October 02, 2004

Note: CogDogBlog has a new WordPress powered home at http://cogdogblog.com/. All entries from this version have been moved there, so as a guide dog service try finding this article in its new home by title search.

MLX Spam Direct Route to Trash

Yes, I have been a bit obsessed lately with the roaches who have been spamming our Maricopa Learning eXchange. This is not all I have been doing this week, but it grinds away.

I have a latest fix which will be secretive since I believe the spammer is a reader here ("howdy!"), but so far, from the new spam logs I am running, they are going directly to the dung heap. From the patterns I recorded up to now, it is apparently the work of one spam roach, and this roach has likely written a script to do this, or they just enjoy cutting and pasting their spam into forms. His/her format is sadly predictable.

In a way, I set one trap. We now have a spam key that is generated from the comment submission form, but it is embedded in the form as a hidden form element. Any script kiddie knows how to get that, so the roach thinks he/she is pretty smart.

Little do they know about diversions.

Anyhow, we've got a few levels of protection running, and maybe I can devote a little more time to working on the open source version of the MLX.

The sad thing is that in the last few weeks of watching the spam comments roll in there have been no legitimate ones ;-)

Update: The spam originates from an IP address traced to Korea. In fact, in the last 4 hours, I have recorded spam comments sent from 220.93.120.39 and they occur exactly at one hour intervals. They obviously are stupidly trying to guess that my spam hash key is based on time (ha ha on you, Korean spammer!).

Using the address digger tool from SamSpade, I traced this IP to an address controlled by Korea.net. I certainly doubt that they will do anything, but I gave it a try to abuse@korea.net. I know they will not do anything about spammers, since they would rather collect a few pennies per spammer for giving them IP addresses than doing something that is constructive for the rest of the world. But hey, you never know....

For the last two weeks, the educational web site I maintain at: http:///www.mcli.dist.maricopa.edu/mlx/

has been repeatedly attacked by a computer at the address:
220.93.120.39

which according to SamSpade is within your range:
http://www.samspade.org/t/lookat?a=220.93.120.39

This person has repeatedly attempted to insert URLs into a comment feedback form that goes to our teachers. This spam includes various unwanted, unrelated links to web sites (there is no educational connection between online gambling, online pharmacies, etc. and our site). I have documented more than 40 examples of this abuse (four are attached as examples).

Please verify to me that you have closed this person down and refuse to allow these kinds of people to ruin the internet experience for teachers and learners from around the world who use our web site. If no action is taken, I will start a publicity campaign to ask that other web sites start banning access to their content from anyone within your IP range.

Please stop promoting spam and start shutting it down. It will hurt you in the long run.

In the meantime, remember to ban

220.93.120.3

from all of your sites, as well as:

61.50.172.143

I now have all identified spam automatically adding to an MLX blacklist.

Update 8 hours later: Stupid spammers, every hour on the hour, keeping at it although all of their attempts are going to dev/null (trash). An excerpt from my log:

10.02.04 08:10:01 am	220.93.120.39	napoleon2621@bigfoot.com
10.02.04 09:10:26 am	220.93.120.39	azaddin6651@home.com
10.02.04 09:10:55 am	220.93.120.39	azaddin6920@work.com
10.02.04 10:10:05 am	220.93.120.39	bushmills1946@mail.com
10.02.04 11:10:49 am	61.50.172.143	napoleon2483@bigfoot.com
10.02.04 11:10:01 am	220.93.120.39	absinth591@mail.ru
10.02.04 12:10:44 pm	220.93.120.39	absinth472@mail.ru
10.02.04 01:10:10 pm	220.93.120.39	absinth1191@hotmail.com
10.02.04 02:10:26 pm	218.50.2.74	napoleon2367@mail.com
10.02.04 03:10:49 pm	210.251.92.104	jane_doe7143@classnet.pl
10.02.04 04:10:58 pm	220.93.120.39	bushmills1800@rocketmail.com
10.02.04 04:10:59 pm	220.93.120.39	gocha9536@see.it
10.02.04 04:10:07 pm	220.93.120.39	bushmills1800@rocketmail.com
10.02.04 04:10:35 pm	210.251.92.104	gocha9659@see.it
10.02.04 04:10:47 pm	220.93.120.39	absolut4626@arrivo.br
10.02.04 04:10:47 pm	80.55.203.182	huy_lo5779@mail.me
10.02.04 05:10:44 pm	220.93.120.39	johndoe7916@come.to
10.02.04 05:10:33 pm	220.93.120.39	huy_lo5854@mail.me
10.02.04 06:10:39 pm	220.93.120.39	absinth712@mail.ru

And all those fake "absinth" emails have shown up in my MTBlacklist traps as well.

Stupid stupid, spammer.
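
The log excerpt above lends itself to a simple triage, shown here as an added example (not the MLX code, whose checks the post keeps private): it groups entries by the name-plus-digits sender stem and blacklists every IP that shares a stem with a high-volume source. The function names and the `min_hits` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
# Eight lines copied from the log excerpt above (time<TAB>IP<TAB>email).
LOG = """\
10.02.04 08:10:01 am\t220.93.120.39\tnapoleon2621@bigfoot.com
10.02.04 11:10:49 am\t61.50.172.143\tnapoleon2483@bigfoot.com
10.02.04 12:10:44 pm\t220.93.120.39\tabsinth472@mail.ru
10.02.04 02:10:26 pm\t218.50.2.74\tnapoleon2367@mail.com
10.02.04 04:10:59 pm\t220.93.120.39\tgocha9536@see.it
10.02.04 04:10:35 pm\t210.251.92.104\tgocha9659@see.it
10.02.04 04:10:47 pm\t80.55.203.182\thuy_lo5779@mail.me
10.02.04 05:10:33 pm\t220.93.120.39\thuy_lo5854@mail.me
"""

LINE = re.compile(r"^(.+ [ap]m)\t(\d{1,3}(?:\.\d{1,3}){3})\t([^@\s]+)@(\S+)$")
# The predictable sender format: a name stem followed by a run of digits.
STEM = re.compile(r"^([a-z_]+)(\d+)$")

def parse(log):
    """Return (ip, stem) per well-formed line; stem is None if no match."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guess
        s = STEM.match(m.group(3).lower())
        records.append((m.group(2), s.group(1) if s else None))
    return records

def ips_by_stem(records):
    """Map each sender stem to the set of source IPs that used it."""
    out = defaultdict(set)
    for ip, stem in records:
        if stem:
            out[stem].add(ip)
    return dict(out)

def blacklist(records, min_hits=3):
    """Seed with high-volume IPs, then add IPs sharing a stem with a seed."""
    hits = Counter(ip for ip, _ in records)
    seeds = {ip for ip, n in hits.items() if n >= min_hits}
    linked = set()
    for ips in ips_by_stem(records).values():
        if ips & seeds:
            linked |= ips
    return seeds | linked

if __name__ == "__main__":
    print("blacklist:", sorted(blacklist(parse(LOG))))
```

A shared stem alone is a weak signal, so it only counts here when it ties an address to one that already crossed the volume threshold.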

blogged October 2, 2004 08:25 AM :: category [ mlx , web bad dog ]