Back to previous post: Lolita, damn her

Go to Making Light's front page.

Forward to next post: More porn spam

Subscribe (via RSS) to this post's comment thread. (What does this mean? Here's a quick introduction.)

October 11, 2003

Further Lolita alert
Posted by Teresa at 11:31 PM *

“Lolita” is the name used by a robot that’s posting spam in the comments sections of weblogs. The brief, meaningless messages it posts contain links to a notably blatant come-on page for a porn site.

Weblogs whose comment sections are known to have been hit with “Lolita” posts: Joseph Duemer’s Reading & Writing, some indeterminate number of messages. Making Light, seven of them. Geek News Central, a dozen. Space Waitress Gate A and Talk Left, about fifteen apiece. John Cole’s Balloon Juice, twenty. Electrolite, thirty-two. I’m sure many other sites have been hit as well.

Joseph Duemer went poking around and came up with this:
209.210.176.20 Leonid@yahoo.com

domain: video-lo.com
status: production
organization: Video LO
owner: Guy McFarland
email: video_lo@yahoo.com
address: 4009 Dancing Cloud Ct. #42
city: Destin
state: Florida
postal-code: 32541
country: US
admin-c: video_lo@yahoo.com#0
tech-c: video_lo@yahoo.com#0
billing-c: video_lo@yahoo.com#0

nserver: ns1.smartdns.org
nserver: ns2.smartdns.org
registrar: JORE-1
created: 2003-03-09 15:54:35 UTC JORE-1
modified: 2003-08-31 16:07:25 UTC JORE-1
expires: 2004-03-09 09:54:19 UTC
source: joker.com

Phone: 850-269-2814
4009 Dancing Cloud Ct,
Destin, FL 32541-3388

When we tried to resolve the IP address, we got “pfilter3.ikano.com.”
Joseph Duemer also posted that information to Talk Left’s comment thread on this subject, where Felix Deutsch replied:
The IP address (the machine where the robot lives) is located in the following netblock:

felixd@fubar:~$ whois 209.210.176.20
Electric Lightwave Inc ELI-NETBLK98 (NET-209-210-0-0-1)
209.210.0.0 - 209.210.255.255
SISNA ELI-209-210-176-0-20 (NET-209-210-176-0-1)
209.210.176.0 - 209.210.191.255
SISNA, Inc. SISNA-SLC-SERV (NET-209-210-176-0-2)
209.210.176.0 - 209.210.176.63

felixd@fubar:~$ whois SISNA-SLC-SERV

OrgName: SISNA, Inc.
OrgID: SISNAI
Address: 265 East 100 South Suite 310
City: Salt Lake City
StateProv: UT
PostalCode:
Country: US

NetRange: 209.210.176.0 - 209.210.176.63
CIDR: 209.210.176.0/26
NetName: SISNA-SLC-SERV
NetHandle: NET-209-210-176-0-2
Parent: NET-209-210-176-0-1
NetType: Reassigned
Comment:
RegDate: 1998-12-02
Updated: 1998-12-02

TechHandle: PN44-ARIN
TechName: Ngai, Peter
TechPhone: +1-801-924-0900
TechEmail: pngai@sisna.com
First order of business: If your weblogging software plus the above information gives you the option of blocking these guys from posting to your journal, weblog comments sections, guestbook, etc., go take care of it right now. The weblogging and journaling community has already spent too much time today cleaning Lolitas out of our sites.

Useful stuff: Movable Type’s support forum topic about comment spam and how to fight it.

Jay Allen’s anti-comment-spam program “MT Blacklist” will be released on Monday. It doesn’t come a moment too soon. The incidence of this stuff can only increase.

Hope that’s everything. Must go to sleep now.

Comments on Further Lolita alert:
#1 ::: catie murphy ::: (view all by) ::: October 12, 2003, 02:35 AM:

Thanks for the Lolita heads-up. I've been getting those discount-insurance spam comments too, and now will be waiting on the edge of my seat for Monday's MT upgrade. Except that means I have to get my shell access working again. *goes and pokes at it* Anyway, thanks.

#2 ::: Perfectly Sassy ::: (view all by) ::: October 12, 2003, 02:49 AM:

The link she posted on mine was supposed to be an image although it never appeared for some reason. There was a short text that said, "Nice site!" followed by the linked image. was deleting the links for a few days until I finally banned the IP address. No Lolita posting since.

I'm looking forward to Jay Allen's hack too.

#3 ::: Mitch Wagner ::: (view all by) ::: October 12, 2003, 03:33 AM:

Count me as another Lolita victim, not on my personal blog but on my my business blog. I eventually just shut off commenting on that blog, too much spam, trolling and other noise, not enough content.

