The Nerve of some people

easyhostmedia

I have run a hosting business for the last 11 yrs.

I had a client sign up 18 months ago, and their latest invoice remained unpaid for 2 months when they suddenly renewed; then 2 days later I got this email:

From: SecurityOperations@
Sent: Monday, November 07, 2011 9:02 PM
To: support@ ; abusenoc@
Cc: DC-OPS
Subject: [!! SPAM] Phish redirection site on your network (74.117.237.175) (MM #127586)

To Whom It May Concern:

It has come to our attention that you are hosting a redirection site
that points to a fraudulent "phish" website, which is attempting to
steal account information from customers of Western Union.

The redirection URL that points to the fraudulent site is as follows:

http://squom.com/simg/index.html

The IP address hosting the redirection site is 74.117.237.175.

The landing URL that is being redirected to is:

http://squom.com/.ssl/www.westernunion.com/online/indexa.php

Please investigate and shut down this site immediately.

If possible, please send us a copy of any fraudulent files or relevant
excerpts of log files regarding this case.

Should you have any questions, please call us at +1-301-515-0820.

Thank you,

Konata Jackson
MM Ops Center

Note: As part of this action, we request that you redirect traffic to
an educational website provided by the Anti-Phishing Working Group
(APWG) at http://education.apwg.org/r/en/index.html. Information
about implementing a redirect to this page can be found at
http://education.apwg.org/r/how_to.html.

Which, after checking by myself and the DC, is proven 100% correct, so I immediately terminated the account and marked the client as fraud, as it's a clear breach of our TOS, which it would be with most hosts I know.

Today I get this message through a support ticket when he used a different email and IP (which I have blocked):

10/11/2011 07:53
I would like to know why my account has been terminated two days after I have paid to renew?
This is not on as I have not broke any terms or conditions.
I can't get through to anyone on the phone number supplied so I am getting very frustrated.
Sort it out asap please or send me my EPP code and a refund.
Thanks

Needless to say, when I terminated his account, as he also got his domain through my domain account, I locked the domain.

So he now wants the domain and a refund, which I will not provide due to him breaching our TOS. I suppose he wants these so he can take it to another host to do the same thing.
 
1. I would not have posted the URL publicly.

2. IMHO a refund is not something that the customer is entitled to in this situation. I would however give him the necessary access to move his domain to a different registrar, if he so wishes. Confiscating his domain is not going to be productive anyway; he can always register a new one and use it for the same purpose, if he really wants to.

That being said, reporting him to the authorities might not be a completely bad idea either.
 
1. I would not have posted the URL publicly.

2. IMHO a refund is not something that the customer is entitled to in this situation. I would however give him the necessary access to move his domain to a different registrar, if he so wishes. Confiscating his domain is not going to be productive anyway; he can always register a new one and use it for the same purpose, if he really wants to.

That being said, reporting him to the authorities might not be a completely bad idea either.

I have to completely agree with what ldcdc has said. I would deny the refund as well (as long as it's stated clearly in your TOS), but I would NOT hold the domain name hostage. That's beyond your rights, no matter what he has done on your servers. Send him packing for sure, but make sure you allow him to leave with HIS domain name. :thumbup:
 
1. I would not have posted the URL publicly.

the URLs are dead as the site is gone

2. IMHO a refund is not something that the customer is entitled to in this situation. I would however give him the necessary access to move his domain to a different registrar, if he so wishes. Confiscating his domain is not going to be productive anyway; he can always register a new one and use it for the same purpose, if he really wants to.


Well, he won't get a refund and my CC processor has told me they would refuse a chargeback if he tried. I was told by the DC to lock the domain as it's been used fraudulently. Not sure if this has anything to do with ICANN.

That being said, reporting him to the authorities might not be a completely bad idea either.

This is something I was thinking of.
 
I certainly would not refund any money to him, but I would let him take his domain elsewhere. I'd also alert the authorities.
 
Some ppl just play dumb. BTW OP can you please explain what do you mean by this and how you do it.

Well, he won't get a refund and my CC processor has told me they would refuse a chargeback if he tried
 
Some ppl just play dumb. BTW OP can you please explain what do you mean by this and how you do it.

Well, he won't get a refund and my CC processor has told me they would refuse a chargeback if he tried


Easily: I passed all my evidence, along with that of my DC and of MarkMonitor, to my CC processor, saying that he may try a chargeback as he only renewed a few days ago.
With this, along with my TOS and the fact he was using the site fraudulently, they told me that they would refuse any chargeback for this.

