TFBW's Forum

 Post subject:
PostPosted: Tue Jan 09, 2007 3:31 am 
Offline
Your Host

Joined: Mon Jul 10, 2006 6:57 am
Posts: 204
Location: Sydney, Australia
You may think that the above post is pure, unadulterated sarcasm, but it's not! It's actually stealth spam! The words "forum", "usually", and "new" (in "new stuff") are hyperlinks with additional "color" tags to render them black like the surrounding text. I've defanged the links by adding ".nolinkspam" to the domain name, but left them otherwise unchanged for your information.

The spam came from IP address 80.77.8.29, which is in Pakistan -- almost certainly the same Pakispammer I've encountered before on this very thread, given the overlap in domain names involved. A quick search on a key phrase used in the spam shows that this guy is fairly diverse in his spamming, not just targeting phpBB instances.

I also note that at least one of the blogs he has spammed passes all external links through a local redirect. Redirects have problems of their own, but I note in passing that it probably renders the spam ineffective as a way of boosting search profile.


 Post subject: RE
PostPosted: Tue Jan 09, 2007 7:07 pm 
Alright man, maybe it affects you a lot; that's why you can't even afford two or three links. But your post was nice, thanks. Keep it up.


 Post subject:
PostPosted: Wed Jan 10, 2007 1:01 am 
Your Host
It's not a question of me being able to "afford links" -- what a ridiculous concept. The problem is that spammers like you are abusing my forum as a way of getting free advertising and increasing your search engine profile. If you'd taken the time to read through some of what I've posted earlier, you'd note that I already have to block hundreds of POST attempts per day from automated spam generators. If my countermeasures weren't completely effective against such spam, I'd have no choice but to close the forum, since it would not be feasible to find actual conversations amongst all the spam.

If you want to stick around and have a decent conversation, I have no problem with you throwing in a link or two in your signature line. Spouting random crap just so that you can get your links in does not count as "conversation".


 Post subject: RE
PostPosted: Thu Jan 11, 2007 8:44 pm 
Well, this last time I had posted a good comment about your forum, which probably increased your forum rank, but you also made it an issue. Last time I was wrong posting direct links; that was not a good idea at all... You think posting such a comment is an easy task? It takes a lot of time, my dear... But never mind, I praise your patience; even after hundreds of spams you are still calm... hmm... and wish you good luck for your forum.


 Post subject: CHINANET jiangsu province network
PostPosted: Thu Feb 01, 2007 6:27 am 
Your Host
Over the last week or so, I've had a persistent spammer from China posting messages consisting of nothing but links, mostly in Chinese. He posts, I delete, we repeat. The spammer is performing this work by hand, and using Google searches on the terms "posting.php?mode=quote" and "post a reply" to find postable forums. (Actually, the search is on the individual words in "post a reply", not the phrase.)

I don't actually have proof that this is one spammer, but there is a common thread between the postings: all have come from IP addresses listed as belonging to China Telecom, "CHINANET jiangsu province network". On each occasion, I have blocked the entire subnet associated with the offending IP address, and I'm now curious as to how many subnets Jiangsu province has, exactly. I've blocked a /16 and two /14s so far!

It would be nice to implement a finer grain of control over such nuisance areas. I don't like the idea that I'm blocking large ranges of China just because of one little enterprise there that is earning money by being a global public nuisance. It would be better to disallow anonymous posting from such a range, or moderate posting from that range. Such subtleties are well beyond the capability of phpBB and my Apache .htaccess/Javascript hack, however.


 Post subject: Re: What's a WebaltBot?
PostPosted: Fri Feb 02, 2007 12:00 pm 
TFBW wrote:
Something with a distinctive identifier of "WebaltBot" has been probing at my forum. The entire user agent string is "Mozilla/5.0 compatible WebaltBot/1.00 (i686-pc-linux)". Here's a sample of what it's been up to, minus the repetitive user agent string and "referer" URLs to save space.

72.232.83.90 - - [03/Nov/2006:00:36:27 -0800] "GET /posting.php?mode=reply&t=7 HTTP/1.1" 200 41905
72.232.83.90 - - [03/Nov/2006:00:36:27 -0800] "GET /posting.php?mode=reply&t=9 HTTP/1.1" 200 40446
59.94.104.60 - - [03/Nov/2006:00:36:35 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
211.119.72.77 - - [03/Nov/2006:00:36:38 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
221.149.83.165 - - [03/Nov/2006:00:36:39 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
83.69.97.142 - - [03/Nov/2006:00:36:40 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1487
217.216.170.234 - - [03/Nov/2006:00:36:44 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1449
61.95.218.114 - - [03/Nov/2006:00:36:53 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
86.138.16.181 - - [03/Nov/2006:00:36:57 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1449
72.232.83.98 - - [04/Nov/2006:00:35:36 -0800] "GET /posting.php?mode=reply&t=9 HTTP/1.1" 200 40447
72.232.83.98 - - [04/Nov/2006:00:35:36 -0800] "GET /posting.php?mode=reply&t=7 HTTP/1.1" 200 41888
218.123.92.74 - - [04/Nov/2006:00:36:04 -0800] "POST /posting.php?sid=c1cb040b3d37771fa6dbd655af8dc487 HTTP/1.0" 403 1449
220.110.213.157 - - [04/Nov/2006:00:36:05 -0800] "POST /posting.php?sid=c1cb040b3d37771fa6dbd655af8dc487 HTTP/1.1" 403 1487
221.24.40.110 - - [04/Nov/2006:00:36:19 -0800] "POST /posting.php?sid=2b70933b65cf596445de4b5dd7d60c06 HTTP/1.0" 403 0
220.35.96.112 - - [04/Nov/2006:00:35:39 -0800] "POST /posting.php?sid=2b70933b65cf596445de4b5dd7d60c06 HTTP/1.0" 403 609
72.232.83.114 - - [04/Nov/2006:04:16:33 -0800] "GET /posting.php?mode=reply&t=7 HTTP/1.1" 200 41900
72.232.83.114 - - [04/Nov/2006:04:16:33 -0800] "GET /posting.php?mode=reply&t=9 HTTP/1.1" 200 40457
71.15.156.88 - - [04/Nov/2006:04:16:35 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.0" 403 1449
201.30.93.5 - - [04/Nov/2006:04:16:37 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.1" 403 1449
201.243.56.199 - - [04/Nov/2006:04:16:37 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1487
203.88.155.26 - - [04/Nov/2006:04:16:45 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.1" 403 1449
125.177.130.151 - - [04/Nov/2006:04:16:52 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1449
82.207.54.220 - - [04/Nov/2006:04:16:58 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1449
211.32.74.174 - - [04/Nov/2006:04:17:12 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1449
58.121.61.41 - - [04/Nov/2006:04:17:13 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.1" 403 1449


Note the pairs of GET operations, which all originate in the IP address range 72.232.83.*, which belongs to Layered Technologies, Inc. The POST operations appear to come from a botnet.


 Post subject:
PostPosted: Fri Feb 02, 2007 6:48 pm 
Your Host
The harmless but pointless message immediately above is the result of someone in the Ukraine (195.24.157.66) testing my anti-spam system. Two attempts were made at posting to the forum: the first was deflected by the anti-spam system, the second was posted manually through a real browser. This is evident because the first attempt consisted of one GET and one POST, whereas the second (less than a minute later) exhibited the more usual spray of GETs on images and so forth associated with typical browsers.

As you can see, the countermeasures have nothing to do with the IP address in this case.


 Post subject: Goodbye China
PostPosted: Sat Feb 03, 2007 6:54 pm 
Your Host
There's a big difference between spammers from eastern Europe, and spammers from Asia: the former automate their spamming; the latter do it manually. My anti-spam mechanism deals with the automata, not the manual spammers. Our friend the Pakispammer actually had a sort of conversation with us here in the forum, for example. The Chinese spammers, on the other hand, are also manual spammers, but aren't interested in conversation. They don't even post in English.

Having deleted another five Chinese spams today, posted from three distinct IP addresses, I've decided that China has got to go. I've started blocking /12s and /11s based on information from APNIC. If I get the time tomorrow, I'll process the APNIC data and get it to generate a complete blocklist for China. I may not block all of China immediately, but I will block the largest subnettable Chinese address range associated with any spam that arrives from now on.


 Post subject:
PostPosted: Wed Feb 07, 2007 2:32 am 
Your Host
I did as I said I would, and wrote a short Perl script to convert the APNIC delegation data into CIDR blocks suitable for banning. I've blocked six such ranges allocated to China: four /11s and two /12s. So far, the results are very encouraging.

For example, one of the ranges I've banned is 121.16.0.0/12. As a /12, it's only half the size of the /11s, but it seems to be the most actively abused range. Here's a sample from my logfiles showing exactly what is now being denied.

Quote:
121.27.232.237 - - [05/Feb/2007:03:13:25 -0800] "GET /posting.php?mode=quote&p=172&sid=5f42ccc17c62de8ff38be81b3f6a7f08 HTTP/1.1" 403 939 "http://www.google.cn/search?complete=1&hl=zh-CN&q=HTML+is+OFF+intitle%3A%27Post+a+reply%27&btnG=Google+%E6%90%9C%E7%B4%A2&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler )"
121.27.232.237 - - [05/Feb/2007:03:13:25 -0800] "GET /posting.php?mode=quote&p=164&sid=314599e3ca0dfb7dbda70a102c6f845e HTTP/1.1" 403 939 "http://www.google.cn/search?complete=1&hl=zh-CN&q=HTML+is+OFF+intitle%3A%27Post+a+reply%27&btnG=Google+%E6%90%9C%E7%B4%A2&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler )"
121.27.232.237 - - [05/Feb/2007:03:34:19 -0800] "GET /posting.php?mode=quote&p=172&sid=5f42ccc17c62de8ff38be81b3f6a7f08 HTTP/1.1" 403 939 "http://www.google.cn/search?q=HTML+is+OFF+intitle:%27Post+a+reply%27&complete=1&hl=zh-CN&newwindow=1&start=0&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler )"
121.27.232.237 - - [05/Feb/2007:03:34:20 -0800] "GET /posting.php?mode=quote&p=164&sid=314599e3ca0dfb7dbda70a102c6f845e HTTP/1.1" 403 939 "http://www.google.cn/search?q=HTML+is+OFF+intitle:%27Post+a+reply%27&complete=1&hl=zh-CN&newwindow=1&start=0&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler )"
121.27.232.237 - - [05/Feb/2007:04:34:47 -0800] "GET /posting.php?mode=quote&p=164&sid=314599e3ca0dfb7dbda70a102c6f845e HTTP/1.1" 403 939 "http://www.google.cn/search?complete=1&hl=zh-CN&q=HTML+is+OFF+intitle%3A%27Post+a+reply%27&btnG=Google+%E6%90%9C%E7%B4%A2&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler )"
121.27.235.222 - - [05/Feb/2007:16:34:43 -0800] "GET /posting.php?mode=quote&p=164&sid=314599e3ca0dfb7dbda70a102c6f845e HTTP/1.1" 403 939 "http://www.google.com/search?q=%20HTML%20is%20OFF%20intitle%3A'Post%20a%20reply'%20%20%20%20%20&hl=zh-CN&lr=&nxpt=20.557448412265546522086" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.235.222 - - [05/Feb/2007:16:35:52 -0800] "GET /posting.php?mode=quote&p=156&sid=466dde8825f9677e1ed43f1d513a078a HTTP/1.1" 403 939 "http://www.google.com/search?q=+HTML+is+OFF+intitle:%27Post+a+reply%27+++++&hl=zh-CN&lr=&newwindow=1&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.218.219 - - [06/Feb/2007:05:37:43 -0800] "GET /posting.php?mode=quote&p=164&sid=314599e3ca0dfb7dbda70a102c6f845e HTTP/1.1" 403 939 "http://www.google.com/search?q=Post+a+Reply&hl=zh-CN&lr=&newwindow=1&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
121.27.218.219 - - [06/Feb/2007:05:37:44 -0800] "GET /favicon.ico HTTP/1.1" 403 938 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
121.27.226.119 - - [06/Feb/2007:05:40:07 -0800] "GET /posting.php?mode=quote&p=28&sid=abbbd40df06a4657b75863433632a249 HTTP/1.1" 403 939 "http://www.google.com/search?q=+Topic+review+intitle:%22Post+a+reply+%22+-Confirmation+-code+++5&num=100&hl=zh-CN&newwindow=1&as_qdr=all&start=300&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.218.219 - - [06/Feb/2007:05:44:42 -0800] "GET /posting.php?mode=quote&p=101&sid=3fc0a2fd35682ceaa2eb28354db77118 HTTP/1.1" 403 939 "http://www.google.com/search?q=Post+a+Reply&hl=zh-CN&lr=&newwindow=1&start=20&sa=N" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
121.27.218.219 - - [06/Feb/2007:05:44:42 -0800] "GET /favicon.ico HTTP/1.1" 403 938 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
121.27.149.130 - - [06/Feb/2007:05:56:18 -0800] "GET /posting.php?mode=quote&p=164&sid=314599e3ca0dfb7dbda70a102c6f845e HTTP/1.1" 403 939 "http://www.google.com/search?q=intitle%3A%22Post+a+reply%22+Disable+Smilies&num=50&hl=zh-CN&newwindow=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.149.130 - - [06/Feb/2007:05:56:18 -0800] "GET /favicon.ico HTTP/1.1" 403 938 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.224.4 - - [06/Feb/2007:06:01:04 -0800] "GET /posting.php?mode=quote&p=164&sid=314599e3ca0dfb7dbda70a102c6f845e HTTP/1.1" 403 939 "http://www.google.com/search?hl=zh-CN&newwindow=1&q=+%22Disable+Smilies+in+this+post%22+intitle%3APost+a+Reply&btnG=Google+%E6%90%9C%E7%B4%A2&lr=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.224.4 - - [06/Feb/2007:06:08:42 -0800] "GET /posting.php?mode=quote&p=101&sid=3fc0a2fd35682ceaa2eb28354db77118 HTTP/1.1" 403 939 "http://www.google.com/search?q=+%22Disable+Smilies+in+this+post%22+intitle:Post+a+Reply&hl=zh-CN&lr=&newwindow=1&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.226.119 - - [06/Feb/2007:06:10:57 -0800] "GET /posting.php?mode=quote&p=137&sid=2bffe0dcf1a687794c482646145d7772 HTTP/1.1" 403 939 "http://www.google.com/search?q=+Topic+review+intitle%3A%22Post+a+reply+%22+-Confirmation+-code+++March&btnG=%E6%90%9C%E7%B4%A2&num=100&hl=zh-CN&newwindow=1&as_qdr=all" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.226.119 - - [06/Feb/2007:06:20:53 -0800] "GET /posting.php?mode=quote&p=128&sid=92cc9e49d1dbf54a7185d9da48b1dd5b HTTP/1.1" 403 939 "http://www.google.com/search?q=+Topic+review+intitle:%22Post+a+reply+%22+-Confirmation+-code++May&num=100&hl=zh-CN&newwindow=1&as_qdr=all&start=100&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.218.219 - - [06/Feb/2007:07:15:35 -0800] "GET /posting.php?mode=quote&p=89&sid=fbbaf91874a3840313d293056c760329 HTTP/1.1" 403 939 "http://www.google.com/search?q=Post+a+Reply&hl=zh-CN&lr=&newwindow=1&start=110&sa=N&filter=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
121.27.218.219 - - [06/Feb/2007:07:15:35 -0800] "GET /favicon.ico HTTP/1.1" 403 938 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
121.27.218.219 - - [06/Feb/2007:07:15:55 -0800] "GET /posting.php?mode=quote&p=156&sid=466dde8825f9677e1ed43f1d513a078a HTTP/1.1" 403 939 "http://www.google.com/search?q=Post+a+Reply&hl=zh-CN&lr=&newwindow=1&start=120&sa=N&filter=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
121.27.218.219 - - [06/Feb/2007:07:15:55 -0800] "GET /favicon.ico HTTP/1.1" 403 938 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
121.27.218.219 - - [06/Feb/2007:07:15:59 -0800] "GET /posting.php?mode=quote&p=83&sid=27209ddc5c3e665ad707b6c584dbdfae HTTP/1.1" 403 938 "http://www.google.com/search?q=Post+a+Reply&hl=zh-CN&lr=&newwindow=1&start=130&sa=N&filter=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
121.27.218.219 - - [06/Feb/2007:07:16:00 -0800] "GET /favicon.ico HTTP/1.1" 403 938 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
121.27.226.119 - - [06/Feb/2007:07:20:41 -0800] "GET /posting.php?mode=quote&p=21&sid=d4701822392ca4779aa1aed0e3ad5109 HTTP/1.1" 403 939 "http://www.google.com/search?q=intitle:Post+a+Reply++Disable+BBCode+in+this+post++-Confirmation+-code++&num=100&hl=zh-CN&lr=&newwindow=1&as_qdr=all&start=200&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.226.119 - - [06/Feb/2007:07:30:18 -0800] "GET /posting.php?mode=quote&p=84&sid=24a1e0048158973239adfb57cf31f187 HTTP/1.1" 403 939 "http://www.google.com/search?q=intitle:Post+a+Reply++Disable+BBCode+in+this+post++-Confirmation+-code+++1+&num=100&hl=zh-CN&newwindow=1&as_qdr=all&start=200&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.226.119 - - [06/Feb/2007:07:31:35 -0800] "GET /posting.php?mode=quote&p=39&sid=726ba4d7faebf849ae884f5380497735 HTTP/1.1" 403 939 "http://www.google.com/search?q=intitle:Post+a+Reply++Disable+BBCode+in+this+post++-Confirmation+-code+++1+&num=100&hl=zh-CN&newwindow=1&as_qdr=all&start=300&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.213.228 - - [06/Feb/2007:09:17:05 -0800] "GET /posting.php?mode=quote&p=2&sid=f8bdf63b554d6a4eaa4fa920d5257d79 HTTP/1.1" 403 939 "http://www.google.com/search?q=intitle:Post+a+Reply++Disable+BBCode+in+this+post++-Confirmation+-code+May&num=100&hl=zh-CN&newwindow=1&as_qdr=all&start=100&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.212.57 - - [06/Feb/2007:11:37:42 -0800] "GET /posting.php?mode=quote&p=7&sid=ba858a5c1925c0d21a9e28b3b58999af HTTP/1.1" 403 939 "http://www.google.com/search?q=HTML+is+OFF+intitle:%22Post+a+reply%22+-Confirmation+-code++2&num=100&hl=zh-CN&newwindow=1&as_qdr=all&start=300&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.212.57 - - [06/Feb/2007:11:56:29 -0800] "GET /posting.php?mode=quote&p=3&sid=8473fb666e25510c6a54326f72944026 HTTP/1.1" 403 939 "http://www.google.com/search?q=HTML+is+OFF+intitle:%22Post+a+reply%22+-Confirmation+-code++3&num=100&hl=zh-CN&newwindow=1&as_qdr=all&start=300&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"


Note that if I were attempting to target abuse narrowly, it would be more appropriate to block 121.27.128.0/17 or thereabouts. China has proved to be enough of a nuisance that I'm not going to be so lenient: I block in anticipation as much as in reaction. That aside, let's look at all this activity I've denied from this one region.

I count twenty-four instances of "google" in the above, with the most conspicuous search term being "Post a reply" (in title). In fact, the only items which don't have "google" in the "referer" field are the items requesting the "favicon.ico" file. So that pretty much summarises the modus operandi of spammers in this netblock: do a Google search for key terms indicating an open forum, then navigate to the "post a reply" form directly from the Google search and enter your spam. Sweatshop spammers.

Note also that nine of the search queries include the term "num=100", indicating the number of search results per page. This generates a nice long list of postable forums. These queries also include the term "newwindow=1", which causes the search links to open in a new window. I surmise that the spammers prefer to click on several links, resulting in several new open windows, then deal with each of those windows in turn and close them. Streamlined spamming.

Note also that the "start=" term is sometimes as high as three hundred, indicating that my forum was only found in the fourth page of results. There's a certain dogged dedication to the process of wading through four hundred potential links to open forums and attempting to post in each of them. Note that the hundred-results-per-page spammer also avoids CAPTCHA-protected pages, filtering on the terms "confirmation code". It's not clear whether he starts with low-hanging fruit like my forum and then moves on to the CAPTCHA-protected pages, though.

The spammer operating from 121.27.218.219 is much more basic in his search terms, and makes no effort to avoid CAPTCHAs or produce more search results per page. All in all, it seems that several independent spammers with similar (but distinct) modi operandi (and browser configurations) are operating in this range. Are they spammers for hire? Freelance? Subcontracted by SEO companies? Pimping their own pages?

If I were the betting type, my money would be on, "they are subcontracted by SEO companies".


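The host's Perl script is not posted in the thread; as an added illustration (my code, not the forum's), this Python rendition does the same job: it reads records in the APNIC delegated-file layout, splits each delegation into aligned CIDR blocks, collapses adjacent blocks, and reports the largest enclosing block for a given address, which is how the bans above were chosen. The sample delegation records are constructed (not real APNIC data) and the `Deny from` rendering is an assumption about how such a list would be fed to Apache, since the host's own .htaccess is not shown.

```python
"""Turn APNIC delegation records into a per-country CIDR blocklist.

Added illustration: the forum host's Perl script is not on the page, so this
is an independent Python rendition of the same idea.
"""
import ipaddress

# Constructed sample in the delegated-apnic-latest layout (not real data):
# registry|cc|type|start|value|date|status, where value is the address count
# for ipv4 records. The first line is the file header, the second a summary.
SAMPLE_DELEGATIONS = """\
2|apnic|20070207|6|19830101|20070206|+1000
apnic|*|ipv4|*|6|summary
apnic|CN|ipv4|59.32.0.0|2097152|20050101|allocated
apnic|CN|ipv4|61.128.0.0|4194304|20000101|allocated
apnic|CN|ipv4|121.16.0.0|524288|20060101|allocated
apnic|CN|ipv4|121.24.0.0|524288|20060601|allocated
apnic|CN|ipv4|202.96.0.0|12288|19950101|allocated
apnic|JP|ipv4|121.0.0.0|1048576|20050101|allocated
"""


def parse_delegations(text, country="CN"):
    """Yield (start, count) for every IPv4 record delegated to `country`."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # header and summary lines have a different shape; skip them
        if len(fields) < 7 or fields[1] != country or fields[2] != "ipv4":
            continue
        yield fields[3], int(fields[4])


def range_to_cidrs(start, count):
    """Split [start, start+count) into the fewest aligned CIDR blocks.

    A delegation need not be a single power-of-two block (12288 addresses,
    for instance), so peel off the largest block that is both aligned at the
    current address and no bigger than what remains.
    """
    addr = int(ipaddress.IPv4Address(start))
    blocks = []
    while count > 0:
        size = 1
        while size * 2 <= count and addr % (size * 2) == 0:
            size *= 2
        prefix = 33 - size.bit_length()  # size == 2 ** (32 - prefix)
        blocks.append(ipaddress.IPv4Network((addr, prefix)))
        addr += size
        count -= size
    return blocks


def country_blocklist(text, country="CN"):
    """Collapsed CIDR blocks covering every IPv4 delegation to `country`."""
    blocks = []
    for start, count in parse_delegations(text, country):
        blocks.extend(range_to_cidrs(start, count))
    # adjacent delegations (the two /13s in the sample) merge into one block
    return list(ipaddress.collapse_addresses(blocks))


def enclosing_block(ip, blocklist):
    """Largest block in a collapsed blocklist containing `ip`, else None.

    This is the "largest enclosing CIDR entirely delegated to the country"
    that the host bans in response to a single abusive address.
    """
    addr = ipaddress.IPv4Address(ip)
    for net in blocklist:
        if addr in net:
            return net
    return None


def deny_lines(blocklist):
    """Render the blocklist as Apache 2.2 mod_authz_host 'Deny from' lines."""
    return ["Deny from %s" % net for net in blocklist]


if __name__ == "__main__":
    cn = country_blocklist(SAMPLE_DELEGATIONS)
    print("\n".join(deny_lines(cn)))
    print("61.167.36.226 ->", enclosing_block("61.167.36.226", cn))
```

Run against the real delegated-apnic-latest file, the same functions produce a blocklist for any country code; the collapse step is what turns dozens of small delegations into the handful of /10s, /11s and /12s the host describes.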
 Post subject: Quote
PostPosted: Fri Feb 09, 2007 1:58 am 
http://www.mcpmedia.com/corporate_info/quote.php

marketing@mcpmedia.com

MCP Media is a professional Phoenix web design company. Get free web design quotes here any time!


 Post subject:
PostPosted: Fri Feb 09, 2007 2:54 am 
Your Host
The above spam came from 202.134.119.9, which is in Hong Kong. Interestingly, the "referer" URL was "http://172.16.19.3/LinkBuilder/CheckLinkEx.aspx". The IP address in that URL is a private (local network) address, but the "LinkBuilder/CheckLinkEx.aspx" part is strongly suggestive of a custom application of some sort. The spamming activity has been performed manually, but is aided by some kind of private search engine. Once again, this looks very much like "spam for hire" work. I'm preemptively blocking 202.134.64.0/18 (delegated to HK by APNIC) in response to this.


 Post subject:
PostPosted: Sun Feb 11, 2007 2:15 pm 
Your Host
More China spam. Today I had three posts from a registered user in China. The posts try to be at least slightly relevant to the topics under which they were posted, but they were still content-free, mostly irrelevant, and seemed to exist purely for the purpose of linking to the submitter's website. Two of the posts have been deleted; the third currently remains because the link was broken anyhow, and I want to give the spammer a chance to respond.

The IP source was 61.167.36.226, and 61.128.0.0/10 is currently the largest containing CIDR block specific to China that I could ban. No ban yet, though: they get one chance to defend their actions.


 Post subject:
PostPosted: Mon Feb 12, 2007 10:06 am 
Your Host
Well, that spammer's chance came and went. As is typical, he's in write-only mode, and doesn't seem to have read my response to the one message I allowed to remain on the system. Instead, he's posted three more junky random posts, all of which are excerpts off a particular website (his, presumably), and included a link to the source. This is just link-spamming pollution so far as I'm concerned, and I've added 61.128.0.0/10 to the list of IPs not welcome here, and removed the new posts.


 Post subject:
PostPosted: Tue Feb 13, 2007 3:31 pm 
Your Host
China continues to be whittled away. Today 59.32.0.0/11 was added thanks to a -- what term should I use for these forum-spamming equivalents of telemarketers? -- at 59.35.230.96. The banned range is the largest enclosing CIDR around that address entirely delegated to China. There's not a lot to say about this particular instance: the referrer field on the first access is empty, and the user agent includes "TencentTraveler". There may be some automation involved here, since the entire process took less than ten seconds from initial GET to final POST.


 Post subject: Shame on Commtouch Software Inc
PostPosted: Mon Feb 19, 2007 6:29 am 
Your Host
While conducting my usual smug perusal of blocked POST attempts today, I noted the following conspicuous cluster of activity. According to WHOIS, the IP range in question (216.163.176.0/20) is allocated to "Commtouch Software Inc." What's with the abusive activity emanating from your network, guys? Here's the evidence from the logfiles.

Quote:
216.163.188.200 - - [18/Feb/2007:16:17:34 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.201 - - [18/Feb/2007:16:17:34 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.207 - - [18/Feb/2007:16:17:46 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.203 - - [18/Feb/2007:16:18:12 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.208 - - [18/Feb/2007:17:51:09 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.209 - - [18/Feb/2007:17:51:09 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.202 - - [18/Feb/2007:17:51:22 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.204 - - [18/Feb/2007:17:51:47 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.201 - - [18/Feb/2007:19:17:29 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.202 - - [18/Feb/2007:19:17:29 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.206 - - [18/Feb/2007:19:17:41 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.209 - - [18/Feb/2007:19:18:07 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.200 - - [18/Feb/2007:20:38:27 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.201 - - [18/Feb/2007:20:38:27 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.207 - - [18/Feb/2007:20:38:39 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.208 - - [18/Feb/2007:20:39:05 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.204 - - [18/Feb/2007:21:56:31 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.203 - - [18/Feb/2007:21:56:31 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.208 - - [18/Feb/2007:21:56:44 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.209 - - [18/Feb/2007:21:57:09 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


 Post subject:
PostPosted: Mon Mar 05, 2007 9:44 pm 
Your Host
The above cluster of POSTs was bad, but it's nothing compared to the hammering I'm getting from the Inhoster hosting company in the Ukraine. Between 04/Mar/2007:03:31:03 -0800 and 05/Mar/2007:13:15:16 -0800, my logs show 309 accesses from the range 85.255.113.178 to 85.255.113.185, plus 6 from 85.255.117.98. In total, 288 of those accesses were failed POST attempts. That's some fairly heavy abuse! Thankfully my countermeasures deflect it without putting any noteworthy load on the system.


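The log reading the host does by eye in this thread (the referer breakdown in the 121.16.0.0/12 post, and the per-range counts of refused POSTs in the Commtouch and Inhoster posts) can be automated with a small parser for Apache's combined log format. This is an added example, not code from the forum; the sample lines are constructed from the patterns quoted in the thread, and grouping refused POSTs by /24 is my choice of granularity, not the host's.

```python
"""Summarise forum-spam probes from Apache combined-format log lines.

Added example: a small parser plus two of the host's log-reading habits,
reading search-engine referers and counting refused POSTs per address block.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample lines modelled on the ones quoted in this thread.
SAMPLE_LOG = '''\
121.27.232.237 - - [05/Feb/2007:03:13:25 -0800] "GET /posting.php?mode=quote&p=172&sid=5f42ccc17c62de8ff38be81b3f6a7f08 HTTP/1.1" 403 939 "http://www.google.cn/search?complete=1&hl=zh-CN&q=HTML+is+OFF+intitle%3A%27Post+a+reply%27&btnG=Google+%E6%90%9C%E7%B4%A2&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler )"
121.27.226.119 - - [06/Feb/2007:05:40:07 -0800] "GET /posting.php?mode=quote&p=28&sid=abbbd40df06a4657b75863433632a249 HTTP/1.1" 403 939 "http://www.google.com/search?q=+Topic+review+intitle:%22Post+a+reply+%22+-Confirmation+-code+++5&num=100&hl=zh-CN&newwindow=1&as_qdr=all&start=300&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"
121.27.218.219 - - [06/Feb/2007:05:37:44 -0800] "GET /favicon.ico HTTP/1.1" 403 938 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Alexa Toolbar)"
216.163.188.200 - - [18/Feb/2007:16:17:34 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
216.163.188.201 - - [18/Feb/2007:16:17:34 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
85.255.113.178 - - [04/Mar/2007:03:31:03 -0800] "POST /posting.php HTTP/1.0" 403 1247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
'''

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def search_referrals(records):
    """Break down requests that arrived straight from a Google results page."""
    stats = {"google_referrals": 0, "num_100": 0, "new_window": 0,
             "max_start": 0, "captcha_excluded": 0, "queries": Counter()}
    for r in records:
        ref = urlparse(r["referer"])
        if "google." not in ref.netloc:
            continue
        q = parse_qs(ref.query)  # decodes %xx and '+' in the query string
        query = q.get("q", [""])[0].strip()
        stats["google_referrals"] += 1
        stats["queries"][query] += 1
        if q.get("num", [""])[0] == "100":       # 100 results per page
            stats["num_100"] += 1
        if q.get("newwindow", [""])[0] == "1":   # hits opened in new windows
            stats["new_window"] += 1
        # how deep into the results the forum was found
        stats["max_start"] = max(stats["max_start"], int(q.get("start", ["0"])[0]))
        # queries that subtract CAPTCHA-bearing forms ("-Confirmation -code")
        if "-confirmation" in query.lower():
            stats["captcha_excluded"] += 1
    return stats


def refused_posts_by_block(records, prefix=24):
    """Count 403'd POSTs per /prefix block to expose clusters and botnets."""
    counts = Counter()
    for r in records:
        if r["method"] == "POST" and r["status"] == "403":
            net = ipaddress.ip_network("%s/%d" % (r["ip"], prefix), strict=False)
            counts[str(net)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(search_referrals(recs))
    print(refused_posts_by_block(recs))
```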
 Post subject: Implementing your JavaScript hack against trackback spammers
PostPosted: Wed Mar 28, 2007 5:21 pm 
Offline
Recognised Remarker

Joined: Wed Mar 28, 2007 5:15 pm
Posts: 2
Hey Brett,

I implemented your JavaScript/htaccess hack on my site. I'll watch my logs over the next week and let you know how that works.

I am already using a netblock blacklist culled from my own logs. It helps but I hate seeing a trickle of spam come through. http://steamedpenguin.com/blacklist

_________________
SteamedPenguin - Not Your Usual Meal


 Post subject:
PostPosted: Thu Mar 29, 2007 1:03 am 
Your Host
Please do let us know. I'm sure you'll be pleased with the results.


 Post subject: So far so good
PostPosted: Thu Mar 29, 2007 3:30 am 
Recognised Remarker
Brett,

I'll report with more data in a week, but so far no stragglers have made it through.

This will keep the baddies away until their bots speak JavaScript I guess.



 Post subject:
PostPosted: Fri Mar 30, 2007 5:19 pm 
Hello, do you think it's necessary to use JavaScript to set the cookie? What if you set the cookie via CGI script on a page that normal users will go to but not bots (e.g. the main page of the forum site)? This might be less effective since it's more likely that bots accept cookies normally than through JavaScript, but it solves the problem of visitors who don't have JavaScript on.

Reed

