Just a brief word before I begin the bulk of this post, and that is... I have received permission from Gossamer-Threads before posting this.
Ok here we go....
Well today I received 1100+ spam submissions to one of my contact forms (well actually it ended up being three different forms before I blocked it).
The first thing I did apart from secure the form to prevent anyone being able to spam it was check my access log.
Here's what I saw:
www21.web2010.com - - [19/Apr/2002:00:43:29 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "SecretAgent/1.0 libwww-per$
www21.web2010.com - - [19/Apr/2002:00:43:29 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "SecretAgent/1.0 libwww-per$
www21.web2010.com - - [19/Apr/2002:00:43:29 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "SecretAgent/1.0 libwww-per$
www21.web2010.com - - [19/Apr/2002:00:43:30 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "SecretAgent/1.0 libwww-per$
www21.web2010.com - - [19/Apr/2002:00:43:30 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "SecretAgent/1.0 libwww-per$
....around 1100 entries.
So I went to web2010.com and sent an email to the hostmaster asking him to investigate who had posted 1100 form submissions.
Whilst I was waiting for the reply I also noticed the user-agent was ServerAgent/1.0.....the code used to do this was code I myself had posted at the forum yesterday so I came to the conclusion it had to be a forum member who had used my own code against me.
Well for anyone to spam me they have to know how the contact form works and in order to do this they have to visit the form in person to check it out. So I checked back in my log for the hour or so before the attack.....here's what I found:
bus178s048.colorado.edu - - [19/Apr/2002:00:25:50 -0500] "GET /contact/ HTTP/1.1" 200 2292 "http://www.wiredon.net/" "Mozilla/4.0 ($
bus178s048.colorado.edu - - [19/Apr/2002:00:26:08 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.1" 302 338 "http://www.wiredon.net$
bus178s048.colorado.edu - - [19/Apr/2002:00:26:08 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.1" 302 5 "http://www.wiredon.net/c$
bus178s048.colorado.edu - - [19/Apr/2002:00:26:08 -0500] "GET /contact/success.shtml HTTP/1.1" 200 1563 "http://www.wiredon.net/con$
...a happy camper testing out my contact form....funny that as just before the spamming I received two test submissions from test@test.tv
So I'm getting closer........this gives me an ISP hostname.....but who can it be......
So I go back to the forum and find the ip of the most obvious suspect and do a traceroute....
IP: 128.138.178.48
Traceroute leads me to....
17 bus178s048.Colorado.EDU (128.138.178.48) 42.579 ms 43.683 ms 46.521 ms
Well hang on a minute....that's the same as the hostname for the "tester"
Maybe I'm on to something here.....
So who do I know from Colorado?.....hm....a forum member from Colorado is Eliot Lee....hmmm his URL is Anthrotech.com.....
Oh look:
Anthro TECH, L.L.C was established in December 1997. Anthro TECH provides innovative Web resources and services for the anthropological community and general public. Anthro TECH, L.L.C is currently based in Rollinsville, Colorado.
Well well well......
So I tootle off to networksolutions.com to use their handy whois service....
Whois anthrotech.com I wonder?.....well I'll tell you......
http://www.netsol.com/...om&SearchType=do
Would you look at that. Who is the technical contact for the domain anthrotech.com ?......surprise...it is HOSTMASTER@WEB2010.COM...the email address I originally emailed right at the beginning which matched the several thousand hits in my access log.
We have our culprit, ladies and gentlemen.
Eliot Lee - anthrotech.com aka Heckler, Chewbacca and Anthrorules
I will be notifying Eliot's Internet Service Provider and it goes without saying the whole colorado.edu network has been banned from my server.
I will also be notifying Colorado University too that Eliot has been spamming websites from their network (in fact I sent them an email 10 minutes ago).
Thanks for reading.
Edit: Hehe next time I won't publicly post that my form mailer was put together in about 10 mins....for any Eliot wannabes you won't be able to do it again...that's not a challenge :)
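An added example, not part of the original post, that automates the two log checks walked through above: find hosts that flood the form handler with POSTs, then list the hosts that fetched the form page in the hour before that flood began. The log lines inside it are constructed to mimic the post's access log; the host names, the threshold and the one-hour window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" access log line, the format shown in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d

def find_flood(entries, path, threshold):
    """Hosts that POSTed to `path` at least `threshold` times -> (count, first seen)."""
    counts, first = Counter(), {}
    for e in entries:
        if e["method"] == "POST" and e["path"] == path:
            counts[e["host"]] += 1
            first.setdefault(e["host"], e["ts"])
    return {h: (n, first[h]) for h, n in counts.items() if n >= threshold}

def prior_visitors(entries, path, before, window):
    """Hosts that fetched `path` inside `window` before the timestamp `before`."""
    return sorted({e["host"] for e in entries
                   if e["method"] == "GET" and e["path"] == path
                   and before - window <= e["ts"] < before})

def investigate(lines, form="/contact/", handler="/cgi-bin/contact/index.cgi",
                threshold=3, window=timedelta(hours=1)):
    entries = [e for e in map(parse, lines) if e]
    flood = find_flood(entries, handler, threshold)
    suspects = {h: prior_visitors(entries, form, ts, window)
                for h, (_, ts) in flood.items()}
    return flood, suspects

# Constructed sample log, modelled on the post (hosts/UA are illustrative only).
FLOOD_UA = "SecretAgent/1.0 libwww-perl"
SAMPLE = [
    'other.example.net - - [18/Apr/2002:22:00:00 -0500] "GET /contact/ HTTP/1.1" 200 2292 "-" "Mozilla/4.0"',
    'bus178s048.colorado.edu - - [19/Apr/2002:00:25:50 -0500] "GET /contact/ HTTP/1.1" 200 2292 "http://www.wiredon.net/" "Mozilla/4.0"',
    'bus178s048.colorado.edu - - [19/Apr/2002:00:26:08 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.1" 302 338 "http://www.wiredon.net/contact/" "Mozilla/4.0"',
] + [f'www21.web2010.com - - [19/Apr/2002:00:43:{29 + i // 3:02d} -0500] '
     f'"POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "{FLOOD_UA}"' for i in range(6)]
```

Running `investigate(SAMPLE)` flags www21.web2010.com as the flooding host and bus178s048.colorado.edu as the only host that loaded the form in the preceding hour; the earlier visitor from other.example.net falls outside the window.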