#4 ::: CHip ::: (view all by) ::: October 12, 2003, 08:57 AM:

After she stopped laughing at Patrick's proposed technical solution, Davey suggested finding out if this McFarland creep lives in an area with a neighborhood watch. Visions of posters on every telephone pole in his area dance in our heads....

#5 ::: Tim Hall ::: (view all by) ::: October 12, 2003, 09:52 AM:

Blogcritics and The Gamer's Nook got hit badly as well.

Can we put their snail mail address on as many junk mail lists as possible? Or sic some fundies on them?

#6 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 12:42 PM:

Folks, do *not* put faith into the data from nslookup. Yes, spammers are stupid, and often put thier home addresses into the form. They also often lie. Though, doing a little research shows that video-lo.com does offer "young teen porn movies". (Don't look if you're at work.)

I don't want to see the IP address that they want you to go to. There have been cases where one pornographer spams another porn site, in order to get a hostile reaction against the competitor. It could be a case of "let's you and him fight."

I'd much rather see the IP address that posted the comments. Can somebody dig out the logs? Remember: Trust *nothing* that the bad guy tells you. This is why sysadmins are protective of thier logs, and do everything they can to protect them.

#7 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 12:44 PM:

Do not post with only one cup of coffee. In the above, read "whois" for "nslookup" -- though the recent spam networks with the comprimised DNS server shows that nslookup isn't trustworthy either, nslookup isn't the relevant utility.

#8 ::: adamsj ::: (view all by) ::: October 12, 2003, 12:48 PM:

Use this form:

209.210.176.

WITHOUT the * (MT ain't Apache) to block the range.

#9 ::: spacewaitress ::: (view all by) ::: October 12, 2003, 12:51 PM:

God *damn* it.

I just got hit again. 35 comments. The URL goes to the same site, but this time the person is calling himself "Preteen."

I am going to have to shut off my comments until I can get this fixed.

This person needs to be arrested, NOW.

#10 ::: --kip ::: (view all by) ::: October 12, 2003, 12:53 PM:

There's more--I hosed 11 comments from Lolita off the pier yeterday morning, and now I find "Preteen" is posting similar crap, from a related IP number--

209.210.176.20

Also: I got 1 comment this morning from www.zipcodesmap.com, a perfectly safe for work website for generating maps based on ZIP codes. IP number--

219.95.14.69

Testy email was sent. What a brave new world this is...

#11 ::: adamsj ::: (view all by) ::: October 12, 2003, 12:59 PM:

Well, hell, --kip, didn't you always want to live in the future?

It's just like voting--ban early, ban often.

#12 ::: Tim Hall ::: (view all by) ::: October 12, 2003, 01:16 PM:

Scott at The Gamer's Nook got hit by 70 comments, and Blogcritics is currently offline altogether.

Messages sent to abuse@ikano.com, and the company I *think* hosts the spammer's website (didn't bother with the Ukranian click-through).

This @$a3% needs to die slowly and painfully.

#13 ::: Alan Bostick ::: (view all by) ::: October 12, 2003, 01:19 PM:

I want to echo what Erik Olson said: don't assume that the porn site to which Lolita is linking her comments is the perpetrator.

For example, I normally simply delete email spam. Occasionally, though I get fake PayPal click-this-link-and-use-your-PayPal-password email, intended for harvesting PayPal passwords for account looting purposes. Those I report. I carefully unwrapped the sender info from the message header and the link to which the message pointed ... and discovered that it was a frame-up job, intended to bring the authorities down on some relatively innocent third party.

The point of attack is the IP address of the spambot. Block that, and contact the people who own it and their upstream connectivity providers. Let the porn site owner know what is going on (although by now I'm sure he does) ... but do not assume he is complicit. He could be guilty of no more than hiring the wrong people to generate hits 96 or of incurring the wrath of a 133t h4x0r who knows how to socially engineer denial-of-service attacks.

#14 ::: Tracy ::: (view all by) ::: October 12, 2003, 01:20 PM:

And then notify the FBI. Child pornography is punishable by prison, period. You get caught dealing in it, you go to jail. Period. You get caught *looking* at it, jail. Period. Go here for more info. Let's not just ban them from our blogs. Let's ban them from society. Period.

#15 ::: Alan Bostick ::: (view all by) ::: October 12, 2003, 01:22 PM:

adamsj: Well, hell, --kip, didn't you always want to live in the future?

I say: Live it, or live with it.

