Osenoa Mail Miklos Bacso <Miklos Bacso>
[qamb 20371250] URGENT: Account Concerns...
DreamHost Abuse/Security Team <support@dreamhost.com> Thu, Sep 4, 2008 at 5:26 PM
To: Miklos Bacso
------------------------------------------------------------------------
- After reading this response, please consider visiting
- the URL below to comment on its quality. Thanks!
-
- http://www.dreamhost.com/survey.cgi?n=20371250&m=6220216
------------------------------------------------------------------------

Hello Miklos,

We've received reports regarding your URL redirection site being used by
malicious parties to engage in unlawful behavior by providing URL
redirection to fraudulent sites (ie. spam, phishing, etc). Spammers,
phishers, etc. often use URL redirectors such as yours in order to
obfuscate the true origin of their directed sites, hiding their
activities from clear view.

As a temporary measure, I have disabled the site until you have a chance
to review/modify your code to enable preventative measures and prevent
this sort of usage in the future. We recommend the following:

- Immediately remove the following URLs which are being widely used by
spammers and block the IPs which added them:
http://jui.cc/a9
http://jui.cc/hq

- Create some sort of checking system to filter out suspicious URL
redirections before they are created. For example, you could flag URL
creation based on IP addresses originating from countries and IP ranges
where fraudulent activity is common (ie. Vietnam, Nigeria, Romania,
Brazil) and check those links before they become available. You might
also require the use of a CAPTCHA in order to prevent automated
bots/tools from creating links.

- Check destination sites to ensure that they are not likely to be
fraudulent. For current phishing sites we recommend the use of the
Phishtank database (http://www.phishtank.com/), though you might also
want to search for common terms found on spam/phishing sites (ie.
"Viagra", "Bank", etc) and flag those links for review before they are
approved.

- Before finishing a redirect, provide a link so that those who are
redirected can quickly and easily report the site for illegal activity.

- Flag accesses based on 'HTTP REFERER' if no referrer is found. These
are often links contained in emails, which are often fraudulent phishing
redirects.

We ask that you leave the site disabled until you make substantive
changes as described above and we have approved its re-enablement. If you
have any questions in the meantime, please let us know.


Glen,

--
- DreamHost Abuse/Security Team
 - Terms of Service: http://www.dreamhost.com/tos.html
 - Anti-Spam Policy: http://www.dreamhost.com/spam.html
 - Abuse Center: http://abuse.dreamhost.com/
Miklos Bacso <Miklos Bacso> Thu, Sep 4, 2008 at 6:52 PM
To: DreamHost Abuse/Security Team <support@dreamhost.com>
The URLs were disabled earlier this morning... I don't see a need to
disable the site. Please put it back, I'm working on preventative
measures...

Thanks!

