Comments on: A peak behind the scenes at a spammer’s lair http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/ Just another WordPress weblog Sat, 17 May 2008 03:10:43 +0000 http://wordpress.org/?v=2.0.7 by: frank http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-47090 Mon, 02 Oct 2006 10:31:46 +0000 http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-47090 I can't believe anyone can be this stupid showing files like that for everyone to manipulate. I can’t believe anyone can be this stupid showing files like that for everyone to manipulate.

]]> by: Vasily Pumpkin http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34886 Sun, 27 Aug 2006 21:46:04 +0000 http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34886 Yes, I forgot that your domain is on shared hosting :-) Syncing requires root privileges, so from that this would only work with a dedicated box. Perhaps I should add, there's one machine querying an external NTP server. This machine serves then as NTP server for the internal network. Each machine will query the local NTP server with rdate as daily cronjob. Yes, I forgot that your domain is on shared hosting :-) Syncing requires root privileges, so from that this would only work with a dedicated box. Perhaps I should add, there’s one machine querying an external NTP server. This machine serves then as NTP server for the internal network. Each machine will query the local NTP server with rdate as daily cronjob.

]]> by: admin http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34869 Sun, 27 Aug 2006 20:16:14 +0000 http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34869 To Vasily, About synchronization/time. It's not my server in that sense, so not really my business to do that. But yes, I do sync my own servers. I have spamhuntress on a server in the US, because most of the readers are there. My own servers are in Norway. To Vasily,
About synchronization/time. It’s not my server in that sense, so not really my business to do that. But yes, I do sync my own servers. I have spamhuntress on a server in the US, because most of the readers are there. My own servers are in Norway.

]]> by: Vasily Pumpkin http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34788 Sun, 27 Aug 2006 11:04:31 +0000 http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34788 Spamhuntress, your synchronisation problem of your server could be easily solved by means of rdate and a daily cron job that runs it. That's the method I use for keeping my network in sync. Back to the subject: I don't think that the server was used as a proxy. The outbound connections were made by his spam tool and unless someone set a sniffer on this machine, there's no trace of the programme left in logfiles. Well, almost: In theory the php code could be faulty and causing a couple of notices or even warnings to show up in logfiles each time it runs. But that's only if the server is set to dump php error messages to Apache's error log (or any other logfile specified in php.ini). But keep in mind that you are just one out of thousands of targets, so you wouldn't be able to recognise a corresponding pattern anywhere, since the error message only points to the faulty code, but not to any connection made. Vasily Spamhuntress,
your synchronisation problem of your server could be easily solved by means of rdate and a daily cron job that runs it. That’s the method I use for keeping my network in sync.

Back to the subject:
I don’t think that the server was used as a proxy. The outbound connections were made by his spam tool and unless someone set a sniffer on this machine, there’s no trace of the programme left in logfiles. Well, almost: In theory the php code could be faulty and causing a couple of notices or even warnings to show up in logfiles each time it runs. But that’s only if the server is set to dump php error messages to Apache’s error log (or any other logfile specified in php.ini).

But keep in mind that you are just one out of thousands of targets, so you wouldn’t be able to recognise a corresponding pattern anywhere, since the error message only points to the faulty code, but not to any connection made.

Vasily

]]> by: admin http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34555 Sat, 26 Aug 2006 14:12:42 +0000 http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34555 Not only that, but the spammer who pointed my attention to that server may or may not be the spammer who set it up. If it's someone else, it might be someone who's plotting the downfall of others? These are the time stamps of the requests from that IP. And yes, the server is on the correct time zone, but the clock is a little off. Up to ten minutes ahead today: [02/Aug/2006:08:38:55 -0500] "GET [08/Aug/2006:09:20:55 -0500] "GET [08/Aug/2006:09:20:59 -0500] "GE [17/Aug/2006:20:18:00 -0500] "GET [17/Aug/2006:20:18:00 -0500] "POST [21/Aug/2006:12:47:41 -0500] "GET [21/Aug/2006:12:47:42 -0500] "POST [23/Aug/2006:11:37:58 -0500] "GET [23/Aug/2006:11:37:58 -0500] "POST [25/Aug/2006:19:21:09 -0500] "GET [25/Aug/2006:19:21:10 -0500] "POST This is the user agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) My question is if that IP was used as a proxy, or if we can show anything in his logs that correspond with this? Not only that, but the spammer who pointed my attention to that server may or may not be the spammer who set it up. If it’s someone else, it might be someone who’s plotting the downfall of others?

