
Please help me trace this


Chadi


Received many notifications of some clown causing chaos on this same server. This is one of the many notifications

Server specs:

Exim Mail server

Cpanel

PHP 4.4.2

Centos 4.2

Please help me trace this person to stop this nonsense.

your customer using IP address 147.202.65.178 has been

spamming our web submission form at

http://www.trialware.org/join.html. You can see the form results

attached. Please consider doing all you can to prevent such

incidents in the future.

Thank you

Return-path: <trialwar[at]eta.asmallorange.com>

Envelope-to: trialwar[at]eta.asmallorange.com

Delivery-date: Mon, 06 Feb 2006 11:24:56 -0500

Received: from trialwar by eta.asmallorange.com with local-bsmtp (Exim 4.52)

id 1F69AS-00008P-LT

for trialwar[at]eta.asmallorange.com; Mon, 06 Feb 2006 11:24:55 -0500

X-spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on

eta.asmallorange.com

X-spam-Level:

X-spam-Status: No, score=-2.7 required=5.0 tests=ALL_TRUSTED,AMATEUR_PORN,

BAYES_00,HOT_NASTY autolearn=ham version=3.1.0

Received: from trialwar by eta.asmallorange.com with local (Exim 4.52)

id 1F69AO-00008E-NP

for trialwar[at]trialware.org; Mon, 06 Feb 2006 11:24:41 -0500

Received: from 147.202.65.178 by www.trialware.org with HTTP;

Mon, 06 Feb 2006 11:24:40 EST

X-Mailer: cgiemail 1.6

(form="http://www.trialware.org/join.html")

(action="/cgi-bin/cgiemail/join.txt")

To: trialwar[at]trialware.org

Subject: Join Trialware Professional Association

From: "Geoff" <Geoff[at]inm.ras.com>

Message-Id: <E1F69AO-00008E-NP[at]eta.asmallorange.com>

Date: Mon, 06 Feb 2006 11:24:40 -0500

X-PMFLAGS: 33570944 0 1 PXHZ2PQY.CNM

X-CC-Diagnostic: The F word (40)

IP: 147.202.65.178

Update: False

email: Geoff[at]inm.ras.com

input_company: Health Management Associates Inc.

name: Geoff

HideEMail: True

input_website: http://www.big-woman.be

input_desc: Any girls/ladies that like random phone sex? Someone like it I saw on <a href='http://www.big-woman.be'>http://www.big-woman.be</a> What do you like about it? Details please!

keywords: sex,porn,porno,adult,xxx, hardcore, fu**,sexy girls, hot girls, amateur porn, bbw, big woman, big wonderful women

input_linktype: Other


This IP is not listed in the SpamCop block list so it would seem this isn't a reporting or block list issue.

You don't say which form-to-mail script you are using but from the information provided it would seem that you may need to secure that script.

Andrew

ADMINS: Please could consideration be made to moving this to the Lounge?


I think you misunderstood. It was an email sent to me reporting the abuse of the person on my server using another person's website (the one who reported the abuse to me) so obviously I do not know what form was used.

I just need help tracing this going by what was provided to me here.


As I noted, this IP address is not listed in the SpamCop block list and it is not, therefore, an issue with the SpamCop reporting service. This forum is for support on the reporting service which is not what your message relates to.

I've suggested to the admins it be moved to the Lounge which is the area for more general discussion on spam related issues such as yours.

As noted, it seems to be a problem with a form-to-mail script. (You are correct that I understood it to be a problem with your script - not somebody else's.)

If one of your customers is abusing somebody else's script then, provided you have evidence to support the allegation and unless you have a contract which prevents you from taking action, I'd cancel their contract and ask them to go elsewhere. If for contractual reasons you can't just pull the plug then give them notice and pull the plug when the notice expires.

But this advice assumes there is good evidence to support the allegation.

Andrew


The IP involved simply tracks back to Virtuoso Net Solutions Inc VIRTUOSO-NET-SOLUTIONS (NET-147-202-65-0-1) 147.202.65.0 - 147.202.65.255 ... but I suspect you already know this.

02/07/06 14:04:06 Slow traceroute 147.202.65.178

Trace 147.202.65.178 ...

147.202.1.140 RTT: 52ms TTL: 96 (bb2.coreswa.cf.teamnet.net bogus rDNS: host not found [authoritative])

147.202.6.58 RTT: 52ms TTL: 96 (teaml3-1.teamnet.net bogus rDNS: host not found [authoritative])

147.202.65.178 RTT: 53ms TTL: 46 (server4.virtuosonetsolutions.com ok)

But, I'm thinking you already know this also.

Taking an actual look at the code, then the web-site found at http://www.trialware.org/join.html .... there is no automatic thing going on at that site. The complaints and appearances would seem to be the traffic seen from the IP address already pointed out. Tracking down where it's coming from would seem to be on your shoulders (taking the wild leap that the Chad in the WHOIS may be yourself) .... Not sure what logs you may have available, but you would be looking for plain Port 80 traffic to this web-site used while someone was filling in the blanks .. the complaint about this being "repeated" suggests that there would be multiple instances of this traffic.

On the other hand, in a situation like this, I normally send some of the access_log data seen to assist the "problem" ISP in actually narrowing down the issue on their system. Have you asked these folks for more data?

Agreed, this has absolutely zero reference to an issue with the SpamCop Parsing and Reporting system. Moved to the Lounge.

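The access_log extract mentioned in the post above, sketched as an added example that is not part of the original thread: it pulls every form submission from the reported IP out of a web server log and normalises the timestamps to UTC so the source ISP can match them against its own connection records. It assumes Apache "combined" log format; the log lines, the ExampleBot agent string and the 198.51.100.7 address are constructed, and only the IP, the cgiemail action path and the date come from the headers quoted in the thread.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (assumption); only the IP, form path and date are from the thread.
SAMPLE_LOG = """\
147.202.65.178 - - [06/Feb/2006:11:24:40 -0500] "POST /cgi-bin/cgiemail/join.txt HTTP/1.0" 200 512 "-" "ExampleBot/1.0"
198.51.100.7 - - [06/Feb/2006:11:25:02 -0500] "GET /join.html HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
198.51.100.7 - - [06/Feb/2006:11:26:30 -0500] "POST /cgi-bin/cgiemail/join.txt HTTP/1.1" 200 512 "http://www.trialware.org/join.html" "Mozilla/4.0"
147.202.65.178 - - [06/Feb/2006:11:31:12 -0500] "POST /cgi-bin/cgiemail/join.txt HTTP/1.0" 200 512 "-" "ExampleBot/1.0"
147.202.65.178 - - [06/Feb/2006:11:40:05 -0500] "GET /index.html HTTP/1.0" 200 2048 "-" "ExampleBot/1.0"
not a log line
"""

def form_hits(log_text, client_ip, form_path):
    """Return POSTs from client_ip to form_path, with timestamps converted to UTC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] != client_ip or m["method"] != "POST":
            continue  # malformed line, other client, or not a submission
        if m["path"].split("?", 1)[0] != form_path:
            continue  # ignore the query string when comparing the form action
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({
            "utc": ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ"),
            "referer": m["referer"],
            "agent": m["agent"],
        })
    return hits

def summarize(hits):
    """Counts for the abuse report; a missing Referer is a hint of scripting, not proof."""
    return {
        "total": len(hits),
        "without_referer": sum(h["referer"] == "-" for h in hits),
        "agents": Counter(h["agent"] for h in hits),
    }

if __name__ == "__main__":
    print(summarize(form_hits(SAMPLE_LOG, "147.202.65.178", "/cgi-bin/cgiemail/join.txt")))
```
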

Archived

This topic is now archived and is closed to further replies.
