Comment Spam...


  • bwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited February 21, 2006
    Damn poker bastard. OK, here is what I'm finding out. I have my image comment button (not the gallery comment button) and comments left by others invisible by using:
    #imageCommentSummary {display: none;}
    
    #comments {display: none;}
    
    The bastard can still leave comments, but they won't show up on your page. Also, I have my email notifications turned off in the meantime. Turning off your gallery comments from within the customize gallery options or enabling comment approval is kinda useless.

    enabling comment approval won't prevent you from getting them, but it will prevent them from showing up in your galleries..


    update: 1017 comments and still rising!
    Pedal faster
  • Francois Registered Users Posts: 140 Major grins
    edited February 21, 2006
    Damn poker bastard. OK, here is what I'm finding out. I have my image comment button (not the gallery comment button) and comments left by others invisible by using:
    #imageCommentSummary {display: none;}
     
    #comments {display: none;}
    
    The bastard can still leave comments, but they won't show up on your page. Also, I have my email notifications turned off in the meantime. Turning off your gallery comments from within the customize gallery options or enabling comment approval is kinda useless.

    Seems to have worked in my case..... 'it' moved to another gallery, and then another.. and now it seems to have stopped. I got some 12 in total, so I am not complaining for myself.... but companies like these should be attacked, either by law or by white hackers
    Francois A. Dumas
    Founder
    Silver Cloud Publishing
    fssupport.smugmug.com
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    Francois wrote:
    Seems to have worked in my case..... 'it' moved to another gallery, and then another.. and now it seems to have stopped. I got some 12 in total, so I am not complaining for myself.... but companies like these should be attacked, either by law or by white hackers

    working on the latter :D

    James.
  • bwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited February 21, 2006
    JamesJWeg wrote:
    working on the latter :D

    James.

    vigilante justice!

    it's what the internets was meant for.
    Pedal faster
  • Andy Registered Users Posts: 50,016 Major grins
    edited February 21, 2006
    Hi everyone,

    I have called and awakened the West Coast. Please stand by while we work on this and we'll provide as much info as we can, when we get it.

    Thank you for your patience and understanding while we sort this out.
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited February 21, 2006
    JamesJWeg wrote:
    working on the latter :D

    James.
    So you were able to trace them back? If so, I would like to know how you did it! :D

    Thanks,
    Sebastian
    Sebastian
    SmugMug Support Hero
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    as far as I can tell so far this company may be behind the attack

    http://oversee.net/

    James.

    edit: If they are not doing it, they own some domains in use, and/or have some connection.
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited February 21, 2006
    bigwebguy wrote:
    update: 1017 comments and still rising!
    Heavy! I'm still in the 300-400 range and I personally killed around 150 by hand. ( :gun2 comment-spammer)
    I'm a bit more chilled as the queue at the mail notification server finally seems to be empty for me.

    Sebastian
    Sebastian
    SmugMug Support Hero
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    So you were able to trace them back? If so, I would like to know how you did it! :D

    Thanks,
    Sebastian

    It is a redirect scheme, bounced around a couple times. These guys are just the first stop.

    DO NOT FOLLOW THIS WITHOUT ANTI SPYWARE/ADWARE SOFTWARE WORKING AND COOKIES BLOCKED!!!!!! THEY WILL TRY TO GET INTO YOUR SYSTEM!!!!!!!
    kiszka-blada.com
    then off to
    proredirect.com
    who then goes to
    oversee.net

    James.
  • Francois Registered Users Posts: 140 Major grins
    edited February 21, 2006
    JamesJWeg wrote:
    as far as I can tell so far this company may be behind the attack

    http://oversee.net/

    James.

    edit: If they are not doing it, they own some domains in use, and/or have some connection.

    This kind of 'marketing' goes in the same range as the Osamas of this world...... just terrorizing innocent people for the heck of it. Nobody in his right mind is ever going to use one of these casino links they put in our comments.... so it is a totally futile and criminal action.
    Francois A. Dumas
    Founder
    Silver Cloud Publishing
    fssupport.smugmug.com
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited February 21, 2006
    JamesJWeg wrote:
    It is a redirect scheme, bounced around a couple times. These guys are just the first stop.
    Ah, okay...so you simply followed the link. I thought that you perhaps had some tracking code on your page that captured the bot while it was doing its dirty business.

    Thanks for the info though. Keep us posted. :)

    Sebastian
    Sebastian
    SmugMug Support Hero
  • bwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited February 21, 2006
    JamesJWeg wrote:
    It is a redirect scheme, bounced around a couple times. These guys are just the first stop.

    DO NOT FOLLOW THIS WITHOUT ANTI SPYWARE/ADWARE SOFTWARE WORKING AND COOKIES BLOCKED!!!!!! THEY WILL TRY TO GET INTO YOUR SYSTEM!!!!!!!
    kiszka-blada.com
    then off to
    proredirect.com
    who then goes to
    oversee.net

    James.

    the domain is registered at nameking.com

    Abuse Desk Email Address: abuse@nameking.com

    he'll probably just pop up somewhere else, but we can make it inconvenient for a little while.
    Pedal faster
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    from what I see in my own site log I suspect this is the direct source

    Sachsen, Leipzig, Germany
    p54B9A603.dip0.t-ipconnect.de (84.185.166.3)

    It is a Windows 2000 box, it has been hitting my page for a duration of 0 sec, and it has plenty of open ports that a normal workstation would not be listening to.

    James.
  • bwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited February 21, 2006
    JamesJWeg wrote:
    from what I see in my own site log I suspect this is the direct source

    Sachsen, Leipzig, Germany
    p54B9A603.dip0.t-ipconnect.de (84.185.166.3)

    It is a Windows 2000 box, it has been hitting my page for a duration of 0 sec, and it has plenty of open ports that a normal workstation would not be listening to.

    James.

    i doubt that you would see anything in your logs.

    more than likely it's hitting www.smugmug.com/hack/RPC/gallery.mg and just passing in the image id

    it's not actually hitting your page now which is why adding a site level password doesn't do anything..


    however...this information would've had to be mined previously unless the bot is just doing an incremental hit & miss...
    Pedal faster
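
The point made in the post above (a bot can post straight to the comment RPC endpoint without ever loading the gallery page, so page-level visitor counters see nothing) can be checked from server-side request logs. This is an added example, not part of the thread and not SmugMug's code; the log format, the `/gallery/` page prefix, the `ImageID` parameter name and the 30-minute window are assumptions, and the sample lines are constructed with documentation-range IPs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RPC_PATH = "/hack/RPC/gallery.mg"   # endpoint path named in the thread
PAGE_PREFIX = "/gallery/"           # assumed URL prefix of rendered gallery pages
WINDOW = timedelta(minutes=30)      # assumed: a person views the page shortly before commenting

# Constructed sample log (assumed format: ISO time, client IP, method, path).
SAMPLE_LOG = """\
2006-02-21T09:00:01 198.51.100.7 GET /gallery/1234
2006-02-21T09:01:10 198.51.100.7 POST /hack/RPC/gallery.mg?ImageID=55
2006-02-21T09:02:00 203.0.113.9 POST /hack/RPC/gallery.mg?ImageID=100
2006-02-21T09:02:01 203.0.113.9 POST /hack/RPC/gallery.mg?ImageID=101
2006-02-21T09:02:02 203.0.113.9 POST /hack/RPC/gallery.mg?ImageID=102
2006-02-21T10:15:00 198.51.100.7 POST /hack/RPC/gallery.mg?ImageID=56
"""

def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]

def direct_rpc_posts(log_text, window=WINDOW):
    """Return {ip: [query strings]} for comment POSTs not preceded by a page view within the window."""
    last_page_view = {}
    flagged = defaultdict(list)
    for when, ip, method, path in sorted(parse(log_text)):
        base, _, query = path.partition("?")
        if method == "GET" and base.startswith(PAGE_PREFIX):
            last_page_view[ip] = when
        elif method == "POST" and base == RPC_PATH:
            seen = last_page_view.get(ip)
            if seen is None or when - seen > window:
                flagged[ip].append(query)  # heuristic only: a slow human commenter lands here too
    return dict(flagged)

def sequential_ids(queries):
    """True when posted image ids rise by one each time (the 'incremental hit & miss' pattern)."""
    values = [q.split("=", 1)[1] for q in queries if "=" in q]
    ids = [int(v) for v in values if v.isdigit()]
    return len(ids) >= 3 and all(b - a == 1 for a, b in zip(ids, ids[1:]))

if __name__ == "__main__":
    for ip, queries in direct_rpc_posts(SAMPLE_LOG).items():
        print(ip, len(queries), "direct posts; sequential ids:", sequential_ids(queries))
```

A client that only ever appears on the RPC path, with ids stepping by one, is the signature to alert on; the single late post from the other client shows why the window alone produces false positives.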
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    bigwebguy wrote:
    i doubt that you would see anything in your logs.

    more than likely it's hitting www.smugmug.com/hack/RPC/gallery.mg and just passing in the image id

    it's not actually hitting your page now which is why adding a site level password doesn't do anything..


    however...this information would've had to be mined previously unless the bot is just doing an incremental hit & miss...

    How many browsers would hit my main page for 0 sec every little while? Yes, that one is just guessing off the time duration, which is why it is not an outright target........yet, pending more info.

    James.
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    well, not hit from that IP the last couple times I got new comments, maybe that was a scanning run of some kind or it could be unrelated, but most people don't listen to ports 21 (ftp), 135 (epmap), 389 (ldap), 1002, and 1720 on a browser station.

    James.
  • bwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited February 21, 2006
    update: 1528 comments and rising.

    looks like the deck is stacked against me.
    Pedal faster
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    ldap 389 can be from netmeeting, which has a known hole, I bet that is someone's system that has been hijacked.

    James.
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited February 21, 2006
    JamesJWeg wrote:
    from what I see in my own site log I suspect this is the direct source

    Sachsen, Leipzig, Germany
    p54B9A603.dip0.t-ipconnect.de (84.185.166.3)

    It is a Windows 2000 box, it has been hitting my page for a duration of 0 sec, and it has plenty of open ports that a normal workstation would not be listening to.

    James.

    Hey, hey easy! That's me!! I clicked on your link to see if you've got site pw turned on too!

    EDIT: Statcounter lists 0sec when someone comes to your main page and doesn't click on any other page by just closing the browser.
    Sebastian
    SmugMug Support Hero
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    Hey, hey easy! That's me!! I clicked on your link to see if you've got site pw turned on too!
    If that is you, why is your system listening to those ports? ftp? ldap? epmap? 1002? 1720?

    James.

    Did you go to my site more than once? To the root only? that is what drew my attention, more than once, right before I got another spam round. Are you running anti spyware? or are you just really using your system :D
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited February 21, 2006
    JamesJWeg wrote:
    ldap 389 can be from netmeeting, which has a known hole, I bet that is someone's system that has been hijacked.

    James.
    That's my server and windows update hasn't been working for me anymore for quite some time (just hangs while searching for updates)...looks like I gotta install some patches manually.
    I'm sure it hasn't been hijacked though.

    Sebastian
    Sebastian
    SmugMug Support Hero
  • Andy Registered Users Posts: 50,016 Major grins
    edited February 21, 2006
    Francois wrote:
    This kind of 'marketing' goes in the same range as the Osamas of this world...... just terrorizing innocent people for the heck of it. Nobody in his right mind is ever going to use one of these casino links they put in our comments.... so it is a totally futile and criminal action.

    Francois I love your new tagline:
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    That's my server and windows update hasn't been working for me anymore for quite some time (just hangs while searching for updates)...looks like I gotta install some patches manually.
    I'm sure it hasn't been hijacked though.

    Sebastian

    yeah then you better do some updates, that is why you research before you attack back, too easy to get the wrong one. If I were you I wouldn't browse from a server. Kinda odd that it only showed you hitting my root page and nothing else.

    James.
  • Andy Registered Users Posts: 50,016 Major grins
    edited February 21, 2006
    I've been told that situation has been controlled, and that the spam comments have been deleted. I looked at mine and Lee's accounts, appears so.

    More from Onethumb I'm sure.
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited February 21, 2006
    JamesJWeg wrote:
    If that is you, why is your system listening to those ports? ftp? ldap? epmap? 1002? 1720?

    James.

    Did you go to my site more than once? To the root only? that is what drew my attention, more than once, right before I got another spam round. Are you running anti spyware? or are you just really using your system :D
    Those spammers don't show on Statcounter. I've already checked that with my account. Just before the attack I had one visitor (look on the first page), but it's not very likely that it's the one spamming around - or you would have had that hit too.

    I can't recall if I hit your site more than once today, but I have visited it before and may still have the cookie.

    Why the many ports you ask? Because it's my server to which I can connect to when I'm not at home. Has the usual stuff, teamspeak server, ftp etc. But it for sure doesn't spam around.

    Sebastian
    Sebastian
    SmugMug Support Hero
  • peestandingup Registered Users Posts: 489 Major grins
    edited February 21, 2006
    bigwebguy wrote:
    enabling comment approval won't prevent you from getting them, but it will prevent them from showing up in your galleries..


    update: 1017 comments and still rising!
    If you enable comment approval, won't you be bombarded with approval emails?? If you turn off email notifications in your account settings, will you still get comment approval emails??

    BTW, I have only been hit 13 times so far. Is it because I already had my single photo comment link blocked using that code? He seems to only comment on single images & not galleries, in my case. And only hits the very first photo in my galleries, so that's why I only have 13 spams, methinks.

    BTW, payback's a mutha!! Let's get these creeps!!!
  • bwg Registered Users, Retired Mod Posts: 2,119 SmugMug Employee
    edited February 21, 2006
    JamesJWeg wrote:
    that is why you research before you attack back, too easy to get the wrong one.
    James.
    in other words, you need to know when to hold 'em, know when to fold 'em?





    sorry.
    Pedal faster
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    Andy wrote:
    I've been told that situation has been controlled, and that the spam comments have been deleted. I looked at mine and Lee's accounts, appears so.

    More from Onethumb I'm sure.

    Yup, nicely done, and fairly fast. That kind of attack is just a fact of life these days.

    James.
  • arthill Registered Users Posts: 62 Big grins
    edited February 21, 2006
    Stopping them temporarily
    I turned off allowing comments for all 500+ of my galleries after I got about 140 comments. That worked. I turned one gallery back on for comments and it started again.

    arthill.smugmug.com
    In theory, there is no difference between theory and practice. In practice, however, there is.
    In order to understand recursion, you first have to understand recursion.
    Art Hill
  • JamesJWeg Registered Users Posts: 795 Major grins
    edited February 21, 2006
    Those spammers don't show on Statcounter. I've already checked that with my account. Just before the attack I had one visitor (look on the first page), but it's not very likely that it's the one spamming around - or you would have had that hit too.

    I can't recall if I hit your site more than once today, but I have visited it before and may still have the cookie.

    Why the many ports you ask? Because it's my server to which I can connect to when I'm not at home. Has the usual stuff, teamspeak server, ftp etc. But it for sure doesn't spam around.

    Sebastian

    You might want to take another look at security, it looked pretty open to attack.

    James.