Jul 24 2009

5 years into it, Vistaprint spam post still going strong

vistaprintIn March 2004 I was fed up with the constant spam that linked to a company called VistaPrint (not hot-linked here for obvious reasons).

I put on my engineering hat and dissected spam emails to find out where the stuff was coming from. I also posted my findings in an open letter to VistaPrint end of March 2004.
Nothing happened for a while and then, out of the blue, an employee from VistaPrint responded and offered to look into the issue. I sent a number of spam samples, which I still happened to have lying around, to that person and, surprise, surprise, never received a response from anybody at VistaPrint (most likely those forwarded spam messages along with my comments were filed under junk mail as well).

If I can trust the traffic analysis for kahunaburger, that very same VistaPrint open letter above is one of the busiest pages on my server. Just in the last few weeks it received at least 10 comments from people who suffer under the constant spam bombardment or who have been duped into signing up for something that they don’t want. Searching for “vistaprint spam” on Google, shows that kahunaburger is listed as the very first entry.

I have little hope that any of those actions mentioned in the comments to the open letter will make any difference. VistaPrint, with headquarters in the Bermudas, lives from affiliate networks driving traffic to their site. Those affiliate networks have been linked to spam since the beginning of spam. VistaPrint claims that they don’t allow affiliate members to send unsolicited emails, but they don’t do anything about it proactively, but instead just pretend to investigate whenever too many people complain about a particular spam incident. Even if they sack the responsible affiliate and terminate his account, that guy just turns around and signs up under a different name/email to do the very same again.

Just take a look at all the information that’s posted about VistaPrint on ripoffreport.com – makes you really wonder how they can still be in business.

Anyway, what I found interesting was the fact that a 5-year old post on this site could still generate substantial traffic today …


Aug 11 2005

dontevercallmyname

Sometimes I don’t get comment spammers: I’ve seen tons of attempts to place comments on kahunaburger.com that refer to dontevercallmyname.com, dontevercallmyname2.org or dontevercallmyname3.net. Always the same BS: “great site! keep up the good work! etc.”. What baffles me is the fact that those domains are not even registered. Does anybody have a clue why I and tons of other places (see Google Search for “dontevercallmyname”) getting spammed this way?


Apr 17 2005

Spammer discover “banner”

Wow – that’s gonna be hard to pattern-match. Top part of this screenshot is from my Email-client, bottom part is the beginning of the source for the message:

spam using banner

Looks like somebody discovered that “banner” (if you’re on a Unix system try this from a shell: banner “foo”) with a small font-size yields machine-unreadable but human-readable content. Almost a reverse-captcha, let’s call it raptcha …


Feb 21 2005

“69.50.182.154” – is it just me?

The a$$-clown going through “69.50.182.154” has been pretty persistent in trying to drop comment spam on my server over the last few days. I would almost say the behaviour is borderline ambitious. In fact:

localhost$ grep "69.50.182.154" access_log | wc -l

303

localhost$

(that’s since this morning 2am). And:

localhost$ zcat access_log.1.gz| grep "69.50.182.154" | wc -l

1398

localhost$

(that would be last week)

So Emil has earned himself already a permanent place in my heart for providing an open proxy to the world, but I can’t believe that nobody else is being targeted – or are you being bugged by “69.50.182.154” as well?


Feb 2 2005

Interview with a link spammer

This “Interview with a link spammer | The Register” is a very interesting interview with somebody who’s bugging public blogs with comment/link spam.

“So Sam, like other link spammers, uses the thousands of ‘open proxies’ on the net. These are machines which, by accident (read: clueless sysadmins) or design (read: clueless managers) are set up so that anyone, anywhere, can access another website through them. Usually intended for internal use, so a company only needs one machine facing the net, they’re actually hard to lock down completely.”

This validates mt-proxyplug as a means to get rid of comment spam. Since I have it running on my web site I had to deal with only a few comment spam submissions here.

Also, Sixapart’s Professional Network seems to have picked up the story and issues recommendations on how to avoid the problem.


