-- Bereft of Reason --

One angry young man


Had an interesting comment on this site today, from someone identifying himself as 'El Mexicano' with the email address chico@chipala.com. He posted it from 207.248.240.119, an address in a Mexican block registered with LACNIC, the Latin American and Caribbean IP address Regional Registry. The address is dynamic, but I have noted the IP address, the date and the time in case I need to report him.


"Why report him?", I hear you say. Well, that's a long story. It began about ten hours earlier, when this character started an automated script to flood this site with spam advertising online poker. Every one of his requests hits the Movable Type comment script, mt-comments.cgi, with a poker site as the referrer. The first hit was at six o'clock this morning:
207.248.240.119 - - [14/Jul/2005:06:03:19 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=181 HTTP/1.1" 200 8615 "http://www.sportscribe.com/play-party-poker-for-fun.html" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT Windows CE)"
There is then a lull for several hours before a new wave of attacks starts. Notice the identical IP and the constantly changing User-Agent strings and entry IDs:
207.248.240.119 - - [14/Jul/2005:13:09:54 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=225 HTTP/1.1" 200 8915 "http://www.yachtdurak.com/poker-games.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 3.0)"
207.248.240.119 - - [14/Jul/2005:13:27:51 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=12 HTTP/1.1" 200 8568 "http://www.yachtdurak.com/pacific-poker.html" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
207.248.240.119 - - [14/Jul/2005:13:29:29 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=168 HTTP/1.1" 200 8561 "http://www.yachtdurak.com/party-poker.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 3.0)"
207.248.240.119 - - [14/Jul/2005:13:35:20 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=208 HTTP/1.1" 200 8571 "http://www.yachtdurak.com/texas-holdem.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]"
207.248.240.119 - - [14/Jul/2005:13:35:25 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=66 HTTP/1.1" 200 8570 "http://www.yachtdurak.com/poker-games.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
207.248.240.119 - - [14/Jul/2005:13:45:46 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=199 HTTP/1.1" 200 8559 "http://www.yachtdurak.com/free-poker.html" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
207.248.240.119 - - [14/Jul/2005:14:30:53 +0100] "GET /digitallife/ HTTP/1.1" 200 23920 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
At about two o'clock in the afternoon this angry young fella started to probe this site, apparently looking for an administrator login screen. He tried to access directories at /upload/, /test/ and /tim/admin/. At least he's read enough of this site to find out my name! :)

He then returns to the automated script attack (does he not get the hint?).
But wait! He's not done. Mr Angry now starts trying from several different IP addresses. If I was using MT-Blacklist this might be a problem, but I'm not; I'm using something else, so he's outta luck:
148.244.150.58 - - [14/Jul/2005:13:35:28 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=18 HTTP/1.1" 200 8550 "http://www.yachtdurak.com/empire-poker.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
Here's another IP:
200.106.160.70 - - [14/Jul/2005:13:41:34 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=126 HTTP/1.1" 200 8589 "http://www.yachtdurak.com/poker.html" "Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 98)"
And another:
63.230.254.28 - - [14/Jul/2005:13:43:07 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=223 HTTP/1.0" 200 8601 "http://www.yachtdurak.com/texas-hold-em.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; N_o_k_i_a)"
And another:
63.230.254.29 - - [14/Jul/2005:13:44:50 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=31 HTTP/1.0" 200 8592 "http://www.yachtdurak.com/texas-holdem.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]"
And another:
207.248.240.119 - - [14/Jul/2005:13:45:46 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=199 HTTP/1.1" 200 8559 "http://www.yachtdurak.com/free-poker.html" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
And another:
200.106.160.70 - - [14/Jul/2005:13:52:11 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=206 HTTP/1.1" 200 8593 "http://www.yachtdurak.com/empire-poker.html" "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC; AtHome021)"
And another:
202.175.234.163 - - [14/Jul/2005:13:53:42 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=16 HTTP/1.1" 200 11192 "http://www.yachtdurak.com/party-poker.html" "Mozilla/4.0 (compatible; MSIE 5.0; YANDEX)"
And here's anoth... no, wait - he's already tried this IP:
200.106.160.70 - - [14/Jul/2005:14:01:30 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=150 HTTP/1.1" 200 8571 "http://www.yachtdurak.com/poker-rules.html" "Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]"
I've gotta hand it to him for persistence:
148.244.150.58 - - [14/Jul/2005:14:12:40 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=138 HTTP/1.1" 200 9004 "http://www.yachtdurak.com/free-poker.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"
This continues for another 15 minutes or so. In total Mr Spamtastic makes 74 attempts.
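The pattern the log excerpts above show, one referrer host advertised from a rotating set of source IPs and User-Agent strings, all aimed at mt-comments.cgi, is easy to pull out of an access log mechanically. The following Python is an added example written for this page, not code from the post or from Movable Type. It parses Apache combined-format lines, clusters comment-script hits by the referrer host they advertise, and counts distinct User-Agents per source IP. The sample log embedded in it is the set of lines quoted above (with the two ")" characters the page mangled restored), not a live log, and the three-hit threshold is an arbitrary choice.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, the format of the lines quoted in this post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

COMMENT_SCRIPT = "/cgi-bin/mt-comments.cgi"   # Movable Type comment handler


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    url = urlsplit(d["path"])
    d["script"] = url.path
    d["entry_id"] = parse_qs(url.query).get("entry_id", [""])[0]
    d["referer_host"] = (urlsplit(d["referer"]).hostname or "").lower()
    return d


def comment_hits(lines):
    """Yield parsed requests that target the comment script."""
    for line in lines:
        d = parse_line(line)
        if d and d["script"] == COMMENT_SCRIPT:
            yield d


def find_campaigns(lines, min_hits=3):
    """Cluster comment-script hits by the referrer host they advertise.

    One host hit min_hits or more times, from several IPs and with many
    different User-Agents, is the signature of a distributed spam run. The
    IP list is what you would feed to a block list, in addition to (not
    instead of) a content-level check such as a CAPTCHA or Bayesian filter,
    because the addresses rotate.
    """
    by_host = defaultdict(list)
    for d in comment_hits(lines):
        if d["referer_host"]:                       # skip "-" (no referrer)
            by_host[d["referer_host"]].append(d)
    report = {}
    for host, hits in by_host.items():
        if len(hits) < min_hits:
            continue
        report[host] = {
            "hits": len(hits),
            "ips": sorted({h["ip"] for h in hits}),
            "user_agents": len({h["ua"] for h in hits}),
            "entry_ids": sorted({int(h["entry_id"]) for h in hits if h["entry_id"].isdigit()}),
        }
    return report


def user_agents_per_ip(lines):
    """Count distinct User-Agents per source IP on the comment script.

    One address presenting five different browsers within a few hours is a
    script rotating its UA string, not a person.
    """
    uas = defaultdict(set)
    for d in comment_hits(lines):
        uas[d["ip"]].add(d["ua"])
    return {ip: len(s) for ip, s in uas.items()}


# Sample input: the log lines quoted in this post (mangled ")" restored), not a live log.
SAMPLE_LOG = """\
207.248.240.119 - - [14/Jul/2005:06:03:19 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=181 HTTP/1.1" 200 8615 "http://www.sportscribe.com/play-party-poker-for-fun.html" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT Windows CE)"
207.248.240.119 - - [14/Jul/2005:13:09:54 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=225 HTTP/1.1" 200 8915 "http://www.yachtdurak.com/poker-games.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 3.0)"
207.248.240.119 - - [14/Jul/2005:13:27:51 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=12 HTTP/1.1" 200 8568 "http://www.yachtdurak.com/pacific-poker.html" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
207.248.240.119 - - [14/Jul/2005:13:35:25 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=66 HTTP/1.1" 200 8570 "http://www.yachtdurak.com/poker-games.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
148.244.150.58 - - [14/Jul/2005:13:35:28 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=18 HTTP/1.1" 200 8550 "http://www.yachtdurak.com/empire-poker.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
200.106.160.70 - - [14/Jul/2005:13:41:34 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=126 HTTP/1.1" 200 8589 "http://www.yachtdurak.com/poker.html" "Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 98)"
63.230.254.28 - - [14/Jul/2005:13:43:07 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=223 HTTP/1.0" 200 8601 "http://www.yachtdurak.com/texas-hold-em.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; N_o_k_i_a)"
202.175.234.163 - - [14/Jul/2005:13:53:42 +0100] "GET /cgi-bin/mt-comments.cgi?entry_id=16 HTTP/1.1" 200 11192 "http://www.yachtdurak.com/party-poker.html" "Mozilla/4.0 (compatible; MSIE 5.0; YANDEX)"
207.248.240.119 - - [14/Jul/2005:14:30:53 +0100] "GET /digitallife/ HTTP/1.1" 200 23920 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
207.248.240.119 - - [14/Jul/2005:14:35:03 +0100] "POST /cgi-bin/mt-comments.cgi HTTP/1.1" 302 - "http://thoughton.co.uk/cgi-bin/mt-comments.cgi" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, info in find_campaigns(lines).items():
        print(host, info)
    print(user_agents_per_ip(lines))
```

On the sample, the only cluster that clears the threshold is www.yachtdurak.com: seven hits from five addresses with six different User-Agent strings, while the single sportscribe.com hit and the manual POST fall below it. Note that the clustering key is the referrer host, not the source IP, which is exactly why the rotating addresses in the second wave do not split the campaign into harmless-looking singletons.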

Here is the moment when he finally gives up, and posts his comment manually:
207.248.240.119 - - [14/Jul/2005:14:35:03 +0100] "POST /cgi-bin/mt-comments.cgi HTTP/1.1" 302 - "http://thoughton.co.uk/cgi-bin/mt-comments.cgi" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
I have since deleted his comment, but here's a sample: [image: Mad Spammer]

Do you think he's a little annoyed? :D The poor fella took the time to post 77,148 (yes, seventy-seven thousand) smilies!

Interestingly enough, this evening I received 7 unsolicited emails asking me to confirm my subscription to random mailing lists. Obviously I deleted them rather than confirm anything, but I'd bet my last dollar that this is the work of the same angry young man. He really must be peeved about his inability to spam this site to go to all this effort! Bless his cotton socks. :)
Posted on 14 July 2005, to Bereft of Reason | Internet | Site News

Related entries

Spamadelic - 8 October 2004
Installing MT-Captcha (aka SCode) - 14 November 2004
Another Movable Type Captcha - 17 November 2004
MT-Captcha report card - 12 December 2004
Trackback spammers try their luck - 2 February 2005
The solution to Blog spamming? - 19 December 2004
Installing MT-Blacklist - 14 November 2004
Bayesian filtering on Movable Type - 14 November 2004
SCode reinstalled, GD issue solved - 16 May 2005

Trackback Pings

TrackBack URL for this entry:
http://thoughton.co.uk/cgi-bin/mt-tb-dlosx.cgi/48

Comments

In the last two days I have received approximately twenty new unsolicited "confirm your subscription" emails. This might have been a pain if I was using some other email program. However in Mail.app all I have to do is highlight the email and click the 'Junk' button and the email is banished to my junk mail folder. The nice part is that all future emails from that address automatically get classed as junk, so I never see them again. (Some of the lists he subscribed me to, notably some Astrology ones, have already sent me 3 emails each).

by: Tim Houghton at July 16, 2005 6:14 PM

do you talk just to hear yourself speak. If a tim makes a sound on the web and no one is around to give a fuck...

by: Chris Wilson at July 20, 2005 6:47 PM

In case no one had realised, "Chris Wilson" is the angry young man this entry refers to. :)

by: Tim Houghton at July 20, 2005 7:21 PM

Amigo, do you like your men angry?

by: chico at July 20, 2005 7:37 PM

he likes his men the same way he likes his code. Clean and Fast..

by: Chris Wilson at July 22, 2005 6:14 PM

Are you saying Tim is gay... I always thought so... I'd ask but he has a snide fucking comment for everything. He can be a real dick sometimes. I guess when he finds that special male someone he'll change.

by: joe at July 22, 2005 6:18 PM

Thanks a lot for this info.

It is so nice to see these spammers waste their time and cpu :)

On my sites I tend to let them in, but all comments are stopped, then the information is shared with other webmasters :P

by: OK at December 27, 2006 11:40 AM
