betabug... Sascha Welter


25 October 2005

Comment Spammers from easymanaged.com?

Stepping into an ugly mess

Some (new?) spambot is trawling my site lately, possibly looking for open comment forms. I see some of them coming in from hosts like nac6.easymanaged.com (209.123.8.173) and nac3.easymanaged.com (66.246.252.87). Searching the web for references to easymanaged.com shows lots of guestbook and bulletin board bot entries and a page on the "Spam Huntress" weblog (and following to this one about "new master spambot"). Tracerouting those IPs reveals that they seem to go through 0.so-7-3-0.gbr2.mmu.nac.net -- which belongs to nac.net (Net Access Corporation, a spam-friendly hosting provider, who knows?). Maybe I'll send the URL of this post here to abuse@nac.com. Read on for a few more details...


The bot uses several typical IE user agent strings. The log entries share a pattern: the bot doesn't load images or CSS files, and the referrer is the same page that it accesses, but without the trailing slash. Some samples:

65.75.166.200 - - [25/Oct/2005:15:10:17 +0200] "GET /blogs/ch-athens/112/ HTTP/1.1" 200 6917 "http://betabug.ch/blogs/ch-athens/112" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1)"
209.123.8.173 - - [25/Oct/2005:15:19:10 +0200] "GET /blogs/ch-athens/89/ HTTP/1.1" 200 5616 "http://betabug.ch/blogs/ch-athens/89" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.246.252.86 - - [25/Oct/2005:15:24:49 +0200] "GET /blogs/ch-athens/88/ HTTP/1.1" 200 6257 "http://betabug.ch/blogs/ch-athens/88" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

The rate of access is not very high; the bot is possibly trying to avoid throttle defenses. It sounds very much like this bot is just searching for blogs/guestbooks/bulletin boards to spam, while the spamming itself will be done by another bot (what "Spam Huntress" refers to as "master spambot"). Filtering them out could be done at the IP level, until they move on to another provider.
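
The log pattern described above (referrer equal to the requested page minus its trailing slash, no image or CSS requests) can be checked mechanically over an access log. This is an added example, not code from the original post; the function names, the asset extension list and the two 192.0.2.10 log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the format of the samples in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed list of static asset extensions a real browser would fetch.
ASSET_RE = re.compile(r"\.(?:css|js|png|gif|jpe?g|ico)(?:\?.*)?$", re.I)


def self_referer_without_slash(path, referer, host):
    """True when the Referer is the requested page itself minus the trailing slash."""
    if path == "/" or not path.endswith("/"):
        return False
    return re.sub(r"^https?://", "", referer) == host + path[:-1]


def suspicious_ips(lines, host):
    """Map IP -> self-referer hit count, for IPs that never fetched an asset."""
    self_ref = defaultdict(int)
    fetched_assets = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path = m["ip"], m["path"]
        if ASSET_RE.search(path):
            fetched_assets.add(ip)
        elif self_referer_without_slash(path, m["referer"], host):
            self_ref[ip] += 1
    return {ip: n for ip, n in self_ref.items() if ip not in fetched_assets}


# The first two lines are samples from the post. The 192.0.2.10 lines are
# constructed: an ordinary browser with an external referrer that loads CSS.
SAMPLE = [
    '209.123.8.173 - - [25/Oct/2005:15:19:10 +0200] "GET /blogs/ch-athens/89/ HTTP/1.1" 200 5616 "http://betabug.ch/blogs/ch-athens/89" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '66.246.252.86 - - [25/Oct/2005:15:24:49 +0200] "GET /blogs/ch-athens/88/ HTTP/1.1" 200 6257 "http://betabug.ch/blogs/ch-athens/88" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '192.0.2.10 - - [25/Oct/2005:15:30:02 +0200] "GET /blogs/ch-athens/89/ HTTP/1.1" 200 5616 "http://example.org/links" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/412"',
    '192.0.2.10 - - [25/Oct/2005:15:30:03 +0200] "GET /style.css HTTP/1.1" 200 1201 "http://betabug.ch/blogs/ch-athens/89/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/412"',
]

if __name__ == "__main__":
    for ip, hits in sorted(suspicious_ips(SAMPLE, "betabug.ch").items()):
        print(ip, hits)
```

A browser with a warm cache may also skip asset requests, so the output is a list of addresses to review before filtering rather than a block list.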

UPDATE: It seems my thoughts on Net Access Corporation were right, see this Senderbase report on Net Access Corporation showing lots of SPAM coming from their IPs.

Posted by betabug at 16:02 | Comments (2) | Trackbacks (0)
Comments
Re: Comment Spammers from easymanaged.com?

"Check" on that! They came in from a fellow blogger who linked to me. They detected the comment cgi straight away and went entry after entry, for the range of some days now. It looks like the script stops after a "set" of hits. Each sneak attack of them was eventually followed by comment spam coming from totally different locations. So ... I guess this is another confirm, huh? :)
And thanks for this post - I was just researching about what's been hitting my site lately.

Posted by: avitali at November 06,2005 19:42
Re: Comment Spammers from easymanaged.com?

Thanks for posting this - I was getting quite a few hits from the same source and was a little concerned. Looks like I'll be updating htaccess.....

Posted by: Jeff at January 04,2006 16:04