Jan 21 2005

Referer Spammer of the Month Award

Kahunaburger.com is proud to present the first “Referer Spammer of the Month Award”.

It was a close race between the two favorites and only a few hundred referer spam entries separate them, but in the end, there can only be one winner.
Continue reading


Jan 15 2005

mt-proxyplug shut down comments through proxies

A few days ago I posted Deny Comment Spam from open proxies in MovableType which showed a technique to limit comment submissions through proxies. Unfortunately there are a number of issues with the small plugin, which made me create mt-proxyplug, presented in this article.

How it all started

I am a longtime user of Jay Allen’s Blacklist and was happy with it for a long time. Recently I could not keep up with adding new keywords/urls to the black list. There seem to be a million variations of “Texas Hold’em” out there and I ended up adding those items slowly to the Blacklist system (in the end I actually added “texas” as a Blacklist item only to find a “texa$ H0ld’em” the next day in my list of moderated comments).

I started to look more carefully at the offending posts and investigated the submitting IP addresses in detail. Soon I realized that most of the stuff was coming from public proxy servers. Companies stupid enough to run public proxies and hijacked user systems are on top of the list of systems that submitted spam to my server.

Monitoring the proxies

My apache configuration was changed to include some proxy specific information in my access_logs. I changed the line:
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
to
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %{HTTP_X_FORWARDED_FOR}e" combined

This means that the apache server will also log the contents of the environment variable “HTTP_X_FORWARDED_FOR” to the access_log, whenever that environment variable is present. And the environment variable is present if the current request contains a “X-Forwarded-For:” header item. The presence of this item is almost always a clear indication that the request was handled by a proxy server. Items that would have previously been logged like this:

200.242.249.70 - - [15/Jan/2005:11:31:52 -0700] "POST /blog/mt-comments.cgi HTTP/1.0" 302 0 "http://www.kahunaburger.com/blog/mt-comments.cgi?entry_id=113" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"

suddenly looked like this:

200.242.249.70 - - [15/Jan/2005:11:31:52 -0700] "POST /blog/mt-comments.cgi HTTP/1.0" 302 0 "http://www.kahunaburger.com/blog/mt-comments.cgi?entry_id=113" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)" 168.41.192.0

(note the addition of the IP address at the end of the line)

That’s when I started focusing on proxies and developed mt-commentproxyblock, which evolved into mt-proxyplug.

What does it do?

mt-proxyplug when installed on a MovableType system will act as a ‘CommentFilter’. Every comment submission is passed through it, before it is committed to the database. The plugin will inspect the remote IP address of the system that submits the comment. First it will check if there is a “X-Forwarded-For:” header item in the current comment submission request. The mere presence of the header field is an indication that stuff is being submitted through a proxy server. It will then query the Distributed Sender Blackhole List and the Blitzed Open Proxy Monitor List for entries for the submitting remote IP address. If either one knows about the IP address, then we assume that the comment comes from a known public proxy system.

In a last test the remote system is probed on a number of common proxy ports. We try to get access through the system to a well-known and relatively stable host on the internet. If this request is processed successfully on any of the probed ports we also assume that the remote end is indeed a public proxy.

If any one of the above tests is positive we are not executing the other tests and simply flag the current comment submission as suspicious.

A configuration section at the top of the file allows for customization of the list of tests the plugin should run.
There is also a CACHE_COUNT definition that specifies how many found proxies the plugin should keep track of (this will make it much quicker on subsequent requests, if a proxy is used numerous times in a row).

A log of the plugin’s actions is also provided in MT’s Activity Log. Here’s just a small section from my current log:

Since I installed the plugin on kahunaburger.com’s blog it has caught 121 of 122 comment submissions. The one that slipped through was actually caught by mt-spamassassin. During the same time period I also received 4 good comment submissions which made it through the system without any problems.