Miklos


On Thu, Sep 4, 2008 at 5:26 PM, DreamHost Abuse/Security Team
<support@dreamhost.com> wrote:
> ------------------------------------------------------------------------
> - After reading this response, please consider visiting
> - the URL below to comment on its quality. Thanks!
> -
> - http://www.dreamhost.com/survey.cgi?n=20371250&m=6220216
> ------------------------------------------------------------------------
>
> Hello Miklos,
>
> We've received reports regarding your URL redirection site being used by
> malicious parties to engage in unlawful behavior by providing URL
> redirection to fraudulent sites (ie. spam, phishing, etc). Spammers,
> phishers, etc. often use URL redirectors such as yours in order to
> obfuscate the true origin of their directed sites, hiding their
> activities from clear view.
>
> As a temporary measure, I have disabled the site until you have a chance
> to review/modify your code to enable preventative measures and prevent
> this sort of usage in the future. We recommend the following:
>
> - Immediately remove the following URLs which are being widely used by
> spammers and block the IPs which added them:
> http://jui.cc/a9
> http://jui.cc/hq
>
> - Create some sort of checking system to filter out suspicious URL
> redirections before they are created. For example, you could flag URL
> creation based on IP addresses originating from countries and IP ranges
> where fraudulent activity is common (ie. Vietnam, Nigeria, Romania,
> Brazil) and check those links before they become available. You might
> also require the use of a CAPTCHA in order to prevent automated
> bots/tools from creating links.
>
> - Check destination sites to ensure that they are not likely to be
> fraudulent. For current phishing sites we recommend the use of the
> Phishtank database (http://www.phishtank.com/), though you might also
> want to search for common terms found on spam/phishing sites (ie.
> "Viagra", "Bank", etc) and flag those links for review before they are
> approved.
>
> - Before finishing a redirect, provide a link so that those who are
> redirected can quickly and easily report the site for illegal activity.
>
> - Flag accesses based on 'HTTP REFERER' if no referrer is found. These
> are often links contained in emails, which are often fraudulent phishing
> redirects.
>
> We ask that you leave the site disabled until you make substantive
> changes as described above and we have approved its re-enablement. If you
> have any questions in the meantime, please let us know.
>
>
> Glen,
>
> --
> - DreamHost Abuse/Security Team
>  - Terms of Service: http://www.dreamhost.com/tos.html
>  - Anti-Spam Policy: http://www.dreamhost.com/spam.html
>  - Abuse Center: http://abuse.dreamhost.com/
>
>
DreamHost Abuse/Security Team <support@dreamhost.com> Thu, Sep 4, 2008 at 7:54 PM
To: Miklos Bacso
Hello,

On Thu, 04 Sep 2008, you wrote:

> The URLs were disabled earlier this morning... I don't see a need to
> disable the site. Please put it back, I'm working on preventative
> measures...

As Glen mentioned, we are unable to place the site back online until
after those measures have been put in place and we have had a chance to
review and approve the changes.

Due to how often scammers and phishers use such services for their deeds
- a serious concern - we cannot take the chance of simply putting an
insecure site back online.

Jeff C,

--
- DreamHost Abuse/Security Team
 - Terms of Service: http://www.dreamhost.com/tos.html
 - Anti-Spam Policy: http://www.dreamhost.com/spam.html
 - Abuse Center: http://abuse.dreamhost.com/
Miklos Bacso <Miklos Bacso> Thu, Sep 4, 2008 at 8:32 PM
To: DreamHost Abuse/Security Team <support@dreamhost.com>
That's a joke right? That site gets like 3 visitors to it... hehe..
mainly i use it for my own url shortening purposes... everyone else
uses tinyurl.com... Anyway I went to the sites (note that these are
the only instances of spam eversince jui.cc has been online) that have
been reported as "harmful" (http://azsxdioew.letratio.com and
http://y.letratio.com/r.php) and they are not directly harmful even,
they are mere e-commerce sites that look suspicious enough that
hopefully the general populous could figure out that "gee this looks a
bit odd" ... or are people that stupid nowadays?

Anyway... I see that Glen only moved the directory out of place to
"turn the site off" ... I'll keep it there for now, I'll just link a
different domain name there so I can continue to work on it until I
patch it up..

And please, don't treat me like an idiot. I'm not... I love you guys,
I've not had any major beef with dreamhost eversince I've been here
(almost 4 years now).... I am not a criminal, and I feel that this is
being blown a bit out of proportion and that the team is somehow
against me now.

All I ask for is your support, like you've always supported me and
hell... I do pay for your services, and I plan on doing so for a while
to come.




