Over the past months we have been continuously receiving spam from the CheetahMail servers. The company behind CheetahMail is Experian, a credit reports company. The spam emails target the test accounts we use for testing the online stores of our clients. The origin of the emails has been verified, and they have been persistent since November 2011. They also include identification image links so the spammers know whether or not these emails are opened.
The Received lines in the email headers read like this:
Received: from mta831.chtah.net (mta831.chtah.net [::ffff:220.127.116.11])
Received: from mta834.chtah.net (emta834.chtah.net [::ffff:18.104.22.168])
Received: from mta833.chtah.net (mta833.chtah.net [::ffff:22.214.171.124])
Received: from mta835.chtah.net (mta835.chtah.net [::ffff:126.96.36.199])
Received: from mta930.chtah.net (mta930.chtah.net [::ffff:188.8.131.52])
Received: from mta930.chtah.net (mta930.chtah.net [::ffff:184.108.40.206])
Received: from mta933.chtah.net (mta933.chtah.net [::ffff:220.127.116.11])
Received: from mta932.chtah.net (mta932.chtah.net [::ffff:18.104.22.168])
The IPs shown here are already listed in various spam databases. It's interesting that they specify the following at the end of the spam mail:
You're receiving this email because you registered with us to find out about our latest products and special offers. If you prefer not to receive emails from us, simply follow this link here to unsubscribe. Please allow 7 days for this to process.
This is totally false of course, as with every other spam email we receive. What is obvious is that they managed to get customer details from customer databases and started sending emails without any verification.
We did some basic research and it seems Experian, a credit and marketing company, is behind the CheetahMail spam, with others complaining over the net about receiving similar spam. In our view most of these spam companies rely on the fact that individuals have no method of showing details of the mails, like the mail headers, and of holding on to concrete evidence, so they have some time to send spam before complaints are filed. If you are a customer of these companies we strongly advise you to steer well clear of their services. Not only will you lose potential customers, but your site may also be implicated in the spam scheme. Experian may be a credit report company, but it has no credibility when sending spam emails out.
The advertised content of the spam mail we receive promotes various products from a site called ebuyer.com. We never worked for this site and we never signed up for their so-called "promotional offers". What's also interesting to note is the currency used for products in the spam mail and the country references: they indicate the United Kingdom. The vast majority of our clients, however, are in North America, not Europe. We do however test online stores and websites from all over the world, as we participate in open source forums and many times we provide free online community services for osCommerce along with our services. When members request that we test their stores for a problem that affects the osCommerce core framework it is free of charge, and so we have worked on hundreds of sites.
For instance, when a common PHP problem is initially reported we may allocate resources to identify the root cause, create test customer accounts and debug the issue. The stock osCommerce code uses a customer database table for storing customer records, and that table includes the email address. In these cases it is impossible to remove the test accounts simply because we do not have full access to the server. If in turn the server is compromised, or the web administrator decides to pass the email list from the database to a third party, it is quite possible to see sparse promotional emails. This case is different because the unsolicited spam emails from the CheetahMail servers have a periodic rate, with each arriving every two days.
It's also obvious that whoever is behind the CheetahMail spam doesn't bother analyzing or verifying email lists to check for potential clients. Nor do they care about publicity. These so-called marketing companies profit from shady contact methods, list fake privacy notices and policies, and moreover can be responsible when personal systems are compromised. For others who also receive these spam mails, here are a number of things that can be done.
- Block emails from the 63.236.77.nnn and 8.7.43.nnn IP ranges.
- Report the unsolicited emails to spamcop.net and other online SBLs.
Do not reply to the spam emails and do not try to unsubscribe through the spam links, as it will most certainly create the opposite effect of what you would expect. If you have any doubts about the authenticity of the email records, we keep a full list of all emails received from the CheetahMail servers and we can post further details if necessary.
In the past we reported persistent and frequent spam emails originating from other marketing companies. We did our best to publish the information about the servers and IPs involved, including adding comments to mainstream media like wiki, which of course were removed as "claims without ground".
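One way to apply the range block to Received lines of the shape quoted earlier, as an added example that is not part of the original post. It assumes the two "nnn" ranges are /24 networks; the function names are hypothetical and the sample headers are constructed, with made-up last octets.

```python
import ipaddress
import re

# The two ranges the article says to block, read here as /24 networks
# (assumption: "nnn" stands for any value of the last octet).
BLOCKED_NETS = [
    ipaddress.ip_network("63.236.77.0/24"),
    ipaddress.ip_network("8.7.43.0/24"),
]

# Matches the header shape quoted in the article:
#   Received: from <helo> (<rdns> [<address>])
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\(\S+\s+\[([^\]\s]+)\]\)", re.IGNORECASE
)

def relay_from_received(line):
    """Return (helo_name, ip_address) for one Received line, or None."""
    m = RECEIVED_RE.match(line.strip())
    if m is None:
        return None
    try:
        addr = ipaddress.ip_address(m.group(2))
    except ValueError:
        return None  # malformed address literal
    # The quoted headers show IPv4 peers in IPv4-mapped IPv6 form
    # (::ffff:a.b.c.d); unwrap them so they compare against IPv4 networks.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return m.group(1), addr

def is_blocked(addr):
    return any(addr.version == n.version and addr in n for n in BLOCKED_NETS)

def triage(header_lines):
    """Return [(helo_name, ip_string, blocked)] for every parsable relay line."""
    out = []
    for line in header_lines:
        relay = relay_from_received(line)
        if relay is not None:
            out.append((relay[0], str(relay[1]), is_blocked(relay[1])))
    return out

# Constructed sample headers (last octets and example.* hosts are made up).
SAMPLE_HEADERS = [
    "Received: from mta831.chtah.net (mta831.chtah.net [::ffff:63.236.77.10])",
    "Received: from mta930.chtah.net (mta930.chtah.net [::ffff:8.7.43.20])",
    "Received: from relay.example.org (relay.example.org [::ffff:63.236.78.10])",
    "Received: from mail.example.org (mail.example.org [192.0.2.25])",
    "Received: by mx.example.net with SMTP id constructed1",
]
```

A plain string comparison against "63.236.77." would miss the "::ffff:" form, which is why the address is parsed and unwrapped before the network test.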