How to use mt-proxyplug

Just drop the file below into your MovableType’s plugins folder. Modify the “settings” section to your liking (the default values are the recommended values) and you’re set.
No other modules are required (I assume that IO::Socket is available on all newer perl installations). HTTP::CheckProxy (as used in the previous version of the plugin) has been dropped, because it would report false positives (or is it “true negatives”?).

Update 01/20/2005: I’ve updated the plugin below to version 0.6. Two changes since the original version:
1) I set CHECK_LIST_DSBL_ORG to “0” by default, based on ioerror.us’s comments here
2) I fixed the require list at the top of the file to include “LWP::UserAgent” after receiving a problem report from Chris.

You can download the plugin here: mt-proxyplug.pl.gz (2.5KB, gzip)


Jan 13 2005

Deny Comment Spam from open proxies in MovableType

Update 2005/01/15: Please consider using mt-proxyplug instead of this plugin below.

Along the same lines as yesterday’s SpamAssassin and MovableType entry, here’s another weapon against the “texas hold’em” and “football–betting” idiots.

Those morons have a tendency to conceal their identity. They are hiding behind public proxy servers and bombard your servers with their crap from there. So all we have to do is to check for a public proxy when somebody tries to submit a comment. If I detect a submission through a public proxy server it will not end up on the site, but will be ignored silently.

The proxy check is done in two stages:

  • if we find the HTTP_X_FORWARDED_FOR environment variable we assume that a proxy has handled the request and we don’t even look any further.
  • if no HTTP_X_FORWARDED_FOR is found, we grab Apache’s REMOTE_ADDR environment variable (the ip-address of the system who sent the current request) and use the HTTP::CheckProxy module to test whether the submitting system is a public proxy server

If a comment submission is coming from a public proxy we drop a line in the server’s error_log. Here are just some of the entries I captured since I installed it:

[Thu Jan 13 08:35:21 2005] comment denied - using proxy: 216.49.49.118 80.25.156.151 -
poker/bushmills1614@rocketmail.com/80.58.4.111
[Thu Jan 13 08:35:46 2005] comment denied - using proxy: 24.215.40.47 -
football betting/bob@y6322o.com/63.110.140.28
[Thu Jan 13 08:39:00 2005] comment denied - using proxy: 58.40.89.127 -
phentermine/gocha9985@see.it/203.199.92.158
[Thu Jan 13 08:48:59 2005] comment denied - using proxy: 115.120.174.78, 127.0.0.1 -
online poker/absolut5129@freemail.com/80.255.49.222

And before somebody points me at Brad’s DBSL plugin: I’ve tested all the proxies listed above and they do not appear in the DSBL.

In order to use the plugin you will need to have the perl module HTTP::CheckProxy on your system. Drop the perl-code below into your MT plugins folder and you should be ready to go. Again, this has only been tested under Apache!

You can download the compressed version here: mt-commentproxyblock.pl.gz (1 Kb,gzip)

#!/usr/bin/perl -w
package MT::Plugin::CommentProxyBlock;

use strict;
use lib '../lib';
use vars qw ($VERSION);
$VERSION='0.2';

use constant ACCEPT_RESPONSE => 1;
use constant DENY_RESPONSE => 0;

use MT;
use MT::App::Comments;
use HTTP::CheckProxy;

eval{ require MT::Plugin };
unless ($@) {
    my $plugin = {
        name => qq{Comment Proxy Block for Movable Type v$VERSION},
        description => qq{Will block attempts to post a comment via a proxy server},
    };
    MT->add_plugin(new MT::Plugin($plugin));
    # tell MT that we want to be called to filter comments
    MT->add_callback('CommentFilter', 1, $plugin, \&proxyCheck_filter);
}

# proxyCheck_filter
#
# checks environment for an entry which indicates we are handling a request that
# came from a proxy server (HTTP_X_FORWARDED_FOR). If environment does not give
# any indication, check REMOTE_ADDR and see if it proxies requests for us. If
# either is true we deny the comment posting attempt. Tested in Apache only!

sub proxyCheck_filter {
    my($eh,$app,$comment)=@_;
    my($isProxy,$proxy)=(0,'');

