Oct 15 2003

Blog-Spam – ip2location.com

There is a new kind of Spam going on. This time it is not the spam that clogs your inbox and announces the benefits of Viagra from Canadian suppliers, no – this time they abuse the commenting facilities of your blog-software.

In my case it started with a comment entry for my “Endless Source of live streams for TiVo” article. This is the email notification I received on Sun 10/12/2003:


A new comment has been posted on your blog KahunaBurger, on entry #54 (Endless Source of live streams for TiVo). http://www.kahunaburger.com/blog/mt-comments.cgi?entry_id=54

IP Address: 219.95.14.69
Name: dns
Email Address: lucy1982@hotmail.com
URL: http://www.ip2location.com

Comments:

Wow. This is the blog I was looking for...

--
Powered by Movable Type
Version 2.62
http://www.movabletype.org/

Wow – lucy1982@hotmail.com, thanks for the message. Hmm, but wait, there is no reference to the article contents. Where did she come from? How did she end up reading the article? Let’s dig a bit deeper.

The post came from “219.95.14.69”. Where’s that? Again using www.visualroute.com we get this:

[Image: ip2location.gif]

So, Lucy with the hotmail account commented on my entry from Malaysia – cool! Well where did Lucy come from? Let’s check the server’s log-files:


$ grep 219.95.14.69 access_log
219.95.14.69 - - [12/Oct/2003:06:35:34 -0600] "GET /blog/mt-comments.cgi?entry_id=54 HTTP/1.1" 200 6428 "-" "libwww-perl/5.69"
219.95.14.69 - - [12/Oct/2003:06:35:50 -0600] "POST /blog/mt-comments.cgi HTTP/1.1" 302 5 "-" "libwww-perl/5.69"
$

And those are the only entries in the log file. This means that Lucy went directly to the comments page for this entry and left a comment without even looking at the content (and yes, I did check the few hundred log-entries before for similar IP addresses in case Lucy went through a farm or proxy servers).

What’s even more interesting is the browser that Lucy used: libwww-perl/5.69. This tells me that Lucy left her comment programmatically in the blog and did not use IE, Mozilla, Opera, Konqueror or some other browser.
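The same log review as a script: an added Python example, not part of the original post, that flags comment posters who never fetched the article, sent no Referer, or used an HTTP library as client. The 192.0.2.10 log lines, the article path /blog/archives/000054.html and the user-agent prefix list are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
COMMENT_CGI = "/blog/mt-comments.cgi"  # comment endpoint seen in the post's log
# Assumption: prefixes of common HTTP-library user agents, not an exhaustive list.
SCRIPTED_AGENTS = ("libwww-perl", "lwp", "python-", "curl", "wget", "java/")

# First two lines are from the post; the 192.0.2.10 lines are constructed.
SAMPLE_LOG = """\
219.95.14.69 - - [12/Oct/2003:06:35:34 -0600] "GET /blog/mt-comments.cgi?entry_id=54 HTTP/1.1" 200 6428 "-" "libwww-perl/5.69"
219.95.14.69 - - [12/Oct/2003:06:35:50 -0600] "POST /blog/mt-comments.cgi HTTP/1.1" 302 5 "-" "libwww-perl/5.69"
192.0.2.10 - - [12/Oct/2003:07:01:02 -0600] "GET /blog/archives/000054.html HTTP/1.1" 200 9120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [12/Oct/2003:07:02:10 -0600] "GET /blog/mt-comments.cgi?entry_id=54 HTTP/1.1" 200 6428 "http://www.kahunaburger.com/blog/archives/000054.html" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [12/Oct/2003:07:03:45 -0600] "POST /blog/mt-comments.cgi HTTP/1.1" 302 5 "http://www.kahunaburger.com/blog/mt-comments.cgi?entry_id=54" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

def endpoint(req):
    """Request path without its query string."""
    return req["path"].split("?")[0]

def suspicious_commenters(log_text):
    """Map each commenting IP to the reasons its session looks automated."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_ip[m["ip"]].append(m.groupdict())
    findings = {}
    for ip, reqs in by_ip.items():
        posts = [r for r in reqs if r["method"] == "POST" and endpoint(r) == COMMENT_CGI]
        if not posts:
            continue  # this client never submitted a comment
        reasons = []
        if all(endpoint(r) == COMMENT_CGI for r in reqs):
            reasons.append("never requested the article page")
        if any(r["referer"] in ("", "-") for r in posts):
            reasons.append("comment POST without Referer")
        if any(r["agent"].lower().startswith(SCRIPTED_AGENTS) for r in reqs):
            reasons.append("scripted HTTP client")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in suspicious_commenters(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Referer and User-Agent are supplied by the client, so these signals are triage hints for reviewing comments rather than proof of automation.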

And here’s the theory:
1) Lucy offered her services to a company claiming she would increase traffic for a site (ip2location.com).
2) Lucy did a query on Google for some popular topics and narrowed the number of responses down to those responses that come from Blog systems like MovableType (as used here on kahunaburger.com).
3) Lucy ran her commenting script on those URLs which generated the comment in my blog.
4) People hit my article on www.kahunaburger.com and some of those will follow her link back to www.ip2location.com, which in turn increases the hits on this target site.

Of course this is only a theory, but a pretty solid one as far as I’m concerned. But there are some links out there which seem to prove this theory:

* http://meta.popdex.com/link/117
* http://www.amishrobot.com/archive/000189.html