(And by the way, thanks for the info about blocking address ranges in MT; the documentation is, ahem, less than clear on the subject.)

#16 ::: Alan Bostick ::: (view all by) ::: October 12, 2003, 01:23 PM:

Tracy: What part of "All models are eighteen years old or older" don't you understand?

#17 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 01:25 PM:

Note that the netblock you want to block is

209.210.176.0 - 209.210.176.63

or 209.120.176.0/26,

Blocking 209.210.176. would block

209.210.176.0 - 209.210.176.255

or 209.120.176.0/24.

Since MT is written in Perl, it *might* use the Perl resolver code, or it might just pass it to the system. In either case, this may mean you can block by network call or by CIDR addresses.

Try

209.120.176.0/26

and see if they get blocked.

And, once again, make sure you look in your posting log to see that this is acutally the IP address they are posting from. If it isn't, blocking this isn't going to do you any good.

#18 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 01:29 PM:

Kip. You're new spammer...

inetnum: 219.95.0.0 - 219.95.255.255
netname: TMNET
descr: TMNET, TELEKOM MALAYSIA BERHAD,
descr: INTERNET SERVICE PROVIDER
country: MY
admin-c: AS115-AP
admin-c: EU3-AP
admin-c: SM135-AP
admin-c: SS456-AP
tech-c: AS115-AP
tech-c: EU3-AP
tech-c: SM135-AP
tech-c: SS456-AP
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20030314
mnt-by: APNIC-HM
mnt-lower: TM-NET-AP
source: APNIC


It's an ISP in Malaysia. It may be a dialup.
There's lots of contact info, "whois -p 219.95.14.69" will get you all of them. I don't know how effective at spamslapping Malaysian ISPs are, I've never dealt with them.

#19 ::: David Bilek ::: (view all by) ::: October 12, 2003, 01:30 PM:

Has anyone contacted SISNA in SLC? I'm guessing a Salt Lake City ISP would not look favorably upon being used to spam for a pornography site.

#20 ::: spacewaitress ::: (view all by) ::: October 12, 2003, 01:51 PM:

Tracy: What part of "All models are eighteen years old or older" don't you understand?

I'm trying very, very hard to refrain from swearing here. I'm guessing that Tracy, like myself, saw all she needed to see from the content of the spam comments, and didn't bother to actually click through to the site.

The comments advertising the site repeatedly state that it is "preteen" and "underage" sex.

Do you understand what "preteen" means? It means twelve and under.

That is worse than reprehensible.

Anyway, I hope you can understand if Tracy took the spammer at his word and was aghast and angry at the thought of child pornography. There was no need for you to get all snarky on her.

There should be laws against even advertising pornography as child pornography, even if there is later an explicit disclaimer stating the models are "18 years of age and above."

I'm sorry, but using the promise of "preteen" (i.e., 12 and under) girls to lure people into looking at porn is sick.

#21 ::: Patrick Nielsen Hayden ::: (view all by) ::: October 12, 2003, 01:53 PM:

Just to clarify, since there seems to be some confusion on this point: That 209.210.176 etcetera IP address is where the comments came from; MT provides you with that information. We didn't get it via whois.

#22 ::: adamsj ::: (view all by) ::: October 12, 2003, 01:58 PM:

Alan: Besides, this sort of spamming is harrassment, and that is a jailing offense in and of itself.

#23 ::: David Bilek ::: (view all by) ::: October 12, 2003, 01:59 PM:

Yes, but the name "Guy McFarland" and the address "4009 etc" in Destin may have nothing to do with that IP address. That IP range is where the spam is coming from, that address, name, and phone # in Florida could be completely false information.

#25 ::: language hat ::: (view all by) ::: October 12, 2003, 02:39 PM:

I've had two Lolitas and one Preteen to date.

#26 ::: Alan Bostick ::: (view all by) ::: October 12, 2003, 03:20 PM:

spacewaitress: I clicked through to Lolita's link, and saw a bunch of pictures of adult women in pigtails; and the "All models are over eighteen" disclaimer in plain evidence.

As a general rule: you don't need to inform the FBI about apparently genuine kiddy porn. Chances are, not only do they already know about it, but it's them who is peddling it, as a sting.

#27 ::: spacewaitress ::: (view all by) ::: October 12, 2003, 05:12 PM:

Alan: Yes I know you clicked through to the site. Obviously. I did not, and apparently neither did Tracy. I had no desire to whatsoever.

All I was saying was that there was no need of you to get snarky toward the non-porn-savvy among us.

I think using the concept of "underage" girls to advertise porn is reprehensible (regardless of the actual content of the site or the age of the models therein). Do you disagree?

