Rick's World

Ok, our friend the comment spammer has picked up the pace. Today he hit me with 217 comment spams, all in the course of an hour and a half. The comment spam all came from the IP:

62.33.12.24

Let's do a little bit of investigating of this.

We have several pieces of information to work with.

1. The IP address used to post the comment spam: 62.33.12.24
2. The DNS name of that IP address: dialup-24.pskov.ru
3. The User Agent used to send these comment spams (found in my server logs): "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

These three pieces of information tell us a lot about our spammer.

First the IP address begins with '62.33.x.x'. This IP range is assigned to the country of Russia. Looking farther tells us that '62.33.12.x' is owned by domain 'pskov.ru'. The DNS name confirms this. This is actually the third IP address in the 62.33.12.x IP range that I've received spam from.

Second, we see the DNS name. The first part 'dialup-24' tells us that our spammer is connecting to the Internet through a dialup connection. In other words, our spammer is spamming the world using a 56K modem! In the DNS name, we also see 'pskov.ru', which is the domain he is connecting from. This is no doubt the name of his dialup Internet provider. This again is confirmed by looking up the information on the IP.

Third, we see the User Agent. The User Agent is the program that he used to send the comment spam. From the User Agent recording in my server logs, we see that this guy is sending the comment spams using Internet Explorer 6.0 (IE6.0) on Windows XP (Windows NT 5.1). This is unusual. Most 'professional' spammers use scripts to send the spams automatically in large batches. This User Agent tells us that our spammer is entering his spams manually, one by one! This guy wasted an hour and a half manually spamming my web site using Internet Explorer!

Based on the fact that this is the third IP that I've received from the same Internet provider in Russia, and that our spammer is dialing into the Internet leads me to believe that all three of these IP addresses are the same spammer. Since he's on dialup, that means that his ISP likely provides him an IP address using DHCP. This means that he could get a different IP every time he dials into the Internet. I had banned the last two IP addresses individually. Since it seems to be a pattern with this guy, I decided to ban the entire '62.33.12.x' IP range (his entire ISP, or at least a good chunk of it).

Banning Addresses

If you are running Apache as your web server, you ban IP addresses by adding some lines to a file named '.htaccess' (note the period as the first chracter). This file contains various commands to Apache on how to run your web site. Here is the code you would put in to ban this IP range:

<br />order allow,deny<br />deny from 62.33.12<br />allow from all<br />

Note how there are only 3 numbers listed on that 'deny from' line? That means ban all IPs that start with those 3 numbers. This will ban 62.33.12.0 through 62.33.12.255. If you want to ban individual IP addresses, just add another 'deny from' line with the IP address you want. You can have as many 'deny from' lines as you want. Make sure you put all these 'deny from' lines between th e'order allow,deny' line and the 'allow from all'.

One less spammer harrassing me.

*sigh* These comment spammers are amateurs.

Note to comment spammers - if you use the same IP address to send all your comment spams you make it very easy to delete the spams and ban your IP. Today's winner is the IP address:

62.33.12.29

This guy sent 29 comment spams, all from this IP. The comment spam is deleted and his sorry ass is banned from my site.

Nice try moron.

In the last 24 hours, I've received a flood of over 150 comment spams from the same IP address:

62.33.12.104

This IP appears to be coming from somewhere in Russia. All the spams were advertisements for various prescription drugs. I have banned this IP address from my web site. Whomever this spammer is, he's obviously an amateur at this. He sent ALL the spams from the same IP address, making it very easy for me to lock him out for good. Plus, while, I do allow comments to be placed on my site without registering, they are not actually shown until I approve them. This means that this guy's efforts have been wasted. His advertisements never showed up on my site. Because of the easy pattern to his comments, it was also very easy for me to go in and delete all his spams in one shot. (SQL is a very useful thing!)

Nice try buddy. Better luck next time...

