Welcome to the JaguarPC Community
This is a discussion on spam referring users to script on my site in the Open Discussion & Chit-chat forum

  1. #1
    JPC Addict
    Join Date
    Aug 2002
    Posts
    224

    spam referring users to script on my site

    Yes, someone has been using my URL to send spam, but today I've got a lot of that mail sent to my email (with the same URL).

    Below is one of them:

    Dear Valued Member,

    According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.

    http://www.myURL.com/confirm.php?email=dan@myurl.com

    Thank you for your attention to this question. We apologize for any inconvenience.

    Sincerely, Duckpondwebs Security Department Assistant.



    There is no script, that I can find in the root directory.

    Anything I can do to stop this?

    Tom

  2. #2
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    I'm not sure I understand your dilemma other than to say that you are getting flooded with emails containing an irrelevant link. Since your email contains a link to a non-existent URL, in this case a script, any GETs for it should produce a FileNotFound error if someone clicks on it (or copy-pastes it in their browsing agent). Is this email a text file or is it HTML? The visible text could be concealing another link than the one that is shown if the email is HTML. You could confirm this, though I'm not sure this would really shed much information on your issue.

    Can you post the email headers (disguising, of course, any personally identifiable material for you specifically)? Maybe that will at least identify the source(s).

    If it's a crack attempt, I'm not sure what this would accomplish. I guess I need more info.

  3. #3
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Short answer: nothing. You could, of course, try reporting this to the FBI, or the sender's ISP (if you can track that down), but such attempts are usually not very fruitful these days. Like most spam, the spammers will eventually move on. What exactly do they think they can get out of sending people to a fake URL on your site, anyway?

    One thing that you could do is put up a confirm.php page that alerts people that they have received a forged spam message and that it did not come from your site. You could also follow up with some email safety tips (see virtually any banking website for ideas). Who knows, if you play it right you might even gain some business based on your honesty and helpfulness.

    If you store any kind of customer data on your site you should probably do a review of all of your logs to make sure it didn't fall into the wrong hands. You can review your HTTP logs through CPanel, support can probably provide you with other logs, like MySQL.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  4. #4
    JPC Addict
    Join Date
    Aug 2002
    Posts
    224
    Source code of message is:
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1">
    <html>
    <body>
    <BR><STRONG>Dear Valued Member, </STRONG><BR>
    <BR>According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.<BR>
    <BR><a href="http://205.138.199.146/confirm.php?email=sam@mySite.com">http://www.mySite.com/confirm.php?email=sam@mySite.com</a><BR>
    <BR>Thank you for your attention to this question. We apologize for any inconvenience.<BR>
    <BR>Sincerely,mySite Security Department Assistant.<BR>
    </body>
    </html>

    Looks like 205.138.199.146 is the IP address. I haven't been through this before; what's the next step?

    Thanks,

    Tom
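    The message source above shows the classic phishing trick: the visible link text names the victim's own site while the href points at a raw IP. The following is an added example (not from the thread or from JaguarPC) that parses a mail body with the standard library and flags every anchor whose displayed URL host differs from the real href host; the HTML and hosts in it are constructed, modelled on the posted message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the message posted above (documentation IP, not the real one).
SAMPLE_HTML = """<html><body>
<BR><STRONG>Dear Valued Member, </STRONG><BR>
<BR><a href="http://203.0.113.10/confirm.php?email=sam@example.com">http://www.example.com/confirm.php?email=sam@example.com</a><BR>
<BR><a href="http://www.example.com/help">http://www.example.com/help</a><BR>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """Return anchors whose visible text is a URL on a different host than the href target."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text)
        real = urlparse(href)
        if shown.hostname and real.hostname and shown.hostname.lower() != real.hostname.lower():
            hits.append({"shown_host": shown.hostname, "real_host": real.hostname, "href": href})
    return hits


if __name__ == "__main__":
    for hit in deceptive_links(SAMPLE_HTML):
        print(hit)
```

    Run against the sample, only the confirm.php anchor is reported; the second link, whose text and href agree, passes.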

  5. #5
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    First thing to do is a whois lookup on the IP address at arin.net. That will tell you who "owns" the IP address. Send an email to one of their contacts with the URL identified above (actually, attach the whole message) saying that someone on their network is spoofing your site and ask to have that site taken offline. (The IP address isn't responding for me, so I have a feeling that that's already been done.)

    Open the original email with full headers if you can (if it is a bounce they may or may not be there). Look for the lines that start with "Received:"; this is the list of all of the mail servers that the message has bounced through on its way to the original recipient, a roadmap of its trip. Usually the bottommost Received: header is the one that identifies where the message originated and what server the message first passed through. You can run a whois at Arin on that IP and get a contact for the "owner" of that IP address (and presumably that server). Forward the message on to them as well. Note, however, that every bounce you receive may have originated at a different server.

    Take a look at www.cybercrime.gov for more information about what you can do to fight this.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
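    To make the header-walking step above concrete, here is an added example (not from the thread or from JaguarPC) that reads the Received: chain of a raw message from the bottom up and pulls out the relay IP at each hop; the message, hosts and IPs are constructed for the demo.

```python
import re
from email import message_from_string

# Constructed sample with full headers (documentation-range IPs, not the thread's real addresses).
RAW_MESSAGE = """Return-Path: <bounce@example.net>
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby mail.example.org with ESMTP id abc123
\tfor <tom@example.org>; Tue, 10 Feb 2004 10:02:11 -0500
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP id def456; Tue, 10 Feb 2004 10:02:01 -0500
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.com with SMTP id ghi789; Tue, 10 Feb 2004 10:01:55 -0500
From: "Security Department" <noreply@example.org>
Subject: Confirm your account

Dear Valued Member, ...
"""

# "from <name> (... [ip]) by <server>": the bracketed IP is what the receiving server saw.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\bby\s+(?P<by>\S+)")


def trace_hops(raw):
    """Return the relay hops in delivery order (first hop first)."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its own header, so the last Received: is the earliest hop.
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())        # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append({"from": m["from"], "ip": m["ip"], "by": m["by"]})
        else:
            hops.append({"raw": flat})       # unparsed hop, keep it visible for manual review
    return hops


def origin_ip(raw):
    """IP of the earliest hop; this is the address to look up in whois.
    The sender controls everything below the first trusted relay, so the lowest
    header can be forged and should be confirmed against the next hop up."""
    hops = trace_hops(raw)
    return hops[0].get("ip") if hops else None


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(RAW_MESSAGE), 1):
        print(i, hop)
    print("origin:", origin_ip(RAW_MESSAGE))
```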

  6. #6
    JPC Addict
    Join Date
    Aug 2002
    Posts
    224
    Thank you Jason. I'm following your instructions now. I appreciate your knowledge and helpfulness.

    Regards,

    Tom
