Hello,

We own and operate www.templatestyles.com and we encountered a severe
problem with a person/group that send spam on the net in our name.

The spammer use different servers that allow SMTP relay. First attacks
were made in July - August 2002. At that time the spammer used our
emails (@templatestyles.com) as return addresses. Since couple of days
the spammer use random emails as return addresses including the above
ones.

We believe that the spammer is one of our competitors that try to
discredit our company. We have discussed with SpamCop.net and other
organizations that dealing with spam issues. All of them told us: "you
have to wait until the storm is over".

We had to move from a hosting provider to another (4 times now), our
email accounts are blocked (spam lists) and we received 1000's
complains. Please find below the emails/spam (just an example):

July - August 2002

Return-Path: <info@templatestyles.com>
Received: from [217.206.43.154] (HELO QRJATYDI)
  by jfkadatc.net (CommuniGate Pro SMTP 4.0b5)
  with SMTP id 123261 for blacklist-admin@jfkadatc.net@blacklisted;
Thu, 18
Jul 2002 04:59:06 -0400
From: info@templatestyles.com
To: <blacklist-admin@jfkadatc.net>
Subject: Nice web page templates here. Check it out!
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Date: Thu, 18 Jul 2002 11:23:39 +-0800
Mime-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Message-ID: <auto-000000123261@jfkadatc.net>

Hello,

I was recently browsing the internet and came accross some guys that
are
making really good job.
Here they are - www.templatestyles.com .
Check it out. Nice designs!

yorth sincerely,
Mark Boen Lowen

-------------------------------

November 2002


Received: from 189.44.26.24.cfl.rr.com [24.26.44.189] by server158
  (SMTPD32-7.00) id AC6D17D200CA; Sun, 03 Nov 2002 11:43:41 -0800
Return-Path: <info@templatestyles.com>
Received: from mailexcite.com (prodigy.com [193.112.163.240])
          by msn.com (8.11.6/8.11.6) with ESMTP id 32061
  for <webmaster@pivideo.com>; Sun, 3 Nov 2002 17:45:23 +0000
From: "chsk" <ci@earthlink.net>
To: "" <webmaster@pivideo.com>
Subject: I have visited your site...
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: The Bat! (v1.39) Educational
Date: Sun, 3 Nov 2002 17:45:23 +0000
Message-ID: <1989716263zhepdvwhuCslylghr1frp@juno.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-RCPT-TO: <webmaster@pivideo.com>
Status: U
X-UIDL: 329102394

I have visited your site and I think that design looks not good now.

Here we are - www.templatestyles.com . Check it out! We have hired 2
new designers
from Indonesia. They rocks!

Swap your current design on ours.

Aby Sultan,
www.templatestyles.com
Marketing staff
info@templatestyles.com


This is just the short version of the story. There MUST be a way to
find the real spammer and to stop the attacks. Any Gurus around here?
We need a solution.

We are waiting for your reply.

Kind regards,

TemplateStyles.com Team

Hello Templatestyles,

Thanks for your question.  

I am sorry to hear about your difficulties.  Spammers are very
difficult to stop, as you well know.  It seems that your only real
option may be legal action.  From examining the second message,
assuming the header information is complete, the message appears to
have originated from this address:  193.112.163.240, which is owned by
PSINET.  The other information for that header entry, "mailexcite.com
(prodigy.com", appears to be faked.  Your first stop in determining
the identity of the spammer may be to write a letter to
abuse@uk.psi.com.  I would send the complete text of your second
example, plus any other examples that contain addresses owned by
PSINET.  You can determine if an address is owned by PSINET by looking
for addresses in your other records of the spam e-mails that start
with 193.112 and inputting those addresses into the RIPE database at:

(http://www.ripe.net/ripencc/pub-services/db/whois/whois.html)

Please note that the RIPE database services countries in Europe,
Central Asia, the Middle East and Africa.  If you would like to query
for American addresses, you should use the ARIN database at:

(whois.arin.net)

It will take some detective work to track the person or persons down. 
I would gather as many of these spam e-mails as possible and look for
commonalities.  To determine which information is real or faked is not
easy, but it is possible.  For instance, in your second example:

Received: from 189.44.26.24.cfl.rr.com [24.26.44.189] by server158 
  (SMTPD32-7.00) id AC6D17D200CA; Sun, 03 Nov 2002 11:43:41 -0800 
Return-Path: <info@templatestyles.com> 
Received: from mailexcite.com (prodigy.com [193.112.163.240]) 
          by msn.com (8.11.6/8.11.6) with ESMTP id 32061 
  for <webmaster@pivideo.com>; Sun, 3 Nov 2002 17:45:23 +0000 

Pretty much everything below these entries can be discarded as false. 
I am assuming server158 is your mail server, and that rr.com is your
provider.  The addresses mailexcite.com and prodigy.com do not match
the address in the brackets and can be assumed to be false.  I have
found in my experience that the IP address within the brackets is
usually correct.  Using the WHOIS databases, you should be able to
determine who owns the address, and almost all ISPS have an abuse
department that you can write to.  It may be a slow going process but
considering the impact it is having on your business, I am sure you
will find most ISPS very cooperative and helpful.  I have found
several excellent sources of references for tracking spam, and taking
action against spammers for your perusal.

The Spam Tracking Page
http://www.rahul.net/falk/

Spam Source Tracking
http://email.about.com/cs/spamtracking/index.htm

SpamCon Foundation
http://www.spamcon.org
http://law.spamcon.org/
http://www.spamcon.org/directories/faqs.shtml

Tracking Spam
http://www.claws-and-paws.com/spam-l/tracking.html

IP Tracking Tutorial
http://www.randam-art.com/tutorial/iptracking.htm

Search Terms Used:  spam tracking, spam law
Search Engine Used: www.google.com

In regards to being blacklisted, you only really have two options. 
There isn't a centralized database for spammers; there are many
different lists and “vigilantes” run most of them.  You could change
your Internet address, which besides being inconvenient, probably
would not help since the person who is trying to sabotage your
business would just use the new address instead.  You could also write
to each of the larger blacklists and explain the situation.  I don't
know how easy or difficult that may be, but I think your situation is
not a rare one so it should be easy to convince them to remove you. 
Here are some databases that I have found:

dmoz
http://dmoz.org/Computers/Internet/Abuse/Spam/Blacklists/

Google Web Directory
http://directory.google.com/Top/Computers/Internet/Abuse/Spam/Blacklists/

TotalWebShop.com
http://www.totalwebshop.com/links/Abuse/Spam/Blacklists/

I am sorry I do not have any sort of magic-bullet type of solution for
you.  There really is not much you can do about spam besides trying to
trace the source and file legal action against them.  I hope that this
helps.

Best Regards,

watershed-ga

First and foremost, place a large, prominent notice on your homepage
stating that you didn't send the spam, that you aren't affiliated with
the spammer in any way, and that you apologise for the inconvenience.
I would then ask that people forward you the spam that they received.
Have them turn on all headers first, and provide instructions. When
you have emails with the full headers, then you can begin trying to
track the spammers.

Hello sparky4ca,

Thank you for your reply.

We have added a disclaimer page since the first attacks occurs. You
are not able to load our website now, because it's down. We moved to
another hosting provider and our site will be back online in max. 12
hours.

We need a solution.

Kind regards,

TemplateStyles.com Team

Wow, I've gotten about a dozen of these spams. Glad to hear that you
guys don't think my site is "not so good" after all!  :-)

Unfortuately, I've deleted all the recent ones I've received, but if
it would help, I will post header information of any future spams I
receive.