To: abuse@verio.net
Date: Sun, 16 Jan 2005 10:36:04 -0500
Subject: Spam abuse by your customer

One of your web hosting clients is using dozens and dozens of domains on your server (161.58.59.8) to send automated referral spam via a rotating proxy at a rate of about 5 per minute on my site (and likely comment spam elsewhere, though I haven't seen that on my site). This is a clear violation of your AUP, as I read it at http://www.verio.net/about/legal/aup.cfm

My web host is on the verge of blocking the IP number of that server (and all 2,051 sites on it) due to this abusive behavior (see access log below). This is a last attempt to end this abuse without having to resort to that.

Here's a *few* of the domains you are hosting for them that are engaging in referral spam (note they all have the same odd "admin" page):

http://www.lvcpa.org/
http://www.lvcpa.net/
http://www.targetindustries.org/
http://www.ingyensms.net/
http://www.ingyensms.org/
http://www.jfcadvocacy.net/
http://www.hdic.net/
http://www.hdic.org/
http://www.zalaszentgrot.com/
http://www.neweighweb.net/
http://www.gargzdai.net/
http://www.jmsimonr.com/
http://www.darkangelclan.com/
http://www.hometeaminspection.net/
http://www.hometeaminspection.org/
http://www.middlecay.net/
http://www.psychexams.net/
http://www.psychexams.org/
http://www.parkviewsoccer.net/
http://www.parkviewsoccer.org/
http://www.stories-on-cd.org/
http://www.tclighting.net/
http://www.mp-forum.com/
http://www.bigyonet.com/

This is literally a *few* of the domains this person is using on your server to send referral spam. They have dozens and dozens, often in both .org and .net. The WHOIS registration for these domains claims they are registered to:

Registrant:
Jane Phill
61 Street
New York NYC
US 10044

Administrative Contact:
Justine, Rianna (NIC-18209) contact69@support-4u.net
Rianna Justine
Lexington Ln. 71
Bronson South Dakota , US 85703
Phone: 8850462774

Billing Contact:
Justine, Rianna (NIC-18209) contact69@support-4u.net
Rianna Justine
Lexington Ln. 71
Bronson South Dakota , US 85703
Phone: 8850462774

They all use these DNS servers:

NS0.TEST-DNS.NET
NS1.TEST-DNS.NET

Here's a sample of the pounding they give just my site. The ten hits below came in a little over two minutes, and it goes on around the clock:

photodude.com 82.194.62.17 - - [16/Jan/2005:15:10:11 +0000] "GET /article/2595/mt-comment-spam-the-attack HTTP/1.1" 200 29440 "http://www.mor-lite.net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
photodude.com 203.199.247.243 - - [16/Jan/2005:15:10:29 +0000] "GET /article/2288/war-and-reconciliation HTTP/1.0" 200 12952 "http://www.darkangelclan.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
photodude.com 163.121.128.210 - - [16/Jan/2005:15:10:49 +0000] "GET /galleries/lensbaby2/ HTTP/1.0" 200 5706 "http://www.hometeaminspection.net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
photodude.com 68.113.112.12 - - [16/Jan/2005:15:10:54 +0000] "GET /wedding/post/2k_susan_roses.htm HTTP/1.1" 200 1346 "http://www.middlecay.net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
photodude.com 163.121.128.210 - - [16/Jan/2005:15:10:49 +0000] "GET /article/315/phototerrorists HTTP/1.0" 200 28486 "http://www.mor-lite.net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
photodude.com 203.199.247.243 - - [16/Jan/2005:15:11:42 +0000] "GET /article/2288/war-and-reconciliation HTTP/1.0" 200 12941 "http://www.darkangelclan.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
photodude.com 216.164.99.102 - - [16/Jan/2005:15:11:50 +0000] "GET /pixel/2000_10_15_bloglog.shtml HTTP/1.0" 200 27928 "http://www.darkangelclan.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
photodude.com 68.48.242.62 - - [16/Jan/2005:15:11:56 +0000] "GET /article/1642/terrorist-silenced-in-british-town HTTP/1.1" 200 14365 "http://www.bigyonet.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
photodude.com 163.121.128.210 - - [16/Jan/2005:15:12:00 +0000] "GET /wedding/post/2l_hands.htm HTTP/1.0" 200 1360 "http://www.stories-on-cd.net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
photodude.com 64.47.62.26 - - [16/Jan/2005:15:12:26 +0000] "GET /article/1642/terrorist-silenced-in-british-town HTTP/1.0" 200 14396 "http://www.bigyonet.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"

Comment spam and referral spam have become huge problems on the web, and your own servers should show that (via hundreds of mt-comment.cgi processes generating server loads of 300+ during such an attack), I would expect this matter to be dealt with quickly and thoroughly. Because if you can't stop the abuse emitting from your server, it will be blacklisted and blocked.

The customers of TextDrive are sick of this abuse of our resources emitting from your server at 161.58.59.8

regards,
Reid

--
Reid Stott
e-mail: reid@photodude.com
A Photo Gallery with an Attitude: http://www.photodude.com/
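
The pattern in the access log above (one User-Agent string arriving from many client IPs, each request citing the bare root of a different external site as its referrer) can be picked out of a log mechanically. The following is an added example, not part of the original e-mail; the heuristic, its thresholds, the `_hit` helper and the sample lines (documentation IP ranges and `.example` domains) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Virtual host, then Apache "combined" fields, as in the log excerpt above.
LINE = re.compile(
    r'(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def find_referrer_spam(lines, min_ips=3, min_hosts=3):
    """Return {user_agent: sorted referrer hosts} for suspected campaigns.

    Assumed heuristic: one User-Agent seen from at least min_ips client
    IPs, citing the bare root of at least min_hosts external sites.
    """
    ips, hosts = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # malformed or differently formatted line
        ref = urlsplit(m["referer"])
        host = (ref.hostname or "").removeprefix("www.")
        own = m["vhost"].lower().removeprefix("www.")
        if not host or host == own or host.endswith("." + own):
            continue  # no referrer ("-") or a link from the site itself
        if ref.path not in ("", "/") or ref.query:
            continue  # deep links and search queries look like real referrals
        ips[m["agent"]].add(m["ip"])
        hosts[m["agent"]].add(host)
    return {ua: sorted(h) for ua, h in hosts.items()
            if len(h) >= min_hosts and len(ips[ua]) >= min_ips}

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"

def _hit(ip, path, referer, agent=UA):
    # Builds one constructed log line in the same layout as the excerpt.
    return (f'blog.example {ip} - - [16/Jan/2005:15:10:11 +0000] '
            f'"GET {path} HTTP/1.0" 200 1234 "{referer}" "{agent}"')

SAMPLE = [  # constructed sample, not taken from a real log
    _hit("192.0.2.10", "/article/1", "http://www.spam-a.example/"),
    _hit("198.51.100.7", "/article/2", "http://www.spam-b.example/"),
    _hit("203.0.113.5", "/gallery/", "http://www.spam-c.example/"),
    _hit("192.0.2.10", "/article/3", "http://www.spam-a.example/"),
    _hit("192.0.2.99", "/article/1", "http://search.example/find?q=photo",
         "Mozilla/5.0 (X11)"),
    _hit("192.0.2.98", "/article/2", "http://blog.example/", "Mozilla/5.0 (X11)"),
    _hit("192.0.2.97", "/", "-"),
]

if __name__ == "__main__":
    print(find_referrer_spam(SAMPLE))
```

The returned referrer hosts are candidates for a referrer-based deny rule or for an abuse report like the one above; client IPs are deliberately not returned, since with a rotating proxy they belong to third parties.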