    # uncomment to get a complete dump of the environment
    # dumpEnv();
    # check environment
    $proxy=$ENV{HTTP_X_FORWARDED_FOR};
    if(defined($proxy) && length($proxy)) {
        print STDERR "[".scalar(localtime())."] proxy request forwarded for: $proxy\n";
        # if we have a X-Forwarded-For header, it was most likely
        # added by the system that sent the request
        $proxy=$ENV{REMOTE_ADDR};
        $isProxy++;
    }
    # check remote address
    unless($isProxy) {
        $proxy=$ENV{REMOTE_ADDR};
        print STDERR "[".scalar(localtime())."] probing for open proxy: $proxy\n";
        my $p=HTTP::CheckProxy->new($proxy,qq{http://www.google.com/});
        $isProxy++ if($p->guilty());
    }
    if($isProxy) {
        print STDERR "[".scalar(localtime())."] comment denied - " .
          "using proxy: $proxy - " .
          join("/",$comment->author,$comment->email,$comment->ip) .
          "\n";
        return DENY_RESPONSE;
    }
    return ACCEPT_RESPONSE;
}

sub dumpEnv {
    print STDERR "[".scalar(localtime())."] environment for $0:\n";
    foreach my $key (sort keys %ENV) {
        print STDERR "[".scalar(localtime())."] $key = ",$ENV{$key},"\n";
    }
}

1;

Jan 11 2005

Spam Assassin and Movable Type

Update 2005/01/15: Please consider combining the plugin below with mt-proxyplug for best results.

A few days ago I saw the post on ioerror.us which details a solution to link WordPress’s comment checking system with Spam Assassin. I run MovableType and a WordPress solution does not work for me. The code needed to change a bit before it was usable on my system.

After enabling it last night and disabling mt-blacklist, I’m happy to report that it has caught every single comment spam attempt (a total of 32 attempts were registered). Spam indications appear in my server’s error_log like this:

[Tue Jan 11 08:33:34 2005] spam from diet pills/jane_doe7082@work.com/
148.244.150.58: score 10.7 (limit 5.0)

A message like this indicates that the ‘CommentFilter’ implemented in mt-spamassassin.pl has received notification from the Spam Assassin daemon that the current comment is over the Spam Assassin threshold.

In order to use the mt-spamassassin.pl plugin you will need to have Spam Assassin’s spamd running on your own network or need access to spamd running on a remote system. Enter the name of the system that runs spamd in $sa_spamd_host (use ‘localhost’ if it’s running on the same host as MovableType) and also enter the port number where spamd can be reached in $sa_spamd_port. And because I did not find a way to retrieve a blog owners email address from within the MoveableType plugin, please also enter your email address in $mt_owner. For SpamAssassin’s user_prefs to work, you should also set your real (unix) userid in $mt_userid. Drop the modified file in your blog’s plugins folder and it should be ready to go.

Thanks to http://www.ioerror.us/ for the cool idea!

You can download the compressed version here: mt-spamassassin.pl.gz (1.5 Kb,gzip)

Update 01/14/2005: I’ve since added another plugin called mt-commentproxyblock, which has detected every single spam submission on 01/13/2005 before it was passed through mt-spamassassin. It seems that the majority of spammers do use public proxies and those are easy to detect.

Update 01/20/2005: I just posed a new version of the plugin with a few enhancements. If you have both mt-spamassassin and mt-proxyplug on your system, a comment will be shortcut if mt-proxyplug has already determined that it comes from an open proxy. Specifically, mt-spamassassin will look at the visible-flag of the comment and will not work on comments which are not visible. This will cut down on processing time for spam comments.
Second, Justin was nice enough to correct the fake Message-header I’ve been sending to spamd to make it more RFC-2822 compliant. Thanks!
Third, you can now specify a $mt_moderate threshold value. This means that if a comment submission is below the Spam threshold (defined in Spam Assassin), but above the $mt_moderate value, it will be moderated instead of being allowed all the way through to the blog.

