guestbook spammers

webbots that are sniffing around guestbook pages

         

Jaf

10:58 pm on Apr 13, 2003 (gmt 0)

10+ Year Member



I'm seeing a series of robots hitting my guestbook, and following the post links. In the past I managed to correlate visits from the following with the posting of multiple

"Great site! visit my [URL]"

posts to the guestbook. When I got attacked in this manner it was usually 3 posts in a 24 hour period (possibly exacerbated by the fact I was deleting them).

Agents I've seen:

- DSurf15a, PSurf15a, RSurf15a,
- DBrowse, EBrowse, PBrowse, RBrowse

etc. These had common "version numbers" which I stripped out and I've now added all to my htaccess file.

As a result of the above, I monitor access to the guest page closely, and recently I've seen agents of the form

- Production Bot
- Web Bot
- Demo Bot

and in the last few days

- Educate Search
- Franklin Locator
- Industry Program
- Mac Finder
- Program Shareware
- Missauga Locate

all going straight to my guest page. A brief google search suggests they're visiting other people's guestbooks as well.

The IP addresses used are different and might vary.

So this is a mixture of a "heads up" for people, plus a request for anyone who knows anything about these agents to share.

It looks to me like someone has a database of spammable guestbook pages, which they are trying to verify and access using a form of distributed attack (variable IP address).

Cheers, Jaf

olwen

11:01 pm on Apr 13, 2003 (gmt 0)

10+ Year Member



We got spammed on address book on a site that wasn't even live (no DNS). I altered the guestbook to not include URLs.

pendanticist

11:29 pm on Apr 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It looks to me like someone has a database of spammable guestbook pages, which they are trying to verify and access using a form of distributed attack (variable IP address).

While I've never had guestbooks, I've followed these threads with interest in order to figure out why in the World someone would want to turn a bot loose on a simple guestbook.

Could there be any other reasons, other than "...a form of distributed attack..."?

In other words, why?

Pendanticist.

carfac

11:34 pm on Apr 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Pendanticist:

I THINK it is because one adds one's e-mail address when posting to a typical guest book. E-Mail spammers, looking for e-mails, would look for e-mail-rich environments like guestbook pages!

dave

WitchLars

11:40 pm on Apr 13, 2003 (gmt 0)

10+ Year Member



I suspect many of these bots are trying to harvest email addresses... guestbooks are notoriously rich with them. My girlfriend's guestbook got nailed once (I seem to recall that it was DSurf or some variant), and nearly everyone who'd signed it with an email addy got spammed. That's actually what led me to webmasterworld - it was the only site that had any helpful info. Since then, I've secured all of my sites (and hers) against various bots... including a spider trap expressly for bots seeking the word guestbook.

-Lars

pendanticist

11:46 pm on Apr 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



UCE/SPAMers. <Blech!> I shoulda know'd dat. <sheepish look on face now>

Good Luck to all! I hope you find a verrrrrry effective solution.

Pendanticist.

Jaf

11:46 pm on Apr 13, 2003 (gmt 0)

10+ Year Member



I didn't really mean to imply a DDOS "attack" in the usual sense.

I can think of two motives, email harvesting, and placing spam messages onto the board.

The latter would be a way of boosting your google ranking, and indeed I had a ticket agency post an ad on my board, and for weeks Google sent me traffic looking for sports tickets. I replaced the message with one labelling the agency concerned as spammers.

I think most of the ones I've seen are looking to spam or improve their link popularity. I say this because they follow the POST links and call my CGI file. As it happens this won't work unless they fill in the fields correctly (like email address twice).

Some of the "spam" messages I get have been blatant ads, but others have been "hey! great site, keep it up" and then a URL. For the guestbook concerned these messages didn't make sense (I'm *not* saying it isn't a great site, mind :-)

If you do a Google search for "Franklin Locator" there are only a few hits, but one is a Glasgow guestbook showing recent entries from the agents I've named, although in that case there doesn't appear to be any messages. Those messages that are present simply exist to display porn URLs. In fact the browser agents on that page are a virtual who's who of the robots I'm talking about.

I've sent an email to the webmaster there.

[edited by: Jaf at 12:13 am (utc) on April 14, 2003]

Jaf

11:54 pm on Apr 13, 2003 (gmt 0)

10+ Year Member



Actually searching that Glasgow page yields the following list of non-Mozilla UAs:

- CBrowse 1.4b
- DBrowse 1.4b
- DBrowse 1.4d
- DDemo
- Demo Bot DOT 16b
- Demo Bot Z 16b
- DSurf15a 01
- DSurf15a 21
- DSurf15a 31
- DSurf15a 51
- DSurf15a 61
- DSurf15a 71
- DSurf15a 81
- DSurf15a 91
- DSurf15a VA
- EBrowse 1.4b
- Educate Search V0B
- Educate Search V10B
- Educate Search V16B
- Educate Search V1B
- Educate Search V24B
- Educate Search V2B
- Educate Search V32B
- Educate Search V34B
- Educate Search V36B
- Educate Search V38B
- Educate Search V39B
- Educate Search V4B
- Educate Search V5B
- Educate Search V9B
- Educate Search VDemoB
- Franklin Locator 1.8
- FSurf15a 01
- Full Web Bot 0216B
- Full Web Bot 0416B
- Full Web Bot 0516B
- Full Web Bot 2816B
- Industry Program 1.0.1
- Industry Program 1.0.4
- Industry Program 1.0.5
- Mac Finder 1.0.24
- Mac Finder 1.0.33
- Mac Finder 1.0.34
- Mac Finder 1.0.36
- Mac Finder 1.0.39
- Mac Finder 1.0.9
- Missauga Locate 1.0.0
- Missigua Locator 1.9
- PBrowse 1.4b
- PEval 1.4b
- Production Bot 0016B
- Production Bot 0116B
- Production Bot 0416B
- Production Bot 0716B
- Production Bot 0816B
- Production Bot 0916B
- Production Bot 1316B
- Production Bot 1416B
- Production Bot 1516B
- Production Bot 2416B
- Production Bot DOT 3016B
- Production Bot DOT 3116B
- Production Bot DOT 3316B
- Production Bot DOT 3516B
- Production Bot DOT 3616B
- Production Bot DOT 3716B
- Production Bot DOT 3816B
- PSurf15a 11
- PSurf15a 41
- PSurf15a 51
- PSurf15a 61
- PSurf15a VA
- RBrowse 1.4b
- RSurf15a 41
- RSurf15a 51
- RSurf15a 81
- SSurf15a 11

Stripping out the version numbers gives pretty much the same list as I posted earlier. I forgot about PEval etc, and DDemo.

BTW, I think "IBrowse" (not on the above list) is a legitimate browser, so be careful with your regexps :-)

Jaf

11:31 pm on Apr 17, 2003 (gmt 0)

10+ Year Member



Another one turned up today

- WEP Search 00

from IP 134.22.68.190

Jaf

11:01 pm on Apr 18, 2003 (gmt 0)

10+ Year Member



Another day, another spambot

- Missouri College Browse

IP was 66.156.238.205

Jaf

12:11 am on Apr 22, 2003 (gmt 0)

10+ Year Member



Today's addition is

- IUPUI Research Bot

from IP address 66.139.78.133. I'm not sure how useful it is to people to keep posting followups to this thread, as these "bots" seem to be appearing with new names every few days.

Jaf

11:26 pm on Apr 25, 2003 (gmt 0)

10+ Year Member



This is getting tedious

- Lincoln State Web Browser

from 66.118.178.42

Jaf

12:08 am on May 1, 2003 (gmt 0)

10+ Year Member



Today's new agent is

- 8484 Boston Project v 1.0

from 66.243.130.176

Scooter24

9:24 am on May 16, 2003 (gmt 0)

10+ Year Member Top Contributors Of The Month



See also this thread:

[webmasterworld.com...]

Basically after renaming the guestbook directory from "guestbook" to something else, the problem went away. I still have every day these spambots hitting my site with GET /guestbook requests, but they only generate 404 errors now.

Monkscuba

9:47 am on May 16, 2003 (gmt 0)

10+ Year Member



Our guestbook has been spammed to death the last month or so. We are going to put a new version of our site on line next month and will not have a guestbook, or if we do, I'll just have a page where entries are completed in a form and emailed to us. We can then copy and paste it to our guestbook and keep only customer comments and not 50 entries that all say "Nice Site!"

Jaf

9:48 am on May 16, 2003 (gmt 0)

10+ Year Member



Thanks for that link. These guestbook spammers come straight in on the guestbook link, so it's obviously been harvested somehow previously.

In my case the URL is .../somedir/guestbook/guestbook.html so just guessing it wouldn't find it, but searching for the word "guestbook" in a link or URL would.

I don't think I'm going to use gifs in the link, but I think I might try renaming the page and taking a page out of the spammers' book and add spurious HTML comments in the middle of the word guestbook, although I'm not sure that will work as search engines may be smart enough to re-assemble the word.

Currently I redirect all known spambots to a small alternative page.

Rosalind

7:48 pm on May 16, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Jaf, do you use a robots.txt on that guestbook to prevent the links on it from making it into the search engines? When a dodgy outbound link can hurt your ranking it's common sense, but I know not all webmasters have access to do this.

Jaf

8:09 pm on May 16, 2003 (gmt 0)

10+ Year Member



I can't say I do. Since the purpose of the guestbook is for visitors to leave nice comments about my aunt's guest house I don't really want it to not be spidered, on top of which I don't really support links out of the guestbook (other than fixed navigational links)

Most (if not all) of the comments are simply recorded as plain text. Provided it's not abused I'd expect it to be an asset as far as search engine ranking is concerned.

I just want to protect it from spamming, as I have to manually remove all abusive comments.

kewlbeezer

2:53 pm on Jun 5, 2003 (gmt 0)

10+ Year Member



Not sure if anyone's seen this one yet... looks like we got a new guestbook spambot... "Program Shareware"...

2003-06-05 07:43:03 68.96.97.124 GET /guestbook/ 302 Program+Shareware+1.0.1
2003-06-05 07:43:03 68.96.97.124 GET /guestbook/Default.asp 200 Program+Shareware+1.0.1

2003-06-05 11:22:46 66.169.140.28 GET /guestbook/ 302 Program+Shareware+1.0.6
2003-06-05 11:22:56 66.169.140.28 GET /guestbook/Default.asp 200 Program+Shareware+1.0.6
2003-06-05 11:24:22 66.169.140.28 GET /default.aspx 200 Program+Shareware+1.0.6

(IIS logs, fyi -- it adds "+" to spaces in the useragent)

No requests for robots.txt. Anyone have the stuff to add to .htaccess for this one?
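An added example, not part of any post in this thread: a log check that combines the points made above, stripping version numbers to a family name, anchoring the match so IBrowse is not caught, and decoding the "+" that IIS writes for spaces. The sample log lines are constructed, the IP addresses are documentation ranges, and the IBrowse agent string is an assumed example.

```python
import re

# Agent families named in this thread, anchored at the start of the string so
# a loose "Browse" substring rule cannot catch the legitimate "IBrowse".
FAMILIES = re.compile(
    r"^(?:[CDEPR]Browse|[DFPRS]Surf15a|DDemo|PEval|Demo Bot|Production Bot|"
    r"Full Web Bot|Web Bot|Educate Search|Franklin Locator|Industry Program|"
    r"Mac Finder|Program Shareware|Missauga Locate|Missigua Locator)\b"
)

# Constructed sample in the 7-field layout quoted above; the IP addresses are
# documentation ranges and the IBrowse agent string is an assumed example.
SAMPLE_LOG = """\
2003-06-05 07:43:03 192.0.2.10 GET /guestbook/ 302 Program+Shareware+1.0.1
2003-06-05 07:43:03 192.0.2.10 GET /guestbook/Default.asp 200 Program+Shareware+1.0.1
2003-06-05 08:02:11 198.51.100.7 GET /guestbook/ 200 IBrowse/2.3+(AmigaOS+3.9)
2003-06-05 08:05:40 203.0.113.5 GET /guestbook/Default.asp 200 DSurf15a+51
2003-06-05 08:09:12 203.0.113.9 GET /default.aspx 200 Mac+Finder+1.0.44
""".splitlines()


def family(ua):
    """Return the family name with its version suffix stripped, or None."""
    m = FAMILIES.match(ua)
    return m.group(0) if m else None


def parse(line):
    """Split one log line; IIS writes spaces in the agent as '+'."""
    _date, _time, ip, _method, path, _status, ua = line.split()
    return ip, path, ua.replace("+", " ")


def suspects(lines):
    """Map client IP -> family for listed agents that requested a guestbook URL."""
    hits = {}
    for ip, path, ua in map(parse, lines):
        fam = family(ua)
        if fam and "guestbook" in path.lower():
            hits[ip] = fam
    return hits


if __name__ == "__main__":
    for ip, fam in suspects(SAMPLE_LOG).items():
        print(ip, fam)
```

Because the thread reports new agent names appearing every few days, a name list like this is one signal to review alongside the request pattern, not a complete filter.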

Jared

8:17 pm on Jun 5, 2003 (gmt 0)


After reading this topic, I felt I should reply with something interesting.

I found this link, that has 1200 plus guestbooks that are automatically spammed.

http://example/guestbook/post2.asp?id=1

This starts at one, and goes to around id=700

then there is

http:///guestbook/post.asp?id=1
id=500 +
around 500 websites

the thing about this site, is it posts spam to guestbooks with a link back to a casino site

Now what I have done with my guestbook, is some serious modifications. First I have it so that all email addresses are output into the html source as raw ascii, and second, I have a nice spam trap on the page, that dynamically produces thousands of bogus email addresses on the fly. It is a hidden link in the page that the spam spiders have no problems finding. They of course get none of the real email addresses, but get tons of bogus ones.

[edited by: jatar_k at 7:16 pm (utc) on Oct. 7, 2005]

bhartzer

5:27 pm on Jun 10, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Mac Finder is back, still sniffing around guestbook pages. Here's a recent log file entry from one of my sites:

2003-06-10 10:08:27 212.179.35.145 - GET /default.asp - 200 Mac+Finder+1.0.44 -

It's now saying it's version 1.0.44, coming from bezeqint.net, Bezeqint Hosting Customers.

Hobbyist

12:16 pm on Jul 15, 2003 (gmt 0)

10+ Year Member




Besides the normal ones that spam guestbooks with urls, I'm getting a lot of strange ones.

Sometimes I get ones that make no sense at all, they say something like "guys i'm here........." , " or don't land................" , no url link at all. Some I already deleted, others are still there.

I did a google search and I found quite a few guestbooks hit exactly the same way, misspelling, email address, sendername exactly the same etc.

Any idea why a bot (assuming it is a bot) would do that? If it was to harvest email (it didn't leave any urls so this is the only reason) why leave any entries at all? Surely it doesn't need the guestbook entry as a reminder that it has already visited this particular guestbook?

Hobbyist

12:21 pm on Jul 15, 2003 (gmt 0)

10+ Year Member



I got an even weirder one.

It said

"Hi *realnamecensored*,
very interesting page!
You've done a lot of useful and acribic work.
Good succes, Otto""

Looks normal right? No url spamming, legitimate? Something was bugging me though, and suddenly I realised what. It was a complete copy of an older comment in 2001, when the site just began.

I scrolled down, and yes, it was exactly the same down to the misspelling of success and the word "acribic" isn't commonly used. The only difference was the name, and email given.

Googling the email, turned up the email given from an email lottery scam.

Could this be a human out to teach the spammer a lesson by leaving his email to be harvested? If so, why not make a real comment?

Or could it be someone creating a bot to randomly duplicate one of the older comments. That way the webmaster probably would treat it as a legitimate comment, assuming he didn't remember that it was a duplicate of an older comment.

Puzzled
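An added example, not part of any post in this thread: a moderation check for the pattern described above, where a new entry repeats the body of an older comment under a different name and email. The entry fields, the sample entries, the addresses and the 0.9 similarity threshold are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed guestbook entries; entry 1 reuses the comment text quoted above.
OLDER = [
    {"id": 1, "email": "visitor2001@example.com",
     "body": "very interesting page! You've done a lot of useful and "
             "acribic work. Good succes"},
    {"id": 2, "email": "guest@example.org",
     "body": "Lovely rooms and a great breakfast, we will be back."},
]


def normalise(text):
    """Lower-case and drop punctuation and spacing so trivial edits do not hide a copy."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))


def find_copy(new, older, threshold=0.9):
    """Return the id of an older entry that `new` copies from another sender, else None."""
    body = normalise(new["body"])
    for old in older:
        same_sender = old["email"].lower() == new["email"].lower()
        score = SequenceMatcher(None, body, normalise(old["body"])).ratio()
        # A copied body under a new name/email is the pattern to hold for review;
        # the same sender posting twice is treated as an ordinary double submit.
        if score >= threshold and not same_sender:
            return old["id"]
    return None


if __name__ == "__main__":
    incoming = {"email": "winner@example.net",
                "body": "Very interesting page!  You've done a lot of useful "
                        "and acribic work.\nGood succes"}
    print(find_copy(incoming, OLDER))
```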