Back to previous post: Last days

Go to Making Light's front page.

Forward to next post: Howie!

Subscribe (via RSS) to this post's comment thread. (What does this mean? Here's a quick introduction.)

October 29, 2004

Comments turned off
Posted by Patrick at 08:09 PM * 34 comments

Our apologies. Comments have been disabled while we deal with a massive spam attack.

We have obligations this evening, so it may be a few hours before commenting is enabled again. We’ll update this post when that happens.

UPDATE, 11:29 EST: Comments have been re-enabled. Several hundred spam comments stuffed with what appeared to be pornographic URLs have been deleted.

At one point in the process, it’s possible that some legitimate posts containing the string “men” were deleted as well. If you spot such a deletion, let us know and we’ll do our best to restore the comment.

On a more unhappy note, Jim Macdonald pointed out something very odd about these hundreds of spam comments: every one of the URLs in them led to a 404 message, not to a real site.

In other words, this wasn’t just some nitwit trying to boost their Google pagerank. This was somebody trying to shut us down.

If Patrick posts any further remarks on this particular spam attack, they’ll be found here.

Addenda: I’ve done some hunting for other web pages where these spam ISP addresses occur. So far I’ve matched one ISP address, 67.171.148.156, with one other weblog, The Backroom Brief. They got hit in the trackbacks from this article, “Supreme Court decision on lobbyist campaign spending,” which was posted in May of this year. Oddly, that spam consisted of one word, “iixifa”, supposedly posted by “eiaiie”. That was about a week ago, on 24 October. This morning, the trackback list for that same article got hit with three porn spams—all of which have URLs that lead to 404 messages. I haven’t yet determined whether those URLs match any of ours. There are hundreds of these things.

More: On 26 October, the RightBiz Enterprises WWW Bulletin Board got hit from 68.198.39.19 with the message, Hello from Zimbabwe!, posted by “garfield”, iwanhyqueu64@jefldedos.com. The RightBiz Bulletin Board appears to be very poorly maintained, and has become a repository of porn spam. Some of them match earlier porn spam attacks that hit Making Light.

More: 24.98.115.37 turns up quite a few hits, including another “hello from Zimbabwe!” from “garfield”, uyhh91@eusatav.com, in another area of the RightBiz board. That area’s a veritable museum of comment spam in all its nasty varieties. And: 68.198.39.19 does the same. As does 24.22.18.250; the latter is also listed on something called the Temporary Blackhole List. As does 67.167.252.219, which is also mentioned on a number of densely technical pages I don’t understand.

This much data ought to be susceptible to traffic and pattern analysis. Given the manifest ability of comment spammers to swamp websites, you’d think the administration would allocate some of its security efforts to figuring out who’s doing this, instead of wasting its time terrorizing romance writers who research the wrong subjects.

More: 24.126.178.69 is listed at SenderBase, the significance of which is lost on me.

More: ISP addresses for which Google can find no other occurrences:
24.99.203.58
66.245.112.144
68.42.46.205
68.9.210.50
68.97.20.217
Comments on Comments turned off:
#1 ::: JamesG ::: (view all by) ::: October 30, 2004, 10:02 AM:

Filthy spammers! They are worse than the plague. They have even resorted to sending trash over my fax at work. We recieve two or three faxes a day that are uring us to take a trip or buy cheaper meds.

#2 ::: James D. Macdonald ::: (view all by) ::: October 30, 2004, 11:59 AM:

Sending spam by fax is actively illegal. Go get 'em.

-----

I haven’t yet determined whether those URLs match any of ours.

They do.

Not only are those non-existent sites, there's no evidence that they ever did exist.


Given the time delays between posts, someone was pasting those in by hand, hitting the preview and post buttons with their own personal mouse.

Congrats, guys, you're on someone's radar.


#3 ::: Greg London ::: (view all by) ::: October 30, 2004, 12:02 PM:

I was very disappointed to find out all the porn links were dead ends. I mean, I was very upset to hear you say the links were dead ends. Not that I would have had a reason to click on them myself. OK, I clicked, but it was all part of research for an up and coming story I'm working on. No, really!

