Subject: Fourthed (nm)
Author:
Posted on: 2008-08-19 15:45:00 UTC
-
An update on the board... by
on 2008-08-19 05:22:00 UTC
So, the flooder switched servers for last night's bombardment. The new server seems to be coming through GoDaddy, although I'm really not sure - the IP is a good bit harder to trace, to the point where I don't want to start bothering admins.
The MO is still entirely the same - most likely a script that posts the same thing over and over, as often as it can get away with it.
Now, I've E-mailed back and forth a few times with the original host, and they really can't do anything about it without logs, which will tell them a whole ton more than the IP address can - that IP address is the address of a server running more than three hundred website accounts, so finding a single script running what's really a commonplace request is nearly impossible to track down.
So, I E-mailed the server.com people, and while they removed the first set of spamming, they didn't even E-mail me back to say that they really can't give me (or the first host) the logs needed to axe the spammer's account.
And then the flood came back from a different IP address last night...
That's all I know for a fact. What comes after this is just speculation.
The flooder seems to be out to get us. The first server he used was not a free (or even terribly inexpensive - $100 per year) service, and I suspect the second was the same. Furthermore, he didn't stop after the first banning and go after easier targets.
Also, try googling for phrases that he used - the only hits you'll get are from our board. This wasn't a mass spamming of server.com forums, this was a rather precisely targeted attack.
As a corollary to that last point, note that the PPC board is rather hard to find if you don't know what you're looking for. All the Google searches I could think of to find an active server.com forum don't bring us up for ten pages or more, after tons of other forums, including some rather controversial political ones. If our flooder was just looking for a good target, we really aren't it.
So, where does this leave us?
We can't get the logs we need to get the flooder's server space killed. Thus, at least for now, we can't get the attack to stop.
On the plus side, the server.com people responded very promptly to my E-mail by removing the flood and quite probably banning the IP address as well. Reporting to them seems to be, at least temporarily, the best option.
I'm sorry I haven't had more time to spend on this - work is absolutely crazy, I'm working nine hour days, and expecting closer to twelve on Wednesday.
-Dann -
This may or may not be important... by
on 2008-08-19 16:28:00 UTC
...but I found something very strange while Googling for answers. I'm not techno savvy enough to really help out, so I went about looking in my own way. Namely, I Googled the phrases binservices spambot, and got one hit. A site called Sign Up 4 Spam. I don't know if this is relevant or not, since I could not load the page, but to me it seemed extremely suspicious.
-
That does look suspicious. by
on 2008-08-19 16:59:00 UTC
In the text of the search result, it even lists the exact address we've been spammed with.
-
signupforspam.com by
on 2008-08-19 18:15:00 UTC
That site seems to be one where people post the email addresses of people they want to get spammed (it's been down for a couple of days, btw). I noticed yesterday that binservices was there. Someone's clearly pissed at them. Whether that somebody is our board flooder, someone else who got targeted in some way by the flooder, or someone else who has an unrelated grudge against binservices, though, is impossible to determine. There have been some spam-bait posts on Usenet using the binservices email as well.
I can't find the pattern here, and it's annoying me. -
Is it possible... by
on 2008-08-19 20:51:00 UTC
that binservices is a sockpuppet email account? I'm a complete noob with all of this, but I just thought that maybe someone created the binservices account just to spam.
I'm probably adding 2+2 and getting 60 or something, but I just thought I'd add what I think. Of course, it doesn't explain binservices being on signupforspam.com.
Would it be advisable for someone to email binservices and tell them what's going on? -
Re: Is it possible... by
on 2008-08-20 01:57:00 UTC
We all started as noobs. Let me see if I can explain somewhat less geekly than I usually do.
The yourwebapps.com forums are vulnerable to spam because no login, or authentication of any type, is required. If you look down the board a bit, you'll see a post entitled "If this posts, the proxy IP isn't blocked (nm)". You'll also see that it was posted from 72.167.203.129, the IP that the spammer has been using. He didn't post that, though; I did.
72.167.203.129 is a proxy server. It acts as an intermediary between a user (me, the spammer, someone whose company's firewall blocks Fark, whoever) and the actual site. Let's say I want to post "If this posts..." here via that proxy. I tell the proxy what web page I want, it sends the request to the webserver, then passes it back to me. The webserver only ever sees the proxy's IP, not mine; only the proxy server knows who I am. When I enter my post, it goes to the proxy server, not yourwebapps.com; the proxy server then submits it to yourwebapps, and it gets posted as normal. In fact, I'm using a proxy server right now, though not that one.
So, anyone who has net access can post on our board. They don't need an email address, an account anywhere (a library or other public computer will work fine), or much of anything else. It's like the old days of the Net, before the great spam plague. If they go through a proxy server, they can post without giving anyone but the owner of the proxy server any clue who they are, and for obvious reasons, the proxy owner won't talk without (or even with, if they're offshore) a court order.
The binservices email address is listed on the home (and only) page, a placeholder, of binservices.com, which was registered for a while before this happened. So it has at least some solidity to it, unlike the other phantoms I've been chasing.
It wasn't created to spam because the type of spam that has been done -- namely, of this board -- doesn't need a valid email account. Or a valid anything, actually. It just needs someone knowing where the board is. The Usenet posts connected to it, which also (like signupforspam.com, and our flood) seem to be attempts at getting the real binservices spammed, likewise don't require any type of verification.
So, there's no need for the actual binservices gmail account, website, or anything else, to be involved at all. It's apparently someone else our spammer has a beef with, and he's trying to kill two birds with one spam by flooding our board, and getting us mad at the other guy, who had nothing to do with the spam.
I could post here as binservices, the Queen, Techno-Dann, or you, and the board would be equally happy to accept my posts. No sock puppet accounts required. You know I'm not you, and you could figure out that I'm not Dann because I'm not using the same IP he does, but for all you know, I am binservices or the Queen.
Does that make any sense?
There's a great website — How Stuff Works — that explains about how all sorts of things work, including a lot of Internet things. It's a good place to go to get de-noobified, and a lot more fun than reading RFC's.
(yes, that part about RFC's was a bit of intentional geekery) -
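An added example, not part of the original post or the board's software: the explanation above is why blocking one proxy's IP only moved the flood to another address, while the flood text itself stayed the same. The sketch compares a per-IP limit with a limit keyed on a fingerprint of the post body; the addresses (documentation ranges), post text, window and threshold are all constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict, deque

WINDOW = 600      # seconds of history kept per key (assumed value)
MAX_REPEATS = 3   # posts allowed per key inside the window (assumed value)

def fingerprint(body):
    """Hash the body with case, spacing and punctuation folded away."""
    norm = re.sub(r"[^a-z0-9]+", " ", body.lower()).strip()
    return hashlib.sha256(norm.encode()).hexdigest()

class FloodFilter:
    def __init__(self, window=WINDOW, max_repeats=MAX_REPEATS):
        self.window, self.max_repeats = window, max_repeats
        self.by_ip = defaultdict(deque)     # source address -> timestamps
        self.by_body = defaultdict(deque)   # body fingerprint -> timestamps

    def _hit(self, table, key, ts):
        q = table[key]
        while q and ts - q[0] > self.window:   # drop entries older than window
            q.popleft()
        q.append(ts)
        return len(q)

    def check(self, ts, ip, body):
        """Return (reject_by_ip, reject_by_content) for one incoming post."""
        ip_count = self._hit(self.by_ip, ip, ts)
        body_count = self._hit(self.by_body, fingerprint(body), ts)
        return ip_count > self.max_repeats, body_count > self.max_repeats

def replay(posts):
    """Feed (timestamp, ip, body) tuples through a fresh filter."""
    f = FloodFilter()
    ip_rejects = content_rejects = 0
    for ts, ip, body in posts:
        by_ip, by_body = f.check(ts, ip, body)
        ip_rejects += by_ip
        content_rejects += by_body
    return ip_rejects, content_rejects

# Constructed sample: one script posting the same text every 30 seconds,
# switching to a new relay address after every second post.
RELAYS = ["192.0.2.10", "198.51.100.20", "203.0.113.30", "192.0.2.40"]
FLOOD = [(i * 30, RELAYS[i // 2],
          "Flood  text, repeated!" if i % 2 else "flood text repeated")
         for i in range(8)]
REGULARS = [(45, "198.51.100.99", "An update on the board"),
            (200, "198.51.100.99", "Thirded.")]
POSTS = sorted(FLOOD + REGULARS)

if __name__ == "__main__":
    print("rejected by per-IP limit, by content limit:", replay(POSTS))
```
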
Okay, I think I get it. by
on 2008-08-20 14:53:00 UTC
Thanks for explaining - back there, I just did what I usually do and jumped in with both feet before remembering I couldn't swim. Your explanation made a lot of sense.
-
It makes a lot of sense by
on 2008-08-20 07:02:00 UTC
This from an I-don't-care-HOW-it-works-I'm-much-more-interested-in-what-I-can-DO-with-it type. Cheers, WC.
-
That makes a frightening amount of sense. by
on 2008-08-20 03:28:00 UTC
I'm scared.
-
I sincerely fear this might be my fault... by
on 2008-08-19 10:28:00 UTC
Because of my interviews of various authors for my university essay - I included a bunch of obvious badficcers (some of whom never responded), including a Legendary Badfic author (who did respond).
It wouldn't have been hard for any one of them to google my penname and find both my livejournal (which does link to the PPC, as I archive my missions there), my FFN account, and the Board, all three of which appear in the first two pages of a google search.
I don't think I said anything offensive to anyone, but the very fact that I went out and interviewed some cough 'Highly Sensitive' authors about their work, while being part of a community that so blatantly mocks it, could have offended them. (I'm not inclined to suspect the Legendary Badfic author, though, as his tone in the emails was quite satisfied, but then again, I could be wrong.)
If this is the case... guys, I am SO sorry. I considered using a second (little used) penname to send my interviews to the badficcers and other random writers (as opposed to the people who know me by this name), but figured that it would be all too easy for them to be connected (how many people do the same project at the same time?), so I didn't bother.
Until now, I didn't really think it was connected, but from what you've said above, Dann... well, the timing is just too close.
I really, really hope I'm wrong. I'm even hoping that the offended spammer (if that is indeed the case) found this through another link just so I can stop feeling guilty. It wasn't even a foolish choice on my part, but if this is the result... damm, I'm sorry. -
don't worry about it.. *hug* by
on 2008-08-19 17:14:00 UTC
If someone is out looking for trouble, they'll find it - this time they found us. It happens to every internet community, the only difference is we aren't quite as prepared as most.
We'll deal with this thing, we've done it before. -
*hugs back* Thanks, friend. (nm) by
on 2008-08-20 00:50:00 UTC
-
Don't worry, you weren't to know. by
on 2008-08-19 11:42:00 UTC
Besides which, I doubt it is your fault. If someone approached me for an internet interview (hey, alliteration! :D) I wouldn't think to google their penname. I'd just sit down and do the questions, and tell them if there was something I found offensive.
Besides which, you're not getting spam on your LJ account, so I doubt it's them. I might be demonstrating my complete naivety on the minds of badficcers here, but I don't think that it's your fault. Partly because I doubt they'd be this dedicated. -
I hope you're right by
on 2008-08-20 00:51:00 UTC
On all counts, really. Thanks, lynx.
-
Regarding the IP by
on 2008-08-19 09:28:00 UTC
You're not going to get the logs. 72.167.203.129 traces back to a proxy server. Several, actually, including unblockedspace.com. I don't have the IP from the previous attack, but I wouldn't doubt that it was another one. Kind of by definition, they don't have or won't hand over logs, and getting their host's logs will generally require a court order.
What's interesting is the binservices connection. That's the email address listed on binservices.com ... are they the targets of a joe job? Why are we getting flooded with something that is apparently trying to get them spammed or abused? If it's someone who has it in for us, which is certainly possible, why not flood us with some suitable PPC-targeted insults?
There's something about this that doesn't add up. Something missing. -
I think I may have been misunderstood... by
on 2008-08-19 09:33:00 UTC
The first attack came from an IP belonging to a web hosting website, cyrtexhosting.com. I E-mailed their abuse line, and they agreed that flooding our forum was most definitely abuse worth terminating the account that was responsible, but they needed the logs from yourwebapps.com to work out who it was. I E-mailed yourwebapps.com's abuse line, and while they deleted the spam posts, they didn't send the logs to either myself or Cyrtex.
You are entirely correct, though, there is something about this that definitely does not add up. I'm still trying to work out exactly what it is... -
Logs by
on 2008-08-19 09:42:00 UTC
Ah, yes, I misunderstood which logs you meant. I really should be doing my sleeping somewhat more horizontally.
If you want to discuss this out of view of the perpetrator, contact me via the Pit or GAFF and I'll give you my email. For obvious reasons I don't want to post it here; I'd rather not find it being used to solicit ypur pics in some other forum. -
If this posts, the proxy IP isn't blocked (nm) by
on 2008-08-19 09:33:00 UTC
-
Like I asked earlier... by
on 2008-08-19 06:56:00 UTC
Who the hell did we piss off this time?
-
God knows. Who links the PPC on their LiveJournals? by
on 2008-08-19 08:54:00 UTC
May be that someone who got their fic sporked is taking it a little too hard...
Perhaps the author of Cbn? -
If I was a Suethor...(Eru forbid...) by
on 2008-08-21 20:45:00 UTC
...And the PPC sporked me, I would probably look for revenge, too...
But at least I haven't really linked the PPC on my LJ, though it's on my Friends page. I don't think that they targeted you guys through MY LJ...my name doesn't strike fear into the hearts of badficcers just yet...
(ducks wrath of Ironic Overpower) -
Let's hope not. by
on 2008-08-19 23:45:00 UTC
I think the author of Clbr**n got troll superpowers from the sheer horrificness of their 'fic. If they come after us, computers will probably start spitting flames at anyone who tries to enter the Board.
-
I linked to it once... by
on 2008-08-19 21:16:00 UTC
but that was only when the PPC movie was first announced, and it was long before anyone knew my LJ existed. So that doesn't really help.
-
*checks LJ* by
on 2008-08-19 23:34:00 UTC
I link to the Board. I also link to the Wiki. However, I don't recall pissing anyone off recently.
-
I've linked a couple Suethors to the Wiki FAQ. by
on 2008-08-19 15:03:00 UTC
From the Wiki, they would be able to find the address of the Board.
But these were Suethors who had responded nicely to my concrit and asked for help improving their work--not the sort I'd expect to be behind a vicious spam attack.
But anyone who Googles "PPC" can find Miss Cam's website, which links to the Board. -
I wish I knew... (nm) by
on 2008-08-19 06:58:00 UTC
-
Yeah. by
on 2008-08-19 05:36:00 UTC
The logic of that does look about right.
It's also possible they're using friends for server access as well, whoever is doing this, instead of shelling out the cash to do it themselves. -
we really appreciate you doing all this, Dann by
on 2008-08-19 05:24:00 UTC
and for keeping us all up to date. Without you, hS and July we wouldn't even have a temporary Board going.
-Trojie, appreciatively -
Sixthed! You guys rock! (nm) by
on 2008-08-19 21:09:00 UTC
-
Fifthed! :D (nm) by
on 2008-08-19 20:53:00 UTC
-
Fourthed (nm) by
on 2008-08-19 15:45:00 UTC
-
Thirded. by
on 2008-08-19 15:06:00 UTC
Thank you, people!
-
*flail* by
on 2008-08-19 05:32:00 UTC
I didn't do anything though!
-
As I said after the first lot stopped... by
on 2008-08-19 08:56:00 UTC
We have you to thank for alerting Techno-Dann in the first place, July. We also have you to thank for helping spread the word so people could find this new haven.
-
you ran around shouting 'CONSTANT VIGILANCE POTTER!' by
on 2008-08-19 07:22:00 UTC
at people until someone knew how to fix it.
That counts as 'doing something' -
*Snickers* by
on 2008-08-21 13:13:00 UTC
Can't go by this on the main page without chuckling to myself.
-
Seconded. (nm) by
on 2008-08-19 05:31:00 UTC