On Thu, Sep 4, 2008 at 7:54 PM, DreamHost Abuse/Security Team
<support@dreamhost.com> wrote:
> Hello,
>
> On Thu, 04 Sep 2008, you wrote:
>
>> The URLs were disabled earlier this morning... I don't see a need to
>> disable the site. Please put it back, I'm working on preventative
>> measures...
>
> As Glen mentioned, we are unable to place the site back online until
> after those measures have been put in place and we have had a chance to
> review and approve the changes.
>
> Due to how often scammers and phishers use such services for their deeds
> - a serious concern - we cannot take the chance of simply putting an
> insecure site back online.
>
> Jeff C,
>
> --
> - DreamHost Abuse/Security Team
>  - Terms of Service: http://www.dreamhost.com/tos.html
>  - Anti-Spam Policy: http://www.dreamhost.com/spam.html
>  - Abuse Center: http://abuse.dreamhost.com/
>
>
DreamHost Abuse/Security Team <support@dreamhost.com> Thu, Sep 4, 2008 at 8:39 PM
To: Miklos Bacso
Hello,

> That's a joke right? That site gets like 3 visitors to it... hehe..
> mainly i use it for my own url shortening purposes... everyone else
> uses tinyurl.com... Anyway I went to the sites (note that these are
> the only instances of spam eversince jui.cc has been online) that have
> been reported as "harmful" (http://azsxdioew.letratio.com and

We consider even 'typical' spam alone to be a major issue, and want
absolutely nothing to do with it.

Even if we didn't, we have often seen such services hijacked and it would
only be a matter of time before a phisher exploited it as well. By the
time we'd get to it, there may very well be a few dozen identity theft
victims. It's better to secure it now than to wait for that to happen.

If you are okay using it only for yourself, perhaps you might consider
simply adding a password protection to the URL addition interface so only
you can create shortened URLs. We would consider that sufficient.

> hopefully the general populous could figure out that "gee this looks a
> bit odd" ... or are people that stupid nowadays?

Unfortunately, I'm afraid that a lot of people are.

> And please, don't treat me like an idiot. I'm not... I love you guys,
> I've not had any major beef with dreamhost eversince I've been here
> (almost 4 years now).... I am not a criminal, and I feel that this is
> being blown a bit out of proportion and that the team is somehow
> against me now.

It's not a matter of criminality, but that still doesn't mean that we can
leave an insecure service online for any length of time. We are certainly
open to providing suggestions and advice (it seems Glen offered a few
ideas himself), but if ultimately your concern is that we had to shut the
site down there isn't much else we could have done in good conscience.

Anyhow, if you have any questions or other requests, please let us know.

Jeff C,

--
- DreamHost Abuse/Security Team
 - Terms of Service: http://www.dreamhost.com/tos.html
 - Anti-Spam Policy: http://www.dreamhost.com/spam.html
 - Abuse Center: http://abuse.dreamhost.com/
Miklos Bacso <Miklos Bacso> Thu, Sep 4, 2008 at 8:57 PM
To: DreamHost Abuse/Security Team <support@dreamhost.com>
Ok, thanks for the response.

I've moved the site back, but disabled URL creation: http://jui.cc/

Please approve.

The questionable URLs are also no longer accessible.

Thanks,
Miklos


On Thu, Sep 4, 2008 at 8:39 PM, DreamHost Abuse/Security Team
<support@dreamhost.com> wrote:
> Hello,
>
>> That's a joke right? That site gets like 3 visitors to it... hehe..
>> mainly i use it for my own url shortening purposes... everyone else
>> uses tinyurl.com... Anyway I went to the sites (note that these are
>> the only instances of spam eversince jui.cc has been online) that have
>> been reported as "harmful" (http://azsxdioew.letratio.com and
>
> We consider even 'typical' spam alone to be a major issue, and want
> absolutely nothing to do with it.
>
> Even if we didn't, we have often seen such services hijacked and it would
> only be a matter of time before a phisher exploited it as well. By the
> time we'd get to it, there may very well be a few dozen identity theft
> victims. It's better to secure it now than to wait for that to happen.
>
> If you are okay using it only for yourself, perhaps you might consider
> simply adding a password protection to the URL addition interface so only
> you can create shortened URLs. We would consider that sufficient.
>
>> hopefully the general populous could figure out that "gee this looks a
>> bit odd" ... or are people that stupid nowadays?
>
> Unfortunately, I'm afraid that a lot of people are.
>
>> And please, don't treat me like an idiot. I'm not... I love you guys,
>> I've not had any major beef with dreamhost eversince I've been here
>> (almost 4 years now).... I am not a criminal, and I feel that this is
>> being blown a bit out of proportion and that the team is somehow
>> against me now.
>
> It's not a matter of criminality, but that still doesn't mean that we can
> leave an insecure service online for any length of time. We are certainly
> open to providing suggestions and advice (it seems Glen offered a few
> ideas himself), but if ultimately your concern is that we had to shut the
> site down there isn't much else we could have done in good conscience.
>
> Anyhow, if you have any questions or other requests, please let us know.
>
> Jeff C,
>
> --
> - DreamHost Abuse/Security Team
>  - Terms of Service: http://www.dreamhost.com/tos.html
>  - Anti-Spam Policy: http://www.dreamhost.com/spam.html
>  - Abuse Center: http://abuse.dreamhost.com/
>
>
DreamHost Abuse/Security Team <support@dreamhost.com> Thu, Sep 4, 2008 at 9:08 PM
To: Miklos Bacso
Hello,

