A peek behind the scenes at a spammer’s lair
I got a comment that appeared to be from the guy who impersonated Michael Pollitt recently. I knew from before that this one is a bit sloppy, so I checked the IP address. Turns out he left all his files out in the open.
zonewarez.net
You’ll find site logs as well as logs from his spamming. Check it while it’s still operational.
August 26th, 2006 at 6:08 am
Very interesting
In case you have a spare server left, you could type the following on the command prompt (should work on any Unix like operating system):
while true; do wget -qr -l 3 -w 10 --random-wait -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" h*tp://zonewarez.net/ ; done
In this case wget would download the entire web site over and over again, overwriting already existing copies. Now, if 100 people would do this, the bandwidth would skyrocket causing the poor spammer’s website to be taken down because of exceeding the allowed bandwidth.
Of course this is only a demonstration of what Wget can do for you and isn’t meant as a means to harm a second party’s website. Do it at your own risk. I heard some rumours that this is quite popular to knock down doorway pages on free hosts, but of course it could be applied to any other spammer site on a cheapo low budget account. But don’t do it, it’s not nice, though I don’t know in which way this could be considered as self defense.
Vasily
PS: You can interrupt the loop anytime by typing CTRL+C
August 26th, 2006 at 6:14 am
Vasily,
I munged the URL for you. Though the spammer doesn’t seem to have referrers set up, I thought it would be a little bit too easy to leave it hotlinked on here.
So guys, if you do use that trick, unmunge the URL.
August 26th, 2006 at 6:20 am
Thanks Spamhuntress
Of course I didn’t mean to provide the spammer a link so he can allocate this article by following the referrers it would leave in his server logs. Seems like WordPress is automatically converting anything that looks like a valid URL into clickable links, although I marked it as code. Next time I’ll be wiser and take this behaviour into account.
Vasily
August 26th, 2006 at 6:25 am
Yeah, WordPress is tricky like that. I don’t think that happens in posts, only in comments. But if the logs we see in the logs directory are the real thing, he doesn’t have referrers. So it’s possible he won’t see it. Still, doesn’t hurt to be just a little careful.
On the other hand, there’s a LOT of traffic on that site right now, so he might figure out something’s up…
On the other hand, I believe the people who used to frequent the community that was once there (the files are gone, but show up in Google’s cache) are checking out his file structure as well, so it’s not just the people referred there from this site. I mean, any Russian who frequented a place with that name is likely to know how to traverse directory structures.
August 26th, 2006 at 6:42 am
His log file will be huge by the end of the day if this keeps up! Wonder when he’ll figure out what’s going on?
August 26th, 2006 at 7:58 am
I think this may take some time as it seems he just got started with spamming and is (yet) pretty clueless. An experienced spammer wouldn’t keep his tools on the same server where the doorways and/or throwaway domains lie, but would use an extra server for it and deny any HTTP request except for the spammer him/herself.
August 26th, 2006 at 8:12 am
Not only that, but the spammer who pointed my attention to that server may or may not be the spammer who set it up. If it’s someone else, it might be someone who’s plotting the downfall of others?
These are the time stamps of the requests from that IP. And yes, the server is on the correct time zone, but the clock is a little off. Up to ten minutes ahead today:
[02/Aug/2006:08:38:55 -0500] “GET
[08/Aug/2006:09:20:55 -0500] “GET
[08/Aug/2006:09:20:59 -0500] “GE
[17/Aug/2006:20:18:00 -0500] “GET
[17/Aug/2006:20:18:00 -0500] “POST
[21/Aug/2006:12:47:41 -0500] “GET
[21/Aug/2006:12:47:42 -0500] “POST
[23/Aug/2006:11:37:58 -0500] “GET
[23/Aug/2006:11:37:58 -0500] “POST
[25/Aug/2006:19:21:09 -0500] “GET
[25/Aug/2006:19:21:10 -0500] “POST
This is the user agent:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
My question is if that IP was used as a proxy, or if we can show anything in his logs that correspond with this?
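One way to answer that question from the blog’s own access log, as an added example that is not part of the original post or its comments: parse Apache combined-format lines, group them by client IP, and flag IPs whose POST follows a GET within a few seconds, which is the machine-speed pattern visible in the timestamps above (a human reads a page before submitting a comment form). The sample log lines below are constructed for this example; they reuse the timestamps and user agent quoted in the comment, but the IP addresses (documentation ranges), request paths and the WordPress comment endpoint `/wp-comments-post.php` are assumptions, not values from the page. The `skew` argument lets you shift timestamps by a known clock offset (the comment mentions up to ten minutes) before comparing against another host’s logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log; IPs, paths and endpoint are assumptions for this example.
UA_BOT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_HUMAN = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060808 Firefox/1.5.0.6"
SAMPLE_LINES = [
    f'192.0.2.10 - - [17/Aug/2006:20:18:00 -0500] "GET /2006/08/post/ HTTP/1.1" 200 5120 "-" "{UA_BOT}"',
    f'192.0.2.10 - - [17/Aug/2006:20:18:00 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "{UA_BOT}"',
    f'192.0.2.10 - - [21/Aug/2006:12:47:41 -0500] "GET /2006/08/post/ HTTP/1.1" 200 5120 "-" "{UA_BOT}"',
    f'192.0.2.10 - - [21/Aug/2006:12:47:42 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "{UA_BOT}"',
    f'198.51.100.7 - - [21/Aug/2006:12:50:00 -0500] "GET /2006/08/post/ HTTP/1.1" 200 5120 "http://www.example.org/" "{UA_HUMAN}"',
    f'198.51.100.7 - - [21/Aug/2006:12:53:10 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://www.example.org/2006/08/post/" "{UA_HUMAN}"',
]


def parse_line(line, skew=0):
    """Parse one combined-format line into a dict, or None if it does not match.
    skew (seconds) is subtracted from the timestamp, e.g. 600 for a clock ten minutes ahead."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT) - timedelta(seconds=skew)
    return rec


def group_by_ip(lines, skew=0):
    """Return {ip: [records sorted by time]} for every parsable line."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line, skew)
        if rec:
            by_ip[rec["ip"]].append(rec)
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["ts"])
    return dict(by_ip)


def find_get_post_pairs(lines, max_gap=3, skew=0):
    """Return {ip: [(get_ts, post_ts, gap_seconds), ...]} for IPs that sent a POST
    within max_gap seconds of a preceding GET. Scripts fetch the form and post it
    almost instantly; a person takes longer, so a tight gap is a spam indicator."""
    hits = {}
    for ip, recs in group_by_ip(lines, skew).items():
        pairs = []
        for prev, cur in zip(recs, recs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if prev["method"] == "GET" and cur["method"] == "POST" and 0 <= gap <= max_gap:
                pairs.append((prev["ts"], cur["ts"], gap))
        if pairs:
            hits[ip] = pairs
    return hits


def user_agents_by_ip(lines):
    """Return {ip: set_of_user_agents}; one fixed UA string on every request from an IP,
    combined with a blank referer on POSTs, is consistent with a comment-spam tool."""
    return {ip: {r["ua"] for r in recs} for ip, recs in group_by_ip(lines).items()}


if __name__ == "__main__":
    for ip, pairs in find_get_post_pairs(SAMPLE_LINES).items():
        print(ip, user_agents_by_ip(SAMPLE_LINES)[ip])
        for get_ts, post_ts, gap in pairs:
            print(f"  GET {get_ts}  POST {post_ts}  gap={gap:.0f}s")
```

Run it against a real access log by replacing `SAMPLE_LINES` with `open("access.log").read().splitlines()`; the timestamps the comment quotes are already in the format the regex expects, and the 1-second GET/POST gaps would be flagged while the human visitor with a three-minute gap would not.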
August 27th, 2006 at 5:04 am
Spamhuntress,
the synchronisation problem of your server could be easily solved by means of rdate and a daily cron job that runs it. That’s the method I use for keeping my network in sync.
Back to the subject:
I don’t think that the server was used as a proxy. The outbound connections were made by his spam tool and unless someone set a sniffer on this machine, there’s no trace of the programme left in logfiles. Well, almost: In theory the php code could be faulty and causing a couple of notices or even warnings to show up in logfiles each time it runs. But that’s only if the server is set to dump php error messages to Apache’s error log (or any other logfile specified in php.ini).
But keep in mind that you are just one out of thousands of targets, so you wouldn’t be able to recognise a corresponding pattern anywhere, since the error message only points to the faulty code, but not to any connection made.
Vasily
August 27th, 2006 at 2:16 pm
To Vasily,
About synchronization/time. It’s not my server in that sense, so not really my business to do that. But yes, I do sync my own servers. I have spamhuntress on a server in the US, because most of the readers are there. My own servers are in Norway.
August 27th, 2006 at 3:46 pm
Yes, I forgot that your domain is on shared hosting.
Syncing requires root privileges, so this would only work with a dedicated box. Perhaps I should add, there’s one machine querying an external NTP server. This machine then serves as NTP server for the internal network. Each machine will query the local NTP server with rdate as a daily cron job.
October 2nd, 2006 at 4:31 am
I can’t believe anyone can be this stupid showing files like that for everyone to manipulate.