
Everyone please take a moment to read....

Just a brief word before I begin the bulk of this post, and that is... I have received permission from Gossamer-Threads before posting this.

Ok here we go....

Well today I received 1100+ spam submissions to one of my contact forms (well actually it ended up being three different forms before I blocked it).

The first thing I did apart from secure the form to prevent anyone being able to spam it was check my access log.

Here's what I saw:

www21.web2010.com - - [19/Apr/2002:00:43:29 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "SecretAgent/1.0 libwww-per$
www21.web2010.com - - [19/Apr/2002:00:43:29 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "SecretAgent/1.0 libwww-per$
www21.web2010.com - - [19/Apr/2002:00:43:29 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "SecretAgent/1.0 libwww-per$
www21.web2010.com - - [19/Apr/2002:00:43:30 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "SecretAgent/1.0 libwww-per$
www21.web2010.com - - [19/Apr/2002:00:43:30 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.0" 302 0 "-" "SecretAgent/1.0 libwww-per$


....around 1100 entries.

So I went to web2010.com and sent an email to the hostmaster asking him to investigate who had posted 1100 form submissions.

Whilst I was waiting for the reply I also noticed the user-agent was ServerAgent/1.0.....the code used to do this was code I myself had posted at the forum yesterday so I came to the conclusion it had to be a forum member who had used my own code against me.

Well for anyone to spam me they have to know how the contact form works and in order to do this they have to visit the form in person to check it out. So I checked back in my log for the hour or so before the attack.....here's what I found:

bus178s048.colorado.edu - - [19/Apr/2002:00:25:50 -0500] "GET /contact/ HTTP/1.1" 200 2292 "http://www.wiredon.net/" "Mozilla/4.0 ($
bus178s048.colorado.edu - - [19/Apr/2002:00:26:08 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.1" 302 338 "http://www.wiredon.net$
bus178s048.colorado.edu - - [19/Apr/2002:00:26:08 -0500] "POST /cgi-bin/contact/index.cgi HTTP/1.1" 302 5 "http://www.wiredon.net/c$
bus178s048.colorado.edu - - [19/Apr/2002:00:26:08 -0500] "GET /contact/success.shtml HTTP/1.1" 200 1563 "http://www.wiredon.net/con$

...a happy camper testing out my contact form....funny that as just before the spamming I received two test submissions from test@test.tv

So I'm getting closer........this gives me an ISP hostname.....but who can it be......

So I go back to the forum and find the ip of the most obvious suspect and do a traceroute....

IP: 128.138.178.48

Traceroute leads me to....

17 bus178s048.Colorado.EDU (128.138.178.48) 42.579 ms 43.683 ms 46.521 ms

Well hang on a minute....that's the same as the hostname for the "tester"

Maybe I'm on to something here.....

So who do I know from Colorado?.....hm....a forum member from Colorado is Eliot Lee....hmmm his URL is Anthrotech.com.....

Oh look:

Anthro TECH, L.L.C was established in December 1997. Anthro TECH provides innovative Web resources and services for the anthropological community and general public. Anthro TECH, L.L.C is currently based in Rollinsville, Colorado.

Well well well......

So I tootle off to networksolutions.com to use their handy whois service....

Whois anthrotech.com I wonder?.....well I'll tell you......

http://www.netsol.com/...om&SearchType=do

Would you look at that. Who is the technical contact for the domain anthrotech.com ?......surprise...it is HOSTMASTER@WEB2010.COM...the email address I originally emailed right at the beginning which matched the several thousand hits in my access log.

We have our culprit ladies and gentlemen.

Eliot Lee - anthrotech.com aka Heckler, Chewbacca and Anthrorules

I will be notifying Eliot's Internet Service Provider and it goes without saying the whole colorado.edu network has been banned from my server.

I will also be notifying Colorado University too that Eliot has been spamming websites from their network (in fact I sent them an email 10 minutes ago).

Thanks for reading.

Edit: Hehe next time I won't publicly post that my form mailer was put together in about 10 mins....for any Eliot wannabes you won't be able to do it again...that's not a challenge :)

Last edited by:

Paul: Apr 18, 2002, 12:12 PM
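
The correlation described in the opening post (spot a burst of automated POSTs to the form, then look back through the log for whoever submitted the form shortly beforehand) can be scripted. This is an added example, not code from the thread; the hostnames, user agents, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
FORM = "/cgi-bin/contact/index.cgi"
# Apache combined log format; lines must be complete (not cut off at the terminal width).
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def parse(lines):
    """Return one dict per well-formed line, with a timezone-aware timestamp."""
    out = []
    for m in filter(None, map(LINE.match, lines)):
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        out.append(d)
    return out

def find_bursts(entries, path, threshold=5, window=timedelta(seconds=10)):
    """Map host -> (burst start, total POSTs) where >= threshold POSTs hit path within window."""
    posts = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == path:
            posts[e["host"]].append(e["ts"])
    bursts = {}
    for host, stamps in posts.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                bursts[host] = (stamps[i], len(stamps))
                break
    return bursts

def correlate(lines, path=FORM, lookback=timedelta(hours=1)):
    """For each bursting host, list other hosts that submitted the form shortly before."""
    entries = parse(lines)
    bursts = find_bursts(entries, path)
    return {host: sorted({e["host"] for e in entries
                          if e["method"] == "POST" and e["path"] == path
                          and e["host"] not in bursts and start - lookback <= e["ts"] < start})
            for host, (start, _) in bursts.items()}

# Constructed sample (placeholder hosts and agents): two earlier form users, then a six-POST burst.
_P = '"POST %s HTTP/1.0" 302 0 "-" "%s"'
SAMPLE = [
    'lab42.example.edu - - [19/Apr/2002:00:26:08 -0500] ' + _P % (FORM, "Mozilla/4.0"),
    'dsl7.example.org - - [18/Apr/2002:21:10:00 -0500] ' + _P % (FORM, "Mozilla/4.0"),
] + ['relay.example.net - - [19/Apr/2002:00:43:%02d -0500] ' % (29 + i // 3)
     + _P % (FORM, "ExampleAgent/1.0") for i in range(6)]
```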
 
Re: [Paul] Everyone please take a moment to read.... In reply to
Sorry to hear that Paul.

I've had the same problem with Cricket Web with a hacker targeting my site Frown.

Contacted my host (Tera-byte) and they said it wasn't their problem and left it at that Frown.

Oh well, things seem to be getting back to normal again now.

---------------
Cricket Web - http://www.cricketweb.net
Cricket Web Forum - http://forum.cricketweb.net/
---------------
 
Re: [Paul] Everyone please take a moment to read.... In reply to
Nice bit of detective work Paul. Cool
Exactly the reason I do not give away a web address or contact info in support forums or submit sites to "Using Our Software Sections".

I also change the file names and main function calls of scripts so as to hide their origins from potential hackers and inquisitive searchers Wink.

It's a shame to be like that, but there are always spoilers who ruin it for everybody else, I am always on my guard. PARANOID Crazy

chmod
 
Re: [chmod] Everyone please take a moment to read.... In reply to
Yeah I learned my lesson Blush

....I have to admit that I didn't think anyone at GT was in the frame of mind to undertake something like that though....I would have maybe expected it more for a lurker....not a prominent member.

>>Nice bit of detective work Paul. <<

Yes I was proud of that :)
Post deleted by Wil In reply to
 
Re: [Wil] Everyone please take a moment to read.... In reply to
Eliot you mean?....no I believe he isn't a moderator.

Last edited by:

Paul: Apr 19, 2002, 1:29 AM
 
Re: [Paul] Everyone please take a moment to read.... In reply to
You just never know, maybe a lot of attempted hacks are coming from this forum but the people who are hacked don't know how to find out who did it, or don't realise they have been hacked in the first place. Perhaps this isn't the first time for this hacker/spammer.

If you do a search on a particular user it can be surprising when you add up all the snippets just what they give away over the course of a large number of threads.

chmod

hehe, just did a search on my username to make sure I was ok. PARANOID Crazy

Last edited by:

chmod: Apr 19, 2002, 1:35 AM
 
Re: [chmod] Everyone please take a moment to read.... In reply to
Unsure

Last edited by:

Paul: Apr 19, 2002, 2:13 AM
 
Re: [Philip_Clark] Everyone please take a moment to read.... In reply to
Hey, just thought people may wish to take a look at Apache::BlockAgent and Apache::SpeedLimit relating to this issue.

http://www.kuzbass.ru/...he_c_mod_perl/70.htm

http://modperl.com:9000/book/chapters/ch6.html

There's some really nice stuff there.

http://modperl.com:9000/...cking_Greedy_Clients

http://stein.cshl.org/...s/mp_blockAgent.html
 
Re: [Paul] Everyone please take a moment to read.... In reply to
Hehe that's too funny....Lincoln Stein made some booboos in his code. Can you spot 'em?

Whilst on the subject...I can't get his code to work even after fixing the bugs...it either blocks everything or nothing...grrr.

Last edited by:

Paul: Apr 19, 2002, 6:53 AM
 
Re: [Paul] Everyone please take a moment to read.... In reply to
Yeppers.... here's a related thread, while I have no opinion/comment on the above mentioned mischief I think there is a lesson in this for everyone.
 
Re: [Watts] Everyone please take a moment to read.... In reply to
As with all crimes there has to be a motive...ideally I'd like to know what it was.

Clearly there is some sort of deep psychological thing going on...very strange.....kinda reminds me of umm what is it...oh I know, "The hand that rocks the cradle".

Maybe I watch too many movies Smile

Edit: That's a good film btw for anyone who hasn't seen it.

Last edited by:

Paul: Apr 19, 2002, 12:02 PM
 
Re: [Paul] Everyone please take a moment to read.... In reply to
I've never mentioned this in the forums before, but it's funny when myself or others have upset Eliot in the past within a few days we were added to various mailing lists.

There was no way to prove this was from him, but my intuition does not fail me very often. I do remember trying to verify where the request initiated from and at one point was able to see (when it required verification before subscribing) what server it came from.

So just something to look out for and be aware of if all of a sudden you get subscribed to various mailing lists.

I wrote back to several and told them they should always verify it was actually requested before adding any email to their lists.

Unofficial DBMan FAQ

http://creativecomputingweb.com/dbman/index.shtml/
 
Re: [LoisC] Everyone please take a moment to read.... In reply to
>>
I've never mentioned this in the forums before, but it's funny when myself or others have upset Eliot in the past within a few days we were added to various mailing lists.
<<

Hi,

I started to write a post about something like this but decided to delete it which is why there is one post above with just a sad smilie face in it....but now you've mentioned it, I'll post my experience too....

A while back I posted a thread about my site not working in Netscape and after receiving a reply from Eliot stating my html was "poor" ...about an hour or so later I found myself subscribed (amongst others) to "webpagesthatsuck.com" newsletter.

The email address used was in my forum profile and never normally received spam.

After reading your post above I have good reason to believe that was Eliot too.

I find that quite strange behaviour for a 30yr old.

Last edited by:

Paul: Apr 20, 2002, 1:49 AM
 
Re: [Paul] Everyone please take a moment to read.... In reply to
Bloody hell,

Been at these forums for years now, can't believe someone would do something so stupid and childish. Good work figuring out who it was (I'm sure you had some idea in the back of your head when you were looking Wink)
Cheers,
Michael Bray
 
Re: [Michael_Bray] Everyone please take a moment to read.... In reply to
In Reply To:
Bloody hell,

Been at these forums for years now, can't believe someone would do something so stupid and childish. Good work figuring out who it was (I'm sure you had some idea in the back of your head when you were looking Wink)

You're forgetting Paul already did this to me! He sent me 300-400 emails with the script that Eliot used ;) So really, he is just as guilty, although, at least he stopped before the 1000 email cycle was completed :) It's not really that annoying...cos Outlook 2002 comes with some good junk email filters...it's more the strain on the server, and the time it takes to download the emails.

Andy (mod)
andy@ultranerds.co.uk
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!
 
Re: [Andy.] Everyone please take a moment to read.... In reply to
You should bill him for the bandwidth ;-)

- wil
 
Re: [Wil] Everyone please take a moment to read.... In reply to
I'm not too fussed. At least I learned my lesson ;)

Andy (mod)
andy@ultranerds.co.uk
 
Re: [Andy.] Everyone please take a moment to read.... In reply to
>>
You're forgetting Paul already did this to me! He sent me 300-400 emails with the script that Eliot used ;) So really, he is just as guilty, although, at least he stopped before the 1000 email cycle was completed :)
<<

My intention was to send a few emails which is why I publicly announced that I'd done it...unfortunately I didn't realise how fast they'd send.

...and I apologised in private Blush

Slightly different situation and intention.

Last edited by:

Paul: Apr 20, 2002, 9:40 AM
 
Re: [Paul] Everyone please take a moment to read.... In reply to
I know..and that is why I said I wasn't too fussed. I know what your intentions were. If you had hidden the fact you did it, then that would be another matter Tongue

Andy (mod)
andy@ultranerds.co.uk
 
Re: Everyone please take a moment to read.... In reply to
hmmmm .... I'm not pointing fingers yet, but ... strange that all of a sudden I'm starting to get all kinds of strange emails.

It could be just a knee jerk reaction but ... I never had this many as in the past day and a half ... Shocked

openoffice + gimp + sketch ... Smile
 
Re: [QooQ] Everyone please take a moment to read.... In reply to
Well hmm as you know I've been getting them too...strange Korean junk mail.
 
Re: [Paul] Everyone please take a moment to read.... In reply to
Just as a follow up...I have spoken to someone at colorado.edu and they are investigating.
 
Re: [Paul] Everyone please take a moment to read.... In reply to
Wow..I'm not the only one then! I had a French one today, and then 2 Japanese/Chinese ones a day or 2 ago :( Is it a virus I wonder?

Andy (mod)
andy@ultranerds.co.uk
 
Re: [Andy.] Everyone please take a moment to read.... In reply to
>>2 Japanese/Chinese<<

That's what I thought until QooQ told me they were Korean...

Last edited by:

Paul: Apr 23, 2002, 7:17 AM