Dreamhost has a spammer!


#1

According to the attached post in news.admin.net-abuse.email, the domain webcam-ifriends.net, hosted on Dreamhost, is spamming.

I opened a “site down” ticket (#991604) over 2 hours ago. … Nothing!

Wake up Dreamhost before you find your (MY!) outbound mailservers in so many blocklists that you lose customers because of no usable mail service.

Is anybody from dreamhost reading this forum!!!

YooHoo! … Hello! … Do something!

========= from news.admin.net-abuse.email ========
Path: sn-us!sn-xit-10!sn-xit-06!sn-xit-13!supernews.com!newsfeed.stanford.edu!postnews.google.com!f14g2000cwb.googlegroups.com!not-for-mail
From: “SuN Tsu” bananananae@spamblocked.com
Newsgroups: news.admin.net-abuse.email
Subject: iFriends pr0n bot army employs several layers of FUD to avoid detection
Date: 12 Mar 2005 09:43:39 -0800
Organization: http://groups.google.com
Lines: 451
Message-ID: 1110649419.897871.75950@f14g2000cwb.googlegroups.com
NNTP-Posting-Host: 205.188.116.6
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Trace: posting.google.com 1110649423 5280 127.0.0.1 (12 Mar 2005 17:43:43 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Sat, 12 Mar 2005 17:43:43 +0000 (UTC)
User-Agent: G2/0.2
Complaints-To: groups-abuse@google.com
Injection-Info: f14g2000cwb.googlegroups.com; posting-host=205.188.116.6;
posting-account=e7K3eQ0AAAA3qgManUm9s4NlYPInLVtR
Xref: sn-us news.admin.net-abuse.email:1322271

Spammy still controls armies of spamming pr0n bots.

iFriends has yet another pr0n army of almost 100 spamming bots in
place which employs multiple layers of FUD to avoid detection and
blocking by AOL which is currently hosted by New Dream Network LLC on
205.196.219.93 which is not listed in any BL.

Spammy’s pr0n bot army uses/spews social engineering in chat rooms to
get the intended victim to view their AOL profile(s) where their
spamvertised iFriends link awaits them …

AOL Profile for Semper fidelis08:

Name: My Pics and Webcam. Click here to see

http://home.flash.net/~roland/private/cam.html

which redirects to:

which redirects to:

http://members.lycos.co.uk/cram2k222/ifriends2.php

where it stores the data entered/email address

Clicking through to the spamvertised website, one finds:

Want to see me get NAUGHTY?

Follow these 3 steps and you’ll receive a FREE VIP PASS!

1.) Type your email address in the box below and click Submit.

2.) Check your email and look for a message titled ‘iFriends
Subscription Confirmation’

3.) Verify you’re above 18 by clicking the link in the mail.

Example: SCREENNAME@AOL.COM

<form method="post" action="http://members.lycos.co.uk/cram2k222/ifriends2.php"

Hmm, another iFriends spew. :(

Domain Name: webcam-ifriends.net

Registrant Contact:
Marc Justice marcjustice@bellsouth.net
Marc Justice
471 Parkridge ave.
Orange Park, FL 32065
US
+1.9042723196

Administrative Contact:
Marc Justice marcjustice@bellsouth.net
Marc Justice
471 Parkridge ave.
Orange Park, FL 32065
US
+1.9042723196

Technical Contact:
Marc Justice marcjustice@bellsouth.net
Marc Justice
471 Parkridge ave.
Orange Park, FL 32065
US
+1.9042723196

Billing Contact:
Marc Justice marcjustice@bellsouth.net
Marc Justice
471 Parkridge ave.
Orange Park, FL 32065
US
+1.9042723196

Record created on 2005-02-20 19:10:14.
Record expires on 2006-02-20 19:10:14.

Domain servers in listed order:

ns1.dreamhost.com
ns2.dreamhost.com
ns3.dreamhost.com

WEBCAM-IFRIENDS.NET

Website Title: iFriends - Adult Webcam Community
Response Code: 206
SSL Cert: No valid SSL on this Host
Website Status: Active
Reverse IP: Web server hosts 37 websites
Server Type: Apache/1.3.31 (Unix) DAV/1.0.3 mod_gzip/1.3.26.1a
PHP/4.3.10 mod_ssl/2.8.19 OpenSSL/0.9.6c

IP Address: 205.196.219.93

IP Location: California - Huntington Park - New Dream Network LLC

Blacklist Status: Clear

205.196.219.93 - IP hosts 37 Total Domains …


OrgName: New Dream Network, LLC
OrgID: NDN
Address: 5610 S. Soto St.
City: Huntington Park
StateProv: CA
PostalCode: 90255
Country: US

NetRange: 205.196.208.0 - 205.196.223.255
CIDR: 205.196.208.0/20
NetName: DREAMHOST-BLK3
NetHandle: NET-205-196-208-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.DREAMHOST.COM
NameServer: NS2.DREAMHOST.COM
NameServer: NS3.DREAMHOST.COM
Comment:
RegDate: 2004-05-18
Updated: 2004-05-18

OrgAbuseHandle: DAT5-ARIN
OrgAbuseName: DreamHost Abuse Team
OrgAbusePhone: +1-323-583-7991
OrgAbuseEmail: abuse@dreamhost.com

OrgTechHandle: ZD69-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-323-583-7991
OrgTechEmail: netops@dreamhost.com

Domain Name: dreamhost.com

Registrant Contact:
DreamHost Web Hosting internic@DREAMHOST.COM
DreamHost Web Hosting
PO BOX 5479
Huntington Park, CA 90255
US
+1.2139471032

Administrative Contact:
DreamHost Web Hosting internic@DREAMHOST.COM
DreamHost Web Hosting
PO BOX 5479
Huntington Park, CA 90255
US
+1.2139471032

Technical Contact:
DreamHost Web Hosting internic@DREAMHOST.COM
DreamHost Web Hosting
PO BOX 5479
Huntington Park, CA 90255
US
+1.2139471032

Billing Contact:
DreamHost Web Hosting internic@DREAMHOST.COM
DreamHost Web Hosting
PO BOX 5479
Huntington Park, CA 90255
US
+1.2139471032

Record created on 1997-09-22 21:00:00.
Record expires on 2013-09-21 21:00:00.

Domain servers in listed order:

ns1.dreamhost.com
ns2.dreamhost.com
ns3.dreamhost.com


var url = "http://1-dream.com/ars/hsn/index2.html";

EPICCASH LLC
100 ALMADEN BLVD
N/A
SAN JOSE, CA 95110
US

Domain name: 1-DREAM.COM

Administrative Contact:
LLC, EPICCASH WEBMASTER@EPICCASH.COM
100 ALMADEN BLVD
N/A
SAN JOSE, CA 95110
US
408-947-8075
Technical Contact:
LLC, EPICCASH WEBMASTER@EPICCASH.COM
100 ALMADEN BLVD
N/A
SAN JOSE, CA 95110
US
408-947-8075

Registrar of Record: TUCOWS, INC.
Record last updated on 02-Jun-2004.
Record expires on 30-May-2005.
Record created on 30-May-2002.

Domain servers in listed order:

NS1.SPLITINFINITY.NET 130.94.133.17
NS2.SPLITINFINITY.NET 130.94.133.18


Now lettuce™ have a look to see if spammy has any other pr0n bots
with this identical AOL profile.

Member Directory Search Results

aol://4950:0000010000|advanced:|member_name:My Pics and Webcam. Click
here to see


Immediate arrival of a confirmation email merely confirms the identity
of the spammer as webcam-ifriends.net

Click here to Confirm your Subscription

http://webcam-ifriends.net/

There’s been a decrease in AOL niche pr0n spamming of late. Hopefully
AOL is slowly turning the screws on those who believe themselves
impervious to punishment.

Cheers,

SuN


#2

You need to submit this to DreamHost’s abuse department, not the user support forums.


MacManX.com
I don’t work here. I’m just your typical support forum volunteer.


#3

Done that:
abuse@dreamhost.com

almost 4 hours now.

Is anybody minding the abuse queue?


#4

Generally, you don’t get any feedback until the situation is contained. Give them 24 hours.


MacManX.com
I don’t work here. I’m just your typical support forum volunteer.


#5

How do you know they haven’t already taken care of it?

Speaking as someone who recently wrapped up four+ years in an abuse department, I’d be very surprised if they return your e-mail personally. It’s far too time-consuming to personally reply to every report unless there’s some specific reason to. We usually didn’t, but this should not be taken as meaning we didn’t act on every report we received.


If you want useful replies, ask smart questions.


#6

[quote]your from address is filtered out.

[/quote]

Why might that be?


#7

I doubt they would implement something like this for an abuse address. Mail to this address could come from anywhere, and usually won’t be from DH customers. Nothing will get an ISP a bad reputation faster than not accepting abuse or postmaster mail.


If you want useful replies, ask smart questions.


#8

I see - thanks.


#9

How do I know they haven’t taken care of it (19 hours since the report was made)?

… The offending site (webcam-ifriends.net) is still up and running. That’s how I know.


#10

But have they stopped spamming you?


MacManX.com
I don’t work here. I’m just your typical support forum volunteer.


#11

macmanx wrote:

[quote]But have they stopped spamming you?

[/quote]

They have never spammed me.

I guess the significance of a spammer on Dreamhost is not readily apparent. Dreamhost have been, to this point, militantly anti-spam. Because of that, we, as Dreamhost customers haven’t had the problems that customers at other hosting companies have had getting their own mail delivered. … So, here is a short tutorial.

The alleged spammers are “AOL niche spammers”, that is, they are said to spam AOL users primarily, using virus infected PCs as zombie spam agents. The spam does not originate from Dreamhost IP-space, but the “payload” of the spam points to a Dreamhost hosted URL. … This is where the suckers sign up to see porn, providing a credit card number. … Would you provide your credit card number to someone who used virus infected PCs to send spam? … I didn’t think so, but AOL users, I’ll not even speculate about why, seem to be especially vulnerable to this kind of spam.

The tutorial: There is a mechanism that is built in to most Mail Transfer Agents (MTA) that will look up an IP-address in a DNSBL (Domain Name System Block List). There are many DNSBLs published by various entities on the web. See this for a hint: http://www.dnsstuff.com … In the query box titled “spam database lookup” (first row, center on the page) plug in the IP-address of one of your spam sources. You probably do not have many spams if you are using Dreamhost’s spam filters (SpamAssassin) because those same filters use several well respected DNSBLs.

Many, many ISPs use the DNSBLs to refuse (yes, block the connection altogether) SMTP connections from IP-space listed in DNSBLs.

Suppose Dreamhost’s IP-space gets listed in SPEWS (a popular, effective, neither conservative nor aggressive. See: http://www.spews.org) DNSBL? Some would say that up to 40% of all email addresses would never see any email from any Dreamhost customer!

Worse, many ISPs, in addition to using the public DNSBLs, maintain their own DNSBLs. While the public DNSBLs are actively maintained by their owners/operators, many private DNSBLs are “set and forget”. This means that once a set of IP-addresses gets into that private DNSBL, they never come out. For the Dreamhost customer with correspondents at those ISPs using private DNSBLs, the problem of getting your mail to your correspondents is monumental, all because Dreamhost did not do their jobs in killing the spammers in their IP-space.

But wait! There’s more. Carl Hunzler, head anti-spam fellow at AOL, is said to place blocks on the payload addresses of spam received by AOL customers. This means that AOL users will not see web sites hosted at Dreamhost. … What does that mean to you?

Should Dreamhost get its IP-space listed in SPEWS or SBL, I will have to move to a different hosting provider.


#12

[quote]… The offending site (webcam-ifriends.net) is still up and running. That’s how I know.

[/quote]

Good point. I was doing other things at the time I wrote that and somehow didn’t even think to check the site. I agree that the spamvertised site should be terminated immediately.

[quote]SPEWS (a popular, effective, neither conservative nor aggressive

[/quote]

You’re joking, right? SPEWS, not aggressive? The BL that habitually lists entire netblocks due to one compromised host? The same organization that tries to avoid accountability to the point where the only way to contact them is to post to n.a.n-a.e and hope that one of them notices it?

Don’t get me wrong, I am a big believer in blacklists in general, but SPEWS just leaves a bad taste in my mouth. I’m not alone in feeling this way either. Their BL may be fine for someone filtering their own mail, but no one responsible for the mail of others should even think about using this list for anything other than scoring (low scoring, at that); it should certainly not be used as a basis for rejecting mail outright.

Even their DUL is faulty. In my previous abuse work, someone once (against my and others’ better judgement) imported their DUL into our own in-house BL and we saw an absolutely huge number of false positives. We had to manually adjust or remove literally dozens of addresses and ranges that weren’t actually dynamic, some of which hadn’t been for quite some time. Most of these ranges were trivially verified as being static by checking ARIN records or even just reverse DNS.

[quote]Carl Hunzler, head anti-spam fellow at AOL, is said to place blocks on the payload addresses of spam received by AOL customers. This means that AOL users will not see web sites hosted at Dreamhost.

[/quote]

Are you sure he didn’t mean that he uses the presence of these URLs as a basis for scoring mail, like what you can do using the URIDNSBL SpamAssassin plugin? If not, and they’re actually blocking outbound HTTP traffic to these sites, are you certain they’re blocking IP addresses and not just the spamvertised domains? Due to the prevalence of shared hosting and the enormous number of false positives that this can cause, I find it pretty unlikely that AOL is dropping traffic to other sites hosted on the same IP addresses.


If you want useful replies, ask smart questions.
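
The DNSBL lookup described in post #11 and the score-versus-reject distinction raised in post #12, as an added example that is not part of either post. The zone names, weights, tagging threshold and DNS answers are constructed for illustration; the default resolver is swapped for a dictionary so the example runs offline.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the name an MTA looks up: reversed address labels + list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # IPv4: octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # IPv6: hex nibbles
    return ".".join(labels) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(answer):
    """Only an answer inside 127.0.0.0/8 means 'listed'. Anything else
    (for example a parked or wildcarded zone) is treated as not listed."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def evaluate(ip, zones, resolver=system_resolver, tag_at=5.0):
    """zones: (zone, action, weight) tuples; action is 'reject' or 'score'."""
    score, hits, decision = 0.0, [], "accept"
    for zone, action, weight in zones:
        if not is_listed(resolver(dnsbl_query_name(ip, zone))):
            continue
        hits.append(zone)
        if action == "reject":
            decision = "reject"      # hard block at SMTP time
        else:
            score += weight          # only contributes to the spam score
    if decision != "reject" and score >= tag_at:
        decision = "tag"
    return decision, score, hits


# Hypothetical policy: one conservative list rejects, broader lists only score.
ZONES = [("strict.dnsbl.example", "reject", 0.0),
         ("wide.dnsbl.example", "score", 1.5),
         ("parked.dnsbl.example", "score", 3.0)]

# Constructed DNS answers standing in for real lookups.
FAKE_DNS = {
    "93.219.196.205.wide.dnsbl.example": "127.0.0.2",
    "93.219.196.205.parked.dnsbl.example": "192.0.2.10",  # not 127/8: ignored
    "2.0.0.127.strict.dnsbl.example": "127.0.0.2",        # conventional test entry
}

if __name__ == "__main__":
    for ip in ("205.196.219.93", "127.0.0.2"):
        print(ip, evaluate(ip, ZONES, resolver=FAKE_DNS.get))
```

With the constructed answers, an address that appears only on the broad list is accepted with a small score, which is the behaviour post #12 argues for when a list is known to include whole netblocks.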


#13
  • We are still very much anti-spam.

  • Calm down.

  • SPEWS can be pretty nutty.

  • When you offer up your servers to anybody with a credit card, these things happen. What matters is how well you take care of problems as they come up.

  • If you do, by chance, end up on a blocklist, you contact the list admins and get delisted. For the most part all of these mechanisms are run by sane organizations.

  • While these things may seem immediately cut-and-dry to the complainant, they are sometimes slightly more complicated. I’m not commenting on this specific issue, just generally.

  • See the first point. That’s it in a nutshell.

nate.


#14

[quote]- We are still very much anti-spam.

[/quote]

Good to hear. I see that webcam-ifriends.net is still up and still hosted by Dreamhost.

On the presumption that the original report in news.admin.net-abuse.email was correct I have to ask why they are still hosted at Dreamhost.

[quote]- Calm down.

[/quote]

I am calm

[quote]- SPEWS can be pretty nutty.

[/quote]

Some think so, but SPEWS also has a lot of subscribers.

[quote]- When you offer up your servers to anybody with a credit card, these things happen. What matters is how well you take care of problems as they come up.

[/quote]

Right. What have you done?

[quote]- If you do, by chance, end up on a blocklist, you contact the list admins and get delisted. For the most part all of these mechanisms are run by sane organizations.

[/quote]

Right. And it would be Dreamhost’s job to do that. Not mine.

[quote]- While these things may seem immediately cut-and-dry to the complainant, they are sometimes slightly more complicated. I’m not commenting on this specific issue, just generally.

[/quote]

What makes them complicated? Either they are spammers or they are not. If they are, you give 'em the boot.

What some say complicates the matter is that some spammers are said to pay hosting companies “extra” to not enforce their anti-spam policies.

While I’m not commenting on this specific issue, not knowing with absolute certainty that webcam-ifriends.net is spamming, I’m just wondering what makes this complicated.

Perchance have Dreamhost contacted AOL’s abuse department to get their sense of the matter?


#15

Nate, I am now convinced that webcam-ifriends.net and ifriends.net are the same entity. Further, a search of groups.google.com has convinced me that ifriends.net are indeed spammers.

There’s more: I also find that ifriends.net is also hosted at Dreamhost.

So, you could have found the same things I did. There are over 200 references to ifriends.net in the articles posted to the newsgroups news.admin.net-abuse.* … I now have to ask the esteemed representative from dreamhost, the self proclaimed “Nerd Wrangler”, why are ifriends.net and its cohort webcam-ifriends.net still hosted by dreamhost?

Are you getting paid extra to continue hosting them?


#16

Are you suggesting that every hosting provider gets thrown on a blacklist if it hosts a spammer? Consider the fact that every hosting provider has at least one spammer. If your statement was true, the internet would cease to exist. So, sit back, calm down, and let DreamHost handle this.


MacManX.com
I don’t work here. I’m just your typical support forum volunteer.


#17

No, I’m not suggesting that every hosting provider gets blocklisted if they host a spammer. But I will tell you affirmatively that hosting providers that continue hosting spammers after they have been notified that they are hosting spammers will almost certainly get themselves blocklisted.

All the spammer has to do is hit spamtrap addresses scraped from web pages or harvested from newsgroup posts. I’m told that the spamtraps operated by SPEWS will notify the hosting company. If the spam continues and the hosting company continues hosting the spammer, it pretty much guarantees a listing.

I was just notified by Dreamhost that webcam-ifriends.net is now down. Their web page now has a “temproarily unavailable” page.

Note that the domain ifriends.net is also hosted by Dreamhost. ifriends.net’s pages look a lot like webcam-ifriends.net’s. Note also that ifriends.net has, apparently, a well documented history of spamming in the newsgroups news.admin.net-abuse.*

I believe it is incumbent on all of us, as customers of Dreamhost, to help them police their IP-space for spammers. If I do not have credibility with you and if you wanna see some true horror stories told by hosting providers about spammer infestations, see: webhostingtalk.com. It ain’t a pretty picture.

So, Thanks to Dreamhost.


#18

I said in my previous post:

[quote]Note that the domain ifriends.net is also hosted by Dreamhost. ifriends.net’s pages look a lot like webcam-ifriends.net’s. Note also that ifriends.net has, apparently, a well documented history of spamming in the newsgroups news.admin.net-abuse.*

[/quote]

ifriends.net is NOT hosted at Dreamhost. I goofed! Mea culpa! Just shoot me. …

My apologies to Dreamhost.

I’ll go back to my cave now.