SA Security Bloggers
SensePost
Junaid LoonatPopular Entries
Articles
Vulnerability Life Cycle - threat modelling
Web Hacking 2.0
Why Exploit Markets are Bad
Ettercap-NG Workings and Defence
The Zotob Summary
How-To's
Linux SSH Jail with pam_chroot
Firefox Privacy & Security Extensions
Papers
Managing Patching, my MSc Thesis
Risk Analysis of Monthly Patch Schedules
Tools
Automated Vodacom SMS (VodaSMS)
RSS 2 SMS
DShield Hack Detection
Neologisms
Encryption principles
Zoolander's Law
Syndicate This Blog
SSL
Certificate fingerprints:
SHA1: 61 13 45 4B 4C F9 89 9B B7 87 C8 78 F7 38 12 CB 07 E2 60 BF
MD5 : DA 53 7B 50 E4 3A 2C 6C A1 17 53 C1 A0 5E CB 89
HTTPS version.
You can find an explanation here.
License
Disclaimer
This blog and its contents are in no way affiliated with, or endorsed by my employer.
Friday, September 3. 2004
Crazy Comment SPAM
It seems the Rhodes Serendipity blogging community just got hit by a comment SPAM blitz. It is still going on and involves the keywords "phentermine diet pills casino".
First off, for those unfamiliar with MySQL and Serendipity, this SQL statement will get rid of it for you:
This assumes your DB prefix was the default 'serendipity', mine wasn't and so my table was called blog_comments.
It came from a variety of IP's, here is a list.
The one IP "61.145.73.222", viewed 1109 pages giving me 1612 hits and using 18.54 MB of bandwidth andother one, "210.5.71.243.pldtvibe.com", viewed 405 pages with 640 hits and using 6.67 MB of bandwidth. So far I have recieved 257 SPAM comments today. I have denied those IP's in my .htaccess. Could other Rhodents or people in the community at large experiencing the "phentermine diet pills casino" SPAM, contribute IP's for a block list.
All of the domains referenced in the SPAM, namely:
Marketing Team
132 Main Street
Seatons, Seatons W1
Antigua and Barbuda
casinogroup2000@yahoo.com
+2684636957
Two of the domains were registered by GoDaddy.com with the third registered by Global Registration Services
All three domains use ns(0,1).marketing-team-2004.us as their nameservers. With the marketing-team-2004.us domain also registered by GoDaddy.com but with a different address and phone number:
Marketing Team
166 West 98 Street
New York 10030
casinogroup2000@yahoo.com
+1.2128235517
The site http://www.marketing-team-2004.us/ only has the text "here you are".
Now how does one go about getting them shut down? Do I write to GoDaddy and say they are SPAMMERS?
It seems Rhodes is not the only one who has had trouble with these guys. A google search for their e-mail address turned up this blog entry by someone who has had similar problems.
As they seem to use their yahoo address I sent them this mail:
On September the 3rd you started comment spamming our entire netblock. You sent me alone in excess of 150 spam entries.
Since this is a commercial message, and since I have not requested to recieve commercial communications from you, this message constitutes an unsolicited communication in terms of section 45 of the Electronic Communications and Transactions Act (Act 25 of 2002).
In terms of section 45(4) of this Act, this message serves as notification that I do not wish to receive any further communications from you. Failure to comply with this request constitutes a criminal
offense in terms of the ECT Act.
Additionally, I hereby request that you immediately disclose where you obtained my contact details, as per section 45(1) of the ECT Act. Failure to respond to this request also constitutes a criminal offense.
Should you wish to familiarise yourself with the relevant legislation, or check my facts, a copy of the ECT Act is available on-line via the Government's web site: http://www.gov.za/gazette/acts/2002/a25-02.pdf.
Your co-operation in this matter will be appreciated.
Let's wait and see if they reply. They are not South African and I don't think the ECT law applies to comment spam anyway. This is more of a scare tactic. They have been reported to the US Federal Trade Commission once before. Can I report them if I am not an American?
UPDATE I
I just got hit by some more comment SPAM. I am maintaining a block list here. Only 97 this time. Also there are some common blocks they are coming from. I am going to mail their owners. If I get no reply then I will deny the whole block.
UPDATE II Sep 14th
I just got a reply, it said:
Hi Dominic,
Sorry for the trouble
Please send me the spammed blog URL and we will take it out from our database
All the best
Susan
My reply said:
Hi
Thanks very much for the offer. There are quite a few blogs on our student server which has the rucus.net and rucus.ru.ac.za domain, most belong to computer science masters students and a few to some final year law students who whould also like to be removed, so could you remove all blogs in that domain.
