Blacklist Candidate 2008-10-19
Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags..
From time to time on the show, a contestant places a bid that is so absurd and so asinine that you literally laugh out loud, point at the monitor, and openly ridicule the pathetic loser. On such occasions, even the host of the show will laugh and mock the idiocy. Of course, this same situation happens frequently here at Perishable Press, where the scumbags that manage to escape the 3G Blacklist are proving themselves to be increasingly desperate and pathetic. Such is the case with this month’s official Blacklist Candidate Number 2008-10-19:
Come on down! You’re the next POS to get banished from the site!
Synopsis
On June 10th, 2008 IP address 66.74.199.125
demonstrates its brilliance with 223 unresolved URL requests. The first recorded request occurs at 11:59 pm and the final recorded request occurs at 12:23 am. Over the course of this 24-minute period, the rate of attack fluctuates significantly. The average rate of attack is approximately 9.3 hits per minute — or 1 hit every 6.5 seconds — however, the maximum attack rate is 1 hit per 1.6 seconds. The user agent recorded throughout the attack is the ubiquitous Mozilla/4.0
.
Although it is not clear whether this attack was automated (i.e., bot) or manually executed (i.e., loser), its maliciousness is plainly observed in the recorded data. Note that this attack was stopped during its execution — 24 minutes into the game. Surely the number of ill hits would have skyrocketed without blacklist intervention.
Discussion
As mentioned, the recorded duration of this attack is about 24 minutes, but the number of hits per minute fluctuates considerably:
Attack frequency of Blacklist Candidate 2008-10-19
Or, numerically speaking:
Time - Hits
11:59pm - 11
12:00am - 31
12:01am - 9
12:02am - 9
12:03am - 6
12:04am - 0
12:05am - 1
12:06am - 0
12:07am - 0
12:08am - 4
12:09am - 0
12:10am - 4
12:11am - 0
12:12am - 0
12:13am - 0
12:14am - 0
12:15am - 14
12:16am - 5
12:17am - 14
12:18am - 13
12:19am - 37
12:20am - 14
12:21am - 18
12:22am - 31
12:23am - 2
While the rate of attack may or may not be significant in this admittedly non-critical situation, it should definitely be considered while diagnosing larger, more significant attacks. The interesting aspect of this particular attack are the various URLs that were targeted. Each of the 223 unresolved requests targets a legitimate (valid) URL. “Aha!” I hear you say, “sounds like some sort of DoS” attack, perhaps with only a relatively small number of requests failing to respond. Then again, the IP address, 66.74.199.125
, remains consistent throughout the attack. I am no expert, but most DoS attacks involve decentralized networks of compromised (“zombie”) machines, each with its own unique IP address. But then again, perhaps this was some sort of “pseudo”-DoS attack, executed manually or via script by some lone-ranger script-nobody out there sucking air in cyberspace. But wait, there’s more..
Looking closer at the collection of targeted URLs, we notice another interesting clue. Every one of the 223 hits requests a page-specific anchor, such as #content
, #comments
, and #search
. Here is a list showing some of the anchors targeted during the attack:
#
#top
#explore
#discuss
#search
#content
#comment-form
#comment-56626
#comment-65403
#comment-65428
#comment-65457
#comment-65497
.
.
.
[ + many more ]
Each of these anchors were appended to an apparently random collection of valid URLs, indicative of a search-engine spider crawl or other automated bot-like behavior. For whatever reason, similar 404 errors are frequently recorded during spidering. Also, the main URLs themselves seem to all stem from the site’s common footer area — recent articles, popular posts, recent changes, etc. Further, the IP address associated with the attack resolves to Road Runner HoldCo LLC, a well known ISP that is supposedly well-known for harboring a healthy number of spider runners.
