October 12, 2003

From the desk of Mindles H. Dreck:

Comment Spam - sending IPs

[last update and horrible question of the day - anybody want to make odds on when these guys figure out trackback?]

Here is a list of IPs from whom I/we have received this sort of thing. The first one was eight months ago or so:

207.88.76.143
219.95.12.122
219.95.14.239
209.210.176.22

The last one was the "preteen lolita" spam. If you have any others, post 'em in the comments. I've banned these here.

UPDATE: also a few brain damaged insult specialists.

UPDATE: according to an unfindable trackback on Winds of Change, these also:
209.210.176.19
209.210.176.20
209.210.176.21 (and 4 more not in the excerpt)

Looks like a whole block of 'em from 209.210.176.0-63 (just type in 209.210.176. in your IP banning)

UPDATE: from Cronaca
61.189.229.61
219.95.14.69
216.228.168.110

Perhaps it is time to show the IP of every commenter. There is a tag in MT to do exactly that.

SOLUTIONS UPDATE: Here is the most direct solution I've seen. I can't get to it tonight, but this would get rid of any automated spambot, as opposed to blocking each IP as it comes up.

Beyond this, the "spider trap" technique seems attractive. As I understand it, you hide a few forms in the page that submit to the "comment.cgi" script. Robots will fill in and submit the hidden form, but humans will not. Any submission arriving through a hidden form takes the sender's IP and adds it to a banned list, so they only get you once. I assume this is what MT will do in a forthcoming patch. This could be done in PHP or Perl now, I suppose.
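The two ideas above (the hidden-form trap, and banning a block rather than one IP at a time) fit together in a few lines of server-side code. The following is an added example written for this page, not MT's own code or the solution linked above: a comment handler that rejects already-banned senders, treats any submission that fills in a hidden field as a bot and bans that IP on the spot, and stores ban entries as CIDR ranges so the SISNA block is matched as exactly 209.210.176.0-63 rather than the "209.210.176." prefix (which also catches 64-255). The field name `url2`, the sample ban list and the sample submissions are constructed for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed ban list: a few of the single addresses from the post plus the
# SISNA range written as a /26, so it covers .0-.63 and nothing else.
BANNED_ENTRIES = [
    "207.88.76.143",
    "219.95.12.122",
    "219.95.14.239",
    "209.210.176.0/26",
]

# Hypothetical name of the hidden honeypot field. It is rendered inside a
# display:none container, so a human never sees or fills it; a bot that
# blindly fills every field will.
HONEYPOT_FIELD = "url2"
HONEYPOT_HTML = (
    '<div style="display:none">'
    f'<label>Leave this blank: <input type="text" name="{HONEYPOT_FIELD}"></label>'
    '</div>'
)


def parse_ban_list(entries):
    """Turn strings (single IPs or CIDR blocks) into ip_network objects.

    A bare address becomes a /32 (or /128) network, so every entry can be
    tested the same way with `addr in net`.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_banned(ip, networks):
    """True if `ip` falls inside any banned single address or range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as not banned, not as a crash
    return any(addr in net for net in networks)


def is_trap_submission(form):
    """True if the hidden honeypot field arrived with any non-blank content."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())


def handle_comment(form, remote_ip, networks, ban_log):
    """Decide what to do with one comment submission.

    Returns (status, message) where status is one of:
      "rejected" - sender already on the ban list
      "trapped"  - sender filled the hidden field; now added to the ban list
      "accepted" - looks like a human submission
    `networks` is mutated in place when a trap fires; `ban_log` receives a
    timestamped line so the addition can be audited later.
    """
    if is_banned(remote_ip, networks):
        return "rejected", f"{remote_ip} is banned"
    if is_trap_submission(form):
        networks.append(ipaddress.ip_network(remote_ip))
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        ban_log.append(f"{stamp} {remote_ip} banned: filled honeypot field")
        return "trapped", f"{remote_ip} added to ban list"
    return "accepted", "comment stored"


if __name__ == "__main__":
    nets = parse_ban_list(BANNED_ENTRIES)
    log = []
    # Constructed submissions: one human, one bot that filled the hidden field.
    print(handle_comment({"comment": "nice post"}, "209.210.176.200", nets, log))
    print(handle_comment({"comment": "buy now", "url2": "http://example.invalid"},
                         "10.0.0.6", nets, log))
    print(handle_comment({"comment": "again"}, "10.0.0.6", nets, log))
    print(*log, sep="\n")
```

Note that 209.210.176.200 is accepted: it lies outside the /26 but would have been caught by a plain "209.210.176." prefix ban. The ban list is kept in memory here; in a real install it would be persisted (a flat file is enough) and reloaded by each CGI invocation.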

Steven Den Beste (see the comments) sought out the owner of the 209.210.176 block, responsible for some of the more disgusting spam -

OrgName: SISNA, Inc.
OrgID: SISNAI
Address: 265 East 100 South Suite 310
City: Salt Lake City
StateProv: UT
PostalCode:
Country: US

NetRange: 209.210.176.0 - 209.210.176.63
CIDR: 209.210.176.0/26
NetName: SISNA-SLC-SERV
NetHandle: NET-209-210-176-0-2
Parent: NET-209-210-176-0-1
NetType: Reassigned
Comment:
RegDate: 1998-12-02
Updated: 1998-12-02

TechHandle: PN44-ARIN
TechName: Ngai, Peter
TechPhone: +1-801-924-0900
TechEmail: pngai@sisna.com

I'm not suggesting you write to Pete, or turn these folks in or anything, but there you are...

Posted by Mindles H. Dreck at October 12, 2003 09:15 PM
Comments

WEHT your foreign service ambitions?

Posted by: Potential FSO on October 12, 2003 09:29 PM

According to Making Light, it's 209.210.176.0-63,
so it's probably best to ban the whole block. In MT you can do it with 209.210.176. (don't forget the period at the end), although that will block 0-255 and might end up banning some IPs that don't deserve it. Probably the safest thing to do, though.

Posted by: Kevin Drum on October 12, 2003 09:42 PM

I'm glad it's not just me -- I honestly thought it was a disgruntled reader who had submitted my url to something or other.

Posted by: Michael Tinkler on October 13, 2003 08:43 AM

We got spammed in the comments by this one last week:

65.77.116.28

Posted by: Jonathan Wilde on October 13, 2003 09:20 AM

According to ARIN, that block of 64 IPs belongs to Sisna, Inc, in Salt Lake City.

Posted by: Steven Den Beste on October 13, 2003 10:43 AM

Just in case you want to know, Jane: At least one of those spambots you blocked is now sending emails to every address they've ever gleaned from your pages, reporting a "problem" with your site.

Posted by: Clayton D. Jones on October 13, 2003 06:39 PM

Hey, wait a minute. You're not Jane...

Posted by: Clayton D. Jones on October 13, 2003 06:41 PM

Meh! >_

Good thing I'd already learned the hard way not to put a real address down when I'm commenting. ^_^;

Posted by: Small Pink Mouse on October 14, 2003 12:22 AM

The address I use for posting nicknonymously is real, but it mostly just gets spam anyway so getting harvested by yet another bot is no big thing. Now and then I get a new 419 letter for my collection, or an actual response to one of my comments, so I keep the hotmail account active.

As for posting every IP number, I would like to point out that there are plenty of people out here who, as I do, post from two different networks, each with dynamic IP numbers. Don't count on IP to verify identity.

Posted by: triticale on October 14, 2003 01:17 AM

SISNA's in Utah.

They got rid of their state porn czar, but they'd probably still put a little heat on that company, were someone to bring this to the attention of state officials.

Posted by: Jon H on October 14, 2003 01:43 AM

Ur... that ARIN whois information simply specifies the administrator for the netblock. It (and several others) appear to belong to a small ISP. I highly doubt anyone working for the company had anything to do with it.

Try emailing abuse@sisna.com with the comment post times and IP addresses used.

As someone who administrates a fairly large set of IP blocks during the course of his day job, I can attest that it's not exactly uncommon for people to fly off the handle and start sending nasty emails to netblock admins based on ARIN lookups.

It is, however, very annoying.

Posted by: Mr. Lion on October 15, 2003 02:08 AM

Cool blog!

Posted by: Mister Y on December 19, 2003 11:17 AM

Happy new year

Posted by: Herdy on January 6, 2004 09:27 AM

Comments are Closed.