Unintended Open Proxies

I've been grappling with comment spamming lately. What I found is that the spammers are using open proxies to a large degree. Some might be zombie boxes, but a large percentage are webservers or other servers with proxying turned on. Most of them unintentional.


Usually you can just plug the IP addresses into Google and find lots of spammy posts, blacklists and open proxy lists.


When I did the same with the TCH address my site is listed on, there wasn't even ONE hit like that.


So, is there any way we can get the message out more thoroughly, than me notifying webmasters/admins one at a time?


Also, I've been trying to get a server on Verio off their service. It's got hundreds of spammy sites on it. The owner of that server seems to be ultimately responsible for over 50 percent of the spam hitting my logs.


I've sent an e-mail to their hosting abuse department, and I know others who have and are about to. The server is still online, still serving all those spammy domains.


For details, check this post (click on smiley):



So, you guys at TCH, any advice on making this fight against the spammers more effective?

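The "webservers with proxying turned on, most of them unintentional" situation in the opening post usually comes down to one setting. The fragment below is an added example, not from this thread or from TCH; it assumes the server is Apache with mod_proxy loaded (the thread never names the software, so that is an assumption) and uses the Apache 2.4 access-control syntax. The first block is the weak configuration that turns a site into a forward proxy for anyone who asks; the second is the corrected form, which still allows deliberate reverse-proxy rules (ProxyPass) while refusing to fetch arbitrary URLs on a stranger's behalf.

```apache
# WEAK: forward proxying enabled for every client on the internet.
# A site with this line (and no <Proxy> restriction) is an open proxy.
<IfModule mod_proxy.c>
    ProxyRequests On
</IfModule>

# CORRECTED: forward proxying off. ProxyPass/ProxyPassReverse for your own
# backends keep working; the <Proxy "*"> block is a belt-and-braces deny
# in case ProxyRequests is ever switched back on by accident.
<IfModule mod_proxy.c>
    ProxyRequests Off
    <Proxy "*">
        Require all denied
    </Proxy>
</IfModule>
```

After changing it, check with `apachectl configtest`, reload, and confirm from an outside address that a request for a foreign URL through your host is refused rather than fetched.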

Depending on what software you use on your site, you might want to look for some plugin that prevents spamming.


Currently I'm using wordpress at my borfast.com site and I installed an anti-spam plugin. Since this is my first blog ever and I started it with the spam filter already installed, I never experienced this comment spam problem that I read so much about, so I guess it works.... or perhaps it's just my site that doesn't have anything worth spamming... :pissed:


I wasn't asking for advice on how to keep the comment spammers out of my blog. I'm doing fine in that respect.


I'm asking for advice on how to get as many open proxies as possible shut down.


One of the admins of one such server kindly offered to share the log with me. I got a small fragment so far, and will get the full log later on.


Comment spam is only one of the things happening on such a server.


Fraudulent banner traffic is one other thing. I'm sure there's more.

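The opening post says spammers ride through servers whose owners never noticed they were proxying, and the post above mentions getting hold of such a server's log to look for patterns. The script below is an added example (mine, not the thread's and not TCH's) of the check an admin can run over their own access log to see whether the server is being used as a proxy. It assumes the common "combined" log format and a list of hostnames the server legitimately serves (OWN_HOSTS is a placeholder); the sample log lines are constructed, not real traffic. It flags two telltale shapes: CONNECT requests, which only make sense to a forward proxy, and absolute-URI requests (`GET http://other-site/...`) for hosts that are not your own.

```python
"""Flag access-log entries that show a web server being used as a forward proxy.

Added example, not from the forum thread. Assumes Apache/nginx "combined"
log format; the sample lines below are constructed, not real traffic.
"""
import re
from collections import Counter

# Hostnames this server legitimately serves (placeholder; set to your own).
OWN_HOSTS = {"example.org", "www.example.org"}

# Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# scheme://host  (host stops at the first "/" or ":")
ABSOLUTE_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://(?P<host>[^/:]+)', re.I)


def classify(line):
    """Return (client_ip, reason) if the request looks like proxy use, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore
    ip, method, target = m.group("ip"), m.group("method"), m.group("target")
    if method == "CONNECT":
        # CONNECT host:port asks for a raw tunnel; only a forward proxy honours it
        return ip, f"CONNECT tunnel to {target}"
    am = ABSOLUTE_URI_RE.match(target)
    if am and am.group("host").lower() not in OWN_HOSTS:
        # Absolute-URI request naming a foreign host: the client expects this
        # server to go and fetch it. Absolute URIs for our own host are
        # legitimate HTTP/1.1 and are left alone.
        return ip, f"absolute-URI request for foreign host {am.group('host')}"
    return None


def proxy_report(lines):
    """Summarise suspected proxy use: hits per client IP plus the reasons seen."""
    per_ip = Counter()
    reasons = []
    for line in lines:
        hit = classify(line)
        if hit:
            per_ip[hit[0]] += 1
            reasons.append(hit)
    return per_ip, reasons


# Constructed sample log (documentation-range IPs; not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2005:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Mar/2005:12:00:02 +0000] "GET http://blog.example.net/comments.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Mar/2005:12:00:03 +0000] "POST http://blog.example.net/wp-comments-post.php HTTP/1.0" 200 64 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [10/Mar/2005:12:00:04 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"',
    '203.0.113.7 - - [10/Mar/2005:12:00:05 +0000] "GET http://www.example.org/about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    per_ip, reasons = proxy_report(SAMPLE_LOG)
    for ip, count in per_ip.most_common():
        print(f"{ip}: {count} proxy-style request(s)")
    for ip, why in reasons:
        print(f"  {ip}: {why}")
```

Run it against a real log with `proxy_report(open("access_log"))`. Any non-zero count for a server that is not meant to be a proxy is the evidence to put in front of the admin: it shows which clients are abusing it and what they are pushing through it, which is the "pattern" the post above is after.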

The issue is, a lot of the zombie boxes are completely unknown to the users. I traced one such comment spam thread back, and found proxies everywhere, from ecommerce sites in the EU, to research universities, to residential cable internet hookups. I think the best thing that can be done is encourage as many people as possible to secure their machines - or, depending on how extreme things get, have ISPs block uploads on certain connections when they detect that the computer is sending a huge amount of traffic on unusual ports with no reason to do so. This would certainly prevent a lot of worms, which themselves can make computers vulnerable to subsequent zombification.


There's no perfect solution yet, but if you're determined enough, you can use a site like centralops.net (domain dossier) to find out info on the sites, and warn the users or ISPs that their computers may be infected, and doing quite a number of things that their owners don't want them to do...


I'm very serious about this. I don't have the capacity to run down every proxy server. But I'm starting to see some patterns here as to what's happening on these servers.


I'm guessing the best way would be to create enough of a ruckus the admins will have to take it seriously, like they did with open e-mail relays a few years ago.


As to zombies, that's trickier. There are some zombies on my ISP's net. I notified the ISP, and they replied and told me they didn't have the capacity to run down specific users and warn them about this. So the users will keep on trying to get through my firewall - indefinitely. Unless I can find those IP numbers on Google connected to an e-mail address or user name, there's nothing I can do about it.


I've seen an absolutely enormous amount of referer spam over the past several weeks, coming from a large set of different IP addresses and pointing to an equally large set of sites. There's some good discussion of it in several places:





The mass of it functioned as a DDOS against one host:



Reid (the author of the first link above) has tracked a lot of it back to a single source, and is trying to get Verio to act on it -- but not much luck so far.
