annie
Posted January 5, 2005

I have a relatively minor spam problem on my MT blog. I'm having fun sharpening my claws on my spammers. I recently did something that, although it may hinder some legitimate users, should at least frustrate my spammers. My most prolific comment spammer has tried a few times, but his frequency isn't too often. But one of the other comment spammers must have gotten tired of my musical chairs approach to frustrating him, and moved to trackback spam. Could be because the latest MT enables moderation of comments by default. Probably more likely than my actions alone influencing him.

Anyway, trackbacks are not yet possible to moderate as far as I know. I'd LOVE to learn how, if anyone knows? But, I blocked this one too, and he's currently going crazy, trying IP numbers, trying to get through...

All but the top two are desperate attempts to get through during a period of 15 minutes. The top two did get through, and were entered quite far apart. Might have been tests, and since it took me a few hours to remove the first one, he may have stepped up the pace, I don't know. Anyway, the IP numbers look like normal dynamic IP numbers to me. I wonder how that's done? I mean, just minutes apart?

EDIT: More IP numbers:

MikeJ
Posted January 5, 2005

Generally, that's done by using computers they managed to infect or compromise to later use for this type of spamming. So those numerous dynamic IP addresses you are seeing are likely people's home computers who aren't even aware their computer is being used for this purpose. Most are relatively automated and rather persistent. I had one spammer this weekend attempt to spam my blog over 3,000 times from all kinds of IPs even though none of them ever made it to my blog. The trackbacks are starting to be used more for precisely the reason that it's harder to moderate them.

annie
Posted January 5, 2005

So, is there any type of clearinghouse for reporting allegedly infected drones?

annie
Posted January 5, 2005

Turns out the varmint is Alexander Morozov. He's quite famous for his blogspam.

LisaJill
Posted January 5, 2005

A bunch of us using EE got spam last night, I'd link to the entry on my site but it's mean. *winks* The spams all had random letter combos for title, body and URL, and all came from a different IP right to the first octet. I'm not sure if this is what you've got (trackback spam has been a problem for at least a year, really) - but it appears to be a prelude to an attack on some sites: a testing of their script. Hard to block too, since it's totally random. I turned off trackbacks on my site for the meantime.

annie
Posted January 5, 2005

It's Alexander, no doubt about it. I got the same pre-attack last night. He's still going full tilt at my scripts. I wonder if it's his zombies that are out of control, since they don't understand what's happening when they try trackbacking to my site? But I also got those same nonsense things a while ago, as comment spam, if I remember correctly.

Oh, and WTF? I got an access to my log from server85.totalchoicehosting.com with the user agent MovableType/3.14. That site isn't even on here, my other site is. So I'm kinda curious now...

LisaJill
Posted January 5, 2005

No idea... are you running blacklist and is it helping? If not, is there a way to turn off trackbacks wholesale until he ceases?

annie
Posted January 5, 2005

Of course there's a way to turn off trackbacks! Just rename the trackback file until the attack is over. Not saying if that's what I did, but here's the file to rename: mt-tb.cgi

BTW, either he's stopped for now, or my webhost filtered out the error message. He's done that before, so I wouldn't be surprised...

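Added example, not from any poster in this thread: a log check for the pattern described above, where POSTs to mt-tb.cgi arrive from many different addresses within a few minutes, so per-address blocking never triggers. The access-log format, the 15-minute window, the threshold of four addresses and the sample lines are assumptions; the sample is constructed and uses documentation address ranges.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log (Apache combined-style); addresses are documentation ranges.
SAMPLE = """\
192.0.2.10 - - [05/Jan/2005:01:00:00 +0000] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 200 80
198.51.100.7 - - [05/Jan/2005:04:30:00 +0000] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 200 80
203.0.113.5 - - [05/Jan/2005:09:00:10 +0000] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 403 210
203.0.113.9 - - [05/Jan/2005:09:02:00 +0000] "GET /archives/000012.html HTTP/1.1" 200 5120
198.51.100.20 - - [05/Jan/2005:09:03:41 +0000] "POST /cgi-bin/mt/mt-tb.cgi/14 HTTP/1.0" 403 210
192.0.2.77 - - [05/Jan/2005:09:05:02 +0000] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 403 210
203.0.113.5 - - [05/Jan/2005:09:07:30 +0000] "POST /cgi-bin/mt/mt-tb.cgi/15 HTTP/1.0" 403 210
192.0.2.130 - - [05/Jan/2005:09:09:15 +0000] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 403 210
198.51.100.99 - - [05/Jan/2005:09:12:48 +0000] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.0" 403 210
""".splitlines()

# client address, timestamp, request method, request path
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def trackback_floods(lines, script="mt-tb.cgi", window=timedelta(minutes=15), min_ips=4):
    """Alert when POSTs to the trackback script come from >= min_ips distinct
    addresses inside one sliding window, however few hits each address makes."""
    recent, alerts, alerting = deque(), [], False
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts_raw, method, path = m.groups()
        if method != "POST" or script not in path:
            continue  # only trackback pings count
        ts = datetime.strptime(ts_raw, "%d/%b/%Y:%H:%M:%S %z")
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()  # drop hits older than the window
        per_ip = Counter(addr for _, addr in recent)
        flooding = len(per_ip) >= min_ips
        if flooding and not alerting:  # report once, when the threshold is first crossed
            alerts.append({"start": recent[0][0], "end": ts, "distinct_ips": len(per_ip),
                           "posts": len(recent), "max_per_ip": max(per_ip.values())})
        alerting = flooding
    return alerts

if __name__ == "__main__":
    for alert in trackback_floods(SAMPLE):
        print(alert)
```

In the sample, the two isolated pings hours apart raise nothing, while the later burst is flagged even though no single address posts more than twice.
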
LisaJill
Posted January 5, 2005

Oh, I don't run MT, I haven't in a long time. In EE it's just a configuration setting. =) I stopped him after only 3 trackbacks at 5am this morning, no worries at all.

annie
Posted January 5, 2005

Hmph, now my guestbook is getting hammered by some joker I've blocked.

annie
Posted January 5, 2005

Mystery solved. I got a legitimate trackback from a site on Totalchoice. That's what produced that weird user agent in my log.

http://www.windsofchange.net/archives/006118.php