Trackback run expected

I got a trackback this morning, with a nonsensical domain name. I’ll leave it up for a while, to see what happens.

IP address:
68.49.179.15
pcp09581356pcs.rtchrd01.md.comcast.net
proxy

User agent:
Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

This is the same user agent Alexander Morozov used, isn’t it?

So expect a filthy trackback spamrun soon.

If it really is Alexander Morozov, then the AAA part of the Bulgarian block may work. This is just a guess, based on earlier blocks I’ve had; one time I edited the .htaccess on the fly while he was actively spamming.

6 Responses to “Trackback run expected”

  1. Tom Raftery Says:

    Bad news Ann,

    I have the AAA block in my .htaccess file and I received a trackback spam this morning which matched the one you mention above.

    Same User Agent, nonsensical domain name but diff IP (172.164.210.50 - an AOL IP).

    Cheers,

    Tom

  2. Administrator Says:

    If that’s the case, then we’ll need someone who logs all HTTP headers to speak up. To see if there’s anything that’ll help, short of blocking the user agent - if that’s the same in your case?

  3. Tom Raftery Says:

    The User Agent is exactly the same in my case.

    I blocked the UA using the following line in my .htaccess file:
    # The pattern must be quoted because it contains spaces.
    SetEnvIfNoCase User-Agent "^Mozilla\/4.0 \(compatible; MSIE 5.5; Windows 98; Win 9x 4.90\)" spammer=yes

    It sounds a bit drastic but I went through my logs and couldn’t find any genuine browser using this UA!

    I’d prefer to find a rule to prevent this UA from posting (i.e. allow get but deny post) but my knowledge of .htaccess doesn’t extend that far.

    Tom

  4. Tom Raftery’s I.T. views » Blog Archive » Blocking trackback spam using .htaccess Says:

    […] ndows 98; Win 9x 4.90). I took a look at Spamhuntress’ site and sure enough she has a post warning that a trackback spam run is about to get underway imminently. I took […]

  5. Administrator Says:

    Right, swiped this from annelisabeth. Tested and works:

    ————–

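    # Flag requests from these two user agents (parentheses escaped so they match literally).
    SetEnvIf User-Agent "Mozilla/3.0 \(compatible; Indy Library\)" botsp
    SetEnvIf User-Agent "compatible; MSIE 5.5; Windows 98; Win 9x 4.90" botsp

    # Allow everyone except flagged requests.
    Order Allow,Deny
    Allow from all
    Deny from env=botsp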

    ———

    It’s possible to limit it to one file only as well, if needed. In fact, if you limit any Mozilla user agents from posting to your trackback script, you should be doing pretty good, except for the xmix trackbacks.

    You should probably retype the “”, because WordPress changes them.

  6. Administrator Says:

    I got one IP that fetched the post, and another that did a POST. The GET request came from:
    66.90.167.220
    66-90-167-220.dyn.grandenetworks.net
    Don’t know if it’s a proxy. Hmm, probably not, because of that “dyn” in the name. Could be a compromised box.
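The second comment asks for logged request data, and the last one notes that the GET and the POST came from different addresses. As an added example (not code from the post or its commenters), this Python script scans an Apache access log for trackback POSTs carrying the reported user agent and records whether the posting address ever issued a GET. The combined log format, the trackback URL patterns and the sample log lines (documentation-range IPs) are assumptions constructed for illustration.

```python
import re

# User agent string reported in the post and comments.
SPAM_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

# Assumption: Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: trackback URLs end in /trackback/ or hit wp-trackback.php.
TRACKBACK_RE = re.compile(r"(/trackback/?$|/wp-trackback\.php)")

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = f"""\
198.51.100.7 - - [01/Jan/2005:08:00:01 +0000] "GET /2005/01/some-post/ HTTP/1.0" 200 5120 "-" "{SPAM_UA}"
192.0.2.44 - - [01/Jan/2005:08:00:09 +0000] "POST /2005/01/some-post/trackback/ HTTP/1.0" 200 78 "-" "{SPAM_UA}"
198.51.100.7 - - [01/Jan/2005:08:00:15 +0000] "POST /wp-trackback.php?p=12 HTTP/1.0" 200 78 "-" "{SPAM_UA}"
203.0.113.5 - - [01/Jan/2005:08:05:00 +0000] "GET /2005/01/some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"
203.0.113.5 - - [01/Jan/2005:08:06:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"
"""

def find_trackback_posts(lines, ua=SPAM_UA):
    """Return trackback POSTs sent with `ua`, noting if the IP ever did a GET."""
    ips_with_get = set()
    posts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] == "GET":
            ips_with_get.add(m["ip"])
        elif (m["method"] == "POST" and m["ua"] == ua
              and TRACKBACK_RE.search(m["path"])):
            posts.append((m["ip"], m["path"], int(m["status"])))
    # A POST from an address with no GET at all matches the split
    # fetch/post pattern described in the last comment.
    return [
        {"ip": ip, "path": path, "status": status, "ip_did_get": ip in ips_with_get}
        for ip, path, status in posts
    ]

if __name__ == "__main__":
    for hit in find_trackback_posts(SAMPLE_LOG.splitlines()):
        print(hit)
```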
