My personal journal is getting SLAMMED with Blog Spam. Usually there are a few test messages, and then I get hit with 5-10 post attempts, but this is the worst by far:
[09/21/04 02:54 PM] [22.214.171.124] A banned IP (126.96.36.199/188.8.131.52, "Mass spam -various") attempted to post a comment to entry #440 [then follows the text of the spam]
I have gotten 440 attempts, one link at a time, about 1 second apart from that IP address. The spam is about a page full of links to the usual places that send spam. The script is obviously geared towards my Graymatter software, but because I blocked the first 5 attempts (and cleaned them), the last 440 only ended up in my log. But this post got my attention, because it had this text in it:
Its far better to exchange links! Won't you please?
WTF? Who is that message for, me? Or the spammer? Is it an artifact from another blog that injected its own text or some ironic statement from the spammer, hoping to confuse me? And why send out blogging spam?
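A defender's-side script for this kind of log, added here as an example and not part of the original journal or of the Graymatter software: it parses records in the same shape as the banned-IP line quoted above, tallies attempts per source IP, and flags any IP that bursts past a threshold within a short window, which is exactly the "hundreds of posts, seconds apart" pattern described. The sample log lines, the IP addresses (RFC 5737 documentation ranges), the threshold and the window are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the journal's record shape:
#   [MM/DD/YY HH:MM AM] [ip] A banned IP (...) attempted to post a comment to entry #N ...
# The timestamp only has minute resolution, so bursts are measured per minute-window.
LOG_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2} [AP]M)\] "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"(?P<msg>.*?attempted to post a comment to entry #(?P<entry>\d+).*)$"
)

# Constructed sample log (not real data): one stray attempt from one address,
# seven rapid attempts against entry #440 from another, and one unrelated line.
SAMPLE_LOG = [
    '[09/21/04 02:30 PM] [192.0.2.7] A banned IP (192.0.2.7, "test") '
    'attempted to post a comment to entry #12 hello there',
] + [
    f'[09/21/04 02:5{m} PM] [198.51.100.23] A banned IP (198.51.100.23, '
    f'"Mass spam -various") attempted to post a comment to entry #440 link {i}'
    for i, m in enumerate([4, 4, 4, 4, 5, 5, 5])
] + ["this line is not a comment-attempt record"]


def parse_line(line):
    """Parse one log record; return a dict, or None if the line is not a post attempt."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%m/%d/%y %I:%M %p"),
        "ip": m.group("ip"),
        "entry": int(m.group("entry")),
        "banned": m.group("msg").startswith("A banned IP"),
    }


def find_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: total_attempts} for every IP that exceeded `threshold`
    attempts inside any `window`-long span (sliding window per IP)."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    totals = defaultdict(int)     # ip -> attempts seen so far
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip lines that are not post attempts
        ip, ts = rec["ip"], rec["ts"]
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop timestamps that fell out of the window
        if len(q) > threshold:
            flagged[ip] = totals[ip]
    return flagged


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} attempts, candidate for a firewall/ban-list entry")
```

The output of `find_bursts` is the list you would feed a ban list or a firewall rule; keeping the sliding window per IP rather than a global counter means one persistent source stands out even when the log is interleaved with ordinary traffic.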
Anyway, because I am curious, I scanned the originating IP. It comes from "Shaw Communications Inc." in Calgary, Alberta, Canada. It's part of their cable IP pool. An nmap scan shows that quite a lot is open on it, but it's "oddly secured." Like a lot of ports are responding, but nmap can't tell what OS it's running (that IS unusual). Usually it's a Microsoft hacked box, although I have seen a few RedHat servers hacked (usually with a 2.0.x kernel, so maybe RH 5.x or something, which was known to have security holes on a default install). I think it's not a hacked box, though, because certain things are secured. I looked on the nmap website, and realized a new version since 3.50 had come out (3.70). I downloaded and installed the new RPMs, and ran nmap again. The new 3.70 seems to be more thorough, and the scan took almost 12 minutes (even with a -F default port scan).
Host px1ht.ok.shawcable.net (184.108.40.206) appears to be up ... good.
Interesting ports on px1ht.ok.shawcable.net (220.127.116.11):
(The 1202 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE       VERSION
23/tcp    open     telnet?
25/tcp    filtered smtp
53/tcp    open     domain?
80/tcp    open     http?
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
514/tcp   open     shell?
554/tcp   open     rtsp?
1755/tcp  open     wms?
3128/tcp  open     squid-http?
8080/tcp  open     http-proxy?
27374/tcp filtered subseven
6 services unrecognized despite returning data.
OS unknown. I tried to connect to ports 23, 80, and 8080, and all three returned some unknown, non-telling service. Conclusion? Not a hacked box; a box specifically tuned to send spam. I reported it to the abuse center, and if they ever get around to it, they might find the empty space where the spammer was. Or an unsecured wireless connection.