Evil geniuses

I found a referrer and checked it out. It turns out to belong to a guy who gives away free 50 meg Linux kernels to spammers.

Yeah, you heard right…

The Zaharievs get their request redirected to a Linux kernel each time they request a page from his site!

Now that’s inspired!

Oh, and I caught a small sentence there about The Aggressive Self-Defence Book. He considers himself a good guy compared to that. Sounds like it’s worth reading for evil geniuses, and spam fighters?

9 Responses to “Evil geniuses”

  1. Brian Says:

    Only 50 MB? Hell, I’d like to send them to a nice, full DVD ISO image… if I knew of one where the bandwidth wasn’t going to cause the host a world of trouble.

  2. Administrator Says:

    Remember that the Zaharievs tend to use open proxies. So it’s not just the Zaharievs who will be slowed down, it’s the proxies as well.

    If only the proxy owners would realize what was going on and secure their machines, I’d be happy.

    I guess it’s too much to ask to think that the proxy owners will realize something’s wrong when they see those requests (they probably never read their logs, though).

  3. Olliver Says:

    While this may look like a nice idea at first glance, there’s a good chance that it doesn’t work at all. The reason is that a redirect will only work as long as the client understands HTTP redirects. A dumb script running as a cronjob on the server certainly doesn’t. So instead of a kernel, the only thing that will be downloaded is:

    302 Found

    Found
    The document has moved here.

    And that’s it. curl, for instance, doesn’t follow any redirects at all, and I myself use it to check where a redirect actually leads. It’s very easy to integrate into shell scripts, so it can be run as a cronjob to mass-spam people. Spammers are aware of articles about doing all sorts of redirects, so they will knowingly avoid this risk.

  4. Lemat Says:

    There are some crawlers that follow 301/302 Moved, and there are some which don’t. I see that referrer spam follows.
    But I think instead of a Linux kernel one should use WinXP Service Pack 2: M$ download sites are spread all over Akamai mirrors, and the file is bigger.

  5. Lemat Says:

    It would be funny to redirect them to http://cia.gov/i+am+the+cybber+terrorist+come+and+get+me and send an email to webmaster@cia: “have you experienced strange Apache log entries lately?”, where cia could be replaced with fbi, kgb, theplanet, etc. KGB would be nice, since many of them came from Russia. I was already called a “KGB peasant” at the umax forum (well, I can’t translate it correctly, since it was written in Russian and referred to the Russian secret police, which has a very negative meaning there), so I don’t want to disappoint them. ;)

  6. Olliver Says:

    Lemat, if the majority of spambots you are receiving follow redirects, your defense strategy would succeed, of course. But speaking of me and the servers I administer, the majority of bots don’t follow them, so it wouldn’t be useful here. Also, I don’t like the idea of involving unrelated 3rd parties and their resources in problems I have.

    To me, a better approach would be to direct them to non-resolving addresses like, for instance, the 169.254/16 or 192.0.2/24 ranges. In case their application is using blocking sockets, it could severely slow down their spam run, since they won’t receive any responses at all and the program can’t continue as long as the connection hasn’t timed out.

    Some proxies have an interesting behaviour with redirects to nowhere: they will bounce the request back to the client, and as a consequence the spam would attempt to connect to itself. So if they spam themselves, they can blame it on the proxy servers they were using :-).

  7. Manni Says:

    How about this then: just keep the connection open and send nothing.

    This way you aren’t wasting anyone’s bandwidth, but you severely decrease the spammer’s efficiency.
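The three countermeasures this thread discusses side by side, as an added example that is not code from the original post or from any commenter: a small Python HTTP server that matches the Referer host against a blacklist and then either 302-redirects the bot to a large file (the post’s trick), redirects it into the unroutable 192.0.2.0/24 TEST-NET range (Olliver’s “redirect to nowhere”), or tarpits it by answering and then dribbling the body one byte at a time (Manni’s variant). The `dumb_fetch` client deliberately does not follow redirects, so it shows Olliver’s point that such a client only ever sees the short 302 body. The blacklist hosts, `mirror.example` and the large-file URL are constructed placeholders, not real sites.

```python
# Added example: referrer-based spambot countermeasures (redirect / blackhole / tarpit).
import http.client
import http.server
import re
import threading
import time
from urllib.parse import urlparse

# Constructed blacklist of Referer hosts (".invalid" is a reserved TLD, RFC 2606; these
# are placeholders).  Matching the host rather than the raw URL stops a bot from
# dodging the pattern with a different path or query string.
SPAM_REFERRER_PATTERNS = [
    re.compile(r"(^|\.)spamhost\.invalid$", re.IGNORECASE),
    re.compile(r"(^|\.)refspam\.invalid$", re.IGNORECASE),
]
LARGE_FILE_URL = "https://mirror.example/linux-kernel.tar.bz2"  # placeholder big file
# TEST-NET-1 (RFC 5737) is never routed: a blocking client that follows this redirect
# just waits for its connect() to time out.
BLACKHOLE_URL = "http://192.0.2.1/"


def referrer_host(referrer):
    """Lower-cased host of a Referer value, or '' when absent or unparseable."""
    if not referrer:
        return ""
    try:
        return (urlparse(referrer).hostname or "").lower()
    except ValueError:
        return ""


def is_spam_referrer(referrer, patterns=SPAM_REFERRER_PATTERNS):
    host = referrer_host(referrer)
    return bool(host) and any(p.search(host) for p in patterns)


class CountermeasureHandler(http.server.BaseHTTPRequestHandler):
    mode = "redirect"              # "redirect", "blackhole" or "tarpit"
    tarpit_delay = 1.0             # seconds between dribbled bytes
    tarpit_bytes = 10 ** 9         # effectively forever; tests lower this
    protocol_version = "HTTP/1.0"  # one request per connection; closing ends the body

    def do_GET(self):
        if not is_spam_referrer(self.headers.get("Referer")):
            self._reply(200, "text/html", b"<html><body>Welcome.</body></html>")
        elif self.mode == "tarpit":
            self._tarpit()
        else:
            target = BLACKHOLE_URL if self.mode == "blackhole" else LARGE_FILE_URL
            # A script that ignores 3xx gets only this short body: no kernel, no delay.
            self._reply(302, "text/plain", b"Found\r\nThe document has moved.\r\n",
                        [("Location", target)])

    def _reply(self, status, ctype, body, extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _tarpit(self):
        # Commit to a 200 with no Content-Length, then feed the body one byte at a time.
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        try:
            for _ in range(self.tarpit_bytes):
                self.wfile.write(b".")
                time.sleep(self.tarpit_delay)
        except (BrokenPipeError, ConnectionResetError):
            pass  # the bot gave up, which is the point

    def log_message(self, *args):
        pass  # keep the example quiet


def serve(mode, **tuning):
    """Start a server on an ephemeral localhost port in a daemon thread."""
    handler = type("Handler", (CountermeasureHandler,), {"mode": mode, **tuning})
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def dumb_fetch(port, referrer=None, timeout=5):
    """Fetch like a cron script that does NOT follow redirects.
    Returns (status, Location or None, body, elapsed seconds)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
    started = time.monotonic()
    conn.request("GET", "/", headers={"Referer": referrer} if referrer else {})
    resp = conn.getresponse()
    body = resp.read()  # for the tarpit this returns only when the server closes
    result = (resp.status, resp.getheader("Location"), body, time.monotonic() - started)
    conn.close()
    return result


if __name__ == "__main__":
    server, port = serve("redirect")
    print(dumb_fetch(port, referrer="http://www.spamhost.invalid/board/"))  # 302, no kernel
    print(dumb_fetch(port, referrer="http://blog.example/post"))            # 200
    server.shutdown()
```

On a production Apache host the same referrer check is normally expressed with `RewriteCond %{HTTP_REFERER}` plus a `RewriteRule` rather than a custom server; the Python version exists so the three behaviours can be exercised offline. To reproduce the “dumb client” view by hand, `curl -i` shows the 302 status and Location without following it, while `curl -L` follows, which is the difference that decides whether the large-file trick costs the bot anything at all. The tarpit mode keeps the per-request thread alive for as long as the bot stays connected, so cap concurrency or use an asynchronous server before pointing real traffic at it.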

  8. Lemat Says:

    I have just found a guestbook spammer who forgot to log out:
    www.avan-post.ru./board/index.php?sect=base&mod=import&sid=147558f6123818c1493b9703e04b3774

    I’m preparing currently something really evil…

  9. Lemat Says:

    Done. I have replaced 7k URLs with my blacklist. If you need to log in there, use three spaces as login and password. There is an interesting “process list”: the spam run can be aborted.