;)

#4 ::: Dan Blum ::: (view all by) ::: October 30, 2004, 12:19 PM:

I don't know if those IP addresses are likely to point back to the actual spammers, but if so, doing a whois on most of them will give you an abuse-reporting address. Several of them are ComCast addresses (from different areas of the country, which leads me to think they will in fact not point to anything), one from Earthlink, and one from Cox.

#5 ::: Patrick Nielsen Hayden ::: (view all by) ::: October 30, 2004, 12:25 PM:

Jim Macdonald writes:

"Congrats, guys, you're on someone's radar."

That's what I think, too, but I'm sure plenty of people will be eager to explain how this can't possibly be the case.

Certainly there's nothing suggestive of incipient fascism happening out there. Certainly no widespread thuggery or outbreaks of creepy political violence.

#6 ::: Lucy Kemnitzer ::: (view all by) ::: October 30, 2004, 01:12 PM:

Are comments on older posts going to remain turned off, or is my browser wonky?

I wanted to comment on the motivational posters thing. Honestly, I thought "oh goody! links to posters!" because if I get a classroom again -- I _like_ corny things on the walls. Not that I think that they "motivate." They do something else -- they give the kids something to look at when they get bored. And if they have an interesting picture, and a couple of words on them that you sort of want them to think about sometimes, they'll look at them and think "that's corny," and then maybe think about what they really think about the topic . . . and when they snap out of it, they'll have been thinking about something. I usually put lots of maps on the walls too, and examples of work, and directions for how to do things.

Anyway, I followed the links. And I noticed three things: all of the people on all of the posters I could find were white (and I didn't see any women, either, though I supposed they must be there somewhere), and they were all involved in luxury activities (most in sports which are mostly indulged in by wealthy people), and the photographic style on most of them is cold, isolating, sculptural -- kind of like (sorry) Nazi youth sports posters.

Which makes them useless to _me_. I need representations of a variety of people, like and unlike my students, and I want them engaged in activities my students can relate to, as well as activities I want them to aspire to. What's wrong with showing _basketball_ players for teamwork, instead of just white guys rowing those boats nobody ever sees except in motivational posters? (maybe they're more common back east, but out here, if you're on the water, you're on a surfboard, or in a kayak or a fishing boat) Or for perserverance -- what's with the lonely pictures? My students use the word "loner" as a synonym for "loser." Why not show a bunch of people standing around practising free throws?

And why not show teams of firefighters, folklorico or Aztec dancers in formation, musical groups (now there's a nice nuanced message -- everybody does their individual thing, but they all cooperate in one whole venture), even line workers (think Saturn ads)? Why is "challenge" illustrated with stupid-ass endeavors that could get you killed for no reason -- and a golf course? Why not a half-pipe and a _bunch_ of guys standing around while some guy gets some air?

I suppose, if I get a classroom again, I could make a lesson or three about these: hang 'em up for a week and then invite a critique session and have them write their own analytical essays.

But in general, I guess I'm going to stick to the maps and stuff.

Oh, and I knew about the demotivational posters already, but my type of students hate irony unless they generate it themselves: I think because of the language issue, it's just too many things to be doing at once.

#7 ::: Jon Meltzer ::: (view all by) ::: October 30, 2004, 01:15 PM:

It was damned obvious before I even saw that nyaah-nyaah-nyaah comment on Electrolite.

Get those bastards.

#8 ::: Lucy Kemnitzer ::: (view all by) ::: October 30, 2004, 01:17 PM:

Oh crap, my browser is wonky, and I posted twice because of it, and it's a long post. Can the second one be removed somehow?

