
spamcop and spammer got me banned



Oh man, my hosting company suspended the website because my site is reported as spam.


I need to find out what is wrong with the site before they enable the site back... Can anyone please give me some advice on which files/folders are infected?


I have been looking for the last 1 hour and can't find any line or PHP that is hacked X_X, or maybe I am just frustrated and tired.


my eyes :( please help me !!!!


The hosting company kindly provided the warning message to me:


Date: Friday, April 27, 2012 3:20 AM -0400
From: [email protected]
To: Abuse Complaints <abuse@gnax.net>
Subject: [spamCop (http://www.nottyhorse.co.nz./product_info.php?products_id=111) id:5756350126]Your friend *** MAKEMONEY Everyday. A 24CARAT Life..

MIME-Version: 1.0
Received: from sembx02.gnax.net ( by MBX02.gnax.lan
( with Microsoft SMTP Server (TLS) id 8.1.436.0; Fri, 27 Apr
2012 07:58:20 -0400
Received: from sc-smtp7-inbound.soma.ironport.com ([]) by
sembx02.gnax.net with esmtp (Exim 4.76) (envelope-from
<5756350126.d8b0d39a@bounceswirl.spamcop.net>) id 1SNjoV-0002YZ-7a for
abuse@gnax.net; Fri, 27 Apr 2012 07:58:20 -0400
Received: from prod-sc-www1.soma.ironport.com (HELO prod-sc-www1.spamcop.net)
([]) by sc-smtp-vip.soma.ironport.com with SMTP; 27 Apr 2012
04:58:09 -0700
Received: from [] by spamcop.net with HTTP; Fri, 27 Apr 2012
11:58:09 GMT
From: "[email protected]" <[email protected]>
To: Abuse Complaints <abuse@gnax.net>
Date: Fri, 27 Apr 2012 02:20:32 -0400
Subject: [spamCop
id:5756350126]Your friend *** MAKEMONEY Everyday. A 24CARAT Life..
Thread-Topic: [spamCop
id:5756350126]Your friend *** MAKEMONEY Everyday. A 24CARAT Life..
Thread-Index: Ac0kbP1odHrzuNe2Sv6Njh6VjfR5+
Message-ID: <[email protected]>
Accept-Language: en-US
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: MBX02.gnax.lan
X-Auto-Response-Suppress: All
x-spamexperts-class: whitelisted
x-spamexperts-evidence: recipient
x-recommended-action: accept
x-whitelisted: recipient
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

[ SpamCop V4.6.2.001 ]
This message is brief for your comfort. Please use links below for details.

Email from / Thu, 26 Apr 2012 23:20:32 -0700

Spamvertised web site: http://www.nottyhorse.co.nz./
http://www.nottyhorse.co.nz./ is; Fri, 27 Apr 2012 11:57:42

Spamvertised web site:
http://www.nottyhorse.co.nz./product_info.php?products_id=111 is; Fri, 27 Apr 2012 11:57:42 GMT

[ Offending message ]
X-Apparently-To: x via; Thu, 26 Apr 2012 23:20:32 -0700
Return-Path: <nobody@shuttle.dnsprotect.com>
Received-SPF: none (domain of shuttle.dnsprotect.com does not designate
permitted sender hosts)
X-YMailISG:
X-Originating-IP: []
Authentication-Results: mta1033.sbc.mail.sp1.yahoo.com from=excite.com;
domainkeys=neutral (no sig); from=excite.com; dkim=neutral (no sig)
Received: from (EHLO flpd116.prodigy.net) (
by mta1033.sbc.mail.sp1.yahoo.com with SMTP; Thu, 26 Apr 2012 23:20:32
-0700
X-Originating-IP: []
Received: from shuttle.dnsprotect.com (shuttle.dnsprotect.com
[] (may be forged)) by flpd116.prodigy.net (8.14.4
IN/8.14.4) with ESMTP id q3R6KVmO016531 for <x>; Thu, 26 Apr 2012 23:20:32
Received: from nobody by shuttle.dnsprotect.com with local (Exim 4.77)
(envelope-from <nobody@shuttle.dnsprotect.com>)
id 1SNeXd-0002uT-GP
for x; Fri, 27 Apr 2012 02:20:29 -0400
To: "x" <x>
Subject: Your friend *** MAKEMONEY Everyday. A 24CARAT Life Changing INFO.
*** has recommended this great product from NottyHorse
X-PHP-Script: www.nottyhorse.co.nz/tell_a_friend.php for
From: "*** MAKEMONEY Everyday. A 24CARAT Life Changing INFO. ***"
<PricelessInformation@excite.com>
MIME-Version: 1.0
X-Mailer: osCommerce Mailer
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <E1SN_________T-GP@shuttle.dnsprotect.com>
Date: Fri, 27 Apr 2012 02:20:29 -0400
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - shuttle.dnsprotect.com
X-AntiAbuse: Original Domain - snet.net
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - shuttle.dnsprotect.com
Content-Length: 506

Hi x!

Your friend, *** MAKEMONEY Everyday. A 24CARAT Life Changing INFO. ***,
thought that you would be interested in Castanet (605) from NottyHorse.








It Doesnt Matter Where In The World You Are,

If You Have An Internet Connection


To view the product click on the link below or copy and paste the link into

your web browser:








You may want to check the root directory for any unknown folders, etc. You can check the index.php file and I believe either at the very bottom or very top there might be code embedded there as well.

Do or Do Not, there is no try.


Read this

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.


"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -


"Headers already sent" - The definitive help


"Cannot redeclare ..." - How to find/fix it


SSL Implementation Help



From the subject line on the spam, I'm guessing that's not something that you sent. Nevertheless, are you sending out newsletters to customers? Maybe one of them decided that they wanted to unsubscribe and clicked "Report as spam". Some people are just stupid. Make sure that everyone who receives a newsletter or other mass mailing from you explicitly "opted in", you remind them that they opted in, and tell them how to easily unsubscribe. You may need to unsubscribe everyone and ask those who are interested to opt in to receive newsletters. Some truly important system news (e.g., a security problem discovered) should go out to everyone, regardless of whether they opted in.


As mentioned before, it's possible that your site has been compromised, including Tell-A-Friend. The text of the spam suggests that it came from TAF, but that's not proven. Is nottyhorse.co.nz your site? What version of osC are you running? Anything earlier than 2.3.1 that hasn't had a number of security patches applied is vulnerable to hacks.


Finally, it's possible that the emails weren't even sent from your site. Some spammer may be simply spoofing your address. Can your host establish from any email traffic records whether your site is the one that actually blasted out these emails? If it's not from your site, could they look at the email headers and establish the probable source (first IP address) of the spam? At least, if you can prove your innocence they should unban you.


Thanks ctec2011 and germ for the advice.


Hey MrPhill, we don't send out the newsletters, and in the future I will disable that function too.


Yes, it's my site. I checked the Tell-A-Friend.php and tried to find text containing the spam keyword, and I could not find anything (I also did a massive search using Notepad++ on all the .php files)... where is it hiding? Yeah, it runs earlier than 2.3.1, and after I have fixed the problem I am going to update all the security.


Somehow the mails were sent as nobody@shuttle.dnsprotect.com; it's the host DNS server (imhosted.com). I have asked the support team from the hosting company and they say it's my side, not their server.


I am going to rename the tell_a_friend.php, and once they enable my site I am going to the admin panel to disable that friend function (set it to false) D: but I really want to know how they actually send the message and how to prevent it :S



This topic is now archived and is closed to further replies.
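
Added example (not part of the thread and not osCommerce code): a Python triage of the header check the replies ask the host to make, run over a constructed copy of the quoted offending-message headers to decide whether the mail was generated on the server by a script or only claims the site as its origin. The IP addresses and recipient were redacted on the page and are placeholders here; the function name `triage` and the verdict strings are assumptions of this example.

```python
import email

# Constructed sample modelled on the "[ Offending message ]" headers quoted in
# this thread. Addresses redacted on the page are replaced by placeholders
# (192.0.2.10, 198.51.100.7, x@example.invalid).
SAMPLE = (
    "Return-Path: <nobody@shuttle.dnsprotect.com>\n"
    "Received: from shuttle.dnsprotect.com (shuttle.dnsprotect.com [192.0.2.10])\n"
    "\tby flpd116.prodigy.net with ESMTP; Thu, 26 Apr 2012 23:20:32 -0700\n"
    "Received: from nobody by shuttle.dnsprotect.com with local (Exim 4.77)\n"
    "\tid 1SNeXd-0002uT-GP; Fri, 27 Apr 2012 02:20:29 -0400\n"
    "To: x@example.invalid\n"
    "X-PHP-Script: www.nottyhorse.co.nz/tell_a_friend.php for 198.51.100.7\n"
    "From: \"MAKEMONEY\" <PricelessInformation@excite.com>\n"
    "X-Mailer: osCommerce Mailer\n"
    "X-AntiAbuse: Primary Hostname - shuttle.dnsprotect.com\n"
    "X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]\n"
    "\nbody\n"
)

def triage(raw):
    """Summarise where a reported message was generated, from its headers."""
    msg = email.message_from_string(raw)
    # Format seen in the report: "<host>/<script> for <client address>".
    xps = " ".join(msg.get("X-PHP-Script", "").split())
    script, _, client = xps.partition(" for ")
    # Each relay prepends its Received line, so the last one is the earliest hop.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    first_hop = hops[-1] if hops else ""
    anti = {}
    for value in msg.get_all("X-AntiAbuse", []):
        key, sep, val = value.partition(" - ")
        if sep:
            anti[key.strip()] = val.strip()
    # "with local" is Exim's marker for a message handed over on the server
    # itself (for example by PHP mail()), not received from a remote client.
    local = " with local " in first_hop
    if script and local:
        verdict = "generated-on-server-by-script"
    elif script or local:
        verdict = "partial-evidence"
    else:
        verdict = "no-evidence-of-site-origin"
    return {"verdict": verdict, "script": script, "client": client,
            "mailer": msg.get("X-Mailer", ""), "first_hop": first_hop,
            "uid_gid": anti.get("Originator/Caller UID/GID", "")}
```

For headers shaped like the ones in this report, the result names tell_a_friend.php as the sending script and a local hand-off as the first hop, which is consistent with the form itself being used to send the mail; the `client` field is the address to look up in the web server access log.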
