact the list admins and get delisted. For the most part all of these mechanisms are run by sane organizations.

Right. And it would be Dreamhost's job to do that. Not mine.

> - While these things may seem immediately cut-and-dry to the complainant, they are sometimes slightly more complicated. I'm not commenting on this specific issue, just generally.

What makes them complicated? Either they are spammers or they are not. If they are, you give 'em the boot.

What some say complicates the matter is that some spammers are said to pay hosting companies "extra" to not enforce their anti-spam policies.

While I'm not commenting on this specific issue, not knowing with absolute certainty that webcam-ifriends.net is spamming, I'm just wondering what makes this complicated.

Perchance have Dreamhost contacted AOL's abuse department to get their sense of the matter?


Re: Dreamhost has a spammer!

Posted by: birdsong
Posted on: 2005-03-14 10:00:00

Nate, I am now convinced that webcam-ifriends.net and ifriends.net are the same entity. Further, a search of groups.google.com has convinced me that ifriends.net are indeed spammers.

There's more: I also find that ifriends.net is also hosted at Dreamhost.

So, you could have found the same things I did. There are over 200 references to ifriends.net in the articles posted to the newsgroups news.admin.net-abuse.* ... I now have to ask the esteemed representative from dreamhost, the self proclaimed "Nerd Wrangler", why is ifriends.net and its cohort webcam-ifriends.net still hosted by dreamhost?

Are you getting paid extra to continue hosting them?


Re: Dreamhost has a spammer!

Posted by: macmanx
Posted on: 2005-03-14 10:57:00

Are you suggesting that every hosting provider gets thrown on a blacklist if it hosts a spammer? Consider the fact that every hosting provider has at least one spammer. If your statement was true, the internet would cease to exist. So, sit back, calm down, and let DreamHost handle this.

Re: Dreamhost has a spammer!

Posted by: birdsong
Posted on: 2005-03-14 12:07:00

No, I'm not suggesting that every hosting provider gets blocklisted if they host a spammer. But I will tell you affirmatively that hosting providers that continue hosting spammers after they have been notified that they are hosting spammers will almost certainly get themselves blocklisted.

All the spammer has to do is hit spamtrap addresses scraped from web pages or harvested from newsgroup posts. I'm told that the spamtraps operated by SPEWS will notify the hosting company. If the spam continues and the hosting company continues hosting the spammer, it pretty much guarantees a listing.

I was just notified by Dreamhost that webcam-ifriends.net is now down. Their web page now has a "temporarily unavailable" page.

Note that the domain ifriends.net is also hosted by Dreamhost. ifriends.net's pages look a lot like webcam-ifriends.net's. Note also that ifriends.net has, apparently, a well documented history of spamming in the newsgroups news.admin.net-abuse.*

I believe it is incumbent on all of us, as customers of Dreamhost, to help them police their IP-space for spammers. If I do not have credibility with you and if you wanna see some true horror stories told by hosting providers about spammer infestations, see: webhostingtalk.com. It ain't a pretty picture.

So, Thanks to Dreamhost.



Re: Dreamhost has a spammer!

Posted by: birdsong
Posted on: 2005-03-14 13:34:00

I said in my previous post:

> Note that the domain ifriends.net is also hosted by Dreamhost. ifriends.net's pages look a lot like webcam-ifriends.net's. Note also that ifriends.net has, apparently, a well documented history of spamming in the newsgroups news.admin.net-abuse.*

ifriends.net is NOT hosted at Dreamhost. I goofed! MeaCulpa! Just shoot me. ...

My apologies to Dreamhost.

I'll go back to my cave now.

