Comments on: Evil geniouses

by: Lemat

Sat, 26 Nov 2005 02:31:05 +0000

Done. I have replaced 7k URLs with my blacklist. If you need to login there use three spaces as login and password. There is interesting “process list” - the spam run can be aborted.

by: Lemat

Sat, 26 Nov 2005 01:12:49 +0000

I have just found a guestbook spammer who forgot to log-out
www.avan-post.ru./board/index.php?sect=base&mod=import&sid=147558f6123818c1493b9703e04b3774

I’m preparing currently something really evil…

by: Manni

Mon, 21 Nov 2005 06:32:53 +0000

How about this then: just keep the connection open and send nothing.

This way you aren’t wasting anyone’s bandwidth, but you severly decrease the spammer’s efficiency.

by: Olliver

Mon, 21 Nov 2005 00:34:25 +0000

Lemat, if the majority of spambots you are receiving follows redirects your defense strategy would succeed, of course. But speaking of me and the servers I administer, the majority of bots doesn’t follow them, so it wouldn’t be useful here. Also I don’t like the idea of involving unrelated 3rd parties and their resources with problems I have.

To me, a better approach would be to direct them to non-resolving addresses like for instance the 169.254/16 or 192.0.2/24 ranges. In case their application is using blocking sockets, it could severely slow down their spamrun, since they won’t receive any responses at all and the program can’t continue as long as the connection hasn’t timed out.

Some proxies have an interesting behaviour with redirects to nowhere: They will bounce the request back to the client and as a consequence spam would attempt to connect to itself. So if they spam themselves, they can blame it on the proxy servers they were using .

by: Lemat

Sun, 20 Nov 2005 23:32:34 +0000

It would be funny to redirect them to http://cia.gov/i+am+the+cybber+terrorist+come+and+get+me and send an email to webmaster@cia “have you experienced strange apache log entries lately?”, where cia could be replaced with fbi, kgb, theplanet, etc. KGB would be nice, since many of them came from Russia, I was already called “KGB peasant” at umax forum (well, I can’t translate it correctly since it was written in russian and reffered to russian secret police, which has a very negative meaning there), so I don’t want to dissapoint them.

by: Lemat

Sun, 20 Nov 2005 22:35:09 +0000

There are some crawlers that follow 301/302 Moved, and there are some which don’t. I see that referrer spam follows.
But I think instead of linux kernel one should use WinXP service pack 2 - M$ download sites are spread all over akamai mirrors and the file is bigger.

by: Olliver

Sun, 20 Nov 2005 21:59:42 +0000

While this may look like a nice idea at first glance there’s a good chance that it doesn’t work at all. Reason is, that a redirect will only work as long as the client understands HTTP redirects. A dumb script running as cronjob on the server certainly doesn’t. So instead of a kernel the only thing that will be downloaded is:


302 Found

Found The document has moved here.

And that’s it. Curl for instance doesn’t follow any redirects at all and I myself use it to check where a redirect actually leads to. It’s very easy to integrate in shell scripts, so it can be run as cronjob to mass spam people. Spammers are aware of articles about doing all sorts of redirects so they knowingly will avoid this risk.

by: Administrator

Sun, 20 Nov 2005 15:44:27 +0000

Remember that the Zaharievs tend to use open proxies. So it’s not just the Zaharievs who will be slowed down, it’s the proxies as well.

If only the proxy owners would realize what was going on and secure their machines, I’d be happy.

I guess it’s too much to ask for to think that the proxy owners will realize something’s wrong when they see those requests (probably never read their logs, though).

by: Brian

Sun, 20 Nov 2005 15:27:05 +0000

Only 50mb? Hell, I’d like to send them to a nice, full DVD iso image….. if I knew of one where the bandwidth wasn’t going to cause the host a world of trouble.