#9 ::: Joseph Holmes ::: (view all by) ::: October 30, 2004, 01:58 PM:

In purely practical terms, the latest MT Blacklist plug-in 2.x, which requires MovableType 3.x, is much more than just a blacklist for stopping comment spam in blogs. It's got some flexible settings that will shut down spam based on, for example, multiple comments from the same source, postings in older inactive entries, and multiple URLs within one comment. Rather than simply block these, it will notify you and allow you to review the comments -- "forced moderation" they call it. And each of those parameters can be fine-tuned in the configuration pane of MovableType -- for example, you can set how many URLs within a comment will trigger forced moderation. It's very slick. The plug-in also stops spam based on a GREP-like matching that looks for combinations of words in the subject.

These new capabilities have come in really handy on my photoblog, where the plug-in has successfully stopped spam that isn't yet part of the master blacklist. I looked at my MT Blacklist log today and saw dozens of spams that had been turned away. I'm normally blissfully unaware that anyone is attempting to post that shit. Only two or three spams get past the plug-in each week for me.

#10 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 30, 2004, 02:04 PM:

That sounds heavenly.

#11 ::: JamesG ::: (view all by) ::: October 30, 2004, 03:11 PM:

Sending spam by fax is actively illegal. Go get 'em.

#12 ::: JamesG ::: (view all by) ::: October 30, 2004, 03:12 PM:

Illegal, huh? I had no idea, I thought it was just an annoyance. I will see what I can do about them first thing Monday morning.

Thanks for the info.

#13 ::: Joseph Holmes ::: (view all by) ::: October 30, 2004, 03:46 PM:

Re: unsolicited commercial faxes. They're illegal and you can collect as much as $2500 per junk fax by suing the faxers in small claims court. Info here:

http://www.junkfax.org/fax/action/outside_how_to_sue.html
http://ftp.fcc.gov/cgb/consumerfacts/unwantedfaxes.html
http://www.junkfax.org/fax/basic_info/junk_fax_qa.htm
http://www.junkbusters.com/fax.html

Nothing will stop these people faster than taking lots of their money.

#14 ::: Kathryn Cramer ::: (view all by) ::: October 30, 2004, 04:49 PM:

I got about 400 comment spams when I was in Boston for the WorldCon. I didn't check whether they fed through to real sites. But it was really discouraging. The spammers found some chink inf MT Blacklist's armor and exploited it.

I've got Comment Moderation turned on in my MT3.11 install at this point because the Perl on my ISPs server is too crude to run MT Blacklist. It's still really irritating to get large batches of comment spam (which I do from time to time) but since spammers get no gratification of seeing their comments appear, I'm getting a lot less than I used to.

If I was getting more, I would change the name of the comment script once a week. (I do it now whenever I begin to receive comment spam regularly). These attacks are automated now, so the spammers aren't actually visiting you site at all. Rather, your comment script is in someone's malign database.

(Beware, those of you thinking about changing the name of your comment script for the first time. It is possible to screw up your MT install doing it. Back up everything first. Delete the mt.cfg file entirely before uploading a modified version.)

#15 ::: erin ::: (view all by) ::: October 30, 2004, 04:58 PM:

Patrick, thanks for those links. That reaches levels of disturbing and creepy I wasn't even aware existed in this election. (Which obviously means I hadn't been paying enough attention.) It also makes me wonder what sort of collateral violence will occur with a Kerry win.

#16 ::: Kathryn Cramer ::: (view all by) ::: October 30, 2004, 05:00 PM:

By the way, Googlung for "hello from zimbabwe!" garfield produces over 700 results. My best guess is that the post is used to find out the name of the comment script.

#17 ::: James D. Macdonald ::: (view all by) ::: October 30, 2004, 07:47 PM:

If I recall correctly, P&T, this is the second time y'all have been hit with over a hundred nasty-porno comment spams each. Check the timing.

(Note that the Friday Evening time is designed to hit when most moderators are away from their keyboards.)

#18 ::: Nancy Hanger ::: (view all by) ::: October 30, 2004, 10:09 PM:

Strangely, the day after a political troll who was trying to bait my readers found my LJ blog, I woke up to 140 (and still counting) bounces in my email box from someone spoofing my domain for spam. I think the bounces are up over 400 only a few hours later, and still coming in. No way to shut it off without shutting down my email server entirely.

