Hello,
One of your customers is spamming massively. He is using non-existent
email addresses in my domain as the sender address of his messages.
Because of this, all the bounces are coming to my server and using huge
amounts of disk space and bandwidth.
Let me explain this in detail:
I'm running a small webhosting provider on my server
(http://www.sengawa-networks.com, which is not finished yet, so the
website is password-protected). My personal site is in the same server
(http://www.ag0ny.com). In my site, I have been giving free POP3 email
accounts using this form:
http://www.ag0ny.com/index.php?action=freeemail
This form logs the timestamp, IP address, hostname, the email address
requested by the user, the password, etc. When I arrive home each day
after work, I create the accounts by hand. Also, when a user comes back
later and retrieves his account information (the password for using it
the first time), I get a notice email.
On January 13th, a user from your network tried to create 20-30
accounts. I didn't configure them when I saw them. He never tried to
retrieve the password to use any of them. Several other times he came
back to my site and tried to create more email accounts. These are the
times and IP addresses he used:
Tue Jan 13 00:16:28 PST 2004   203.131.135.100   adsl-131.135.100.info.com.ph
Sun Jan 18 19:45:38 PST 2004   203.131.139.250   adsl-131.139.250.info.com.ph
Tue Jan 20 03:28:39 PST 2004   203.131.138.192   adsl-131.138.192.info.com.ph
Sat Jan 31 12:57:10 PST 2004   203.131.152.15    adsl-131.152.15.info.com.ph
Sun Feb 1 16:46:20 PST 2004    203.131.156.77    adsl-131.156.77.info.com.ph
The times are in the Pacific Standard Time zone because my server is in
the USA. On these five occasions, he tried to create the following email
addresses (all in the ag0ny.com domain):
http://www.ag0ny.com/misc/info.com.ph-spammer/accounts.txt
None of these addresses exist in my server. He's sending spam from his
computer using these addresses as the sender. When some email bounces,
it goes to my server because the addresses are in my domain. And since
the addresses don't exist here, these doublebounces are delivered to the
postmaster account in my server (postmaster@sengawa-networks.com).
In the last few days, I've received almost 230.000 return emails,
amounting to many gigabytes of data:
ares:/isp/domains/sengawa-networks.com/mail/postmaster/Maildir/new# ls |wc -l
229360
ares:/isp/domains/sengawa-networks.com/mail/postmaster/Maildir# ls -la
total 12776
drwx------ 5 pop mail 512 Aug 27 23:54 .
drwx------ 3 pop mail 512 Feb 1 19:43 ..
drwx------ 2 pop mail 512 Aug 27 23:54 cur
drwx------ 2 pop mail 13047808 Feb 9 15:01 new
drwx------ 2 pop mail 512 Feb 9 15:01 tmp
I deleted all these emails a while ago, and in the last two hours I've
received 2200 more bounces:
ares:/isp/domains/sengawa-networks.com/mail/postmaster/Maildir/new# ls |wc -l
2267
I've copied around 300 of these doublebounces to my website so you can
take a look at them:
http://www.ag0ny.com/misc/info.com.ph-spammer/
I have also posted the web server logs for this user. The logs are:
http://www.ag0ny.com/misc/info.com.ph-spammer/access_log.203.131.135.100
http://www.ag0ny.com/misc/info.com.ph-spammer/access_log.203.131.138.192
http://www.ag0ny.com/misc/info.com.ph-spammer/access_log.203.131.139.250
http://www.ag0ny.com/misc/info.com.ph-spammer/access_log.203.131.152.15
http://www.ag0ny.com/misc/info.com.ph-spammer/access_log.203.131.156.77
Is there anything you can do with all this information to close this
user's account? Please tell me when you've taken care of this, so I can
remove these files and logs from my website.
If you want to verify my identity, you can search on Google for my email
address (ag0ny@ag0ny.com), my full name ("Javi Lavandeira" or "Javier
Lavandeira"), the whois info of the ag0ny.com and sengawa-networks.com
domains, etc.
Thanks in advance,
--
Javi Lavandeira - http://www.ag0ny.com