Archive for the ‘spamhuntress’ Category

Open proxies - an overview for admins

Sunday, February 20th, 2005

Here’s the first article I promised a while ago. I’ve tried to distill my knowledge about open proxies, from the perspective of me trying to convince admins to secure them:

Open Proxies

Discussion here below:

How do I keep my forum free of spam?

Sunday, February 20th, 2005

I put this article outside the blog. I expect quite a lot of search engine generated traffic, so that makes sense. Comments can be left here.

How do I keep my forum free of spam?

Really kicking forum

Sunday, February 20th, 2005

These guys hate spammers with a passion:

Talkaboutspam

Make up of the spammer scripts

Sunday, February 20th, 2005

We’ve been talking about blocking spammers in .htaccess before.

And so with that in mind I went through the results of a tracking script. Most of the referrer spammers have gone clear of that, by not spamming to individual posts in my blog. In fact, most spam the root of my site instead. But of those I caught, here’s a rundown:

One spammer didn’t have any identifying marks that could be blocked.

But dvdsqueeze, which is a regular in my log, can be blocked with these lines (not completely sure of the syntax, but it’s something like this):
RewriteEngine On
# Return 403 Forbidden to any request relayed through a proxy whose Via header names mesa1
RewriteCond %{HTTP:Via} ^.+mesa1
RewriteRule .* - [L,F]

The whole Via header looks like this:
1.0 wc03.inet.mesa1.secureserver.net:3128 (squid/2.5.stable6)

New tactic: Invisible comment spam

Sunday, February 20th, 2005

Today I woke up to two new comments in my moderation queue. New spammer. Topic: adult webcam

And what’s more, it’s relying on a new technique. It’s invisible!

In the moderation queue, it looks a little like the Bulgarians, in that it starts with the HTML code for the biggest headline. But the next codes nested inside those tags are typical of CSS files, and set the font size to 1px and the line height, margin and padding to 0px. The headline tag ends just before the final line, which consists of a bland greeting with a non-working hyperlink. The result is one line that isn’t visible except for the underline of links (and even that won’t be visible in some cases, depending on your CSS file), followed by one bland visible line that won’t tell you anything. The only way to figure out that it’s spam is to see the comment in your moderation queue or from inside your admin interface.
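As an added example (not code from the original post), here is a small Python check that separates a comment’s visibly rendered text from text hidden by inline CSS (1px font, zero line height, display:none, visibility:hidden) and flags comments where most of the text is hidden, as in the headline trick described above. The sample comment, the example.invalid links and the 50% threshold are constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Inline CSS that makes text effectively invisible (1px/1pt or smaller fonts, zero line height, ...).
HIDING_RULES = (
    re.compile(r"font-size\s*:\s*(?:0|0?\.\d+|1(?:\.\d+)?)\s*(?:px|pt)?\s*(?:;|$)", re.I),
    re.compile(r"line-height\s*:\s*0+(?:\.0+)?\s*(?:px|em)?\s*(?:;|$)", re.I),
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
)
VOID_TAGS = {"br", "img", "hr", "input"}  # never closed, so never tracked as hiding

def style_hides_text(style):
    return any(rule.search(style or "") for rule in HIDING_RULES)

class HiddenTextScanner(HTMLParser):
    """Split a comment into visibly rendered text and text hidden by CSS."""
    def __init__(self):
        super().__init__()
        self.hiding = []        # open elements whose inline style hides their content
        self.visible, self.hidden, self.links = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag not in VOID_TAGS and style_hides_text(a.get("style")):
            self.hiding.append(tag)

    def handle_endtag(self, tag):
        if self.hiding and self.hiding[-1] == tag:
            self.hiding.pop()

    def handle_data(self, data):
        if text := data.strip():
            (self.hidden if self.hiding else self.visible).append(text)

def scan_comment(html, threshold=0.5):
    """Return (suspicious, hidden_chars, visible_chars, links); suspicious means at least `threshold` of the text is hidden."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    hidden, visible = (sum(map(len, part)) for part in (scanner.hidden, scanner.visible))
    ratio = hidden / ((hidden + visible) or 1)
    return ratio >= threshold, hidden, visible, scanner.links

SPAM = (  # constructed sample: a CSS-hidden keyword headline, then one bland visible line
    '<h1 style="font-size:1px;line-height:0;margin:0;padding:0">keyword keyword keyword '
    '<a href="http://example.invalid/x">cheap stuff</a></h1>'
    'Nice blog, keep it up! <a href="http://example.invalid/">home</a>')
```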

And the spammer? The whois record looks like this:

Registrant:
Almenix inc
Marcus Bellies-Vinterfrost (marcus at freecasinoplay d ot info)
Kalininskiy pr 12
Magadan
null,137501
RU
Tel. +910.21225550861

Registrar: Directi
Webhost: Esthost
DNS: Dnsmadeeasy, however, dig reveals elion.ee, which looks Finnish to me. Ah, it’s Estonian.

I also checked out the charcode (character-code obfuscated content) inside one of the pages. When decoded, it points to a JavaScript file. THAT is what the viewer will see, not what the search engines will see.

And what’s interesting, is that the viewer will see this message:

SUSPENDED for SPAM

if the referrer isn’t from a list of search engines. And then the page reloads into that of a bland search engine.

BUT, if the referrer is from a search engine, you’ll see the webcam page.

How’s that for cloaking? It’s specifically cloaked for bloggers to not take seriously, yet still serving up the intended page for the search engine produced traffic.

If bloggers were ever unsure of what the tactic was, we know now!


Catching new referrers

Saturday, February 19th, 2005

I had a discussion with one of the regulars here, about how we find new referrers. Which means either new people linking to us, or new spammers. Shrugs…

Anyway, he used to look at the stats, while I’ll only check the first 10 rather quickly.

In my opinion, the problem with website stats is that they’re for the whole month. And if you want to check out what’s happened since yesterday, you’ll have to slog through the whole list, going googly-eyed in the process, trying to remember which ones are new.

So, here’s what I do:

I download my raw log files. Not necessarily the whole file. I might grep for the last two days and download gzipped versions of those. If you’re on a cpanel webhost without shell access, use cron for that. Here are some pointers that can be adapted. But really, it’s as simple as:
grep '19/Feb/' /path/to/yourlog | gzip -9 > /home/username/19feb.gz
Remember that paths are different from host to host, and you may need some time to figure out yours.

OK, so, then I unzip them and copy the contents into one file.

And then I fire up TextHarvest
(This only works on Windows machines. For *NIX and Mac I recommend grep and batch files, though it requires more coding.)

I start by removing anything from the /Keep list, and then add, one by one, the referrers I don’t need to be reminded of to the /Delete list.

Start each keyword with \.
I think the default is /, but that doesn’t work with log files, because there are too many instances of /. \ is my favorite. It hasn’t broken yet with log files.

The trick here is to keep the list in a text doc, because it will grow over time. TextHarvest manages a very large list of exclusions, but if you enter several K worth of keywords, it’ll barf.

When you’ve run the query and browse the results, you can add more keywords to the list. Here’s a small part of mine:
\annelisabeth.com\""\"-"\W3CRobot\metafilter\403 \kuro5hin

What you want to filter out depends on what you’re looking for. New linkers or spammers. I like to look for anything I haven’t seen before. So almost everything gets added to my list with time.

But the beauty of keeping this list in a text doc is that at any time you can delete the list from TextHarvest and just search for, say, the error code 403. Remember to put a space afterwards, or you’ll get a lot of false positives. Most of our .htaccess blocks produce 403 errors, so it’s a nice way of keeping track of the spamming activities of the Bulgarians and Alexander.
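As an added example (not code from the original post), this Python script stands in for the TextHarvest step above: it drops every raw log line that contains a keyword from a backslash-delimited exclusion list, tallies the referrer hosts that remain, and separately counts 403 responses per referrer, as the "403 " search does. The combined-format log lines in SAMPLE_LOG and the KEYWORDS list are constructed; the referrer domains are placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format: pull out the status code and the referrer field.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "[^"]*"')

def parse_keywords(keyword_line):
    """Split a TextHarvest-style exclusion list that uses a backslash as the delimiter."""
    return [k for k in keyword_line.split("\\") if k]

def referrer_host(referrer):
    return urlsplit(referrer).netloc.lower() if referrer.startswith("http") else referrer

def new_referrers(lines, keywords):
    """Referrer hosts left after dropping every raw line that contains any keyword,
    which is how the /Delete list acts on log text."""
    hosts = Counter()
    for line in lines:
        if any(k in line for k in keywords):
            continue
        m = LOG_RE.match(line)
        if m:
            hosts[referrer_host(m["referrer"])] += 1
    return hosts

def blocked_by_referrer(lines):
    """Count 403 responses per referrer host: the .htaccess blocks at work."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"] == "403":
            hits[referrer_host(m["referrer"])] += 1
    return hits

# Constructed sample lines, not real log data.
SAMPLE_LOG = [
    '10.0.0.1 - - [19/Feb/2005:08:00:00 +0000] "GET /post/1 HTTP/1.1" 200 5120 "http://annelisabeth.com/" "Mozilla/5.0"',
    '10.0.0.2 - - [19/Feb/2005:08:01:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [19/Feb/2005:08:02:00 +0000] "GET /feed HTTP/1.1" 200 2048 "" "W3CRobot/1.0"',
    '10.0.0.4 - - [19/Feb/2005:08:03:00 +0000] "GET / HTTP/1.1" 403 215 "http://casino.example/" "Mozilla/4.0"',
    '10.0.0.5 - - [19/Feb/2005:08:04:00 +0000] "GET /post/2 HTTP/1.1" 200 4031 "http://newlinker.example/blog/" "Mozilla/5.0"',
    '10.0.0.6 - - [19/Feb/2005:08:05:00 +0000] "GET / HTTP/1.1" 200 3000 "http://pills.example/" "Mozilla/5.0"',
]
# The trailing space after 403 matters: without it the byte count 4031 in line 5 would match too.
KEYWORDS = parse_keywords(r'\annelisabeth.com\""\"-"\W3CRobot\403 ')
```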

Any questions?

New clueless reffy spammer

Saturday, February 19th, 2005

We’ve got a new clueless reffy spammer in the logs from yesterday.

Say hello to
Matt

Who’s clueless enough to use his own (?) DSL line to spam his adult related domains.

Abuse reports sent to both ISP and webhosts.

Heh, he must be very happy about the way he looks. Didn’t take me more than a minute to find a picture of him. All his whois info has different addresses, but he puts a picture online? Tell me what the logic is in that?

Bulgarians trackbacking again

Friday, February 18th, 2005

I’d turned off some of my .htaccess protections, so when the Bulgarians started sending trackbacks, one came through right away.

This just started over at my place.

I don’t know if it was a one off, or a new attack starting.

I reinstalled the old blocks, and so far no error messages.

More about the Bulgarians

Running down the Bulgarians

Friday, February 18th, 2005

The third entry on February 16 for joatBlog is an interesting lesson in tracing, with our ‘favorite’ spammers as the subject.

More about the Bulgarians

New tactic from the Bulgarian spammers

Friday, February 18th, 2005

We’ve talked about the bait and switch before. The spammers put up an ‘account terminated’ notice while doing a spam run, then switch it to the real site after the spam run is finished.

And that’s what I thought we were seeing with the nutzu spam run too. But I didn’t look deeply enough.

Michael commented below that the real page is actually already there. It’s the JavaScript that loads the termination page, which means Google will never see it. They’ll only see the page the spammers intended it to see.

Which in turn means that from now on, we have to check spamvertized pages even better than before. We know they’ve been cloaking their pages for a while with javascript. But now they’ve taken it to new heights.

UPDATE: I realized after thinking about it for a while, that they’re going to have to remove the javascript at some point. Because after all, the goal is to have humans eyeballing the site at some point. After people have found the site through Google, that is.

More about the Bulgarians