If this blacklists my domain for email, you're going to hear the screams all the way down in NYC.

Any advice?

#19 ::: James D. Macdonald ::: (view all by) ::: October 30, 2004, 10:28 PM:

The number of viruses in my email (the address I use for posting here) is up by two standard deviations, starting last Thursday.

Could just be a statistical fluke.

#20 ::: Paula Lieberman ::: (view all by) ::: October 30, 2004, 11:32 PM:

"Marat we're poor, and the poor stay poor...."

#21 ::: JM Kagan ::: (view all by) ::: October 31, 2004, 01:21 AM:

Given that certain political black ops have flooded phone banks with hang-up calls to prevent voters who needed rides to the polls from calling in to say they needed that ride and given that all too many of the new voter and get out the vote sites are relying completely on the internet, I can only extrapolate that a lot of the internet is gonna go down shortly.
If you can't just walk next door and ask your neighbor if she needs a ride or a baby-sitter Tues, may I strongly suggest that you get a way to contact your new voter OTHER than the internet by tomorrow? ---And that you give her a way to contact you other than a known Democratic/other phone bank?
(Oh, and take down all those other phone numbers you might need, too, like Election Protection.)

Worst Case Scenario: The internet (or huge chunks of it on the left side of my screen) goes down late night on Nov. 1 and stays down through several weeks of disputed ballots.

No, I am not crushed. The staunch Republicans in my family are so alarmed by Bush's policies that they'll be voting Kerry this year..."so long as you understand this is only gonna happen just this once, Janet, and just because of Bush." One of them called Bush "the Anti-Republican"; I won't tell you what another one called him because it shocked even me.

Hang tough and we'll see ya again when the internet's back up and running (I hope)...
Janet K

#22 ::: Paula Liebeman ::: (view all by) ::: October 31, 2004, 01:34 AM:

But Janet, I want to know what it was your relative called Bush that shocked even you! [I started referring to him as the schmuck, except that that doesn't work for people who don't think he's a bumbling malevolent [etc.]. I think used "the Residency" as the mildest term I was willing to apply to his Residency... I am NOT calling him by the title that a court that includes a corrupt sexual harrasser and at least one religious fanatic who doesn't let civil law get in the way of what he regards as Right because of his religious zealotry appointed him to.]

#23 ::: Lisa Spangenberg ::: (view all by) ::: October 31, 2004, 01:46 AM:

Nancy

Contact the ISP who is hosting your server; it's in their interest to help you track down the spammer, and they have the tools to do it. I'd be surprised if they won't--and if they aren't responsive, I've got a fabulous ISP for you, and I'm pretty picky. You should never have gotten all those bounces if your ISP was proactive in the least.

And as little as I trust or respect the current regime, I do respect the underlying technology in the 'net. It may hiccup but it'll go on.

#24 ::: Larry Brennan ::: (view all by) ::: October 31, 2004, 03:06 AM:

Janet - I've received a few canvassing calls over the last few days, all of them coming from the numbers of either local businesses, individuals or mobile phones and none from recognizable Democratic sources. I suspect that this distributed network thing for outbound calling will work, although I don't know if it's typical.

I do think that the GOP and its agents, as part of their Block The Vote™ program, will be jamming the voter protection hotlines.

If a good chunk of the web does go down (which I doubt will happen), they're sure to blame it on Osama.

#25 ::: JM Kagan ::: (view all by) ::: October 31, 2004, 01:20 PM:

Paula---
Once or twice a month, my staunch Republican and I have lively political debates over dinner. We run up one side of an issue and down the other. Neither of us shies from playing devil's advocate. We have a wonderful time having at it, and he's convinced me as many times as I've convinced him to shift positions. Sometimes we both wind up somewhere in the middle. (Ricky and his lady play at keeping score and throwing in the best of the zingers.) Great fun, and we always wind up laughing.
But the last time we had dinner with them, he shook his head wearily and said, "No politics." Then he leaned across the table and said, "Janet, this administration is evil."