If you are unable to remove the whole domain here is an incomplete list, there may be others who wish to be removed:
rucus.ru.ac.za
singe.rucus.net
ings.rucus.net
dmackie.rucus.net
dbrowe.rucus.net
lunda.rucus.net
cliff.rucus.net
jersey.rucus.net
Thanks again for your response.
Let's hope this works.
delete from serendipity_comments where body like '%phentermine%';
This assumes your DB prefix was the default 'serendipity', mine wasn't and so my table was called blog_comments.
It came from a variety of IP's, here is a list.
The one IP "61.145.73.222", viewed 1109 pages giving me 1612 hits and using 18.54 MB of bandwidth andother one, "210.5.71.243.pldtvibe.com", viewed 405 pages with 640 hits and using 6.67 MB of bandwidth. So far I have recieved 257 SPAM comments today. I have denied those IP's in my .htaccess. Could other Rhodents or people in the community at large experiencing the "phentermine diet pills casino" SPAM, contribute IP's for a block list.
All of the domains referenced in the SPAM, namely:
- waylandenterprises.co.uk
- honeymoon-destination-a.us
- blackjack-123.com
Marketing Team
132 Main Street
Seatons, Seatons W1
Antigua and Barbuda
casinogroup2000@yahoo.com
+2684636957
Two of the domains were registered by GoDaddy.com with the third registered by Global Registration Services
All three domains use ns(0,1).marketing-team-2004.us as their nameservers. With the marketing-team-2004.us domain also registered by GoDaddy.com but with a different address and phone number:
Marketing Team
166 West 98 Street
New York 10030
casinogroup2000@yahoo.com
+1.2128235517
The site http://www.marketing-team-2004.us/ only has the text "here you are".
Now how does one go about getting them shut down? Do I write to GoDaddy and say they are SPAMMERS?
It seems Rhodes is not the only one who has had trouble with these guys. A google search for their e-mail address turned up this blog entry by someone who has had similar problems.
As they seem to use their yahoo address I sent them this mail:
On September the 3rd you started comment spamming our entire netblock. You sent me alone in excess of 150 spam entries.
Since this is a commercial message, and since I have not requested to recieve commercial communications from you, this message constitutes an unsolicited communication in terms of section 45 of the Electronic Communications and Transactions Act (Act 25 of 2002).
In terms of section 45(4) of this Act, this message serves as notification that I do not wish to receive any further communications from you. Failure to comply with this request constitutes a criminal
offense in terms of the ECT Act.
Additionally, I hereby request that you immediately disclose where you obtained my contact details, as per section 45(1) of the ECT Act. Failure to respond to this request also constitutes a criminal offense.
Should you wish to familiarise yourself with the relevant legislation, or check my facts, a copy of the ECT Act is available on-line via the Government's web site: http://www.gov.za/gazette/acts/2002/a25-02.pdf.
Your co-operation in this matter will be appreciated.
Let's wait and see if they reply. They are not South African and I don't think the ECT law applies to comment spam anyway. This is more of a scare tactic. They have been reported to the US Federal Trade Commission once before. Can I report them if I am not an American?
UPDATE I
I just got hit by some more comment SPAM. I am maintaining a block list here. Only 97 this time. Also there are some common blocks they are coming from. I am going to mail their owners. If I get no reply then I will deny the whole block.
UPDATE II Sep 14th
I just got a reply, it said:
Hi Dominic,
Sorry for the trouble
Please send me the spammed blog URL and we will take it out from our database
All the best
Susan
My reply said:
Hi
Thanks very much for the offer. There are quite a few blogs on our student server which has the rucus.net and rucus.ru.ac.za domain, most belong to computer science masters students and a few to some final year law students who whould also like to be removed, so could you remove all blogs in that domain.
If you are unable to remove the whole domain here is an incomplete list, there may be others who wish to be removed:
rucus.ru.ac.za
singe.rucus.net
ings.rucus.net
dmackie.rucus.net
dbrowe.rucus.net
lunda.rucus.net
cliff.rucus.net
jersey.rucus.net
Thanks again for your response.
Let's hope this works.
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
You are aware that if you log in as $su -, then click "Back to weblog", and then read the entry, you can click "delete" next to a comment to /dev/null it?
I recieved 257 of these things. There is no way I am going to go to every entry and delete the comments manually.
Hey, I received somewhere in the region of 257 myself - and then all that mail in my inbox informing me of all the new comments. It was most annoying, however nice to see that you went a little deeper and found out some more about them. In the mean time I deleted all the entries from the db and then have altered the config file that by default I disallow commenting on my entries.
That same group spam Whitedust.net a lot as well. It's quite annoying. I believe it started over xmas and despite the fact we have installed an "Are you human" script within out comment system; they still try and connect/comment spam anyway.
Quicksearch
this blog:
Schneier on Security: Friday Squid Blogging: Squid Launcher from "Despicable Me"