Wednesday
I've just killed off another comment spamming attack against Samizdata. It was clearly automated so I expect many of the rest of you are getting hit as well. The methodology is an attempt at subtlety... but it ignores the fact that a blog is actively monitored.
I suggest you all immediately ban the IP if you haven't done so already: 80.58.11.45.
The attacker hits comments sections of old articles; the comment itself is trivial and innocuous: "nice website", "interesting post" and the like. The payload is the URL field.
This looks like a google-bash for hire scheme to me.
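A detection sketch for the pattern described above, added here as an example and not part of the original post: it flags short, link-free comments on old articles that carry a URL in the URL field, then groups them by source IP. The thresholds, field names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the post); tune them for your own blog.
OLD_POST_AGE = timedelta(days=30)
MAX_FILLER_WORDS = 4
MIN_POSTS_PER_IP = 3

def is_suspicious(comment, post_dates):
    """Old article + short link-free body + populated URL field."""
    age = comment["time"] - post_dates[comment["post_id"]]
    body = comment["body"]
    filler = len(body.split()) <= MAX_FILLER_WORDS and "http" not in body.lower()
    return age >= OLD_POST_AGE and filler and bool(comment["url"].strip())

def ips_to_review(comments, post_dates):
    """Map each IP to the old posts it hit, if it hit enough distinct ones."""
    hits = defaultdict(set)
    for c in comments:
        if is_suspicious(c, post_dates):
            hits[c["ip"]].add(c["post_id"])
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= MIN_POSTS_PER_IP}

# Constructed sample data: documentation-range IPs, made-up post ids and URLs.
NOW = datetime(2003, 10, 22, 12, 0)
POST_DATES = {
    3001: datetime(2003, 3, 1), 3002: datetime(2003, 4, 15),
    3003: datetime(2003, 6, 2), 3080: datetime(2003, 10, 22, 9, 0),
}

def _c(ip, post_id, body, url):
    return {"ip": ip, "post_id": post_id, "body": body, "url": url, "time": NOW}

COMMENTS = [
    _c("192.0.2.10", 3001, "nice website", "http://shop.example/"),
    _c("192.0.2.10", 3002, "interesting post", "http://shop.example/"),
    _c("192.0.2.10", 3003, "great site", "http://shop.example/"),
    # A regular reader: one short reply on an old post, a long one on a new post.
    _c("198.51.100.7", 3002, "Thanks!", "http://reader.example/"),
    _c("198.51.100.7", 3080, "I banned a similar address yesterday, same pattern.",
       "http://reader.example/"),
]

if __name__ == "__main__":
    for ip, posts in ips_to_review(COMMENTS, POST_DATES).items():
        print(f"review {ip}: filler comments with a URL on old posts {posts}")
```

Requiring several distinct old posts per IP keeps a single short reply from a regular reader out of the review list.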

A DNS lookup on 80.58.11.45 points to what appears to be a proxy server at rima-tde.net, which from a whois lookup appears to belong to Telefonica, which is a major telco in Spain.
It probably isn't official Telefonica policy to spam comments sections in UK blogs. It probably *is* official Telefonica policy to come down hard on customers who are caught using their ISP accounts for nefarious purposes, so a mail to their admins might get somebody's account killed. Could be worth a try.
Here are the details:
Domain Name................ rima-tde.net
Creation Date............ 14/09/2001
Expiry Date.............. 14/09/2004
Last Update Date......... 29/08/2003
Organization Contact Id.... PROP-1052-00039049
Organization Name........ TELEFONICA, S.A.
Organization Org......... TELEFONICA, S.A.
Organization Street...... GRAN VIA, 28
Organization City........ MADRID
Organization State....... MADRID
Organization PC.......... 28013
Organization Country..... ES
Organization Phone....... 28013
Organization e-mail...... null
Administrative Contact Id.. 1052-00037117
Administrative Name...... LUIS CASADO CARRASCO
Administrative Org....... TELEFONICA, S.A.
Administrative Street.... GRAN VIA, 28
Administrative City...... MADRID
Administrative State..... MADRID
Administrative PC........ 28013
Administrative Country... ES
Administrative Phone..... 34 915844500
Administrative Fax....... 34 915844509
Administrative e-mail.... LUIS.CASADOCARRASCO@TELEFONICA.ES
Technical Contact Id....... 1052-00122052
Technical Name........... DOMAIN MANAGER
Technical Org............ *
Technical Street......... NULL NULL
Technical City........... NULL
Technical State.......... NULL
Technical PC............. NULL
Technical Country........ ES
Technical Phone.......... +34.914138956
Technical Fax............ 34 915844509
Technical e-mail......... TECNICO.DOMINIOS@TELEFONICA.ES
Posted by Alan Little at October 22, 2003 12:51 PM
Thanks for the heads-up. I banned 213.213.89.130 (apparently from Italy) yesterday.
Posted by Tim Hall at October 22, 2003 12:58 PM
Alan: Yes, I'd done the lookups. The IP banning stopped the attack, but often these are just dialup users.
In this case, it is possibly an open web-proxy attack so that the attacker can remain anonymous. If that is indeed the case, they could be anywhere at all.
Posted by Dale Amon at October 22, 2003 01:23 PM
Dale,
sorry, presumptuous of me to assume you might not have already checked all that. I have had occasional positive responses from admins in these situations though.
Alan
Posted by Alan Little at October 22, 2003 01:37 PM
Not at all Alan. I haven't had time to follow up on it; and if I'd not had the time yet to check the data, you'd have saved me the application of a few neurons when most of them are quite busy :-)
Posted by Dale Amon at October 22, 2003 01:40 PM
If you haven't done so already you might like to take a look at the free new anti-spamming plugin for Movable Type, MT-Blacklist. This plugin helps filter spam from both comments and trackbacks based on a blacklist of spam strings, logs attempted spammings, features a web interface and takes the hassle out of removing spam comments and then blocking the associated IP addresses.
Definitely worth a look: http://www.jayallen.org/projects/mt-blacklist/
Posted by Stephen Hodgson at October 22, 2003 01:47 PM
These attacks show the mentality of someone who doesn't have the power to burn your books yet...
Posted by Will (Davis, CA) at October 22, 2003 03:11 PM
Dear Mr e,
Very funny !
In addition to deep-seated computer illiteracy, I'm not interested in disrupting Samiz activities either. Why? For free speech at least.
I assume (?) you were being humorous...
Posted by Kodiak at October 22, 2003 03:23 PM
Of course - a little humour leavens the otherwise sometimes overserious discussions here... and you do seem to revel in, and appreciate, the role of court jester.
Posted by E Young at October 22, 2003 04:37 PM
ARIN says it is Dutch:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer: whois://whois.ripe.net
NetRange: 80.0.0.0 - 80.255.255.255
CIDR: 80.0.0.0/8
NetName: 80-RIPE
NetHandle: NET-80-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2003-09-19
OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: RIPE NCC Hostmaster
OrgTechPhone: +31 20 535 4444
OrgTechEmail: search-ripe-ncc-not-arin@ripe.net
# ARIN WHOIS database, last updated 2003-10-21 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
Posted by Patrick at October 22, 2003 04:42 PM
Nope. RIPE NCC is the IP registry for all of Europe. All that tells you is the IP in question is in a European subnet.
Posted by Dale Amon at October 22, 2003 04:55 PM
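The exchange above turns on reading a registry-level record as if it named the address holder. The following is an added example, not part of the thread: it parses whois output of the kind pasted above and reports whether the record only delegates to another registry and which server to ask next. The "Allocated to" check is a heuristic assumed from the fields visible in that output, and the second sample record is constructed.

```python
def parse_whois(text):
    """Parse 'Key: value' whois output; repeated keys collect into lists."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def next_lookup(text):
    """Decide whether a record names the address holder or only a registry."""
    f = parse_whois(text)
    referral = next((v for v in f.get("ReferralServer", []) if v), None)
    net_type = " ".join(f.get("NetType", []))
    # Assumed heuristic: a referral or an "Allocated to <registry>" NetType
    # means OrgName/Country describe the registry, not the end user.
    if referral or net_type.startswith("Allocated to"):
        host = referral.split("://", 1)[-1] if referral else None
        return {"holder_known": False, "query_next": host,
                "reason": "registry-level block " + " ".join(f.get("CIDR", []))}
    return {"holder_known": True, "query_next": None,
            "reason": "record describes the assignee"}

# Excerpt of the ARIN output pasted in the thread above.
ARIN_SAMPLE = """\
OrgName: RIPE Network Coordination Centre
Country: NL
ReferralServer: whois://whois.ripe.net
NetRange: 80.0.0.0 - 80.255.255.255
CIDR: 80.0.0.0/8
NetType: Allocated to RIPE NCC
# ARIN WHOIS database, last updated 2003-10-21 19:15
"""

# Constructed record for contrast (documentation address range).
ASSIGNEE_SAMPLE = """\
OrgName: Example Hosting
Country: US
NetRange: 192.0.2.0 - 192.0.2.255
CIDR: 192.0.2.0/24
NetType: Direct Assignment
"""

if __name__ == "__main__":
    print(next_lookup(ARIN_SAMPLE))
    print(next_lookup(ASSIGNEE_SAMPLE))
```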
Apparently commenters like me are getting spams too. I guess they think I own your website...
Here's the text of an e-mail I just got:
On Tue Oct 21, 2003 at 04:54:12 PM EDT we were unable to reach your website:
http://www.samizdata.net/blog/archives/003073.html
due to the following reason: Time Out
As of Wed Oct 22, 2003 at 11:44:17 AM EDT we were able to access your website again.
We discovered this error during our normal course of website content checking for one of our search engine clients.
If you would like your website monitored for free and receive notifications like this in the future, click here.
We found this page by following a link on one of the URLs listed below:
URL Date Last Indexed
http://www.samizdata.net/blog/archives/003080.html 03-19-2003
Click here to learn more about us.
Sincerely,
Connie Davis
InternetSeer.com
--------------------------------------------------------------------------------
Your email address was found during a prior visit to your website on 03-19-2003. The error listed above was verified from both of our indexing servers in Philadelphia, Pa. and Los Angeles, Ca. This error could have been caused by any number of events, including connectivity problems on our part and/or connectivity problems in the Internet as we tried to reach your site. This error should not be construed as a guaranteed problem on the part of your website or hosting company since there are never any guaranteed connection routes on the Internet.
If you would like to be excluded from any potential future contact, click here.
Posted by FeloniousPunk at October 22, 2003 11:10 PM
FP - I got one of those, too, referring to the blog site dailypundit.com which I haven't accessed in months. It's rather odd, isn't it?
Posted by Reid at October 23, 2003 03:47 AM









