Ladies and gentlemen, here is another IP address to put in your .htaccess deny list: 209.160.72.10
This IP apparently belongs to hopone.net, which looks like a legitimate company. I was surprised to see that this machine is accessible from the outside and its port 80 is open for inbound traffic: see for yourself.
Of course I portscanned the asshole and he seems to also have open ftp, ssh and mysql ports. It runs Apache 1.3, which is a little outdated and can potentially be exploited. They even left the Apache manual for us. This looks like some sort of workstation on their network – a workstation that probably should sit behind the NAT and firewall, but for some reason it is out in the open. It might have been rooted and now acts as some spammer's proxy… Sigh…
This dude has been manually spamming me for some time now. He seems to average 20-30 comments a day, and does not get discouraged when Akismet eats up all of them. Anyways, if you are into comment spamming you really need to look into some sort of roaming proxy setup. Because with a static IP, I can just lock you out each time. :P
Btw, Akismet is the best!
[tags]comment spam, spamming, spammer, htaccess, ip, hopone[/tags]
I think it’s a FreeBSD server in their CoLo facility. You can see the ssh and FreeBSD versions are pretty old: SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
You might want to get in touch with their Abuse contact; the more of us there are, the more chance we have that they turn this box off.
And as far as I can tell, it’s not manual spamming, it’s a script.
Is it really a script? I haven’t really seen many scripts that can do OCR on the fly, and my comments have a CAPTCHA. Admittedly, it’s not the strongest one, but still.
I shot an email to their abuse contact. Let’s see if it does anything.
I’m pretty sure it’s a script, otherwise the guy in front of the keyboard is absolutely dumb. He/it is trying again and again to post trackback spam on my blog and gets a 403 from the very beginning. A few more facts:
– it simulates a Windows Firefox browser, and the machine runs FreeBSD
– POST requests have no Browser, but GET requests have one
– neither POSTs nor GETs have a referer
– it tries to POST before GET’ing the web page it’s trying to POST to
– it GETs only html, never img/css/js content
– it’s working like a robot, I get POST requests at every hour of the day, from 00 to 23.
But, maybe, there is a human AND a script :/
Hmmm… Very interesting. It does look like a script then. I’m wondering how it is bypassing my CAPTCHA though.
You might want to google “bypass captcha”, it’s very interesting. It seems that some CAPTCHA systems can be bypassed without any OCR. In some cases, for example, you just “log” to the CAPTCHA once manually, and you can reuse the session ID forever in a script after that.
Damn, I better check how my CAPTCHA system is working. It’s very possible that this is what they are doing.
I’m using the Filosofo Comments Preview plugin to generate my CAPTCHA, so I’m not exactly sure how they implement it.
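The session-reuse weakness the thread describes, as an added example that is not code from the original post, the commenters, or the Filosofo plugin: a check that leaves a "passed" flag on the session (so one manual solve lets a script replay the same session on every later POST) beside a hardened version where each challenge is a one-time, expiring token. All class and function names here are assumptions for illustration.

```python
import hmac
import secrets
import time


# Weak pattern (constructed illustration): solving the CAPTCHA once sets a
# flag on the session and nothing ever clears it, so the same session cookie
# can be replayed on every later POST with no new puzzle being solved.
class WeakSession:
    def __init__(self):
        self.captcha_passed = False


def weak_verify(session, answer, expected):
    if session.captcha_passed:
        return True                      # replay: flag still set from an earlier solve
    if hmac.compare_digest(answer, expected):
        session.captcha_passed = True
        return True
    return False


# Hardened version: each challenge is a one-time, expiring token. The server
# stores the expected answer under that token and deletes it on first use,
# whether or not the answer was right, so neither the token nor the session
# can be reused to skip the puzzle.
class ChallengeStore:
    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock               # injectable for testing expiry
        self._pending = {}               # token -> (expected_answer, expires_at)

    def issue(self, expected_answer, token=None):
        token = token or secrets.token_urlsafe(16)
        self._pending[token] = (expected_answer, self.clock() + self.ttl)
        return token                     # embed in the form as a hidden field

    def verify(self, token, answer):
        entry = self._pending.pop(token, None)   # consumed on first use, pass or fail
        if entry is None:
            return False                 # unknown, expired-and-purged, or already used
        expected, expires_at = entry
        if self.clock() > expires_at:
            return False                 # stale challenge: must fetch a fresh one
        return hmac.compare_digest(answer, expected)
```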