I just got an order for hosting and the domain seemed a lil fishy so I just entered it in Google and got a hit on it for a Citizens Bank phishing email - "Activate your BillPay" scam.

So we started checking, the billing address was in Panorama City, CA IP was from MARINA DEL REY, CALIFORNIA that is defiantly possible since when I trace my Ip I show up in a different city here in LA.

So then we did a domain lookup came to Orlando, FL.

Then we checked and they already uploaded Sendmail.php the only file their...

What do you think we should do, I don’t want to let them use our servers to spam and scam people but I don’t want to just let them move on.

We have tried calling the phone but he won’t be in until later today. Do you think that suspicious?

THe IP trace will not always give you an accurate answer, because it first traces to the ISP if they are behind a proxy, and some of the ISP's put users behind proxies for certain reasons.

I don't like invading privacy of my customers, but in this case you may have to. Check out the PHP file and see what the functions are and see if it has any loops for spam or whatever.

If you cannot contact him by phone, email or any other way, you may need to suspend that account until they respond.

I have had this same issue with one of my customers, but he replied straight away and verified everything was correct.

The domain is citizensonline.us
http://www.fraudwatchinternational.com/fraudalerts2/0412/pages/041230_4839_citizens.htm

We immediately suspended the account (5 min after creation) after seeing sendmail.php uploaded.

We then contacted the card holder and they reported to us that they did not buy from us, so we refunded the money to their card.

We have collected all the logs we have from the 5 minutes the account was active.

Ordered from IP: 82.129.167.171 and uploaded files from 203.210.247.133

Hmm, does sound like a problem. I think you did the right thing my cancelling the account

Yes, me to. One more chargeback avoided :)

We should have the topic changed to “Do not give hosting to citizensonline.us”
So other hosts can prevent being scammed, I’m just glad I caught it that soon and the card holder is now aware of a possible stolen card.

Today’s good deed is done.

If you want, create the topic in Web Hosting Forum as 'Fraud Alert - citizenonline.us' and then post your experience or issue that occured

good idea i didint think about that.

Good luck, hehe