
Calling all bloggers: attack in progress

I’ve just killed off another comment spamming attack against Samizdata. It was clearly automated so I expect many of the rest of you are getting hit as well. The methodology is an attempt at subtlety… but it ignores the fact that a blog is actively monitored.

I suggest you all immediately ban the IP if you haven’t done so already: 80.58.11.45.

The attacker hits the comments sections of old articles; the comment itself is trivial and innocuous: “nice website”, “interesting post” and the like. The payload is the URL field.

This looks like a google-bash for hire scheme to me.

16 comments to Calling all bloggers: attack in progress

  • A DNS lookup on 80.58.11.45 points to what appears to be a proxy server at rima-tde.net, which from a whois lookup appears to belong to Telefonica, which is a major telco in Spain.

    It probably isn’t official Telefonica policy to spam comments sections in UK blogs. It probably *is* official Telefonica policy to come down hard on customers who are caught using their ISP accounts for nefarious purposes, so a mail to their admins might get somebody’s account killed. Could be worth a try.

    Here are the details:
    Domain Name……………. rima-tde.net
    Creation Date………… 14/09/2001
    Expiry Date………….. 14/09/2004
    Last Update Date……… 29/08/2003
    Organization Contact Id…. PROP-1052-00039049
    Organization Name…….. TELEFONICA, S.A.
    Organization Org……… TELEFONICA, S.A.
    Organization Street…… GRAN VIA, 28
    Organization City…….. MADRID
    Organization State……. MADRID
    Organization PC………. 28013
    Organization Country….. ES
    Organization Phone……. 28013
    Organization e-mail…… null
    Administrative Contact Id.. 1052-00037117
    Administrative Name…… LUIS CASADO CARRASCO
    Administrative Org……. TELEFONICA, S.A.
    Administrative Street…. GRAN VIA, 28
    Administrative City…… MADRID
    Administrative State….. MADRID
    Administrative PC…….. 28013
    Administrative Country… ES
    Administrative Phone….. 34 915844500
    Administrative Fax……. 34 915844509
    Administrative e-mail…. LUIS.CASADOCARRASCO@TELEFONICA.ES
    Technical Contact Id……. 1052-00122052
    Technical Name……….. DOMAIN MANAGER
    Technical Org………… *
    Technical Street……… NULL NULL
    Technical City……….. NULL
    Technical State………. NULL
    Technical PC…………. NULL
    Technical Country…….. ES
    Technical Phone………. +34.914138956
    Technical Fax………… 34 915844509
    Technical e-mail……… TECNICO.DOMINIOS@TELEFONICA.ES

  • Thanks for the heads-up. I banned 213.213.89.130 (apparently from Italy) yesterday.

  • Matthew O'Keeffe

    In English anyone?

  • Dale Amon

    Alan: Yes, I’d done the lookups. The IP banning stopped the attack, but often these are just dialup users.

    In this case, it is possibly an open web-proxy attack so that the attacker can remain anonymous. If that is indeed the case, they could be anywhere at all.

  • Dale,

    sorry, presumptuous of me to assume you might not have already checked all that. I have had occasional positive responses from admins in these situations though.

    Alan

  • Dale Amon

    Not at all Alan. I haven’t had time to follow up on it; and if I’d not had the time yet to check the data, you’d have saved me the application of a few neurons when most of them are quite busy :-)

  • If you haven’t done so already you might like to take a look at the free new anti-spamming plugin for Movable Type, MT-Blacklist. This plugin helps filter spam from both comments and trackbacks based on a blacklist of spam strings, logs attempted spammings, features a web interface and takes the hassle out of removing spam comments and then blocking the associated IP addresses.

    Definitely worth a look: http://www.jayallen.org/projects/mt-blacklist/
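The two defensive ideas in this thread, the pattern Dale describes in the post (a throwaway comment body, the real payload in the URL field, aimed at old articles, from a bannable IP) and the MT-Blacklist approach in the comment above (a list of spam strings, logging of attempts, blocking the associated IP), can be combined into one small triage filter. The code below is an added example, not Samizdata's moderation code and not MT-Blacklist itself; the comment record layout, the blacklist strings, the generic-phrase list and the 30-day "old article" threshold are assumptions for illustration, and the sample comments are constructed (only the two IPs come from the thread).

```python
"""Comment-spam triage: IP denylist + blacklist strings + URL-payload heuristic.

Added example. Assumptions: a comment is a dict with the fields used below,
the blacklist/denylist values are constructed samples, and an article counts
as "old" after OLD_ARTICLE_DAYS days.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re
from urllib.parse import urlparse

# IPs named in the thread; in practice this list is short-lived because the
# sender may be behind an open proxy or on a dial-up pool.
BANNED_IPS = {"80.58.11.45", "213.213.89.130"}

# MT-Blacklist-style substrings: a hit in the body or the URL rejects the comment.
# Constructed sample entries.
BLACKLIST_STRINGS = ["buy-cheap-", "casino", "spam-example.invalid"]

# Throwaway phrases of the kind the post describes (assumed list).
GENERIC_BODIES = {"nice website", "interesting post", "great site", "nice site"}

OLD_ARTICLE_DAYS = 30  # assumption: beyond this an article is "old"


@dataclass
class Verdict:
    allowed: bool
    reason: str


def _normalise(text: str) -> str:
    """Lower-case and strip punctuation so 'Interesting post!' matches 'interesting post'."""
    return re.sub(r"[^a-z ]+", "", text.lower()).strip()


def _url_payload_present(url: str) -> bool:
    """True when the URL field carries an http(s) link to some host."""
    if not url:
        return False
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def classify(comment: dict, now: datetime) -> Verdict:
    ip = comment.get("ip", "")
    body = comment.get("body", "")
    url = comment.get("url", "")

    # 1. Hard IP ban: the quickest response, applied first.
    if ip in BANNED_IPS:
        return Verdict(False, "banned ip")

    # 2. Blacklisted strings anywhere in body or URL (MT-Blacklist style).
    haystack = (body + " " + url).lower()
    for needle in BLACKLIST_STRINGS:
        if needle in haystack:
            return Verdict(False, "blacklist match")

    # 3. The attack shape from the post: generic body, URL payload, old article.
    article_age = now - comment["article_date"]
    if (_normalise(body) in GENERIC_BODIES
            and _url_payload_present(url)
            and article_age > timedelta(days=OLD_ARTICLE_DAYS)):
        return Verdict(False, "generic body with url payload on old article")

    return Verdict(True, "ok")


def triage(comments, now: datetime, log: list) -> list:
    """Classify each comment, append a log line for every rejection, return the accepted ones."""
    accepted = []
    for c in comments:
        verdict = classify(c, now)
        if verdict.allowed:
            accepted.append(c)
        else:
            log.append(f"{now:%Y-%m-%d %H:%M} reject ip={c.get('ip')} "
                       f"url={c.get('url')!r} reason={verdict.reason}")
    return accepted


# Constructed sample input: dates chosen around the thread's own date.
NOW = datetime(2003, 10, 21, 12, 0)
OLD = datetime(2003, 1, 5)
SAMPLE_COMMENTS = [
    {"ip": "80.58.11.45", "body": "nice website", "url": "http://example.com/", "article_date": OLD},
    {"ip": "192.0.2.10", "body": "Interesting post", "url": "http://spam-example.invalid/x", "article_date": OLD},
    {"ip": "192.0.2.11", "body": "Interesting post!", "url": "example.com", "article_date": OLD},
    {"ip": "192.0.2.12", "body": "Interesting post!", "url": "http://example.com/", "article_date": datetime(2003, 10, 20)},
    {"ip": "192.0.2.13", "body": "I disagree with the premise because the data says otherwise.", "url": "", "article_date": OLD},
]

if __name__ == "__main__":
    rejections = []
    kept = triage(SAMPLE_COMMENTS, NOW, rejections)
    print(f"accepted {len(kept)} of {len(SAMPLE_COMMENTS)}")
    for line in rejections:
        print(line)
```

The order of the checks matters: the IP ban is cheap and certain, the string blacklist catches known payload hosts regardless of sender, and the heuristic is the only part that generalises to a new IP with a new host. The fourth sample comment shows the heuristic's built-in caveat: the same generic text with a URL on a recent article is allowed through, which is deliberate, since short friendly comments on fresh posts are normal and only the old-article targeting is what marks the automated run.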

  • e

    You must have really pissed that Kodiak guy off!

  • Will (Davis, CA)

    These attacks show the mentality of someone who doesn’t have the power to burn your books yet…

  • Kodiak

    Dear Mr e,

    Very funny !

    In addition to deep-seated computer illiteracy, I’m not interested in disrupting Samiz activities either. Why? For free speech at least.

    I assume (?) you were being humourous…

  • E Young

    Of course – a little humour leavens the otherwise sometimes overserious discussions here… and you do seem to revel in, and appreciate, the role of court jester.

  • Patrick

    ARIN says it is Dutch:

    OrgName: RIPE Network Coordination Centre
    OrgID: RIPE
    Address: Singel 258
    Address: 1016 AB
    City: Amsterdam
    StateProv:
    PostalCode:
    Country: NL

    ReferralServer: whois://whois.ripe.net

    NetRange: 80.0.0.0 – 80.255.255.255
    CIDR: 80.0.0.0/8
    NetName: 80-RIPE
    NetHandle: NET-80-0-0-0-1
    Parent:
    NetType: Allocated to RIPE NCC
    NameServer: NS.RIPE.NET
    NameServer: NS3.NIC.FR
    NameServer: SUNIC.SUNET.SE
    NameServer: AUTH62.NS.UU.NET
    NameServer: SEC1.APNIC.NET
    NameServer: SEC3.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    Comment: These addresses have been further assigned to users in
    Comment: the RIPE NCC region. Contact information can be found in
    Comment: the RIPE database at http://www.ripe.net/whois
    RegDate:
    Updated: 2003-09-19

    OrgTechHandle: RIPE-NCC-ARIN
    OrgTechName: RIPE NCC Hostmaster
    OrgTechPhone: +31 20 535 4444
    OrgTechEmail: search-ripe-ncc-not-arin@ripe.net

    # ARIN WHOIS database, last updated 2003-10-21 19:15
    # Enter ? for additional hints on searching ARIN’s WHOIS database.

  • Dale Amon

    Nope. RIPE NCC is the IP registry for all of Europe. All that tells you is that the IP in question is in a European subnet.

  • FeloniousPunk

    Apparently commenters like me are getting spams too. I guess they think I own your website…

    Here’s the text of an e-mail I just got:

    On Tue Oct 21, 2003 at 04:54:12 PM EDT we were unable to reach your website:
    http://www.samizdata.net/blog/archives/003073.html
    due to the following reason: Time Out

    As of Wed Oct 22, 2003 at 11:44:17 AM EDT we were able to access your website again.

    We discovered this error during our normal course of website content checking for one of our search engine clients.

    If you would like your website monitored for free and receive notifications like this in the future, click here.

    We found this page by following a link on one of the URLs listed below:
    URL Date Last Indexed
    http://www.samizdata.net/blog/archives/003080.html 03-19-2003

    Click here to learn more about us.

    Sincerely,

    Connie Davis
    InternetSeer.com

    ——————————————————————————–
    Your email address was found during a prior visit to your website on 03-19-2003. The error listed above was verified from both of our indexing servers in Philadelphia, Pa. and Los Angeles, Ca. This error could have been caused by any number of events, including connectivity problems on our part and/or connectivity problems in the Internet as we tried to reach your site. This error should not be construed as a guaranteed problem on the part of your website or hosting company since there are never any guaranteed connection routes on the Internet.

    If would like to be excluded from any potential future contact, click here.

  • Reid

    FP – I got one of those, too, referring to the blog site dailypundit.com which I haven’t accessed in months. It’s rather odd, isn’t it?