EricDrinkard

Fraudulent Emails Sent -=your Hosting Is Suspended=- "this Is Spam" And Not From Admins At Trap. Be aware that fake suspension emails are sent.


Someone or something is sending out emails to the cPanel users of Xisto.com stating that their account is suspended. The email looks legit; however, your hosting credits and site are all OK. If you are having this problem, please reply and state the situation. (Please do not reply if your hosting credits are not positive.)

Thanks,
Eric Drinkard


A quote from the email I received some hours ago:

Hello Amezis,
We are sorry to inform you that, your web hosting account at has been suspended due to your prolonged inactivity or Lack of Hosting credits. We had dispatched a warning email to all the members so that they could check their hosting credits.
[...]
If you want to un-suspend your hosting account, you will have to make posts at our forums and collect the required number of hosting credits. Once you have sufficient amount of credits, your account will be un-suspended automatically.
[...]


Then, I first checked my site. It was working well... Then I checked my hosting credits: 15.12 days...

So... What's happening?

If I'm breaking the TOS or something like that, please say it to me... But I don't think I'm doing that :)


It's a spam email that seems to come from a competitor. I have asked every member that receives one of these emails to extract the header files so I can report them. If you still have the email and know how to extract it, please do so and PM or email the data to me.

Nils

It's a spam email that seems to come from a competitor.

The competitor plays a role of hacker over & over again. I hope you should keep the server much safer! coz their highest achievement is to hack into your server & delete all they saw....

:) Man that is soo cruel. Who would do such... the internet world is so dangerous and e e e e VIL. Did it say it was from Xisto.com ??


Well, I received a certain e-mail from "Management <administrator>", and I forwarded it to Trap 17 abuse email.

 

Here are full headers from that e-mail...

X-Apparently-To: =my_email=@yahoo.com via 216.155.196.65; Thu, 17 Mar 2005 00:05:54 -0800
Authentication-Results: mta140.mail.dcn.yahoo.com  from=; domainkeys=neutral (no sig)
X-Originating-IP: [69.50.187.114]
Return-Path: <Xisto@dasher.psychz.net>
Received: from 69.50.187.114  (EHLO dasher.psychz.net) (69.50.187.114)  by mta140.mail.dcn.yahoo.com with SMTP; Thu, 17 Mar 2005 00:05:38 -0800
Received: from Xisto by dasher.psychz.net with local (Exim 4.44)
        id 1DBpvF-0001LX-DW; Thu, 17 Mar 2005 00:00:01 -0800
To: =my_email=@yahoo.com
Subject:  : HOSTING ACCOUNT SUSPENDED.
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
To:=my_email=@yahoo.com
From:  Management <administrator@>
Date: Thu, 17 Mar 2005 00:00:01 -0800
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - dasher.psychz.net
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [32257 32258] / [47 12]
X-AntiAbuse: Sender Address Domain - dasher.psychz.net
X-Source:
X-Source-Args:
X-Source-Dir:
Content-Length: 849

Now, I don't think that Trap 17 admins have administrator@ email... Nor that they would send account suspension notices from administrator's e-mail... I could be wrong though...

 

However, Xisto@dasher.psychz.net is definitely a suspicious e-mail address, for someone like Trap 17 to use :) I mean, they provide web hosting, paid AND free, would they use some weird mail server, or just use something@Xisto.com? Hope they catch this lamer B)

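The checks made by eye in the post above (who handed the message to the recipient's provider, which account submitted it, and whether the sender addresses fit the claimed organisation) can be scripted. The Python below is an added example, not code from any poster in this thread; it runs over a subset of the headers quoted above, and the function names and the `expected_domain` argument are assumptions made for illustration.

```python
import re
from email import message_from_string

# Subset of the headers quoted in the post above, copied as posted.
RAW = """\
Return-Path: <Xisto@dasher.psychz.net>
Received: from 69.50.187.114  (EHLO dasher.psychz.net) (69.50.187.114)
  by mta140.mail.dcn.yahoo.com with SMTP; Thu, 17 Mar 2005 00:05:38 -0800
Received: from Xisto by dasher.psychz.net with local (Exim 4.44)
  id 1DBpvF-0001LX-DW; Thu, 17 Mar 2005 00:00:01 -0800
Subject:  : HOSTING ACCOUNT SUSPENDED.
From:  Management <administrator@>
X-AntiAbuse: Primary Hostname - dasher.psychz.net
X-AntiAbuse: Originator/Caller UID/GID - [32257 32258] / [47 12]
X-AntiAbuse: Sender Address Domain - dasher.psychz.net
"""

def domain_of(value):
    """Domain after '@' in an address header, or '' when there is none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else ""

def triage(raw, expected_domain):
    """Return (facts, flags); expected_domain is the domain the real sender uses."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    facts, flags = {}, []
    # The top Received line is written by the recipient's own provider, so the
    # peer IP in it is recorded by the receiver rather than supplied by the sender.
    ip = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", hops[0]) if hops else None
    facts["handoff_ip"] = ip.group(1) if ip else None
    # Exim logs "from <user> by <host> with local" for mail submitted on the host itself.
    for hop in hops:
        m = re.match(r"from (\S+) by (\S+) with local \(Exim", hop)
        if m:
            facts["local_account"], facts["origin_host"] = m.groups()
            flags.append("submitted by a local account on the sending host")
    # X-AntiAbuse lines in this message are "Label - value" pairs.
    for line in msg.get_all("X-AntiAbuse", []):
        label, sep, value = line.partition(" - ")
        if sep:
            facts[label.strip()] = value.strip()
    facts["from_domain"] = domain_of(msg["From"])
    facts["envelope_domain"] = domain_of(msg["Return-Path"])
    if not facts["from_domain"]:
        flags.append("From address has no domain")
    if facts["envelope_domain"] != expected_domain.lower():
        flags.append("Return-Path domain is not the expected sender domain")
    return facts, flags
```

Calling `triage(RAW, "xisto.com")` raises all three flags for this message; the UID/GID pair in the facts is the detail the sending host's abuse desk can map to one account.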

I got this email too. This is what I was able to "extract", if this is what you are looking for.

 

X-Message-Status: n
X-SID-Result: Fail
X-Message-Info: 6sSXyD95QpXHYuw+I5OMr7kZym7Y8v2LWNN+HWU0uJg=
Received: from dasher.psychz.net ([69.50.187.114]) by mc11-f3.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
  Sat, 26 Mar 2005 03:06:34 -0800
Received: from Xisto by dasher.psychz.net with local (Exim 4.44)
id 1DF91S-00036s-Hu; Sat, 26 Mar 2005 03:00:06 -0800
To: son_dawg[at]hotmail[dot]com (<--- this is me!!)
Subject:  : HOSTING ACCOUNT SUSPENDED.
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
To: son_dawg[at]hotmail[dot]com (<--- this is me!!)
From:  Management <administrator@>
Message-Id: <E1DF91S-00036s-Hu@dasher.psychz.net>
Date: Sat, 26 Mar 2005 03:00:06 -0800
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - dasher.psychz.net
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [32257 32258] / [47 12]
X-AntiAbuse: Sender Address Domain - dasher.psychz.net
X-Source:
X-Source-Args:
X-Source-Dir:
Return-Path: Xisto@dasher.psychz.net
X-OriginalArrivalTime: 26 Mar 2005 11:06:34.0986 (UTC) FILETIME=[DFB40CA0:01C531F3]

 

 


If there is any sensitive information here, Admin, please remove it for me to protect my email account. Thanks.


For me to be able to report them I have to have the headers within 24 hours. The faster I get them the easier it is to track the spammer down and report him/her. I need the full extracted headers in a PM; do not -=mung=- your email address or the IP that it was received at. If you mung the text my parser shows an error and stops processing the spam. I use munging when I report the email so any response to that report will go to me and not any of your email addresses.

Nils


Because it's missing parts the parser fails. What I need is the whole email with headers, unchanged. PM it to me because you don't wanna post your email address on the board. I don't send out any report without -=munging the email address and any other info=-. This is an example of munging :)

To: son_dawg[at]hotmail[dot]com (<--- this is me!!)

X-Message-Status: n
X-SID-Result: Fail
X-Message-Info: 6sSXyD95QpXHYuw+I5OMr7kZym7Y8v2LWNN+HWU0uJg=
Received: from dasher.psychz.net ([69.50.187.114]) by
mc11-f3.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
  Sat, 26 Mar 2005 03:06:34 -0800
Received: from Xisto by dasher.psychz.net with local (Exim 4.44)
id 1DF91S-00036s-Hu; Sat, 26 Mar 2005 03:00:06 -0800
To: son_dawg[at]hotmail[dot]com (<--- this is me!!)
Subject:  : HOSTING ACCOUNT SUSPENDED.
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
To: son_dawg[at]hotmail[dot]com (<--- this is me!!)
From:  Management <administrator@>
Message-Id: <E1DF_________s-Hu@dasher.psychz.net>
Date: Sat, 26 Mar 2005 03:00:06 -0800
X-AntiAbuse: This header was added to track abuse, please include it
with any abuse report
X-AntiAbuse: Primary Hostname - dasher.psychz.net
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [32257 32258] / [47 12]
X-AntiAbuse: Sender Address Domain - dasher.psychz.net
X-Source:
X-Source-Args:
X-Source-Dir:
Return-Path: Xisto@dasher.psychz.net
X-OriginalArrivalTime: 26 Mar 2005 11:06:34.0986 (UTC)
FILETIME=[DFB40CA0:01C531F3]

 

View entire message

Parsing header:
0: Received: from dasher.psychz.net ([69.50.187.114]) by mc11-f3.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Sat, 26 Mar 2005 03:06:34 -0800
Hostname verified: dasher.psychz.net
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
No source IP address found, cannot proceed.

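The two posts above separate two things: a submission that was edited by hand, which an automated parser cannot read, and munging applied by the reporter at report time, which keeps the headers parseable. The Python below is an added example illustrating that difference and is not Nils's parser; the function names, the replacement tokens `x@munged.invalid` and `0.0.0.0`, and the `INTACT` sample (placeholder recipient, IP and body) are constructed for illustration.

```python
import re
from email import message_from_string

ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
HAND_MUNGED = re.compile(r"\[at\]|\[dot\]|_{3,}", re.I)

# As posted in the thread: recipient and Message-Id were edited by hand.
POSTED = """\
Received: from dasher.psychz.net ([69.50.187.114]) by mc11-f3.hotmail.com
  with Microsoft SMTPSVC(6.0.3790.211); Sat, 26 Mar 2005 03:06:34 -0800
To: son_dawg[at]hotmail[dot]com (<--- this is me!!)
Message-Id: <E1DF_________s-Hu@dasher.psychz.net>
"""

# Constructed intact submission: placeholder recipient, receiving IP and body.
INTACT = """\
X-Apparently-To: user@example.net via 192.0.2.25; Sat, 26 Mar 2005 03:06:40 -0800
Received: from dasher.psychz.net ([69.50.187.114]) by mx.example.net
  with SMTP; Sat, 26 Mar 2005 03:06:34 -0800
To: user@example.net
Message-Id: <E1DF91S-00036s-Hu@dasher.psychz.net>

<html>constructed body</html>
"""

def submission_problems(raw):
    """Reasons an automated header parser would reject this submission."""
    head, sep, body = raw.partition("\n\n")
    msg = message_from_string(head + "\n\n")
    problems = [f"hand-munged line: {ln.strip()}"
                for ln in head.splitlines() if HAND_MUNGED.search(ln)]
    if not ADDR.search(msg.get("To", "")):
        problems.append("To: holds no parseable address")
    if not msg.get_all("Received"):
        problems.append("no Received: lines")
    if not (sep and body.strip()):
        problems.append("message body missing")
    return problems

def mung_for_report(raw, recipient, receiving_ip):
    """Swap the recipient's identifiers for fixed, syntactically valid tokens."""
    out = re.sub(re.escape(recipient), "x@munged.invalid", raw, flags=re.I)
    ip = r"(?<!\d)" + re.escape(receiving_ip) + r"(?!\d)"
    return re.sub(ip, "0.0.0.0", out)
```

The posted sample fails four checks, while the intact sample passes both before and after `mung_for_report`, because the tokens it inserts are still a valid address and a valid IP.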

OK, from using dig the emails originate from a server called dasher.psychz.net and there are 78 different users hosted on that server. If anyone here recognises a name of someone who may have had hosting here let us know. It's one of the 78 in the list that are sending the spam.

 

 

// links snipped

Edited by OpaQue (see edit history)
