punkwalrus (punkwalrus) wrote,

Tech - Stupid Spammers...

Holy crap...

My personal journal is getting SLAMMED with Blog Spam. Usually there are a few test messages, and then I get hit with 5-10 post attempts, but this is the worst by far:

[09/21/04 02:54 PM] [] A banned IP (, "Mass spam -various") attempted to post a comment to entry #440 [then follows the text of the spam]

I have gotten 440 attempts, one link at a time, about 1 second apart from that IP address. The spam is about a page full of links to the usual places that send spam. The script is obviously geared towards my Graymatter software, but because I blocked the first 5 attempts (and cleaned them), the last 440 only ended up in my log. But this post got my attention, because it had this text in it:

People posting to these types of boards are ruining SEO (Search Engine Optimization) as we know it. If the owner of this site is interested in curbing this problem, please obtain another script that does not allow HTML or that requires verification and you will stop the endless advertizing on this board. Otherwise people will continue to do this indefinitely. Or perhaps you don't mind?

It's far better to exchange links! Won't you please?

WTF? Who is that message for, me? Or the spammer? Is it an artifact from another blog that injected its own text or some ironic statement from the spammer, hoping to confuse me? And why send out blogging spam?
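As an added example (my own code for this page, not the post's and not part of Graymatter), here is a small Python script that reads log lines in the format quoted above and flags any IP that crosses a burst threshold inside a sliding window, the one-attempt-per-second pattern described above. The sample lines are constructed, the addresses are RFC 5737 documentation placeholders rather than real spammer IPs, and the script assumes the timestamp carries seconds (the quoted line shows only minutes) and that lines arrive in chronological order, as they would in a log file.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed timestamp layout: the quoted log line shows "[09/21/04 02:54 PM]";
# seconds are added here so a one-per-second burst is visible.
TS_FORMAT = "%m/%d/%y %I:%M:%S %p"

# Matches lines shaped like the Graymatter "banned IP" entry quoted in the post.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<ip>[^\]]*)\] A banned IP \([^,]*, "(?P<reason>[^"]*)"\) '
    r'attempted to post a comment to entry #(?P<entry>\d+)'
)


def parse_line(line):
    """Return a dict for a matching log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "ip": m["ip"],
        "reason": m["reason"],
        "entry": int(m["entry"]),
    }


def find_bursts(lines, max_attempts=5, window=timedelta(seconds=60)):
    """Flag IPs that exceed max_attempts within a sliding window.

    Returns {ip: timestamp at which the threshold was first crossed}.
    Blocked posts still land in the log, which is what makes this possible.
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unrelated or malformed lines
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) > max_attempts and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def attempts_per_ip(lines):
    """Total banned-post attempts per IP, for a summary after the fact."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[ev["ip"]] += 1
    return dict(counts)


def _make_line(ip, ts, entry):
    return (f'[{ts.strftime(TS_FORMAT)}] [{ip}] A banned IP ({ip}, "Mass spam -various") '
            f'attempted to post a comment to entry #{entry}')


# Constructed sample log: a 20-line burst one second apart from one placeholder
# address, three widely spaced attempts from another, and one unrelated line.
_BURST_START = datetime(2004, 9, 21, 14, 54, 1)
SAMPLE_LINES = (
    [_make_line("192.0.2.10", _BURST_START + timedelta(seconds=i), 440) for i in range(20)]
    + [_make_line("198.51.100.7", datetime(2004, 9, 21, 15, 10 + 10 * i, 0), 12) for i in range(3)]
    + ["[09/21/04 03:45:00 PM] server restarted"]
)

if __name__ == "__main__":
    for ip, when in find_bursts(SAMPLE_LINES).items():
        print(f"burst from {ip}: threshold crossed at {when}")
    print(attempts_per_ip(SAMPLE_LINES))
```

With the defaults, the burst address is flagged on its sixth attempt; the slow poster, ten minutes between attempts, never is. The threshold and window are the knobs to tune against the normal rate of legitimate comments on the journal.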


Anyway, because I am curious, I scanned the originating IP. It comes from "Shaw Communications Inc." in Calgary, Alberta, Canada. It's part of their cable IP pool. An nmap scan shows that quite a lot is open on it, but it's "oddly secured." Like a lot of ports are responding, but nmap can't tell what OS it's running (that IS unusual). Usually it's a Microsoft hacked box, although I have seen a few RedHat servers hacked (usually with a 2.0.x kernel, so maybe RH 5.x or something, which was known to have security holes on a default install). I think it's not a hacked box, though, because certain things are secured. I looked on the nmap website, and realized a new version since 3.50 had come out (3.70). I downloaded and installed the new RPMs, and ran nmap again. The new 3.70 seems to be more thorough, and the scan took almost 12 minutes (even with a -F default port scan).

Host px1ht.ok.shawcable.net ( appears to be up ... good.
Interesting ports on px1ht.ok.shawcable.net (
(The 1202 ports scanned but not shown below are in state: closed)
23/tcp    open     telnet?
25/tcp    filtered smtp
53/tcp    open     domain?
80/tcp    open     http?
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
514/tcp   open     shell?
554/tcp   open     rtsp?
1755/tcp  open     wms?
3128/tcp  open     squid-http?
8080/tcp  open     http-proxy?
27374/tcp filtered subseven
6 services unrecognized despite returning data.

OS unknown. I tried to connect to ports 23, 80, and 8080, and all three returned some unknown, non-telling service. Conclusion? Not a hacked box; a box specifically tuned to send spam. I reported to the abuse center, and if they ever get around to it, they might find the empty space where the spammer was. Or an unsecured wireless connection.