You may think that all Republicans toss off the word "evil" with abandon but I assure you I have never heard that word come out of his mouth as long as we've been debating each other. Sometimes being shocked is all in the context.
Since then I've been officially scared spitless.
Janet

#26 ::: Graydon ::: (view all by) ::: October 31, 2004, 02:10 PM:

Teresa --

Most of those IPs are from IP broadband pools, it looks like, and one doesn't properly exist.

14:05 graydon % host 66.245.112.144
144.112.245.66.in-addr.arpa domain name pointer user-11fas4g.dsl.mindspring.com.

14:05 graydon % host 68.42.46.205
205.46.42.68.in-addr.arpa domain name pointer pcp09341499pcs.albqrq01.nm.comcast.net.

14:05 graydon % host 68.9.210.50
50.210.9.68.in-addr.arpa domain name pointer ip68-9-210-50.ri.ri.cox.net.

14:05 graydon % host 68.97.20.217
217.20.97.68.in-addr.arpa domain name pointer ip68-97-20-217.ok.ok.cox.net.

14:05 graydon % host 24.99.203.58
Host 58.203.99.24.in-addr.arpa not found: 2(SERVFAIL)
#27 ::: Joanne Jacobs ::: (view all by) ::: October 31, 2004, 02:23 PM:

TypeKey shut out the robots who were spamming my comments. I had MT Blacklist before, but it took too much time to use it. I was getting hundreds of spam messages on some days.

However, a few days ago, I realized Trackback was being spammed: So far, I've deleted more than 100 hard-core pornographic trackbacks. I eliminated Trackback from recent posts, but I've got thousands of old posts that they can hit.

Today there were only four new ones that came in overnight, and not as vile in content.

#28 ::: Teresa Nielsen Hayden ::: (view all by) ::: October 31, 2004, 06:41 PM:

Graydon, what are the implications?

#29 ::: Graydon ::: (view all by) ::: October 31, 2004, 06:53 PM:

Teresa --

Widespread comment spam from a lot of varied telco DSL IP address pool addresses like that would indicate to me that it's likely that the comment spam is being piped through a botnet.

(Telco DSL address pools are under constant attack -- integer-attempts-per-second -- and the machines at the addresses are generally not protected in useful ways. This makes them prime candidates for botting.)

If it is a botnet, it's not a garden variety moron but an actual criminal.

It's also impractical to track backwards through the botnet, which is why they're used.

#30 ::: Bill Blum ::: (view all by) ::: October 31, 2004, 06:57 PM:

Graydon mentioned:
14:05 graydon % host 24.99.203.58
Host 58.203.99.24.in-addr.arpa not found: 2(SERVFAIL)

The 24.98.0.0 -> 24.99.255.255 block belongs to Comcast, according to arin.net.

Yet another case of PC users not bothering to keep antivirus and firewall software up to date.

#31 ::: Bill Blum ::: (view all by) ::: October 31, 2004, 07:02 PM:

Graydon wrote:
(Telco DSL address pools are under constant attack -- integer-attempts-per-second

If I disable my firewall, I generally receive 5-10 blatantly obvious scans per minute on my DSL line, and 2-4 'less obvious' scans.

I've got a nice set of firewall rules that take care of most problems.

#32 ::: Paul ::: (view all by) ::: November 01, 2004, 07:34 AM:

I'm at work, so can't really look properly at this, but just wanted to post a link I thought people might find helpful for this - Sam Spade. (Also some more detailed tools provided there).

It's original purpose was to help people in tracking down spammers (which is something I used to play around with), but it's useful for this kind of stuff too.

#33 ::: Guy Matthews ::: (view all by) ::: November 01, 2004, 10:46 AM:

"If it is a botnet, it's not a garden variety moron but an actual criminal."

