Spammer Hassles/Posting Issues

6
1117
Print Friendly, PDF & Email

Morning, everyone!

I wanted to hip you all to a slight problem we’ve been having with spam, specifically the spammer in the image accompanying this little note. I put “Rio” in the trash but that caused many legitimate posts to also get forwarded there for some reason. Hopefully, that’s been corrected. My apologies for “Rio” – who has received something special in the mail from me as a thank-you.

-Eric

 

 

6 COMMENTS

  1. After thinking about it a bit more, I can tell you what I think I’d do, given my history and skillset, but it might not be much help to you:

    I’d turn an old laptop into a server in my garage, always on the internet, something I completely control, running linux, but no servers but *one* that receives *everything* to be “moderated”. I’d configure WP (somehow) to send all moderated posts to this server. This server would run programs I would write and maintain, likely Perl and shell scripts, to impose my arbitrary, capricious, and every changing rules on all posts, sending “approved” posts back to WP, and trashing/archiving all else.

    Now it’s semi-automated, so it can deal with volume in a timely manner, without enslaving me (too much). It can reject or approve a post based on any kind of rule I can define in perl (very text matching language), and send que the remainder for my personal attention, which I would look at to change the scripts to deal with it in future.

    You could even give trusted posters “code” text to insert in their posts which would be stripped from their post, and would ensure it’s approval.

    I’ve done this sort of thing before, back when I used to use email (pre 2000).
    I quit using email for a reason, but I have more time now than I did then. If I start using it again, it will be after I build my own mail server… again. I’ve higher priorities here, but if I ran a blog, I think that’s what I’d do.

  2. I don’t really know the first thing about WP, but I do have long experience securing servers from network attacks. I was just pointing out that the three posts in your snapshot mention is IP address, and all three are the same. Packets on the internet are routed (sent down the correct pipe to the next router) based on the “block” of sequencial numeric IP addresses that it’s a part of (BGP4). The IP that spammer was using gets routed to “In Motion Hosting” in El Sugundo, so it’s likely not a personal computer, but rather a server being hosted there. I can see that server is running a web server, multiple different kinds of mail services, a file transfer server, and a database server (sql).

    I’m guessing hackers found a bug in one of those programs, and used it to get control of the computer, and then sold access to spammers (who are likely not in El Sugundo). The guy paying the bill for that server probably has no clue that any of this happened, and that “his” computer aint really his anymore.

    Used to be, a *long* time ago, reporting this to “In Motion Hosting” would resolve the problem. (might be worth a try, I quit doing that around 1999, life’s too short) These days no one cares as long as the bill is payed.

    I don’t really have any good ideas on solving the problem, mostly because I don’t know anything about WP or your server(s). I was never able to get any real security until I physically controlled all the hardware involved. (and BGP4 gateways) Even then it was work.

    The bottom line is: Security is a “cat and mouse” game. No matter what they do, you can stop them. No matter what you do to stop them, they will eventually find a way around it. Rinse and repeat. A full time job. Security matters though, so we do it. Especially when it becomes existential. Draining and upsetting, so… where possible it tends to escalate to “final solutions”.

    “In a fourth turning, one side is vanquished”

  3. Whatever you’re doing now, you seem to be finally letting me through after literally years of being blocked. (This is partly a test to confirm that I’m really getting through.)

  4. further: it’s running “Pure-FTPd”, Exim (mail), and MariaDB (sql), so it’s almost certainly a *nix derivative, but it’s *not* running ssh, so the admin is likely clueless. (seriously, nobody runs ftp anymore for security reasons)

  5. 199.250.207.248 belongs to a hosting service in El Segundo.
    Very likely a compromised server now “powned” by a hacker or botnet.
    It is running theses services:
    PORT STATE SERVICE
    21/tcp open ftp
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop3
    143/tcp open imap
    443/tcp open https
    465/tcp open smtps
    587/tcp open submission
    993/tcp open imaps
    995/tcp open pop3s
    3306/tcp open mysql

    That’s a lot of crap so it’s likely unsecurable.

    • Hi Fido,

      I wishI had the first clue what you just said!

      This particular spammer manages to get through the WP fence, even when I add its URL and so on to the “moderate” tool. Any thoughts?

LEAVE A REPLY

Please enter your comment!
Please enter your name here