TFBW's Forum

Discuss
It is currently Mon Oct 23, 2017 6:22 am

All times are UTC




Post new topic Reply to topic  [ 51 posts ]  Go to page 1, 2, 3  Next
Author Message
 Post subject: Widespread and Systematic Forum Abuse (Forum Spam)
PostPosted: Sat Sep 30, 2006 9:06 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
Set up a forum like this, and it soon becomes apparent that email isn't the only Internet communications medium suffering under a load of abuse. Although this forum has less than one post per day on average at this time -- and nearly all of that activity originates with me -- I see dozens of obviously non-interactive attempts to "post bills", as it were.

This is no longer a practical concern for me, as I've found a very good way of disabling the spammers -- for now at least -- without compromising the general ability to use the forum in its intended manner. That technique is documented at the following address.

http://www.tfbw.com/archives/20

The fact that the abuse itself no longer has me scurrying about and cleaning up the mess gives me time to look at the patterns of abuse. For as long as it continues to interest me, I'll post bits and pieces of my Apache logfile (or summarised extracts thereof) which illustrate relatively interesting patterns of abuse.


Top
 Profile  
 
 Post subject: Sequential zombies
PostPosted: Sat Sep 30, 2006 10:03 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
Here's a technique I've seen used in spammer attempts to deliver email. Because spam sources tend to get blocked by address fairly quickly, a spammer will make a series of attempts from different addresses under his control -- usually third party computers which have been compromised. In this case, a spammer leaves a conspicuous trail of POST attempts from a series of thirteen distinct hosts in less than thirty seconds. All are blocked by my countermeasures.

216.32.84.58 - - [29/Sep/2006:16:14:16 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.117 - - [29/Sep/2006:16:14:17 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.232.67.242 - - [29/Sep/2006:16:14:17 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.232.67.243 - - [29/Sep/2006:16:14:17 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.116 - - [29/Sep/2006:16:14:22 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
211.141.77.194 - - [29/Sep/2006:16:14:32 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.115 - - [29/Sep/2006:16:14:35 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.32.84.60 - - [29/Sep/2006:16:14:35 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.32.84.62 - - [29/Sep/2006:16:14:36 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.118 - - [29/Sep/2006:16:14:36 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.114 - - [29/Sep/2006:16:14:36 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
202.101.6.85 - - [29/Sep/2006:16:14:37 -0700] "POST /posting.php HTTP/1.1" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.32.84.61 - - [29/Sep/2006:16:14:37 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


Top
 Profile  
 
 Post subject:
PostPosted: Mon Oct 23, 2006 10:34 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
What's this? Someone in Germany either trying things with different browsers, or just seeing whether my countermeasures are specific to a particular user-agent string, I'd say. The answer is no -- the key ingredients are Javascript and cookies. If you have both of those, you can post.

84.63.121.194 - - [22/Oct/2006:02:56:39 -0700] "POST /login.php HTTP/1.1" 403 1048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20050519 Netscape/8.0.1"
84.63.121.194 - - [22/Oct/2006:02:56:42 -0700] "POST /login.php HTTP/1.1" 403 1048 "-" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.1 (like Gecko)"
84.63.121.194 - - [22/Oct/2006:03:03:41 -0700] "POST /profile.php HTTP/1.1" 403 1048 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412"


Top
 Profile  
 
 Post subject:
PostPosted: Wed Oct 25, 2006 3:49 pm 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
Greetings from the Dominican Republic! A glance at my access logs shows a host at 200.88.223.98 (tdev223-98.codetel.net.do, in the Dominican Republic) that has been trying to post on my forum approximately once every 25 minutes since a day ago or so. Here are the first few hits.

200.88.223.98 - - [24/Oct/2006:00:44:26 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:01:08:45 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:01:32:40 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:01:56:53 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:02:21:14 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"

There are seventy such POST attempts at this stage, and it still appears to be on-going. I doubt that this is the worst offender, though. According to my stats page, the host at 209.249.11.4 (in the USA) is responsible for more than [b]one third[/b] of my total forum traffic so far this month! Not that I noticed it, mind you.


Top
 Profile  
 
 Post subject: What's a WebaltBot?
PostPosted: Sat Nov 04, 2006 3:05 pm 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
Something with a distinctive identifier of "WebaltBot" has been probing at my forum. The entire user agent string is "Mozilla/5.0 compatible WebaltBot/1.00 (i686-pc-linux)". Here's a sample of what it's been up to, minus the repetitive user agent string and "referer" URLs to save space.