Have to disagree somewhat there as nowadays a garden variety moron with a minimum of motivation can easily acquire access to a botnet or build one up from scratch. A few months back we had a security incident on our server, some Brazillians used a web server vulnerability to kill off our IRC server and replace it with their own, they then redirected a domains of their choosing to our server's address and parked a botnet of +-750 clients on the hijacked IRC server to wait for commands. Now at first glance you might think these guys were pretty good to pull all that off, they weren't, here's the facts about what they did:

1. They never rooted the server (i.e. never gained admin rights), everything they did was under a single user's limited priviliges.
2. They couldn't shut down our server, they just got lucky that theirs loaded before ours at the next reboot, causing ours to fail as the ports were in use.
3. They only ever had any control on the server at all because one of our clients installed PHPNuke, a package with massive security flaws in its design.
4. Once the offending package was removed the intruders lost ALL ability to affect the server, they couldn't think of any other way to get in nor had they even tried to provide themselves with alternate means of access whilst they did have control.
5. The intruders failed to realize their botnet was still being allowed to log in to OUR IRC server after I dumped theirs, and was as of that moment being actively observed by the police.
6. The intruders were unable to keep up with me switching IP addresses to avoid their DDoS attack on me when I did finally confront them head on and dump em off the server for good. One individual vs 4 allegedly experienced hackers and a 750 client botnet, they couldn't touch me.

In short, they were very well equipped for spamming, DDoSing, and generally causing chaos, but they were baseline idiots following pre-written instructions to get anything done and completely incapable of improvising a response when the scenario turned on them.

As regards "Actual criminal", keep in mind it doesn't matter whether one is insane enough to spam by hand or are using a botnet (owned or hired), the individual in question IS a criminal when he starts spamming. Even without cybercrime legislations the sort of activity seen here and elsewhere constitutes harassment, disruption of business, and a number of other criminal activities. Hiring or building a botnet just means the spammer's commited MORE crimes above and beyond the spamming.

#34 ::: Maria Ng ::: (view all by) ::: November 03, 2004, 07:13 PM:

Lucy Kemnitzer: re motivational posters

The Festival Shop here in the UK produce a great range of multicultural/inspirational posters & resources for the classroom. Unfortunately their catalogue (still) isn't online yet, but it'll be well worth checking out when it is, and you can request a paper catalogue.
http://www.festivalshop.co.uk/

Syracuse Cultural Workers also have wonderful posters
http://www.syrculturalworkers.com/catalog/posters/Poster1.html

(My favourites are 'How To Build Community' & 'How To Build Global Community', on that first page, closely followed by 'Other Cultures Are Not Failed Attempts At Being You' on page 6 of the online catalogue)

I don't know if they were quite what you were looking for, but both Festival Shop & SCW produce posters with wonderful & positive messages.

(Many many commiserations on the election result)

Welcome to Making Light's comment section. The moderators are Avram Grumer, Teresa & Patrick Nielsen Hayden, and Abi Sutherland. Abi is the moderator most frequently onsite. She's also the kindest. Teresa is the theoretician. Are you feeling lucky?

Comments containing more than seven URLs will be held for approval. If you want to comment on a thread that's been closed, please post to the most recent "Open Thread" discussion.

You can subscribe (via RSS) to this particular comment thread. (If this option is baffling, here's a quick introduction.)

Post a comment.
(Real e-mail addresses and URLs only, please.)

HTML Tags:
<strong>Strong</strong> = Strong
<em>Emphasized</em> = Emphasized
<a href="http://www.url.com">Linked text</a> = Linked text

Spelling reference:
Tolkien. Minuscule. Gandhi. Millennium. Delany. Embarrassment. Publishers Weekly. Occurrence. Asimov. Weird. Connoisseur. Accommodate. Hierarchy. Deity. Etiquette. Pharaoh. Teresa. Its. Macdonald. Nielsen Hayden. It's. Fluorosphere. Barack. More here.















(You must preview before posting.)

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 by Patrick & Teresa Nielsen Hayden. All rights reserved.