Yahoo abuse handling improves, OfficeLive and Earthlink have their work cut out

Nine months ago I reported about a series of child porn sites that were being illegally hosted at Yahoo’s webhosting service. At the time I was seeing about half a dozen new sites pop up every day. I am glad to report that about 4 weeks ago Yahoo finally seems to have done something to stop this. After 18 months of a steady stream of new porn sites that I reported, things went quiet after two sites it suspended on November 5, 2007 that I had reported eralier that day. For the next two weeks I didn’t come across any new sites. Another 9 sites I came across on November 20, 21 and 22 were quickly terminated. Then again no new sites to report for three weeks. Thank you, Yahoo, for stopping these criminals! I don’t know what Yahoo did to prevent fraudulent signups (child porn webhosting signups usually involve stolen credit card data), but whatever it is seems to be working. Now if it could only stop the phishing scammers that still abuse their service.

Meanwhile, two other webhosts constantly keep popping up in connection with various Nigerian scams. For many months Microsoft’s OfficeLive has been the clear leader. I did some counts a few months ago and found that amongst domains connected to Advance fee scams that I was adding to the SURBL blacklist, more than half were hosted at OfficeLive, i.e. more than for all other webhosts combined!

Unlike most other webhosts, OfficeLive does not appear to maintain an abuse reporting email address to which to forward scam reports. All they have is a webform.

The runner up amonsgt Advance fee fraud domains has been Earthlink.net, where numbers seem to be increasing. If you try to report fraudulent domains that have appeared in contact addresses listed inside a scam email, such as a “claim agent” for an “email lottery” or an immigration lawyer for an international employment scam, do not waste your time contacting abuse@earthlink.com. All you would get back is a boilerplate message that the message you reported did not originate from an Earthlink account, which may well be true, but is besides the point. Here’s an example:

Hello,

Thank you for submitting a report to the EarthLink Network Abuse
Department. Unfortunately, we are unable to investigate the email you
forwarded because it does not appear to have originated from the
EarthLink network.

For instructions on determining the origin of an email, please visit:

http://support.earthlink.net/tutorial/mailbox/interpret_headers/

If, after reading the above article, you find that the email did NOT
originate from the EarthLink network, we encourage you to submit the
email to the appropriate network.

If you were trying to report fraud (“phishing”), please contact our
Fraud Department via our Fraud webform located at:

http://securitycenterkb.earthlink.net/fraudmi.asp?route=email

If you find that the email DID originate from the EarthLink network,
please reply directly to this email.

The EarthLink Appropriate Use Policy, Users Agreement, and Privacy
Policy are available at: http://earthlink.net/about/policies

We appreciate your assistance.

Sincerely,

EarthLink Network Abuse

The email I had been trying to report had been sent from a Gmail account, but it was telling people to contact an email address that used an Earthlink-hosted domain name.

I will give the Earthlink fraud report webform a try. Hopefully it works better. Webforms are poor substitute for reporting abuse via email. Much abuse will remain unreported if abuse reporting involves much more than hitting the forward button. Criminals will keep flocking to those providers who do not have effective abuse handling departments, such as OfficeLive and Earthlink.