Trackback spam?

Got 2 Trackbacks on my blog overnight.

Here they are:

#1:

Website: jzlmiiv
URI : http://xtjegohtvuvwx.com/
Excerpt:
<trackback /><strong>lgjalpppa</strong>
twxdeaeffep

#2:

Website: vcoazrkyq
URI : http://iroycskuvwx.com/
Excerpt:
<trackback /><strong>ihpivek</strong>
vhalvciyy

So why do I think it could be spam?

Well, all the listed details are plain gibberish, and neither of the domains is real.

Both of the IP addresses (not listed above) associated with the trackbacks look like they belong to a machine on a “home” ISP connection rather than a hosted server.

Could very well be the start of things to come.

I have still not had any new spam comments get past my spam-filter word list. That is good, but if the spammers are that determined, they will find a way through sooner or later.

The battle is never won forever, it is only for the time being.

I’ll be deleting the two trackbacks and going to observe what happens.

Oh, and I also noticed that despite the different IP addresses (which may be spoofed, or may belong to infected machines of some sort) they all have the same User Agent (UA) string, a common trend when looking for patterns among spammers.

Here is the UA string according to my logs:

Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

Here is another item to consider.

In my logs I have 4 different IPs logged for two spam trackbacks.

Basically, one IP address visits an individual post and gets a “200” (everything is A-OK) response; a few seconds later, a different IP address sends a Trackback to that exact post.

A few minutes later, another one of my blog posts gets the exact same treatment!

Looking further into my logs I see two IP addresses listed as being from Bermuda:

216.249.43.3 and 216.249.43.4

I’ve seen these two IP addresses quite often over a period of time.

Both have the following user agent:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; PCUser)

Oh, and my other visitor tracker reports the following UA (instead of the one above) for the same IP addresses:
Mozilla 3.01

Makes me suspect that the two IP addresses may have something to do with this whole comment spamming thing.

Ah, here we go, found something else.

A page of anonymous proxies: http://www.samair.ru/xwww/proxy.htm

Both of the suspect Bermuda IP addresses are listed there as anonymous proxies.

They are listed as “Elite Proxies”, here is a description of an Elite Proxy on that site:

High anonymity (elite proxy) – HTTP Servers of this type do not send HTTP_X_FORWARDED_FOR, HTTP_VIA and HTTP_PROXY_CONNECTION variables. Host doesn’t even know you are using proxy server and of course it doesn’t know your IP address.

It also has a “+” next to it, which indicates ssl_support.
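To show what that description means from the web server's side, here is an added Python helper (not code from the original post, and not from the proxy-list site) that inspects the three request variables the quoted description names, HTTP_X_FORWARDED_FOR, HTTP_VIA and HTTP_PROXY_CONNECTION, and reports whether the request discloses a proxy at all and which client addresses the X-Forwarded-For chain claims. The request dictionaries are constructed samples in CGI/WSGI style; the "transparent" and "anonymous" labels are the conventional proxy categories, which the post itself does not define.

```python
# Added example: classify a request by the proxy-disclosing headers named in the
# quoted description. A request lacking all three looks identical to a direct
# client, which is exactly what makes an "elite" proxy hard to spot in logs.
PROXY_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_VIA", "HTTP_PROXY_CONNECTION")


def forwarded_chain(environ):
    """Split an X-Forwarded-For value into its list of claimed addresses."""
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    return [addr.strip() for addr in xff.split(",") if addr.strip()]


def classify_proxy(environ):
    """environ: CGI/WSGI-style dict of request meta variables (constructed here).
    Returns (label, disclosed_headers, chain):
      label   -> "elite-or-direct", "transparent" or "anonymous"
      headers -> sorted names of the proxy headers actually present
      chain   -> addresses claimed by X-Forwarded-For (may be empty)
    """
    present = sorted(h for h in PROXY_HEADERS if environ.get(h))
    chain = forwarded_chain(environ)
    if not present:
        # Nothing reveals a proxy: a direct client or a high-anonymity proxy.
        label = "elite-or-direct"
    elif chain:
        # Proxy forwards the client's address: a transparent proxy.
        label = "transparent"
    else:
        # Proxy announces itself (Via / Proxy-Connection) but hides the client.
        label = "anonymous"
    return label, present, chain


# Constructed sample requests, one per category
SAMPLE_REQUESTS = {
    "elite": {"REMOTE_ADDR": "198.51.100.7", "HTTP_USER_AGENT": "Mozilla/3.01 (compatible;)"},
    "transparent": {"REMOTE_ADDR": "198.51.100.8", "HTTP_VIA": "1.0 proxy.example",
                    "HTTP_X_FORWARDED_FOR": "192.0.2.44, 192.0.2.45"},
    "anonymous": {"REMOTE_ADDR": "198.51.100.9", "HTTP_PROXY_CONNECTION": "keep-alive"},
}

if __name__ == "__main__":
    for name, env in SAMPLE_REQUESTS.items():
        print(name, "->", classify_proxy(env))
```

The practical point for a blog operator is that only the first two categories can be told apart from the client itself by looking at headers; an elite proxy has to be identified the way the post does it, by the address turning up on a published proxy list or by behavioural patterns in the access log.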

So, now we have something that seems a bit more interesting, and particularly suspect!

From the RAW access logs:

216.249.43.3 - - [01/Jan/2005:09:57:44 -0600] "POST /blog/wp-comments-post.php HTTP/1.0" 302 0 "http://will.id.au/blog/archive/2004/07/21/project-ideas-simplify-javascript-learn-c-20" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; PCUser)"
216.249.43.3 - - [01/Jan/2005:09:57:45 -0600] "GET /blog/archive/2004/07/21/project-ideas-simplify-javascript-learn-c-20 HTTP/1.0" 200 14224 "-" "Mozilla/3.01 (compatible;)"
216.249.43.3 - - [01/Jan/2005:09:57:45 -0600] "POST /blog/archive/2004/07/21/project-ideas-simplify-javascript-learn-c-20 HTTP/1.0" 200 17638 "http://will.id.au/blog/archive/2004/07/21/project-ideas-simplify-javascript-learn-c-20" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; PCUser)"

216.249.43.3 - - [02/Jan/2005:16:41:23 -0600] "POST /blog/wp-comments-post.php HTTP/1.0" 302 0 "http://will.id.au/blog/archive/2004/09/03/more-on-ntt-docomo-i-mode" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; PCUser)"
216.249.43.3 - - [02/Jan/2005:16:41:24 -0600] "GET /blog/archive/2004/09/03/more-on-ntt-docomo-i-mode HTTP/1.0" 200 14224 "-" "Mozilla/3.01 (compatible;)"
216.249.43.3 - - [02/Jan/2005:16:41:24 -0600] "POST /blog/archive/2004/09/03/more-on-ntt-docomo-i-mode HTTP/1.0" 200 18962 "http://will.id.au/blog/archive/2004/09/03/more-on-ntt-docomo-i-mode" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; PCUser)"

A rough approximation of the format of the above RAW access logs is as below:

IP_ADDRESS - - [dd/Mmm/yyyy:hh:mm:ss timezone] "HTTP_METHOD /directory/file HTTP_VERSION" HTTP_RESPONSE FILE_SIZE "REFERER" "User Agent"

Noticed any patterns?

Here’s one:

When it retrieves the page from my blog, it reports its User Agent as: Mozilla/3.01 (compatible;)
When it posts, the reported User Agent is: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; PCUser)
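As an added example (not code from the original post), here is a Python script that reads Apache combined-format lines like the ones quoted above and flags the two patterns described in this post: a POST to a post's URL from the same IP within a few seconds of a GET of that URL where the two requests carry different User-Agent strings, and the set of User-Agent strings each IP has used. The sample log lines are constructed for the example (documentation-range IPs and an example hostname) and are modelled on the quoted ones; the second visitor is a normal reader who reads a post and comments a couple of minutes later with one consistent browser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, matching the structure of the lines quoted above
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not the post's real log), modelled on the quoted ones
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:09:57:44 -0600] "POST /blog/wp-comments-post.php HTTP/1.0" 302 0 '
    '"http://blog.example/blog/archive/post-a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; PCUser)"',
    '192.0.2.10 - - [01/Jan/2005:09:57:45 -0600] "GET /blog/archive/post-a HTTP/1.0" 200 14224 '
    '"-" "Mozilla/3.01 (compatible;)"',
    '192.0.2.10 - - [01/Jan/2005:09:57:45 -0600] "POST /blog/archive/post-a HTTP/1.0" 200 17638 '
    '"http://blog.example/blog/archive/post-a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; PCUser)"',
    '198.51.100.7 - - [01/Jan/2005:10:12:01 -0600] "GET /blog/archive/post-b HTTP/1.0" 200 9000 '
    '"-" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.7 - - [01/Jan/2005:10:14:30 -0600] "POST /blog/archive/post-b HTTP/1.0" 200 9100 '
    '"http://blog.example/blog/archive/post-b" "Mozilla/5.0 (X11; Linux)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def find_ua_switch_posts(lines, window_seconds=10):
    """Return (ip, path, get_ua, post_ua) for every POST to a path that the same IP
    fetched with GET within window_seconds using a different User-Agent string."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])          # stable: keeps file order for equal times
    last_get = {}                               # (ip, path) -> most recent successful GET
    hits = []
    for e in events:
        key = (e["ip"], e["path"])
        if e["method"] == "GET" and e["status"] == 200:
            last_get[key] = e
        elif e["method"] == "POST" and key in last_get:
            g = last_get[key]
            within = e["ts"] - g["ts"] <= timedelta(seconds=window_seconds)
            if within and e["ua"] != g["ua"]:
                hits.append((e["ip"], e["path"], g["ua"], e["ua"]))
    return hits


def user_agents_by_ip(lines):
    """Map each IP to the set of User-Agent strings it presented."""
    agents = defaultdict(set)
    for e in (parse_line(l) for l in lines):
        if e:
            agents[e["ip"]].add(e["ua"])
    return dict(agents)


if __name__ == "__main__":
    for ip, path, get_ua, post_ua in find_ua_switch_posts(SAMPLE_LOG):
        print(f"{ip} fetched {path} as {get_ua!r} then posted as {post_ua!r}")
    for ip, uas in user_agents_by_ip(SAMPLE_LOG).items():
        print(ip, "->", sorted(uas))
```

Run against a real access log (one line per list element), the same window check catches the fetch-then-post behaviour regardless of which IP the comment appears to come from, while the per-IP UA summary surfaces the "one address, two browsers" oddity the post noticed in its visitor tracker. A user agent that changes between the GET and the POST seconds apart is a useful signal for a filter rule precisely because a genuine browser has no reason to do it.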

1 thought on “Trackback spam?”

  1. I have found a combination of Spam Karma and editing of my site’s .htaccess file has drastically reduced the amount of trackback and comment spam I am receiving.

    I have a copy of my .htaccess file available for review at http://www.tomandpilar.net/tom/htaccess.txt if you are interested.

    I have also put a few posts on my blog about my various struggles with comment and trackback spam – click on the appropriate categories to review.

    Hope this helps,

    Tom