#!/usr/bin/perl -w
package MT::Plugin::SpamAssassin;
use strict;
use lib '../lib';
use vars qw ($VERSION);
$VERSION='0.4';
# (CHANGE ME) what host is running spamd?
my $sa_spamd_host = q{localhost};
# (CHANGE ME) what port is spamd listening on?
my $sa_spamd_port = 783;
# (CHANGE ME) who is the owner of the blog?
my $mt_owner      = q{me@localhost.com};
# (CHANGE ME) what is the userid for SpamAssassin?
my $mt_userid     = q{me};
# (CHANGE ME) what is the moderate threshold?
my $mt_moderate   = 1.5;
use constant ACCEPT_RESPONSE => 1;
use constant DENY_RESPONSE   => 0;
use MT;
use MT::App::Comments;
use IO::Socket;
use Time::Local qw(timegm);
use POSIX;
eval{ require MT::Plugin };
unless ($@) {
    my $plugin = {
        name => qq{Spamassassin for Movable Type v$VERSION},
        description => qq{Spamassassin for Movable Type},
    };
    MT->add_plugin(new MT::Plugin($plugin));
    # tell MT that we want to be called to filter comments
    MT->add_callback('CommentFilter', 10, $plugin, \&sa_filter);
}
# sa_filter
#
# 'CommentFilter' that is called for each attempt to post a comment
# on your blog. We'll pass the incoming comment to spamd running on
# $sa_spamd_host:$sa_spamd_port. If spamd responds with an indication
# that the comment was spam, then we'll repond with DENY_RESPONSE.
# If spamd says it's no spam or we can't get a good connection to
# spamd, we'll respond with ACCEPT_RESPONSE
sub sa_filter {
    my($eh,$app,$comment)=@_;
    unless($comment->visible()) {
        return ACCEPT_RESPONSE;
    }
    #print STDERR "[".scalar(localtime())."] mt-spamassassin: " .
    #  join("/",$comment->author,$comment->email,$comment->url,$comment->ip) . "\n";
    my $now=rfc822_date();
    my $hostname=gethostbyaddr(inet_aton($comment->ip), AF_INET);
    my $message="From " . $comment->email . " " . $now . "\n" .
      "Received: from client ([" . $comment->ip . "] ".
      ($hostname?$hostname:$comment->ip) . ")" .
      " by " . $ENV{HTTP_HOST} . " via MovableType; " . $now . "\n" .
      "Message-id: <". sprintf("%x\$%x",time,rand(65535)) .
      "\@" . ($hostname?$hostname:sprintf("[%s]",$comment->ip)) . ">\n" .
      "From: " . $comment->author .
      " <" . $comment->email . ">\nDate: " . $now . "\n" .
      "Subject: MovableType comment\n" .
      "To: $mt_owner\n\n" .
      $comment->url . "\n".
      $comment->text;
    # make sure all lines end in "\r\n";
    $message =~ s/\r\n/\n/gs;
    $message =~ s/\r/\n/gs;
    $message =~ s/\n/\r\n/gs;
    # now send it off to Spamassassin
    my $socket=IO::Socket::INET->new(PeerAddr => $sa_spamd_host,
                                     PeerPort => $sa_spamd_port,
                                     Proto    => "tcp",
                                     Type     => SOCK_STREAM);
    # no socket - no spam check
    return ACCEPT_RESPONSE unless($socket);
    # create the CHECK message for spamd
    $message = "CHECK SPAMC/1.2\r\n" .
      "User: $mt_userid\r\n" .
      "Content-Length: ".length($message).
      "\r\n\r\n".
      $message;
    # print STDERR "[".scalar(localtime())."] sending to spamd:\n$message\n";
    # send it to spamd
    my $toSend=$message;
    while(length($toSend)) {
        my $written = $socket->send($toSend);
        unless(defined($written)) {
            # oh no, something went wrong :-(
            return ACCEPT_RESPONSE;
        }
        $toSend=substr($toSend,$written);
    }
    # close writing end of socket
    $socket->shutdown(1);
    # suck in response from SpamAssassin
    my $response;
    while(1) {
        my $buffer;
        unless(defined($socket->recv($buffer, 1024))) {
            return ACCEPT_RESPONSE;
        }
        last unless(length($buffer));
        $response .= $buffer;
    }
    # trim  whitespace off the beginning of the response
    $response =~ s/^\s*//;
    # check if it is really a SpamAssassin response
    return ACCEPT_RESPONSE unless ($response =~ /^spamd\/[\d\.]+/i);
    # now find "Spam: True|False ; score / limit" header
    return ACCEPT_RESPONSE
      unless ($response =~ /spam:\s*(\S+)\s*;\s*([\d\.]+)\s*\/\s*([\d\.]+)/is);
    my($flag,$score,$limit)=($1,$2,$3);
    #if($flag =~ /false/i) {
        #print STDERR "[".scalar(localtime())."] no spam:\n$message\n";
    #}
    print STDERR "[".scalar(localtime())."] spam $flag from " .
      join("/",$comment->author,$comment->email,$comment->ip) .
      ": score $score (limit $limit)\n";
    if($flag =~ /false/i) {
        if($score > $mt_moderate) {
            print STDERR "[".scalar(localtime())."] moderating comment\n";
            $comment->visible(0);
        }
        return ACCEPT_RESPONSE;
    }
    # log a line to the error_log
    return DENY_RESPONSE;
}
# rfc822_date
#
# generate a GMT date according to rfc822
sub rfc822_date {
    # offset in hours (from Mail::Sendmail)
    my $offset  = sprintf "%.1f", (timegm(localtime) - time) / 3600;
    my $minutes = sprintf "%02d", abs( $offset - int($offset) ) * 60;
    my $TZ  = sprintf("%+03d", int($offset)) . $minutes;
    return POSIX::strftime("%a, %d %b %Y %T $TZ",localtime(time()));
}
1;

