
Forum Moderators: Ocean10000


guestbook spammers

webbots that are sniffing around guestbook pages

     

Jaf

10:58 pm on Apr 13, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 9, 2001
posts:45
votes: 0


I'm seeing a series of robots hitting my guestbook, and following the post links. In the past I managed to correlate visits from the following with the posting of multiple

"Great site! visit my [URL]"

posts to the guestbook. When I got attacked in this manner it was usually 3 posts in a 24-hour period (possibly exacerbated by the fact I was deleting them).

Agents I've seen:

- DSurf15a, PSurf15a, RSurf15a,
- DBrowse, EBrowse, PBrowse, RBrowse

etc. These had common "version numbers" which I stripped out and I've now added all to my htaccess file.

As a result of the above, I monitor access to the guest page closely, and recently I've seen agents of the form

- Production Bot
- Web Bot
- Demo Bot

and in the last few days

- Educate Search
- Franklin Locator
- Industry Program
- Mac Finder
- Program Shareware
- Missauga Locate

all going straight to my guest page. A brief google search suggests they're visiting other people's guestbooks as well.

The IP addresses used are different and might vary.

So this is a mixture of a "heads up" for people, plus a request for anyone who knows anything about these agents to share.

It looks to me like someone has a database of spammable guestbook pages, which they are trying to verify and access using a form of distributed attack (variable IP address).

Cheers, Jaf

11:01 pm on Apr 13, 2003 (gmt 0)

Full Member

10+ Year Member

joined:Mar 18, 2002
posts:309
votes: 0


We got spammed on address book on a site that wasn't even live (no DNS). I altered the guestbook to not include URLs.

11:29 pm on Apr 13, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 27, 2002
posts:1685
votes: 0


It looks to me like someone has a database of spammable guestbook pages, which they are trying to verify and access using a form of distributed attack (variable IP address).

While I've never had guestbooks, I've followed these threads with interest in order to figure out why in the World someone would want to turn a bot loose on a simple guestbook.

Could there be any other reasons, other than "...a form of distributed attack..."?

In other words, why?

Pendanticist.

11:34 pm on Apr 13, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 1, 2002
posts:774
votes: 0


Pendanticist:

I THINK it is because one adds one's e-mail address when posting to a typical guest book. E-mail spammers, looking for e-mails, would look for e-mail-rich environments like guestbook pages!

dave

11:40 pm on Apr 13, 2003 (gmt 0)

New User

10+ Year Member

joined:Dec 3, 2002
posts:17
votes: 0


I suspect many of these bots are trying to harvest email addresses... guestbooks are notoriously rich with them. My girlfriend's guestbook got nailed once (I seem to recall that it was DSurf or some variant), and nearly everyone who'd signed it with an email addy got spammed. That's actually what led me to webmasterworld - it was the only site that had any helpful info. Since then, I've secured all of my sites (and hers) against various bots... including a spider trap expressly for bots seeking the word guestbook.

-Lars

11:46 pm on Apr 13, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 27, 2002
posts:1685
votes: 0


UCE/SPAMers. <Blech!> I shoulda know'd dat. <sheepish look on face now>

Good Luck to all! I hope you find a verrrrrry effective solution.

Pendanticist.

Jaf

11:46 pm on Apr 13, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 9, 2001
posts:45
votes: 0


I didn't really mean to imply a DDOS "attack" in the usual sense.

I can think of two motives, email harvesting, and placing spam messages onto the board.

The latter would be a way of boosting your google ranking, and indeed I had a ticket agency post an ad on my board, and for weeks Google sent me traffic looking for sports tickets. I replaced the message with one labelling the agency concerned as spammers.

I think most of the ones I've seen are looking to spam or improve their link popularity. I say this because they follow the POST links and call my CGI file. As it happens this won't work unless they fill in the fields correctly (like email address twice).

Some of the "spam" messages I get have been blatant ads, but others have been "hey! great site, keep it up" and then a URL. For the guestbook concerned these messages didn't make sense (I'm *not* saying it isn't a great site, mind :-)

If you do a Google search for "Franklin Locator" there are only a few hits, but one is a Glasgow guestbook showing recent entries from the agents I've named, although in that case there doesn't appear to be any messages. Those messages that are present simply exist to display porn URLs. In fact the browser agents on that page are a virtual who's who of the robots I'm talking about.

I've sent an email to the webmaster there.

[edited by: Jaf at 12:13 am (utc) on April 14, 2003]

Jaf

11:54 pm on Apr 13, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 9, 2001
posts:45
votes: 0


Actually searching that Glasgow page yields the following list of non-Mozilla UAs

- CBrowse 1.4b
- DBrowse 1.4b
- DBrowse 1.4d
- DDemo
- Demo Bot DOT 16b
- Demo Bot Z 16b
- DSurf15a 01
- DSurf15a 21
- DSurf15a 31
- DSurf15a 51
- DSurf15a 61
- DSurf15a 71
- DSurf15a 81
- DSurf15a 91
- DSurf15a VA
- EBrowse 1.4b
- Educate Search V0B
- Educate Search V10B
- Educate Search V16B
- Educate Search V1B
- Educate Search V24B
- Educate Search V2B
- Educate Search V32B
- Educate Search V34B
- Educate Search V36B
- Educate Search V38B
- Educate Search V39B
- Educate Search V4B
- Educate Search V5B
- Educate Search V9B
- Educate Search VDemoB
- Franklin Locator 1.8
- FSurf15a 01
- Full Web Bot 0216B
- Full Web Bot 0416B
- Full Web Bot 0516B
- Full Web Bot 2816B
- Industry Program 1.0.1
- Industry Program 1.0.4
- Industry Program 1.0.5
- Mac Finder 1.0.24
- Mac Finder 1.0.33
- Mac Finder 1.0.34
- Mac Finder 1.0.36
- Mac Finder 1.0.39
- Mac Finder 1.0.9
- Missauga Locate 1.0.0
- Missigua Locator 1.9
- PBrowse 1.4b
- PEval 1.4b
- Production Bot 0016B
- Production Bot 0116B
- Production Bot 0416B
- Production Bot 0716B
- Production Bot 0816B
- Production Bot 0916B
- Production Bot 1316B
- Production Bot 1416B
- Production Bot 1516B
- Production Bot 2416B
- Production Bot DOT 3016B
- Production Bot DOT 3116B
- Production Bot DOT 3316B
- Production Bot DOT 3516B
- Production Bot DOT 3616B
- Production Bot DOT 3716B
- Production Bot DOT 3816B
- PSurf15a 11
- PSurf15a 41
- PSurf15a 51
- PSurf15a 61
- PSurf15a VA
- RBrowse 1.4b
- RSurf15a 41
- RSurf15a 51
- RSurf15a 81
- SSurf15a 11

Stripping out the version numbers gives pretty much the same list as I posted earlier. I forgot about PEval etc, and DDemo.

BTW, I think "IBrowse" (not on the above list) is a legitimate browser, so be careful with your regexps :-)

Jaf

11:31 pm on Apr 17, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 9, 2001
posts:45
votes: 0


Another one turned up today

- WEP Search 00

from IP 134.22.68.190

Jaf

11:01 pm on Apr 18, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 9, 2001
posts:45
votes: 0


Another day, another spambot

- Missouri College Browse

IP was 66.156.238.205

Jaf

12:11 am on Apr 22, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 9, 2001
posts:45
votes: 0


Today's addition is

- IUPUI Research Bot

from IP address 66.139.78.133. I'm not sure how useful it is to people to keep posting followups to this thread, as these "bots" seem to be appearing with new names every few days.

Jaf

11:26 pm on Apr 25, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 9, 2001
posts:45
votes: 0


This is getting tedious

- Lincoln State Web Browser

from 66.118.178.42

Jaf

12:08 am on May 1, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 9, 2001
posts:45
votes: 0


Today's new agent is

- 8484 Boston Project v 1.0

from 66.243.130.176

9:24 am on May 16, 2003 (gmt 0)

Full Member

10+ Year Member

joined:Aug 2, 2002
posts:216
votes: 0


See also this thread:

[webmasterworld.com...]

Basically after renaming the guestbook directory from "guestbook" to something else, the problem went away. I still have every day these spambots hitting my site with GET /guestbook requests, but they only generate 404 errors now.

9:47 am on May 16, 2003 (gmt 0)

Full Member

10+ Year Member

joined:Sept 2, 2002
posts:210
votes: 0


Our guestbook has been spammed to death the last month or so. We are going to put a new version of our site on line next month and will not have a guestbook, or if we do, I'll just have a page where entries are completed in a form and emailed to us. We can then copy and paste it to our guestbook and keep only customer comments and not 50 entries that all say "Nice Site!"

Jaf

9:48 am on May 16, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 9, 2001
posts:45
votes: 0


Thanks for that link. These guestbook spammers come straight in on the guestbook link, so it's obviously been harvested somehow previously.

In my case the URL is .../somedir/guestbook/guestbook.html so just guessing it wouldn't find it, but searching for the word "guestbook" in a link or URL would.

I don't think I'm going to use gifs in the link, but I think I might try renaming the page and taking a page out of the spammers' book and adding spurious HTML comments in the middle of the word guestbook, although I'm not sure that will work as search engines may be smart enough to re-assemble the word.

Currently I redirect all known spambots to a small alternative page.

7:48 pm on May 16, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 16, 2003
posts:992
votes: 0


Jaf, do you use a robots.txt on that guestbook to prevent the links on it from making it into the search engines? When a dodgy outbound link can hurt your ranking it's common sense, but I know not all webmasters have access to do this.

Jaf

8:09 pm on May 16, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 9, 2001
posts:45
votes: 0


I can't say I do. Since the purpose of the guestbook is for visitors to leave nice comments about my aunt's guest house I don't really want it to not be spidered, on top of which I don't really support links out of the guestbook (other than fixed navigational links)

Most (if not all) of the comments are simply recorded as plain text. Provided it's not abused I'd expect it to be an asset as far as search engine ranking is concerned.

I just want to protect it from spamming, as I have to manually remove all abusive comments.

2:53 pm on June 5, 2003 (gmt 0)

New User

10+ Year Member

joined:Mar 25, 2003
posts:33
votes: 0


Not sure if anyone's seen this one yet... looks like we got a new guestbook spambot... "Program Shareware"...

2003-06-05 07:43:03 68.96.97.124 GET /guestbook/ 302 Program+Shareware+1.0.1
2003-06-05 07:43:03 68.96.97.124 GET /guestbook/Default.asp 200 Program+Shareware+1.0.1

2003-06-05 11:22:46 66.169.140.28 GET /guestbook/ 302 Program+Shareware+1.0.6
2003-06-05 11:22:56 66.169.140.28 GET /guestbook/Default.asp 200 Program+Shareware+1.0.6
2003-06-05 11:24:22 66.169.140.28 GET /default.aspx 200 Program+Shareware+1.0.6

(IIS logs, fyi -- it adds "+" to spaces in the useragent)

No requests for robots.txt. Anyone have the stuff to add to .htaccess for this one?
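An added example, not part of any post in this thread: one way to screen log lines in the layout quoted above for the agent families named earlier in the thread, while leaving "IBrowse" alone as Jaf cautions. The sample lines, their documentation-range IP addresses, the IBrowse user-agent string and the function names are constructed for illustration; the family list is not exhaustive.

```python
import re
from collections import defaultdict

# Agent families named in this thread, version suffixes stripped (not exhaustive).
NAMED = [
    "Production Bot", "Full Web Bot", "Web Bot", "Demo Bot", "Educate Search",
    "Franklin Locator", "Industry Program", "Mac Finder", "Program Shareware",
    "Missauga Locate", "Missigua Locator", "DDemo", "PEval",
]
# Only the prefix letters actually reported, never [A-Z]: "IBrowse" must not match.
LETTERED = r"[CDEPR]Browse|[DFPRS]Surf15a"

# Anchored at the start; the family name must be followed by whitespace or end of string.
SPAM_UA = re.compile(
    r"^(?:" + "|".join(map(re.escape, NAMED)) + "|" + LETTERED + r")(?:\s|$)"
)

def parse_line(line):
    """Split 'date time ip method uri status user-agent'; return None for other layouts."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, _method, uri, _status, ua = parts
    # IIS writes spaces in the user agent as '+', so undo that before matching.
    return {"ip": ip, "uri": uri, "ua": ua.replace("+", " ")}

def flag_guestbook_bots(lines):
    """Return {agent family: sorted source IPs} for listed agents requesting a guestbook URL."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or "guestbook" not in rec["uri"].lower():
            continue
        match = SPAM_UA.match(rec["ua"])
        if match:
            hits[match.group(0).strip()].add(rec["ip"])
    return {family: sorted(ips) for family, ips in hits.items()}

# Constructed sample lines (documentation IP ranges), same column order as the post above.
SAMPLE = [
    "2003-06-05 07:43:03 192.0.2.10 GET /guestbook/ 302 Program+Shareware+1.0.1",
    "2003-06-05 11:22:46 198.51.100.7 GET /guestbook/Default.asp 200 Program+Shareware+1.0.6",
    "2003-06-05 11:30:02 203.0.113.5 GET /guestbook/Default.asp 200 DSurf15a+01",
    "2003-06-05 12:01:10 192.0.2.44 GET /guestbook/Default.asp 200 IBrowse/2.3+(AmigaOS+3.9)",
    "2003-06-05 12:05:00 192.0.2.10 GET /default.aspx 200 Program+Shareware+1.0.1",
]

if __name__ == "__main__":
    for family, ips in flag_guestbook_bots(SAMPLE).items():
        print(family, ips)
```

Grouping by family rather than by address reflects the thread's observation that the same agent arrives from varying IPs; because new names keep appearing, the list needs regular maintenance.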

8:17 pm on June 5, 2003 (gmt 0)

New User from US 

joined:Nov 27, 2015
posts:
votes: 0

After reading this topic, I felt I should reply with something interesting.

I found this link, which has 1200-plus guestbooks that are automatically spammed.

http://example/guestbook/post2.asp?id=1

This starts at one, and goes to around id=700

then there is

http:///guestbook/post.asp?id=1
id=500 +
around 500 websites

the thing about this site, is it posts spam to guestbooks with a link back to a casino site

Now what I have done with my guestbook is some serious modifications. First, I have it so that all email addresses are output into the html source as raw ascii, and second, I have a nice spam trap on the page that dynamically produces thousands of bogus email addresses on the fly. It is a hidden link in the page that the spam spiders have no problems finding. They of course get none of the real email addresses, but get tons of bogus ones.

[edited by: jatar_k at 7:16 pm (utc) on Oct. 7, 2005]

5:27 pm on June 10, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 28, 2003
posts:1979
votes: 0


Mac Finder is back, still sniffing around guestbook pages. Here's a recent log file entry from one of my sites:

2003-06-10 10:08:27 212.179.35.145 - GET /default.asp - 200 Mac+Finder+1.0.44 -

It's now saying it's version 1.0.44 , coming from bezeqint.net, Bezeqint Hosting Customers.

12:16 pm on July 15, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 11, 2001
posts:44
votes: 0



Besides the normal ones that spam guestbooks with urls, I'm getting a lot of strange ones.

Sometimes I get ones that make no sense at all, they say something like "guys i'm here........." , " or don't land................" , no url link at all. Some I already deleted, others are still there.

I did a google search and found quite a few guestbooks hit exactly the same way, misspelling, email address, sendername exactly the same etc.

Any idea why a bot (assuming it is a bot) would do that? If it was to harvest email (it didn't leave any urls so this is the only reason) why leave any entries at all? Surely it doesn't need the guestbook entry as a reminder that it has already visited this particular guestbook?

12:21 pm on July 15, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 11, 2001
posts:44
votes: 0


I got an even weirder one.

It said

"Hi *realnamecensored*,
very interesting page!
You've done a lot of useful and acribic work.
Good succes, Otto"

Looks normal right? No url spamming, legitimate? Something was bugging me though, and suddenly I realised what. It was a complete copy of an older comment in 2001, when the site just began.

I scrolled down, and yes, it was exactly the same down to the misspelling of success and the word "acribic", which isn't commonly used. The only difference was the name and email given.

Googling the email turned up the email given from an email lottery scam.

Could this be a human out to teach the spammer a lesson by leaving his email to be harvested? If so, why not make a real comment?

Or could it be someone creating a bot to randomly duplicate one of the older comments? That way the webmaster probably would treat it as a legitimate comment, assuming he didn't remember that it was a duplicate of an older comment.

Puzzled
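An added example, not part of the post above: a check a guestbook script could run before accepting an entry, to catch the recycled-comment pattern described in the last post (an old comment resubmitted under a different name and email). The entry layout, names, addresses, threshold and function names are assumptions made for illustration; the sample comment text is the one quoted in the post, with a constructed greeting name.

```python
import re
from difflib import SequenceMatcher

MIN_LEN = 30  # assumed cut-off: short stock phrases repeat innocently between real visitors

def normalise(text):
    """Lower-case, drop punctuation and collapse whitespace so cosmetic edits do not hide a copy."""
    return " ".join(re.sub(r"[^\w\s]", " ", text.lower()).split())

def find_recycled(new_entry, archive, threshold=0.9):
    """Return the archived entry whose body the new entry copies under another identity, else None."""
    new_body = normalise(new_entry["body"])
    if len(new_body) < MIN_LEN:
        return None
    best, best_ratio = None, threshold
    for old in archive:
        if old["email"].lower() == new_entry["email"].lower():
            continue  # the same signer repeating themselves is a different case
        ratio = SequenceMatcher(None, normalise(old["body"]), new_body).ratio()
        if ratio >= best_ratio:
            best, best_ratio = old, ratio
    return best

# Constructed archive; the first body reproduces the comment quoted in the post above.
ARCHIVE = [
    {"name": "Otto", "email": "otto@example.org",
     "body": "Hi Anna,\nvery interesting page!\nYou've done a lot of useful and acribic work.\n"
             "Good succes, Otto"},
    {"name": "Mia", "email": "mia@example.org",
     "body": "Lovely stay, we will be back next summer."},
]

# Constructed submission: same text with different spacing, new name and email.
RECYCLED = {"name": "J. Smith", "email": "claims@example.net",
            "body": "Hi Anna,  very interesting page! You've done a lot of useful "
                    "and acribic work. Good succes, Otto"}

FRESH = {"name": "Tom", "email": "tom@example.com",
         "body": "Great breakfast and a very friendly welcome, thank you."}

if __name__ == "__main__":
    hit = find_recycled(RECYCLED, ARCHIVE)
    print("recycled from:", hit["name"] if hit else None)
    print("fresh entry flagged:", find_recycled(FRESH, ARCHIVE) is not None)
```

An entry flagged this way is better held for manual review than rejected outright, since the threshold is a guess and a visitor may quote an earlier comment on purpose.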

 
