trackback spammed today
I got a number of trackback spams today. Later I also found comments from the same spammer.
The spammer posted so many pieces of spam, my mailserver had a bit of trouble. He didn’t keep it going more than a few minutes, but it was pretty intense. I saw samples on another blog earlier today, so he’s probably sending spam to one server at a time until he’s through the list.
These accessed wp-trackback.php directly, which is unusual these days. That’s behavior you wouldn’t see from a real blog, and can be blocked with a WordPress plugin. It can probably be blocked with an .htaccess block specifically targeting that file as well.
He’s also accessing wp-comments-post.php directly. That’s how it usually happens, but most browsers also leave a referrer. Not all, though. Hmm, hard to block without also blocking legitimate comments.
The trackbacks are part nonsense, part real domain names. One of the domains was probably entered by fluke. The first two pages on 1bc.com were last modified in 1999.
free-online-poker-000.biz on the other hand, belongs to the spammer:
Administrative Contact Name: Yukkii
Administrative Contact Organization: e-leave
Administrative Contact Address1: 3 Connell Dr.
Administrative Contact City: Berkeley Heights
Administrative Contact State/Province: NY
Administrative Contact Postal Code: 07922
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.9082342243
Administrative Contact Email: yukkikunikkennen@yahoo.com
Old acquaintance…
The website isn’t served right now, probably just standard MO. It should be up in less than a week.
Here are the proxy servers:
All of them with this header:
[CONTENT_TYPE] => application/x-www-form-urlencoded
Which I’ve also found with genuine trackbacks: MovableType/2.65 and more.
Many of them sporting this header:
[HTTP_MAX_FORWARDS] => 10
And some with VIA headers:
205.132.32.10
[HTTP_VIA] => 1.0 webmail
148.244.223.236
[HTTP_VIA] => webshield.daltile.com.mx
217.97.16.1
[HTTP_VIA] => 1.0 szuwarek.tpnet.pl
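The traits noted above (direct POSTs to wp-trackback.php, comment POSTs without a referrer, Via and Max-Forwards headers) can be tallied per request from dumps in the same `[KEY] => value` form. This is an added example, not code from the original post; the sample dumps, the documentation-range addresses and the names `parse_dumps`, `signals` and `report` are assumptions made for illustration.

```python
import re

# Constructed sample dumps in the "[KEY] => value" style quoted above.
# Addresses come from the documentation range 192.0.2.0/24, not from the post.
SAMPLE = """\
[REMOTE_ADDR] => 192.0.2.10
[REQUEST_METHOD] => POST
[REQUEST_URI] => /wp-trackback.php?p=12
[CONTENT_TYPE] => application/x-www-form-urlencoded
[HTTP_MAX_FORWARDS] => 10

[REMOTE_ADDR] => 192.0.2.20
[REQUEST_METHOD] => POST
[REQUEST_URI] => /wp-comments-post.php
[HTTP_VIA] => 1.0 proxy.example

[REMOTE_ADDR] => 192.0.2.30
[REQUEST_METHOD] => POST
[REQUEST_URI] => /wp-comments-post.php
[HTTP_REFERER] => http://blog.example/?p=12
"""
LINE = re.compile(r"^\s*\[([A-Z0-9_]+)\] => (.*?)\s*$")

def parse_dumps(text):
    """Split blank-line separated dumps into dicts of server variables."""
    dumps = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(m.groups() for m in map(LINE.match, block.splitlines()) if m)
        if fields:
            dumps.append(fields)
    return dumps

def signals(req):
    """List which of the traits described in the post one request shows."""
    found = []
    path = req.get("REQUEST_URI", "").split("?", 1)[0]
    is_post = req.get("REQUEST_METHOD") == "POST"
    if is_post and path.endswith("/wp-trackback.php"):
        found.append("direct-trackback")
    if is_post and path.endswith("/wp-comments-post.php") and not req.get("HTTP_REFERER"):
        found.append("comment-without-referrer")
    # CONTENT_TYPE is ignored on purpose: genuine trackbacks send the same value.
    for key, name in (("HTTP_VIA", "via-header"), ("HTTP_MAX_FORWARDS", "max-forwards-header")):
        if key in req:
            found.append(name)
    return found

def report(text):
    """Map each client address to the traits its request showed."""
    return {r.get("REMOTE_ADDR", "?"): signals(r) for r in parse_dumps(text)}
```

A single trait is weak evidence, since some real browsers send no referrer; several traits on one request make a stronger case.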
[...]’s the spammer below. Accessing wp-trackback.php directly. Looks like the same script as Yukkii used before. This entry was posted on [...]
This header appears on any properly formed POST request and is indeed the correct Content-Type. Without it, nothing would be POSTed! This applies equally to legitimate comments as well as trackbacks and anything else that uses POST. It’s possible to use something else as the Content-Type, but I’ve never seen a valid POST request with anything else.