Mar 3 2004

Open letter to vistaprint.com: Stop the Spam!

“Claim 250 Full-Color Business Cards FREE!” it screams at me every few days. Vistaprint.com is giving away those 250 Business Cards, because they know you’ll like the quality and will come back for more.
What they don’t know is that people are getting fed up with the constant stream of spam advertising their service. So here’s an open letter to those guys at vistaprint.com
Continue reading


Jan 26 2004

Bye, bye nonymouse.com – thanks to the losers at airengiadina.ch

Thanks to those losers at airengiadina.ch the anonymous proxy at http://www.nonymouse.com/ has been banned entirely from my web-server. It started when some loser tried to post a comment to every single entry on my blog. Here are the relevant lines from the access_log file:

66.36.249.149 – – [26/Jan/2004:12:35:12 -0700] “GET /blog/archives/000001.html HTTP/1.0″ 200 7761 “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:17 -0700] “GET /blog/archives/000001.html HTTP/1.0″ 200 7761 “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:22 -0700] “POST /blog/mt-comments.cgi HTTP/1.0″ 200 2159 “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:24 -0700] “GET /blog/archives/000002.html HTTP/1.0″ 200 7556 “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:27 -0700] “POST /blog/mt-comments.cgi HTTP/1.0″ 200 2159 “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:30 -0700] “GET /blog/archives/000003.html HTTP/1.0″ 200 7391 “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:34 -0700] “POST /blog/mt-comments.cgi HTTP/1.0″ 200 2159 “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:37 -0700] “GET /blog/archives/000004.html HTTP/1.0″ 200 7618 “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:42 -0700] “POST /blog/mt-comments.cgi HTTP/1.0″ 200 2159 “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:46 -0700] “GET /blog/archives/000005.html HTTP/1.0″ 200 7908 “-” “http://@nonymouse.com/ (Unix)”

I happened to have a terminal window open which showed the lines go by. So I go quickly to my control center (see the entry Making it fun to fight blog spammers) and hit the “Deny all future access” link for ip-address 66.36.249.149.

