thespamwar.com

Recently we where charged a vengeance service. A host who’s name will remain undisclosed requested we track who was killing one of their servers via eating bandwith. The host company has requested that I publish a summary of the findings.

The admins had detected a user was doing suspicious activities, using curl intensively and with encoded files in his account that they did not understand what they where used for.

The investigations went on for a couple of days. I got involved myself on it, due nobody could get an answer as if the user was really doing something bad or not.

First suspicious thing was that the user just had a test.php and a .htaccess page. I reproduce here the .htaccess
Options +SymlinksIfOwnerMatch -Indexes
RewriteEngine On
RewriteRule ^$ test.php?1=0 [L]
RewriteRule ^([^/]+)/$ test.php?1=1&4=$1 [L]
RewriteRule ^([^/]+)/([^\.]+)\.html$ test.php?1=2&4=$1&5=$2 [L]
RewriteRule ^robots\.txt$ test.php?1=3 [L]
RewriteRule ^style\.css$ test.php?1=4 [L]
RewriteRule ^([^/]+)\.js$ test.php?1=5 [L]

RewriteRule ^testmonkey\.html$ test2.php [L]

RewriteRule ^(webalizer|guestbook|webemail|usage|stats|servertest|cp|cpanel|WEB-INF|reports|modlogan) - [F,L]

If you find this .htaccess in your server, don’t think it twice. Terminate that account. You can get a word to us; we will appreciate.

test.php (and test1, test2.php and so on) is an encrypted md5 code. a cat returns
cat test.php

The test.php, what is does, is to act as a proxy: any page requested using variables 2,3,4,5 is served to the site of destination. It can be just somebody serving the pages that way…. or may be user to spider any site for email harvesting, bot spam posting and so on. Choose the option you think it is used for and act accordingly.

Compromised IPs have been found to be
64.21.36.144 a NET@CCESS home user. A hacked computer (most likely) or the spammer
67.15.182.34 an EV1 server, which likely acts as proxy to further hide the user with another layer.

The sites are hosted at http://www.online-casino-winner.com/ which is an RGP domain (somebody killed it before us! )
IP 205.214.94.202

Unfortunately, the track was lost there. We where able to shut many domains and some IPs at 3 different hosting providers, but the real identity was undisclosed. Paypal did never return to us about the actions done on the IP submitted.

First of all I did not not click on the link in my log file - this would send my referrer whizzing over to the spam site and might only encourage more of the stuff. I wanted to know who was behind the spam so I went to samspade.org and typed in the domains:

Instead I cut and pasted the domain names.

ronnieazza.com
Samspade told me the Registrant was Susan Lee, living in New York and the administrative contact Evelin Porter. I checked the names in the US white pages and these people don’t exist at the addresses given. The IP address of the server is 219.150.118.16.

yelucie.com
Yelucie was hosted by the same IP address. Again the contacts, Harry Graham were bogus. I checked the numbers with a reverse telephone number database and they were not assigned.

6q.org, smsportali.net, future-2000.net
6q.org, smsportali.net and future-2000.net were also on the same IP.

China Telecom
So where was this Web server? Checking the IP address: 219.150.118.16. Showed that the machine was hosted by Chinanet Henan Province. Chinanet and Chinatelecom are notorious spam hosts and should really be booted off the Internet.

Analysis of Keywords
I downloaded my log files for the last week. These were common words used in the referrer fields:

Analysis of IP Addresses of Spammers
I looked at the IP addresses being used by the spammers. For brevity I won’t include them all here. Just to say that well over 50 machines were involved in sending the referrer spam in a single 7 day period. These machines were spread all over the world. From this I conclude that the spam is being sent by compromised “zombie” hosts in much the same way as a lot of email spam. The machines have become infected by a virus or worm which has installed a spam server. This is probably sent a list of sites to spam.

The Spam Sites
Many people who have been hit by the latest wave of referrer spam have gone to check out the spammers and found a message (usually in poor English) saying the spammer has been reported and the site is closing. The site offers you a form to report the spam where you can enter your URL and email. After nearly 20 years doing Internet stuff I was naturally suspicious so a I checked back on the sites a few weeks later. Well blow me down, they were now up and running and selling watches, drugs and gambling.

It seems this spammer is pretty savvy. By initially putting up a page that made his site look like it was closed he probably hoped to avoid any trouble, he would also pick up some useful emails and URLs from spammers if they used his form.

Stopping Referrer

Google is a powerful resource for identifying many kinds of sensitive data in your website. A few simple searches can reveal a lot. Consult the Google Hacking Database for information on the various types of searches you can try.

Good references are in the following link
http://johnny.ihackstuff.com/index.php

Besides, just try one typical search

yoursitename error

in Google. you will be surprised by the number of errors found in your site by Google. And any of those may reveal sensitive information to hackers. Or even worse

yoursitename log

Logs left on the server, cached in Google, may reveal A LOT about you.

At one time spammers would research the target weblogs to find those that were both indexed by search engines and had a high Google PageRank. He would then launch a script, requesting the smallest page with his website as the referrer URL. A number of requests were necessary for each target as many of the logs only displayed the top 25 referrers.

Referrer spam relies on web masters leaving their server logs open to the public or blog owners showing the top referrers in their site statistics. This means that the referrer URLs may get indexed by search engines and provide a source of inbound-links for the spam site. Inbound-links are a component in the ranking processes of the Google, Yahoo! and MSN Algorithmic Search Engines. Some logs have surprisingly high page ranks so there is a value to the links.

Another good tip: having a high pagerank is, in fact, bad for your blog. If you think about this, better to just disallow Google exploring sensitive parts of your site. Except the index and most common pages, but forbid to Google the ones where you have entries where users can add comments. Bot spam will disappear.

Finally. Take revenge.

