I wasn't quite sure where to put this but since it involves a supposed breaking of an AUP then I guess it's sort of legal-related... Basically, I logged on to one of my sites earlier today to see that it had been suspended. No E-Mail, just a suspended page. Naturally I got in touch with technical support pretty quickly, who said that my account had been suspended and would be terminated once I had retrieved the files from my account, as I had broken their acceptable use policy. The reason they gave is below:

------------------------------------------------------------------------
Dear John O'nions

We have sent you an email in the middle of the day regarding that problem: We got a Spam activity/outbreak alert from Datacenter/NOC. Such activities are a violation of our AUP with you. Such activities result in BLACKLISTING of this server's MAIN IP at all RBL sites (e.g. Aol, Verizon, Comcast, RR, Outblaze, spamcop.net). We have Zero Tolerance for spam at our network. Account suspended, escalated to be removed from our network.
Below is the Full complaint for your review:-
===============================================================================================
http://postmaster.aol.com/contact
Feedback-Type: abuse
User-Agent: AOL SComp
Version: 0.1
Received-Date: Wed, 12 Mar 2008 06:13:25 -0500
Source-IP: 207.210.120.234
Reported-Domain: arbi.nswebhost.com
Redacted-Address: redacted
Redacted-Address: redacted@
Return-Path: <good@easycraftprojects.net>
Received: from rly-db03.mx.aol.com (rly-db03.mail.aol.com [172.19.130.78]) by air-db09.mail.aol.com (v121.4) with ESMTP id MAILINDB092-aba47d7acae225; Wed, 12 Mar 2008 06:13:25 -0500
Received: from arbi.nswebhost.com (arbi.nswebhost.com [207.210.120.234]) by rly-db03.mx.aol.com (v121.4) with ESMTP id MAILRELAYINDB038-aba47d7acae225; Wed, 12 Mar 2008 06:13:03 -0500
Received: from [127.0.0.1] (port=58780 helo=localhost) by arbi.nswebhost.com with esmtpa (Exim 4.68) (envelope-from <good@easycraftprojects.net>) id 1JZF7f-0007kI-0q; Tue, 11 Mar 2008 19:47:11 -0500
Received: from 83.229.101.70 ([83.229.101.70]) by easycraftprojects.net (Horde MIME library) with HTTP; Tue, 11 Mar 2008 19:47:09 -0500
Message-ID: <20080311194709.ef31j4xiw444o4ko@easycraftprojects.net>
Date: Tue, 11 Mar 2008 19:47:09 -0500
From: Mary Adams <good@easycraftprojects.net>
Reply-to:
To:
Subject: CONTACT EMS COURIER SERVICE
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - arbi.nswebhost.com
X-AntiAbuse: Original Domain - aol.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - easycraftprojects.net
X-Source:
X-Source-Args:
X-Source-Dir:
X-AOL-IP: 207.210.120.234
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo : n
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from : n
X-Mailer: Unknown (No Version)

Seasons Greetings and Happy New Year!!!

Dear Friend,

I have been waiting for you to contact me for your Confirmable check of $650.000.00 United States Dollars, after you were unable to come up with the shipping fees, but I did not hear from you since that time. Then I went and deposited the Check with EMS COURIER SERVICE, West Africa, I would travelled out of the country for a 3Months Course and I will not come back till end. What you have to do now is to contact the EMS COURIER SERVICE as soon as possible to know when they will deliver your check to you because of the expiring date. For your information, I have paid for the delivering Charges, Insurance premium fees and Clearance Certificate Fees of the Check showing that it is not a Drug Money. The only money you will send to the EMS COURIER SERVICE to deliver your Check direct to your postal Address in your country is ($120.00 USD) Dollars only being Security Keeping Fee for the check of the Courier Company so far. Again, don't be deceived by anybody to pay any other money except $120.00 US Dollars. I would have paid that but they said no! because they don't know when you will contact them and in case of demurrage. You have to contact the EMS COURIER SERVICE now for the delivery of your Check with this information below:

Director General EMS Express West Africa
Mr. Charles Martins
Email Address:
Tel: +234 702 770 2782

Finally, make sure that you reconfirm your Postal address and direct telephone number to them again to avoid any mistake on the Delivery and ask them to give you the tracking number after you must have sent the fees of $120.00 dollars for the Security fees to enable you track your package over there and know when it will get to your address.

Let me repeat again, try to contact them as soon as you receive this email to avoid any further delay and remember to pay them their Security Keeping fee of $120.00 US Dollars for their immediate action. You should also let me know through email as soon as you receive your check.

Yours Faithfully,
Mrs Mary Adams
===============================================================================================
At server logs:-
===============================================================================================
2008-03-11 19:47:11 1JZF7f-0007kI-0q <= H=(localhost) [127.0.0.1]:58780 I=[127.0.0.1]:25 P=esmtpa A=fixed_login:good@easycraftprojects.net S=2928 id=20080311194709.ef31j4xiw444o4ko@easycraftprojects.net T="CONTACT EMS COURIER SERVICE" from <good@easycraftprojects.net> for [recipient list elided]
--More--

Webmail activity :
208.78.62.100 - [03/11/2008:16:47:31 -0000] "GET /webmail/x3/ HTTP/1.1" 200 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:47:57 -0000] "GET /cPanel_magic_revision_1184431225/webmail/x3/branding/local.css HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:48:01 -0000] "GET /cPanel_magic_revision_1202377575/webmail/x3/css/combined_optimized.css HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:52:36 -0000] "GET /cPanel_magic_revision_1200477192/webmail/x3/yui/utilities_container/utilities_container.js HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:53:39 -0000] "GET /cPanel_magic_revision_1202463886/webmail/x3/js/x3_optimized.js HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:54:09 -0000] "GET /cPanel_magic_revision_1184431222/webmail/x3/branding/top-logo.png HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:54:09 -0000] "GET /cPanel_magic_revision_1200477179/webmail/x3/css/ie6.css HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:54:23 -0000] "GET /webmail/x3/images/horde.gif HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:54:30 -0000] "GET /webmail/pngbehavior.htc HTTP/1.1" 404 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:54:32 -0000] "GET /cPanel_magic_revision_1184431222/webmail/x3/branding/top-logo.png HTTP/1.1" 200 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:54:36 -0000] "GET /cPanel_magic_revision_1184431225/webmail/x3/branding/password.jpg HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:54:47 -0000] "GET /webmail/x3/images/squirrelmail_logo.gif HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:55:02 -0000] "GET /roundcube/skins/default/images/roundcube_logo.png HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:55:08 -0000] "GET /cPanel_magic_revision_1184431224/webmail/x3/branding/forwardersemail.gif HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
208.78.62.100 - [03/11/2008:16:55:12 -0000] "GET /cPanel_magic_revision_1184431217/webmail/x3/branding/responder.jpg HTTP/1.1" 200 0 "http://easycraftprojects.net:2095/webmail/x3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
--More--
===============================================================================================

Unfortunately, our CEO does not allow any kind of spam on our clients, since it might lead to the blacklisting of all our company servers and to losing all our clients.
So we have to ask you for the PayPal account you want us to credit this month's payment to, since we received orders to give you all your files and kindly ask you to move to another hosting company. It is nothing particular with you, it is just the company policy.

Please feel free to contact us,

Regards,
[Hosting Provider]
----------------------------------------------------------------------

The account doesn't (as far as I'm aware) exist and never has done. I have never sent unsolicited E-Mail and I object strongly to the suggestion that I have. Is there any way I can come back on this, or is the above more than enough to axe me? They've been reasonable hosts and I just feel so angry that my account has been terminated in this fashion given that I have done nothing wrong. Sure, if someone has gotten hold of my login details then I will take full responsibility, but as far as I know these E-Mails have been spoofed - the return address is a French Yahoo account! The server logs only suggest somebody accessing the Webmail page - is there anything that proves that somebody actually logged in, or did they only try and not succeed? Any advice would be much appreciated; it's not the moving hosts that bothers me, it's the principle. Thanks in advance. John
It seems I posted slightly prematurely - I've since received a response with my files and offering a refund of the payment that's just been taken. It's still very unsatisfactory that somebody abusing my domain can lead to the termination of hosting accounts - Is there anything I can do in future to protect myself or are we all subject to the consequences of spammers? John
It could be two things: either a phishing email, or maybe someone used an unsecured form on your site to send email. You can ask them about that; just tell them you do not have this account and you suspect that you may be a victim. Your provider should find it easy to ascertain from the headers and from their logs.
Same thing happened to me. Looks like the same email as well. My host understood, told me to change passwords and that was it. Then I was alerted to another AUP violation which I thought I was clear of and they suspended my account. Took 3 days to provide my backups but the other accounts on the account were active. These hosts just outright suck. They like to offer 9.99 hosting and when you use it to what they offer they can't handle it and want you gone. The server hustle has cost me so much time and money. I was even paying for a dedicated server for 200.00 and it was drama. Be lucky you got your data. Not sure what host but I've been looking for a good one lol. I end up back at HostGator, at least I get a referral from their affiliate each time lol.
I am not sure I can agree with that. The people who send spam, etc., go for the low-hanging fruit. They scan thousands of servers using automated software that looks for the ones with the most obvious security holes. Obviously a crime is ultimately the fault of the perpetrator, but nevertheless if you get hijacked for spamming it normally means that you did not take basic care in protecting your site/server.
As far as being hacked, the question is whether the sending IP address in the email header resolves to the IP address of your host's mail server. If it does then you were hacked (or your host was). If it doesn't, then they simply spoofed the sender email address (which can be done from any mail server). However, even if you were not hacked, you can try to get the host to change their mind, but depending on where you live (assuming the US) they have the right to refuse service to anyone.
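The check described in this reply, and John's earlier question of whether the logs prove an actual login, written out as an added example for this thread (not code from any poster): it walks the Received chain quoted in the complaint above to see whether the host's MX really relayed the message and, if so, through which hop it entered, and it reads the Exim `P=esmtpa A=...` fields that are only written after a successful SMTP AUTH. The host IP, the set of host names and the SPOOFED comparison chain are constructed/assumed here.

```python
import re

# Constructed sample input: the Received hops from the complaint quoted in
# this thread (newest hop first, as in a real header, ids and dates trimmed)
# and the matching Exim log line. SPOOFED is a made-up chain for comparison.
RECEIVED = [
    "from arbi.nswebhost.com (arbi.nswebhost.com [207.210.120.234]) "
    "by rly-db03.mx.aol.com (v121.4) with ESMTP",
    "from [127.0.0.1] (port=58780 helo=localhost) by arbi.nswebhost.com "
    "with esmtpa (Exim 4.68) (envelope-from <good@easycraftprojects.net>)",
    "from 83.229.101.70 ([83.229.101.70]) by easycraftprojects.net "
    "(Horde MIME library) with HTTP",
]
EXIM = ("2008-03-11 19:47:11 1JZF7f-0007kI-0q <= H=(localhost) [127.0.0.1]:58780 "
        "I=[127.0.0.1]:25 P=esmtpa A=fixed_login:good@easycraftprojects.net S=2928")
SPOOFED = ["from mail.example.net (mail.example.net [198.51.100.7]) "
           "by rly-db03.mx.aol.com (v121.4) with ESMTP"]

HOST_IP = "207.210.120.234"               # the host's MX, from the complaint
HOST_NAMES = {"arbi.nswebhost.com", "easycraftprojects.net"}  # assumed names
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(hop):
    """Pull client IP, receiving host and protocol out of one Received header."""
    from_part, _, by_part = hop.partition(" by ")
    ip = IP_RE.search(from_part)
    proto = re.search(r"\bwith\s+(\w+)", by_part)
    return {"ip": ip.group(1) if ip else None,
            "by": by_part.split()[0] if by_part else None,
            "proto": proto.group(1).lower() if proto else None}


def classify(received, host_ip=HOST_IP, host_names=HOST_NAMES):
    """Decide whether the host relayed the mail and, if so, how it got in."""
    if not any(parse_hop(h)["ip"] == host_ip for h in received):
        # The host's MX never hands the message to the recipient's relay:
        # only the From address was forged, nothing ran on the host.
        return {"verdict": "spoofed", "client_ip": None}
    for hop in reversed(received):        # oldest hop first
        p = parse_hop(hop)
        if p["by"] in host_names:         # first hop taken by our host = entry point
            verdict = {"http": "webmail",
                       "esmtpa": "authenticated_smtp"}.get(p["proto"], "unauthenticated")
            return {"verdict": verdict, "client_ip": p["ip"]}
    return {"verdict": "relayed_unknown_entry", "client_ip": None}


def authenticated_user(exim_line):
    """Exim logs P=esmtpa plus A=<authenticator>:<user> only after SMTP AUTH succeeded."""
    m = re.search(r"\bP=esmtpa\b.*?\bA=\w+:(\S+)", exim_line)
    return m.group(1) if m else None
```

For the complaint above this yields a webmail entry from 83.229.101.70 and an authenticated submission as good@easycraftprojects.net, which is the evidence the host would point to; a mail that merely forged the From address would show no hop from the host's IP at all.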
I had something similar happen when a php-nuke script on one of my sites was hacked to pump out emails - apparently a known vulnerability in that version, and it was a nuke version that the host had made available through cPanel. What bothered me most in their termination email to me was the tone and automatic assumption that I was a hacker and not a victim. I moved to a better/nicer host and never looked back.
Actually I have restored/moved/relocated many more than that. cPanel does it in about 5 clicks and then you change your DNS and PRESTO! The sites are moved without a wink of downtime... Technically you are at fault if you are hacked.