Blacklist Candidate 2008-10-19

Welcome to the Perishable Press “Blacklist Candidate” series. In this post, we continue our new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags..

[ Photo: Television Flashback ] From time to time on the show, a contestant places a bid that is so absurd and so asinine that you literally laugh out loud, point at the monitor, and openly ridicule the pathetic loser. On such occasions, even the host of the show will laugh and mock the idiocy. Of course, this same situation happens frequently here at Perishable Press, where the scumbags that manage to escape the 3G Blacklist are proving themselves to be increasingly desperate and pathetic. Such is the case with this month’s official Blacklist Candidate Number 2008-10-19:

Come on down! You’re the next POS to get banished from the site!


On June 10th, 2008 IP address demonstrates its brilliance with 223 unresolved URL requests. The first recorded request occurs at 11:59 pm and the final recorded request occurs at 12:23 am. Over the course of this 24-minute period, the rate of attack fluctuates significantly. The average rate of attack is approximately 9.3 hits per minute — or 1 hit every 6.5 seconds — however, the maximum attack rate is 1 hit per 1.6 seconds. The user agent recorded throughout the attack is the ubiquitous Mozilla/4.0.

Although it is not clear whether this attack was automated (i.e., bot) or manually executed (i.e., loser), its maliciousness is plainly observed in the recorded data. Note that this attack was stopped during its execution — 24 minutes into the game. Surely the number of ill hits would have skyrocketed without blacklist intervention.


As mentioned, the recorded duration of this attack is about 24 minutes, but the number of hits per minute fluctuates considerably:

[ Chart: Attack Frequency ]
Attack frequency of Blacklist Candidate 2008-10-19

Or, numerically speaking:

Time - Hits
11:59pm - 11
12:00am - 31
12:01am - 9
12:02am - 9
12:03am - 6
12:04am - 0
12:05am - 1
12:06am - 0
12:07am - 0
12:08am - 4
12:09am - 0
12:10am - 4
12:11am - 0
12:12am - 0
12:13am - 0
12:14am - 0
12:15am - 14
12:16am - 5
12:17am - 14
12:18am - 13
12:19am - 37
12:20am - 14
12:21am - 18
12:22am - 31
12:23am - 2

While the rate of attack may or may not be significant in this admittedly non-critical situation, it should definitely be considered while diagnosing larger, more significant attacks. The interesting aspect of this particular attack is the set of URLs that were targeted. Each of the 223 unresolved requests targets a legitimate (valid) URL. “Aha!” I hear you say, “sounds like some sort of DoS attack,” perhaps with only a relatively small number of requests failing to respond. Then again, the IP address remains consistent throughout the attack. I am no expert, but most DoS attacks involve decentralized networks of compromised (“zombie”) machines, each with its own unique IP address. But then again, perhaps this was some sort of “pseudo”-DoS attack, executed manually or via script by some lone-ranger script-nobody out there sucking air in cyberspace. But wait, there’s more..

Looking closer at the collection of targeted URLs, we notice another interesting clue. Every one of the 223 hits requests a page-specific anchor, such as #content, #comments, and #search. Here is a list showing some of the anchors targeted during the attack:

[ + many more ]

Each of these anchors was appended to an apparently random collection of valid URLs, indicative of a search-engine spider crawl or other automated bot-like behavior. For whatever reason, similar 404 errors are frequently recorded during spidering. Also, the main URLs themselves seem to all stem from the site’s common footer area — recent articles, popular posts, recent changes, etc. Further, the IP address associated with the attack resolves to Road Runner HoldCo LLC, an ISP that is supposedly well-known for harboring a healthy number of spider runners.

So, at this point, all clues point to some pathetic spidering attempt from somewhere in the seedy Road Runner neighborhood. One final note about the behavior of our little raid-sprayed spider friend is that it somehow managed to change the site’s theme from the previous default theme, Perishable, to one of my older themes, Garbage. This theme switch is observed after around 48 log entries, and persists throughout the remaining 175 logged requests. To see this behavior in the complete log file, check out the fourth line (“SOURCE”) in each entry, as demonstrated below:

Note: in the following log entries, each instance of was replaced with This was required to prevent endless 404 errors from googlebot constantly crawling plain-text URLs.

TIME: June 11th 2008, 12:01am
404: *
SOURCE: Perishable/Perishable          << PERISHABLE THEME
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)



TIME: June 11th 2008, 12:01am
404: *
SOURCE: Perishable/Garbage             << GARBAGE THEME
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
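
The per-minute counts, attack rates and theme switch described above can be pulled from entries in this layout with a short script. This is an added example, not code from the original post; the sample entries, their paths and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample in the page's log layout; paths and times are made up.
SAMPLE_LOG = """\
TIME: June 10th 2008, 11:59pm
404: /example-post/#content
SOURCE: Perishable/Perishable
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

TIME: June 11th 2008, 12:01am
404: /example-post/#comments
SOURCE: Perishable/Perishable
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

TIME: June 11th 2008, 12:01am
404: /another-post/#search
SOURCE: Perishable/Garbage
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"""

def parse_entries(text):
    """Split blank-line-separated blocks into dicts keyed by field name."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        # "June 11th 2008, 12:01am" -> drop the ordinal suffix, then parse.
        stamp = re.sub(r"(\d)(st|nd|rd|th)\b", r"\1", fields["TIME"])
        fields["when"] = datetime.strptime(stamp, "%B %d %Y, %I:%M%p")
        entries.append(fields)
    return entries

def summarize(entries):
    per_minute = Counter(e["when"] for e in entries)
    peak = max(per_minute.values())
    # Average over elapsed minutes, as the post does (223 hits / 24 minutes).
    span_min = (max(per_minute) - min(per_minute)).total_seconds() / 60
    # Drop trailing "<< ..." annotations like those in the post's excerpts.
    sources = [e["SOURCE"].split("<<")[0].strip() for e in entries]
    switch = next((i for i in range(1, len(sources)) if sources[i] != sources[i - 1]), None)
    return {
        "hits": len(entries),
        "peak_per_minute": peak,
        "peak_secs_per_hit": 60 / peak,
        "avg_per_minute": len(entries) / span_min if span_min else float(len(entries)),
        # Browsers never send the #fragment, so a logged "#" suggests a crawler.
        "fragment_hits": sum("#" in e["404"] for e in entries),
        "theme_switch_at": switch,  # index of first entry with a new SOURCE
    }
```

Calling summarize(parse_entries(...)) on the full log would give the same kind of figures quoted in this post; a busiest minute of 37 hits corresponds to one hit every 1.6 seconds.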


Here is what we know about the identity of this month’s candidate:

  • IP Address:
  • Reverse IP Lookup:

Complete reverse lookup courtesy of

Reverse Lookup Results

Type	PTR

IP Address Contact Information

OrgName:    Road Runner HoldCo LLC 
OrgID:      RRWE
Address:    13241 Woodland Park Road
City:       Herndon
StateProv:  VA
PostalCode: 20171
Country:    US

ReferralServer: rwhois://

NetRange: - 
NetName:    RR-WEST-2BLK
NetHandle:  NET-66-74-0-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS1.RR.COM
NameServer: DNS2.RR.COM
NameServer: DNS3.RR.COM
NameServer: DNS4.RR.COM
RegDate:    2001-01-30
Updated:    2003-02-11

RTechHandle: ZS30-ARIN
RTechName:   ServiceCo LLC 
RTechPhone:  +1-703-345-3416

OrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName:   Abuse 
OrgAbusePhone:  +1-703-345-3416

OrgTechHandle: IPTEC-ARIN
OrgTechName:   IP Tech 
OrgTechPhone:  +1-703-345-3416

# ARIN WHOIS database, last updated 2008-06-10 19:10


This month’s candidate is either malicious, amateurish, or both. Whatever the reason — spider running, test crawls, email harvesting, exploit scanning, whatever — the final verdict is the same: blacklist the idiot. You just don’t need this type of unstable, unpredictable, resource-hogging agent hanging around. Block it out via HTAccess:

# blacklist candidate 2008-10-19: block mindless spider running
Deny from

..or via PHP:

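<?php // blacklist candidate 2008-10-19: block mindless spider running
$deny = array(""); // the blocked IP address is omitted on this page
if (in_array($_SERVER['REMOTE_ADDR'], $deny, true)) {
	// deny the request (this response is an assumption; the original block body is missing)
	header('HTTP/1.1 403 Forbidden');
	exit;
} ?>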


This concludes another blood-pumping edition of the Blacklist Candidate. Thanks for playing, #2008-10-19 — we wouldn’t have done it without you!


For the purists among us, here is a copy of the logged activity recorded for this month’s Blacklist Candidate.

Download log file »