
October 11, 2003

Further Lolita alert
Posted by Teresa at 11:31 PM

“Lolita” is the name used by a robot that’s posting spam in the comments sections of weblogs. The brief, meaningless messages it posts contain links to a notably blatant come-on page for a porn site.

Weblogs whose comment sections are known to have been hit with “Lolita” posts: Joseph Duemer’s Reading & Writing, some indeterminate number of messages. Making Light, seven of them. Geek News Central, a dozen. Space Waitress Gate A and Talk Left, about fifteen apiece. John Cole’s Balloon Juice, twenty. Electrolite, thirty-two. I’m sure many other sites have been hit as well.

Joseph Duemer went poking around and came up with this:
209.210.176.20 Leonid@yahoo.com

domain: video-lo.com
status: production
organization: Video LO
owner: Guy McFarland
email: video_lo@yahoo.com
address: 4009 Dancing Cloud Ct. #42
city: Destin
state: Florida
postal-code: 32541
country: US
admin-c: video_lo@yahoo.com#0
tech-c: video_lo@yahoo.com#0
billing-c: video_lo@yahoo.com#0

nserver: ns1.smartdns.org
nserver: ns2.smartdns.org
registrar: JORE-1
created: 2003-03-09 15:54:35 UTC JORE-1
modified: 2003-08-31 16:07:25 UTC JORE-1
expires: 2004-03-09 09:54:19 UTC
source: joker.com

Phone: 850-269-2814
4009 Dancing Cloud Ct,
Destin, FL 32541-3388

When we tried to resolve the IP address, we got “pfilter3.ikano.com.”
Joseph Duemer also posted that information to Talk Left’s comment thread on this subject, where Felix Deutsch replied:
The IP address (the machine where the robot lives) is located in the following netblock:

felixd@fubar:~$ whois 209.210.176.20
Electric Lightwave Inc ELI-NETBLK98 (NET-209-210-0-0-1)
209.210.0.0 - 209.210.255.255
SISNA ELI-209-210-176-0-20 (NET-209-210-176-0-1)
209.210.176.0 - 209.210.191.255
SISNA, Inc. SISNA-SLC-SERV (NET-209-210-176-0-2)
209.210.176.0 - 209.210.176.63

felixd@fubar:~$ whois SISNA-SLC-SERV

OrgName: SISNA, Inc.
OrgID: SISNAI
Address: 265 East 100 South Suite 310
City: Salt Lake City
StateProv: UT
PostalCode:
Country: US

NetRange: 209.210.176.0 - 209.210.176.63
CIDR: 209.210.176.0/26
NetName: SISNA-SLC-SERV
NetHandle: NET-209-210-176-0-2
Parent: NET-209-210-176-0-1
NetType: Reassigned
Comment:
RegDate: 1998-12-02
Updated: 1998-12-02

TechHandle: PN44-ARIN
TechName: Ngai, Peter
TechPhone: +1-801-924-0900
TechEmail: pngai@sisna.com
First order of business: If your weblogging software plus the above information gives you the option of blocking these guys from posting to your journal, weblog comments sections, guestbook, etc., go take care of it right now. The weblogging and journaling community has already spent too much time today cleaning Lolitas out of our sites.

Useful stuff: Movable Type’s support forum topic about comment spam and how to fight it.

Jay Allen’s anti-comment-spam program “MT Blacklist” will be released on Monday. It doesn’t come a moment too soon. The incidence of this stuff can only increase.

Hope that’s everything. Must go to sleep now.

Comments on Further Lolita alert:
#1 ::: catie murphy ::: (view all by) ::: October 12, 2003, 02:35 AM:

Thanks for the Lolita heads-up. I've been getting those discount-insurance spam comments too, and now will be waiting on the edge of my seat for Monday's MT upgrade. Except that means I have to get my shell access working again. *goes and pokes at it* Anyway, thanks.

#2 ::: Perfectly Sassy ::: (view all by) ::: October 12, 2003, 02:49 AM:

The link she posted on mine was supposed to be an image although it never appeared for some reason. There was a short text that said, "Nice site!" followed by the linked image. I was deleting the links for a few days until I finally banned the IP address. No Lolita posting since.

I'm looking forward to Jay Allen's hack too.

#3 ::: Mitch Wagner ::: (view all by) ::: October 12, 2003, 03:33 AM:

Count me as another Lolita victim, not on my personal blog but on my business blog. I eventually just shut off commenting on that blog, too much spam, trolling and other noise, not enough content.

#4 ::: CHip ::: (view all by) ::: October 12, 2003, 08:57 AM:

After she stopped laughing at Patrick's proposed technical solution, Davey suggested finding out if this McFarland creep lives in an area with a neighborhood watch. Visions of posters on every telephone pole in his area dance in our heads....

#5 ::: Tim Hall ::: (view all by) ::: October 12, 2003, 09:52 AM:

Blogcritics and The Gamer's Nook got hit badly as well.

Can we put their snail mail address on as many junk mail lists as possible? Or sic some fundies on them?

#6 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 12:42 PM:

Folks, do *not* put faith into the data from nslookup. Yes, spammers are stupid, and often put their home addresses into the form. They also often lie. Though, doing a little research shows that video-lo.com does offer "young teen porn movies". (Don't look if you're at work.)

I don't want to see the IP address that they want you to go to. There have been cases where one pornographer spams another porn site, in order to get a hostile reaction against the competitor. It could be a case of "let's you and him fight."

I'd much rather see the IP address that posted the comments. Can somebody dig out the logs? Remember: Trust *nothing* that the bad guy tells you. This is why sysadmins are protective of their logs, and do everything they can to protect them.

#7 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 12:44 PM:

Do not post with only one cup of coffee. In the above, read "whois" for "nslookup" -- though the recent spam networks with the compromised DNS server shows that nslookup isn't trustworthy either, nslookup isn't the relevant utility.

#8 ::: adamsj ::: (view all by) ::: October 12, 2003, 12:48 PM:

Use this form:

209.210.176.

WITHOUT the * (MT ain't Apache) to block the range.

#9 ::: spacewaitress ::: (view all by) ::: October 12, 2003, 12:51 PM:

God *damn* it.

I just got hit again. 35 comments. The URL goes to the same site, but this time the person is calling himself "Preteen."

I am going to have to shut off my comments until I can get this fixed.

This person needs to be arrested, NOW.

#10 ::: --kip ::: (view all by) ::: October 12, 2003, 12:53 PM:

There's more--I hosed 11 comments from Lolita off the pier yesterday morning, and now I find "Preteen" is posting similar crap, from a related IP number--

209.210.176.20

Also: I got 1 comment this morning from www.zipcodesmap.com, a perfectly safe for work website for generating maps based on ZIP codes. IP number--

219.95.14.69

Testy email was sent. What a brave new world this is...

#11 ::: adamsj ::: (view all by) ::: October 12, 2003, 12:59 PM:

Well, hell, --kip, didn't you always want to live in the future?

It's just like voting--ban early, ban often.

#12 ::: Tim Hall ::: (view all by) ::: October 12, 2003, 01:16 PM:

Scott at The Gamer's Nook got hit by 70 comments, and Blogcritics is currently offline altogether.

Messages sent to abuse@ikano.com, and the company I *think* hosts the spammer's website (didn't bother with the Ukrainian click-through).

This @$a3% needs to die slowly and painfully.

#13 ::: Alan Bostick ::: (view all by) ::: October 12, 2003, 01:19 PM:

I want to echo what Erik Olson said: don't assume that the porn site to which Lolita is linking her comments is the perpetrator.

For example, I normally simply delete email spam. Occasionally, though I get fake PayPal click-this-link-and-use-your-PayPal-password email, intended for harvesting PayPal passwords for account looting purposes. Those I report. I carefully unwrapped the sender info from the message header and the link to which the message pointed ... and discovered that it was a frame-up job, intended to bring the authorities down on some relatively innocent third party.

The point of attack is the IP address of the spambot. Block that, and contact the people who own it and their upstream connectivity providers. Let the porn site owner know what is going on (although by now I'm sure he does) ... but do not assume he is complicit. He could be guilty of no more than hiring the wrong people to generate hits -- or of incurring the wrath of a 133t h4x0r who knows how to socially engineer denial-of-service attacks.

#14 ::: Tracy ::: (view all by) ::: October 12, 2003, 01:20 PM:

And then notify the FBI. Child pornography is punishable by prison, period. You get caught dealing in it, you go to jail. Period. You get caught *looking* at it, jail. Period. Go here for more info. Let's not just ban them from our blogs. Let's ban them from society. Period.

#15 ::: Alan Bostick ::: (view all by) ::: October 12, 2003, 01:22 PM:

adamsj: Well, hell, --kip, didn't you always want to live in the future?

I say: Live it, or live with it.

(And by the way, thanks for the info about blocking address ranges in MT; the documentation is, ahem, less than clear on the subject.)

#16 ::: Alan Bostick ::: (view all by) ::: October 12, 2003, 01:23 PM:

Tracy: What part of "All models are eighteen years old or older" don't you understand?

#17 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 01:25 PM:

Note that the netblock you want to block is

209.210.176.0 - 209.210.176.63

or 209.120.176.0/26,

Blocking 209.210.176. would block

209.210.176.0 - 209.210.176.255

or 209.120.176.0/24.

Since MT is written in Perl, it *might* use the Perl resolver code, or it might just pass it to the system. In either case, this may mean you can block by network call or by CIDR addresses.

Try

209.120.176.0/26

and see if they get blocked.

And, once again, make sure you look in your posting log to see that this is actually the IP address they are posting from. If it isn't, blocking this isn't going to do you any good.
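
An added example (not part of the original thread, and not Movable Type's code) that audits the two kinds of ban rule from comments #8 and #17 against a comment log, which is the check Erik asks for. It assumes a rule without a slash is matched as a plain string prefix, as comment #8 describes; the log entries and the name set are constructed from addresses and names quoted on this page.

```python
import ipaddress

# Constructed sample log: (source IP recorded by the weblog, name field).
# The pairings are illustrative; only the addresses themselves appear on the page.
SAMPLE_LOG = [
    ("209.210.176.20", "Lolita"),
    ("209.210.176.20", "Preteen"),
    ("209.210.176.22", "Lolita"),
    ("219.95.14.69", "zipcodesmap"),
    ("209.210.176.200", "ordinary reader"),  # constructed: same /24, outside the /26
]

# Names used by the robot discussed in this post.
TARGET_NAMES = {"Lolita", "Preteen"}


def rule_matches(rule, ip):
    """CIDR rules test network membership; any other rule is a string prefix."""
    if "/" in rule:
        net = ipaddress.ip_network(rule, strict=True)
        return ipaddress.ip_address(ip) in net
    return ip.startswith(rule)


def cidr_range(rule):
    """First address, last address and size of a CIDR block."""
    net = ipaddress.ip_network(rule, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses


def audit(rule, log=SAMPLE_LOG, targets=TARGET_NAMES):
    """Report what a rule would have done to the entries already in the log."""
    blocked = [(ip, name) for ip, name in log if rule_matches(rule, ip)]
    wanted = [(ip, name) for ip, name in log if name in targets]
    return {
        "spam_blocked": sum(1 for _, name in blocked if name in targets),
        "spam_missed": sum(1 for entry in wanted if entry not in blocked),
        "collateral": [ip for ip, name in blocked if name not in targets],
    }


if __name__ == "__main__":
    rules = [
        "209.210.176.0/26",  # the reassigned netblock in the ARIN output
        "209.210.176.",      # prefix form from comment #8, equivalent to a /24
        "209.120.176.0/26",  # as typed in comment #17 (second octet 120, not 210)
    ]
    for rule in rules:
        print(f"{rule:20} {audit(rule)}")
    print(cidr_range("209.210.176.0/26"))
```

A rule that reports zero spam blocked against a log full of the robot's comments is either mistyped or aimed at the wrong address, and non-empty collateral shows what a wider prefix costs.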

#18 ::: Erik V. Olson ::: (view all by) ::: October 12, 2003, 01:29 PM:

Kip. Your new spammer...

inetnum: 219.95.0.0 - 219.95.255.255
netname: TMNET
descr: TMNET, TELEKOM MALAYSIA BERHAD,
descr: INTERNET SERVICE PROVIDER
country: MY
admin-c: AS115-AP
admin-c: EU3-AP
admin-c: SM135-AP
admin-c: SS456-AP
tech-c: AS115-AP
tech-c: EU3-AP
tech-c: SM135-AP
tech-c: SS456-AP
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20030314
mnt-by: APNIC-HM
mnt-lower: TM-NET-AP
source: APNIC


It's an ISP in Malaysia. It may be a dialup.
There's lots of contact info, "whois -p 219.95.14.69" will get you all of them. I don't know how effective at spamslapping Malaysian ISPs are, I've never dealt with them.

#19 ::: David Bilek ::: (view all by) ::: October 12, 2003, 01:30 PM:

Has anyone contacted SISNA in SLC? I'm guessing a Salt Lake City ISP would not look favorably upon being used to spam for a pornography site.

#20 ::: spacewaitress ::: (view all by) ::: October 12, 2003, 01:51 PM:

Tracy: What part of "All models are eighteen years old or older" don't you understand?

I'm trying very, very hard to refrain from swearing here. I'm guessing that Tracy, like myself, saw all she needed to see from the content of the spam comments, and didn't bother to actually click through to the site.

The comments advertising the site repeatedly state that it is "preteen" and "underage" sex.

Do you understand what "preteen" means? It means twelve and under.

That is worse than reprehensible.

Anyway, I hope you can understand if Tracy took the spammer at his word and was aghast and angry at the thought of child pornography. There was no need for you to get all snarky on her.

There should be laws against even advertising pornography as child pornography, even if there is later an explicit disclaimer stating the models are "18 years of age and above."

I'm sorry, but using the promise of "preteen" (i.e., 12 and under) girls to lure people into looking at porn is sick.

#21 ::: Patrick Nielsen Hayden ::: (view all by) ::: October 12, 2003, 01:53 PM:

Just to clarify, since there seems to be some confusion on this point: That 209.210.176 etcetera IP address is where the comments came from; MT provides you with that information. We didn't get it via whois.

#22 ::: adamsj ::: (view all by) ::: October 12, 2003, 01:58 PM:

Alan: Besides, this sort of spamming is harassment, and that is a jailing offense in and of itself.

#23 ::: David Bilek ::: (view all by) ::: October 12, 2003, 01:59 PM:

Yes, but the name "Guy McFarland" and the address "4009 etc" in Destin may have nothing to do with that IP address. That IP range is where the spam is coming from, that address, name, and phone # in Florida could be completely false information.

#25 ::: language hat ::: (view all by) ::: October 12, 2003, 02:39 PM:

I've had two Lolitas and one Preteen to date.

#26 ::: Alan Bostick ::: (view all by) ::: October 12, 2003, 03:20 PM:

spacewaitress: I clicked through to Lolita's link, and saw a bunch of pictures of adult women in pigtails; and the "All models are over eighteen" disclaimer in plain evidence.

As a general rule: you don't need to inform the FBI about apparently genuine kiddy porn. Chances are, not only do they already know about it, but it's them who is peddling it, as a sting.

#27 ::: spacewaitress ::: (view all by) ::: October 12, 2003, 05:12 PM:

Alan: Yes I know you clicked through to the site. Obviously. I did not, and apparently neither did Tracy. I had no desire to whatsoever.

All I was saying was that there was no need of you to get snarky toward the non-porn-savvy among us.

I think using the concept of "underage" girls to advertise porn is reprehensible (regardless of the actual content of the site or the age of the models therein). Do you disagree?

#28 ::: LisaJulie Peoples ::: (view all by) ::: October 12, 2003, 08:19 PM:

Arggg! Ikano/Sisna. These people are famed for letting Usenet spam out into the world. I used to work for their upstream feed and we had to cut them off permanently.

I don't work there any more so I'm sorry to say that I don't have any strings to pull to get this person cut off.

Kinda funny that this porn is coming from Utah, though.

#29 ::: "Mindles H. Dreck" ::: (view all by) ::: October 12, 2003, 09:11 PM:

Here is a list of IPs from whom I have received this sort of thing. The first one was eight months ago or so:

207.88.76.143
219.95.12.122
219.95.14.239
209.210.176.22





#30 ::: Joe Katzman ::: (view all by) ::: October 12, 2003, 09:28 PM:

We had 3 waves over at Winds of Change.NET during the last week. About 5-6 Lolita, which made Blogdex and apparently validated the idea. About an equal number of Preteen, then 50+ Underage.

Looks like the first 2 were just probing attacks, and the 3rd was the opening shot of something more serious.

We have more suggestions re: what needs to be done on our blog. The solutions required go beyond MT-Blacklist and IP bans - because mark my words, the industrial-strength stuff has not even begun.

#31 ::: David Moles ::: (view all by) ::: October 12, 2003, 09:29 PM:

Several Lolitas, a couple of Preteens, and the ZipCode guy is back.

His last auto-comment said something like “Interesting articles. Please post more before I come back.” I couldn’t help hearing that as some sort of threat. :)

#32 ::: James Bow ::: (view all by) ::: October 12, 2003, 10:49 PM:

Lolita and Preteen ran through my wife's blog, and that took some doing in cleaning up. I've had my share of Preteens and ZipCode guys as well.

Fume.

That MT plugin is coming just in time!

#33 ::: Mean Dean ::: (view all by) ::: October 12, 2003, 11:00 PM:

I'm so mad. I come home from church just to find myself hammered with 32 messages.

I swear, sometimes I wish we'd all agree on a date and time to use wGet the same way some slashdotters did .. http://yro.slashdot.org/comments.pl?sid=77014&threshold=-1&commentsort=3&tid=111&mode=thread&cid=6855944 ... but then we would be stooping to their level.

Instead, after Jay gives us a solution, I volunteer to set up a blog where we can try some new and creative ways of beating the tool ... then fixing it ... staying one step ahead of the perps.

#34 ::: John Bono ::: (view all by) ::: October 13, 2003, 12:01 AM:

I got spammed as well, and I haven't made a new post in months.

I think if we are going to build a blacklist, we are going to have to do more than each of us having our own blacklist, but build some sort of mechanism for a communal list as well. Maybe build some sort of rpc call to a central site, like a blogdex for spammers.

#35 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 13, 2003, 12:16 AM:

I'm waiting for the day this dingbat posts porn advertisements into a presidential campaign blog.

#36 ::: Linkmeister ::: (view all by) ::: October 13, 2003, 03:16 AM:

I've been hit about a dozen times by both the Lolita and the discount insurance clown, as well as a jewelry store outfit and a porn site advertising well-endowed women.

Ms. Hayden, the prospect of one of those hitting the Dean Blog or any of the others made me laugh out loud.

#37 ::: P ::: (view all by) ::: October 13, 2003, 02:05 PM:

thanks for all the info everyone! my blog was hit with at least 60 Lolita and Preteen messages over the weekend. they all seemed to be coming from 5 IP's, i blocked those and have been ok so far...
*knocks on wood*

now to try some of the other suggestions.

#38 ::: Mitch Wagner ::: (view all by) ::: October 13, 2003, 06:20 PM:

Yoz suggests a couple of easy fixes..

I'm not sure if this is one of them, but the problem might be solvable by doing robo-authentication, similar to what Yahoo does to authenticate you when you sign up for a free e-mail account.

#39 ::: Jeremy Leader ::: (view all by) ::: October 13, 2003, 07:12 PM:

Mitch, are you referring to the use of "type the text you see in this image" bot-blockers? The trouble with those is that they're also visually-impaired-person-blockers.

#40 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 14, 2003, 12:32 AM:

Spacewaitress, I agree. They advertise that their site has footage of underage girls, and that's sure what it looks like. Reading the notice that they're all at least eighteen takes more time, and it's a head thing, not a gut reaction.

I knew without reading it that the girls were almost certainly eighteen or older, but that's a function of having some experience with this stuff. Most people who click on those links would react the same way you did.

Alan, I'm going to call it a special-case violation of the line-of-sight rule.

LisaJulie, I'm truly sorry to hear that their provider is irresponsible about spam. I was hoping they'd quash the sucker first thing this morning.

Mindles, how recent were the rest of those spams?

Joe, thanks for the link to your post on Winds of Change. I'll link to that up front.

David, who's the Zip Code Guy? Can you give me his IP address?

Mean Dean, you should write about this idea in more detail, with pictures and conversations, for the benefit of those of us who are kind of hazy about this stuff.

John Bono: List. Yes. I'm inadequate to the task.

Aha, Mitch, another good link. I'll post that one too.

You know what? I'd planned to spend these last couple of days writing and editing. If I do the best job I can do, dealing with these @#$%!!! spammers, it's still not what I wanted to do, nor what I had in mind when I started my weblog.

#41 ::: Mitch Wagner ::: (view all by) ::: October 14, 2003, 12:13 PM:

Jeremy, yes that is what I am referring to and of course you are correct.

#42 ::: Jeremy Leader ::: (view all by) ::: October 14, 2003, 01:57 PM:

Teresa, what's the "line-of-sight rule"?

#43 ::: James Landrith ::: (view all by) ::: October 14, 2003, 03:53 PM:

This lolita-preteen creep spammed me so hard on Saturday that he/she/they/it corrupted my database and I was forced to reinstall MT. The problem occurred when 3 of the 30 or so postings were malformed, causing permanent errors in my db. The 3 broken comments couldn't be deleted without removing the postings they were attached to. Even after deleting the postings, my db was still losing functionality and failing. Fortunately, I was able to save my backup my templates and export all my entries and comments before the corruption worsened, but this cost me several hours that could have been devoted to more meaningful pursuits.

If anyone is able to obtain verification of this spammer's true identity, please let me know.

I'd like to file a lawsuit for destruction of personal property due to the corruption of my database.

#44 ::: Don ::: (view all by) ::: November 14, 2003, 12:46 PM:

I was hit, but it appears that Jay Allen's Blacklist has taken care of most of it. Way to go Jay.

#45 ::: Xopher finds possible comment spam ::: (view all by) ::: December 31, 2003, 01:08 PM:

I'm pretty sure those last two were comment spam...'underage' and 'Googl'? Right.

#46 ::: Xopher finds more comment spam ::: (view all by) ::: December 31, 2003, 01:09 PM:

s/two/four/

#47 ::: Tom "Is this spam?" Whitmore ::: (view all by) ::: January 04, 2004, 02:07 PM:

Hey, did I get here first?

#48 ::: Jeremy Leader ::: (view all by) ::: January 05, 2004, 11:43 AM:

That reminds me, I still wanna know what the "line-of-sight" rule is.

#49 ::: Teresa Nielsen Hayden ::: (view all by) ::: January 05, 2004, 01:01 PM:

The line of sight rule states that some things which are acceptable in theory are intolerable if they happen within your line of sight -- or within earshot, or if you can still smell it the next day, et cetera.

#50 ::: Andrew Willett ::: (view all by) ::: January 20, 2004, 10:58 AM:

Why, Dolores! You're back...

#51 ::: Teresa Nielsen Hayden ::: (view all by) ::: January 21, 2004, 09:28 PM:

Edward Schwab III, you are not welcome here. Your posts have been deleted. Any future posts from you will meet the same fate. Go away and don't come back.

#52 ::: Xopher ::: (view all by) ::: January 21, 2004, 10:44 PM:

Whenever I see something like that, I wonder what the person did...Teresa doesn't ban people lightly, so it must have been really ugly. Perhaps too ugly to discuss...so I'll never know. [sigh]

#53 ::: pericat ::: (view all by) ::: January 22, 2004, 03:30 AM:

Xopher, me too. I feel like a mouse poking her head out from under the Throne on the Day of Judgement.

#54 ::: Teresa Nielsen Hayden ::: (view all by) ::: January 22, 2004, 09:44 AM:

It was unpleasant and obscene, he posted it three times over, and he'd never been seen here before. It's not a good way to introduce yourself.

Still, if I got e-mail from him saying he didn't mean it like that, I'd say "okay, fine, welcome back". We're all fallible. I'd just need an indication that he's something other than a roving vandal.

#55 ::: Julia Jones finds comment spam ::: (view all by) ::: August 11, 2004, 04:07 PM:

Is it my imagination, or is this one actually targeting the threads about comment spam?


Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 by Patrick & Teresa Nielsen Hayden. All rights reserved.