I've used eBay and Paypal for many years now. So has my family. One of the ongoing problems lately is phishing attacks that steal your eBay and/or Paypal accounts. These phishing attacks come by way of a forged email that looks like it's from eBay. It convinces you to log in to eBay in order to respond to this email. It does this by providing a link in the email that you click on that takes you to eBay. The problem is that the link doesn't take you to eBay, but to a site that perfectly copies eBay! You then enter your information, 'eBay' says everything is OK and you go about your life, not realizing that you just gave your eBay username and password to a criminal. They then go in, using your eBay username and password and start stealing from you. The same happens to Paypal, which is even worse because it has direct access to your bank account. I'm usually very good at spotting these phishing attacks but they have gotten so good, that even I fell for one once. My brother fell for one too. Fortunately in both cases, I realized it quickly and we were able to go in and change our passwords before any harm was done.

The problem is that these phishing attacks still happen and will continue to happen for the foreseeable future. We all need a way to protect ourselves from this. Recently, eBay has come up with a way. They now provide an electronic security key that you can use to log into your account. Once you get this small device, you activate it and associate it with your account. From that point on, when you log into your account you have to press the button on this device to get a six digit security key. You type this in along with your username and password to log into the site. Since eBay and Paypal now require this six digit number to log in, even if a criminal got your username and password, they would not be able to log in. Essentially, your password is now changing every 30 seconds and there are 1 million possible combinations that your password could change to every 30 seconds. Unless the criminal is a VERY lucky guesser, they have no prayer of ever logging into your account! Granted, it's a bit of an inconvenience to have to use this little device every time you log into eBay or Paypal, but if it prevents theft, I think it's worth it.

The device costs $5.00 and you can order it here. If you use eBay or Paypal a lot, I suggest you pick up one of these right away!

Above you see a screenshot of a graph from my web site statistics. This graph shows the number of hits to my site on a daily basis over the last several months. As you can see, most of the time, the number of hits is pretty consistent. There have been two major incidents where things went way higher than normal.

The first one that you'll notice is the big spike in the center of the graph. That high point in the graph is the release date of the Spiderman 3 movie. A year before the movie, I wrote an article containing lots of pictures describing my predictions for the movie. This article has been very popular, getting 16,000(!) views so far. This is much more, by far than any other article I've written. You'll notice a nice consistent increase in hits over time heading to the release date. Then, after the movie is released, the hits gradually decline. This is to be expected. As the movie release gets closer, people start to be more and more interested in it. Once people see the movie, interest drops off. This was a nice, natural spike in the logs. The other incident, however was not.

The second incident you see is over on the right side of the graph. Here you'll notice a nearly instant doubling of the number of hits going to my site. At first, I didn't think much about it. I just thought I was getting more visitors. It turns out this is not true. This sudden jump that you see is due to one web site - laguna2000.com. This website was singlehandedly doubling the traffic to my site and also sucking down tons of my bandwidth. After a couple weeks of this increased traffic, I found the problem. This is proof of the 'image blogging' problem I mentioned previously. One of the administrators of the discussion forum there decided to use one of my images from my blog about the Transformers movie as his 'avatar' image. In other words, every time he posted an article on the discussion forum or responded to an article, it would include his avatar image. This also mean that anytime someone read a message he posted, it would include his avatar image. The problem is that he chose to use my image as his avatar image. He was directly linking to the image on my web site as his avatar image. Everytime someone read one of his article on laguna2000.com, it was loading the image from my web site. There were a lot of people reading his posts on this site. I was seeing a good 3,000-4,000 hits per day coming from that site. That meant that I was literally giving them hundreds of megabytes of free bandwidth per day! In the several weeks that he was doing this, I likely provided several gigabytes of bandwidth to them for free. This had to change.

Saturday evening, I modified my site, to refuse to send any images to that web site, and only that web site. I'll write more about how I did that later. Ever since I blocked the images going to that site, I've seen laguna2000.com jump to the top of my failed referer list. In one day I got over 3,400 failed referers from this site - exactly what I intended. Looks like my hack to fix this little bit of theft works.

The moral of the story is to always watch your logs. When you see something weird, be sure to investigate. It might be something important.