Web Hosting Talk

Disney? Say it isn't so.


2Grumpy
04-24-2002, 12:29 PM
OK here's how it went down.

Guy signs up for an internet account yesterday, pays with 2checkout, I set him up.

Logs in and checks his email and uploads some images with FTP:
secure:Apr 23 21:48:31 www in.proftpd[16215]: connect from 168.205.4.121
secure:Apr 23 21:48:34 www proftpd[16215]: 216.40.203.11 (168.205.4.121[168.205.4.121]) - USER reno332: Login successful.
secure:Apr 23 22:04:53 www in.proftpd[17768]: connect from 168.205.4.121
secure:Apr 23 22:04:55 www proftpd[17768]: 216.40.203.11 (168.205.4.121[168.205.4.121]) - USER reno332: Login successful.
secure:Apr 23 22:19:01 www in.proftpd[19806]: connect from 168.205.4.121
secure:Apr 23 22:19:02 www proftpd[19806]: 216.40.203.11 (168.205.4.121[168.205.4.121]) - USER reno332: Login successful.
secure:Apr 23 22:58:53 www in.proftpd[27369]: connect from 168.205.4.121
secure:Apr 23 22:58:58 www proftpd[27369]: 216.40.203.11 (168.205.4.121[168.205.4.121]) - USER reno332: Login successful.
secure:Apr 23 23:01:36 www in.proftpd[27873]: connect from 168.205.4.121
secure:Apr 23 23:01:39 www proftpd[27873]: 216.40.203.11 (168.205.4.121[168.205.4.121]) - USER reno332: Login successful.
secure:Apr 23 23:02:28 www in.proftpd[27972]: connect from 168.205.4.121
secure:Apr 23 23:02:29 www proftpd[27972]: 216.40.203.11 (168.205.4.121[168.205.4.121]) - USER reno332: Login successful.
secure:Apr 23 23:25:12 www in.qpopper[32375]: connect from 168.205.4.121
Tue Apr 23 21:48:57 2002 0 168.205.4.121 7964 /home/sites/home/users/reno332/web/PICS/CONGRAT.jpg b _ o r reno332 ftp 0 * c
Tue Apr 23 21:48:59 2002 1 168.205.4.121 208399 /home/sites/home/users/reno332/web/PICS/Untitled-1.psd b _ o r reno332 ftp 0 * c
Tue Apr 23 21:49:00 2002 1 168.205.4.121 156993 /home/sites/home/users/reno332/web/PICS/Untitled-2.psd b _ o r reno332 ftp 0 * c
Tue Apr 23 21:49:04 2002 3 168.205.4.121 438931 /home/sites/home/users/reno332/web/PICS/Untitled-3.psd b _ o r reno332 ftp 0 * c
Tue Apr 23 21:49:05 2002 0 168.205.4.121 2808 /home/sites/home/users/reno332/web/PICS/WS_FTP.LOG b _ o r reno332 ftp 0 * c
Tue Apr 23 21:49:05 2002 0 168.205.4.121 9836 /home/sites/home/users/reno332/web/PICS/beach.jpg b _ o r reno332 ftp 0 * c
Tue Apr 23 21:49:06 2002 0 168.205.4.121 18450 /home/sites/home/users/reno332/web/PICS/disney.jpg b _ o r reno332 ftp 0 * c
Tue Apr 23 21:49:06 2002 0 168.205.4.121 14405 /home/sites/home/users/reno332/web/PICS/ramada.jpg b _ o r reno332 ftp 0 * c
Tue Apr 23 21:49:07 2002 0 168.205.4.121 1440 /home/sites/home/users/reno332/web/PICS/strip.gif b _ o r reno332 ftp 0 * c
Tue Apr 23 21:49:07 2002 0 168.205.4.121 9848 /home/sites/home/users/reno332/web/PICS/strip.jpg b _ o r reno332 ftp 0 * c
Tue Apr 23 21:49:09 2002 0 168.205.4.121 4757 /home/sites/home/users/reno332/web/index.htm b _ o r reno332 ftp 0 * c
Tue Apr 23 21:49:10 2002 0 168.205.4.121 5825 /home/sites/home/users/reno332/web/index2.htm b _ o r reno332 ftp 0 * c
Tue Apr 23 22:04:56 2002 0 168.205.4.121 6480 /home/sites/home/users/reno332/web/indextest.htm b _ i r reno332 ftp 0 * c
Tue Apr 23 22:19:03 2002 0 168.205.4.121 4075 /home/sites/home/users/reno332/web/testpage.htm b _ i r reno332 ftp 0 * c
Tue Apr 23 22:59:11 2002 0 168.205.4.121 7035 /home/sites/home/users/reno332/web/index.htm b _ o r reno332 ftp 0 * c
Tue Apr 23 23:02:08 2002 0 168.205.4.121 0 /home/sites/home/users/reno332/web/DWDDXX1.DDD a _ d r reno332 ftp 0 * c


Notice the failed attempts TODAY from this IP (he's long gone as of last night of course):

secure:Apr 24 08:56:50 www in.proftpd[7941]: connect from 168.205.4.121
messages:Apr 24 08:56:50 www proftpd[7941]: 216.40.203.11 (168.205.4.121[168.205.4.121]) - no such user 'reno332'
messages:Apr 24 08:56:50 www proftpd[7941]: 216.40.203.11 (168.205.4.121[168.205.4.121]) - USER reno332 (Login failed): Can't find user.
messages:Apr 24 08:56:51 www proftpd[7941]: 216.40.203.11 (168.205.4.121[168.205.4.121]) - FTP session closed.

Ok, nothing weird there, eh?
[root log]# grep reno332 maillog | wc -l
33815
[root log]# grep reno332 maillog.1 | wc -l
11264

The thing is, he didn't send the spam through my server, he sent (at least some of it) through the smtp server on the dialup connection (smtp.dixiesys.com a CNAME for smtp.safepages.com). These are the BOUNCES and MSG RECEIVED emails FROM that spam (so he sent at least 10 times this many messages and trust me this is STILL coming in so fast that just these bounces have my mail server on its knees).

Hmm let's check the web server logs, gotta do the error (file not found) and the access logs, plus the .1 logs since logs rotated:
[root httpd]# grep reno332 error.1 | wc -l
1237
[root httpd]# grep reno332 error | wc -l
21373
[root httpd]# grep reno332 access | wc -l
126284
[root httpd]# grep reno332 access.1 | wc -l
24277

This started after midnight folks...

Ok, major spammer.

Let's see who this IP belongs to, time to complain....

[root httpd]# whois 168.205.4.121
Disney Worldwide Services, INC (NET-DISNEY-CELEB)
200 Celebration Place #110
Celebration, FL 34747
US

Netname: DISNEY-CELEB
Netblock: 168.205.0.0 - 168.205.255.255

Coordinator:
Navarro, Michelle (MN52-ARIN) severina@AO.NET
(407) 566-1226

Domain System inverse mapping provided by:

NS.CELEBRATION.FL.US 168.205.254.1
NS2.CELEBRATION.FL.US 168.205.254.2

Record last updated on 17-Nov-1998.
Database last updated on 23-Apr-2002 19:59:40 EDT.


Am I seeing things or is this not a Disney owned IP address?
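The transfer log quoted in the post above is in xferlog format, and grep counts alone do not show what each transfer was. As an added example (not part of the original post), this parser decodes the direction column (i = upload to the server, o = download from it, d = delete) and totals files and bytes per source host for one account; the function names are illustrative and the sample lines are copied from the post.

```python
from collections import defaultdict
from datetime import datetime

# Meaning of the single-letter direction field in the xferlog format.
DIRECTION = {"i": "upload", "o": "download", "d": "delete"}

# Sample lines copied from the xferlog excerpt in the post above.
SAMPLE = """\
Tue Apr 23 21:49:06 2002 0 168.205.4.121 18450 /home/sites/home/users/reno332/web/PICS/disney.jpg b _ o r reno332 ftp 0 * c
Tue Apr 23 22:04:56 2002 0 168.205.4.121 6480 /home/sites/home/users/reno332/web/indextest.htm b _ i r reno332 ftp 0 * c
Tue Apr 23 22:19:03 2002 0 168.205.4.121 4075 /home/sites/home/users/reno332/web/testpage.htm b _ i r reno332 ftp 0 * c
Tue Apr 23 23:02:08 2002 0 168.205.4.121 0 /home/sites/home/users/reno332/web/DWDDXX1.DDD a _ d r reno332 ftp 0 * c
"""

def parse_xferlog_line(line):
    """Return a dict for one xferlog line, or None if it is malformed."""
    tok = line.split()
    if len(tok) < 18:  # 5 date tokens + 3 fields + filename + 9 trailing fields
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        secs, size = int(tok[5]), int(tok[7])
    except ValueError:
        return None
    # Take the fixed fields from both ends so that a filename containing
    # spaces (everything between them) cannot shift the columns.
    ttype, _flag, direction, mode, user, service, _auth, _authid, status = tok[-9:]
    return {"time": when, "seconds": secs, "host": tok[6], "bytes": size,
            "path": " ".join(tok[8:-9]), "type": ttype,
            "direction": DIRECTION.get(direction, direction),
            "mode": mode, "user": user, "service": service,
            "complete": status == "c"}

def summarize(lines, user):
    """Per (host, direction) file count and byte total for one account."""
    out = defaultdict(lambda: {"files": 0, "bytes": 0})
    for rec in filter(None, map(parse_xferlog_line, lines)):
        if rec["user"] == user:
            key = (rec["host"], rec["direction"])
            out[key]["files"] += 1
            out[key]["bytes"] += rec["bytes"]
    return dict(out)

if __name__ == "__main__":
    totals = summarize(SAMPLE.splitlines(), "reno332")
    for (host, direction), t in sorted(totals.items()):
        print(f"{host:15} {direction:8} files={t['files']} bytes={t['bytes']}")
```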

Vex
04-24-2002, 12:37 PM
I live in Florida and Celebration is just a town.. maybe Disney owns that town and they have their own ISP in there? Don't really know about that other than I went there a couple times. I would suggest going straight up to Disney and asking them.

HostingDirect
04-24-2002, 12:40 PM
Celebration is Disney's planned (and wired) community and I'll bet this is the ISP service they offer to all of the residents in the community. I am assuming one of the Celebration residents is doing this.

Vex
04-24-2002, 12:41 PM
Thanks that is better explained :D

cbaker17
04-24-2002, 12:42 PM
I believe there is a resort community Disney owns, it's like a small town, it's prewired for high speed inet access and all the works, very exclusive, I do believe its name might have been Celebrations.

Vex
04-24-2002, 12:44 PM
Yeah, its name is Celebration, cbaker, I was thinking of moving in there (and still am) for a while since it was so nice.

2Grumpy
04-24-2002, 12:46 PM
Man I'm too tired.

I left out the best part.

HERE IS THE SPAM (text version)
Congradulations

You have been pre selected to join us for Disneys 100th Anniversary !

This is a limited time offer. Call 800-531-5690 CONFIRMATION #419

4 days 3 nights Orlando a $754.00 value

2 passes to Disney a $110.00 value

2 Sterling passes $50.00 value

Entertainment booklet $500.00 value

TOTAL VALUE OF THIS PACKAGE ALONE IS $1,414 BUT THERE IS MORE!!!

3 days 2 nights Ft. Lauderdale $454.00 value

2 Sun Cruz passes $50.00 value

2 days 3 nights Las Vegas $240.00 value

Retail Price $1658.00 value

Your invitational price of only $174.00(pp based on double occupancy) Covers up

to 4 people !!

Limited Availability Call Now to join us in our Celebration! Call 800-531-5690

CONFIRMATION #419



YOU HAVE RECEIVED THIS E-MAIL BECAUSE, AS A MEMBER OF RR TRAVEL, YOU MAY

OCCASIONALLY RECEIVED SPECIAL OFFERS FROM US. TO UNSUBSCRIBE FROM THESE "SPECIAL

OFFERS", EMAIL US AT JVCTN@NETSCAPE.NET.


SPAM FOR DISNEY'S 100th ANNIVERSARY HAHAHAHAHAHAHAHA

I'd be mad but this is almost surreal :D

Vex
04-24-2002, 12:50 PM
OFFERS, EMAIL US AT JVCTN@NETSCAPE.NET

If it was someone from Disney I would think that would be a Disney e-mail address instead of Netscape... maybe it is just some kid from the town Celebration trying to cheat people into money since he knew that if he was traced it would look like a Disney owned IP.

2Grumpy
04-24-2002, 12:52 PM
Probably, maybe they'll yank the broadband outta his house and piss his parents off :)

Vex
04-24-2002, 12:54 PM
Haha that would be funny :) I would contact Disney about this.. maybe they should tell the clients of Celebration Internet about this activity and add some terms to their agreements?

DesElms
04-24-2002, 01:01 PM
Celebration is, indeed, a little town -- a planned community near Kissimmee on the south side of the DisneyWorld complex. Disney built the town and owns it, in effect. It has a little town square that's actually kinda' nice -- but very Disney-like. A police station. A fire station. A town hall. The works. There are a variety of different home styles, but it's mostly townhomes (narrow, two- or three-story). It's very, very clean -- almost sterile. Too planned for me, but many people like it.

Every home is wired (though it may or may not be turned on in each home) for the Internet using the "DISNEY-CELEB" netblock.

Your spammer is either a Celebration resident (unlikely) or a guest in one of its homes (more likely). Maybe a Celebration resident has a friend staying with them who is a rule-breaker by nature -- something that won't fly for long in a buttoned-down, almost frighteningly calm place like Celebration. Or, who knows, maybe your spammer really is a resident of Celebration. We keep wanting our spammers to be dark, drooling little gremlin types who are unfit for society when, in fact, they're increasingly otherwise respectable citizens who are able to see a place like Celebration as a community, but not the Internet.

Or perhaps Disney is leasing some of the homes as timeshares or something; or maybe it's using some of its IP block in one or more of its hotels or resorts.

An email to the admin of the block might get you some answers.

Vex
04-24-2002, 01:05 PM
You don't like the houses there? Wow, I thought everyone did :) The community is great and I like the shops and such.. I didn't see one thing about Disney (The characters) either (That is a plus). About a year from now I plan on living there.


Anyways, back on topic. There are computers there that are on and open to the public - this may be true it is a guest there. But what are the chances of him being there long enough to store files from that computer onto the server? Let alone having the files on that computer in the first place unless he took the time to download it from an e-mail address or something.

Just to make sure, like he said, I would contact the administrator of the block to be safe and to see what is going on.

9onlinehost
04-24-2002, 01:12 PM
I wouldn't be surprised if it was Disney after watching all those indictments against them last year and the things they are involved in; nothing much else is left to question for me.

DesElms
04-24-2002, 01:20 PM
Originally posted by Vex
You don't like the houses there? Wow, I thought everyone did :) The community is great and I like the shops and such.. I didn't see one thing about Disney (The characters) either (That is a plus). About a year from now I plan on living there.

I didn't mean to be so harsh. Indeed there are some very beautiful homes there. And high quality, too, I might add... no cheap stuff. But the whole planned community thing just rubs me the wrong way. It's a personal preference. I hate gated communities, too. They contribute to urban sprawl; they rob cities of resources, a tax base, and community-minded citizens; and the communities themselves are usually downright oppressive in their zeal to encourage conformance.

All that having been said, Celebration does it about as well as anyone, I guess. Just be careful. Disney can be a much scarier organization than one might think. The money it brings to the state has caused lawmakers and others in state government to look the other way as it flat-out ignored the law many times over the years. It's almost a country unto its own; almost a sovereign nation. It's impossible to fight them on any level. If you have a problem with them, as a resident of Celebration I wonder what kind of recourse you would actually have. It's the essence of Big Brother.

You must not be a native Floridian. Natives tend to hate Disney and all that it stands for -- unless, of course, they own a motel or concession nearby. Even then, it's often a love/hate relationship at best.

Originally posted by Vex
Anyways, back on topic.

Indeed. Me, too. Sorry.

Originally posted by Vex
There are computers there that are on and open to the public - this may be true it is a guest there. But what are the chances of him being there long enough to store files from that computer onto the server? Let alone having the files on that computer in the first place unless he took the time to download it from an e-mail address or something.

All he'd need is a connection for his laptop. You apparently know Celebration better than I, now (I haven't been there in at least three years). Is there an Internet Cafe in the downtown area with a wireless Ethernet connection for laptop owners? That would do it.

Vex
04-24-2002, 01:24 PM
You must not be a native Floridian.

I am, I just don't mind it that much because I don't go hardly any.. mostly Universal and Islands of Adventure here.. :)

Is there an Internet Cafe in the downtown area with a wireless Ethernet connection for laptop owners?

When I was there, there wasn't one.. but who knows they might have added one?

Shannon
04-24-2002, 02:58 PM
Somebody in Celebration has been compromised and their machine is now running an open proxy that your spammer knows about. ;)

Just a possibility..... but then again the odds of a spammer who's looking to spam people ABOUT disney just HAPPENING to know of an open proxy in the celeb-netblock is well... extremely slim. :)

SI-Chris
04-24-2002, 06:44 PM
Originally posted by Dixiesys
Congradulations

You have been pre selected to join us for Disneys 100th Anniversary !

This is a limited time offer. Call 800-531-5690 CONFIRMATION #419

...
Sounds like the same person who sends me junk faxes all the time.

gnorthey00
04-24-2002, 09:25 PM
We need an anti-spam law. This would work like the fax ad law. If you get spam, you can claim $500 from the company. (This assumes you can track them). Until then, I'm just gonna keep the evil spammers from my email account.

MilkMan
04-24-2002, 10:26 PM
Originally posted by Dixiesys
CONFIRMATION #419

That's a salesman/affiliate ID. Some ahole is trying to make some money, hope you LART him good

AcuNett
04-24-2002, 10:40 PM
Hey do me a favor and ask him for a free ticket for me will ya? :D