Yesterday we were hijacking comment links, today we are scoping the spammer’s proxies.
The post title pretty much says it all, but I’m in the library now and it’s raining pretty hard and I don’t feel like walking home, so let me flesh it out a bit.
Spammers worth half their salt will use proxies (often “open”) to get around IP blocking measures.
Knowing that, doesn’t it make sense to put the IPs of your comments through a proxy checking script? This is an old hat trick for anyone who plays on IRC.
When someone POSTs to your blog, you put their IP in a database. You then port scan those IPs for everyone’s favorite open proxy ports: 80, 8080, 3128, etc.
If any are open, you try to connect through it as a proxy. Hey, you already know that there is a 90% chance that if it’s open it supports POST.
You can give it a go by using the WordPress comments on one of your open *logs.
Get Comment IPs From WordPress DB
mysql> SELECT comment_author_IP FROM `wp_comments`;
So why not leave comments open so they can post their little rants while you hijack their links and scope their proxies? Well, because the text sucks, but hey, you can clean that up too. You could leave them open, but then erase them with cron every night or two.
Comments are just one example; also record IPs for failed captchas, off-the-screen text areas, questionable forum posts, etc.
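The record-keeping step described above (IPs from comments, failed captchas, off-the-screen text areas and forum posts in one database), as an added example that is not part of the original post. It assumes an in-memory SQLite table in place of the WordPress database; the table name, source labels and sample addresses are constructed for illustration. Malformed and internal addresses are dropped so that your own reverse proxy or a bad log line never ends up on the review list.

```python
import ipaddress
import sqlite3

# Constructed sample events: (ip, source). Public-looking addresses come from
# the RFC 5737 documentation ranges; the labels are hypothetical.
SAMPLE_EVENTS = [
    ("203.0.113.7", "comment"),
    ("203.0.113.7", "failed_captcha"),
    ("203.0.113.7", "hidden_textarea"),
    ("198.51.100.23", "comment"),
    ("198.51.100.23", "comment"),
    ("10.0.0.5", "comment"),       # internal: e.g. the site's own reverse proxy
    ("not-an-ip", "forum_post"),   # garbage from a broken form handler
    ("192.0.2.44 ", "forum_post"), # stray whitespace, still a valid address
]

# Addresses that can never be a remote poster's real source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def usable(ip):
    """Return the normalised address, or None if it should not be recorded."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    if any(addr in net for net in INTERNAL_NETS):
        return None
    return str(addr)

def build_review_list(events, min_sources=1):
    """Rank recorded IPs by how many independent signals flagged them."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE suspect_events (ip TEXT NOT NULL, source TEXT NOT NULL)")
    rows = [(n, src) for ip, src in events if (n := usable(ip))]
    db.executemany("INSERT INTO suspect_events VALUES (?, ?)", rows)
    cur = db.execute(
        "SELECT ip, COUNT(*) AS hits, COUNT(DISTINCT source) AS sources "
        "FROM suspect_events GROUP BY ip "
        "HAVING COUNT(DISTINCT source) >= ? "
        "ORDER BY sources DESC, hits DESC, ip", (min_sources,))
    return cur.fetchall()

if __name__ == "__main__":
    for ip, hits, sources in build_review_list(SAMPLE_EVENTS):
        print(f"{ip:15} hits={hits} sources={sources}")
```

An IP flagged by several independent signals is a stronger candidate for the proxy check or a block rule than one that merely posted twice.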
Why won’t this work for email spam, you say? Because most of those spammers use rented botnets, which don’t have open ports.

2 Comments
Just want to say I enjoy reading your blog.
Your blog is great, mate! Can’t believe I never found it before, having read pretty much all of Eli’s stuff.