We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... lets see what is on the mind of the Samizdata people.
Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]
Calling all bloggers: attack in progress
I’ve just killed off another comment spamming attack against Samizdata. It was clearly automated so I expect many of the rest of you are getting hit as well. The methodology is an attempt at subtlety… but it ignores the fact that a blog is actively monitored.
I suggest you all immediately ban the ip if you haven’t done so already: 80.58.11.45.
The attacker hits comments sections of old articles; the comment itself is trivial and innocuous. “nice website” “interesting post” and the like. The payload is the URL field.
This looks like a google-bash for hire scheme to me.
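The pattern described in the post (old article, filler comment text, link carried in the URL field) can be checked mechanically. The following is an added example, not code from the original post or from any blogging tool; the record layout, thresholds, IP addresses, article ids and URLs are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OLD_ARTICLE_AGE = timedelta(days=30)  # assumed cutoff for an "old article"
MAX_FILLER_WORDS = 4                  # assumed: "nice website"-style bodies are very short
MIN_ARTICLES = 3                      # assumed: distinct articles hit before an IP is reported

def is_suspect(c):
    """True when a comment fits the post's pattern: old article, filler body, URL field set."""
    old = c["posted"] - c["article_date"] >= OLD_ARTICLE_AGE
    filler = len(c["body"].split()) <= MAX_FILLER_WORDS
    return old and filler and bool(c["url"].strip())

def ips_to_review(comments):
    """Map each IP to the articles it hit, keeping IPs that hit MIN_ARTICLES or more."""
    hits = defaultdict(set)
    for c in comments:
        if is_suspect(c):
            hits[c["ip"]].add(c["article_id"])
    return {ip: sorted(ids) for ip, ids in hits.items() if len(ids) >= MIN_ARTICLES}

def _rec(ip, article_id, article_date, posted, body, url):
    return {"ip": ip, "article_id": article_id, "body": body, "url": url,
            "article_date": datetime.fromisoformat(article_date),
            "posted": datetime.fromisoformat(posted)}

# Constructed sample records: documentation-range IPs, made-up ids and URLs.
SAMPLE = [
    _rec("192.0.2.10", 101, "2003-03-19", "2003-10-22T11:40:01", "nice website", "http://spam.example/a"),
    _rec("192.0.2.10", 102, "2003-02-02", "2003-10-22T11:40:07", "interesting post", "http://spam.example/a"),
    _rec("192.0.2.10", 103, "2003-01-11", "2003-10-22T11:40:12", "nice website", "http://spam.example/b"),
    # Short remark on an old article, but the URL field is empty: not suspect.
    _rec("198.51.100.7", 101, "2003-03-19", "2003-10-22T12:05:00", "Well said.", ""),
    # Long comment on a current article from a reader who lists a blog URL: not suspect.
    _rec("203.0.113.5", 200, "2003-10-21", "2003-10-22T12:30:00",
         "That address looks like a proxy, so the ban may not hold for long.", "http://reader.example/"),
    # One short comment with a URL on an old article: suspect, but below the per-IP threshold.
    _rec("203.0.113.9", 102, "2003-02-02", "2003-10-22T13:00:00", "Agreed!", "http://reader2.example/"),
]

if __name__ == "__main__":
    for ip, articles in ips_to_review(SAMPLE).items():
        print(ip, "hit old articles", articles)
```

Requiring several distinct old articles per address keeps a single terse reader comment from triggering a ban, which matters because the source address may be a shared proxy.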
A DNS lookup on 80.58.11.45 points to what appears to be a proxy server at rima-tde.net, which from a whois lookup appears to belong to Telefonica, which is a major telco in Spain.
It probably isn’t official Telefonica policy to spam comments sections in UK blogs. It probably *is* official Telefonica policy to come down hard on customers who are caught using their ISP accounts for nefarious purposes, so a mail to their admins might get somebody’s account killed. Could be worth a try.
Here are the details:
Domain Name: rima-tde.net
Creation Date: 14/09/2001
Expiry Date: 14/09/2004
Last Update Date: 29/08/2003
Organization Contact Id: PROP-1052-00039049
Organization Name: TELEFONICA, S.A.
Organization Org: TELEFONICA, S.A.
Organization Street: GRAN VIA, 28
Organization City: MADRID
Organization State: MADRID
Organization PC: 28013
Organization Country: ES
Organization Phone: 28013
Organization e-mail: null
Administrative Contact Id: 1052-00037117
Administrative Name: LUIS CASADO CARRASCO
Administrative Org: TELEFONICA, S.A.
Administrative Street: GRAN VIA, 28
Administrative City: MADRID
Administrative State: MADRID
Administrative PC: 28013
Administrative Country: ES
Administrative Phone: 34 915844500
Administrative Fax: 34 915844509
Administrative e-mail: LUIS.CASADOCARRASCO@TELEFONICA.ES
Technical Contact Id: 1052-00122052
Technical Name: DOMAIN MANAGER
Technical Org: *
Technical Street: NULL NULL
Technical City: NULL
Technical State: NULL
Technical PC: NULL
Technical Country: ES
Technical Phone: +34.914138956
Technical Fax: 34 915844509
Technical e-mail: TECNICO.DOMINIOS@TELEFONICA.ES
Thanks for the heads-up. I banned 213.213.89.130 (apparently from Italy) yesterday.
In English anyone?
Alan: Yes, I’d done the lookups. The IP banning stopped the attack, but often these are just dialup users.
In this case, it is possibly an open web-proxy attack so that the attacker can remain anonymous. If that is indeed the case, they could be anywhere at all.
Dale,
sorry, presumptuous of me to assume you might not have already checked all that. I have had occasional positive responses from admins in these situations though.
Alan
Not at all Alan. I haven’t had time to follow up on it; and if I’d not had the time yet to check the data, you’d have saved me the application of a few neurons when most of them are quite busy 🙂
If you haven’t done so already you might like to take a look at the free new anti-spamming plugin for Movable Type, MT-Blacklist. This plugin helps filter spam from both comments and trackbacks based on a blacklist of spam strings, logs attempted spammings, features a web interface and takes the hassle out of removing spam comments and then blocking the associated IP addresses.
Definitely worth a look: http://www.jayallen.org/projects/mt-blacklist/
You must have really pissed that Kodiak guy off!
These attacks show the mentality of someone who doesn’t have the power to burn your books yet…
Dear Mr e,
Very funny !
In addition to deep-seated computer illiteracy, I’m not interested in disrupting Samiz activities either. Why? For free speech at least.
I assume (?) you were being humorous…
Of course, – a little humour leavens the otherwise sometimes overserious discussions here…and you do seem to revel in, and appreciate the role of court jester.
ARIN says it is Dutch:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer: whois://whois.ripe.net
NetRange: 80.0.0.0 – 80.255.255.255
CIDR: 80.0.0.0/8
NetName: 80-RIPE
NetHandle: NET-80-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2003-09-19
OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: RIPE NCC Hostmaster
OrgTechPhone: +31 20 535 4444
OrgTechEmail: search-ripe-ncc-not-arin@ripe.net
# ARIN WHOIS database, last updated 2003-10-21 19:15
# Enter ? for additional hints on searching ARIN’s WHOIS database.
Nope. RIPE NCC is the IP registry for all of Europe. All that tells you is the IP in question is in a European subnet.
Apparently commenters like me are getting spams too. I guess they think I own your website…
Here’s the text of an e-mail I just got:
As of Wed Oct 22, 2003 at 11:44:17 AM EDT we were able to access your website again.
We discovered this error during our normal course of website content checking for one of our search engine clients.
If you would like your website monitored for free and receive notifications like this in the future, click here.
We found this page by following a link on one of the URLs listed below:
URL Date Last Indexed
http://www.samizdata.net/blog/archives/003080.html 03-19-2003
Click here to learn more about us.
Sincerely,
Connie Davis
InternetSeer.com
——————————————————————————–
Your email address was found during a prior visit to your website on 03-19-2003. The error listed above was verified from both of our indexing servers in Philadelphia, Pa. and Los Angeles, Ca. This error could have been caused by any number of events, including connectivity problems on our part and/or connectivity problems in the Internet as we tried to reach your site. This error should not be construed as a guaranteed problem on the part of your website or hosting company since there are never any guaranteed connection routes on the Internet.
If would like to be excluded from any potential future contact, click here.
FP – I got one of those, too, referring to the blog site dailypundit.com which I haven’t accessed in months. It’s rather odd, isn’t it?
nice