Comments on: KattyBlackyard IP: 89.28.14.35 in massive blog spam attack http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/ Digital & Satellite TV, 3DTV, HDTV, IPTV, Computers, Mobiles, Gaming, Internet, and Telecoms Fri, 03 Feb 2012 23:04:56 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Rune Jensen http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/#comment-5111 Rune Jensen Mon, 29 Mar 2010 16:01:07 +0000 http://www.securitywatch.co.uk/?p=1479#comment-5111 Well, not the same IPrange, but its done via Starnet also. The signature of the spammer is: IE6 as user agent, and the time between GET and POST is atound one second. Also the IP of GET and POST is the same. The useragent seems valid, which makes me think if this is only half automated, not a real spambot, but some kind of batch-program to do the spamming. And a real human being pressing the "send" button. The spammer could acrually be using his own browser to do it. Well, not the same IPrange, but its done via Starnet also.

The signature of the spammer is: IE6 as user agent, and the time between GET and POST is atound one second. Also the IP of GET and POST is the same.

The useragent seems valid, which makes me think if this is only half automated, not a real spambot, but some kind of batch-program to do the spamming. And a real human being pressing the “send” button.

The spammer could acrually be using his own browser to do it.

]]> By: Rune Jensen http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/#comment-5110 Rune Jensen Mon, 29 Mar 2010 15:32:17 +0000 http://www.securitywatch.co.uk/?p=1479#comment-5110 I have this IP from the same range today: 89.28.3.241 It does the same, only this time it places a link to Yahoo.com Since I have numorous security levels, it was blocked on two of them, and thrown to the honeypot, but I am now thinking about blocking the whole range from the start. I consiider it dangerous, much more "intelligent" than other bots I have seen so far. I have the suspicion that Starnet itself is involved in the spamming or is "looking the other way", only I can not prove this yet. But looking for information around the net, it seems like it has been spamming for years now. I have this IP from the same range today:

89.28.3.241

It does the same, only this time it places a link to Yahoo.com

Since I have numorous security levels, it was blocked on two of them, and thrown to the honeypot, but I am now thinking about blocking the whole range from the start. I consiider it dangerous, much more “intelligent” than other bots I have seen so far.

I have the suspicion that Starnet itself is involved in the spamming or is “looking the other way”, only I can not prove this yet. But looking for information around the net, it seems like it has been spamming for years now.

]]> By: Internet Threat http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/#comment-5109 Internet Threat Mon, 24 Aug 2009 09:28:32 +0000 http://www.securitywatch.co.uk/?p=1479#comment-5109 Possibly a professional spammer showing a potential client what we can do? Possibly a professional spammer showing a potential client what we can do?

]]> By: Shady http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/#comment-5108 Shady Tue, 07 Jul 2009 23:27:59 +0000 http://www.securitywatch.co.uk/?p=1479#comment-5108 Hey Guys, I actually had spam from this IP but under a different name (KonstantinMiller). Perhaps he/she knows that we're on to them lol! It's good to know that i'm not the only one... Hey Guys,

I actually had spam from this IP but under a different name (KonstantinMiller). Perhaps he/she knows that we’re on to them lol!

It’s good to know that i’m not the only one…

]]> By: Don http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/#comment-5107 Don Mon, 06 Jul 2009 19:25:35 +0000 http://www.securitywatch.co.uk/?p=1479#comment-5107 I have a very small blog, so already I'm intrigued whenever I am notified that a comment has been submitted. I never have comments automatically published without prior approval - a plus for removing any "instant gratification" that might arise from a perceived score. This new spam wave is cunning in it's generic and realistic comments. Sometimes even the email address looks credible. The number one thing to always look at is the IP. Do a simple whois and find out which country it came from. If you're like me, chances are, your target audience is for non-repressive, English speaking regions/countries. So, this would exclude China, Russia, Moldova, etc etc. Not an automatic indicator, but a very good one if you have a small blog with only a handful of blog posts. Naturally, a red flag would be the altering of the referrer, and more specifically, the lack of the customary URL parameters normally appended to a true Google search query. This means, "http://www.google.com/" is not from a relevant search. Although, it is worth noting that some bots have been known to generate fake Google search URL's as their referrer using keywords found on the target site itself - very cunning. I have a very small blog, so already I’m intrigued whenever I am notified that a comment has been submitted. I never have comments automatically published without prior approval – a plus for removing any “instant gratification” that might arise from a perceived score. This new spam wave is cunning in it’s generic and realistic comments. Sometimes even the email address looks credible. The number one thing to always look at is the IP. Do a simple whois and find out which country it came from. If you’re like me, chances are, your target audience is for non-repressive, English speaking regions/countries. So, this would exclude China, Russia, Moldova, etc etc. Not an automatic indicator, but a very good one if you have a small blog with only a handful of blog posts. Naturally, a red flag would be the altering of the referrer, and more specifically, the lack of the customary URL parameters normally appended to a true Google search query. This means, “http://www.google.com/” is not from a relevant search. Although, it is worth noting that some bots have been known to generate fake Google search URL’s as their referrer using keywords found on the target site itself – very cunning.