So, at this point, all clues point to some pathetic spidering attempt from somewhere in the seedy Road Runner neighborhood. One final note about the behavior of our little raid-sprayed spider friend is that it somehow managed to change the site’s theme from the previous default theme, Perishable, to one of my older themes, Garbage. This theme switch is observed after around 48 log entries, and persists throughout the remaining 175 logged requests. To see this behavior in the complete log file, check out the fourth line (“SOURCE”) in each entry, as demonstrated below:
perishablepress.com
was replaced with example.com
. This was required to prevent endless 404 errors from googlebot constantly crawling plain-text URLs.>> PERISHABLE THEME >>
TIME: June 11th 2008, 12:01am
404: *https://example.com/press/2006/08/28/spamless-email-address-via-javascript/#content
SITE: https://example.com/
SOURCE: Perishable/Perishable << PERISHABLE THEME
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 66.74.199.125
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
REMOTE IDENTITY:
.
.
.
>> SWITCH TO GARBAGE THEME >>
TIME: June 11th 2008, 12:01am
404: *https://example.com/press/tag/javascript/#top
SITE: https://example.com/
SOURCE: Perishable/Garbage << GARBAGE THEME
REFERRER:
QUERY STRING:
REMOTE ADDRESS: 66.74.199.125
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
REMOTE IDENTITY:
Identification
Here is what we know about the identity of this month’s candidate:
- IP Address:
66.74.199.125
- Reverse IP Lookup:
cpe-66-74-199-125.san.res.rr.com
Complete reverse lookup courtesy of kloth.net:
Reverse Lookup Results
Host 125.199.74.66.in-addr.arpa
Type PTR
Value cpe-66-74-199-125.san.res.rr.com
IP Address Contact Information
OrgName: Road Runner HoldCo LLC
OrgID: RRWE
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
ReferralServer: rwhois://ipmt.rr.com:4321
NetRange: 66.74.0.0 - 66.75.255.255
CIDR: 66.74.0.0/15
NetName: RR-WEST-2BLK
NetHandle: NET-66-74-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.RR.COM
NameServer: DNS2.RR.COM
NameServer: DNS3.RR.COM
NameServer: DNS4.RR.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-01-30
Updated: 2003-02-11
RTechHandle: ZS30-ARIN
RTechName: ServiceCo LLC
RTechPhone: +1-703-345-3416
RTechEmail: abuse@rr.com
OrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-345-3416
OrgAbuseEmail: abuse@rr.com
OrgTechHandle: IPTEC-ARIN
OrgTechName: IP Tech
OrgTechPhone: +1-703-345-3416
OrgTechEmail: abuse@rr.com
# ARIN WHOIS database, last updated 2008-06-10 19:10
Blacklist
This month’s candidate is either malicious, amateurish, or both. Whatever the reason — spider running, test crawls, email harvesting, exploit scanning, whatever — the final verdict is the same: blacklist the idiot. You just don’t need this type of instable, unpredictable, resource-hogging agent hanging around. Block it out via HTAccess:
# blacklist candidate 2008-10-19: block mindless spider running
Deny from 66.74.199.125
..or via PHP:
<?php // blacklist candidate 2008-10-19: block mindless spider running
$deny = array("66.74.199.125");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
header("location: http://www.google.com/");
exit();
} ?>
Done.
This concludes another blood-pumping edition of the Blacklist Candidate. Thanks for playing, #2008-10-19 — we wouldn’t have done it without you!
Download
For the purists among us, here is a copy of the logged activity recorded for this month’s Blacklist Candidate.
9 responses to “Blacklist Candidate 2008-10-19”
If you had got these people adresses, I wonder if you’d be the kind of man who go visit them with an iron baseball bat. Maybe you would do something more subtil and annoying, like a slow and painful vendetta :p
Hey, while I’m here, I’d like to say some words about the new design in action.
The comment area is very cool, seriously. Quicktags appart, everything is perfect. Great typography on my mac also!
The inline code snippets look great too, but the preformatted area are a little bit too dark I think. There are tools online that measure the optical distance between a background and a font color. I think the preformatted text would show a very small difference of brightness between text and background.
Okay, no more criticism : this place is getting awsomer every time I come by.
