Amateur trackback spammer?
I got two trackbacks to annelisabeth.com today that I couldn’t make heads or tails of.
They appeared spammy, in that the excerpt was very much like a spammy comment:
^_^,Pretty Good!
The URL is for a blog with only one post for April, and some text in a foreign language. The hosting is in China.
This trackback also got through my moderation queue on annelisabeth, although the mail I got said that it had been moderated. In fact, according to Google’s cache, all those trackbacks I thought had been moderated were live on my site until right now (I had forgotten to remove them, because I thought they weren’t visible)! No wonder the xmix spammers kept spamming until I blocked them!
But anyway, the logs tell me that this was spam, though of a more amateurish type.
He came in using this Google search:
mt-tb.cgi 403 error
And he’s using Chinese language in Google.
IP address:
61.145.232.249
Chinese IP block, Microsoft-IIS/5.1 machine with a webserver on it.
User agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; i-NavFourF; .NET CLR 1.1.4322; Alexa Toolbar)
.Text Version .96
And here’s the tip-off: that second user agent is unknown to me, and since he’s using Movable Type, he wouldn’t have used that user agent for trackbacks.
Headers:
Hmmm, the HTTP_ACCEPT for the browser is */*, while it’s missing for the other one. Having only */* for an IE browser is unusual, but not unheard of. It behaves on the site like a typical browser.
The other one has this rather unusual header:
HTTP_EXPECT=100-continue
The rest is uninteresting.
IP number of his website:
211.139.253.93
and his website has a name that contains the word hack.
Update April 16
He’s back, and this time he’s added the name of his site to the user agent, after the script name.
IP address:
219.131.234.177
Server: Microsoft-IIS/5.1
User agent of the GET’ing script:
Mozilla Compatible (MS IE 3.01 WinNT)
and my site as the referrer.
And he hasn’t completely fine-tuned the script, because the POST request starts like this:
POST /blog/mt-tb.cgi/174?title=csh… (munged his site name)
The browser leaks this data:
HTTP_ACCEPT=text/html
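The header quirks noted above (an unknown user agent on the trackback POST, no Accept header, `Expect: 100-continue`, and, in the April 16 update, trackback parameters passed in the query string) can be turned into a small review script for a moderation queue. The following is an added example, not code from this post or from Movable Type. It assumes request records in CGI-environment style, that legitimate trackback pings arrive with a User-Agent starting with a known prefix such as `MovableType` (adjust `KNOWN_PING_AGENTS` to what your own logs show), and the sample records are constructed, using documentation-range IP addresses rather than the ones in the post.

```python
"""Heuristic review of trackback POSTs using the header tells described above.

Added example, not part of the original post. Sample records are constructed.
"""
from typing import Dict, List, Tuple

# Assumption: legitimate pings from blog software carry a User-Agent that
# starts with one of these prefixes. Tune this to what your server logs.
KNOWN_PING_AGENTS = ("MovableType", "WordPress")

# Trackback endpoint named in the post.
TRACKBACK_PATH = "/blog/mt-tb.cgi"


def score_trackback(rec: Dict[str, str]) -> List[str]:
    """Return the heuristic hits for one request record.

    Only POSTs to the trackback endpoint are scored; anything else returns
    an empty list so ordinary browsing is never flagged by this check.
    """
    hits: List[str] = []
    uri = rec.get("REQUEST_URI", "")
    if rec.get("REQUEST_METHOD") != "POST" or not uri.startswith(TRACKBACK_PATH):
        return hits

    ua = rec.get("HTTP_USER_AGENT", "")
    if not ua.startswith(KNOWN_PING_AGENTS):
        hits.append("user agent is not a known trackback client: %r" % ua)
    if "HTTP_ACCEPT" not in rec:
        hits.append("no Accept header on the ping")
    if rec.get("HTTP_EXPECT", "").lower() == "100-continue":
        hits.append("Expect: 100-continue, unusual for ping clients")
    if "title=" in uri:
        hits.append("trackback title sent in the query string, not the POST body")
    return hits


def flag_suspicious(records: List[Dict[str, str]], threshold: int = 2) -> List[Tuple[int, List[str]]]:
    """Return (index, hits) for every record with at least `threshold` hits."""
    flagged = []
    for i, rec in enumerate(records):
        hits = score_trackback(rec)
        if len(hits) >= threshold:
            flagged.append((i, hits))
    return flagged


# Constructed sample records (documentation-range addresses, not real logs).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {   # a normal ping from blog software
        "REQUEST_METHOD": "POST", "REQUEST_URI": "/blog/mt-tb.cgi/174",
        "HTTP_USER_AGENT": "MovableType/3.15", "HTTP_ACCEPT": "*/*",
        "REMOTE_ADDR": "192.0.2.10",
    },
    {   # the first visit: unknown agent, no Accept, Expect: 100-continue
        "REQUEST_METHOD": "POST", "REQUEST_URI": "/blog/mt-tb.cgi/174",
        "HTTP_USER_AGENT": ".Text Version .96", "HTTP_EXPECT": "100-continue",
        "REMOTE_ADDR": "192.0.2.20",
    },
    {   # the return visit: site name appended to the agent, title in the query
        "REQUEST_METHOD": "POST", "REQUEST_URI": "/blog/mt-tb.cgi/174?title=example-site",
        "HTTP_USER_AGENT": ".Text Version .96 example-site", "HTTP_EXPECT": "100-continue",
        "REMOTE_ADDR": "192.0.2.30",
    },
    {   # an ordinary browser GET, must not be scored at all
        "REQUEST_METHOD": "GET", "REQUEST_URI": "/blog/2005/04/post.html",
        "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "HTTP_ACCEPT": "*/*", "REMOTE_ADDR": "192.0.2.20",
    },
]


if __name__ == "__main__":
    for index, reasons in flag_suspicious(SAMPLE_RECORDS):
        print("record %d from %s:" % (index, SAMPLE_RECORDS[index]["REMOTE_ADDR"]))
        for reason in reasons:
            print("  -", reason)
```

The threshold keeps a single odd header (a legitimate client with no Accept header, say) from landing a ping in the queue on its own; two or more of the tells together is what the post's own reasoning relies on.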