Subject: Re: Is it possible...
Author:
Posted on: 2008-08-20 01:57:00 UTC

We all started as noobs. Let me see if I can explain somewhat less geekly than I usually do.

The yourwebapps.com forums are vulnerable to spam because no login, or authentication of any type, is required. If you look down the board a bit, you'll see a post entitled "If this posts, the proxy IP isn't blocked (nm)". You'll also see that it was posted from 72.167.203.129, the IP that the spammer has been using. He didn't post that, though; I did.

72.167.203.129 is a proxy server. It acts as an intermediary between a user (me, the spammer, someone whose company's firewall blocks Fark, whoever) and the actual site. Let's say I want to post "If this posts..." here via that proxy. I tell the proxy what web page I want, it sends the request to the webserver, then passes it back to me. The webserver only ever sees the proxy's IP, not mine; only the proxy server knows who I am. When I enter my post, it goes to the proxy server, not yourwebapps.com; the proxy server then submits it to yourwebapps, and it gets posted as normal. In fact, I'm using a proxy server right now, though not that one.

So, anyone who has net access can post on our board. They don't need an email address, an account anywhere (a library or other public computer will work fine), or much of anything else. It's like the old days of the Net, before the great spam plague. If they go through a proxy server, they can post without giving anyone but the owner of the proxy server any clue who they are, and for obvious reasons, the proxy owner won't talk without (or even with, if they're offshore) a court order.

The binservices email address is listed on the home (and only) page, a placeholder, of binservices.com, which was registered for a while before this happened. So it has at least some solidity to it, unlike the other phantoms I've been chasing.

It wasn't created to spam because the type of spam that has been done -- namely, of this board -- doesn't need a valid email account. Or a valid anything, actually. It just needs someone knowing where the board is. The Usenet posts connected to it, which also (like signupforspam.com, and our flood) seem to be attempts at getting the real binservices spammed, likewise don't require any type of verification.

So, there's no need for the actual binservices gmail account, website, or anything else, to be involved at all. It's apparently someone else our spammer has a beef with, and he's trying to kill two birds with one spam by flooding our board, and getting us mad at the other guy, who had nothing to do with the spam.

I could post here as binservices, the Queen, Techno-Dann, or you, and the board would be equally happy to accept my posts. No sock puppet accounts required. You know I'm not you, and you could figure out that I'm not Dann because I'm not using the same IP he does, but for all you know, I am binservices or the Queen.

Does that make any sense?

There's a great website — How Stuff Works — that explains how all sorts of things work, including a lot of Internet things. It's a good place to go to get de-noobified, and a lot more fun than reading RFCs.

(yes, that part about RFCs was a bit of intentional geekery)

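The proxy hop described in the post, as an added example that is not part of the original post or the yourwebapps.com software: a Python script that runs a bare-bones "forum" accepting unauthenticated POSTs and a forwarding proxy in front of it, both on loopback, then posts through the proxy and reports what the forum actually recorded. The `/post` path, the `Forum`/`Proxy` handlers and the `disclose_client` switch are all constructed for this illustration; on loopback every address is 127.0.0.1, so the proxy's outbound port stands in for the proxy's IP (72.167.203.129 in the post) when showing whom the forum sees.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed scenario (not the real forum software): a "forum" that accepts
# POSTs with no login, and a forwarding proxy in front of it. Everything runs
# on loopback, so the proxy's *port* stands in for the proxy's IP when showing
# whom the forum sees.


class Forum(BaseHTTPRequestHandler):
    """Origin server. Records who it *thinks* submitted each post."""

    posts = []  # shared across requests; each entry is one accepted post

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        Forum.posts.append({
            # TCP peer of this connection: the proxy, never the person behind it
            "peer_ip": self.client_address[0],
            "peer_port": self.client_address[1],
            # Only present if the proxy chooses to disclose its client
            "x_forwarded_for": self.headers.get("X-Forwarded-For"),
            "body": body,
        })
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def make_proxy(disclose_client):
    """Build a forwarding-proxy handler; an anonymizing proxy passes False."""

    class Proxy(BaseHTTPRequestHandler):
        outbound_ports = []  # local port of each connection the proxy opens upstream

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length)
            target = urlsplit(self.path)  # forward-proxy requests carry an absolute URI
            headers = {"Content-Type": self.headers.get("Content-Type", "text/plain")}
            if disclose_client:
                headers["X-Forwarded-For"] = self.client_address[0]
            # Re-issue the request from the proxy's own socket
            upstream = HTTPConnection(target.hostname, target.port, timeout=5)
            upstream.connect()
            Proxy.outbound_ports.append(upstream.sock.getsockname()[1])
            upstream.request("POST", target.path, body=body, headers=headers)
            status = upstream.getresponse().status
            upstream.close()
            self.send_response(status)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass

    return Proxy


def post_via_proxy(text, disclose_client):
    """Start a forum and a proxy on loopback, post through the proxy, and
    return what the forum recorded alongside the real client/proxy ports."""
    forum = ThreadingHTTPServer(("127.0.0.1", 0), Forum)
    Proxy = make_proxy(disclose_client)
    proxy = ThreadingHTTPServer(("127.0.0.1", 0), Proxy)
    for srv in (forum, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        forum_url = f"http://127.0.0.1:{forum.server_address[1]}/post"
        client = HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
        client.connect()
        client_port = client.sock.getsockname()[1]  # the user's own socket
        client.request("POST", forum_url, body=text.encode(),
                       headers={"Content-Type": "text/plain"})
        status = client.getresponse().status
        client.close()
        record = dict(Forum.posts[-1])
        record.update(status=status, client_port=client_port,
                      proxy_port=Proxy.outbound_ports[-1])
        return record
    finally:
        for srv in (forum, proxy):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for disclose in (False, True):
        r = post_via_proxy("If this posts, the proxy IP isn't blocked (nm)", disclose)
        print(f"disclose={disclose}: forum saw peer {r['peer_ip']}:{r['peer_port']} "
              f"(proxy's socket: {r['proxy_port']}, user's socket: {r['client_port']}), "
              f"X-Forwarded-For={r['x_forwarded_for']!r}")
```

In both runs the forum's recorded peer is the proxy's socket, not the user's; the post is accepted with no credential of any kind. The only thing that distinguishes the two runs is whether the proxy volunteers an `X-Forwarded-For` header, and that is entirely the proxy operator's choice: an anonymizing proxy simply leaves it out, which is why the forum (and anyone reading its logs) is left with nothing but the proxy's address.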