Need help tracking down a spammer on my boards
billyrad
10-16-06, 04:25 AM
I'm used to dealing with spam on my message boards http://spinalinjury.net/phpbb/index.php, usually just deleting the post and banning them. Never tried to report them and get their accounts closed. Until now! Someone posted almost a dozen (http://spinalinjury.net/phpbb/viewtopic.php?p=145&highlight=#145) different messages with a link to a site that infects the visitor with the JS/Nuvens virus. Now my antivirus program caught it, but unfortunately quite a few of my members were not so lucky. I promised I would get this guy.
I have his IP address, 217.81.184.130 which converts to pd951b882.dip0.t-ipconnect.de (is that his personal PC?) and the URL of the website. A whois search leads me to http://greatsitehosting.org/ which is a dead end!
Can someone help and tell me what else I can do to track down his ISP, hosting company, etc.? I'll do the work, just point me in the right direction.
TIA
gardensafari
10-16-06, 05:40 AM
My guess is that ipconnect is a German provider. The address is on their website:
Standleitungen.de
Abteilung ISP/Carrier
Kreuzsteinstrasse 2-6
95028 Hof Germany
Tel. in Germany:
09281-1400590
BTW Abteilung is department in English
To e-mail them you need to fill out a form, which is in German, but I think you'll figure it out. It is here http://ipconnect.de/kontakt-iptransit.php
Good Luck finding the rascal.
joshuamc
10-16-06, 10:57 AM
Are all of the IPs he uses the same? Any good spammer will spoof or use a proxy to hide their real IP and avoid being caught so you may not be able to do anything in the long run.
I see these sporadically on my forum, and registrations like this appear to be mostly automated. I'd be surprised if these don't end up coming in from compromised machines, which would make it challenging to find the real person behind this.
There are several changes you can make to your phpBB forums that might reduce the success rate of bots like this. Have a look at this thread over on phpBB.com for some discussion:
http://www.phpbb.com/phpBB/viewtopic.php?t=393503
billyrad
10-16-06, 09:56 PM
Are all of the IPs he uses the same? Any good spammer will spoof or use a proxy to hide their real IP and avoid being caught so you may not be able to do anything in the long run.
Yes, all of his posts came from the same IP address, 217.81.184.130
Builder
10-16-06, 10:59 PM
In your .htaccess file add:
Deny From 217.81.184.130
Doesn't undo any damage already done, but will keep this guy off your site.
Good luck,
Kevin
billyrad
10-17-06, 12:28 AM
There are several changes you can make to your phpBB forums that might reduce the success rate of bots like this. Have a look at this thread over on phpBB.com for some discussion:
http://www.phpbb.com/phpBB/viewtopic.php?t=393503
Thanks for the link. There are tons of mods out there I never knew about! I just installed EasyMOD, can you recommend any I should try?
TIA
I'm not running it myself, but a lot of people report good success with the "Antispam for all fields" mod on that page. It's marked as being a "beta", though.
tpoynton
10-17-06, 09:07 AM
For easily deleting users (and probably a few other things I just don't use), I am fond of the phpBB admin toolkit at http://starfoxtj.phpbbhelp.org/phpBB/toolkit/index.php . It also runs a 'security scan', which is amusing (I like green). It also installs quite easily.
wookiewarrior
10-23-06, 01:52 AM
I've been trying to track this douche bag down and came across this thread. Essentially, the guy has a bunch of .org domain names (dotfreeemail.org, freetechemail.org, etc) that all point to 66.36.243.98 (which doesn't resolve to anything). If you put any of those domain names in a browser, you get a stupid webpage with a graphic saying "you SUCK at the internet". That's the only way I know it's this guy.
Blocking the ip provided by billyrad may prevent him from posting but his registrations come from all over the place. I'm guessing that these are all hacked computers or he's spoofing his IP.
The abuse reporting address for that 66.x.x.x IP is abuse at hopone.net
billyrad
10-23-06, 12:11 PM
Blocking the ip provided by billyrad may prevent him from posting but his registrations come from all over the place. I'm guessing that these are all hacked computers or he's spoofing his IP.
You're probably right, but this prick just posted another 5 messages on my board all with the same link to a page that installs a virus (JS/Nuvens) on my visitors' PCs and I'm pissed! At least 4 had been infected in the 5 or 6 hours it was up before I caught it.
The majority of my members are severely disabled, and rely on their PCs as their only access to the outside world that their disability keeps them from. Most only have basic knowledge of computers, and probably have little protection. I'm trying to educate them, but it's not easy.
Now he may be spoofing his IP, but why can't we catch him thru the website he is posting?? I found a good site (http://www.nwtools.com) that has plenty of tools to help. Unfortunately, I'm just learning, and the tools and results are a bit confusing. I ran the domain and came up with this http://www.nwtools.com/default.asp?prog=express&host=bestdanitykane.info
Maybe someone can help me make sense of the results.
What do you mean by "catch him thru the website he is posting"?
Here are some things other forums use to discourage spammers:
- Don't allow posting of URLs until the user has some number of posts (at least 5)
- Require moderator approval of all new threads (as the PW forum does)
- Enforce some minimum time between posts
Unless you go to moderation of all posts, nothing is 100% effective.
billyrad
10-23-06, 06:34 PM
What do you mean by "catch him thru the website he is posting"?
Track down the hosting company and let them know he's using the site to spread a virus and close it down.
I'm working on installing some Mods to make it much harder for bots and spammers to post on the board. But meanwhile, at the very least, I want that site shut down.
Oh, now I see. If you PM me the domain names for the web sites, I'll look up the reporting info and send it to you. I can get this from Spamcop.net, but you need to be a subscriber (or at least get a free reporting account) to see it.
billyrad
10-23-06, 09:17 PM
Oh, now I see. If you PM me the domain names for the web sites, I'll look up the reporting info and send it to you.
Cool, check your inbox. Would the info I got from http://www.nwtools.com help?
http://www.nwtools.com/default.asp?prog=express&host=bestdanitykane.info
Ah, yes. The very end of that page has the info that I sent you.
wookiewarrior
11-7-06, 12:43 PM
Just to let you know, this guy has started using randomly generated DNS names to register his accounts. They all resolve and point to his email server: 209.160.65.49
Just a few of the ones I've seen:
piwpihrewipreh.org
rpfhwrihwiruhw432.org
The server is located in the US so it should be a trivial matter to get it shut down.
hardware
11-19-06, 07:03 PM
I run www.hardware-pacers.com, and my forum is www.hardware-pacers.com/forum
I have gotten at least one registration using a piwpihrewipreh.org email address. I received this registration today.
I am having to imagine it was not a bot that registered as I just installed the Stop Spambot Registration (http://www.phpbb.com/phpBB/catdb.php?cat=57) mod. I have not yet received any e-mail saying that a bot has tried to register yet, but I just installed the mod last night.
This mod will not allow a registering user to input any additional info, just username, password and e-mail. If anything else is entered, registration fails.
From what I understand, most bots try to auto fill in the items that are not allowed by this mod.
Users can enter additional info after the registration is complete.
Please keep us updated on your progress and let me know if I can help by supplying you with info.
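
The checks described in this thread (registration fails if anything beyond username, password and e-mail is filled in; no URLs until an account has 5 posts; a minimum time between posts), as an added example that is not part of any post here and is not the code of phpBB or of the Stop Spambot Registration mod. Function names, field names and the 60-second gap are assumptions; the sample input is constructed.

```php
<?php
// Added illustration; not phpBB or mod code. Names and thresholds are assumptions,
// except the 5-post URL threshold, which comes from the thread.
const MIN_POSTS_FOR_URLS = 5;          // from the thread: "at least 5"
const MIN_SECONDS_BETWEEN_POSTS = 60;  // assumed value; the thread gives no number
const REQUIRED_FIELDS = ['username', 'password', 'email'];

// Registration check: fail if anything beyond the three required fields is filled in.
function check_registration(array $form): array
{
    $reasons = [];
    foreach (REQUIRED_FIELDS as $name) {
        if (trim((string)($form[$name] ?? '')) === '') {
            $reasons[] = "missing required field: $name";
        }
    }
    foreach ($form as $name => $value) {
        if (!in_array($name, REQUIRED_FIELDS, true) && trim((string)$value) !== '') {
            $reasons[] = "optional field filled at registration: $name";
        }
    }
    return $reasons;   // empty array means the registration is accepted
}

// Posting check: no URLs before MIN_POSTS_FOR_URLS posts, and a minimum gap between posts.
function check_post(array $user, string $body, int $now): array
{
    $reasons = [];
    // Matches http(s):// and www. links only; bare domains are not detected.
    $hasUrl = preg_match('~(?:https?://|www\.)\S+~i', $body) === 1;
    if ($hasUrl && $user['post_count'] < MIN_POSTS_FOR_URLS) {
        $reasons[] = 'URL in post from account with fewer than ' . MIN_POSTS_FOR_URLS . ' posts';
    }
    if ($user['last_post_time'] !== null
        && $now - $user['last_post_time'] < MIN_SECONDS_BETWEEN_POSTS) {
        $reasons[] = 'posted too soon after previous post';
    }
    return $reasons;
}

// Constructed sample input (not taken from any real forum log).
$bot   = ['username' => 'x1', 'password' => 'pw', 'email' => 'a@example.org',
          'website' => 'http://example.org/', 'signature' => 'visit my site'];
$human = ['username' => 'sam', 'password' => 'pw', 'email' => 'sam@example.org',
          'website' => '', 'signature' => ''];
print_r(check_registration($bot));    // two reasons: website and signature were filled in
print_r(check_registration($human));  // empty: accepted
$newUser = ['post_count' => 0, 'last_post_time' => 1000];
print_r(check_post($newUser, 'Look at http://example.org/page', 1010)); // both rules trip
```
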
ChaosKaizer
11-20-06, 07:34 AM
Try this spam profiler; it will trace spam & extractor bots based on UA.
http://www.homelandstupidity.us/software/bad-behavior/