* Assorted BBS spam
#BBS-spam-countermeasures #Web
create : 2006/12/19 (Tue)
update : 2007/02/16 (Fri)
A record of the spam-posting bots that have tried to write to my BBS.
GET, POST, GET
- Fetches the form, posts, then fetches again to confirm the post
- The name and subject strings are random or some kind of hash, presumably used to check results
- The gap between GET and POST is about one second, which is what gets it rejected
2007/02/16,09:41:10,64.69.39.28,"reverse.bhangra.fm","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/16,09:41:11,64.69.39.28,"reverse.bhangra.fm","-","-",POST,"ttp://baku.homeunix.net/BBS/BBS.cgi","","1.1",404
2007/02/16,09:41:13,64.69.39.28,"reverse.bhangra.fm","-","-",GET,"/BBS/BBS.cgi","","1.1",200
1171586471 Fri Feb 16 09:41:11 JST 2007 rep_num 0 pass 1q2w3e4r jikan 1171586470 do post name Sxpkufnbtveq data 3412 ttp://www.1000pills.com <p><br> 8174 ttp://tramadolshop.blogspot.com , , 1293 ttp://ixbt.blogspot.com <br> 2277 ttp://www.sexherbalpills.com <p><BR> 3861 ttp://ixbt.blogspot.com <P><BR> mail xxzmhlcfak@gmail.com subj Gebcaltmoepv
qwerty12 (provisional name)
- Nothing distinctive, but nothing dumb about it either
- Extremely long body. It exceeded picoBBS's default 4096 bytes and errored out before the spam check ran. It also seems to be trying shorter versions with only about two URLs listed.
- + Heavy rapid-fire posting +
- Does a GET once(?) and keeps reusing it for POST after POST
1171434078 Wed Feb 14 15:21:18 JST 2007
rep_num 0
pass qwerty12
jikan 1171261505
do post
name Impotent
mail slash@click.com
data Keep up a good work on the site
http://kristara-barrington.buy-ringtone.info/ kristara barrington <a href="http://kristara-barrington.buy-ringtone.info/">kristara barrington</a> [url=http://kristara-barrington.buy-ringtone.info/]kristara barrington[/url]
(about 20 lines omitted)
http://ringtone-reik.firstssite.info/ ringtone reik <a href="http://ringtone-reik.firstssite.info/">ringtone reik</a> [url=http://ringtone-reik.firstssite.info/]ringtone reik[/url]
Thanks.
subj We lol
2007/02/14,12:51:35,66.232.118.177,"","-","-",POST,"ttp://baku.homeunix.net/BBS/BBS.cgi"
2007/02/14,12:51:50,66.232.118.177,"","-","-",POST,"ttp://baku.homeunix.net/BBS/BBS.cgi"
2007/02/14,12:51:51,66.232.118.177,"","-","-",POST,"ttp://baku.homeunix.net/BBS/BBS.cgi"
2007/02/14,12:51:56,66.232.118.177,"","-","-",POST,"ttp://baku.homeunix.net/BBS/BBS.cgi"
2007/02/14,12:52:15,66.232.118.177,"","-","-",POST,"ttp://baku.homeunix.net/BBS/BBS.cgi"
One link only, but repeated posts
- Only one link in the body, presumably to slip past filters that reject on link count
- To make up for it, it posts many times
- A few seconds from GET to POST
- Each GET/POST pair is spaced about one minute apart
- Started seeing this from early February 2007
1171247975 Mon Feb 12 11:39:35 JST 2007
1171247984 Mon Feb 12 11:39:44 JST 2007
書き込み(W)
rep_num 0
pass 165779448
do post
name Michael
data The Site is excellent! Great job
<a href='http://hammock.dl.am '>hammock</a>
subj Berotti
jikan 1171247976
mail Michael@kxiluoay.com
2007/02/12,11:39:43,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:39:44,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",POST,"/BBS/BBS.cgi","","1.1",404
2007/02/12,11:40:29,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:40:31,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",POST,"/BBS/BBS.cgi","","1.1",404
2007/02/12,11:41:21,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:41:24,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",POST,"/BBS/BBS.cgi","","1.1",404
2007/02/12,11:42:13,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:42:18,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",POST,"/BBS/BBS.cgi","","1.1",404
2007/02/12,11:43:10,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:43:12,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",POST,"/BBS/BBS.cgi","","1.1",404
2007/02/12,11:44:10,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:44:12,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",POST,"/BBS/BBS.cgi","","1.1",404
2007/02/12,11:45:19,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:45:23,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",POST,"/BBS/BBS.cgi","","1.1",404
2007/02/12,11:46:27,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:46:29,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",POST,"/BBS/BBS.cgi","","1.1",404
2007/02/12,11:47:32,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:47:42,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",POST,"/BBS/BBS.cgi","","1.1",404
2007/02/12,11:48:24,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:48:28,86.106.209.249,"host-86-106-209-249.moldtelecom.md","-","-",POST,"/BBS/BBS.cgi","","1.1",404
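The timing tells described above (GET to POST about a second apart, rapid-fire POSTs, and POSTs from a host that never fetched the form) can be pulled straight out of the access log. The following Python is an added example, not code from this page or from PicoBBS. It assumes the CSV-style log layout shown above (date, time, IP, host, two dashes, method, path, query, HTTP version, status), the log lines are constructed samples using documentation IP ranges, and the thresholds are assumptions to be tuned per site.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample in the same CSV layout as the access-log lines above (not real traffic).
# Fields: date,time,ip,host,-,-,method,path,query,httpver,status
SAMPLE_LOG = """\
2007/02/16,09:41:10,192.0.2.10,"bot-a.example","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/16,09:41:11,192.0.2.10,"bot-a.example","-","-",POST,"/BBS/BBS.cgi","","1.1",200
2007/02/16,09:41:13,192.0.2.10,"bot-a.example","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/14,12:51:35,198.51.100.7,"","-","-",POST,"/BBS/BBS.cgi","","1.1",200
2007/02/14,12:51:50,198.51.100.7,"","-","-",POST,"/BBS/BBS.cgi","","1.1",200
2007/02/14,12:51:51,198.51.100.7,"","-","-",POST,"/BBS/BBS.cgi","","1.1",200
2007/02/14,12:51:56,198.51.100.7,"","-","-",POST,"/BBS/BBS.cgi","","1.1",200
2007/02/14,12:52:15,198.51.100.7,"","-","-",POST,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:39:43,203.0.113.5,"host.example","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:39:44,203.0.113.5,"host.example","-","-",POST,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:40:29,203.0.113.5,"host.example","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:40:31,203.0.113.5,"host.example","-","-",POST,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:41:21,203.0.113.5,"host.example","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/12,11:41:24,203.0.113.5,"host.example","-","-",POST,"/BBS/BBS.cgi","","1.1",200
2007/02/10,08:00:00,203.0.113.77,"human.example","-","-",GET,"/BBS/BBS.cgi","","1.1",200
2007/02/10,08:03:12,203.0.113.77,"human.example","-","-",POST,"/BBS/BBS.cgi","","1.1",200
"""

BBS_PATH = "/BBS/BBS.cgi"
MIN_FILL_SECONDS = 3       # assumption: a person needs longer than this to fill in the form
BURST_WINDOW_SECONDS = 60  # assumption: window for counting rapid-fire POSTs
BURST_MAX_POSTS = 3        # assumption: more POSTs than this inside the window is a burst


def parse_log(text):
    """Parse the CSV log layout into {ts, ip, method} rows for the BBS script only.
    endswith() also matches absolute-URI POSTs like the ttp://.../BBS/BBS.cgi lines above."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) < 11 or not rec[7].endswith(BBS_PATH):
            continue
        ts = datetime.strptime(rec[0] + " " + rec[1], "%Y/%m/%d %H:%M:%S")
        rows.append({"ts": ts, "ip": rec[2], "method": rec[6]})
    return rows


def analyse(rows):
    """Return {ip: set_of_tells} for every IP that POSTed to the BBS.
    An empty set means none of the timing tells fired for that IP."""
    by_ip = {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_ip.setdefault(r["ip"], []).append(r)
    findings = {}
    for ip, reqs in by_ip.items():
        tells, last_get, post_times = set(), None, []
        for r in reqs:
            if r["method"] == "GET":
                last_get = r["ts"]
                continue
            if r["method"] != "POST":
                continue
            post_times.append(r["ts"])
            if last_get is None:
                # Also fires for the "GET from one host, POST from another" pattern,
                # since the POSTing host never fetched the form itself.
                tells.add("post_without_get")
            elif (r["ts"] - last_get).total_seconds() < MIN_FILL_SECONDS:
                tells.add("fast_get_to_post")
        # Sliding window over the (already sorted) POST timestamps.
        for i, t in enumerate(post_times):
            n = sum(1 for u in post_times[i:] if (u - t).total_seconds() <= BURST_WINDOW_SECONDS)
            if n > BURST_MAX_POSTS:
                tells.add("post_burst")
                break
        if post_times:
            findings[ip] = tells
    return findings


if __name__ == "__main__":
    for ip, tells in analyse(parse_log(SAMPLE_LOG)).items():
        print(ip, sorted(tells) or "clean")
```

Run against the constructed log, the one-second and rapid-fire bots light up while the three-minute human stays clean. The per-minute GET/POST pairs of the "one link only" bot are not a burst under these thresholds; that bot is caught on the short GET-to-POST gap instead, which is why the two checks are kept separate.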
The "Hi, nice site!" type
- Just lists URL after URL
- GET and POST come from the same host
- Posting interval is short. I thought it might be fixed at 10 seconds, but apparently not
- Nothing clever, but not so dumb that it fails to recognise the form's only textarea as the body
2006/12/19,21:14:57,121.1.6.130,"","-","-",GET,"/BBS/BBS.cgi","","1.1",200,23287,"-","","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2006/12/19,21:15:07,121.1.6.130,"","-","-",POST,"/BBS/BBS.cgi","","1.1",200,1096,"http://baku.homeunix.net/BBS/BBS.cgi","","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
1166530507 Tue Dec 19 21:15:07 JST 2006
rep_num 0
pass crogiapb
jikan 1166530497
do post
name Ahmed
data Hi, nice site!
http://topmed.byethost9.com/home/best-home-security-system.html http://topmed.byethost9.com/home/home-based-business-for-moms.html (omitted) http://topmed.byethost9.com/home/home-depot-online.html
mail hasret@daswer.biz
subj None
ー
An idiot that cannot interpret anything but fixed strings
Leaves everything except certain names blank, even the form's only textarea.
1166474914 Tue Dec 19 05:48:34 JST 2006
ー
1166474925 Tue Dec 19 05:48:45 JST 2006
rep_num 0
pass
jikan 1166474915
do post
name Mc\'Corin
data
mail rocjilae@usa.net
subj buy diazepam
ー
Leaves a gap between GET and POST, but its form parsing is botched?
2006/12/22,12:13:46,121.1.6.130,"","-","-",GET,"/BBS/BBS.cgi","","1.1",200,23238,"-","","Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9) Gecko/20020311"
1166757225 Fri Dec 22 12:13:45 JST 2006
2006/12/22,12:14:33,121.1.6.130,"","-","-",POST,"/BBS/BBS.cgi","","1.1",200,1104,"http://baku.homeunix.net/BBS/BBS.cgi","","Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9) Gecko/20020311"
1166757273 Fri Dec 22 12:14:33 JST 2006
rep_num 0
jikan 1166757226
do post
name Jane
mail neo@hotmail.com
2006/12/22,14:36:31,222.109.190.212,"","-","-",GET,"/BBS/BBS.cgi","","1.1",200,23287,"-","","Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
1166765791 Fri Dec 22 14:36:31 JST 2006
2006/12/22,14:39:32,222.99.244.36,"","-","-",POST,"/BBS/BBS.cgi","","1.1",200,1104,"http://baku.homeunix.net/BBS/BBS.cgi","","Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
1166765972 Fri Dec 22 14:39:32 JST 2006
rep_num 0
jikan 1166765791
do post
name Neo
mail aaron@yahoo.com
roti45 (provisional name)
- GET and POST come from different hosts
- An idiot that ignores the textarea
2006/12/22,09:16:59,72.36.205.10,"sql3.christiandnsonline.com","-","-",GET,"/BBS/BBS.cgi","","1.1",200,23287,"-","","-"
2006/12/22,09:17:02,80.227.0.156,"","-","-",POST,"/BBS/BBS.cgi","","1.1",200,1104,"http://baku.homeunix.net/BBS/BBS.cgi","","Opera/9.0 (Windows NT 5.1; U; en)"
2006/12/22,09:17:04,148.233.159.58,"cache-mex-roma-2.uninet.net.mx","-","-",POST,"/BBS/BBS.cgi","","1.1",200,1104,"http://baku.homeunix.net/BBS/BBS.cgi","","Opera/9.0 (Windows NT 5.1; U; en)"
1166746618 Fri Dec 22 09:16:58 JST 2006
1166746622 Fri Dec 22 09:17:02 JST 2006
rep_num 0
pass roti45
jikan 1166746619
do post
name tadalafil
mail trttedfgette@yahoo.com
subj tadalafil
1166746624 Fri Dec 22 09:17:04 JST 2006
rep_num 0
pass roti45
jikan 1166746619
do post
name tadalafil
mail trttedfgette@yahoo.com
subj tadalafil
Checking its results?
The body carries a mysterious hex(?) string at the start and at the end. Presumably it is there to check whether the post actually went through.
Incidentally, my modified PicoBBS returns the normal response to a POST it judges to be spam, but skips writing it to the data file. So the spam bot most likely concludes that the post succeeded.
...What a nuisance. Should I just return 403 to any POST judged as spam, no questions asked?
Another characteristic: it POSTs straight away without doing a GET first.
1165921942 Tue Dec 12 20:12:22 JST 2006
rep_num 0
pass
do post
name Jayson
data cd5becb6ec14e8d62401ed20beb78a03
<a href="http://8.maravigliar.org/oroscopofoxbranco/"> oroscopofoxbranco </a> http://9.confessar.org/binocololeica/ <a href="http://7.confessar.org/quadrooliofalsiautorearredamento/"> quadrooliofalsiautorearredamento </a> (中略) <a href="http://4.pianeto.org/ludusit/"> ludusit </a>
05d1a8c80a3881238960da10dbcf6235
subj Everardo
jikan ''1161798066''
mail jalen@hotbox.com
The GET was done quite a long time ago, and it seems to keep reusing that data endlessly.
1164807166 Wed Nov 29 22:32:46 JST 2006
rep_num 0
pass
do post
name Jasper
data ea77f094587f3942b83208b986637bbf
(omitted)
subj Andre
jikan ''1161798066''
mail ian@royalmail.com
''1161798066'' Thu Oct 26 02:41:06 JST 2006
"do %8F%91%82%AB%8D%9E%82%DD%28W%29" (provisional name)
Its form parsing is off: the input type="submit" value="書き込み(W)" accesskey="W"
gets jumbled in (hence the do value above).
- POSTs straight away
- Reuses an old GET
- pass is fixed to "password"
- An idiot that does not parse the textarea?
''1166091245'' Thu Dec 14 19:14:05 JST 2006
1166091288 Thu Dec 14 19:14:48 JST 2006
rep_num 0
pass password
name Mp3 Ringtones
do %8F%91%82%AB%8D%9E%82%DD%28W%29
data 06.06.2006
subj Mp3 Ringtones
jikan ''1166091247''
mail karmilita.sukova@yahoo.com
1166383329 Mon Dec 18 04:22:09 JST 2006
rep_num 0
pass password
name Propecia
do %8F%91%82%AB%8D%9E%82%DD%28W%29
data 06.06.2006
subj Propecia
jikan ''1166091247''
mail david.jukova@aol.com
1166719018 Fri Dec 22 01:36:58 JST 2006
rep_num 0
pass password
name 100 Free Ringtones
do %8F%91%82%AB%8D%9E%82%DD%28W%29
data 06.06.2006
subj 100 Free Ringtones
jikan ''1166091247''
mail vika matilda.brown@msn.com
1166719041 Fri Dec 22 01:37:21 JST 2006
rep_num 0
pass password
name Xenical
do %8F%91%82%AB%8D%9E%82%DD%28W%29
data 06.06.2006
subj Xenical
jikan ''1166091247''
mail margarita.piskina@fromru.com
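Pulling together the field-level tells catalogued above (a do value that is not "post", a jikan that is seconds old or months old because the GET was reused, an empty textarea, hex markers at the top and bottom of the body, and a pile of links), here is a server-side checker as an added example, not PicoBBS code. It assumes the key/value layout of the post dumps above, that jikan is the Unix time at which the form was served, and the constructed sample bodies and thresholds are made up for illustration.

```python
import re

# Constructed sample POST bodies in the key/value layout of the dumps above (not real posts).
NOW = 1166746622  # fixed "current" Unix time for the samples (09:17:02 JST, 22 Dec 2006)

SAMPLES = {
    # ordinary human post: form served ~4 minutes earlier, do=post, a real body
    "human": "rep_num 0\npass s3cret\njikan 1166746400\ndo post\nname Taro\n"
             "mail taro@example.com\ndata Thanks, this fixed my problem.\nsubj Re: logs\n",
    # "Hi, nice site!" style: submitted 1 s after the form was served, body is a pile of URLs
    "fast_fill": "rep_num 0\npass abcd\njikan 1166746621\ndo post\nname Ahmed\n"
                 "data Hi, nice site!\nhttp://a.example/1 http://b.example/2 "
                 "http://c.example/3 http://d.example/4\nmail ahmed@example.net\nsubj None\n",
    # result-checking style: months-old jikan, 32-hex-digit marker on first and last body line
    "stale_hex": "rep_num 0\npass\ndo post\nname Jayson\n"
                 "data 0123456789abcdef0123456789abcdef\n"
                 "<a href=\"http://x.example/a/\"> a </a> http://y.example/b/\n"
                 "fedcba9876543210fedcba9876543210\nsubj Everardo\njikan ''1161798066''\n"
                 "mail jayson@example.org\n",
    # submit-button-as-do style: do carries the URL-encoded button label, reused old form
    "wrong_do": "rep_num 0\npass password\nname Mp3 Ringtones\n"
                "do %8F%91%82%AB%8D%9E%82%DD%28W%29\ndata 06.06.2006\nsubj Mp3 Ringtones\n"
                "jikan ''1166091247''\nmail someone@example.com\n",
    # fixed-string-only style: fills the named inputs but leaves the textarea empty
    "empty_textarea": "rep_num 0\npass\njikan 1166746615\ndo post\nname Mc'Corin\n"
                      "data\nmail roc@example.net\nsubj hello\n",
}

KEYS = ("rep_num", "pass", "jikan", "do", "name", "mail", "data", "subj")
MIN_FILL_SECONDS = 3            # assumption: a person needs longer to fill in the form
MAX_FORM_AGE_SECONDS = 86400    # assumption: a form older than a day is a reused GET
MAX_LINKS = 3                   # assumption: more URLs than this in one post is a tell
HEX_TOKEN = re.compile(r"^[0-9a-f]{32}$")
URL_RE = re.compile(r"https?://", re.I)


def parse_post(text):
    """Parse the dump layout: a line starting with a known key opens a field, any other
    line continues the current field (so a multi-line textarea is reassembled)."""
    fields, current = {}, None
    for line in text.splitlines():
        key, _, rest = line.partition(" ")
        if key in KEYS:
            current = key
            fields[key] = rest
        elif current is not None:
            fields[current] += "\n" + line
    return fields


def check_post(fields, now=NOW):
    """Return the list of tells that fire for one parsed post (empty list = looks normal)."""
    tells = []
    if fields.get("do") != "post":
        tells.append("do_not_post")        # e.g. the URL-encoded submit-button label
    try:
        age = now - int(fields.get("jikan", "").strip("'"))
    except ValueError:
        age = None
    if age is None:
        tells.append("jikan_missing")
    elif age < MIN_FILL_SECONDS:
        tells.append("fast_fill")          # GET and POST about a second apart
    elif age > MAX_FORM_AGE_SECONDS:
        tells.append("stale_form")         # an old GET being reused endlessly
    body = fields.get("data", "").strip()
    if not body:
        tells.append("empty_textarea")     # bot that never filled in the textarea
    else:
        lines = body.splitlines()
        if HEX_TOKEN.match(lines[0].strip()) and HEX_TOKEN.match(lines[-1].strip()):
            tells.append("hex_marker")     # result-check markers wrapping the body
        if len(URL_RE.findall(body)) > MAX_LINKS:
            tells.append("too_many_links")
    return tells


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, check_post(parse_post(text)) or "clean")
```

What the server does with a non-empty tell list is the question raised earlier on this page: the modified PicoBBS answers with the normal page and simply never writes the post, which keeps the bot's follow-up GET from learning anything; a 403 is more honest but also tells the bot its post was filtered. The checker stays out of that decision and only reports.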