72.232.83.90 - - [03/Nov/2006:00:36:27 -0800] "GET /posting.php?mode=reply&t=7 HTTP/1.1" 200 41905
72.232.83.90 - - [03/Nov/2006:00:36:27 -0800] "GET /posting.php?mode=reply&t=9 HTTP/1.1" 200 40446
59.94.104.60 - - [03/Nov/2006:00:36:35 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
211.119.72.77 - - [03/Nov/2006:00:36:38 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
221.149.83.165 - - [03/Nov/2006:00:36:39 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
83.69.97.142 - - [03/Nov/2006:00:36:40 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1487
217.216.170.234 - - [03/Nov/2006:00:36:44 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1449
61.95.218.114 - - [03/Nov/2006:00:36:53 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
86.138.16.181 - - [03/Nov/2006:00:36:57 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1449
72.232.83.98 - - [04/Nov/2006:00:35:36 -0800] "GET /posting.php?mode=reply&t=9 HTTP/1.1" 200 40447
72.232.83.98 - - [04/Nov/2006:00:35:36 -0800] "GET /posting.php?mode=reply&t=7 HTTP/1.1" 200 41888
218.123.92.74 - - [04/Nov/2006:00:36:04 -0800] "POST /posting.php?sid=c1cb040b3d37771fa6dbd655af8dc487 HTTP/1.0" 403 1449
220.110.213.157 - - [04/Nov/2006:00:36:05 -0800] "POST /posting.php?sid=c1cb040b3d37771fa6dbd655af8dc487 HTTP/1.1" 403 1487
221.24.40.110 - - [04/Nov/2006:00:36:19 -0800] "POST /posting.php?sid=2b70933b65cf596445de4b5dd7d60c06 HTTP/1.0" 403 0
220.35.96.112 - - [04/Nov/2006:00:35:39 -0800] "POST /posting.php?sid=2b70933b65cf596445de4b5dd7d60c06 HTTP/1.0" 403 609
72.232.83.114 - - [04/Nov/2006:04:16:33 -0800] "GET /posting.php?mode=reply&t=7 HTTP/1.1" 200 41900
72.232.83.114 - - [04/Nov/2006:04:16:33 -0800] "GET /posting.php?mode=reply&t=9 HTTP/1.1" 200 40457
71.15.156.88 - - [04/Nov/2006:04:16:35 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.0" 403 1449
201.30.93.5 - - [04/Nov/2006:04:16:37 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.1" 403 1449
201.243.56.199 - - [04/Nov/2006:04:16:37 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1487
203.88.155.26 - - [04/Nov/2006:04:16:45 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.1" 403 1449
125.177.130.151 - - [04/Nov/2006:04:16:52 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1449
82.207.54.220 - - [04/Nov/2006:04:16:58 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1449
211.32.74.174 - - [04/Nov/2006:04:17:12 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1449
58.121.61.41 - - [04/Nov/2006:04:17:13 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.1" 403 1449


Note the pairs of GET operations, which all originate in the IP address range 72.232.83.*, which belongs to Layered Technologies, Inc. The POST operations appear to come from a botnet.


Top
 Profile  
 
 Post subject: Do Do Do the Dominican Republic Rap
PostPosted: Sun Nov 05, 2006 3:19 pm 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
That host fom the Dominican Republic I mentioned a couple of posts back is going nuts. There are currently 116 entries in my access log file from this host, all identical save for the timestamp. The earliest timestamp at the time I checked was "04/Nov/2006:00:39:43 -0800", and the latest was "05/Nov/2006:06:57:12 -0800", which translates to "regular accesses from around the start of the earliest logfile checked, right up to the present". The host is only attempting POST operations, and is getting 403s on every attempt.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Nov 06, 2006 4:28 am 
Offline
Recognised Remarker

Joined: Mon Nov 06, 2006 4:17 am
Posts: 2
Location: Ontario, Canada
I actually registered in order to be able to reply to this thread.

I, too, run a number of forums, and was being swamped with bogus registrations, all to the end - I assume - of getting web sites in the profile. I already made changes to the forum code to not show new users who were not yet activated, but had not (yet) blocked profile visibility for unverified users (I'm quite comfortable with code, so that was no obstacle).

Thanks to your javascript/cookie tip, I won't (for now, anyway) need to go any further. Since implementing the cookie trick, I have had zero bot registrations.

Thanks, Brett.

