Dropsafe Under Attack?

For the last 24 hours this blog has been – for want of a better explanation – under attack.

The attack has been to add comment-spam to pretty much every posting in the archive, and as of 9am this morning I had received 810 of these things.

Now here’s the funny thing: these aren’t referrer-spams. They are all short, “friendly” messages of a fixed format, with variations in content, sender and subject:

From: {Daniel | Donny | Gaane | Gaby | Mond | Mune | Sofia | Sonta | Werea}
Subject: {good | nice | thank | thanks}

Content: {Just to say hellow! | Nice blog! | Realy good site! | Thank you for the info! | Very interesting blog! | Very nice site! | Your site is realy very interesting! | Your site is realy very interesting.}

…but there is no pollution of the text with HTML or URLs, there are no extra CGI-fields containing URLs that they’d hope would go into the comment text, the “Referrer:” is set to the article to which it is responding, and in short there is no benefit to doing this at all.

The postings are being received from 140+ different IP addresses spread all over the world, so I suspect a network of zombies being used to propagate this attack; all of them are citing a tremendously boring User-Agent:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

…without even the subtle labels that some other bulk comment spammers seem to use.

Unless they are trying to boost PageRank for (mis-)spellings of the words REALY and HELLOW, what is the point?
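A filter for the fixed-format run described above, as an added example that is not part of the original post. The comment-record field names (`ip`, `ua`, `article`, `from`, `subject`, `body`) and the sample records are constructed for illustration; the template values and User-Agent are the ones quoted in the post.

```python
import re

# Template values exactly as quoted in the post (the spam's misspellings kept verbatim).
SENDERS = {"Daniel", "Donny", "Gaane", "Gaby", "Mond", "Mune", "Sofia", "Sonta", "Werea"}
SUBJECTS = {"good", "nice", "thank", "thanks"}
BODIES = {"Just to say hellow!", "Nice blog!", "Realy good site!", "Thank you for the info!",
          "Very interesting blog!", "Very nice site!",
          "Your site is realy very interesting!", "Your site is realy very interesting."}
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
LINK_RE = re.compile(r"https?://|www\.|<a\s", re.I)

def matches_template(c):
    """True when sender, subject and body all come from the fixed sets and no link is present."""
    return (c["from"] in SENDERS
            and c["subject"].strip().lower() in SUBJECTS
            and c["body"].strip() in BODIES
            and not LINK_RE.search(c["body"]))

def summarise(comments):
    """Hold template matches for moderation; report how widely the run is spread."""
    held = [c for c in comments if matches_template(c)]
    passed = [c for c in comments if not matches_template(c)]
    return {"held": held, "passed": passed,
            "ips": {c["ip"] for c in held},            # distinct sources, as in the 140+ count
            "articles": {c["article"] for c in held},  # postings hit by the run
            # The UA is too common to block on alone, so it is only reported.
            "same_ua": all(c["ua"] == UA for c in held)}

# Constructed sample records (documentation IP ranges, hypothetical article paths).
SAMPLE = [
    {"ip": "192.0.2.10", "ua": UA, "article": "/a/1",
     "from": "Sofia", "subject": "nice", "body": "Very nice site!"},
    {"ip": "198.51.100.7", "ua": UA, "article": "/a/2",
     "from": "Mond", "subject": "thanks", "body": "Realy good site!"},
    {"ip": "203.0.113.5", "ua": UA, "article": "/a/2",
     "from": "Daniel", "subject": "good", "body": "Just to say hellow!"},
    # A real reader who shares a template name and subject but wrote their own text.
    {"ip": "192.0.2.99", "ua": "ExampleBrowser/1.0", "article": "/a/1",
     "from": "Daniel", "subject": "thanks", "body": "Thanks, the blacklist tip helped."},
]

if __name__ == "__main__":
    r = summarise(SAMPLE)
    print(len(r["held"]), "held from", len(r["ips"]), "IPs;", len(r["passed"]), "passed")
```

Requiring all three fields to match keeps a genuine "Daniel" who says "thanks" in his own words out of the moderation queue.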

Another odd thing is that this comes only a week after I sent the following message to an ISP:

To: abuse@infolink.com
Subject: Strange behaviour from 218-119-60-69.serverpronto.com

Hi,

My website is being repeatedly probed by 218-119-60-69.serverpronto.com which is citing a bogus “yahoo” referrer; it appears to be a weak and buggy attempt at the new fad of referrer-scamming-by-proxy, trying to boost keyword search via links redirected through search engines. Can you please get it to stop? It’s pointless (I don’t publish referrer logs) and annoying, and anyway the person apparently does not understand HTTP headers and URL syntax, and is doing it totally wrong.

Log attached.

218-119-60-69.serverpronto.com — Wed Sep 7 11:35:04 2005
ip: 69.60.119.218:3204
mtd: GET http://www.crypticide.com/dropsafe/articles/food/post20040927150624.comments
ref: http://search.yahoo.com
fwd:
via:
ua: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

…which summarises the situation as it was at that time – someone was crawling every single posting on my website and saying that they were referred there by “search.yahoo.com”.

Oooh, and lookee-loo what the referrer string was!

So: some guy crawls my website, and a week later some 140 zombies all over the world start sending me pointless comment spam. Either they are deeply incompetent novices, or they see some benefit I know not what.

I presume that I am not the only one receiving their tender but unwanted attention?

Comments

8 responses to “Dropsafe Under Attack?”

  1. Geoff Arnold
    re: Dropsafe Under Attack?

    Actually I’ve noticed that (so far, touch cellulose) September has been a particularly quiet month for blogspam. Not only have I had very few successful comments/trackbacks to deal with, but mt-blacklist has been catching far fewer attacks than usual. The only annoying thing was that someone hit me with a geocities.com URL; I blacklisted it, but I’m worried that I may block some legitimate geocities subscribers. (Are there any?)

  2. Geoff Arnold
    re: Dropsafe Under Attack?

    By the way, I rather resent being classified as “Normal People” in your blogroll. 🙂

  3. alecm
    normal people

    well i could break-out a category for “beardie weirdies” if you prefer? i know several who would fit…

  4. Chris Samuel
    re: normal people

    Oi, I resemble that remark! 🙂

  5. Rich Boakes
    re: Dropsafe Under Attack?

    Hi Alec – What strange circles we move in…

    I was just chatting with a bloke I met in Chicago last year regarding the spam domain that I bought yesterday morning, after noticing that it hadn’t been registered by the spammer.

    That spam domain is MyNiceMailAt.com – and it was spamming my website with the same messages that you describe above.

    So, I’ve now begun looking up references of everyone that’s mentioned the domain and started to investigate it further, and your site popped up.

    It was a surprise therefore, to see that the last remark was sent by… the bloke I met in Chicago, Chris Samuel.

    So if they do “see some benefit” from crawling sites, and then spamming them, they’re going to have to wait before they get any return on their “investment” because they now have no access to the domain they were promoting.

    More info is on boakes.org, & I hope to do a full analysis of the traffic that the spam run generates before too long, so we should get a little insight into the potential profitability of such schemes and (hopefully) therefore, a better understanding of what it will take to stop them.

    Cheers, Rich Boakes

  6. Stephen Usher
    re: normal people

    Erm, but you’re not weird, merely… different. 🙂

  7. Chris Samuel
    re: normal people

    You say the nicest of things, Steve. 🙂

  8. Chris Samuel
    re: Dropsafe Under Attack?

    G’day and bore da Rich, my fellow grid person.. 🙂