On Thu, 04 Sep 2008, you wrote:

> Ok, thanks for the response.
>
> I've moved the site back, but disabled URL creation: http://jui.cc/
>
> Please approve.
>
> The questionable URLs are also no longer accessible.

As long as no more problematic URLs are created (and, by extension, we
receive no more complaints), this should be perfectly fine. Thank you for
the quick action.

Jeff C,

--
- DreamHost Abuse/Security Team
 - Terms of Service: http://www.dreamhost.com/tos.html
 - Anti-Spam Policy: http://www.dreamhost.com/spam.html
 - Abuse Center: http://abuse.dreamhost.com/
Miklos Bacso <Miklos Bacso> Fri, Sep 5, 2008 at 12:09 AM
To: DreamHost Abuse/Security Team <support@dreamhost.com>
No more URLs are created whatsoever for the time being. I'll implement
some sort of system that, if not prevents it entirely, attempts to
combat spammers or at least makes it easier for people to flag /
disable problematic URLs.

Thanks guys.



On Thu, Sep 4, 2008 at 9:08 PM, DreamHost Abuse/Security Team
<support@dreamhost.com> wrote:
> Hello,
>
> On Thu, 04 Sep 2008, you wrote:
>
>> Ok, thanks for the response.
>>
>> I've moved the site back, but disabled URL creation: http://jui.cc/
>>
>> Please approve.
>>
>> The questionable URLs are also no longer accessible.
>
> As long as no more problematic URLs are created (and, by extension, we
> receive no more complaints), this should be perfectly fine. Thank you for
> the quick action.
>
> Jeff C,
>
> --
> - DreamHost Abuse/Security Team
>  - Terms of Service: http://www.dreamhost.com/tos.html
>  - Anti-Spam Policy: http://www.dreamhost.com/spam.html
>  - Abuse Center: http://abuse.dreamhost.com/
>
>
DreamHost Abuse/Security Team <support@dreamhost.com> Fri, Sep 5, 2008 at 12:18 AM
To: Miklos Bacso
------------------------------------------------------------------------
- After reading this response, please consider visiting
- the URL below to comment on its quality. Thanks!
-
- http://www.dreamhost.com/survey.cgi?n=20373590&m=2859019
------------------------------------------------------------------------

Hello,

On Thu, 04 Sep 2008, you wrote:

> No more URLs are created whatsoever for the time being. I'll implement
> some sort of system that, if not prevents it entirely, attempts to
> combat spammers or at least makes it easier for people to flag /
> disable problematic URLs.
>

Thats all we ask for. Thanks for your quick pro-active effort to disallow
spammers from making use of your domain for their nefarious purposes.

Glen,

--
- DreamHost Abuse/Security Team
 - Terms of Service: http://www.dreamhost.com/tos.html
 - Anti-Spam Policy: http://www.dreamhost.com/spam.html
 - Abuse Center: http://abuse.dreamhost.com/