Message Board

Tracking Harvesters/Spammers

 P.H.P use of resources & spambot swarm
Author: S.Enbom   (29 May 07 10:16am)
I just noticed a swarm of bots stuck on my P.H.P. I've got a script that makes links such as


I noticed the load on my very limited (only 256 MB of memory...) virtual server was up to 4, 5... and it sank after I banned these IPs from my site.

Does the P.H.P PHP script take up noticeable resources when one reloads it rapidly? Would a "sleep" in the script help some? I tried modifying the script only to notice it checks its own hash.

Here's another interesting spam thing. Yesterday (still continuing right now) I noticed what seemed like a one-person/team spam run on my site. The script was aware of the site being Drupal, tried to add comment spam, whereafter it used the site's search feature to see if the comment went through. I've seen that the next phase would be to spam another site with a reference to my site, and not directly to the spammer's own site.

What was amazing was that over 150 different IPs were used for this same spam run yesterday, and the total is up at 230 now. I googled quite a lot of these IPs and they all came up with similar results: lots of spammed guestbooks, forums, often in Asian (Thai?) languages. The user agents were also the same: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

But I don't think these get stuck in the project honeypot. Their POST attempts get stuck in my mod_security rules:

[29/May/2007:17:03:52 +0300] [][rid#25427e8][/comment/reply/97][1] Access denied with code 403 (phase 2). Pattern match "(silagra|ritalin|levitra|ringtones|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\\w\\-_.]*\\.[a-z]{2,}" at ARGS:comment.
[29/May/2007:17:05:24 +0300] [][rid#24f26b8][/comment/reply/1456][1] Access denied with code 403 (phase 2). Pattern match "[\\w\\-_.]*poker.*\\.[a-z]{2,}" at ARGS:comment.
[29/May/2007:17:06:15 +0300] [][rid#211ee58][/comment/reply/1671][1] Access denied with code 403 (phase 2). Pattern match "(silagra|ritalin|levitra|ringtones|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\\w\\-_.]*\\.[a-z]{2,}" at ARGS:comment.
[29/May/2007:17:08:01 +0300] [][rid#23585a8][/comment/reply/1466][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.
[29/May/2007:17:10:05 +0300] [][rid#22d91c8][/comment/reply/1479][1] Access denied with code 403 (phase 2). Pattern match "[\\w\\-_.]*poker.*\\.[a-z]{2,}" at ARGS:comment.
[29/May/2007:17:10:25 +0300] [][rid#23c8af8][/comment/reply/1482][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.
[29/May/2007:17:11:36 +0300] [][rid#20f1dc8][/comment/reply/1105][1] Access denied with code 403 (phase 2). Pattern match "(www\\.)?transexual" at ARGS:comment.
[29/May/2007:17:12:02 +0300] [][rid#20f1dc8][/comment/reply/1488][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.
[29/May/2007:17:13:37 +0300] [][rid#20efdb8][/comment/reply/1113][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.
[29/May/2007:17:13:50 +0300] [][rid#238a738][/comment/reply/1498][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.

Were I to turn off these mod_security rules, then Akismet would catch them, which would be better since it would contribute to the Akismet database.

Here's the complete list of this spambot swarm:
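The mod_security lines quoted above are worth more than a glance at the rule that fired. As an added example (not code from the original post or from mod_security), the script below takes those ten entries, one per line, pulls out the timestamp, request ID, URI and matched rule, unescapes each rule from the doubled backslashes mod_security writes into its log, recompiles it, and summarises the run. The field layout is inferred from the quoted lines and is an assumption; so is compiling with `re.I`, since the log does not show whether a `t:lowercase` transformation was on the rule.

```python
"""Parse mod_security "Access denied" lines and summarise a spam run.

Added example, not code from the original post or from mod_security. The
sample lines are the ten entries quoted in the post, split one per line; the
field layout is inferred from them (assumption), and each rule's regex is
unescaped from the log's doubled backslashes so it can be recompiled and
exercised offline.
"""
import re
from collections import Counter
from datetime import datetime

# The ten entries from the post, one per line (they were run together on the page)
SAMPLE_LOG = r"""
[29/May/2007:17:03:52 +0300] [][rid#25427e8][/comment/reply/97][1] Access denied with code 403 (phase 2). Pattern match "(silagra|ritalin|levitra|ringtones|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\\w\\-_.]*\\.[a-z]{2,}" at ARGS:comment.
[29/May/2007:17:05:24 +0300] [][rid#24f26b8][/comment/reply/1456][1] Access denied with code 403 (phase 2). Pattern match "[\\w\\-_.]*poker.*\\.[a-z]{2,}" at ARGS:comment.
[29/May/2007:17:06:15 +0300] [][rid#211ee58][/comment/reply/1671][1] Access denied with code 403 (phase 2). Pattern match "(silagra|ritalin|levitra|ringtones|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\\w\\-_.]*\\.[a-z]{2,}" at ARGS:comment.
[29/May/2007:17:08:01 +0300] [][rid#23585a8][/comment/reply/1466][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.
[29/May/2007:17:10:05 +0300] [][rid#22d91c8][/comment/reply/1479][1] Access denied with code 403 (phase 2). Pattern match "[\\w\\-_.]*poker.*\\.[a-z]{2,}" at ARGS:comment.
[29/May/2007:17:10:25 +0300] [][rid#23c8af8][/comment/reply/1482][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.
[29/May/2007:17:11:36 +0300] [][rid#20f1dc8][/comment/reply/1105][1] Access denied with code 403 (phase 2). Pattern match "(www\\.)?transexual" at ARGS:comment.
[29/May/2007:17:12:02 +0300] [][rid#20f1dc8][/comment/reply/1488][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.
[29/May/2007:17:13:37 +0300] [][rid#20efdb8][/comment/reply/1113][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.
[29/May/2007:17:13:50 +0300] [][rid#238a738][/comment/reply/1498][1] Access denied with code 403 (phase 2). Pattern match "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)" at ARGS:comment.
""".strip()

# Layout seen in the quoted lines (assumption, not taken from mod_security docs):
# [timestamp] [client][rid#id][uri][severity] Access denied with code NNN (phase N). Pattern match "REGEX" at TARGET.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<client>[^\]]*)\]\[rid#(?P<rid>[0-9a-f]+)\]'
    r'\[(?P<uri>[^\]]*)\]\[(?P<severity>\d+)\] Access denied with code (?P<code>\d{3}) '
    r'\(phase (?P<phase>\d+)\)\. Pattern match "(?P<pattern>.+)" at (?P<target>\S+?)\.?$'
)


def parse_line(line):
    """Return a dict for one denied request, or None for a line that does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["code"] = int(rec["code"])
    # mod_security doubled every backslash when it logged the rule; undo that
    rec["pattern"] = rec["pattern"].replace("\\\\", "\\")
    return rec


def summarise(log_text):
    """Count denials per rule and per argument, recompile the rules, and measure the run's span."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    if not recs:
        return {"denied": 0}
    by_pattern = Counter(r["pattern"] for r in recs)
    # Recompiling catches a rule that PCRE accepted but that was mistyped when copied out.
    # re.I stands in for a t:lowercase transformation the log does not show (assumption).
    rules = {p: re.compile(p, re.I) for p in by_pattern}
    stamps = [r["ts"] for r in recs]
    return {
        "denied": len(recs),
        "by_pattern": by_pattern,
        "by_target": Counter(r["target"] for r in recs),
        "distinct_uris": len({r["uri"] for r in recs}),
        "span_seconds": (max(stamps) - min(stamps)).total_seconds(),
        "rules": rules,
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f'{s["denied"]} denials over {s["span_seconds"]:.0f}s, {s["distinct_uris"]} distinct URIs')
    for pattern, n in s["by_pattern"].most_common():
        print(f"{n:3d}  {pattern}")
```

Run as a script it prints the per-rule counts. The span and distinct-URI figures are the useful part: ten denials in under ten minutes, every one against a different /comment/reply/N, is a client walking the node list rather than a person retrying one form, and that is the shape to alert on before the word list ever matters.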
 Re: P.H.P use of resources & spambot swarm
Author: S.Enbom   (29 May 07 10:26am)
Some of the spam they give leads to an .edu site.

A couple of days ago each message they spammed contained up to 4 different poorly maintained forums on various American and Canadian colleges and other similar forums. The admins I mailed were a bit surprised and took care of the forums quite quickly. The one below seems to be cleaned up already too.

Blonde teen with huge tits rides principal cock like a pro <a href=>Adult Escorts </a><a href=>Uk Free Swingers Websites </a><a href=>Anal Hardcore Fist </a><a href=>Celebrities Nudity Japanese Teenagers </a><a href=>Black Teen Booty </a><a href=>Blonde Bikini Fitness Model </a><a href=>Young Blondes </a><a href=>Birthday Spankings </a><a href=>Big Dick Shemales </a><a href=>Teen Girls Bikini </a><a href=>Oral Yeast Infection </a><a href=>The Big Breast Archive </a><a href=>3d Porn Cartoons </a><a href=>Celeb Sex Scene </a><a href=>Manchester Community College </a><a href=>Clit Stories </a><a href=>Hot Asian Girls </a><a href=>Creampie Eating Men </a><a href=>Dildo Slut </a><a href=>Passed Out Drunk Girls </a><a href=>Exploited Black Teen Movies </a><a href=>Free Adult Story Site </a><a href=>Trish Stratus Sexy </a><a href=>Fat Chicks Porn </a><a href=>Horny Old Women </a><a href=>Femdom Secretary </a><a href=>Effects Of Smoking Weed </a><a href=>Girls Fingering Their Selves </a><a href=>Free Hardcore Sex Videos </a><a href=>Gay Father Son </a><a href=>Gangbang Facials </a><a href=>Gay Hairy Sex </a><a href=>Hand Job Cumshot </a><a href=>Mouth Fucking </a><a href=>Final Fantasy 8 Hentai </a><a href=>Lindsay Lohan Sexy </a><a href=>Teens Incest </a>
 Re: P.H.P use of resources & spambot swarm
Author: S.Enbom   (31 May 07 8:35am)
Actually, incredibly, the User-Agent isn't just

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

There's "User-Agent" in there too, so he's really blown it by not being able to fake a real browser user-agent string. This spam run still continues from all in all over 600 IPs. All are getting a slow 403 page on my site.
 Re: P.H.P use of resources & spambot swarm
Author: M.Zraik   (29 Jun 08 12:18am)

It looks as though you are using pattern matching on the words themselves. It may serve you better to match on special characters such as <, >, .., |, /, etc., in order to catch and trigger a filter. Most if not all spamming includes a link, an insertion attempt, or a reverse directory traversal attempt, all of which need the special characters. If you don't allow posting of links, then your job is simple: don't allow those characters through, gracefully stop the script and exit, thus reducing resources spent on the unwanted.

I do a lot of Perl scripting, not PHP, but I am sure there is a way to place a routine or function to handle this. Use the error 410 in your .htaccess rather than 403 for your rewrite rules when blocking IPs. This helps when you are scanning your statistics to separate legitimate errors from spammers.

Happy Hunting
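Putting the thread's three observations into one comment gate, as an added example that is not code from any of the posters, from Drupal or from mod_security: the User-Agent value that itself begins with "User-Agent:" (the 31 May post), the word-list rules from the mod_security log set beside a check on the characters a link or tag cannot do without (the suggestion just above), and a 410 for listed IPs versus a 403 for bad content so the two separate in the statistics. The rule labels, the 192.0.2.0/24 addresses, the example.edu/example.net hosts and every request body are constructed for the demonstration.

```python
"""Triage a blog-comment POST along the lines the thread discusses.

Added example, not code from the original posts, from Drupal or from
mod_security. It combines three observations from the thread: a User-Agent
value that itself begins with "User-Agent:" (31 May post), the word-list
rules quoted in the mod_security log versus a check on the characters a link
or tag needs (M.Zraik's suggestion), and answering listed IPs with 410 rather
than 403 so they separate in the statistics. All requests below are constructed.
"""
import re

# Word-list rules recovered from the mod_security log in the first post (labels are ours)
WORD_RULES = [
    ("pharma", re.compile(r"(silagra|ritalin|levitra|ringtones|lolita|carisoprodol|phentermine"
                          r"|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex"
                          r"|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}", re.I)),
    ("poker", re.compile(r"[\w\-_.]*poker.*\.[a-z]{2,}", re.I)),
    ("enlargement", re.compile(r"(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)", re.I)),
    ("transexual", re.compile(r"(www\.)?transexual", re.I)),
]
# What a link or markup injection cannot do without: a tag, a URL scheme, or a bare domain
MARKUP_RE = re.compile(r"<[^>]*>")
LINK_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|info|biz|edu)\b", re.I)


def ua_is_forged(ua):
    """Header name leaked into the header value, as seen in the 31 May post, or no UA at all."""
    return not ua or ua.strip().lower().startswith("user-agent:")


def body_hits(body, allow_links=False):
    """Return the labels of every check the comment body trips, word rules first."""
    hits = [label for label, rule in WORD_RULES if rule.search(body)]
    if MARKUP_RE.search(body):
        hits.append("markup")
    if not allow_links and LINK_RE.search(body):
        hits.append("link")
    return hits


def triage(request, blocked_ips=frozenset(), allow_links=False):
    """Return (HTTP status, reasons): 410 for listed IPs, 403 for bad content, else 200."""
    if request["ip"] in blocked_ips:
        return 410, ["ip-blocklist"]
    reasons = []
    if ua_is_forged(request["headers"].get("User-Agent")):
        reasons.append("user-agent")
    reasons += body_hits(request["body"], allow_links)
    return (403, reasons) if reasons else (200, [])


# Constructed sample requests (hypothetical IPs from 192.0.2.0/24, hypothetical hosts)
BOT_UA = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
REAL_UA = "Mozilla/5.0 (X11; Linux i686; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
SAMPLES = {
    "spam": {"ip": "192.0.2.10", "headers": {"User-Agent": BOT_UA},
             "body": "Cheap viagra-online.com <a href=http://forum.example.edu/index.php>Adult Escorts</a>"},
    "legit": {"ip": "192.0.2.20", "headers": {"User-Agent": REAL_UA},
              "body": "Thanks, the patch fixed the module for me."},
    "bare_link": {"ip": "192.0.2.30", "headers": {"User-Agent": REAL_UA},
                  "body": "Nice site, see mine at www.example.net"},
    # Two legitimate comments that each trip one strategy but not the other
    "word_fp": {"ip": "192.0.2.40", "headers": {"User-Agent": REAL_UA},
                "body": "The male connector is a natural fit for this board."},
    "markup_fp": {"ip": "192.0.2.50", "headers": {"User-Agent": REAL_UA},
                  "body": "Wrap it in <code>$form['#token']</code> and it validates."},
}


def run_all(**kwargs):
    """Triage every constructed sample with the same options; returns {name: (status, reasons)}."""
    return {name: triage(req, **kwargs) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (status, reasons) in run_all().items():
        print(f"{name:10s} {status} {reasons}")
```

The two `_fp` samples are the caveat a practitioner wants before switching strategies: the word list trips on an innocent "male connector ... natural fit", and the character check trips on a comment that quotes a tag. Neither alone is a filter; the cheap character check is the early exit described above, and whatever passes it goes on to the word list, Akismet, or moderation.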



Copyright © 2004–18, Unspam Technologies, Inc. All rights reserved.
