TFBW's Forum
http://forum.tfbw.com/

Widespread and Systematic Forum Abuse (Forum Spam)
http://forum.tfbw.com/viewtopic.php?f=7&t=62
Page 1 of 3

Author:  TFBW [ Sat Sep 30, 2006 9:06 am ]
Post subject:  Widespread and Systematic Forum Abuse (Forum Spam)

Set up a forum like this, and it soon becomes apparent that email isn't the only Internet communications medium suffering under a load of abuse. Although this forum has less than one post per day on average at this time -- and nearly all of that activity originates with me -- I see dozens of obviously non-interactive attempts to "post bills", as it were.

This is no longer a practical concern for me, as I've found a very good way of disabling the spammers -- for now at least -- without compromising the general ability to use the forum in its intended manner. That technique is documented at the following address.

http://www.tfbw.com/archives/20

The fact that the abuse itself no longer has me scurrying about and cleaning up the mess gives me time to look at the patterns of abuse. For as long as it continues to interest me, I'll post bits and pieces of my Apache logfile (or summarised extracts thereof) which illustrate relatively interesting patterns of abuse.

Author:  TFBW [ Sat Sep 30, 2006 10:03 am ]
Post subject:  Sequential zombies

Here's a technique I've seen used in spammer attempts to deliver email. Because spam sources tend to get blocked by address fairly quickly, a spammer will make a series of attempts from different addresses under his control -- usually third party computers which have been compromised. In this case, a spammer leaves a conspicuous trail of POST attempts from a series of thirteen distinct hosts in less than thirty seconds. All are blocked by my countermeasures.

216.32.84.58 - - [29/Sep/2006:16:14:16 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.117 - - [29/Sep/2006:16:14:17 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.232.67.242 - - [29/Sep/2006:16:14:17 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.232.67.243 - - [29/Sep/2006:16:14:17 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.116 - - [29/Sep/2006:16:14:22 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
211.141.77.194 - - [29/Sep/2006:16:14:32 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.115 - - [29/Sep/2006:16:14:35 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.32.84.60 - - [29/Sep/2006:16:14:35 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.32.84.62 - - [29/Sep/2006:16:14:36 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.118 - - [29/Sep/2006:16:14:36 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.114 - - [29/Sep/2006:16:14:36 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
202.101.6.85 - - [29/Sep/2006:16:14:37 -0700] "POST /posting.php HTTP/1.1" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.32.84.61 - - [29/Sep/2006:16:14:37 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Author:  TFBW [ Mon Oct 23, 2006 10:34 am ]
Post subject: 

What's this? Someone in Germany either trying things with different browsers, or just seeing whether my countermeasures are specific to a particular user-agent string, I'd say. The answer is no -- the key ingredients are Javascript and cookies. If you have both of those, you can post.

84.63.121.194 - - [22/Oct/2006:02:56:39 -0700] "POST /login.php HTTP/1.1" 403 1048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20050519 Netscape/8.0.1"
84.63.121.194 - - [22/Oct/2006:02:56:42 -0700] "POST /login.php HTTP/1.1" 403 1048 "-" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.1 (like Gecko)"
84.63.121.194 - - [22/Oct/2006:03:03:41 -0700] "POST /profile.php HTTP/1.1" 403 1048 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412"
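
An added illustration of the kind of gate the post above describes (JavaScript plus cookies, or no posting). This is example code, not the forum's own code and not the technique documented at the linked tfbw.com address, which this page does not reproduce. The design is an assumption: the reply form carries a signed token in a hidden field, an inline script copies that token into a cookie, and a POST is accepted only when cookie and field carry the same, unexpired token. The cookie and field names, the secret and the lifetime are invented for the example.

```python
# Added example, not the forum's own code and not the technique at the linked
# address (which this page does not reproduce): a model of a "JavaScript plus
# cookie" posting gate. Assumed design: the reply form carries a signed token in
# a hidden field, an inline script copies it into a cookie, and a POST is
# accepted only when cookie and field carry the same valid token.
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-server secret (assumed; rotate as needed)
COOKIE = "js_ok"                  # assumed cookie name
FIELD = "js_token"                # assumed hidden-field name
TTL = 3600                        # assumed token lifetime, seconds

def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]

def issue_token(now=None):
    """issued-at.nonce.mac, minted when the posting form is served."""
    body = f"{int(now if now is not None else time.time())}.{secrets.token_hex(8)}"
    return f"{body}.{_mac(body)}"

def token_valid(token, now=None):
    """Signature intact and not older than TTL (also rejects future-dated tokens)."""
    now = now if now is not None else time.time()
    try:
        issued, nonce, mac = token.split(".")
        age = now - int(issued)
    except ValueError:            # wrong shape or non-numeric timestamp
        return False
    good = hmac.compare_digest(mac.encode(), _mac(f"{issued}.{nonce}").encode())
    return good and 0 <= age <= TTL

def render_form(token):
    """The reply form as served: no script engine, no cookie."""
    return (f'<form method="post" action="posting.php">'
            f'<input type="hidden" name="{FIELD}" value="{token}">'
            f'<textarea name="message"></textarea></form>'
            f'<script>document.cookie="{COOKIE}={token}; path=/";</script>')

def check_post(cookies, form, now=None):
    """Server side of the gate: (allowed, reason) for a POST to posting.php."""
    cookie, field = cookies.get(COOKIE), form.get(FIELD)
    if not cookie:
        return False, "no cookie: script not run or no cookie jar"
    if cookie != field:
        return False, "cookie and hidden field differ: form not fetched by this client"
    if not token_valid(cookie, now):
        return False, "token forged or expired"
    return True, "ok"

def scenarios(now=None):
    """Who gets through: a browser, and four kinds of bot."""
    now = now if now is not None else time.time()
    token = issue_token(now)           # what the served form (render_form) carries
    return {
        "browser":     check_post({COOKIE: token}, {FIELD: token, "message": "hi"}, now)[0],
        "blind_bot":   check_post({}, {"message": "spam"}, now)[0],        # POSTs with nothing
        "scraper_bot": check_post({}, {FIELD: token}, now)[0],             # copied the field, no JS
        "stale_bot":   check_post({COOKIE: token}, {FIELD: token}, now + 86400)[0],
        "forged_bot":  check_post({COOKIE: "1.x.y"}, {FIELD: "1.x.y"}, now)[0],
    }

if __name__ == "__main__":
    print(render_form(issue_token()))
    for who, allowed in scenarios().items():
        print(f"{who:12s} {'200' if allowed else '403'}")
```

A bot that POSTs straight at posting.php with no cookie jar fails the first check, which is what the 403s in the logs above look like; one that scrapes the hidden field but never executes the script fails the second. The caveat is that anything driving a real browser engine (or a bot written specifically for this page) passes, so the gate buys time rather than certainty.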

Author:  TFBW [ Wed Oct 25, 2006 3:49 pm ]
Post subject: 

Greetings from the Dominican Republic! A glance at my access logs shows a host at 200.88.223.98 (tdev223-98.codetel.net.do, in the Dominican Republic) that has been trying to post on my forum approximately once every 25 minutes since a day ago or so. Here are the first few hits.

200.88.223.98 - - [24/Oct/2006:00:44:26 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:01:08:45 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:01:32:40 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:01:56:53 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:02:21:14 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"

There are seventy such POST attempts at this stage, and it still appears to be on-going. I doubt that this is the worst offender, though. According to my stats page, the host at 209.249.11.4 (in the USA) is responsible for more than one third of my total forum traffic so far this month! Not that I noticed it, mind you.

Author:  TFBW [ Sat Nov 04, 2006 3:05 pm ]
Post subject:  What's a WebaltBot?

Something with a distinctive identifier of "WebaltBot" has been probing at my forum. The entire user agent string is "Mozilla/5.0 compatible WebaltBot/1.00 (i686-pc-linux)". Here's a sample of what it's been up to, minus the repetitive user agent string and "referer" URLs to save space.

72.232.83.90 - - [03/Nov/2006:00:36:27 -0800] "GET /posting.php?mode=reply&t=7 HTTP/1.1" 200 41905
72.232.83.90 - - [03/Nov/2006:00:36:27 -0800] "GET /posting.php?mode=reply&t=9 HTTP/1.1" 200 40446
59.94.104.60 - - [03/Nov/2006:00:36:35 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
211.119.72.77 - - [03/Nov/2006:00:36:38 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
221.149.83.165 - - [03/Nov/2006:00:36:39 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
83.69.97.142 - - [03/Nov/2006:00:36:40 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1487
217.216.170.234 - - [03/Nov/2006:00:36:44 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1449
61.95.218.114 - - [03/Nov/2006:00:36:53 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
86.138.16.181 - - [03/Nov/2006:00:36:57 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1449
72.232.83.98 - - [04/Nov/2006:00:35:36 -0800] "GET /posting.php?mode=reply&t=9 HTTP/1.1" 200 40447
72.232.83.98 - - [04/Nov/2006:00:35:36 -0800] "GET /posting.php?mode=reply&t=7 HTTP/1.1" 200 41888
218.123.92.74 - - [04/Nov/2006:00:36:04 -0800] "POST /posting.php?sid=c1cb040b3d37771fa6dbd655af8dc487 HTTP/1.0" 403 1449
220.110.213.157 - - [04/Nov/2006:00:36:05 -0800] "POST /posting.php?sid=c1cb040b3d37771fa6dbd655af8dc487 HTTP/1.1" 403 1487
221.24.40.110 - - [04/Nov/2006:00:36:19 -0800] "POST /posting.php?sid=2b70933b65cf596445de4b5dd7d60c06 HTTP/1.0" 403 0
220.35.96.112 - - [04/Nov/2006:00:35:39 -0800] "POST /posting.php?sid=2b70933b65cf596445de4b5dd7d60c06 HTTP/1.0" 403 609
72.232.83.114 - - [04/Nov/2006:04:16:33 -0800] "GET /posting.php?mode=reply&t=7 HTTP/1.1" 200 41900
72.232.83.114 - - [04/Nov/2006:04:16:33 -0800] "GET /posting.php?mode=reply&t=9 HTTP/1.1" 200 40457
71.15.156.88 - - [04/Nov/2006:04:16:35 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.0" 403 1449
201.30.93.5 - - [04/Nov/2006:04:16:37 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.1" 403 1449
201.243.56.199 - - [04/Nov/2006:04:16:37 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1487
203.88.155.26 - - [04/Nov/2006:04:16:45 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.1" 403 1449
125.177.130.151 - - [04/Nov/2006:04:16:52 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1449
82.207.54.220 - - [04/Nov/2006:04:16:58 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1449
211.32.74.174 - - [04/Nov/2006:04:17:12 -0800] "POST /posting.php?sid=851ab5dc7c809697d62b75a9545dbb16 HTTP/1.1" 403 1449
58.121.61.41 - - [04/Nov/2006:04:17:13 -0800] "POST /posting.php?sid=f8054e0a7934b221acdf9a6ce4cebe58 HTTP/1.1" 403 1449


Note the pairs of GET operations, which all originate in the IP address range 72.232.83.*, which belongs to Layered Technologies, Inc. The POST operations appear to come from a botnet.
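
Three of the patterns in this thread (the "sequential zombies" burst from many hosts, the Dominican host POSTing on a fixed schedule, and WebaltBot's hand-off of one phpBB sid to a botnet) can each be pulled out of an Apache access log mechanically. The script below is an added example, not the forum's own code: one parser for the combined log format and one detector per pattern, run over a handful of the log lines quoted in the posts above. Thresholds (window size, minimum distinct sources, jitter tolerance, lead time) are the example's own assumptions.

```python
# Added example, not the forum's own code: three detections over Apache
# "combined" access-log lines, for the patterns the posts above describe.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Sample input: lines copied from the posts above (a subset of each pattern).
SAMPLE_LOG = """\
216.32.84.58 - - [29/Sep/2006:16:14:16 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.117 - - [29/Sep/2006:16:14:17 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.232.67.242 - - [29/Sep/2006:16:14:17 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.41.183.116 - - [29/Sep/2006:16:14:22 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
211.141.77.194 - - [29/Sep/2006:16:14:32 -0700] "POST /posting.php HTTP/1.0" 403 1011 "http://forum.tfbw.com/posting.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.88.223.98 - - [24/Oct/2006:00:44:26 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:01:08:45 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:01:32:40 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:01:56:53 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
200.88.223.98 - - [24/Oct/2006:02:21:14 -0700] "POST /posting.php HTTP/1.1" 403 1512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
72.232.83.90 - - [03/Nov/2006:00:36:27 -0800] "GET /posting.php?mode=reply&t=7 HTTP/1.1" 200 41905
59.94.104.60 - - [03/Nov/2006:00:36:35 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
211.119.72.77 - - [03/Nov/2006:00:36:38 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
221.149.83.165 - - [03/Nov/2006:00:36:39 -0800] "POST /posting.php?sid=e522eb6e23528548bd7beace29668b37 HTTP/1.1" 403 1449
83.69.97.142 - - [03/Nov/2006:00:36:40 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1487
217.216.170.234 - - [03/Nov/2006:00:36:44 -0800] "POST /posting.php?sid=d82a2dcde0df145d82115b6ab8ee98e1 HTTP/1.1" 403 1449
"""

# Apache combined format; referer/user-agent optional so the trimmed lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    sid = re.search(r"[?&]sid=([0-9a-f]{32})", rec["path"])   # phpBB session id
    rec["sid"] = sid.group(1) if sid else None
    return rec

RECORDS = sorted((r for r in map(parse, SAMPLE_LOG.splitlines()) if r),
                 key=lambda r: r["ts"])                         # detectors assume time order

def bursts(records, window=timedelta(seconds=30), min_ips=5):
    """Sliding window over POSTs: >= min_ips distinct sources within `window`."""
    posts = [r for r in records if r["method"] == "POST"]
    found, i = [], 0
    for j, r in enumerate(posts):
        while posts[i]["ts"] < r["ts"] - window:
            i += 1
        ips = sorted({p["ip"] for p in posts[i:j + 1]})
        if len(ips) >= min_ips:
            found.append((posts[i]["ts"], r["ts"], ips))
    return found

def periodic_posters(records, min_hits=4, max_jitter=0.1):
    """One source POSTing on a near-constant interval: low variation in the gaps."""
    times = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            times[r["ip"]].append(r["ts"])
    out = {}
    for ip, ts in times.items():
        if len(ts) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out[ip] = round(avg)                                # mean gap in seconds
    return out

def shared_sids(records, min_ips=2, lead=timedelta(seconds=60)):
    """One sid POSTed from several sources, plus who fetched a reply form just before."""
    form_gets = [r for r in records if r["method"] == "GET" and "mode=reply" in r["path"]]
    by_sid = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["sid"]:
            by_sid[r["sid"]].append(r)
    out = {}
    for sid, rs in by_sid.items():
        ips = sorted({r["ip"] for r in rs})
        if len(ips) < min_ips:
            continue
        first = rs[0]["ts"]
        fetchers = sorted({g["ip"] for g in form_gets if first - lead <= g["ts"] <= first})
        out[sid] = {"post_ips": ips, "form_fetchers": fetchers}
    return out

if __name__ == "__main__":
    for start, end, ips in bursts(RECORDS):
        print(f"burst {start:%d/%b %H:%M:%S}-{end:%H:%M:%S}: {len(ips)} sources {ips}")
    for ip, gap in periodic_posters(RECORDS).items():
        print(f"periodic: {ip} POSTs every ~{gap}s")
    for sid, info in shared_sids(RECORDS).items():
        print(f"sid {sid[:8]}: POSTs from {info['post_ips']}, form fetched by {info['form_fetchers']}")
```

On the sample, the burst detector fires twice (the five zombie hosts within sixteen seconds, and the five WebaltBot POSTers within nine), the periodic detector reports 200.88.223.98 at roughly 1452 seconds between attempts, and the sid detector ties each sid to its several POSTing hosts and to the 72.232.83.90 form fetch that preceded them. The form fetcher and the POSTers are correlated only by timing here; the sid itself never appears in the GET line, which is what makes the hand-off worth flagging rather than just the POSTs.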

Author:  TFBW [ Sun Nov 05, 2006 3:19 pm ]
Post subject:  Do Do Do the Dominican Republic Rap

That host from the Dominican Republic I mentioned a couple of posts back is going nuts. There are currently 116 entries in my access log file from this host, all identical save for the timestamp. The earliest timestamp at the time I checked was "04/Nov/2006:00:39:43 -0800", and the latest was "05/Nov/2006:06:57:12 -0800", which translates to "regular accesses from around the start of the earliest logfile checked, right up to the present". The host is only attempting POST operations, and is getting 403s on every attempt.

Author:  TedR [ Mon Nov 06, 2006 4:28 am ]
Post subject: 

I actually registered in order to be able to reply to this thread.

I, too, run a number of forums, and was being swamped with bogus registrations, all to the end - I assume - of getting web sites in the profile. I already made changes to the forum code to not show new users who were not yet activated, but had not (yet) blocked profile visibility for unverified users (I'm quite comfortable with code, so that was no obstacle).

Thanks to your javascript/cookie tip, I won't (for now, anyway) need to go any further. Since implementing the cookie trick, I have had zero bot registrations.

Thanks, Brett.

Author:  TFBW [ Mon Nov 06, 2006 7:17 am ]
Post subject: 

I'm glad to hear that my technique has been of use. I have tried to share the benefits by publicising the technique in a couple of places, but the response has been underwhelming, which is a little deflating. On the plus side, the longer it remains an obscure technique, the longer it will work.

I still get the odd one or two manually-created accounts which appear to be for no other purpose than creating hyperlinks to boost pagerank. I append ".nolinkspam" to the domains of such URLs if they haven't abided by the terms of my account registration rules, and will probably delete the accounts later.

Author:  TedR [ Mon Nov 06, 2006 5:25 pm ]
Post subject: 

By the way, this is the same technique I have used for years to avoid the e-mail address-sucking bots - a bit of javascript to render the e-mail address so it makes sense to a browser, and not to a (simple) script.

Author:  TFBW [ Mon Nov 06, 2006 9:25 pm ]
Post subject: 

Yes, I use that technique on my personal info page for my email address. After several years, it's still a good way to make an email address available as a hyperlink without disclosing it to the harvesters.

Author:  TFBW [ Sat Nov 18, 2006 2:56 pm ]
Post subject: 

Every now and then, there's still someone who does their forum spamming the old fashioned way: manually. Someone from Russia just posted a whole bunch of spam-links to geocities pages in this very thread. I deleted it, of course, but here's the breadcrumb trail.

62.33.137.159 - - [17/Nov/2006:10:05:49 -0800] "GET /viewtopic.php?p=104&sid=e8775244618f8d319d8a77ef9e647e43 HTTP/1.1" 200 10800 "http://www.google.com/search?hl=en&lr=&client=opera&rls=ru&q=site%3A+forum+mode%3Dreply%26t&btnG=Search" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:05:54 -0800] "GET /favicon.ico HTTP/1.1" 404 584 "http://forum.tfbw.com/viewtopic.php?p=104&sid=e8775244618f8d319d8a77ef9e647e43" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:06:12 -0800] "GET /posting.php?mode=reply&t=62&sid=bfa27b162263410f7f52d5d5f4b61bd8 HTTP/1.1" 200 13070 "http://forum.tfbw.com/viewtopic.php?p=104&sid=e8775244618f8d319d8a77ef9e647e43" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:06:19 -0800] "GET /posting.php?mode=topicreview&t=62 HTTP/1.1" 200 7794 "http://forum.tfbw.com/posting.php?mode=reply&t=62&sid=bfa27b162263410f7f52d5d5f4b61bd8" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:06:52 -0800] "POST /posting.php HTTP/1.1" 200 4565 "http://forum.tfbw.com/posting.php?mode=reply&t=62&sid=bfa27b162263410f7f52d5d5f4b61bd8" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:07:00 -0800] "GET /viewtopic.php?p=112 HTTP/1.1" 200 10965 "http://forum.tfbw.com/posting.php" "Opera/9.00 (Windows NT 5.1; U; ru)"
62.33.137.159 - - [17/Nov/2006:10:07:05 -0800] "GET /favicon.ico HTTP/1.1" 404 584 "http://forum.tfbw.com/viewtopic.php?p=112" "Opera/9.00 (Windows NT 5.1; U; ru)"

Yeah... you may need to copy/paste that somewhere to make it readable, but it's not much better in terms of readability at larger sizes. Note in particular the initial "referer" URL. This very forum happens to be on the first page of that particular Google search. I'll repeat it here at full size to save you the bother of getting a magnifying glass.
Code:
http://www.google.com/search?hl=en&lr=&client=opera&rls=ru&q=site%3A+forum+mode%3Dreply%26t&btnG=Search

I think the intention was to find forums that allowed public posting, and it's worked to the extent that it found mine, but many of those hits aren't even forums, and mine is the first on the list that allows public posting. There might be something in this that I'm not getting, but I'm leaning towards the view that this particular spammer is just a bit of a n00b.

Author:  Guest [ Tue Dec 05, 2006 4:25 pm ]
Post subject:  Just passing through

I'm not a member of this forum, but I was able to edit a message and post a message here:
posting.php?mode=quote&p=94

By the way, I found you like through Google. :?

Author:  TFBW [ Wed Dec 06, 2006 2:00 am ]
Post subject: 

You were able to post a message because I've enabled guest posting. What I've attempted to disable is posting by bots. So congratulations, I believe you are not a bot.

Another source of irritation which wasn't a bot has just landed in my manually-maintained ban-list. The latest network to gain that dubious accolade is China Network Communications Group's Hebei province network (121.24.0.0/14). They have a nasty little forum spammer who spams in Chinese, unsurprisingly enough. He didn't take the hint when I deleted his first post, and came back for a couple more honking great hyperlink-laden posts in Chinese.

No more "TFBW's Forum" for Hebei until they reform their local spammer.

Author:  hgfhdg [ Tue Dec 12, 2006 4:52 pm ]
Post subject:  Re: What's a WebaltBot?

[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Ultram.html'>Ultram'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Paxil.html'>Paxil'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Home-Loan.html'>Home Loan'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Network-Marketing.html'>Network Marketing'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Life-Insurance.html'>Life Insurance'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Personal-Loan.html'>Personal Loan'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Mortgage-Refinance.html'>Mortgage Refinance'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Roulette.html'>Roulette'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/slot.html'>slot'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Online-Gambling.html'>Online Gambling'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Casino-Bonus.html'>Casino Bonus'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/Sport-Betting.html'>Sport Betting'>
[url=http://swixnordicwalking.us/english/jun/eng245/Discussion/bucks/forex.html'>forex'>

Author:  TFBW [ Wed Dec 13, 2006 1:28 am ]
Post subject: 

The above n00b spammer arrived via Google. The referer was "http://www.google.com/search?hl=en&lr=&client=opera&rls=en&hs=q7U&q=inurl%3Aposting.php%3Fmode%3Dquote%26p%3D&btnG=Search". Said spammer then posted again, after figuring out the proper way to format BBCode, but I deleted that one. The source IP address was 65.23.154.76.

Author:  TFBW [ Fri Dec 15, 2006 2:34 am ]
Post subject: 

The spammer mentioned in the post immediately prior to this one spammed again from exactly the same IP address. The /24 associated with the IP has been added to my "no access" list. Said spammer is a fairly ineffective pharma-spammer: the hyperlinks posted were all to pages named after drugs (mostly "ultram" and "tramadol"), but a quick check showed that the target was already 404 page not found. Either the spammer stuffed up his links, or the host on which his pages were stashed figured out they'd been hacked and cleaned it up.

Author:  TFBW [ Sat Dec 16, 2006 3:18 am ]
Post subject: 

A manual forum spammer, apparently in Pakistan (203.215.177.253), posted a spam with a massive number of links to "insidethesports.com" (registered to "Shahid Bashir Ahmad" of Lahore, Pakistan; creation Date: 10-Jun-2006), all relating to shoes. For some odd reason, there were also three links to "aerobic-shoes.net" (registered to "Ausaf Ahmad" of Lahore, Pakistan; creation Date: 04-Dec-2006) at the end, unsurprisingly on the subject of "aerobic shoes". He seems to have found my forum via Google as follows.
Code:
http://www.google.com/search?hl=en&lr=&safe=off&q=.ru+forum+post+a+reply&btnG=Search

Welcome to Pakispam. The BBCode on that post has been disabled to neutralise the links, and I'll probably delete it altogether in the near future.

Author:  TFBW [ Sat Dec 23, 2006 3:14 am ]
Post subject: 

A manual forum spammer operating from 65.88.88.200, which is registered to the New York Public Library, has posted a link to an AOL Hometown page ("musicopter") which claims to be the property of one "Gerry Aire". So a big "hi" goes to Gerry, who I surmise is spamming away like an antisocial prick in the New York Public Library. It's pretty obvious that spam is the name of the game when you arrive at the forum through a search like the following.
Code:
http://www.google.com/search?q=%22you+can+post+new%22%22you+can+reply+to+topics%22&hl=en&lr=&start=80&sa=N
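
The four Google referers quoted in this thread (the Nov 18, Dec 13, Dec 16 and Dec 23 posts) share one tell: the query is hunting for a forum with an open reply form, not for any topic. That is cheap to detect at the point the visitor arrives, because the query survives intact in the Referer header. The script below is an added example, not the forum's own code: it pulls the query out of a search-engine referer and scores it for forum-hunting markers. The marker list, weights, search-host list and threshold are the example's own assumptions; only the four referers are from the posts above.

```python
# Added example, not the forum's own code: pull the search query out of a
# search-engine Referer and score it for "find me a forum I can post to"
# markers. The four referers are the ones quoted in the posts above; the
# marker list, weights, host list and threshold are this example's own.
import re
from urllib.parse import parse_qs, urlsplit

REFERERS = [  # copied from the posts above
    "http://www.google.com/search?hl=en&lr=&client=opera&rls=ru&q=site%3A+forum+mode%3Dreply%26t&btnG=Search",
    "http://www.google.com/search?hl=en&lr=&client=opera&rls=en&hs=q7U&q=inurl%3Aposting.php%3Fmode%3Dquote%26p%3D&btnG=Search",
    "http://www.google.com/search?hl=en&lr=&safe=off&q=.ru+forum+post+a+reply&btnG=Search",
    "http://www.google.com/search?q=%22you+can+post+new%22%22you+can+reply+to+topics%22&hl=en&lr=&start=80&sa=N",
]

# (pattern, weight, meaning) -- assumed markers; phpBB-specific ones score high
MARKERS = [
    (r"\binurl:\s*posting\.php", 3, "phpBB posting script named outright"),
    (r"\bmode=(reply|quote|newtopic)\b", 3, "phpBB posting-URL fragment"),
    (r'"you can post new', 3, "phpBB permission-footer phrase"),
    (r'"you can reply to topics"', 3, "phpBB permission-footer phrase"),
    (r"\bpost a reply\b", 2, "reply-button wording"),
    (r"\bforum\b", 1, "generic"),
]
SEARCH_HOSTS = ("google.", "search.yahoo.", "bing.", "yandex.")  # assumed list
QUERY_KEYS = ("q", "p", "text")                                   # per-engine query parameter

def search_query(referer):
    """Decoded query string if the referer is a search results page, else None."""
    if not referer or referer == "-":
        return None
    u = urlsplit(referer)
    if not any(h in u.netloc for h in SEARCH_HOSTS):
        return None
    qs = parse_qs(u.query)          # undoes %xx and '+' encoding for us
    for key in QUERY_KEYS:
        if key in qs:
            return qs[key][0]
    return None

def score(query):
    """Total weight of the markers present, and which ones matched."""
    total, hits = 0, []
    for pattern, weight, meaning in MARKERS:
        if re.search(pattern, query, re.I):
            total += weight
            hits.append(meaning)
    return total, hits

def classify(referer, threshold=3):
    """None for non-search referers; otherwise the query, its score and a verdict."""
    query = search_query(referer)
    if query is None:
        return None
    total, hits = score(query)
    return {"query": query, "score": total, "forum_hunting": total >= threshold, "hits": hits}

if __name__ == "__main__":
    for ref in REFERERS:
        r = classify(ref)
        print(f"{'HUNT' if r['forum_hunting'] else 'ok  '} {r['score']:>2}  {r['query']!r}  {r['hits']}")
```

Every one of the four referers scores at or above the threshold, while an ordinary search that merely mentions a forum does not. This is a flag for a human, not a block: a referer is client-supplied and a spammer who knows about it simply omits it, so the absence of a hit proves nothing, and the posts above show plenty of manual spammers that would need the manual ban-list regardless.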

Author:  TFBW [ Sat Jan 06, 2007 1:59 am ]
Post subject:  Random stats

Random statistical trivia: between 2007-01-04 01:24:21 -0800 and 2007-01-05 17:42:29 -0800 (a period of just over 40 hours), the spam countermeasures on this forum blocked 387 POST attempts from 253 distinct IP addresses. That's between nine and ten POST attempts per hour, and that's a lotta spam! No doubt the trend will continue upwards, and then we'll fondly remember the days when there were only ten attempts per hour.

Author:  Mark78 [ Tue Jan 09, 2007 12:09 am ]
Post subject:  Re: What's a WebaltBot?

I like this forum; it always provides new and fresh information. I usually visit it to check out new stuff and discussions.

All times are UTC
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
http://www.phpbb.com/