[Dshield] Under attack from bloggers

Malcolm Warden malcolm.warden at virgin.net
Wed Feb 1 13:49:47 GMT 2006


Thanks everyone for your very full comments. I am on digest so could not reply before now.
Please excuse the consolidated reply to several postings!


> It is the member list pages that they are after infecting. 
> There are some scripts out there that will then if succesful try and log in
> and create spam posts, but the member list page on my test blog was full up
> within weeks and I think this was their main aim (second unproven
> assumption).

Plenty of discussion on the phpbb list but common agreement that the first purpose of these 
things is to create a user with a web-link in the signature.
Agreed defence is: 
 Turn on visual confirmation (but some robots can now defeat this)
 Require confirmation e-mail for registration (again not 100% any more)
 Prohibit new users from adding a signature with a link
 Confuse robot registration (see below)
 'Hide' all users in the memberlist that have not used the confirmation e-mail
 (and extreme view - hide user until submitted nn posts)

> 
> To get round the problem was quite simple in the end, and it's the same sort
> of thing I did with most of my blogger installations...
> i. Do a search and replace for the sign up page filename and change it to
> something completely different. (Instead of signup.php for example, change
> it to 42theanswer.php).
There is a published phpbb mod to change the _POST variable 'confirm' on the signup page 
to something else.
I have done this - and also drop the session and ban the ip address if 'confirm' shows up as 
a field in the data.

> 
> As regards to Blogger, I have been an active advisor on a number of blogger
> forums for some while and it has been a problem that has incresed more since
> Google took over. But this was simply down to the massive uptake by Joe
> Public to get a blogger blog.
> At first Blogger didn't have any verification steps during the submission of
> a comment or trackback, but now they have. Since they installed that
> feature, it has dropped a lot, but is still open to abuse.
I was only expecting to bounce a few robots in my quiet backwater of the internet so I 
intalled a routine to e-mail me about each one. What a mistake that was!
So far a fairly consistent 93% of them point back to blogger (I won't name the remainder 
since it would put this e-mail into everyone's spam box)
Each of the pages that I have looked at is pure junk - English words but nonsense and full of 
links.

> They also have a report button on their taskbar which allows you to report a
> Spam Blog (the new correct term for the spam blog escapes me right now).
I'm just writing the routine to log to a file rather than e-mail me each time. I'll try your contact 
suggestion and, if I get anywhere, I'll have a full file of junk blogs to give them. 

>Drop a mail to blogger_user_support at yahoogroups.com and someone on there
>might be able to help you out. They (google or Blogger) are quite good at
>taking action about violations of AUP, IF and only IF you can find the
>damn email address to report to).
I will let the list know if I get any success.

Thanks for everyone's comments

Watch this space....

Mal

-- Malcolm Warden

[P] 01608 685592
[F] 01608 685595
[M] 07905 185406




More information about the list mailing list