These are the time stamps of the requests from that IP. And yes, the server is on the correct time zone, but the clock is a little off. Up to ten minutes ahead today:

[02/Aug/2006:08:38:55 -0500] “GET
[08/Aug/2006:09:20:55 -0500] “GET
[08/Aug/2006:09:20:59 -0500] “GE
[17/Aug/2006:20:18:00 -0500] “GET
[17/Aug/2006:20:18:00 -0500] “POST
[21/Aug/2006:12:47:41 -0500] “GET
[21/Aug/2006:12:47:42 -0500] “POST
[23/Aug/2006:11:37:58 -0500] “GET
[23/Aug/2006:11:37:58 -0500] “POST
[25/Aug/2006:19:21:09 -0500] “GET
[25/Aug/2006:19:21:10 -0500] “POST

This is the user agent:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

My question is if that IP was used as a proxy, or if we can show anything in his logs that correspond with this?

]]> by: Vasily Pumpkin http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34550 Sat, 26 Aug 2006 13:58:15 +0000 http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34550 I think this may take some time as it seems he just got started with spamming and is (yet) pretty clueless. An experienced spammer wouldn't keep his tools on the same server where the doorways and/or throwaway domains lie, but would use an extra server for it and deny any HTTP request except for the spammer him/herself. I think this may take some time as it seems he just got started with spamming and is (yet) pretty clueless. An experienced spammer wouldn’t keep his tools on the same server where the doorways and/or throwaway domains lie, but would use an extra server for it and deny any HTTP request except for the spammer him/herself.

]]> by: admin http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34542 Sat, 26 Aug 2006 12:42:08 +0000 http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34542 Hi log file will be huge by the end of the day if this keeps up! Wonder when he'll figure out what's going on? Hi log file will be huge by the end of the day if this keeps up! Wonder when he’ll figure out what’s going on?

]]> by: admin http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34536 Sat, 26 Aug 2006 12:25:55 +0000 http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34536 Yeah, Wordpress is tricky like that. I don't think that happens in posts, only in comments. But if the logs we see in the logs directory are the real thing, he doesn't have referrers. So it's possible he won't see it. Still, doesn't hurt to be just a little careful. On the other hand, there's a LOT of traffic on that site right now, so he might figure out something's up... On the other hand, I believe the people who used to frequent the community that was once there (the files are gone, but show up in Google's cache), are checking out his file structure as well, so it's not just the people referred there from this site. I mean, any Russian who frequented a place with that name is likely to know how to traverse directory structures ;-) Yeah, Wordpress is tricky like that. I don’t think that happens in posts, only in comments. But if the logs we see in the logs directory are the real thing, he doesn’t have referrers. So it’s possible he won’t see it. Still, doesn’t hurt to be just a little careful.

On the other hand, there’s a LOT of traffic on that site right now, so he might figure out something’s up…

On the other hand, I believe the people who used to frequent the community that was once there (the files are gone, but show up in Google’s cache), are checking out his file structure as well, so it’s not just the people referred there from this site. I mean, any Russian who frequented a place with that name is likely to know how to traverse directory structures ;-)

]]> by: Vasily http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34534 Sat, 26 Aug 2006 12:20:52 +0000 http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34534 Thanks Spamhuntress :-) Of course I didn't mean to provide the spammer a link so he can allocate this article by following the referrers it would leave in his server logs. Seems like Wordpress is automatically converting anything that looks like a valid url into clickable links, although I marked it as code. Next time I'll be wiser and take this behaviour into account. Vasily Thanks Spamhuntress :-)
Of course I didn’t mean to provide the spammer a link so he can allocate this article by following the referrers it would leave in his server logs. Seems like Wordpress is automatically converting anything that looks like a valid url into clickable links, although I marked it as code. Next time I’ll be wiser and take this behaviour into account.

Vasily

]]> by: admin http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34532 Sat, 26 Aug 2006 12:14:32 +0000 http://spamhuntress.com/2006/08/26/a-peak-behind-the-scenes-at-a-spammers-lair/#comment-34532 Vasily, I munged the URL for you. Though the spammer doesn't seem to have referrers set up, I thought it would be a little bit too easy to leave it hotlinked on here. So guys, if you do use that trick, unmunge the URL. Vasily,
I munged the URL for you. Though the spammer doesn’t seem to have referrers set up, I thought it would be a little bit too easy to leave it hotlinked on here.

So guys, if you do use that trick, unmunge the URL.

]]>