I have also reported his details to his local police force
 
Could it have been an honest mistake? Meaning, could his site have been exploited and the client had no idea? This DOES happen, especially when people run outdated software.

With regards to a refund, this is determined in your TOS, but most hosts do not refund in cases like that.

The domain name however, if they purchased the domain name through you, and your TOS does not state that they're leasing it through you, then you SHOULD be passing that domain to the client to let them move it elsewhere or redirect elsewhere. To lock them out of the domain for something that is theirs isn't normally done.

Hopefully your client had the domain in THEIR name and not in yours. This is how it should be.
 
site was initially suspended and client informed along with a copy of the email we received to the reason why.

I checked the logs, the DC checked the logs, and we could find no exploits or any signs of a hack. The client site files only had the 2 folders that were mentioned in the email within his account, so I was instructed by the DC to terminate his account immediately or they would close down my server.

when the termination notice was sent to the client this also included a copy of the email again.
So then the client eventually contacts me using a different .live email address and a proxy IP with this:

I would like to know why my account has been terminated two days after I have paid to renew?
This is not on as I have not broke any terms or conditions.

Then you have to laugh, as he has the email we received twice explaining the problem, and then to say he broke no terms.

I replied to him once again with a copy of the email and the reason why the site was terminated and so far he has not replied back, which I dare say if he genuinely had nothing to do with this he would have replied straight away as he would want his site back up and running.

All the evidence points to him using our server for phishing.

ResellerClub have asked me to keep his domain locked until they check on this with ICANN, as in certain circumstances domains can be pulled, but this is decided by ICANN.
 
I would not refund but I would not have posted all of the info you did really, you should have just asked without all of the info laid out on a public forum, remember the Data Protection Act + your company's reputation.
 
I would not refund but I would not have posted all of the info you did really, you should have just asked without all of the info laid out on a public forum, remember the Data Protection Act + your company's reputation.

No details about any client/person or anything to identify a person, so it does not breach the Data Protection Act. The links displayed were links to a phishing site which has been taken down.
 
Do they really provide real details? I never thought so.

Well, the address and postcode checked out, as this is one check I carry out.


Also just got this from ResellerClub's compliance team:

Hello,

Instead of locking the domain name, you may disable the privacy protection service and suspend the domain name to prevent spreading phishing over the internet.

Regards,
PDR Compliance Team

So it looks like I can suspend the domain, which will prevent him from moving the domain or amending any details on the domain.

Also messaged the client to say if this had nothing to do with him then forward a fresh copy of the site so this can be checked out and we may reinstate him, but after 2 days no reply, which to me is enough proof that he knew exactly what he was doing and just played dumb.
 
No details about any client/person or anything to identify a person, so it does not breach the Data Protection Act. The links displayed were links to a phishing site which has been taken down.

It was no pun intended, but a host should not go publicly labelling clients' domains whether they are breaking the law or not.

Nor airing dirty washing in public.

Google detects this... was friendly advice.
I would not enjoy a company posting my Domains and issues with them on a forum, sure most won't.

What if the client actually has been hacked??? :smash:
 
What if the client actually has been hacked??? :smash:


This is not the case, as my previous comments state: the only 2 files/folders that were on this client's account were the ones linked to the phishing page.

The DC checked and no exploits were made and no hacking attempts made on this account.

This client's only reply was made from another .live email address using a proxy IP.
He was even given the chance to forward a fresh copy of his site so this could be checked over to see if it was clean and then we would decide whether to reinstate him or not, and so far 2 days have passed and no reply to this.
I think he was involved and was playing dumb. I have done nothing wrong in adding these links, which are dead; like on many forums, the URLs of phishing sites etc. are always published to warn others.
 
Reported him to his local police internet crime unit, who, when I mentioned his name, knew who I was talking about. A member of the ICU of my local force called me and arranged for me to provide them with all my evidence along with a copy of the site.

I have since received this message from him:

"Sorry for the trouble I caused. If you reinstate me I promise not to do this again. The police have been and gave me wrong and took away my computer, so I write this from a friend's computer." He even signed this Sir **** MBE.

As if I would reinstate him after he admitted what he did. I passed this full message along with the IP it was sent from to the police.
 
Well, I guess that Scooby Doo mystery was solved. I was thinking myself this may have been a hack, but since he/she admitted to it :(
You may have saved a kid from a life of crime :)

How in the heck did you get the police to do anything? I personally have reported dozens of 100% positive fraud to authorities; they never do a thing :(
 