_________________
Ted R - Ontario, Canada


Top
 Profile  
 
 Post subject:
PostPosted: Mon Nov 06, 2006 7:17 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
I'm glad to hear that my technique has been of use. I have tried to share the benefits by publicising the technique in a couple of places, but the response has been underwhelming, which is a little deflating. On the plus side, the longer it remains an obscure technique, the longer it will work.

I still get the odd one or two manually-created accounts which appear to be for no other purpose than creating hyperlinks to boost pagerank. I append ".nolinkspam" to the domains of such URLs if they haven't abided by the terms of my account registration rules, and will probably delete the accounts later.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Nov 06, 2006 5:25 pm 
Offline
Recognised Remarker

Joined: Mon Nov 06, 2006 4:17 am
Posts: 2
Location: Ontario, Canada
By the way, this is the same technique I have used for years to avoid the e-mail address-sucking bots - a bit of javascript to render the e-mail address so it makes sense to a browser, and not to a (simple) script.

_________________
Ted R - Ontario, Canada


Top
 Profile  
 
 Post subject:
PostPosted: Mon Nov 06, 2006 9:25 pm 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
Yes, I use that technique on my personal info page for my email address. After several years, it's still a good way to make an email address available as a hyperlink without disclosing it to the harvesters.


Top
 Profile  
 
 Post subject:
PostPosted: Sat Nov 18, 2006 2:56 pm 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
Every now and then, there's still someone who does their forum spamming the old fashioned way: manually. Someone from Russia just posted a whole bunch of spam-links to geocities pages in this very thread. I deleted it, of course, but here's the breadcrumb trail.

62.33.137.159 - - [17/Nov/2006:10:05:49 -0800] "GET /viewtopic.php?p=104&sid=e8775244618f8d319d8a77ef9e647e43 HTTP/1.1" 200 10800 "http://www.google.com/search?hl=en&lr=&client=opera&rls=ru&q=site%3A+forum+mode%3Dreply%26t&btnG=Search" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:05:54 -0800] "GET /favicon.ico HTTP/1.1" 404 584 "http://forum.tfbw.com/viewtopic.php?p=104&sid=e8775244618f8d319d8a77ef9e647e43" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:06:12 -0800] "GET /posting.php?mode=reply&t=62&sid=bfa27b162263410f7f52d5d5f4b61bd8 HTTP/1.1" 200 13070 "http://forum.tfbw.com/viewtopic.php?p=104&sid=e8775244618f8d319d8a77ef9e647e43" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:06:19 -0800] "GET /posting.php?mode=topicreview&t=62 HTTP/1.1" 200 7794 "http://forum.tfbw.com/posting.php?mode=reply&t=62&sid=bfa27b162263410f7f52d5d5f4b61bd8" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:06:52 -0800] "POST /posting.php HTTP/1.1" 200 4565 "http://forum.tfbw.com/posting.php?mode=reply&t=62&sid=bfa27b162263410f7f52d5d5f4b61bd8" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:07:00 -0800] "GET /viewtopic.php?p=112 HTTP/1.1" 200 10965 "http://forum.tfbw.com/posting.php" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:07:05 -0800] "GET /favicon.ico HTTP/1.1" 404 584 "http://forum.tfbw.com/viewtopic.php?p=112" "Opera/9.00 (Windows NT 5.1; U; ru)"

Yeah... you may need to copy/paste that somewhere to make it readable, but it's not much better in terms of readability at larger sizes. Note in particular that the initial "referer" URL. This very forum happens to be on the first page of that particular Google search. I'll repeat it here at full size to save you the bother of getting a magnifying glass.
Code:
http://www.google.com/search?hl=en&lr=&client=opera&rls=ru&q=site%3A+forum+mode%3Dreply%26t&btnG=Search

I think the intention was to find forums that allowed public posting, and it's worked to the extent that it found mine, but many of those hits aren't even forums, and mine is the first on the list that allows public posting. There might be something in this that I'm not getting, but I'm leaning towards the view that this particular spammer is just a bit of a n00b.


Top
 Profile  
 
 Post subject: Just passing through
PostPosted: Tue Dec 05, 2006 4:25 pm 
I'm not a member of this forum, but I was able to edit a message and post a message here:
posting.php?mode=quote&p=94

By the way, I found you like through Google. :?


Top
  
 
 Post subject:
PostPosted: Wed Dec 06, 2006 2:00 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
You were able to post a message because I've enabled guest posting. What I've attempted to disable is posting by bots. So congratulations, I believe you are not a bot.