In general, I reach for the aluminum baseball bat, but for spammers and crackers, I think slow and painful would be much more rewarding :p
Glad to hear you are liking the new design, Louis! I am not sure if it helped, but I recently made a few changes to the design. The most significant change, I think, is the increased opacity on the content panels for both the main content and sidebar columns (and footer panel). The panels now are much darker than they were previously, and thus improve greatly the readability of text on Macs (and other platforms). Additionally, I employed the
text-shadow
method for alleviating the pixel rendering of fonts on Macs. With this, the fonts now appear much cleaner and not so “fat” when viewed on Safari. Camino and other browsers still get the fat stuff, but a majority of Mac users are using Safari, so it’s a step in the right direction, I think.As for the preformatted text areas, you again are absolutely correct. I am aware of the low contrast
<pre>
text and will be working on improving the situation later this week.Meanwhile, as much as I appreciate that you (and others) are enjoying the new design, I am busy working behind the scenes (and in my spare time) on yet another new design. Even with the improved readability, I am still getting a lot of complaints from people who just don’t know how to deal with light text on dark backgrounds. Needless to say, the new design will feature the traditional black-on-white text display, along with a super-functional comment area, replete with everything from gravatars to.. yes, quicktags! ;)
Of course, I noticed the font-shadow! It’s an improvement over the supremely bold old font, but still, I think you can do better. The font-size in particular, while making the text look gorgous, make it harder to read. On the your last “incarnation” (I love this expression of yours) of PP, in the all-dark design, the font was smaller on more effiscient from a reading point of view.
Though, again, it’s better now, and it’s starting to get globally real good :)
So you are going to surrender to the black-text-on-white-background solution? That will be hard to get used to it I guess.
I’m curious about your next creation, but frankly, from a technical and even a sensible point of view, I do start to like this iteration :)
Hmm I think I may start my own blacklist series soon though focused on comment spammers! the bane of the internet! (not really im to bust/lazt at the mo)
Your new design is peeking interest even though your new one is still NEW! Sideline question…how much do you hire out for? :p
@Louis: yes, the new design is my official “surrender” to the pressures of the “proper usability” crowd. I appreciate everyone who visits and uses the site, and certainly don’t want anyone to “suffer” with readability or leave the site because of it. The new design is much cleaner as well, with much less clutter and no monstrous sidebar thing going on..
@Donace: that would be great! I would certainly enjoy reading articles that expose and deal with comment spammers.. There certainly is a variety to choose from (both individual spammers and different spam techniques in general).
Also, glad to hear the new design is peaking some interest! I probably won’t make such a big deal out of it as I did with the current design, but I am excited about it and feel that the change will be an improvement (hopefully).
And, if you are interested in hiring me to work on a design or theme, I would be most inspired to do so. I spent some time this week studying your design ideas and see a lot of great potential and ideas that could be implemented at your site. Send an email if you are serious about it! ;)
hmm working on a bit of pro-bono work at mo so once done with that with defeinately hit you up with an email (the list of tweaks tips and tricks has grown since I emailed it to you alsong with some code snippets).
One poin to note on your Blacklist candidate…were the majority of urls hit comment urls? if that is the case, it may be a ‘dofollower’ ie looking for high PR pages in an attempt to grab a link…I know I was guilty of such offences back in the day.
Yes, that is difficult to say.. most of the targeted links seem rather random, including everything from article pages to tag archives. Each of the random URLs, however, was appended with a hashed sub-target, such as
#top
,#search
,#comment-56626
, and so on. The number of specific comment URLs was significant, so perhaps it was indeed as you suspect. And I wouldn’t be surprised, I see that kind of activity all the time.. it gives me an idea for a WordPress plugin that compares the IP address associated with these types of attacks and subsequently highlights any comments that left by the attacker for easy deletion and/or blacklisting..Stumbled upon and …new fan, just if it were more readable (brighter font)or?
Kazo, I have many alternate themes available for viewing the site. Here is a menu with descriptions:
https://perishablepress.com/switch-themes/
Of those, my favorite black-text-on-white-background theme is called Requiem – it is easy to read and has many subtle features. One of my favorites :)