Warning - Drupal website spammer - Deny this spammer access to your website
The following spammer uses different usernames to register at your website. A few days later this spammer is posting spam messages for porn-related websites and other crap.
This spammer has signed up on three of my Drupal websites, so I know he is out there seeking other Drupal-type sites.
The email address used in all three cases was: blogger4@sdial.biz
The user name varies, but the location he has always used was New York.
When I first noticed this spammer, I just deleted his account. But the next day, he signed up again.
Therefore, you must deny this spammer access to your website. Use your Access Control rules to deny access (administer >> access control >> account rules >> add rule).
To deny his email use: %sdial.biz%
To deny his host use: sdial.biz
Good Luck,
Sam

How is he spamming. Does he
How is he spamming? Does he repeatedly send out emails from your site or something, or is it more sinister, like advertising viagra all over the place?
Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!
RE: How is he spamming
This spammer is posting spam messages (ads) in the forums for porn-related websites and other crap. No email spam was observed.
I have been doing daily database backups on all of my sites in case this a-hole strikes again. If any of you happen to get victimized by him and have any good revenge tactics, use them.
Sam
So far all I've gotten from
So far all I've gotten from him is 3 different attempts at trying to create a user-id on a site that is just an empty shell with no visible content: two random strings of characters and one using the name of an eastern European comedian.
-------------------
http://www.PrivacyDigest.com/ News from the Privacy Front
http://www.SunflowerChildren.org/ Helping children around the world
Are his spam attacks
Are his spam attacks automated? Does he post massive amounts of posts nearly simultaneously? If so, then you may want to look into using the Captcha module to thwart those attempts.
I'll keep my eyes open and my fingers ready though. Thanks for the heads up.
Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!
RE: Are his spam attacks
I use Captcha on all of my sites; therefore he appears to be a person and not a bot.
After I delete his account, I can see his login attempts in the stats. After about three attempts, he signs up again with a new account.
Remember, he uses New York as his address in the profile field if you happen to have an address field.
By the way, it is useless to ban / deny his IP address because I noticed that every time he visits one of my sites or repeatedly visits the same site, his IP address keeps changing. This may indicate that he is using a dynamic IP dial-up connection.
Sam
what about....
His MAC address; he can't change that easily without changing his network card...
RE: what about....
How would I obtain his MAC address from the Drupal logs?
And if so, can I deny access to the site using the MAC address via my site's hosting control panel? I know I can deny access for an IP address or domain via my site's hosting control panel, but what about the MAC address?
Sam
weird, i've been getting
Weird, I've been getting registrations from the same email on both of my Drupal sites. One 4.7-based, one 5.1-based. He blog-spammed some gibberish on one site, and didn't really do anything on the second. The weird thing is he registered and sat around for a few days first.
RE: weird, i've been getting
I noticed with three of my sites, that after signing up, he waits around for a few days before he starts posting ad links.
As stated above, he uses the email address blogger4@sdial.biz. He also uses the email address: blogger@sdial.biz.
Sam
lurking
Yes, this user is lurking on a number of my sites. Hitting about three pages per minute, just looking at pages. No attempts to post yet. I've blocked the account, and blocked sdial.biz email addresses. Whack-a-mole!
Need some Evidence of his Spamming?
Below is some evidence of his spamming:
Spammed sites:
htt p://72.14.253.104/search?q=cache:p7Es9P3YEy0J:w-i.dk/al-nethest/node/248+blogger%40sdial.biz&hl=en&ct=clnk&cd=2&gl=us
htt p://72.14.253.104/search?q=cache:JGJWTcfbSZEJ:www.spice.lt/index.php%3Fid%3D120+blogger%40sdial.biz&hl=en&ct=clnk&cd=3&gl=us
htt p://www.spice.lt/index.php?id=46
htt p://www.dyingearth.co.uk/?q=node/50&PHPSESSID=6827c9acc05c66631c2fc48cfcc93315
htt p://72.14.253.104/search?q=cache:DH_tbbBaiZ4J:www.infoski.lv/jaunumi/363/+blogger%40sdial.biz&hl=en&ct=clnk&cd=24&gl=us
htt p://72.14.253.104/search?q=cache:qw6zB_ojb68J:www.baltgames.lv/v2/users/69135/+blogger%40sdial.biz&hl=en&ct=clnk&cd=28&gl=us
Need more evidence?
htt p://www.google.com/search?q=blogger%40sdial.biz&hl=en&start=10&sa=N&filter=0
Sam
=-=
The akismet.module should stop him.
Thanks for the info! I've
Thanks for the info! I've just encountered this guy on one of my Drupal sites - same pattern that others have described.
No big deal for us
Hello,
That moronic spammer has just been asking for registration on our web site and Google has led me to this page!
We have few people registering so we have the time to check on people before allowing a new user.
1. We don't allow automatic registration
2. As we're in France and we're French-speakers we've added to the automatic mail that's sent to subscribers something telling them that sending us an email in French explaining who they are and why they want to become members of our web site will speed things up. Not that we wouldn't welcome foreigners (quite the contrary) but as our web site is in French I doubt anyone without any inkling of French would be able to understand what we publish.
3. An email with biz would probably be a spammer on our web site as we don't do anything commercial and it would be great news if a commercial enterprise would join our tiny and rural Linux user group!!
As for dynamic IPs, it may be worth banning them all the same, or tracking them to the main server or ISP. We had a bunch of would-be users that originated from a Russian server, and we banned their various IPs and we've never heard from them again. We also googled their IPs.
cheers,
---
Libres-Ailé(e)s (Association for Linux and libre software) (France, Cévennes)
That moron is back with the
That moron is back with the same IP. Now it seems that the deny access rule %@sdial.biz or blogger%@sdial.biz doesn't work. I've just checked. So I've set the rule to deny both email and IP in full.
How do you use %?
---
Libres-Ailé(e)s (Association for Linux and libre software) (France, Cévennes)
RE: How do you use %?
To deny his email use: %sdial.biz%
To deny his host use: sdial.biz
To get other information about him, see: http://whois.domaintools.com/
To make a complaint to kill his domain, contact: abuse@publicdomainregistry.com
His whois record
Server Data:
Server Type: Apache/1.3.36 (Unix) mod_ssl/2.8.27 OpenSSL/0.9.7e PHP/4.4.6 FrontPage/5.0.2.2510 (Spry.com also uses Apache)
IP Address: 64.92.163.74
IP Location: - Massachusetts - Cambridge - Layered Technologies Inc
Response Code: 206
Blacklist Status: Clear
SSL Cert: www.snakeoil.dom SSL is expired!
Website Status: Active
DomainTools Exclusive:
NS History: 1 change. Using 1 unique name server in 1 year.
IP History: 2 changes. Using 2 unique IP addresses in 1 year.
Whois History: 11 records have been archived since 2007-05-04
Reverse IP: 25 other sites hosted on this server.
Whois Record:
Domain Name: SDIAL.BIZ
Domain ID: D15526417-BIZ
Sponsoring Registrar: DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Domain Status: ok
Registrant ID: DI_3038906
Registrant Name: Markus Lee
Registrant Organization: N/A
Registrant Address1: av.Street h.54
Registrant City: New York
Registrant State/Province: 3547
Registrant Postal Code: 556600
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +805.4412141
Registrant Email: soul_s@list.ru
Administrative Contact ID: DI_3038906
Administrative Contact Name: Markus Lee
Administrative Contact Organization: N/A
Administrative Contact Address1: av.Street h.54
Administrative Contact City: New York
Administrative Contact State/Province: 3547
Administrative Contact Postal Code: 556600
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +805.4412141
Administrative Contact Email: soul_s@list.ru
Billing Contact ID: DI_3038906
Billing Contact Name: Markus Lee
Billing Contact Organization: N/A
Billing Contact Address1: av.Street h.54
Billing Contact City: New York
Billing Contact State/Province: 3547
Billing Contact Postal Code: 556600
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +805.4412141
Billing Contact Email: soul_s@list.ru
Technical Contact ID: DI_3038906
Technical Contact Name: Markus Lee
Technical Contact Organization: N/A
Technical Contact Address1: av.Street h.54
Technical Contact City: New York
Technical Contact State/Province: 3547
Technical Contact Postal Code: 556600
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +805.4412141
Technical Contact Email: soul_s@list.ru
Name Server: NS2.SEBLG.COM
Name Server: NS1.SEBLG.COM
Created by Registrar: DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Last Updated by Registrar: DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Domain Registration Date: Wed Dec 06 10:29:29 GMT 2006
Domain Expiration Date: Wed Dec 05 23:59:59 GMT 2007
Domain Last Updated Date: Tue Feb 06 03:37:04 GMT 2007
----------------------------------------------------------------
Sam
Good work Sam. Why does this
Good work Sam.
Why does this US pest have some kind of a Russian mail address -- just to give the wrong impression as if we were being flooded by Russian nasties?
:-\
This rule doesn't work for me, nor does %@sdial.biz. I checked bala@sdial.biz and it was allowed :-\
---
Libres-Ailé(e)s (Association for Linux and libre software) (France, Cévennes)
RE: Good work Sam. Why does this
The following rules work for me on my Drupal 4.6.x and 4.7.x sites. I do not have any 5.x sites.
To deny his email use: %sdial.biz%
To deny his host use: sdial.biz
Sam
To deny his email use:
To deny his email use: %sdial.biz%
To deny his host use: sdial.biz
Where do you put this? This guy has been around my sites since blogger1! :p
RE: To deny his email use
To deny this spammer access to your website, use the administration menu:
administer >> access control >> account rules >> add rule
Sam
The rules work for me too
The rules work for me too now after I deleted two allow rules that conflicted with the deny rules. :-/
---
Libres-Ailé(e)s (Association for Linux and libre software) (France, Cévennes)
The domain name sdial.biz
The domain name sdial.biz seems to be that of a hosting company, so it's rather difficult to ask for its closure, isn't it?
---
Libres-Ailé(e)s (Association for Linux and libre software) (France, Cévennes)
Spam the spammer
Got him too. So why not publish this mail address (for me, it was blogger5@sdial.biz) on some pages ...
FEAR NOT
Hi Guys,
Hmmm...Yep, my plan appears to be working then!
Mr Blogger (who was blogger4 but is now blogger5) has become blogger5 because I have totally f*****d his inbox with my deadly email proggy!
It sends the same email message (whatever I want it to say) from 1 - infinity (depending how long I can be bothered to wait)
I sent 1000 emails to blogger4 the other day....never had any spam for 2 days...then got hit by him again as blogger5.
I have just sent another 1000 emails to his blogger5 account.
He may well come back as blogger6 or whatever, but he will only get another...hmm...maybe 3000?...4000? emails?
The effect of having to attempt to download that many emails is catastrophic on an inbox... and usually results in the email address he uses being killed by the ISP.
This proggy was written by a friend of mine (a software developer) and it works by sending the identical email however many times you want. Spam filters are useless against it, because of the way they filter... they cannot filter identical messages, as it's the same message over and over again.
I will keep hitting this imbecile until he gets sick as a pig!... hang in there guys!... revenge is a dish best served cold!!!
hahaha.. He is now up to
hahaha.. He is now up to Blogger6..... what a twat
Anti-spam Question
I've been getting fake registration from this guy and others on my 4.7 Drupal site recently. I ended up writing my own bare-bones module to add a simple question to the registration process. So far it's keeping out the bots.
Anti-spam Question Module for Drupal 4.7
Not registering...
Blogger4 and blogger6 have not been registering on my sites, but have been using the contact form to send me spam... I have the hourly threshold set to 5, so it ends up being 5 to 10 emails a day... Any thoughts on how to deal with this at the Drupal level, rather than with SpamAssassin or something like that?
Darren
At our site it is also
At our site it is also blogger 4 and 6
I've banned and blocked these 2 users.
I'm wondering if there will come more?
Is there already a solution to get rid of these registrations from blogger4, 6 or others we don't know about yet?
Greetings
Sound Good!
That sounds like a very good idea.
I'd like to install something like this and have had a look at your link but being unbelievably new to all this malarky, I haven't got a clue what I am reading or doing!
I tried to understand your instructions and yes it is probably me being a bit thick, but I couldn't reconcile that with anything I know of the site I am attempting to develop! I am using the standard Garland Theme at the moment (until I work out how to change stuff properly) so if you or anyone else can offer any advice I would be really grateful.
Thanks
Q
What you don't know can't hurt you - except in web design!!
Damn, got it on my site too,
Damn, got it on my site too, using "qwyghxh" for a user name. I think I deleted him before his 3 days of lying in wait were up. Must keep on the lookout.
I figured this guy was a serial spammer because for a few days before I saw him on my site, I had noticed the same stupid user name sitting in several Drupal-based sites' Active Users blocks.
Yeh got this guy spamming 2
Yeah, got this guy spamming 2 of my sites... Access rules work well, though!
Well he must be pretty quick
Well he must be pretty quick because the site I set up was only intended to be for a private group of people... he made it in to a fresh install and set up a user before I got around to switching off user registrations!
A disgruntled Drupal user?
That frantic moronic spammer could be one of us... :-(
---
Libres-Ailé(e)s (Association for Linux and libre software) (France, Cévennes)
New tactic?
For the last few weeks I was getting the bloggerx@sdial.biz attempts to register. Now, every day I get this in my logs (see below). When I try to look up the IP address that this supposedly comes from, it is a false IP address. The times suggest that the attacker has automated some of this. Anyone have any thoughts?
Here is the log from 6/6/07 (it looked the same the day before):
page not found 06/06/2007 - 15:45 phpMyAdmin-2.6.0-beta1/main.php Anonymous
warning page not found 06/06/2007 - 15:45 phpMyAdmin-2.6.0-alpha2/main.php Anonymous
warning page not found 06/06/2007 - 15:45 phpMyAdmin-2.6.0-alpha/main.php Anonymous
warning page not found 06/06/2007 - 15:45 phpMyAdmin-2.5.7-pl1/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.7/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.6/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.6-rc2/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.6-rc1/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.5-pl1/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.5/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.5-rc2/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.5-rc1/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.4/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.1/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.2.6/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.2.3/main.php Anonymous
warning page not found 06/06/2007 - 15:44 php-my-admin/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin2/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpmyadmin2/main.php Anonymous
warning page not found 06/06/2007 - 15:44 myadmin/main.php Anonymous
warning page not found 06/06/2007 - 15:44 mysql/main.php Anonymous
warning page not found 06/06/2007 - 15:44 dbadmin/main.php Anonymous
warning access denied 06/06/2007 - 15:44 admin/main.php Anonymous
warning page not found 06/06/2007 - 15:44 PMA/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpmyadmin/main.php Anonymous
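Detection logic for the kind of probe burst shown in the listing above, added here as an example and not code from the thread or from Drupal. It parses lines in the format of that listing (sample lines quoted from the post, plus two constructed benign 404s for contrast) and flags a run of admin-tool path probes inside a short window; the path keyword list, window and threshold are this example's own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines in the shape of the Drupal "recent log entries" listing above
# (most taken from the post, the last two made up as ordinary 404s that must not be flagged).
SAMPLE_LOG = """\
page not found 06/06/2007 - 15:45 phpMyAdmin-2.6.0-beta1/main.php Anonymous
warning page not found 06/06/2007 - 15:45 phpMyAdmin-2.6.0-alpha2/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpMyAdmin-2.5.7/main.php Anonymous
warning page not found 06/06/2007 - 15:44 php-my-admin/main.php Anonymous
warning page not found 06/06/2007 - 15:44 myadmin/main.php Anonymous
warning page not found 06/06/2007 - 15:44 mysql/main.php Anonymous
warning page not found 06/06/2007 - 15:44 dbadmin/main.php Anonymous
warning access denied 06/06/2007 - 15:44 admin/main.php Anonymous
warning page not found 06/06/2007 - 15:44 PMA/main.php Anonymous
warning page not found 06/06/2007 - 15:44 phpmyadmin/main.php Anonymous
warning page not found 06/06/2007 - 09:12 node/9999 Anonymous
warning page not found 06/06/2007 - 11:30 images/old-logo.gif Anonymous
"""

# Severity prefix is optional (the first line of the post lacks it); then type, date, time, path, user.
LINE_RE = re.compile(
    r"^(?:warning\s+)?(?P<type>page not found|access denied)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4}) - (?P<time>\d{2}:\d{2})\s+"
    r"(?P<path>\S+)\s+(?P<user>\S+)$"
)

# Paths that look like guesses at a database admin tool; keyword list is this example's choice.
ADMIN_TOOL_RE = re.compile(
    r"(phpmyadmin|php-my-admin|myadmin|dbadmin|pma|mysql|admin)[^/]*/main\.php$",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one listing line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M")
    return {"ts": ts, "type": m["type"], "path": m["path"], "user": m["user"]}


def detect_probe_bursts(log_text, threshold=8, window=timedelta(minutes=5)):
    """Return one finding per run of >= threshold admin-tool probes that fall within `window`.
    The listing only has minute resolution, so the window is measured in whole minutes."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e is not None and ADMIN_TOOL_RE.search(e["path"])]
    events.sort(key=lambda e: e["ts"])
    findings = []
    i = 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1]["ts"] - events[i]["ts"] <= window:
            j += 1
        run = events[i:j + 1]
        if len(run) >= threshold:
            findings.append({
                "first": run[0]["ts"].strftime("%m/%d/%Y %H:%M"),
                "last": run[-1]["ts"].strftime("%m/%d/%Y %H:%M"),
                "count": len(run),
                "distinct_paths": len({e["path"] for e in run}),
                "sample": [e["path"] for e in run[:3]],
            })
            i = j + 1  # do not report the same run twice
        else:
            i += 1
    return findings


if __name__ == "__main__":
    for finding in detect_probe_bursts(SAMPLE_LOG):
        print(f"{finding['count']} admin-tool probes between {finding['first']} and "
              f"{finding['last']} ({finding['distinct_paths']} distinct paths), "
              f"e.g. {finding['sample']}")
```

The two benign 404s are parsed but never counted, so a site with ordinary broken links does not trigger the rule; only the clustered guesses at database admin paths do.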
What do you mean a false IP
What do you mean a false IP address? It's definitely automated. He's got a script/program that's trying to gain access to phpMyAdmin so he can change your databases.
All these spam things come from different addresses because the attacker would use something like zombie computers/proxies/anonymising services like Tor etc to disguise his real IP.
IP addresses are fake
Each of these log entries lists an IP address. However, when I look the IP address up, it's fake... doesn't exist. Sometimes his IP address is a Google IP. So far there's been no damage, but it's annoying and I wonder what tricks he'll come up with next.
I reported the Spam Abuse, but need additional help from you all
The following is both my complaint sent to abuse@publicdomainregistry.com via their web form on Friday, May 25, 2007 and their email response. I then responded back with more evidence. So far they have done nothing about it.
I urge you all to send an email to these people (abuse@publicdomainregistry.com) so that they can stop this spammer at the source. If you want to use the online complaint form, you can find it here: http://www.publicdomainregistry.com/contactus/report-spam/
Reference this topic page (http://drupal.org/node/146176) when submitting a complaint.
Below is some evidence of his spamming:
Spammed sites:
http://72.14.253.104/search?q=cache:p7Es9P3YEy0J:w-i.dk/al-nethest/node/248+blogger%40sdial.biz&hl=en&ct=clnk&cd=2&gl=us
http://72.14.253.104/search?q=cache:JGJWTcfbSZEJ:www.spice.lt/index.php%3Fid%3D120+blogger%40sdial.biz&hl=en&ct=clnk&cd=3&gl=us
http://www.spice.lt/index.php?id=46
http://www.dyingearth.co.uk/?q=node/50&PHPSESSID=6827c9acc05c66631c2fc48cfcc93315
http://72.14.253.104/search?q=cache:DH_tbbBaiZ4J:www.infoski.lv/jaunumi/363/+blogger%40sdial.biz&hl=en&ct=clnk&cd=24&gl=us
http://72.14.253.104/search?q=cache:qw6zB_ojb68J:www.baltgames.lv/v2/users/69135/+blogger%40sdial.biz&hl=en&ct=clnk&cd=28&gl=us
Need more evidence?
http://www.google.com/search?q=blogger%40sdial.biz&hl=en&start=10&sa=N&filter=0
Reference article: http://drupal.org/node/146176
----- Original Message -----
From: "PDR Abuse Desk" <abuse@publicdomainregistry.com>
To: <sam>
Sent: Friday, May 25, 2007 11:50 AM
Subject: RE: Spam Complaint for sdial.biz [2233652:89411]
Hello,
We have received the mail sent by you.
However, we request you to provide us the website links where these comments are posted, which will facilitate us to investigate the issue.
Also provide us the spam postings and logs of these blogs postings so that we will be in a position to assist you in this case.
Please provide us with the necessary details for us to take a prompt action towards your complaints.
We assure you of a prompt action towards this.
Regards,
PublicDomainRegistry Abuse Desk
PublicDomainRegistry Spam Reporting Tool -
http://www.publicdomainregistry.com/contactus/report-spam/
PublicDomainRegistry False Whois Reporting Tool -
http://www.publicdomainregistry.com/contactus/report-false-whois/
Spam originating Domain Name - sdial.biz
Message Headers - Read all the comments below
Complete Email - The following spammer is posting spam messages (ads) in the forums for porn-related websites and other crap. He is attacking a large number of Drupal CMS websites.
blogger4@sdial.biz
He uses different usernames to register at these websites. A few days later this spammer is posting spam messages for porn-related websites and other crap.
Reference article: http://drupal.org/node/146176
The email address used in all cases is: blogger4@sdial.biz. The user name varies but the location he has always used was New York.
Can you please drop his domain (sdial.biz) so he can at least be stopped somehow?
Thanks
Sam
I also wrote to the abuse email
Hi Sam
Thanks for the info.
Such attempts are a big pain - you never know when he/she would post on a site after breaking in with another id! - Such stupid guys must be thrown in jail.
--
Roshan Shah
T : 604-630-4292
Vancouver, Canada
Skype/GoogleTalk/Yahoo : bpocanada
It's a bot
I looked it up on Google and this is what I got: Results 1 - 10 of about 1,140,000 for qwyghxh.
More than a million pages - mostly user accounts. Then I visited this guy's website, with FF, and looked at the source. I'm no MS programmer but it seems he's using a Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability to run something on the users' machines. I might be wrong, so someone with more experience please check. Don't open it with IE, please. And make sure your machine is all patched up.
qwyghxh and other user names
I am plagued with him too. Clearly a bot, as on one site I deleted his id and changed to admin-approved logon. However the bot is still pounding my site and getting invalid logon attempt messages. This site is on Dreamhost and their status message says they have a DDoS going on. At the moment I can't get to any of my Dreamhost sites.
i had the same problem on my
I had the same problem on my website but we have stopped him with the access rules...
I added these rules:
weigeren(deny) e-mailadres @sdial.biz
weigeren e-mailadres @%sdial.biz%
weigeren host @sdial.biz
This looks to work for now.. he is not even trying to get access to our website anymore, so try those rules and even try to find a .htaccess file with a list of bad bots..
You added these in the
You added these in the htaccess?
And you did it in Dutch? I find that quite impressive :-)
The spambot failed at our site?
On our site, the bot registered (mail was "blogger6" in this case) more than a week ago, but never even activated the account. So I guess he was unable to, for some of the following reasons:
-- The site is written in Czech, so perhaps the link "Registrace" was the only "international" word (in case it's a human)
-- The "account details" mail is also written in Czech and customized to our local needs, so it DIFFERS from default message
-- The activation link in our "account details" mail is not on a separate line, it's inside a text paragraph.
I don't know which is the real reason (if any of these), but the bot seems to be unable to work with our site.
Do you have captcha
Do you have captcha installed?
Nothing special installed
Our configuration (at http://www.naturista.cz) is pretty basic, Drupal 4.7.3, no extra modules installed regarding the user registrations, no anti-spam solution, no SMTP mail (sending via the default Drupal's mail() solution)... Public registration allowed, nothing special. I'm not aware of anything that might play a sensible role, other than the non-english and non-default "account details" mail syntax, and perhaps Drupal version. We've never had any problem with spam, speaking of the content submitted by our users. Don't know what's captcha, to be honest.
Drupal 4.7.3
I urge you to update to Drupal 4.7.6 and to subscribe to the security announcement mailing list (http://drupal.org/security).
--
The Manual | Troubleshooting FAQ | Tips for posting | How to report a security issue.
I agree...
I agree...
I know...
I know that updating is a recommended thing, but to be honest, we've a lot of things custom-patched (which proved itself to be the only effective way to make Drupal compliant with our users' needs), and no time to redo everything on a new version. So at present, updating is out of our possibilities. We're frequently backing up all our data though.
Access rules
Anyone know why %sdial.biz% works for banning emails but %sdial.biz doesn't?
When you test the %sdial.biz rule it works, but spam still comes through. Although putting %sdial.biz% works in both cases.
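A model of how these access-rule masks are evaluated, added here as an example; it is not code from the thread or from Drupal itself. It assumes, as the 4.x/5.x account rules behave and as the earlier report about conflicting allow rules found, that masks are SQL LIKE patterns (% = any run of characters, _ = one character, anchored at both ends, case-insensitive) and that a matching allow rule overrides a matching deny rule; the rule table and addresses below are constructed from the masks quoted in this thread, including the ones that did not work.

```python
import re

# Constructed rule table shaped like Drupal 4.x/5.x access rules: (status, type, mask).
# status 1 = allow, 0 = deny. The masks are the ones quoted in this thread.
THREAD_RULES = [
    (0, "mail", "%sdial.biz%"),    # Sam's rule, reported as working
    (0, "mail", "%sdial.biz"),     # "works when you test it" but spam still came through
    (0, "mail", "@sdial.biz"),     # the Dutch post's first rule: no wildcard at all
    (0, "mail", "@%sdial.biz%"),   # the Dutch post's second rule: only matches a leading "@"
    (0, "mail", "%@mail.ru"),      # rafi's filter against the later mail.ru wave
    (0, "host", "sdial.biz"),      # host rule; only ever matches the literal string
]


def like_to_regex(mask):
    """Translate an SQL LIKE mask into an anchored regex. Case-insensitive here, as MySQL
    LIKE is with its default collations (assumption of this model)."""
    parts = []
    for ch in mask:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def like_match(mask, value):
    """True when value matches mask under LIKE semantics. LIKE is anchored at both ends,
    so a trailing space or newline in the value defeats a mask that ends in a literal."""
    return like_to_regex(mask).match(value) is not None


def matching_masks(rules, rule_type, value, status):
    """All masks of the given type and status (1 allow / 0 deny) that match value."""
    return [m for st, t, m in rules if st == status and t == rule_type and like_match(m, value)]


def is_denied(rules, rule_type, value):
    """Model of the check: denied only if some deny mask matches AND no allow mask matches.
    Assumption: a matching allow rule overrides deny, which is why the conflicting allow
    rules mentioned earlier in the thread silently switched the denies off."""
    allowed = matching_masks(rules, rule_type, value, 1)
    denied = matching_masks(rules, rule_type, value, 0)
    return bool(denied) and not allowed


def explain(rules, rule_type, value):
    """(denied?, deny masks hit, allow masks hit) so an admin can see which rule fired."""
    return (is_denied(rules, rule_type, value),
            matching_masks(rules, rule_type, value, 0),
            matching_masks(rules, rule_type, value, 1))


if __name__ == "__main__":
    for addr in ["blogger4@sdial.biz", "BLOGGER6@SDIAL.BIZ", "blogger4@sdial.biz ",
                 "disseducom@mail.ru", "alice@example.org"]:
        print(repr(addr), explain(THREAD_RULES, "mail", addr))
    # A broad allow rule, like the ones that had to be deleted above, wins over every deny.
    print(explain(THREAD_RULES + [(1, "mail", "%@%")], "mail", "blogger4@sdial.biz"))
```

Only the masks with a leading % ever match a real address; `@sdial.biz` and `@%sdial.biz%` match nothing, and `%sdial.biz` fails on a value with trailing whitespace where `%sdial.biz%` still matches.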
Block emails in anonymous comments
Dammit!
When anonymous comments are allowed, the email address field isn't checked against the access rules.
I have submitted a patch here which fixes the problems.
I've got him on my various
I've got him on my various sites, too (most of them link to each other, so I assume his bot's been following the links).
All blocked now (he came in as "blogger6@..."). Let's see if he finds a way around the blocks.
Diane Duane | The Owl Springs Partnership | Co. Wicklow, Ireland
http://www.dianeduane.com/outofambit | http://www.youngwizards.com
Other logins from this guy: also, a possible change of tactic?
I also have (at europeancuisines.com and youngwizards.com) "qdrewirtsc" (as blogger1@), "otmoqgh" (as blogger3), "qwrqwerwe" (as blogger 4).
However, I'm looking at some new logins at the-big-meow.com over the last few days, and I think I see a shift in pattern. Suddenly (starting over the last week) I'm getting a lot of garbage logins with mixed upper & lowercase usernames and with all email addresses ending in "mail.ru". Same guy, perhaps? (I note a mail.ru address on his whois.) Or someone new playing with the same tactic or script? I am seeing different IPs this time -- Germany, Hong Kong.
Here are the usernames I've seen so far:
ZhQdZn | dpMrnl | cWByMX | KDJhdhbcins | SGMPaN | nhXvnc
All of these have addresses like (in order): disseducom @mail.ru | cheburahim @mail.ru | snegoviklll @mail.ru | etc.
I dislike painting with so broad a brush, but I see that I'm going to be blocking mail.ru registrations on my sites for the foreseeable future.
Finally, a new twist: I'm seeing registrations the past week or so with usernames of varying lengths of mixed upper-and-lower-case garbage, and then email addresses all starting with the word "registrator", a sequence of numbers, and then varying domains (mail15.com, Phreaker.net). Somebody else's script or bot, perhaps?
And one more note: if you Google on "Layered Technologies", the provider, you will find some evidence that a number of people (especially in the blogosphere) feel they're much too soft on spammers using their facilities, or just plain don't care.
Diane Duane | The Owl Springs Partnership | Co. Wicklow, Ireland
http://www.dianeduane.com/outofambit | http://www.youngwizards.com
mail.ru with Germany, Hong Kong IPs
Anybody has seen this before?
akstctssumnsdgs
I have no user registration to my Drupal site under this, but the domain name has been used to spam servers all over the world. Notable are a lot of undeliverables from ru, de, and some references to hk in well cryptic email bodies and subject lines. Our server ended up being blacklisted last week, and I disabled, then deleted completely the contact module on our Drupal installation to see if this would affect the undeliverables. The domain name has been used by the contact module of course.
akstctssumnsdgs(at)mydomain.com
Mira
Registration bypassing mandatory fields
Hi,
I have a weird problem with my site; either it is a possible security breach on my site or a possible loophole in Drupal/CiviCRM. I am using Drupal version 5.1 and module CiviCRM 1.7.9821.
The thing is I created two profiles "Name" and "Address" through CiviCRM and made them available at the time of Drupal registration. All data fields in these two profiles are mandatory (required). If I try by myself to register without filling these fields it gives friendly error messages as I was expecting, but even so I found at least 6-7 users registered without filling in this info. I tried again by myself registering by just providing username and email id but it gives friendly error messages as I was expecting, so how come these new users are registering without filling in this info?
The usernames are all weird just as dduane has mentioned in her June 16, 2007 post. The email addresses provided by these users are all mail.ru domains.
Let me know what's the problem. These new users have weird user names and give Russian email ids (which are not our intended clients), which makes me suspect that possibly somebody is trying to do something nasty.
Please let me know what's the problem and how to correct it. This is clearly a breach of security in either Drupal or CiviCRM. I also posted the same thing in the CiviCRM forum a few days back but nobody replied there. But I am suspecting it's a Drupal problem.
One more thing, when I checked my Drupal logs the "Location" field of that user registration log entry is also weird. It is:
http://www.mysite.comhttp//www.mysite.com/drupal/?q=user/register , it should be either http//www.mysite.com/drupal/?q=user/register or http//www.mysite.com/drupal/user/register as I have enabled the "clean URLs" on my site.
For the time being I have put a filter to deny all mail.ru email domains: "%@mail.ru"
regards,
--rafi
Public Domain Registry The Culprit
Hi all,
I would not bother complaining to publicdomainregistry.com - in my experience they are often the actual culprit and probably run this program / script that targets Drupal deliberately. I have some idea that it does try and do some XSS attacks and I have figured the program uses Google search to propagate because Drupal installs are easy to find, add to a database and then attack automatically from Google search results. When it successfully registers user accounts, it comes back after a set period of time and checks on its previous work to make sure it is still registered. It looks like a huge percentage of Drupal sites have been attacked by this robot, so something must be done in the Drupal core for the stable releases to stop this - because it's starting to amount to a full-blown exploit in Drupal.
Going back to what I said about publicdomainregistry.com... For a few years now they have been in a huge number of cases of law suits for cybersquatting and barely legal practices. Last I heard is that some rich guy bought all of the servers from the Enron company failure really cheap and then set up an evil plan to register domains as soon as they are not paid for automatically even if it violates ICANN rules etc by infringing on trademarks and company name spaces. They hold domains to ransom by the hundreds of thousands for crazy prices. So although that sounds irrelevant it is actually valuable info when dealing with this spam bot because it could be a coincidence or this could be another dirty trick tactic by an immoral "information tech" company making money from the Internet in all of the wrong ways.
If it is the case, and it is publicdomainregistry.com behind it all, then there is little we can do other than get together as developers to block their "marketing" attempts using Drupal. We are not pawns in their sordid attempt to make millions of dollars from Drupal by spamming and we should do something about it. We don't make Drupal and build the Drupal community for a-holes like these people to go and get rich off all of our great hard work.
The number of results in Google that come up for this bot is insane. It's so prolific that it could be considered a network WORM. AV companies should look into that aspect and anyone with some spare $$$'s should think about getting signatures from Drupal developers and users and taking all of the evidence to court against the people committing these crimes.
Dan Gibas, HYGEN
nm
never mind..
He's baaaaaa-aaaaack...
Now with email addresses from czups.info. Same pattern -- garbage letters strung together (emurhfkq this time. He likes the letter q, this guy.)
Diane Duane | The Owl Springs Partnership | Co. WIcklow, Ireland
http://www.dianeduane.com/outofambit | http://www.youngwizards.com
The spammer is back using a new email address and domain name
The spammer is back using a new email address and domain name.
Below are the details he used to signup at one of my sites:
Email address: sweet@czups.info
Your Real Name: emurhfkq
Business Name: emurhfkq
Type of Business: New-York
Address: New-York
Alternative Email Address: New-York
Phone Number: 33333
Web Site: http://www.google.com
To deny his email use: %czups.info%
To deny his domain (host) use: czups.info
Below is the Whois information for the czups.info domain. As you can see, this is the same spammer also using the sdial.biz domain.
His whois Information
Domain ID: D16209137-LRMS
Domain Name: CZUPS.INFO
Created On: 23-Jan-2007 15:30:25 UTC
Last Updated On: 26-Mar-2007 03:06:06 UTC
Expiration Date: 23-Jan-2008 15:30:25 UTC
Sponsoring Registrar: Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Status: OK
Registrant ID: DI_3038906
Registrant Name: Markus Lee
Registrant Organization: N/A
Registrant Street1: av.Street h.54
Registrant City: New York
Registrant State/Province: 3547
Registrant Postal Code: 556600
Registrant Country: US
Registrant Phone: +805.4412141
Registrant Email: soul_s@list.ru
Admin ID: DI_3038906
Admin Name: Markus Lee
Admin Organization: N/A
Admin Street1: av.Street h.54
Admin City: New York
Admin State/Province: 3547
Admin Postal Code: 556600
Admin Country: US
Admin Phone: +805.4412141
Admin Email: soul_s@list.ru
Billing ID: DI_3038906
Billing Name: Markus Lee
Billing Organization: N/A
Billing Street1: av.Street h.54
Billing City: New York
Billing State/Province: 3547
Billing Postal Code: 556600
Billing Country: US
Billing Phone: +805.4412141
Billing Email: soul_s@list.ru
Tech ID: DI_3038906
Tech Name: Markus Lee
Tech Organization: N/A
Tech Street1: av.Street h.54
Tech City: New York
Tech State/Province: 3547
Tech Postal Code: 556600
Tech Country: US
Tech Phone: +805.4412141
Tech Email: soul_s@list.ru
Name Server: NS1.SEBLG.COM
Name Server: NS2.SEBLG.COM
-----------------------------
Sam
Again failed at our site?
I confirm the new bot also on our site, exactly the email and username as reported here. But again, it only registered, but never logged-in. I guess it was unable to decode our welcome-email AGAIN, probably because of its customized layout and Czech language: Registration form visited a lot of times, but no further step done.
I analyzed our logs: The bot visited 197 pages total, 162 of these being the user-registration-form, the rest mostly various RSS feeds, very few times frontpage, and only once the login-form. All done from the host 62.141.56.97 (might be fake, I know), with the "referrer" saying "www.google.com". (I've banned user-profile, email domain and the IP for our site.)
Not from New York!
Look at the address, I don't think NY has such street address av.Street h.54? And where the hell is state 3547 & zip code 556600?
Pattern
The pattern for this one was a little different than the sdial.biz hits I get. The czups.info bot tried to log in and, failing that, tried to register. This was repeated 5 times in less than a minute. Fortunately my homebrew anti-spambot module kept the bot out. Hopefully we don't reach the point where the spam registration attempts are so frequent as to degrade the performance of the website for the real users.
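The two posts above describe the same bot from the server side: one IP that hammers the registration form (162 of 197 requests), arrives with a google.com referrer, and in the other case retries login/register five times inside a minute. The script below is an added example (not from any poster or from Drupal) that pulls exactly those signals out of an Apache combined-format access log. The log lines are constructed for the example; only the address 62.141.56.97 and the google.com referrer are taken from the post, and the thresholds are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format. Sample lines are constructed for this example;
# only the bot's address and the google.com referrer come from the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
62.141.56.97 - - [26/Mar/2007:03:10:01 +0000] "GET /user/login HTTP/1.1" 200 4810 "http://www.google.com/" "Mozilla/4.0 (compatible)"
62.141.56.97 - - [26/Mar/2007:03:10:02 +0000] "POST /user/login HTTP/1.1" 200 4912 "http://www.google.com/" "Mozilla/4.0 (compatible)"
62.141.56.97 - - [26/Mar/2007:03:10:05 +0000] "GET /user/register HTTP/1.1" 200 5120 "http://www.google.com/" "Mozilla/4.0 (compatible)"
62.141.56.97 - - [26/Mar/2007:03:10:09 +0000] "POST /user/register HTTP/1.1" 200 5300 "http://www.google.com/" "Mozilla/4.0 (compatible)"
62.141.56.97 - - [26/Mar/2007:03:10:14 +0000] "GET /user/register HTTP/1.1" 200 5120 "http://www.google.com/" "Mozilla/4.0 (compatible)"
62.141.56.97 - - [26/Mar/2007:03:10:20 +0000] "POST /user/register HTTP/1.1" 200 5300 "http://www.google.com/" "Mozilla/4.0 (compatible)"
62.141.56.97 - - [26/Mar/2007:03:10:31 +0000] "GET /node/feed HTTP/1.1" 200 8112 "http://www.google.com/" "Mozilla/4.0 (compatible)"
62.141.56.97 - - [26/Mar/2007:03:10:40 +0000] "GET /?q=user/register HTTP/1.1" 200 5120 "http://www.google.com/" "Mozilla/4.0 (compatible)"
192.0.2.10 - - [26/Mar/2007:08:00:00 +0000] "GET / HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.0.2.10 - - [26/Mar/2007:08:01:15 +0000] "GET /node/12 HTTP/1.1" 200 7730 "http://example.org/" "Mozilla/5.0"
192.0.2.10 - - [26/Mar/2007:08:03:40 +0000] "GET /user/register HTTP/1.1" 200 5120 "http://example.org/node/12" "Mozilla/5.0"
192.0.2.10 - - [26/Mar/2007:08:06:02 +0000] "POST /user/register HTTP/1.1" 200 5300 "http://example.org/user/register" "Mozilla/5.0"
192.0.2.10 - - [26/Mar/2007:08:07:30 +0000] "GET /node/13 HTTP/1.1" 200 7601 "http://example.org/" "Mozilla/5.0"
198.51.100.7 - - [26/Mar/2007:09:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Googlebot/2.1"
"""

FORM_PATHS = {'user/register', 'user/login', 'user'}  # Drupal account forms
MIN_HITS = 5        # assumed: ignore IPs with too little traffic to judge
FORM_RATIO = 0.5    # assumed: flag when at least half of an IP's requests hit account forms
BURST_COUNT = 5     # assumed: flag when this many form requests ...
BURST_WINDOW = 60   # ... arrive within this many seconds (the "5 times in under a minute" pattern)

def drupal_path(path):
    """Normalise '/user/register', '/?q=user/register' and '/index.php?q=user/register' to 'user/register'."""
    base, _, query = path.partition('?')
    for part in query.split('&'):
        if part.startswith('q='):
            return part[2:].strip('/')
    return base.strip('/')

def parse_log(text):
    """Yield one dict per well-formed log line, with a parsed timestamp and a normalised Drupal path."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
            rec['path'] = drupal_path(rec['path'])
            yield rec

def analyse(text):
    """Return {ip: [reasons]} for addresses whose traffic looks like a registration bot."""
    stats = defaultdict(lambda: {'hits': 0, 'form_times': [], 'referers': set()})
    for rec in parse_log(text):
        s = stats[rec['ip']]
        s['hits'] += 1
        s['referers'].add(rec['referer'])
        if rec['path'] in FORM_PATHS:
            s['form_times'].append(rec['ts'])
    findings = {}
    for ip, s in stats.items():
        reasons = []
        form_hits = len(s['form_times'])
        # Signal 1: the registration/login forms dominate this IP's traffic.
        if s['hits'] >= MIN_HITS and form_hits / s['hits'] >= FORM_RATIO:
            reasons.append(f'{form_hits} of {s["hits"]} requests were account forms')
        # Signal 2: a burst of form requests inside a short window (sliding window over sorted times).
        times = sorted(s['form_times'])
        for i in range(len(times) - BURST_COUNT + 1):
            if (times[i + BURST_COUNT - 1] - times[i]).total_seconds() <= BURST_WINDOW:
                reasons.append(f'{BURST_COUNT} form requests within {BURST_WINDOW}s')
                break
        # Signal 3: a fixed, fabricated referrer on every request (only reported alongside another signal).
        if reasons and len(s['referers']) == 1:
            reasons.append('single referrer for every request: ' + next(iter(s['referers'])))
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == '__main__':
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, '->', '; '.join(reasons))
```

Only the bot address is reported; the human visitor who reads two pages, registers once and moves on stays under both the ratio and the burst thresholds. Run it against your own log with `analyse(open('access.log').read())`; the referrer check is deliberately not a signal on its own, since a legitimate visitor arriving from a search result has one referrer as well.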
czups.info
User with rabbit@czups.info in my Drupal site.
"Hello from Malaysia! ^^ "
Website: www.indiecom.net
Skype: ga1984
Set of filters and rules i use to prevent spam
I am using a few methods to stop this (and other spammers) from commenting:
No login for this user is allowed; if the access rule fails for some reason, spam content will be automatically marked as spam and deleted (in this particular case).
Since blocking with .htaccess isn't an option (ever-changing IP ranges; a *deny from all* would be a little bit too restrictive), I am content with this set of rules and filters.
I took a similar
I took a similar registration from megajohn@greatvalleymail.info this morning. The domain owner is not the same as the other two (from which I also had registrations). I'm afraid this is all just getting started.
Working together?
I read all your comments, and maybe it's smart to collaborate. We can start a list in the htaccess file that denies the access of several addresses (IP? domain? I'm not an expert in htaccess). Modifying the htaccess is like a border patrol: the spammers don't "come in" to the site.
This is, however, a huge and precise task, and therefore it would be clever to work together.
=========
There are 10 people who can count binary: they who can and they who don't
New spammer e-mail domain?? yzbid.com
I think I have discovered a new domain used for email addresses of spammers (maybe Russian). I have had two registrations today from this domain whose contact info has a Russian address and uses hotmail for its contact info. Neither of them has completed the registration process (haven't answered the e-mail).
yzbid.com - spammers??
-------------------
http://www.PrivacyDigest.com/ News from the Privacy Front
http://www.SunflowerChildren.org/ Helping children around the world
New spammer
New spammer domain:
kibermail.com
Is Captcha module working yet? :(
Captcha
Not yet, but yesterday Rob Loach committed a promising successor to the current Captcha module. If you can wait a bit, Captcha 5.x-3.0 will become what you are looking for.
--
The Manual | Troubleshooting FAQ | Tips for posting | How to report a security issue.
Is Captcha module working
Is Captcha module working yet? :)
Additional Spammer Email Addresses and Domains to Block / Deny
The following are some additional Spammer Email Addresses and Domains to Block / Deny
I currently have a Drupal shell site setup and the following users are clearly Spammers:
blogger1@sdial.biz
blogger4@sdial.biz
bodya@heremail.com
bodya@runbox.com
h8s8tx@jwpcworld.com
rabbit@czups.info
rbadgj54fly@crypthash.info
RGadgj88fly@crypthash.info
Twadgj41fly@crypthash.info
VXadgj69fly@crypthash.info
Sam
He's baaaaaack, mark 2 (or 3 or 4...)
Our persistent friend has just turned up on my site at EuropeanCuisines.com and is leaving Northwest Airlines comment spam all over everything.
He came in under the username "uketihanahoj" about half an hour ago (we've seen this pattern before...) using the email address "kaliki @ inbox . ru". All the links in the comment spam redirect to variations on the URL-theme of "northwestairlineXXXX.fora.pl".
His IP was 216.9.84.146.
May as well add this one to your lists, everybody. He'll be back some more, I'm sure.
Diane Duane | The Owl Springs Partnership | Co. WIcklow, Ireland
http://www.dianeduane.com/outofambit | http://www.youngwizards.com
block with http:bl module
Hi
I have seen this module; to be honest, I did not check it yet,
but it should block those guys.
http:BL module can be found here http://drupal.org/project/httpbl
Dev Art- Drupal Based Services and development
How to stop spammers?
I noticed that the spammers keep on sending requests to the site when you delete the account. When I leave the account but block it, the logs suddenly show no activity from the spammer. It allows me to 'manage' them.
Maybe it is a case of keep your friends close, but your enemies closer?
This is what I've been
This is what I've been doing. It also allows you to compare instances of attempted spamming and see if there have been changes of tactics, etc.
Diane Duane | The Owl Springs Partnership | Co. WIcklow, Ireland
http://www.dianeduane.com/outofambit | http://www.youngwizards.com
SPAMMER blogger4@sdial.biz
My website has been under attack by this malicious hacker for months now.
S/he is probably reading this, so I won't say what I've done to block his/her entry; this malicious hacker is attacking both as an anonymous user and attempting to log in using these usernames/emails so far:
qwrqwerwe
forum
blogger1@sdial.biz
blogger2@sdial.biz
blogger4@sdial.biz
blogger5@sdial.biz
sts@speedsearch.org
S/he tries access by node/50, robots.txt, node/194, favicon.ico, node/114, node/add/flexinode-3, taxonomy_menu/12, node/add/flexinode-2, taxonomy_menu/9, admin, and node/195.
Now s/he is attempting to run this function: gmmktime()
Not a bad idea to check your database for any of these or any other weird-looking username/email.
Same IP new name
The same spammer using sdial.biz is back and now using xpsim.info and spsva.info. Whois returns the name of this clever? oke as Markus Lee.
Domain ID:D16209272-LRMS
Domain Name:XPSIM.INFO
Created On:23-Jan-2007 15:44:39 UTC
Last Updated On:26-Mar-2007 03:07:38 UTC
Expiration Date:23-Jan-2008 15:44:39 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Status:OK
Registrant ID:DI_3038906
Registrant Name:Markus Lee
Registrant Organization:N/A
Registrant Street1:av.Street h.54
Registrant Street2:
Registrant Street3:
Registrant City:New York
Registrant State/Province:3547
Registrant Postal Code:556600
Registrant Country:US
Same guy for spsva.info
Any guys in the US to go kick some @3$^%?
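The two whois records in this thread were linked by eye: same Registrant ID (DI_3038906), same sponsoring registrar, same creation minute. The script below is an added example (not any poster's code) that does that pivot mechanically: it parses the "Key: Value" whois text, keeps repeated keys such as Name Server, and reports which other domains share a strong identifier with a given domain. The two records embedded are the ones posted above, with the xpsim.info record ending at "Registrant Country" exactly as it was posted, so it carries no e-mail or name servers; which keys count as a "strong" pivot is an assumption made here.

```python
import re
from collections import defaultdict

# Whois records as posted in this thread (czups.info and xpsim.info). The second one
# was posted only as far as "Registrant Country", so it has no e-mail or name servers.
WHOIS_RECORDS = [
"""Domain ID: D16209137-LRMS
Domain Name: CZUPS.INFO
Created On: 23-Jan-2007 15:30:25 UTC
Sponsoring Registrar: Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Registrant ID: DI_3038906
Registrant Name: Markus Lee
Registrant Street1: av.Street h.54
Registrant City: New York
Registrant State/Province: 3547
Registrant Postal Code: 556600
Registrant Country: US
Registrant Phone: +805.4412141
Registrant Email: soul_s@list.ru
Name Server: NS1.SEBLG.COM
Name Server: NS2.SEBLG.COM""",
"""Domain ID:D16209272-LRMS
Domain Name:XPSIM.INFO
Created On:23-Jan-2007 15:44:39 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Registrant ID:DI_3038906
Registrant Name:Markus Lee
Registrant Street1:av.Street h.54
Registrant Street2:
Registrant City:New York
Registrant State/Province:3547
Registrant Postal Code:556600
Registrant Country:US""",
]

# "Key: Value" or "Key:Value"; the key stops at the first colon, so timestamps in values survive.
FIELD_RE = re.compile(r'^([A-Za-z][A-Za-z0-9 /]*?):\s*(.*)$')

# Assumed set of identifiers worth pivoting on. Registrant Name is left out on purpose:
# a name like "Markus Lee" is far weaker evidence than a registrar-assigned contact ID,
# an e-mail address, a phone number or the name servers the domains are parked on.
PIVOT_KEYS = ('Registrant ID', 'Registrant Email', 'Registrant Phone', 'Name Server')

def parse_whois(text):
    """Parse whois text into {key: [values]}; repeated keys (Name Server) accumulate, empty values are dropped."""
    rec = defaultdict(list)
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value:
            rec[key].append(value)
    return rec

def pivot_index(records):
    """Map (key, value) -> set of domains carrying that value."""
    index = defaultdict(set)
    for rec in records:
        domain = rec['Domain Name'][0].lower()
        for key in PIVOT_KEYS:
            for value in rec.get(key, []):
                index[(key, value)].add(domain)
    return index

def linked_domains(records, domain):
    """Other domains sharing at least one pivot value with `domain`, with the values that link them."""
    domain = domain.lower()
    links = defaultdict(set)
    for (key, value), domains in pivot_index(records).items():
        if domain in domains and len(domains) > 1:
            for other in domains - {domain}:
                links[other].add(f'{key}={value}')
    return {d: sorted(v) for d, v in links.items()}

if __name__ == '__main__':
    records = [parse_whois(t) for t in WHOIS_RECORDS]
    print(linked_domains(records, 'czups.info'))
```

With the two records from the thread, czups.info links to xpsim.info through the Registrant ID alone; as you collect more records (spsva.info, sdial.biz) the same index will also pair domains that keep a fresh registrant name but reuse the contact e-mail or the NS1/NS2.SEBLG.COM name servers, which is the part a person comparing records by hand tends to miss.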
Fake addr
I am in NYC, but that won't help since the address does not exist.
The postal code is in the mid-west and the street is garbage
-------------------
http://www.PrivacyDigest.com/ News from the Privacy Front (Drupal)
http://www.SunflowerChildren.org/ Helping children around the world ( soon to be Drupal)
my email black list
I have had spammer problems for a bit, and it has become part of my daily maintenance to delete these comments. But I have a demo site which I hadn't looked at for a while, and when I did ..
So instead of just deleting my comments, I decided to create extremely strict rules on the basis that a demo site doesn't have any worthwhile content and the poster is 1000% spamming, and this is what I came up with:
%@dodgeit.com
%@mailinator.com
%@bugmenot.com
%@hotpop.com
%@picspad.com
%@yzbid.com
%@sdial.biz
%@mail.ru
%@czups.info
%@boymail.ru
%@jpegchip.com
%@photowhip.com
%@picspond.com
%@movietroop.com
webmaster@%
%@inbox.lv
%@kibermail.com
%@bk.ru
registrar%
%@fromru.com
%@itua.info
%@mail15.com
%@inMail24.com
%@tut.by
%@i.ua
%@sexmagnet.com
%@sadikhov.net
%@Safe-mail.net
%@1net.gr
regbot%
mailbot%
%@a.ua
%spm%
%spam%
I would seriously appreciate this list being kept up to date by the community, as well as some method to add more than one email to the block list at a time.
Also, I have a question on how to deny this email address: reg0406@sadikhov.net
thanks
__________
http://namima.in-egypt.net (latest actors' news)
Another one?
I also caught suspicious registrations reappearing every few months with this pattern:
Username: forexjob#### (4-digit number, usually 20xx)
Email: forexjob####@ya.ru
I can't be 100% sure this is a spammer, as no spammer ever got so far as posting comments on our site, but the pattern matches other ones listed here in certain features, and also the serial-numbered English nick / Russian address is almost a confession, as all our real content and users are Czech.
and another one bites the dust
%@punkass.com
%@phreaker.net
nick%@clovermail.net
__________
http://namima.in-egypt.net (latest actors' news)
http://ads.in-egypt.net/floss - F/LOSS Ads Campaign
Fight the root of the problem...
How about the use of a check box to agree to usage of the website going by rules of use...
Rule #1:
Any automated registrations, or manual registrations to this site for the purpose of submitting links or content deemed by the operators of this website to be "spam", will be subject to charges of US$10,000 per word or link, with no limit to the maximum amount of charges. By registering for this site you (if you are human) or the company that is using you (if you are software) or the company that developed you (if you are software) agree to be bound to pay the aforementioned charges within 14 days of being billed by the operators of this website and to submit a written apology to the operators of this site, detailing your full personal and company information and a signed declaration that you / your company will not break the aforementioned rule again on this website or any other website.
----
If you follow up with several breaches of the rules, then soon after it will be all over CNN and the spamming companies will be out of business quite fast. Oh... and you will have a good side income for your efforts!
Dan Gibas, HYGEN
I've been hit too
Looking through this list I see a lot of familiar logins.
The problem he has had with my site is that I have email verification and administrator approval turned on, and besides that, when I activate a user he cannot add any content without administrator moderation until he proves himself not to be a troublemaker. Even then, I have 3 levels of users, and you can only advance by having good comments, etc.
I'm getting anywhere from 5 to 10 attempts a day. I'm sick and tired of it, so I blocked China as a whole and Russia also; tonight I will be adding some of the other domains I've seen here.
He got me one time, but I am notified when a new comment is posted, and within a few minutes of him posting I deleted his postings and killed his account. I then implemented the above rules, went through all my accounts and noticed the pattern of logins, and put them all on hold. I emailed them for personal details; if there was no response in 24 hours I deleted the account. I didn't receive a single response.
Cecil
K5NWA
Blessed are the cracked for they shall let the light in.
How can I stop postings if
spammers are posting external sites' URLs or ads
and the IP address is different?
RE: how can i stop posting
Just set your postings to be approved by the administrator before they can go live.
Sam
Sam Raheb (Sam308)
It's not possible for me.
It's not possible for me. Can't I stop postings that contain some specific keywords?
RE: stop posting of some special keywords
This cannot be done by keywords using the Drupal core installation alone.
You should check out whether there are any third-party modules that can do that.
Sam Raheb (Sam308)
A good way of leading the
A good way of leading the site in a good manner is to avoid "multiple admins", such as admin1 or adminadmin, so I just add:
deny username %_admin
deny username admin_%
--
Robert
Sweden
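Every deny rule quoted in this thread (%czups.info%, %@sdial.biz, webmaster@%, regbot%, %spam%, %_admin, admin_%) is an SQL LIKE mask, which is how Drupal's account access rules are evaluated: % matches any run of characters including none, _ matches exactly one character, and both sides are compared lower-cased. The script below is an added example, not Drupal's code, that reproduces that matching in Python so a mask can be tested against a candidate username or e-mail before it goes into the access table; it serves both the e-mail black list posted above and the two username masks in the last post. The mask lists are copied from those posts (a subset of the e-mail list); the sample usernames and addresses it is run against are constructed for the example, apart from the ones already quoted in the thread.

```python
import re

# Drupal access rules are SQL LIKE masks: '%' = any run of characters (including
# none), '_' = exactly one character; Drupal lower-cases both sides before comparing.
def like_to_regex(mask):
    """Translate a LIKE mask into an anchored, case-insensitive regular expression."""
    parts = []
    for ch in mask:
        if ch == '%':
            parts.append('.*')
        elif ch == '_':
            parts.append('.')
        else:
            parts.append(re.escape(ch))
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE | re.DOTALL)

# Masks copied from posts in this thread: a subset of the e-mail black list,
# and the two username masks from the last post.
EMAIL_DENY = ['%@sdial.biz', '%@czups.info', '%@mailinator.com', 'webmaster@%',
              'regbot%', '%@sadikhov.net', '%spam%']
USERNAME_DENY = ['%_admin', 'admin_%']

def first_denying_mask(value, masks):
    """The first mask that denies `value`, or None if every mask lets it through."""
    for mask in masks:
        if like_to_regex(mask).match(value):
            return mask
    return None

def check_registration(username, email):
    """List of (rule type, mask) pairs that would reject this sign-up; empty means it is allowed."""
    hits = []
    user_mask = first_denying_mask(username, USERNAME_DENY)
    if user_mask:
        hits.append(('user', user_mask))
    mail_mask = first_denying_mask(email, EMAIL_DENY)
    if mail_mask:
        hits.append(('mail', mail_mask))
    return hits

def explain(mask, candidates):
    """Which of `candidates` a single mask would deny; use this to test a mask before adding it."""
    rx = like_to_regex(mask)
    return [c for c in candidates if rx.match(c)]

if __name__ == '__main__':
    # Sign-ups quoted in the thread (constructed usernames where the post gave none).
    for name, mail in [('emurhfkq', 'sweet@czups.info'),
                       ('reg0406', 'reg0406@sadikhov.net'),
                       ('adminadmin', 'someone@example.org'),
                       ('admin', 'someone@example.org')]:
        print(name, mail, '->', check_registration(name, mail) or 'allowed')
    # Constructed candidates showing how far a mask reaches.
    print('%spam%  denies', explain('%spam%', ['antispam@example.org', 'bob@spamco.biz', 'alice@example.org']))
    print('admin_% denies', explain('admin_%', ['admin1', 'admin_x', 'admin', 'adminadmin']))
```

Two things the output makes visible that are easy to miss when typing masks into the admin form. reg0406@sadikhov.net is already denied by %@sadikhov.net, so no extra rule is needed for it. And because _ is itself a wildcard, admin_% denies admin1 and adminadmin as intended, but %spam% also denies antispam@example.org: any mask with % on both ends should be run through explain() against a few legitimate addresses before it goes live, and the plain username admin is matched by neither mask, since each requires at least one character on the wildcard side.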