Anatomy of a spam blog attack

UCalgaryBlogs gets hammered rather hard by cretins looking to insert their rancid spam into any corner of the internet that helps people publish content. One just got through, and I did some quick digging to see how they did it. Persistent buggers.

I get an email notification any time an account or blog site is created. The username looked suspicious. I popped it into an IP locator, and found they claim to be from Alabama. Dothan, Alabama, to be precise. About 100 miles northeast of Pensacola, Florida. Not many UofC students are likely to be signing up for a new account from Alabama…

I poked around in the webserver logs, to see what that person had been up to.

Turns out they spent almost an hour and a half trying to get an account created. Their first attempt triggered the antispam scripts, and they got sent to a page that scolded them for being spammy spammers. Almost 45 minutes later, they came back to the signup page, but not before changing the user agent of their browser. It looks like they modify their browser’s user agent regularly, claiming to be either running MSIE 8 on a Media Center PC, Mozilla on a Media Center, Firefox on Windows NT, Google Chrome on NT, Safari, etc… They get to the point where it looks like the user agent string is reporting strange hybrid combinations that probably don’t exist in the wild.

Eventually, they get through to the signup page, and get the confirmation email. They click the link to confirm that they’re a verified human (ironically, reporting their user agent that time as being Googlebot 2.1).

They get a site created, and start customizing it a bit. The user agent strings settle down, so I’m guessing an actual human was doing this part. They change the blog’s theme, and start to access the xmlrpc interface to automate publishing content.

Right when I come down and flag their account as spam, take the blog site down, and ban their IP range.

So, they spent an hour and a half trying to circumvent antispam measures in an attempt to set up a splog site, and I squashed them in maybe 2 minutes (really, it took only a few seconds to squish them, but I got curious, and that took a little longer). This little exchange cost them far more time and effort than it did me, even though much of their work may have been automated. I just don’t get why they keep coming back…

Screen shot 2010-11-24 at 4.05.11 PM.png

Update: It just hit me – it’s even more obvious that something is fishy with this particular douchenozzle. There are no requests for images, css, or javascript files that are part of the pages they’re requesting. Clearly not a normal browser, and likely some custom scumbag spam automation app.