Yup. revenge is useful. If you trace down the origin of the spam log, where the site the links are hosted, and you warn the ISP, the site is surely shut down in no time. This will give you (and many others) at least some days of peace until the spammer finds a new place. WE Provide that service (look at Vengeance! link): we trace where the links are hosted and ensure the site is closed. We even request the ISP to give us details on the user and it’s logs, such as we can trace it further and close other sites the spammer may have and the accounts he uses at those bet sites or porn sites he promotes, loosing his money. This process aims at doing as much economical damage to the spammer as possible, because we know this is the only thing that hurts him.

Miquel

You are an small host, worried about how can the server be safe?

Well. The safest policy is to get it, put it underground and disconnect any cable from it. No one will break that server.

But you want to keep it alive on Internet? he he. Most of us want.

Ok. First the basics.

1. Logon into your WHM and install mod_security. Follow the 123 instructions below:
a. Go to menu Cpanel
b. Submenu Addon modules
c. Browse to the end and select Name: modsecurity ( tick on the box install and keep updated)
d. Click on the ‘Save’ button at the end of the page.
e. DO NOT modify the standard settings. There will be a mod_security entry into the menu now. Just leave it. If you are following this it is clear the best policies are the standard for you. Furthermore than the mod_security interface from cPanel does not work as it should. So leave it. You’re done.

easy, right? mod_security will protect your server from the most common attacks and flaws in apache.

Miquel

Comment spam is simply spam posted in a blog or any page that allows to insert comments. Spammers have discovered bloggers and sooner or later if you allow comments or trackback pings on your weblog you will get spammed.

Blog spam appears in many flavors:

1) Basic comment spam.
The spammer leaves a short uneventful message in a comment field in one of your entries. The spam comes from the URL placed in the comments URL field. These URLs link back to every conceivable scam. The spammers leave URLs here to create a link from your site to theirs, thus increasing their Google ranking. Spammers are also now linking to legitimate sites that have not cleared their pages of comment spam, thus increasing the Google rank of those spam links. This all goes to show you that you really do need to check the links of anyone who leaves a comment on your site.

2) Comment spam flooding.
The spammer uses an automated computer bot to flood your blog with comment spam messages, up to hundreds in an hour. The spammer doesn’t necessarily leave a URL, but can leave garbage messages, almost like a graffiti artist. The comment spam can put a severe load on the server hosting your blog software to the point that it crashes.

3) Trackback Spam.
Spammers have discovered how to take advantage of Trackback. TrackBack spam is very similar to comment spam. The spammer sends TrackBack pings to your site that direct viewers to a totally unrelated URL.

4) Referral spam.
The spammer links to your site from their site, and then pings your site through their link, thus creating a reference and link to their site on the statistics referral log of your website. When you are reviewing your stats and see the reference to an odd site (ex. Paris Hilton), clicking on the link takes you to their site. Many people list “referrals” on their site publicly, so by spamming referral logs, not only does the spammer get a link on your referral log (which is picked up by Google) but may even get a link on your main page.

I do not agree to the crap floating around about productivity decrease, arguing about the time spend reading spam (who on hell believes this, apart from Gartner and Barracuda? , decrease of productivity? come on…) If people reads spam at work is because they have too much time and their workload is low. If they do not read spam, they would be browsing the web, so any of those arguments does not bring benefit therefore cannot be computed as cost. But I understand they have to sell . Really, what do you do when you get one of those pill-selling emails? just goes to the bin without even bothering to read the second word of the subject line. NO-TIME lost then.

So. that’s all??? Spam is annoying just annoying? NO! Spam does real damage.

I’m into the hosting business. And one of the hard parts of that business is spam. Spammers tend to hide behing hosting servers, trying to send email anonimously using security holes into the server. That’s one of the first and most damaging activities. A server may be shut down just because an spammer got in and started sending email from there (Does not take long, about a couple of hours after goes in, it is detected and the NOC will shut the IP down without warning). This means the rest of users will have the sites down for a while, from 2 to 10 hours until all is cleared up again. This implies A LOT OF money lost.

So. We need to protect the servers against security wholes. This cost money as well. Which is reverted to the users, obviously. But even if the spammer does not go in, just the scanning process eats server resources: bandwidth and processor. That’s as well a big cost to the hosting business. Finally, there’s the harvesting or email addresses. Spammers use spiders designed to crawl a site for email addresses. Or spam bots to post into forums. They eat as well server resources: And not an small amount. From my experience, I would say that half of a server capabilities are spent serving pages to spam bots. Or what is the same. 50% of the maintenance cost of a server is lost because of spammers. Nice, uh?

Why I hate spam then? Well. I sumarize the above in a few points
* Spam implies a big cost in server security
* Spam implies a waste of bandwidth and server processor, meaning that I cannot fill the servers to their true capacity.
* Spam implies a business risk of having a server down and loosing customers or reputation.

Overall, 50% of my work is due to spam. If spam fenomena didn’t exist, I would be able to have half day free every day of my life.

I hate spam. It’s a useless activity that exists just because the net is full of good-willing people. And if we don’t stop it, spam will kill the net, will kill this open, colaborative world we have now. So, I have declared war on spam and will publish here any method I find to stop it.

Miquel

90% of spammers are just kiddies discovering the world, thinking they will get tons of money in 2 days from sending messages everywhere. What I can say. No experience at all, so they just grab an spider, create or buy a list of emails and start crawling.

For spiders, a very good way of stopping them is a bot trap. A nice article I like from Neil Gunton. Good examples that you can just copy and run (well … some coding surely will be good to adapt them.)

http://www.neilgunton.com/spambot_trap

What I like from it is the objective: take away the waste of resources, that is, not only protect the pages, but ensure the spider does not kill the site.

Miquel