Spam email increase from / on Server #6

[FredWeb]

I signed up with Page-Zone late Friday night, transferred my domain, and started receiving email on the new server around mid-day Saturday as the nameserver change began propagating across the Net.

Ignoring the "default" email "catch all" account, I have noticed that the amount of spam sent to my valid email account in the first 24 hours was triple the average daily amount I experienced before at my previous hosting company. I and the hosting company were/are not using any spam filtering program or feature then or now. On the next day the quantity of spam doubled again and now three days later it is still climbing rapidly. The only thing I have done during this time was move my domain to Page-Zone, and that should not cause this drastic amd immediate change in quantity.

If I and an IT associate I consulted are reading the email headers correctly, it seems that the majority of the new spam I am receiving appears to be originated through the Server #6 email server, i.e. the first (and in this case the last) email server in the chain, meaning that some one is using SMTP on Server #6 to send their spam, either through their account or some other compromised method.

I spoke with Jim at Page-Zone this morning regarding my report to "abuse@...." and he was very helpful (as usual it seems from reading posts here) and interested in investigating the problem to see if in fact someone was really using a valid Page-Zone account or somehow accessing the server improperly to send spam to customers on the same server (and perhaps elsewhere).

He was interested in learning if any one else had experienced a noticeable increase in spam from or on this same server recently or if any new accounts on this server have noticed a similar significant rise in spam just after their account was established.

So if you read this post and are aware of a similar situation involving Server 6 please post your experience here so Jim can see if a pattern exists or starts to develop.

Thanks.

[swccgpc]

I have noticed a sizable increase in spam, but I'm not sure how I know what server its coming from.

[stratplan]

I had one definitely from page-zone servers on a new account just added. Sent it with headers to abuse at page-zone.com.

[Jim]

Quote:

Originally posted by stratplan
I had one definitely from page-zone servers on a new account just added. Sent it with headers to abuse at page-zone.com.

Check the email I sent back to you on this one. I also took the liberty of altering your post so that our abuse email isn't "harvestable".

Also anyone who is noticing an increase in spam should send some of the headers this way. Also if you publish your email address on your site in linkable form it is just a matter of time until an email harvester craws your site and adds your email address to its libarary and becomes part of a CD sold to spammers. Once that happens the spam you get increases dramatically. The same goes for posting your email addrss anywhere where it can be harvested by software which crawls the internet and/or usenet gathering email links (mailto: )

If you do it this way:
http://page-zone.com/contact.shtml
where all email text is not "harvestable" because they are posted as a non linked image the chances of getting on a spam CD such as one of these: http://search.yahoo.com/bin/search?p=email+address+list is greatly reduced. Our email addresses have been posted on our site for years and we still only get about one or two spams a day.

I have customers who's email address is posted on their site in link format and they now receive anywhere from 20-50 spams a day. There is also no way to stop it once you get on a bulk email list that particular email address is rendered useless forever in my opinion.

[FredWeb]

I have done a little more investigating after starting this thread. It seems that, contrary to what I was originally told, my previous hosting provider did in fact have some type of minimal spam blocking solution in place.

Next, after talking with a couple more "experts" I have learned that it is possible that certain mail servers favored or controlled by spammers may not always forward on the headers in "standard" format to the next mail server in the chain, which could cause Server 6 to show the originating email server as one line making it appear that it was the user's Internet location when it really may be the address of the first mail server in the chain suppressing its full information and masquerading as a user. When consulting with experts, get at least 3 opinions and if 2 of them are similar, you will be lucky.

So what I have been seeing as a new customer may be mostly the result of the above. My previous host was probably blocking obvious spam from high volume repeat offenders, and Page-Zone is passing everything addressed to me without restriction or censoring. Actually, I would rather have it that way because then *I* can chose how or if I want to filter it, using either Page-Zone's Spam Assassin feature or something local to my computer.

Sorry Jim, it looks like I was premature in sounding an alarm. I am so seldom wrong it bothers me when I am! After consulting experts and conducting my own test emails to and from the Page-Zone server and analyzing the headers on each, we were sure we were right. I failed to consider that certain mail servers may hide their existence and appear as a user.