#28 ::: LisaJulie Peoples ::: (view all by) ::: October 12, 2003, 08:19 PM:

Arggg! Ikano/Sisna. These people are famed for letting Usenet spam out into the world. I used to work for their upstream feed and we had to cut them off permanently.

I don't work there any more so I'm sorry to say that I don't have any strings to pull to get this person cut off.

Kinda funny that this porn is coming from Utah, though.

#29 ::: "Mindles H. Dreck" ::: (view all by) ::: October 12, 2003, 09:11 PM:

Here is a list of IPs from whom I have received this sort of thing. The first one was eight months ago or so:

207.88.76.143
219.95.12.122
219.95.14.239
209.210.176.22





#30 ::: Joe Katzman ::: (view all by) ::: October 12, 2003, 09:28 PM:

We had 3 waves over at Winds of Change.NET during the last week. About 5-6 Lolita, which made Blogdex and apparenrtly validated the idea. About an equal number of Preteen, then 50+ Underage.

Looks like the first 2 were just probing attacks, and the 3rd was the opening shot of something more serious.

We have more suggestions re: what needs to be done on our blog. The solutions required go beyond MT-Blacklist and IP bans - because mark my words, the industrial-strength stuff has not even begun.

#31 ::: David Moles ::: (view all by) ::: October 12, 2003, 09:29 PM:

Several Lolitas, a couple of Preteens, and the ZipCode guy is back.

His last auto-comment said something like “Interesting articles. Please post more before I come back.” I couldn’t help hearing that as some sort of threat. :)

#32 ::: James Bow ::: (view all by) ::: October 12, 2003, 10:49 PM:

Lolita and Preteen ran through my wife's blog, and that took some doing in cleaning up. I've had my share of Preteens and ZipCode guys as well.

Fume.

That MT plugin is coming just in time!

#33 ::: Mean Dean ::: (view all by) ::: October 12, 2003, 11:00 PM:

I'm so mad. I come home from church just to find myself hammered with 32 messages.

I swear, sometimes I wish we'd all agree on a date and time to use wGet the same way some slashdotter's did .. http://yro.slashdot.org/comments.pl?sid=77014&threshold=-1&commentsort=3&tid=111&mode=thread&cid=6855944 ... but then we would be stooping to their level.

Instead, after Jay gives us a solution, I volunteer to set up a blog where we can try some new and creative ways of beating the tool ... then fixing it ... staying one step ahead of the perps.

#34 ::: John Bono ::: (view all by) ::: October 13, 2003, 12:01 AM:

I got spammed as well, and I haven't made a new post in months.

I think if we are going to build a blacklist, we are going to have to do more than each of us having our own blacklist, but build some sort of mechanism for a communal list as well. Maybe build some sort of rpc call to a central site, like a blogdex for spammers.

#35 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 13, 2003, 12:16 AM:

I'm waiting for the day this dingbat posts porn advertisements into a presidential campaign blog.

#36 ::: Linkmeister ::: (view all by) ::: October 13, 2003, 03:16 AM:

I've been hit about a dozen times by both the Lolita and the discount insurance clown, as well as a jewelry store outfit and a porn site advertising well-endowed women.

Ms. Hayden, the prospect of one of those hitting the Dean Blog or any of the others made me laugh out loud.

#37 ::: P ::: (view all by) ::: October 13, 2003, 02:05 PM:

thanks for all the info everyone! my blog was hit with at least 60 Lolita and Preteen messages over the weekend. they all seemed to be coming from 5 IP's, i blocked those and have been ok so far...
*knocks on wood*

now to try some of the other suggestions.

#38 ::: Mitch Wagner ::: (view all by) ::: October 13, 2003, 06:20 PM:

Yoz suggests a couple of easy fixes..

I'm not sure if this is one of them, but the problem might be solveable by doing robo-authentication, similar to, what Yahoo does to authenticate you when you sign up for a free e-mail account.

#39 ::: Jeremy Leader ::: (view all by) ::: October 13, 2003, 07:12 PM:

Mitch, are you referring to the use of "type the text you see in this image" bot-blockers? The trouble with those is that they're also visually-impaired-person-blockers.

#40 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 14, 2003, 12:32 AM:

Spacewaitress, I agree. They advertise that their site has footage of underage girls, and that's sure what it looks like. Reading the notice that they're all at least eighteen takes more time, and it's a head thing, not a gut reaction.

I knew without reading it that the girls were almost certainly eighteen or older, but that's a function of having some experience with this stuff. Most people who click on those links would react the same way you did.

