Subject: An update on the board...
Posted on: 2008-08-19 05:22:00 UTC
So, the flooder switched servers for last night's bombardment. The new server seems to be coming through GoDaddy, although I'm really not sure - the IP is a good bit harder to trace, to the point where I don't want to start bothering admins.
The MO is still entirely the same - most likely a script that posts the same thing over and over, as often as it can get away with it.
Now, I've E-mailed back and forth a few times with the original host, and they really can't do anything about it without logs, which will tell them a whole ton more than the IP address can - that IP address is the address of a server running more than three hundred website accounts, so finding a single script running what's really a commonplace request is nearly impossible to track down.
So, I E-mailed the server.com people, and while they removed the first set of spamming, they didn't even E-mail me back to say that they really can't give me (or the first host) the logs needed to axe the spammer's account.
And then the flood came back from a different IP address last night...
That's all I know for a fact. What comes after this is just speculation.
The flooder seems to be out to get us. The first server he used was not a free (or even terribly inexpensive - $100 per year) service, and I suspect the second was the same. Furthermore, he didn't stop after the first banning and go after easier targets.
Also, try googling for phrases that he used - the only hits you'll get are from our board. This wasn't a mass spamming of server.com forums, this was a rather precisely targeted attack.
As a correlary to that last point, note that the PPC board is rather hard to find if you don't know what you're looking for. All the Google searches I could think of to find an active server.com forum don't bring us up for ten pages or more, after tons of other forums, including some rather controversial political ones. If our flooder was just looking for a good target, we really aren't it.
So, where does this leave us?
We can't get the logs we need to get the flooder's server space killed. Thus, at least for now, we can't get the attack to stop.
On the plus side, the server.com people responded very promptly to my E-mail by removing the flood and quite probably banning the IP address as well. Reporting to them seems to be, at least temporarily, the best option.
I'm sorry I haven't had more time to spend on this - work is absolutely crazy, I'm working nine hour days, and expecting closer to twelve on Wednesday.