2

Possible Duplicate:
What kind of spam is this?

I'm running a web site with a forum where one small part is open for posting from unregistered users. The site uses a captcha, but still some spam posts get through every day. Here is the thing. All of the messages follow the same pattern, but they also all come from different IPs. That makes me think this is some sort of automated scripted "attack" from a botnet of some sort.

The strange thing is that all the messages start with six random characters and contain a couple of links. The words have no meaning, and the domains in the links do not even exist.

Why would anyone use time and resources spreading these things? Below you can see two of these messages:

A5Zfs6 exrzvrbspntz, [url=http://nktqoqllnuab.com/]nktqoqllnuab[/url], [link=http://wtrenldadvsy.com/]wtrenldadvsy[/link], [http://rnlrqfgdvdot.com/]

O2oLpL nqeffxhryfdk, [url=http://jutyurbpfxow.com/]jutyurbpfxow[/url], [link=http://jpcdtmdalpow.com/]jpcdtmdalpow[/link], [http://qopqwqxwjdjx.com/]

Since all the messages come from different IPs, I can't see that blocking those will help much. For now I'm considering just dropping all messages following this pattern, since it's quite easy to match with a regexp.

Has anyone else seen these kinds of messages, or does anyone know the point of posting them?

Paaland
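The question says the messages are "quite easy to match with a regexp". As an added illustration (not code from the question or from the site), here is one way a forum could triage incoming posts against that fingerprint: a strict regex for the exact shape of the two quoted messages, backed by a looser check for BBCode links whose anchor text merely repeats the domain label. The sample posts are constructed for the example; the first two copy the quoted shape, the third is an assumed variant with a different scheme and TLD, and the last is a legitimate post that must pass.

```python
import re

# Constructed sample posts (not taken from the site): the first two mirror the
# shape of the messages quoted in the question, the third is an assumed variant
# with a different scheme and TLD, and the last is a legitimate post.
SAMPLE_POSTS = [
    "A5Zfs6 exrzvrbspntz, [url=http://nktqoqllnuab.com/]nktqoqllnuab[/url], "
    "[link=http://wtrenldadvsy.com/]wtrenldadvsy[/link], [http://rnlrqfgdvdot.com/]",
    "O2oLpL nqeffxhryfdk, [url=http://jutyurbpfxow.com/]jutyurbpfxow[/url], "
    "[link=http://jpcdtmdalpow.com/]jpcdtmdalpow[/link], [http://qopqwqxwjdjx.com/]",
    "x9Kd2p qwertyuiop, [url=https://abcdefgh.net/]abcdefgh[/url] and "
    "[link=http://ijklmnop.org/]ijklmnop[/link]",
    "Does anyone know whether the meeting moved to Tuesday? "
    "See [url=http://example.com/]our page[/url].",
]

# Strict fingerprint of the quoted messages: six alphanumerics, one lowercase
# word, then a [url=], a [link=] and a bare [http://...] entry whose anchor
# text repeats the domain label (the (?P=...) backreferences enforce that).
PROBE_RE = re.compile(
    r"^[A-Za-z0-9]{6} [a-z]+, "
    r"\[url=http://(?P<d1>[a-z]+)\.com/\](?P=d1)\[/url\], "
    r"\[link=http://(?P<d2>[a-z]+)\.com/\](?P=d2)\[/link\], "
    r"\[http://[a-z]+\.com/\]$"
)

# Looser fingerprint for variants: any BBCode-style link tag whose anchor text
# is just the domain label again (a human poster rarely writes links that way).
LINK_TAG_RE = re.compile(
    r"\[(?:url|link)=https?://(?P<label>[a-z0-9-]+)\.[a-z]+/?\]"
    r"(?P<anchor>[^\[]*)\[/(?:url|link)\]",
    re.IGNORECASE,
)


def classify(post: str) -> str:
    """Return 'probe' for an exact match of the quoted pattern, 'suspicious'
    when every BBCode link (at least two of them) is self-named, else 'ok'."""
    if PROBE_RE.match(post):
        return "probe"
    links = LINK_TAG_RE.findall(post)          # list of (label, anchor) tuples
    self_named = sum(1 for label, anchor in links
                     if label.lower() == anchor.strip().lower())
    if len(links) >= 2 and self_named == len(links):
        return "suspicious"
    return "ok"


def triage(posts):
    """Map each verdict to the number of posts receiving it."""
    counts = {"probe": 0, "suspicious": 0, "ok": 0}
    for post in posts:
        counts[classify(post)] += 1
    return counts


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(f"{classify(post):10s} {post[:60]}")
    print(triage(SAMPLE_POSTS))
```

The two-tier split is deliberate: the strict pattern can be dropped silently with near-zero false positives, while "suspicious" posts are better held for moderation than deleted, since a legitimate user could in principle write a bare-domain link.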

2 Answers

3

It's probably a test for a real attack, a proof of concept for an attacker's new system, or a demonstration of an attack for potential buyers, maybe? I would tend to think this was not someone harmless doing it for fun, as they would probably just write messages and not be trying to insert URLs.

Either way, it's best to remove it ASAP to reduce the chance you are marked as an easy target. I would ban those IPs, clean up the messages and put some CAPTCHA on (it doesn't have to be permanent; you can switch it on during periods of attacks).

Tom Gullen
  • The messages are posted from some 260 different IP addresses, and new ones are used every day. CAPTCHA is already on, but clearly it is not working, or the implementation is buggy, allowing the scripts to bypass it somehow. The site in question has users with different disabilities, and using a "proper" captcha will make some users struggle. – Paaland Mar 14 '11 at 09:45
  • Try a different CAPTCHA script; some work better than others against different attackers. Also, even though there are a lot of IPs, I'd still block them all. Being proactive against it will deter the attacker even if it seems a bit pointless. – Tom Gullen Mar 14 '11 at 09:47
  • Thanks for the feedback. I'll block the IPs in question and switch to reCAPTCHA, at least for the time being. – Paaland Mar 14 '11 at 09:53
  • @Paaland if you want to be creative, instead of blocking IPs you can fake an 'HTTP Error 500 - Internal Server Error' message, making the spammer believe the site is down. This might get you off their lists quicker. – Tom Gullen Mar 14 '11 at 09:55
  • Good idea. What's best though, a 500 or a 404? Internal server errors might make them want to investigate further to maybe exploit a potential weakness or something. – Paaland Mar 14 '11 at 09:59
  • If blocking IPs, do bear in mind that (a) a lot of IPs get recycled between different customers of ISPs, and (b) a botnet is typically a bunch of "normal" infected PCs. For example, an infected PC attacks, you block the IP, and that IP is recycled for a different, non-infected customer of the same ISP a half-hour later -- and that's one legitimate, uninfected customer blocked from your site. – Matt Gibson Mar 14 '11 at 10:05
  • @Matt, yeah, you are right, but I would still block them. You can make the block expire after, say, 1 month. – Tom Gullen Mar 14 '11 at 10:09
  • I've done reverse DNS on the IPs and mostly they are non-reversible, but some are. Should I report to the various ISPs' abuse accounts, or is that just a waste of time? – Paaland Mar 14 '11 at 10:28
  • @Paaland what countries are they originating from? If you have the free time to report it, then yes, you should! – Tom Gullen Mar 14 '11 at 10:30
  • They are from all over the world. The ones in eastern Europe, Russia, Asia, Mexico, Brazil etc. I'm not going to report. But there are a few from Norway (my country) and Sweden as well. I'll report those. – Paaland Mar 14 '11 at 10:35
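The comment thread above settles on blocking the offending IPs but letting each block lapse (Matt Gibson's point that botnet addresses get reassigned to innocent ISP customers, Tom Gullen's suggestion of a one-month expiry). As an added example, not code from either commenter, here is a small expiring blocklist with an injectable clock so the expiry can be exercised in a test. The addresses are constructed from the RFC 5737 documentation range; the thirty-day TTL is taken from the comments, and `FakeClock` is an assumed test helper.

```python
import time

# Constructed addresses from the RFC 5737 documentation range; not the
# question's actual offenders.
SPAMMING_IPS = ["203.0.113.5", "203.0.113.77", "198.51.100.9"]

THIRTY_DAYS = 30 * 24 * 60 * 60  # expiry suggested in the comment thread


class FakeClock:
    """Injectable clock (assumed test helper) so expiry can be exercised
    without actually waiting a month."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ExpiringBlocklist:
    """IP blocklist whose entries lapse after ttl_seconds, so an address that
    an ISP later hands to a different, uninfected customer is not blocked
    forever."""

    def __init__(self, ttl_seconds=THIRTY_DAYS, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._expires_at = {}  # ip -> absolute expiry timestamp

    def block(self, ip):
        # Re-blocking a repeat offender simply pushes its expiry out again.
        self._expires_at[ip] = self.clock() + self.ttl

    def is_blocked(self, ip):
        expiry = self._expires_at.get(ip)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self._expires_at[ip]  # lazily drop the lapsed entry
            return False
        return True

    def purge(self):
        """Drop every lapsed entry; returns how many were removed."""
        now = self.clock()
        lapsed = [ip for ip, exp in self._expires_at.items() if exp <= now]
        for ip in lapsed:
            del self._expires_at[ip]
        return len(lapsed)

    def __len__(self):
        return len(self._expires_at)


if __name__ == "__main__":
    clock = FakeClock(now=1_000_000.0)
    bl = ExpiringBlocklist(clock=clock)
    for ip in SPAMMING_IPS:
        bl.block(ip)
    print("blocked now:", [ip for ip in SPAMMING_IPS if bl.is_blocked(ip)])
    clock.advance(THIRTY_DAYS + 1)
    print("blocked after 30 days:", [ip for ip in SPAMMING_IPS if bl.is_blocked(ip)])
    print("purged:", bl.purge(), "remaining:", len(bl))
```

In production the dictionary would live in a shared store (a database table or cache with per-key TTL) rather than process memory, but the semantics are the same: a block is a lease, not a permanent verdict, and re-offending addresses simply renew it.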
3

Usually, this kind of behavior can be explained in two ways:

First, it can be a test to discover vulnerabilities in your site, your application or your server. Forms can be really dangerous: they can open the door to your software or your server configuration. Several attacks try to guess whether your system is vulnerable by sending you requests that include malicious code or strings.

But in your case, because I can see several [URL= strings, chances are the reason is pure spam. This is the typical spam request that is sent to forum, blog and guestbook modules.

In fact, the [URL= string is part of BBCode, a common markup language used in blogs and forums to post URLs. Spammers perform a high number of POST requests including URLs to generate back-links to their websites or to their clients' websites.

Chances are your contact form has been flagged as a kind of forum or blog.

Note: I originally posted this answer to another question, which was closed as a duplicate of this one.

Simone Carletti