Just a heads up. This person paid for a server using very legitimate looking information that got through all levels of fraud screening.

After his server was set up (Windows 2000/2003 Server was the requested OS) he installed a proxy server, CCProxy, and used it to send about 1 GB worth of spam worms/viruses. He denies it, but the spam started minutes after the log shows him installing CCProxy (which was limited to certain IP addresses; it was not an open proxy).

Server at Servepath from which he signed up: 69.59.173.44
Server at Rackspace hosting his email: 64.39.18.147

IP addresses listed in the proxy software (probably the originating spam hosts):

24.234.124.226 (Cox Cable in Las Vegas - could be the user's home computer)
217.75.7.2 (Ireland)
71.32.40.193 (Arizona)
209.34.233.116 (Florida)
Tarpon Coast Technology P10-D122-E970-28 (NET-209-34-233-112-1)
209.34.233.112 - 209.34.233.127
(Possibly a hacked server or a front for the spam operation)

Domain hosting his email:
Domain Name: FIRST-GENEVA.COM

Created on..............: Mon, Feb 04, 2002
Expires on..............: Fri, Feb 04, 2011
Record last updated on..: Tue, Mar 22, 2005

Administrative Contact:
First Geneva Limited
Edviges Correia
Siemens House, 4F
Cork,
IE
Phone: +353214861415
Fax..: +353214861336
Email: info@first-geneva.com

His information:

arthur@first-geneva.com
415-244-3484
Arthur Ware
Address: 18 clipper st
San Francisco, CA 94114

Example spam:
Code:

You can now get $325,000 for as little as $705 a month!
We realize many homeowners struggle and that makes it difficult
to maintain good crrreeedit. But we specialize in poor crrreeeeedit cases- helping you
to refiance even with poor crrrreeeedit, helping you lower your monthly
burden and build back your credit.
You will receive the lowest rate possible in your special circumstance
You can fill out this quick form and be approved within 24 hours:
http://save-monthlyz.org/1093
Alright..,
Patrick Deleon
From Patrick.Del...@proaxis.net Sun Jan 22 01:20:50 2006
Received: from ****************** (****************** [***************])
    by **********.********* (8.11.3/***/8.11.2) with ESMTP id k0M1Ko414803
    for <*****************************>; Sun, 22 Jan 2006 01:20:50 GMT
X-Envelope-From: Patrick.Del...@proaxis.net
Received: from proaxis.net (la04-41.proaxis.net [198.145.252.41] (may be forged))
    by ****************** (8.13.4/***/8.13.4) with ESMTP id k0M1Gqec016665;
    Sun, 22 Jan 2006 01:17:39 GMT
Date: Sat, 21 Jan 2006 20:17:41 -0500
Subject: Top Notch Opportunity with ease
Reply-To: Patrick Deleon <Patrick.Del...@proaxis.net>
X-Mailer: Danger Service
X-Danger-Send-Id: AAASayPCrxEAAYan
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="iso-8859-1"; format="flowed"
To: "Larry" <garyt@*******************>, <wallm@*******************>,
 <isaaca@*******************>, <arkon@*******************>,
 <**************************>, <crownwoods@*******************>,
 <ada@*******************>, <skap@*******************>,
 <scampbell@*******************>, <christopher@*******************>,
 <nburgoyne@*******************>, <gwilliamsh@*******************>,
 <eggpie@*******************>
Mime-Version: 1.0
From: Patrick Deleon <Patrick.Del...@proaxis.net>
Message-Id: <1132215864.1015708U@dy11.dngr.org>
Apparently-To: **************************


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2802" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hello,<P><BR>
You can now get $325,000 for as little as $705 a month!<P>
We realize many homeowners struggle and that makes it difficult<P>
to maintain good crrreeedit. But we specialize in poor crrreeeeedit cases- =
helping you<P>
to refiance even with poor crrrreeeedit, helping you lower your monthly<P> =


burden and build back your credit.<P>
You will receive the lowest rate possible in your special =
circumstance<BR><P>
You can fill out this quick form and be approved within 24 hours:<BR><P>
<a =
href=3D"http://save-monthlyz.org/1093">http://save-monthlyz.org/1093</a><BR=

><P>

Alright..,<P>
Patrick Deleon</BR></P>
</FONT></DIV>
<DIV>&nbsp;</DIV></BODY></HTML>
Example Worm:

Code:
*** ENVELOPE RECORDS ./5ACD8FA7A ***
message_size: 3412 846 14
arrival_time: Sun Jan 22 07:07:13 2006
sender: bdadoyamb@hotmail.com
named attribute: client_name=unknown
named attribute: client_address=198.145.252.41
named attribute: message_origin=unknown[198.145.252.41]
named attribute: helo_name=proaxis.net
named attribute: protocol_name=ESMTP
original recipient: connellyerin@aol.com
recipient: connellyerin@aol.com
original recipient: connellyethel@aol.com
recipient: connellyethel@aol.com
original recipient: connellyfam6@aol.com
recipient: connellyfam6@aol.com
original recipient: connellyfam@aol.com
recipient: connellyfam@aol.com
original recipient: connellyfc1@aol.com
recipient: connellyfc1@aol.com
original recipient: connellyg@aol.com
recipient: connellyg@aol.com
original recipient: connellygardens@aol.com
recipient: connellygardens@aol.com
original recipient: connellyggrm@aol.com
recipient: connellyggrm@aol.com
original recipient: connellyhmc@aol.com
recipient: connellyhmc@aol.com
original recipient: connellyhn@aol.com
recipient: connellyhn@aol.com
original recipient: connellyhp@aol.com
recipient: connellyhp@aol.com
original recipient: connellyi@aol.com
recipient: connellyi@aol.com
original recipient: connellyin@aol.com
recipient: connellyin@aol.com
original recipient: connellyinc@aol.com
recipient: connellyinc@aol.com
defer_warn_time: Mon Jan 23 07:07:13 2006
*** MESSAGE CONTENTS ./5ACD8FA7A ***
Received: from proaxis.net (unknown [198.145.252.41])
by mx12.pacifier.net (Postfix) with ESMTP
id 5ACD8FA7A; Sun, 22 Jan 2006 07:07:13 -0800 (PST)
Received: from unknown (HELO qnx.mdrost.com) (118.157.101.237)
by rsmail.alkoholic.net with ASMTP; Sun, 22 Jan 2006 08:48:20 +0600
Received: from unknown (119.137.171.156)
by relay-x.misswldrs.com with SMTP; Sun, 22 Jan 2006 02:39:48 +1200
Received: from mail.naihautsui.co.kr ([11.28.74.119])
by qnx.mdrost.com with LOCAL; Sun, 22 Jan 2006 19:21:06 -0500
Received: from [123.120.244.90] by smtp.doneohx.com with SMTP; Mon, 23 Jan 2006 00:09:09 -1000
Message-ID: <6155FE72.89ED95A@hotmail.com>
Date: Mon, 23 Jan 2006 00:06:21 -1000
From: <bdadoyamb@hotmail.com>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.5) Gecko/20031013 Thunderbird/0.3
MIME-Version: 1.0
To: "cc" <connellyerin@aol.com>
Cc: <connellyethel@aol.com>, <connellyfam6@aol.com>,
<connellyfam@aol.com>, <connellyfc1@aol.com>, <connellyg@aol.com>,
<connellygardens@aol.com>, <connellyggrm@aol.com>,
<connellyhmc@aol.com>, <connellyhn@aol.com>, <connellyhp@aol.com>,
<connellyi@aol.com>, <connellyin@aol.com>, <connellyinc@aol.com>
Subject: Impact Equ-ity Report
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: base64

*** HEADER EXTRACTED ./5ACD8FA7A ***
return_receipt:
errors_to: bdadoyamb@hotmail.com
*** MESSAGE FILE END ./5ACD8FA7A ***
I hope this information can help to stop this spammer and save other hosting companies time, money, and resources.

-Jon
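As an added example (not part of Jon's post), the following Python audits the Received chain of the worm sample above the way a mail admin would when deciding which hop to report: only the top header, written by the receiving MX, can be trusted, and any earlier hop stamped after that arrival time was fabricated by the sender. The header text is copied from the post with RFC 5322 folding whitespace restored on the continuation lines.

```python
"""Audit the Received chain of the worm sample: only the top hop, written by
our own MX, is trustworthy; no earlier hop can be stamped after that arrival."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received headers copied from the worm sample in the post (folding whitespace
# restored on continuation lines so the stdlib parser can unfold them).
SAMPLE_HEADERS = """\
Received: from proaxis.net (unknown [198.145.252.41])
 by mx12.pacifier.net (Postfix) with ESMTP
 id 5ACD8FA7A; Sun, 22 Jan 2006 07:07:13 -0800 (PST)
Received: from unknown (HELO qnx.mdrost.com) (118.157.101.237)
 by rsmail.alkoholic.net with ASMTP; Sun, 22 Jan 2006 08:48:20 +0600
Received: from unknown (119.137.171.156)
 by relay-x.misswldrs.com with SMTP; Sun, 22 Jan 2006 02:39:48 +1200
Received: from mail.naihautsui.co.kr ([11.28.74.119])
 by qnx.mdrost.com with LOCAL; Sun, 22 Jan 2006 19:21:06 -0500
Received: from [123.120.244.90] by smtp.doneohx.com with SMTP; Mon, 23 Jan 2006 00:09:09 -1000

"""
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_hop(value):
    """Split one Received value into (source IP, receiving host, aware datetime)."""
    value = " ".join(value.split())                # unfold continuation lines
    clause, _, stamp = value.rpartition(";")       # timestamp follows the last ';'
    stamp = re.sub(r"\(.*?\)", "", stamp).strip()  # drop comments such as (PST)
    from_part, _, by_part = clause.partition(" by ")
    ip = IPV4.search(from_part)
    host = by_part.split()[0] if by_part else None
    return (ip.group(0) if ip else None, host, parsedate_to_datetime(stamp))


def audit_received_chain(raw_headers):
    """Return the only trustworthy source IP plus the IPs of hops whose
    timestamps postdate our MX's arrival time, which a genuine relay cannot do."""
    msg = message_from_string(raw_headers)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    trusted_ip, our_mx, arrival = hops[0]          # stamped by our own MX
    forged = [ip for ip, _, when in hops[1:] if when > arrival]
    return {"trusted_source": trusted_ip, "our_mx": our_mx,
            "arrival_utc": arrival.astimezone(timezone.utc).isoformat(),
            "hops": len(hops), "stamped_after_arrival": forged}


if __name__ == "__main__":
    print(audit_received_chain(SAMPLE_HEADERS))
```

For this sample the only IP worth reporting is 198.145.252.41 (the CCProxy host), while the two bottom hops carry timestamps hours after mx12.pacifier.net accepted the message and can be dismissed as forged.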