
1 Jan 21, 2006 06:13    

I've noticed, the past couple of days, an abundance of direct referrals that all look similar to the following:

/index.php/<year>/<mo>/<day>/<title>&prev=/search%3Fq%3Denglish%2Btrackback%2Bpost%26start%3D450%26hl%3Dko%26lr%3D%26sa%3DN

They're searches that seem to involve ONE legit word (at the beginning), then "+trackback+post+start" and some query string params.

All of these searches (that I can tell) turn up empty.

The URL that's responsible is 72.232.43.178.

I've denied them in the .htaccess, but I'm curious as to what they're up to. Anyone have an idea? Are they just randomly looking for "trackback" references that they can then shove into their auto-spamming software? Page headers are being sent ... it's a direct access ... so I'm thinking that the search is showing up on a browser screen SOMEWHERE.

Anyway ... curious ... and I thought I'd say something to see if anyone else is affected similarly.

2 Jan 21, 2006 07:01

scott,

<post title>/&prev=/search?q=texasholdem+trackback+uri&start=50&hl=it&lr=&sa=N

ip : 72.232.43.178 or 178.43.232.72.reverse.layeredtech.com

;)

I've actually been meaning to do something about that at their level. Layered Technologies is a hosting service; they do have forums, though. Because I'm not going to register to post on their forums, I have contacted them via the "contact us" link and invited them to weigh in on this thread.

I don't expect a response.

3 Jan 21, 2006 17:09

Interesting. I, too, followed them back to Preston Road, Dallas, TX and was going to write to their "LT Abuse Team". I thought I'd weigh in here first and see if I was the only one. Guess not. :-/

Wonder how many others are serving up non-existent search results?

I will write them (though I, too, don't expect a response).

4 Jan 23, 2006 21:25

Instead of making threats about "doing your best to associate our company with spam", take action and report the spammer to us.

Submit server logs documenting the spamming of forums/guestbooks or the full header & body of spam email. We do not take action on SPAM if there is no evidence. If we did allow spam complaints to be enforced without any documentation showing our clients posting, hosting, or sending the spam, then anybody could submit fraudulent complaints on any of our clients. We require documentation for those reasons.

Thank you,

Tom
Layered Technologies
Policy Enforcement Technician

FWIW, I directed them to THIS thread in my first email; seems to me that those pastes are Apache logs.

I went ahead and blocked the damn IP in my .htaccess

Morons.

Layered Technologies = spam

What I ought to do is grep my logs and send off a text file full of the thousands of similar hits I see.

5 Jan 23, 2006 22:34

I crafted an email and attached some offending lines of my Apache log. Hopefully it will give them the "evidence" they're needing.

Dear LT Abuse team,

Accompanying this complaint, you will find attached a text file that contains Apache server logs for our website http://randsco.com. I have extracted only a portion of the offending data, but have the full server logs (archived) if you require further evidence of nefarious activity.

The complaint:

Beginning Jan 16, 2006 and through to Jan 22, 2006 (when I denied access to the offending IP 72.232.43.178, which falls within your allocated IP range, according to the ARIN WHOIS database), I recorded the following activity.

Namely, irrelevant searches on our b2evolution blog at a rate of 1 every 5-10 minutes, 24-hours a day. The activity first started on Jan 16th, followed by a quiescent period till Jan 20th, when the activity began again and in earnest. As I say, the activity continued at a steady rate through the 20th, 21st and into the 22nd (until I caught wind of it and denied access to our site, for that IP address).

The searches are all logged similarly (namely, a keyword that is evidently CONTAINED in the journal entry (in this case "photo"), followed by three words and a number ("trackback", "post", "start" and 100) plus some query string values). As these searches are not positively matched, yet persistently contain the word "trackback", I can only surmise that this is some automated search to harvest trackback spam candidates.

Below is a sample entry.
72.232.43.178 - - [22/Jan/2006:07:46:23 -0600] "GET /index.php/2005/06/15/introducing_photo_caption_zoom_2&prev=/search%3Fq%3Dphoto%2Btrackback%2Bpost%26start%3D100%26hl%3Dko%26lr%3D%26newwindow%3D1%26sa%3DN HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

I hope that the attached information provides ample evidence for you to take action against, what appears to be, a violation of your TOC by one of your clients.

Thank you for your prompt attention in this matter. Together, we can help make the Internet a more pleasant place to communicate and conduct business.

-Scott
www.randsco.com

SERVER LOGS

72.232.43.178 - - [16/Jan/2006:11:36:56 -0600] "GET /index.php/2005/11/18/anti_spam_script&prev=/search%3Fq%3Dcanada%2Btrackback%2Bpost%26start%3D270%26hl%3Dko%26lr%3D%26newwindow%3D1%26sa%3DN HTTP/1.1" 200 15295 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:05:56:10 -0600] "GET /index.php/2005/10/19/alex_sings_too_much&prev=/search%3Fq%3Dgenetics%2Btrackback%2Bpost%26start%3D280%26hl%3Des%26lr%3D%26sa%3DN HTTP/1.1" 200 15959 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:06:02:44 -0600] "GET /index.php/2005/11/18/anti_spam_script&prev=/search%3Fq%3Dhome%2Btrackback%2Bpost%26start%3D170%26hl%3Dpt-PT%26lr%3D%26sa%3DN HTTP/1.1" 200 15976 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:07:07:47 -0600] "GET /index.php/2005/12/17/automated_spam_meet_thy_enemy&prev=/search%3Fq%3Dstuff%2Btrackback%2Bpost%26start%3D680%26hl%3Dfr%26lr%3D%26sa%3DN HTTP/1.1" 200 15956 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:07:12:28 -0600] "GET /index.php/2005/10/01/penn_state_college_football&prev=/search%3Fq%3Dcollege%2Btrackback%26start%3D420%26hl%3Des%26lr%3D%26sa%3DN HTTP/1.1" 200 15961 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:07:18:58 -0600] "GET /index.php/2005/09/11/changing_z_index_on_hover&prev=/search%3Fq%3Daustralia%2Btrackback%2Bpost%26start%3D410%26hl%3Dde%26lr%3D%26sa%3DN HTTP/1.1" 200 15953 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:07:24:19 -0600] "GET /index.php/2005/06/15/introducing_photo_caption_zoom_2&prev=/search%3Fq%3Dcss%2Btrackback%2Bpost%26start%3D80%26hl%3Dpt-BR%26lr%3D%26sa%3DN HTTP/1.1" 200 15955 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:07:26:31 -0600] "GET /index.php/2005/10/15/p227&prev=/search%3Fq%3Dcollege%2Btrackback%2Bpost%26start%3D430%26hl%3Dit%26lr%3D%26sa%3DN HTTP/1.1" 200 15959 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:07:35:04 -0600] "GET /index.php/2005/11/18/anti_spam_script&prev=/search%3Fq%3Dme%2Btrackback%2Bpost%26start%3D550%26hl%3Des%26lr%3D%26sa%3DN HTTP/1.1" 200 15957 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:07:47:35 -0600] "GET /index.php/2005/11/18/anti_spam_script&prev=/search%3Fq%3Dfamily%2Btrackback%2Bpost%26start%3D310%26hl%3Dko%26lr%3D%26newwindow%3D1%26sa%3DN HTTP/1.1" 200 15956 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:07:53:53 -0600] "GET /index.php/2005/11/18/anti_spam_script&prev=/search%3Fq%3Dcurrent%2Btrackback%2Bpost%26start%3D50%26hl%3Dit%26lr%3D%26sa%3DN HTTP/1.1" 200 15952 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:08:03:48 -0600] "GET /index.php/2005/12/11/astonish_me&prev=/search%3Fq%3Dme%2Btrackback%2Bpost%26start%3D460%26hl%3Dde%26lr%3D%26sa%3DN HTTP/1.1" 200 15958 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:08:34:33 -0600] "GET /index.php/2005/11/18/anti_spam_script&prev=/search%3Fq%3Dupdates%2Btrackback%2Bpost%26start%3D200%26hl%3Dko%26lr%3D%26sa%3DN HTTP/1.1" 200 15961 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:08:45:13 -0600] "GET /index.php/2005/02/11/computing_tips&prev=/search%3Fq%3Djournal%2Btrackback%2Bmessage%26start%3D360%26hl%3Dko%26lr%3D%26newwindow%3D1%26sa%3DN HTTP/1.1" 200 15957 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:08:46:46 -0600] "GET /index.php/2005/01/31/css_photo_caption_zoom&prev=/search%3Fq%3Dcss%2Btrackback%2Blinks%26start%3D600%26hl%3Dko%26lr%3D%26newwindow%3D1%26sa%3DN HTTP/1.1" 200 15958 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:08:47:14 -0600] "GET /index.php/2005/08/06/summer_holiday_intermission&prev=/search%3Fq%3Dfamily%2Btrackback%2Bpost%26start%3D350%26hl%3Dde%26lr%3D%26sa%3DN HTTP/1.1" 200 15957 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:08:52:56 -0600] "GET /index.php/2005/12/17/automated_spam_meet_thy_enemy&prev=/search%3Fq%3Dmarketing%2Btrackback%2Bpost%26start%3D220%26hl%3Dko%26lr%3D%26newwindow%3D1%26sa%3DN HTTP/1.1" 200 15958 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:09:04:11 -0600] "GET /index.php/2005/01/31/css_photo_caption_zoom&prev=/search%3Fq%3Dcss%2Btrackback%26start%3D470%26hl%3Dko%26lr%3D%26sa%3DN HTTP/1.1" 200 15957 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:09:23:50 -0600] "GET /index.php/2005/06/15/introducing_photo_caption_zoom_2&prev=/search%3Fq%3Dcss%2Btrackback%2Bpost%26start%3D130%26hl%3Dde%26lr%3D%26sa%3DN HTTP/1.1" 200 15953 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:09:24:51 -0600] "GET /index.php/2005/10/02/broadband_for_everyone&prev=/search%3Fq%3Dcooking%2Btrackback%2Bpost%26start%3D300%26hl%3Dfr%26lr%3D%26sa%3DN HTTP/1.1" 200 15951 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [20/Jan/2006:09:45:09 -0600] "GET /index.php/2005/11/18/anti_spam_script&prev=/search%3Fq%3Dcurrent%2Btrackback%2Bpost%26start%3D60%26hl%3Dko%26lr%3D%26sa%3DN HTTP/1.1" 200 15951 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

----------------------
Activity continues through the remainder of 20/Jan/2006 ... 21/Jan/2006 and into 22/Jan/2006
with similar frequency. I finally denied access via .htaccess file, which was the only way the suspicious activity came to a stop. Among the last entries ...
----------------------

72.232.43.178 - - [22/Jan/2006:07:45:22 -0600] "GET /index.php/2005/10/02/broadband_for_everyone&prev=/search%3Fq%3Dcooking%2Btrackback%2Bpost%26start%3D250%26hl%3Des%26lr%3D%26sa%3DN HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [22/Jan/2006:07:46:23 -0600] "GET /index.php/2005/06/15/introducing_photo_caption_zoom_2&prev=/search%3Fq%3Dphoto%2Btrackback%2Bpost%26start%3D100%26hl%3Dko%26lr%3D%26newwindow%3D1%26sa%3DN HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

72.232.43.178 - - [22/Jan/2006:07:47:42 -0600] "GET /index.php/2005/11/18/anti_spam_script&prev=/search%3Fq%3Dlinks%2Btrackback%2Bpost%26start%3D520%26hl%3Des%26lr%3D%26sa%3DN HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

Darn ... I wish I had a good grepping tool (as I had to search, cut & paste each entry). Yeah, yeah, I know ... for good admin tools, windows XP sucks. I want my old vi, sed and awk. ;)

6 Jan 23, 2006 22:49

hahaha, omg, if ONLY I had your tact!

I have zero tolerance for spammers, and even less (yes, that's possible) for hosts that allow it.

PS: windows grep, it does exist: www.wingrep.com

7 Jan 23, 2006 23:42

It's pretty PC isn't it? What can I say ... I've been "corporatized". LOL.

Plus, we can find out what (if anything) taking this tack will yield. (Prolly, nuthin). But at least they can't say ... where's the beef?

-stk

PS .. thanks for the grep tool. A decent text editor would be good too, but it's not often anymore that I need to edit such large chunks of text data (not like ye old corporate days of dealing with file dumps and such).

8 Feb 17, 2006 17:56

This is VERY interesting.

I wrote Layered Tech, sent copies of the offending server log lines and only got an "automated reply". Two weeks later, after not receiving a considered reply to my SPAM inquiry, I wrote back, saying

I would appreciate the courtesy of a reply

as a response, I received this

This will be the only reply.

Due to the sheer amount of abuse complaints this department receives daily, we do not reply to senders of the complaints stating the issue has been resolved. We do take all complaints seriously and do take actions to stop the abuse.

This issue has been resolved, for 2 weeks.

Thank you,

Tom
Layered Technologies
Policy Enforcement Technician

About a week after, I began noticing more comment SPAM. The messages are nearly identical (sales links for the drugs alprazolam or diazepam). The frequency is variable, though it has generally been at night and only a couple. The content (an <a> link, which we allow), points to a variety of URLs.

Last night, I got 13 such messages. 8|

This ... despite a post_comment.php rename, a rotating htsrv folder name AND disallowing off-site (i.e., remote comments) via htaccess. I've also been reporting the URLs and updating our anti-spam list.

Today, (after 13), I thought I'd investigate.

(This is where it gets interesting). ;)

Looking at the server logs, I noticed that despite the different IP addresses reported in the POST line ... the actual entry is called up just prior to that (like seconds before) and the IP address is ALWAYS the same ... 216.32.88.138

RAW Access Log wrote:

216.32.88.138 - - [17/Feb/2006:07:18:12 -0600] "GET /index.php/2005/11/18/anti_spam_script HTTP/1.1" 200 44534 "" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
61.219.70.12 - - [17/Feb/2006:07:18:15 -0600] "POST /blogs/HTSERVICE.randomSEQJ//rite_here.php HTTP/1.0" 303 0 "http://randsco.com/index.php/2005/11/18/anti_spam_script" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

A reverse lookup == (guess who, Whoo?)

Layered Technologies, Inc. 216.32.64.0 - 216.32.95.255 !! :lol:

I'm curious as to how they can VIEW the entry under one IP and then COMMENT using another? (When I comment to my own blog, the same IP shows up for both the VIEW and the COMMENT ... but then again ... I'm not a spammer ;))

Also ... looking at the apache manual, it looks like the server log reports can be modded to report a variety of information. I'm assuming one sets this in the .htaccess file? (We're just using whatever the host has as default. Is there a format you use or can recommend?)
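The two things Scott did by hand above (pulling the "trackback" harvesting hits out of the Apache log in post 5, and spotting in post 8 that the entry is fetched from one IP seconds before a different IP POSTs the comment) can both be run as a script over the raw access log. This is an added example, not code from this thread or from b2evolution. It assumes the Apache "combined" log format the pasted lines are in; the sample input is five lines quoted from this thread plus two constructed benign lines (documentation address 203.0.113.5 and a made-up comment-handler path) that the checks must leave alone.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlparse

# Apache "combined" log format, the layout of the lines pasted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample input: five lines quoted from this thread, plus two CONSTRUCTED benign
# lines (documentation IP 203.0.113.5, hypothetical comment-handler path).
SAMPLE_LOG = [
    '72.232.43.178 - - [20/Jan/2006:07:07:47 -0600] "GET /index.php/2005/12/17/automated_spam_meet_thy_enemy&prev=/search%3Fq%3Dstuff%2Btrackback%2Bpost%26start%3D680%26hl%3Dfr%26lr%3D%26sa%3DN HTTP/1.1" 200 15956 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '72.232.43.178 - - [20/Jan/2006:07:12:28 -0600] "GET /index.php/2005/10/01/penn_state_college_football&prev=/search%3Fq%3Dcollege%2Btrackback%26start%3D420%26hl%3Des%26lr%3D%26sa%3DN HTTP/1.1" 200 15961 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '72.232.43.178 - - [20/Jan/2006:07:18:58 -0600] "GET /index.php/2005/09/11/changing_z_index_on_hover&prev=/search%3Fq%3Daustralia%2Btrackback%2Bpost%26start%3D410%26hl%3Dde%26lr%3D%26sa%3DN HTTP/1.1" 200 15953 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '72.232.43.178 - - [20/Jan/2006:07:24:19 -0600] "GET /index.php/2005/06/15/introducing_photo_caption_zoom_2&prev=/search%3Fq%3Dcss%2Btrackback%2Bpost%26start%3D80%26hl%3Dpt-BR%26lr%3D%26sa%3DN HTTP/1.1" 200 15955 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '216.32.88.138 - - [17/Feb/2006:07:18:12 -0600] "GET /index.php/2005/11/18/anti_spam_script HTTP/1.1" 200 44534 "" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    '61.219.70.12 - - [17/Feb/2006:07:18:15 -0600] "POST /blogs/HTSERVICE.randomSEQJ//rite_here.php HTTP/1.0" 303 0 "http://randsco.com/index.php/2005/11/18/anti_spam_script" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    # constructed: a real reader fetches the entry and comments from the SAME IP
    '203.0.113.5 - - [17/Feb/2006:09:00:00 -0600] "GET /index.php/2005/11/18/anti_spam_script HTTP/1.1" 200 44534 "-" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.5 - - [17/Feb/2006:09:00:40 -0600] "POST /htsrv/example_comment_handler.php HTTP/1.1" 303 0 "http://randsco.com/index.php/2005/11/18/anti_spam_script" "Mozilla/5.0 (X11; Linux)"',
]


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def search_terms(path):
    """Decode the '&prev=/search?q=...' tail the harvester glues onto the entry
    path and return the q= words, or [] when there is no such tail."""
    if "&prev=" not in path:
        return []
    tail = unquote(path.split("&prev=", 1)[1])   # '/search?q=photo+trackback+post&start=100...'
    return parse_qs(urlparse(tail).query).get("q", [""])[0].split()


def trackback_harvest_summary(lines):
    """Pattern 1: GETs whose pasted-in search query contains 'trackback'.
    Per source IP: hit count, the leading keyword of each query, and the
    smallest gap (seconds) between consecutive hits, i.e. the crawl rate."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        terms = search_terms(rec["path"])
        if rec["method"] == "GET" and "trackback" in terms:
            by_ip[rec["ip"]].append((rec["ts"], terms[0]))
    summary = {}
    for ip, hits in by_ip.items():
        hits.sort()
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(hits, hits[1:])]
        summary[ip] = {"hits": len(hits),
                       "keywords": sorted({kw for _, kw in hits}),
                       "min_gap_s": min(gaps) if gaps else None}
    return summary


def proxied_comment_posts(lines, window_s=30):
    """Pattern 2: a POST whose Referer names an entry that a DIFFERENT IP fetched
    within window_s seconds beforehand (the fetch/submit split from post 8).
    Returns (fetch_ip, post_ip, entry_path) tuples."""
    recs = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    last_get = {}          # entry path -> (ts, ip) of the most recent GET
    findings = []
    for rec in recs:
        if rec["method"] == "GET":
            last_get[rec["path"].split("&prev=", 1)[0]] = (rec["ts"], rec["ip"])
        elif rec["method"] == "POST" and rec["referer"]:
            entry = urlparse(rec["referer"]).path
            if entry in last_get:
                ts, ip = last_get[entry]
                if ip != rec["ip"] and 0 <= (rec["ts"] - ts).total_seconds() <= window_s:
                    findings.append((ip, rec["ip"], entry))
    return findings


if __name__ == "__main__":
    for ip, info in trackback_harvest_summary(SAMPLE_LOG).items():
        print(f"harvester {ip}: {info}")
    for fetch_ip, post_ip, entry in proxied_comment_posts(SAMPLE_LOG):
        print(f"fetched by {fetch_ip}, posted by {post_ip}: {entry}")
```

Both checks key on things the spammer controls (a path suffix and a Referer header), so they are evidence for an abuse report, not a block list on their own: a harvester can drop the `&prev=` tail, and the Referer can be spoofed just as post 9 says. The second check also depends on the comment POST following the page fetch quickly; widen `window_s` if the log shows a slower pair.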

9 Feb 17, 2006 20:31

Lots of questions in that post, so let's see.

The IP changing is something that's done a lot. My take is that "they" load up an "array" of working proxies and just cycle through them in whatever script or application they happen to be using. Ever seen an AOLer traverse your pages? The IPs change with every hit (same thing, different method and reasoning, I assume).

The "remote access" htaccess bit can be circumvented, though it takes work (so to speak), as "they" would need to spoof the referer.

Essentially, anything sent via headers can be spoofed; the referer is one.

Yes, you can customize your server log output (if you have access to your Apache config files), but honestly it's just re-arranging the same info that you see in your standard logs.

The last resort, and not the best solution, is to just block the whole netblock using CIDR notation in an .htaccess.***

*** Check my antispam thread later; I'll show you what I've been doing lately.