]]> By: Jaca http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/#comment-5106 Jaca Mon, 06 Jul 2009 18:47:26 +0000 http://www.securitywatch.co.uk/?p=1479#comment-5106 This is what I got on my blog. I did not aloow it thnx to u. KonstantinMiller google.com konstantine@info1a.cn 89.28.14.35 Submitted on 2009/07/06 at 7:36pm Hello. I think the article is really interesting. I am even interested in reading more. How soon will you update your blog? This is what I got on my blog. I did not aloow it thnx to u.

KonstantinMiller
google.com
konstantine@info1a.cn
89.28.14.35
Submitted on 2009/07/06 at 7:36pm
Hello. I think the article is really interesting. I am even interested in reading more. How soon will you update your blog?

]]> By: Leonidas Georgiou http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/#comment-5105 Leonidas Georgiou Mon, 06 Jul 2009 17:43:06 +0000 http://www.securitywatch.co.uk/?p=1479#comment-5105 QWO9NI I think its good decision what he did., QWO9NI I think its good decision what he did.,

]]> By: Principles http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/#comment-5104 Principles Fri, 19 Jun 2009 03:26:00 +0000 http://www.securitywatch.co.uk/?p=1479#comment-5104 I was also confused by those comments initially. i approved a few and then started getting more and more. Super annoying. Won't make that mistake again. I was also confused by those comments initially. i approved a few and then started getting more and more. Super annoying. Won’t make that mistake again.

]]> By: Anonymous http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/#comment-5103 Anonymous Wed, 17 Jun 2009 03:56:37 +0000 http://www.securitywatch.co.uk/?p=1479#comment-5103 I just saw the IP Whois. Thinking an idea its to block entire range of 89.28.14.0 - 89.28.15.255. Not like The Republic of Moldova is high on my visitor stats anyway... I just saw the IP Whois. Thinking an idea its to block entire range of 89.28.14.0 – 89.28.15.255. Not like The Republic of Moldova is high on my visitor stats anyway…

]]> By: Anonymous http://www.techwatch.co.uk/2009/06/15/kattyblackyard-ip-89281435-in-massive-blog-spam-attack/#comment-5102 Anonymous Wed, 17 Jun 2009 03:52:53 +0000 http://www.securitywatch.co.uk/?p=1479#comment-5102 I own a blog and had a bout 8 or so comments when I noticed all from same ip 89.28.14.35, which led me here. I also found it strange that Google was listed as website and the same username. I have since used IP deny from all accounts on my server. No body does something this big without a reason. My guess would be mass spam, OR if blogs and forums are accepting the spam, it could show potential security issues with other 'careless' settings to send out mass spam via nobody or an unsecured folder of something. IP deny 89.28.14.35 seems to have worked so far. No more of this user on my blogs. I own a blog and had a bout 8 or so comments when I noticed all from same ip 89.28.14.35, which led me here. I also found it strange that Google was listed as website and the same username. I have since used IP deny from all accounts on my server. No body does something this big without a reason. My guess would be mass spam, OR if blogs and forums are accepting the spam, it could show potential security issues with other ‘careless’ settings to send out mass spam via nobody or an unsecured folder of something. IP deny 89.28.14.35 seems to have worked so far. No more of this user on my blogs.

]]>