Another source of irritation which wasn't a bot has just landed in my manually-maintained ban-list. The latest network to gain that dubious accolade is China Network Communications Group's Hebei province network (121.24.0.0/14). They have a nasty little forum spammer who spams in Chinese, unsurprisingly enough. He didn't take the hint when I deleted his first post, and came back for a couple more honking great hyperlink-laden posts in Chinese.

No more "TFBW's Forum" for Hebei until they reform their local spammer.


Top
 Profile  
 
 Post subject: Re: What's a WebaltBot?
PostPosted: Tue Dec 12, 2006 4:52 pm 
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Ultram.html'>Ultram'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Paxil.html'>Paxil'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Home-Loan.html'>Home Loan'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Network-Marketing.html'>Network Marketing'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Life-Insurance.html'>Life Insurance'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Personal-Loan.html'>Personal Loan'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Mortgage-Refinance.html'>Mortgage Refinance'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Roulette.html'>Roulette'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/slot.html'>slot'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Online-Gambling.html'>Online Gambling'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Casino-Bonus.html'>Casino Bonus'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Sport-Betting.html'>Sport Betting'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/forex.html'>forex'>


Top
  
 
 Post subject:
PostPosted: Wed Dec 13, 2006 1:28 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
The above n00b spammer arrived via Google. The referer was "http://www.google.com/search?hl=en&lr=&client=opera&rls=en&hs=q7U&q=inurl%3Aposting.php%3Fmode%3Dquote%26p%3D&btnG=Search". Said spammer then posted again, after figuring out the proper way to format BBCode, but I deleted that one. The source IP address was 65.23.154.76.


Top
 Profile  
 
 Post subject:
PostPosted: Fri Dec 15, 2006 2:34 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
The spammer mentioned in the post immediately prior to this one spammed again from exactly the same IP address. The /24 associated with the IP has been added to my "no access" list. Said spammer is a fairly ineffective pharma-spammer: the hyperlinks posted were all to pages named after drugs (mostly "ultram" and "tramadol"), but a quick check showed that the target was already 404 page not found. Either the spammer stuffed up his links, or the host on which his pages were stashed figured out they'd been hacked and cleaned it up.


Top
 Profile  
 
 Post subject:
PostPosted: Sat Dec 16, 2006 3:18 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
A manual forum spammer, apparently in Pakistan (203.215.177.253), posted a spam with a massive number of links to "insidethesports.com" (registered to "Shahid Bashir Ahmad" of Lahore, Pakistan; creation Date: 10-Jun-2006), all relating to shoes. For some odd reason, there were also three links to "aerobic-shoes.net" (registeres to "Ausaf Ahmad" of Lahore, Pakistan; creation Date: 04-Dec-2006) at the end, unsurprisingly on the subject of "aerobic shoes". He seems to have found my forum via Google as follows.
Code:
http://www.google.com/search?hl=en&lr=&safe=off&q=.ru+forum+post+a+reply&btnG=Search

Welcome to Pakispam. The BBCode on that post has been disabled to neutralise the links, and I'll probably delete it altogether in the near future.


Top
 Profile  
 
 Post subject:
PostPosted: Sat Dec 23, 2006 3:14 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
A manual forum spammer operating from 65.88.88.200, which is registered to the New York Public Library, has posted a link to an AOL Hometown page ("musicopter") which claims to be the property of one "Gerry Aire". So a big "hi" goes to Gerry, who I surmise is spamming away like an antisocial prick in the New York Public Library. It's pretty obvious that spam is the name of the game when you arrive at the forum through a search like the following.
Code:
http://www.google.com/search?q=%22you+can+post+new%22%22you+can+reply+to+topics%22&hl=en&lr=&start=80&sa=N


Top
 Profile  
 
 Post subject: Random stats
PostPosted: Sat Jan 06, 2007 1:59 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
Random statistical trivia: between 2007-01-04 01:24:21 -0800 and 2007-01-05 17:42:29 -0800 (a period of just over 40 hours), the spam countermeasures on this forum blocked 387 POST attempts from 253 distinct IP addresses. That's between nine and ten POST attempts per hour, and that's a lotta spam! No doubt the trend will continue upwards, and then we'll fondly remember the days when there were only ten attempts per hour.


Top
 Profile  
 
 Post subject: Re: What's a WebaltBot?
PostPosted: Tue Jan 09, 2007 12:09 am 
I like this forum, always provide new and fresh information,i usually visit it to check some new stuff and discussion


Top
  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 51 posts ]  Go to page 1, 2, 3  Next

All times are UTC


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group