Comments on: Chinese Spam Mafia?

By: in8sworld

in8sworld — Fri, 28 Dec 2007 21:56:21 +0000

Added an image / math challenge to commenting care of Peter's Math Anti-spam plugin. Along with the otherwise very impressive Akismet plugin, this should make it a lot safer to enable anonymous commenting.

By: in8sworld

in8sworld — Fri, 28 Dec 2007 21:38:02 +0000

I’ve decided to re-enable anonymous commenting. This is just a test to make sure it’s working again. I may need to install some more anti-spammer tests, but the coast seems to have cleared a bit.

By: Nate

Nate — Mon, 08 Jan 2007 02:31:59 +0000

A similar thing was happening at work, and we called in a security friend of mine who traced a couple of the IPs back to compromised Linksys routers to which they had supposedly uploaded some hacked firmware. He was able to read the logs on one of the routers which had other IPs (supposedly the real criminals). On those machines he found links to an IRC channel which he turned me on to. I was stunned – they apparently had broken into a bank someplace and were processing stolen credit cards through some scripts that were running there. Something about an eGold account which I didn’t quite understand… Seems like the US is going to need to start training an army of counter insurgent hackers soon – they haven’t been doing too good of a job so far.

By: Ironmax

Ironmax — Mon, 08 Jan 2007 02:23:20 +0000

Nate,

I know where they are coming from initially. I found that they are cruising the search engines to find these links and thats why I ended up moving my mail signup form for email. Then putting a fake one in its place. Those spammers in Nigeria were saying anything just to try and get a free email account. Unbenounced to them it was a booby trap, and they got caught in the act. So I wont be seeing them for some time.

As far as finding or seeing the referer, try changing your script around juat a little to throw them off, theey’ll have to change theirs to keep up.

Ironmax

By: Ironmax

Ironmax — Mon, 08 Jan 2007 02:11:27 +0000

For those that run windows based mail servers, I recommend using Spamfilter ISP in front of their mail server. You can get to the link on our site at http://www.spacequad.com and download a free evaluation copy. As far as the comment spam or any other spam on our site, I haven’t seen any as of lately. They’ve tried to post but the captcha has stpped them cold in their tracks for now. The only way someone can post on our system is to manually post by hand…bots are not welcomed.

Ironmax

By: Nate

Nate — Sun, 07 Jan 2007 14:57:53 +0000

OK – so, in hopes of stopping the endless stream of emails generated by this situation, I found a helpful page on macmerc.com that described how to add a couple lines to my .htaccess file which looks at the referrer and marks those that match as ‘spammer’. Of course, if the spammers speak english and read this, they will just change their scripts, but they have to change the scripts anyways if they want to post some comment spam. So far, its working – the emails have stopped for now.

That gained me all of about 5 hours of peace. Apparently the spammers script was broken and I was seeing something that I wasn’t supposed to see. Now that he’s fixed it, he is spoofing the ‘Referer’ – what this means is that his script replaces the part of the transaction where the server sees what page he clicked on to get to the page he wants to spam on with my own domain name, so I can’t use the htaccess trick to deny him. In other words, it looks like this now:

A user tried to go to
http://www.in8sworld.net/blog/article.php?story=20050425062300738
and received a 404 (page not found) error. It wasn’t their fault, so try fixing it.
They came from
http://in8sworld.net/article.php?story=20050425062300738

You see, he didn’t come from where it says he’s coming from ‘cuz it doesn’t exist anymore! I moved the whole site to a subdirectory (and changed the whole site code) so there is no article.php in there. I’m thinking I might be able to use that fact to block him again. More on this later.