Comment Spammers from easymanaged.com?
Some (new?) spambot is trawling my site lately, possibly looking for open comment forms. I see some of them coming in from hosts like nac6.easymanaged.com (126.96.36.199) and nac3.easymanaged.com (188.8.131.52). Searching the web for references to easymanaged.com shows lots of guestbook and bulletin board bot entries and a page on the "Spam Huntress" weblog (and, following on from there, this one about the "new master spambot"). Tracerouting those IPs reveals that they seem to go through 0.so-7-3-0.gbr2.mmu.nac.net -- which belongs to nac.net (Net Access Corporation, a spam-friendly hosting provider, who knows?). Maybe I'll send the URL of this post here to email@example.com. Read on for a few more details...
The bot sends several typical IE user agent strings. What the log entries have in common is that the bot doesn't load images or CSS files, and that the referrer is the same page that it accesses, but without the trailing slash. Some samples:
184.108.40.206 - - [25/Oct/2005:15:10:17 +0200] "GET /blogs/ch-athens/112/ HTTP/1.1" 200 6917 "http://betabug.ch/blogs/ch-athens/112" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1)"
220.127.116.11 - - [25/Oct/2005:15:19:10 +0200] "GET /blogs/ch-athens/89/ HTTP/1.1" 200 5616 "http://betabug.ch/blogs/ch-athens/89" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
18.104.22.168 - - [25/Oct/2005:15:24:49 +0200] "GET /blogs/ch-athens/88/ HTTP/1.1" 200 6257 "http://betabug.ch/blogs/ch-athens/88" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

The rate of access is not very high; the bot is possibly trying to avoid throttling defenses. It sounds very much like this bot is just searching for blogs/guestbooks/bulletin boards to spam, while the spamming itself will be done by another bot (what "Spam Huntress" refers to as "master spambot"). Filtering them out could be done at the IP level, until they move on to another provider.
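A log check for the pattern described above, as an added example that is not part of the original post: it flags clients whose referrer is the requested page minus its trailing slash and that never request an image or CSS file. The sample log is constructed (documentation IP addresses, example.org host), and the list of asset extensions is an assumption.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format: ip, timestamp, request line, status, size, referrer, user agent.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed list of static asset extensions a real browser would normally fetch.
ASSET_RE = re.compile(r'\.(?:css|js|png|gif|jpe?g|ico)(?:\?|$)', re.I)

# Constructed sample log, not taken from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Oct/2005:15:10:17 +0200] "GET /blogs/demo/112/ HTTP/1.1" 200 6917 "http://example.org/blogs/demo/112" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.11 - - [25/Oct/2005:15:19:10 +0200] "GET /blogs/demo/89/ HTTP/1.1" 200 5616 "http://example.org/blogs/demo/89" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [25/Oct/2005:15:20:01 +0200] "GET /blogs/demo/112/ HTTP/1.1" 200 6917 "http://example.org/blogs/demo/" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0.7"
198.51.100.7 - - [25/Oct/2005:15:20:02 +0200] "GET /static/style.css HTTP/1.1" 200 812 "http://example.org/blogs/demo/112/" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0.7"
203.0.113.5 - - [25/Oct/2005:15:21:30 +0200] "GET /blogs/demo/88/ HTTP/1.1" 200 6257 "http://example.org/blogs/demo/88" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [25/Oct/2005:15:21:31 +0200] "GET /static/logo.png HTTP/1.1" 200 2048 "http://example.org/blogs/demo/88/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

def self_referer_without_slash(path, referer):
    """True when the referrer is the requested page minus its trailing slash."""
    ref_path = urlsplit(referer).path
    return len(path) > 1 and path.endswith("/") and ref_path == path[:-1]

def suspicious_clients(log_text):
    """Return sorted IPs that show the referrer pattern and fetched no assets."""
    flagged, fetched_assets = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        ip, path, referer = m["ip"], m["path"], m["referer"]
        if ASSET_RE.search(path):
            fetched_assets.add(ip)
        elif self_referer_without_slash(path, referer):
            flagged.add(ip)
    return sorted(flagged - fetched_assets)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

Requiring both signals keeps 203.0.113.5 out of the result: it matches the referrer pattern but also loads an image, as a browser would.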
UPDATE: It seems my thoughts on Net Access Corporation were right, see this Senderbase report on Net Access Corporation showing lots of SPAM coming from their IPs.