What follows in the access_log is an almost endless list of attempts to download other blog-entries (even ones that don’t exist):

66.36.249.149 – – [26/Jan/2004:12:35:52 -0700] “POST /blog/mt-comments.cgi HTTP/1.0″ 403 – “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:55 -0700] “GET /blog/archives/000006.html HTTP/1.0″ 403 – “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:35:57 -0700] “GET /blog/archives/000007.html HTTP/1.0″ 403 – “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:36:00 -0700] “GET /blog/archives/000008.html HTTP/1.0″ 403 – “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:36:06 -0700] “GET /blog/archives/000009.html HTTP/1.0″ 403 – “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:36:09 -0700] “GET /blog/archives/000010.html HTTP/1.0″ 403 – “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:36:12 -0700] “GET /blog/archives/000011.html HTTP/1.0″ 403 – “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:36:15 -0700] “GET /blog/archives/000012.html HTTP/1.0″ 403 – “-” “http://@nonymouse.com/ (Unix)”
66.36.249.149 – – [26/Jan/2004:12:36:18 -0700] “GET /blog/archives/000013.html HTTP/1.0″ 403 – “-” “http://@nonymouse.com/ (Unix)”

The 403 means that they received an “Access Denied” error message, instead of the page content.

Funny enough, I can also see that those guys were not successful at posting comments to my server, thanks to the Moveable Type Blacklist Plugin (see Jay Allen’s page at http://www.jayallen.org/projects/mt-blacklist/).

mysql> select log_id,log_message,log_ip from mt_log order by log_created_on desc limit 4;
+——–+————————————————————–+—————+
| log_id | log_message | log_ip |
+——–+————————————————————–+—————+
| 139 | MT-Blacklist comment denial on KahunaBurger: airengiadina.ch | 66.36.249.149 |
| 138 | MT-Blacklist comment denial on KahunaBurger: airengiadina.ch | 66.36.249.149 |
| 137 | MT-Blacklist comment denial on KahunaBurger: airengiadina.ch | 66.36.249.149 |
| 136 | MT-Blacklist comment denial on KahunaBurger: airengiadina.ch | 66.36.249.149 |
+——–+————————————————————–+—————+

Losers, be gone …


Dec 20 2003

Ebay Account Verification – yernadop again – Wake Up!

This morning I received another “EBay Account Verification” scam message. And again, “yernadop” was behind this one (see my first post on this subject: here). This time he used http://infinitymicrocomponents.com/ to anchor the verification pages. Within 2 minutes after opening the page, I had sent a notification to spoof@ebay.com where one is supposed to report those kind of scam messages. About 2 minutes later I called the owner of the web site (who’s phone number was conveniently posted on the “Contact Us” page). Some woman answered and confirmed that I had indeed reached “Infinity Micro Components”, however she did not have a clue what I was talking about when I told her that her web server was hijacked and being abused. After 5 minutes of trying to explain it to her, I decided to send them email and strongly suggest to shutdown the web server or remove the pages in question.

A few minutes after hanging up the phone, I stumbled over a WS_FTP.LOG file in a directory that was used by the scammer. Interestingly enough it shows activity over the whole year and where the scammer placed false “Account Verification” pages (www.luckymv.com, www.trackitsolutions.com, www.planetamultimedia.com, etc.) – the list goes on and on. Some of them are still active.
I thought that this would be valuable information for ebay, however when I sent it to the same spoof@ebay.com address, I received a notification that my message was not received by ebay, because it did not happen to be a “forwarded message”.

Bummer! Here I sit with evidence of other spoof places and gullible people are getting ripped off and ebay does not offer a way for me to report this? Sad … somebody at ebay, please, wake up and provide a way where this information can be submitted. If you’re interested, that is …

PS: It’s also good to see that the “Account Verification” page on Infinity Micro Components has been shut down earlier today …


Oct 24 2003

hotpennies.net – IPFS spam

There are some classes of spam which make me furious. Here is one example of them. Hotpennies.net (not linked for a reason) sent me this message where they advertise a company called “Integrated Performance Systems Inc.” and urge me to “Watch This Stock Trade!!!”.

