From: Admin
Reply-To: abuse@2003.dolphinwave.org
Organization: Private person
To: , abuse@club-internet.fr, abuse@unitedlayer.com, abuse@321host-it.com, abuse@ev1.net, abuse@godaddy.com, postmaster@godhost.com, mccole@prado.com, abuse@prado.com, postmaster@protgp.com, postmaster@cogentco.com, abuse@cogentco.com, abuse@prohosters.com
Subject: Guestbooks pr0n spamming from club-internet.fr: Webnet Products (aaz-sexo.com/annuaire-sexe-1.com/sexe-1000.com/casino-en-ligne.ws)!
Date: Sat, 23 Aug 2003 20:03:15 +0300
User-Agent: KMail/1.5
X-Complaints-To: abuse@dolphinwave.org (live person)
X-PGP-key: 0xAAE2A579
X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133 FA87 000B 0FB6 AAE2 A579
X-No-Confirm: Yes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200308232003.15681@2003.dolphinwave.org>
Status: R
X-Status: N
X-KMail-EncryptionState:
X-KMail-SignatureState:

For the last month my guestbook has been spammed with what look like genuine messages about the web site, but in fact are spams for their own pr0n web pages.

All these "different" people came from the same d1.club-internet.fr machines, and webserver logs show that those IPs did NOT visit anything but the script itself (so they can't claim that they "liked my page", or that they "didn't find what they wanted to").

Please terminate the spammers' accounts as soon as possible!

Thanks!

=======

Refusing to deal with your abusers will lead to your whole IP range being blocked from accessing my servers ever again, and this info will be shared with other admins and public blocklists!

Spammer: f04v-1-114.d1.club-internet.fr [212.194.60.114]
Date: 07.21.2003 02:27 (GMT+0300)
Spamvertised web page: http://www.aaz-sexo.com

Spammer: f03m-11-89.d1.club-internet.fr [212.194.58.89]
Date: 07.22.2003 15:28 (GMT+0300)
Spamvertised web page: http://www.annuaire-sexe-1.com

Spammer: f13m-5-245.d1.club-internet.fr [212.195.80.245]
Date: 08.09.2003 00:40 (GMT+0300)
Spamvertised web page: http://www.sexe-1000.com

Spammer: f13m-8-103.d1.club-internet.fr [212.195.83.103]
Date: 08.23.2003 19:16 (GMT+0300)
Spamvertised web page: http://www.casino-en-ligne.ws

www.aaz-sexo.com [209.237.241.190] (service-209-237-241-190.321host-it.com)
================
Registrant:
   Webnet Products Ltd
   7-11 Minerva Road
   Park Royal
   London NW10 6HJ
   United Kingdom

   Registered through: GoDaddy.com
   Domain Name: AAZ-SEXO.COM
      Created on: 04-Feb-03
      Expires on: 04-Feb-04
      Last Updated on: 04-Feb-03

   Administrative Contact:
      Touchard, Jeremie jt@webnetprod.com
      Webnet Products Ltd
      7-11 Minerva Road
      Park Royal
      London NW10 6HJ
      United Kingdom
      7092111479 Fax -- 7092111479

   Technical Contact:
      Touchard, Jeremie jt@webnetprod.com
      Webnet Products Ltd
      7-11 Minerva Road
      Park Royal
      London NW10 6HJ
      United Kingdom
      7092111479 Fax -- 7092111479

   Domain servers in listed order:
      NS1.321CUSTOMER.COM
      NS2.321CUSTOMER.COM

United Layer IP block [209.237.224.0 - 209.237.255.255].
Upstream: United Layer (GE49-ar01-200p-sfo.unitedlayer.com).
Nameservers: 321customer.com.

www.annuaire-sexe-1.com [66.98.142.4]
=======================
Registrant:
   Webnet Products Ltd
   7-11 Minerva Road
   Park Royal
   London NW10 6HJ
   United Kingdom

   Registered through: GoDaddy.com
   Domain Name: ANNUAIRE-SEXE-1.COM
      Created on: 16-May-03
      Expires on: 16-May-04
      Last Updated on: 27-May-03

   Administrative Contact:
      Touchard, Jeremie jt@webnetprod.com
      Webnet Products Ltd
      7-11 Minerva Road
      Park Royal
      London NW10 6HJ
      United Kingdom
      7092111479 Fax -- 7092111479

   Technical Contact:
      Touchard, Jeremie jt@webnetprod.com
      Webnet Products Ltd
      7-11 Minerva Road
      Park Royal
      London NW10 6HJ
      United Kingdom
      7092111479 Fax -- 7092111479

   Domain servers in listed order:
      NS1.GODHOST.COM
      NS2.GODHOST.COM

Everyones Internet IP block [66.98.128.0 - 66.98.175.255].
Upstream: Everyones Internet (216.200.251.29.ev1.net).
Nameservers: godhost.com

www.sexe-1000.com [66.172.67.59]
=================
Registrant:
   Webnet Products Ltd
   7-11 Minerva Road
   Park Royal
   London NW10 6HJ
   United Kingdom

   Registered through: GoDaddy.com
   Domain Name: SEXE-1000.COM
      Created on: 19-Jul-03
      Expires on: 19-Jul-04
      Last Updated on: 19-Jul-03

   Administrative Contact:
      Touchard, Jeremie jt@webnetprod.com
      Webnet Products Ltd
      7-11 Minerva Road
      Park Royal
      London NW10 6HJ
      United Kingdom
      7092111479 Fax -- 7092111479

   Technical Contact:
      Touchard, Jeremie jt@webnetprod.com
      Webnet Products Ltd
      7-11 Minerva Road
      Park Royal
      London NW10 6HJ
      United Kingdom
      7092111479 Fax -- 7092111479

   Domain servers in listed order:
      NS1.PROTGP.COM
      NS2.PROTGP.COM

Sunwave Communications IP block [66.172.64.0 - 66.172.95.255].
Upstream: Cogent (Sunwave_Communications.demarc.cogentco.com).
Nameservers: protgp.com.

www.casino-en-ligne.ws [69.5.73.234]
======================
Pro Hosters L.L.C. IP block [69.5.64.0 - 69.5.79.255].
Upstream: Pro Hosters (ge-2-2.hr1.iad1.4ph.com).
Nameservers: 4ph.com.

======= Guestbook spams were (GMT+0300) =======

name=roxo88
mail=roxo@fotos-rubia.com
url=http://www.aaz-sexo.com
text=Good website. I wish to see more like this one.
date=07.21.2003 02:27
ip=212.194.60.114

name=agrem44
mail=ag@dvdachats.com
url=http://www.annuaire-sexe-1.com
text=I came up here while looking for a guestbook script. Nice job done here.
date=07.22.2003 15:28
ip=212.194.58.89

name=giorgws
mail=giorgws@bzh.net
url=http://www.sexe-1000.com
text=Congratulations for your website.
date=08.09.2003 00:40
ip=212.195.80.245

name=faical
mail=faical@soleil.org
url=http://www.casino-en-ligne.ws
text=Not exactly what I was looking for, but interesting though.
date=08.23.2003 19:16
ip=212.195.83.103

======= Webserver logs for this month, for the spammers' accesses =======

# cat http-log |grep "212.195."
212.195.80.245 - - [09/Aug/2003:00:35:28 +0300] "GET /Guestbook/guestbook.php HTTP/1.1" 200 8325 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
212.195.80.245 - - [09/Aug/2003:00:35:30 +0300] "GET /Guestbook/guestbook.css HTTP/1.1" 200 2808 "http://www.dolphinwave.org/Guestbook/guestbook.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
212.195.80.245 - - [09/Aug/2003:00:35:30 +0300] "GET /Guestbook/gif/email.gif HTTP/1.1" 200 264 "http://www.dolphinwave.org/Guestbook/guestbook.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
212.195.80.245 - - [09/Aug/2003:00:35:31 +0300] "GET /Guestbook/gif/home.gif HTTP/1.1" 200 274 "http://www.dolphinwave.org/Guestbook/guestbook.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
212.195.80.245 - - [09/Aug/2003:00:35:31 +0300] "GET /Guestbook/gif/icq.gif HTTP/1.1" 200 366 "http://www.dolphinwave.org/Guestbook/guestbook.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
212.195.80.245 - - [09/Aug/2003:00:35:34 +0300] "GET /Guestbook/gif/yim.gif HTTP/1.1" 200 86 "http://www.dolphinwave.org/Guestbook/guestbook.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
212.195.80.245 - - [09/Aug/2003:00:35:34 +0300] "GET /Guestbook/gif/aim.gif HTTP/1.1" 200 348 "http://www.dolphinwave.org/Guestbook/guestbook.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
212.195.80.245 - - [09/Aug/2003:00:40:14 +0300] "POST /Guestbook/guestbook.php HTTP/1.1" 302 1 "-" "MSIE"
212.195.83.103 - - [23/Aug/2003:19:16:26 +0300] "POST /Guestbook/guestbook.php HTTP/1.1" 302 1 "-" "MSIE"
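
The pattern the report reads out of its logs (form POSTs with no Referer, a User-Agent that differs from the one that loaded the form or no form load at all, and nothing requested outside the guestbook) can be checked mechanically. The following is an added example, not part of the original message; the function name, reason labels and the 192.0.2.10 visitor are constructed for illustration, and a missing Referer on its own is only a triage signal since some proxies strip it.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the excerpt quoted in the report.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample: three lines from the report plus a made-up ordinary visitor (192.0.2.10).
SAMPLE = """\
212.195.80.245 - - [09/Aug/2003:00:35:28 +0300] "GET /Guestbook/guestbook.php HTTP/1.1" 200 8325 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
212.195.80.245 - - [09/Aug/2003:00:40:14 +0300] "POST /Guestbook/guestbook.php HTTP/1.1" 302 1 "-" "MSIE"
212.195.83.103 - - [23/Aug/2003:19:16:26 +0300] "POST /Guestbook/guestbook.php HTTP/1.1" 302 1 "-" "MSIE"
192.0.2.10 - - [10/Aug/2003:12:00:00 +0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686)"
192.0.2.10 - - [10/Aug/2003:12:01:00 +0300] "GET /Guestbook/guestbook.php HTTP/1.1" 200 8325 "http://www.dolphinwave.org/index.html" "Mozilla/5.0 (X11; Linux i686)"
192.0.2.10 - - [10/Aug/2003:12:03:00 +0300] "POST /Guestbook/guestbook.php HTTP/1.1" 302 1 "http://www.dolphinwave.org/Guestbook/guestbook.php" "Mozilla/5.0 (X11; Linux i686)"
"""

def flag_form_posts(log_text, form="/Guestbook/guestbook.php", area="/Guestbook/"):
    """Return {ip: sorted reasons} for clients whose form POSTs look scripted."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            hits[m["ip"]].append(m.groupdict())
    flagged = {}
    for ip, reqs in hits.items():
        reasons = set()
        get_uas = set()  # User-Agents seen on earlier GETs of the form
        for r in (x for x in reqs if x["path"] == form):  # log order is chronological
            if r["method"] == "GET":
                get_uas.add(r["ua"])
            elif r["method"] == "POST":
                if r["referer"] in ("", "-"):
                    reasons.add("post-without-referer")
                if not get_uas:
                    reasons.add("post-without-loading-form")
                elif r["ua"] not in get_uas:
                    reasons.add("user-agent-changed")
        # The report's main point: nothing outside the script was requested.
        if reasons and all(r["path"].startswith(area) for r in reqs):
            reasons.add("guestbook-only")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged

if __name__ == "__main__":
    print(flag_form_posts(SAMPLE))
```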