Today’s Magic Numbers Are: 38.96.1.97

Since the stability issues a few days back, I’ve obtained a new ‘friend’, Mr. ‘Bonifacius’ from some non-existent website. This spammer uses the IP address 38.96.1.97 which is associated with Cogent networks. Not to worry, I’ve already sent a nice letter to their abuse department. Hopefully, on Monday I’ll know this person’s real name, address, phone number, e-mail and all the other goodies necessary to let the Feds have their way with the spammer.

Bonifacius is a mildly retarded spambot persona, he only says one phrase in his comments, and this phrase is: “Great article. I am just sad I dont know how to reply properly, though, since I want to show my appreciation like many other.” A quick Google search for this phrase turns up less than a few hundred results for this spammer, most of these are WordPress based blogs that must not be running any anti-spam plug-ins.

From what I’ve seen, Bonifacius spams a blog differently than most do. The typical spambot will crawl a blog and then make post where ever possible. Bonifacius instead of crawling a site will only check to see if it is a WordPress blog. A week or so later, Bonifacius will start pushing data to the wp-comments-post.php file. It starts starts with the first post then it tries the next post up the next hour. This process continues until either: there are no more articles, wouldn’t that be pleasant, or until it is blocked, or trapped as it is on my blog. I haven’t tested to see if the spambot stops after it reaches the end of the posts or continues on to infinity, if it does that’s very bad as it wastes bandwidth on both ends.

-John Havlik

[end of transmission, stay tuned]

CribSense Alpha

Introducing CribSense, an anti-spam blacklist suit for keeping those you don’t want visiting your site out. I’m just beginning to test it, but it’s a nice spoof of the Websense proxy block pages, you can check it out at the link provided below. I’m seeing if this will have a nice affect on the spammer that is attacking my blog at about once every hour right now.

Here is the link: CribSense

-John Havlik

[end of transmission, stay tuned]

Today’s Magic Numbers Are: 24.62.47.148

Well make that yesterday’s magic numbers. After reading JD’s blog about a spammer accessing his site and spamming on the nature of my little buddy 195.225.177.80 from Europe. They have both made their way to my .htaccess blacklist, permanently blocked from Mtekk’s Crib. The reason is at 1:09 AM and then again at 7:36 AM on Saturday, February 18 2006 a user of the IP address 24.62.47.148, which is associated with Comcast Communications “Comcast Cable Communications Holdings, Inc. BOSTON-6”, attempted to post links via their website tag on comments on various old posts of mine.

They had very generic comments and the messages have been marked as spam. The sites that they linked to were filled with several Google AdSense advertisements; I filed a complaint to Google. Just as JD had filed one, I have also filed a complaint to Comcast, which I received a response that I have to provide more information, a firewall log of sorts, so I have some digging to do, but I am going to fight against this spammer. Hence the tag line “Enemy of the Spammers”. If you experience any malicious activity by this IP address leave a comment with a link to your blog or your could e-mail JD or myself.

Here is the link: JD Hodges – Hurrah! Google shuts down AsSense Spammer

-John Havlik

[end of transmission, stay tuned]

1 Comment Updated:

New Breed of Spambot?

According to the maintainer of Spam Karma in his latest blog entry, a new breed of spam bot has emerged and has been released in the last few days. This new spam bot uses somewhat more intelligent behavior and can get past Spam Karma 2 sometimes. Bad Behavior, the spam protection that I use, isn’t very effective against these bots, which I can attest to since I had swarms of spams queuing up for moderation beginning last Friday.

It seems that there is an update coming to Bad Behavior which may end up stopping these new bots, but it won’t be available until Bad Behavior 2 arrives sometime this year. Michael Hampton, Bad Behavior’s maintainer has released an alpha but it will be some time before a final release will arrive. If you wish to speed the release of Bad Behavior 2 please donate to his paypal account, his laptop died on the third of January and he doesn’t have the cash to repair/replace it.

Here is the link: Michael Hampton’s Blog

Here is the link: Dr Dave: The State of Spam [Karma]

-John Havlik

[end of transmission, stay tuned]

Sticking it to Spammers

Watching a spamming attempt unfold before my very eyes, I have become furious to the point of almost writing a Word Press plug-in. Instead, I’m going to share an idea. So a certain Internet Explorer user from Europe, whom is using the IP address 195.225.177.80 and is ‘pimping’ a fraudulent online pharmacy, decided to crawl my site a few months ago. Plotting its attack, it waited, and waited. Avoiding Bad Behavior was necessary, but the simple WordPress moderation blocks kept his spam from getting through. He should have seen a 412: Precondition Failed, but somehow didn’t. The first attack lasted only 8 posts but they never caught on. The next day 12 spam posts came, and then that night 48 posts came through. This really pissed me off. I uploaded a nicely modified .htaccess file that blocked his IP address, now he sees a nice 403: Forbidden.

Instead of taking such a harsh approach on spammers I’ve though of something: how about using a black list, such as Bad Behavior’s central one, and when a spammer tries to post a comment with under 10 words and has a hyperlink, or supplies one to the “website” field, log the message as spam, the IP address, and the site url in a sql database entry and then forward the robot to the site that they tried to “promote”. That way legitimate the users of the IP address can get make quality responses, while the spammer bots will waste bandwidth of the site that they are “promoting”.

-John Havlik

[end of transmission, stay tuned]