And Jim's comments regarding safeguarding your email address are very important. In addition to protecting your email address on the web, when I send email to small groups of people, like a committee that I may be on, I always use blind addressing (BCC) to protect the privacy of the recipients. And I expect others to do the same for me. I never enter anyone's email address in one of those web forms to "email a copy to a friend." If I want them to see something I will paste the URL into an email and send it to them directly. I use a separate email address that is dedicated to "postings" so that if it becomes overwhelmed with spam I dispose of it and create a new one. That will help lengthen the "useful life" of your main address. And I never participate in chain letters and multiple forwarded email messages. My friends think I am paranoid. Maybe. But I prefer to consider it as prudent caution.

The email address that I have that is receiving all the spam is one that I have never listed on a web page, never used to post a newsgroup message, never used for a mailing list, and never used to register a product. It has only been given to about 20 people for "personal" email use. So it was likely harvested from one of those emails that some well-intentioned individual sent to "everyone in their address book" to warn of some impending doom or other false scam. After multiple forwarding by other naive people it was probably visible to many hundreds of people. Now if just one of those "down line recipients" is unethical, you are now potentially on a spam list of active addresses!

[Jeremy]

Quote:

Originally posted by Jim
...If you do it this way:
http://page-zone.com/contact.shtml
where all email text is not "harvestable" because they are posted as a non linked image the chances of getting on a spam CD such as one of these: http://search.yahoo.com/bin/search?p=email+address+list is greatly reduced. Our email addresses have been posted on our site for years and we still only get about one or two spams a day...

An equally effective way to render e-mail links non-"harvestable" is to utilize some simple javascript, such as:

<SCRIPT LANGUAGE="JavaScript">
user = "put_your_address_here";
site = "put_your_domain_name_here";
document.write('<a href=\"mailto:' + user + '@' + site + '\">');
document.write('E-mail</a>');
</script>

Works like a charm, and also provides clickable e-mail links for novice browsers!

[stratplan]

I wanted to add a few thoughts: the message I thought was spam from Page-Zone servers on closer inspection of headers appears to have originated from a spammer in France. Which means all the laws the US Congress could pass would be worthless against them and other off-shore thugs. I don't know how they got the *******server link in there, but they did. Thanks, Jim, for your time and help on this.

Next, this brings up a problem. If you use cgiemail for forms, the .txt file for response is sitting on your server, and evil bots can harvest the good email addresses from it - in my opinion. So what''s the answer there?

Finally. The .gif solution isn't good, for replies. why make it look like an email link if it isn't? It will frustrate novices and others wanting a clickable link to send email. IMO, I like the javascript idea, and might start using it. Now if I can just get all the viewers to use javascript....

[Jim]

I don't think anyone has ever manualy typed out out email link "image". Everyone uses the form below it. It also works across nearly every platform short of a cell phone browser. And might even work on some of those.

[harveyc]

Hey Jim, I remembered reading this a while back and was just checking it out again because I was thinking of putting in an e-mail form like you used.

However, I noticed that your contact page no longer has the form in it like it did when you wrote this post so it looks like people actually need to type out the e-mail address. I don't want my visitors to have to do that. Would you mind explaining why you made that change?

Thanks

[Jim]

Sorry. The form was taken out last week to try and channel mail support through the help desk and pre-sales questions to the forum. There is anywhere from 250 - 1000 emails coming in daily. Every server sends about 20-100 bounced mails sometimes up to 1000 on one server alone in a day. System notification mails, and there's a ton of spam coming in and it is nigh on impossible to weed out the 1 out of 200 important mails these days. Proof of that can be seen here:
http://www.page-zone.com/forums/show...?threadid=1046

It used to be that Outlook would apply rules pretty well and sort it out, but our pst folder now hovers around 1.8GB and Outlook is extremely unreliable in applying mail rules now. I still try and address all email but many just get totally missed in the wave of useless email.

[harveyc]

Thanks Jim for the reply. Yes, I saw that unforunate situation for that customer, but am amazed at how many posts you do reply to.

If someone else has an example of the e-mail form that I might take a look at, I'd appreciate seeing it. I'd just like to see how it is set up as I'm having trouble figuring it out in FrontPage. Thanks!

[allendick]

I've been directing all my links throughout my site to one page giving an address written using the script generator at http://jscript.dk/2002/3/obfuscate.html

allen

[midwest]

One of the best ways to confirm your email addressd is read email as HTML. Take a look at the source of one. Most have grraphics, some just a 1x1 pixel transparent one that has a unique name for each email sent. The HTTP logs are parsed for the graphic name and matched to db of addresses and, viola! You have just verified your address for some spammer.