Alan, I'm going to call it a special-case violation of the line-of-sight rule.

LisaJulie, I'm truly sorry to hear that their provider is irresponsible about spam. I was hoping they'd quash the sucker first thing this morning.

Mindles, how recent were the rest of those spams?

Joe, thanks for the link to your post on Winds of Change. I'll link to that up front.

David, who's the Zip Code Guy? Can you give me his IP address?

Mean Dean, you should write about this idea in more detail, with pictures and conversations, for the benefit of those of us who are kind of hazy about this stuff.

John Bono: List. Yes. I'm inadequate to the task.

Aha, Mitch, another good link. I'll post that one too.

You know what? I'd planned to spend these last couple of days writing and editing. If I do the best job I can do, dealing with these @#$%!!! spammers, it's still not what I wanted to do, nor what I had in mind when I started my weblog.

#41 ::: Mitch Wagner ::: (view all by) ::: October 14, 2003, 12:13 PM:

Jeremy, yes that is what I am referring to and of course you are correct.

#42 ::: Jeremy Leader ::: (view all by) ::: October 14, 2003, 01:57 PM:

Teresa, what's the "line-of-sight rule"?

#43 ::: James Landrith ::: (view all by) ::: October 14, 2003, 03:53 PM:

This lolita-preteen creep spammed me so hard on Saturday that he/she/they/it corrupted my database and I was forced to reinstall MT. The problem occured when 3 of the 30 or so postings were malformed, causing permanent errors in my db. The 3 broken comments couldn't be deleted without removing the postings they were attached to. Even after deleting the postings, my db was still losing functionality and failing. Fortunately, I was able to save my backup my templates and export all my entries and comments before the corruption worsened, but this cost me several hours that could have been devoted to more meaningful pursuits.

If anyone is able to obtain verification of this spammers true identity, please let me know.

I'd like to file a lawsuit for destruction of personal property due to the corruption of my database.

#44 ::: Don ::: (view all by) ::: November 14, 2003, 12:46 PM:

I was hit, but it appears that Jay Allen's Blacklist has taken care of most of it. Way to go Jay.

#45 ::: Xopher finds possible comment spam ::: (view all by) ::: December 31, 2003, 01:08 PM:

I'm pretty sure those last two were comment spam...'underage' and 'Googl'? Right.

#46 ::: Xopher finds more comment spam ::: (view all by) ::: December 31, 2003, 01:09 PM:

s/two/four/

#47 ::: Tom "Is this spam?" Whitmore ::: (view all by) ::: January 04, 2004, 02:07 PM:

Hey, did I get here first?

#48 ::: Jeremy Leader ::: (view all by) ::: January 05, 2004, 11:43 AM:

That reminds me, I still wanna know what the "line-of-sight" rule is.

#49 ::: Teresa Nielsen Hayden ::: (view all by) ::: January 05, 2004, 01:01 PM:

The line of sight rule states that some things which are acceptable in theory are intolerable if they happen within your line of sight -- or within earshot, or if you can still smell it the next day, et cetera.

#50 ::: Andrew Willett ::: (view all by) ::: January 20, 2004, 10:58 AM:

Why, Dolores! You're back...

#51 ::: Teresa Nielsen Hayden ::: (view all by) ::: January 21, 2004, 09:28 PM:

Edward Schwab III, you are not welcome here. Your posts have been deleted. Any future posts from you will meet the same fate. Go away and don't come back.

#52 ::: Xopher ::: (view all by) ::: January 21, 2004, 10:44 PM:

Whenever I see something like that, I wonder what the person did...Teresa doesn't ban people lightly, so it must have been really ugly. Perhaps too ugly to discuss...so I'll never know. [sigh]

#53 ::: pericat ::: (view all by) ::: January 22, 2004, 03:30 AM:

Xopher, me too. I feel like a mouse poking her head out from under the Throne on the Day of Judgement.

#54 ::: Teresa Nielsen Hayden ::: (view all by) ::: January 22, 2004, 09:44 AM:

It was unpleasant and obscene, he posted it three times over, and he'd never been seen here before. It's not a good way to introduce yourself.

Still, if I got e-mail from him saying he didn't mean it like that, I'd say "okay, fine, welcome back". We're all fallible. I'd just need an indication that he's something other than a roving vandal.

#55 ::: Julia Jones finds comment spam ::: (view all by) ::: August 11, 2004, 04:07 PM:

Is it my imagination, or is this one actually targeting the threads about comment spam?

Choose:
Smaller type (our default)
Larger type
Even larger type, with serifs

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 by Patrick & Teresa Nielsen Hayden. All rights reserved.