I found this interesting. The usual FreshPorts logging indicated an unusual number of account creations in a short amount of time. So I went looking. I found one IP address had created 20 logins.
freshports.org=# SELECT ip_address, freshports.org-# count(ip_address) freshports.org-# FROM users freshports.org-# GROUP BY ip_address freshports.org-# ORDER BY 2 DESC freshports.org-# LIMIT 2; ip_address | count ---------------+------- 0.0.0.0 | 1203 95.211.27.210 | 38 (2 rows) freshports.org=#
Ignore that 0.0.0.0. That indicates a user which was created before the ip_address field was added to the table.
So…. what’s going on here?
freshports.org=# SELECT email,
freshports.org-# firstlogin
freshports.org-# FROM users
freshports.org-# WHERE ip_address = '95.211.27.210'
freshports.org-# ORDER BY 2 DESC;
email | firstlogin
-----------------------------+-------------------------------
pamelathorn@mail15.com | 2010-04-29 17:15:14.23305+01
barbarajackson@mail15.com | 2010-04-29 12:52:33.786686+01
barbarajackson@mail15.com | 2010-04-29 12:08:25.597785+01
elizabethmartin@mail15.com | 2010-04-29 11:04:21.886639+01
elizabethmartin@mail15.com | 2010-04-29 10:56:06.860984+01
elizabethmartin@mail15.com | 2010-04-29 10:20:51.615789+01
pamelathorn@mail15.com | 2010-04-29 10:00:03.366337+01
elizabethmartin@mail15.com | 2010-04-29 09:38:11.397616+01
elizabethmartin@mail15.com | 2010-04-29 09:26:49.760226+01
elizabethmartin@mail15.com | 2010-04-29 08:07:33.958235+01
pamelathorn@mail15.com | 2010-04-29 05:10:11.033442+01
pamelathorn@mail15.com | 2010-04-29 04:43:53.755426+01
jennifermartinez@mail15.com | 2010-04-29 04:26:49.43041+01
jennifermartinez@mail15.com | 2010-04-29 04:24:43.374981+01
jennifermartinez@mail15.com | 2010-04-29 01:47:24.950648+01
jennifermartinez@mail15.com | 2010-04-29 01:23:12.473853+01
jennifermartinez@mail15.com | 2010-04-29 01:14:24.086015+01
barbarajackson@mail15.com | 2010-04-29 01:10:49.826533+01
barbarajackson@mail15.com | 2010-04-29 00:47:02.95436+01
barbarajackson@mail15.com | 2010-04-28 22:52:17.371778+01
barbarajackson@mail15.com | 2010-04-28 22:02:52.512775+01
pamelathorn@mail15.com | 2010-04-28 21:20:53.972371+01
elizabethmartin@mail15.com | 2010-04-28 18:43:28.266215+01
pamelathorn@mail15.com | 2010-04-28 14:48:55.668841+01
barbarajackson@mail15.com | 2010-04-28 13:33:13.06128+01
barbarajackson@mail15.com | 2010-04-28 13:33:12.524171+01
barbarajackson@mail15.com | 2010-04-28 13:24:23.736056+01
elizabethmartin@mail15.com | 2010-04-28 11:03:50.452646+01
elizabethmartin@mail15.com | 2010-04-28 11:00:55.18447+01
barbarajackson@mail15.com | 2010-04-28 10:56:58.46371+01
pamelathorn@mail15.com | 2010-04-28 07:42:18.979039+01
barbarajackson@mail15.com | 2010-04-28 04:56:03.343899+01
pamelathorn@mail15.com | 2010-04-28 03:30:26.976301+01
jennifermartinez@mail15.com | 2010-04-28 02:46:50.949887+01
jennifermartinez@mail15.com | 2010-04-27 10:58:40.681218+01
jennifermartinez@mail15.com | 2010-04-27 10:45:52.53576+01
barbarajackson@mail15.com | 2010-04-27 06:54:22.046983+01
elizabethmartin@mail15.com | 2010-04-27 06:31:13.662795+01
(38 rows)
freshports.org=#
OK, so he’s doing this persistently. I sent him an email earlier. No reply. Shocking.
So his next attempt will redirect him to this page.