While I’m in no position to judge the perfromance of this company or it’s stock, I’m in a position to judge what I want to see in my EMail-Inbox. And this is not among those items I want to deal with on a daily basis. Even if this company is poised to sky-rocket in the future and one could make millions from buying stock in this company, it had exactly the opposite effect on my: the fact that they chose to advertise via spam makes me avoid them like the plague in the future. I hope you do the same. Too bad.


Oct 17 2003

More blog spam – discount-life-insurance.us and discount-viagra-cheap.com

I guess I’ve only seen the tip of the iceberg here on kahunaburger. Two more of those blog spammers are present in the comment section for TiVo + Home Media Option + Email. One points us a the incredible and amazing discount-viagra-cheap.com and the other one leads to the wonder discount-life-insurance.us.

For the moment the “http” in those links has been replaced by “hddp”, which will make sure that other robots will not count those stupid links as valid and will also not make people go there.

As long as Registrars like Go Daddy and enom.com allow people to register domains with information like the one you find for discount-life-insurance.us and for discount-viagra-cheap.com every low-life out there has a chance to make money on the web. This has got to change.


Oct 15 2003

Blog-Spam – ip2location.com

There is a new kind of Spam going on. This time it is not the spam that clogs your inbox and announces the benefits of Viagra from Canada suppliers, no – this time they abuse the commenting facilities of your blog-software.

In my case it started with a comment entry for my “Endless Source of live streams for TiVo” article. This is the email notification I received on Sun 10/12/2003:


A new comment has been posted on your blog KahunaBurger, on entry #54 (Endless Source of live streams for TiVo). http://www.kahunaburger.com/blog/mt-comments.cgi?entry_id=54

IP Address: 219.95.14.69
Name: dns
Email Address: lucy1982@hotmail.com
URL: http://www.ip2location.com

Comments:

Wow. This is the blog I was looking for...

--
Powered by Movable Type
Version 2.62

http://www.movabletype.org/

Wow – lucy1982@hotmail.com, thanks for the message. Hmm, but wait, there is no reference to the article contents. Where did she come from? How did she end up reading the article? Let’s dig a bit deeper.

The post came from “219.95.14.69”. Where’s that? Again using www.visualroute.com we get this:

ip2location.gif

So, Lucy with the hotmail account commented on my entry from Malaysia – cool! Well where did Lucy come from? Let’s check the server’s log-files:


$ grep 219.95.14.69 access_log
219.95.14.69 - - [12/Oct/2003:06:35:34 -0600] "GET /blog/mt-comments.cgi?entry_id=54 HTTP/1.1" 200 6428 "-" "libwww-perl/5.69"
219.95.14.69 - - [12/Oct/2003:06:35:50 -0600] "POST /blog/mt-comments.cgi HTTP/1.1" 302 5 "-" "libwww-perl/5.69"
$

And those are the only entries in the log file. This means that Lucy went directly to the comments page for this entry and left a comment without even looking at the content (and yes, I did check the few hundred log-entries before for similar IP addresses in case Lucy went through a farm or proxy servers).

What’s even more interesting is the browser that Lucy used: libwww-perl/5.69. This tells me that Lucy left her comment programmatically in the blog and did not use IE, Mozilla, Opera, Konquerer or some other browser.

And here’s the theory:
1) Lucy offered her services to a company claiming she would increase traffic for a site (ip2location.com)
2) Lucy did a query on Google for some popular topics and narrowed the number of responses down to those responses that come from Blog systems like MovableType (as used here on kahunaburger.com)
3) Lucy ran her commenting script on those URLs which generated the comment in my blog.
4) People hit my article on www.kahunaburger.com and some of those will follow her link back to www.ip2location.com, which in turn increases the hits on this target site.

Of course this is only a theory, but a pretty solid one as far as I’m concerned. But there are some links out there which seem to prove this theory:

* http://meta.popdex.com/link/117
* http://www.amishrobot.com/archive/000189.html