Damn Spam!

Referrer spam DoS from Israel


On 2005-05-22, 07:32:47 EDT, geeklog.net was hit by the first of several waves of referrer spam from 84.109.108.246. This first wave lasted only 4 seconds, but consisted of 20 requests, with the first 13 requests in the first second alone. Every single request came with a different user agent string, including silly things like "Mozilla/4.0 (compatible; X 10.0; Commodore 64)".

The reason for this? Referrer spam for a blog at blogspot.com. Fortunately, the blog's URL contained the phrase "online-casino", which we already block, for obvious reasons.

Strangely enough, the blog itself only contained a few sentences about online poker, but no links, JavaScripts, or other tricks.

Further waves arrived at 07:37:41, 08:18:48, 10:41:32, 10:45:13, 15:32:01, 15:36:20, 15:39:41, 15:44:10, 15:47:14, 15:51:30, 15:54:36, 15:58:59, 16:01:56, 16:06:19, 16:09:08, 16:13:13, 16:16:11, 16:20:06, 16:23:02, 16:27:08 (all times EDT), always in waves of about 20 requests within a few seconds. I don't know about you, but I would call this a DoS attack (not DDoS, as all the requests came from a single IP address).

At 16:48:02 EDT, another 20 requests came from the same IP, this time spamming for best-craps.mcr8.com, but I missed it since I was only looking for the blogspot.com spams. Again, fortunately, this was already caught by an existing .htaccess rule.
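The two signals described so far (bursts of roughly 20 requests from one IP within a few seconds, each with a different user agent, and referrer URLs that match a keyword blocklist such as "online-casino") are easy to check for automatically. The following Python script is an added example, not code from the original post or from Geeklog: it parses Apache "combined" format log lines, groups them by client IP, flags any window of `window_seconds` that holds at least `threshold` requests, and reports how many distinct user agents and how many blocklisted referrers that burst carried. The sample log lines are constructed for this example (documentation IPs 203.0.113.5 and 198.51.100.7, made-up example.com referrers); the thresholds and the blocklist words are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "request" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that mark a referrer as spam (assumed list; the post blocks "online-casino").
REFERRER_BLOCKLIST = ("online-casino", "craps", "poker")

# Constructed sample lines (not from the post's server): one ordinary visitor plus a
# 12-request burst from a single IP inside 4 seconds with a different user agent each time.
SAMPLE_LOG = """\
198.51.100.7 - - [22/May/2005:07:30:01 -0400] "GET / HTTP/1.1" 200 6120 "http://www.example.org/links.html" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"
203.0.113.5 - - [22/May/2005:07:32:47 -0400] "GET / HTTP/1.1" 200 6120 "http://online-casino-tips.example.com/" "Mozilla/4.0 (compatible; X 10.0; Commodore 64)"
203.0.113.5 - - [22/May/2005:07:32:47 -0400] "GET / HTTP/1.1" 200 6120 "http://online-casino-tips.example.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [22/May/2005:07:32:47 -0400] "GET /index.php HTTP/1.1" 200 6120 "http://online-casino-tips.example.com/" "Opera/7.54 (Windows NT 5.1; U)"
203.0.113.5 - - [22/May/2005:07:32:47 -0400] "GET /index.php HTTP/1.1" 200 6120 "http://online-casino-tips.example.com/" "Lynx/2.8.5rel.1 libwww-FM/2.14"
203.0.113.5 - - [22/May/2005:07:32:47 -0400] "GET / HTTP/1.1" 200 6120 "http://online-casino-tips.example.com/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/125"
203.0.113.5 - - [22/May/2005:07:32:47 -0400] "GET / HTTP/1.1" 200 6120 "http://online-casino-tips.example.com/" "Mozilla/4.7 [en] (WinNT; I)"
203.0.113.5 - - [22/May/2005:07:32:48 -0400] "GET / HTTP/1.1" 200 6120 "http://online-casino-tips.example.com/" "Konqueror/3.3; Linux"
203.0.113.5 - - [22/May/2005:07:32:48 -0400] "GET / HTTP/1.1" 200 6120 "http://best-craps.example.net/" "Mozilla/5.0 (Windows; U; Win98; en-US) Netscape/7.1"
203.0.113.5 - - [22/May/2005:07:32:49 -0400] "GET / HTTP/1.1" 200 6120 "http://best-craps.example.net/" "Mozilla/3.0 (compatible; AvantGo 3.2)"
203.0.113.5 - - [22/May/2005:07:32:50 -0400] "GET / HTTP/1.1" 200 6120 "http://online-casino-tips.example.com/" "amaya/8.1 libwww/5.4.0"
203.0.113.5 - - [22/May/2005:07:32:50 -0400] "GET / HTTP/1.1" 200 6120 "http://online-casino-tips.example.com/" "Mozilla/4.0 (compatible; MSIE 5.5; AOL 9.0)"
203.0.113.5 - - [22/May/2005:07:32:51 -0400] "GET / HTTP/1.1" 200 6120 "http://online-casino-tips.example.com/" "Mozilla/5.0 (compatible; Konqueror/3.2; FreeBSD)"
198.51.100.7 - - [22/May/2005:07:33:12 -0400] "GET /article.php?story=20050522 HTTP/1.1" 200 9870 "http://www.example.org/links.html" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"
198.51.100.7 - - [22/May/2005:07:40:45 -0400] "GET /comment.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def referrer_blocked(ref, blocklist=REFERRER_BLOCKLIST):
    """Same decision an .htaccess referrer rule makes: does the referrer contain a blocked word?"""
    ref = ref.lower()
    return any(word in ref for word in blocklist)


def find_bursts(lines, threshold=10, window_seconds=5, ua_ratio=0.8):
    """Find per-IP windows holding at least `threshold` requests within `window_seconds`.

    Each reported burst records request count, distinct user agents, whether the agents
    rotate (distinct/requests >= ua_ratio) and which blocklisted referrers it carried.
    """
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            by_ip[entry["ip"]].append(entry)

    window = timedelta(seconds=window_seconds)
    bursts = []
    for ip, entries in by_ip.items():
        entries.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(entries):
            # Extend j to cover every request within `window` of request i.
            j = i
            while j < len(entries) and entries[j]["ts"] - entries[i]["ts"] <= window:
                j += 1
            hits = entries[i:j]
            if len(hits) >= threshold:
                agents = {e["ua"] for e in hits}
                bursts.append({
                    "ip": ip,
                    "start": hits[0]["ts"],
                    "span_seconds": (hits[-1]["ts"] - hits[0]["ts"]).total_seconds(),
                    "requests": len(hits),
                    "distinct_user_agents": len(agents),
                    "rotating_user_agents": len(agents) / len(hits) >= ua_ratio,
                    "blocked_referrers": sorted(
                        {e["ref"] for e in hits if referrer_blocked(e["ref"])}
                    ),
                })
                i = j  # skip past this burst so it is reported once
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"{burst['ip']}: {burst['requests']} requests in {burst['span_seconds']:.0f}s "
              f"starting {burst['start']:%H:%M:%S}, {burst['distinct_user_agents']} user agents"
              f"{' (rotating)' if burst['rotating_user_agents'] else ''}, "
              f"blocked referrers: {burst['blocked_referrers']}")
```

Run against a real access log with `find_bursts(open("access.log").readlines())`; a burst whose referrers all hit the blocklist is already being refused by the .htaccess rule, while a burst with rotating user agents and referrers that are not yet on the list is the case worth a new rule or a report to the ISP.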

Insufficient abuse handling

I tried to complain at blogspot.com but couldn't find an abuse contact there. Eventually, I had to settle for the standard contact form, for which you also have to have a blogspot.com account (which I had). I got an automated response, but the blog is still up 48 hours later.

This is completely unacceptable abuse handling on Blogger's part. First of all, there should be a proper abuse contact, preferably an email address or at least a web form that does not require you to be registered with them (and that's tailored for reporting abuse). Blogs at blogspot.com are used a lot in spam and referrer spam these days (amidst all of the above, I saw more referrer spam for other blogspot.com blogs, just not as obtrusive). Blogger really has to get its act together here, and the addition of CAPTCHAs on the sign-in form is certainly not enough.

My next point of contact was the offender's ISP, Bezeq International in Israel. I got an automated reply in response to my abuse report. Half of that reply was in Hebrew, btw, but it fortunately also contained a lengthy section in English. In addition to outlining how to report abuse and what to include with the report and what to leave out (I had already included relevant portions of our server's logfiles), it also promised a response within 48 hours.

Now, I understand that a timely response is not always possible and that this auto reply only covered the basics, but I find a 48 hour response time unacceptable when you're under attack. What if our "friend" here had decided to increase his efforts?

Days 2 and 3

After what was probably a good night's sleep, our Israeli friend started again at 02:14:31 EDT (09:14am in Israel), again for best-craps.mcr8.com, followed by spam for the blogspot.com blog at 02:22:47 EDT. Same IP address, 20 requests at a time within a few seconds, rotating user agent strings. And so it went on throughout the second day, until the last wave ended at 13:13:24 EDT.

And he's back today, so far with 3 waves for play.mcr8.com (different subdomain), 30 requests at a time now, same IP address, rotating user agents.

So it's time to have a closer look at that domain, mcr8.com. It's registered with GoDaddy, and the details of the owner are hidden behind a proxy service (DomainsByProxy.com). So no-go here. The spamvertized subdomains display a page with lots of poker-related links, all of which go to html pages or other subdomains on mcr8.com. The only exception is an option to add this page to "My Yahoo". As with the blog, there are no signs of affiliate IDs or sneaky redirects (which leaves open the question of what the actual point of the exercise is).

And where is that domain hosted? On 62.219.82.8 which is - surprise, surprise - Bezeq International, Israel, again. The server is still up, btw, but then again I only complained to Bezeq about the referrer spam for the blogspot.com address and didn't include the ones for mcr8.com.

This is not over yet

Lesson learned: Always check all the evidence before sending an abuse report and then include it all when sending it. Even (or: especially) when you're in the middle of a DoS attack.

Still, the abuse handling I have seen from both parties involved has been poor, to say the least. I'll give Bezeq another chance by sending them the information about mcr8.com (and if they don't act now, I can only assume that they're with the Bad Guys). Don't know what to do with Blogger / blogspot.com. I don't really feel like filling in yet another inappropriate form and hoping for the best ...

Trackback URL for this entry: http://spam.tinyweb.net/trackback.php/referrer-spam-dos-from-israel
Comments (1)

The final acts ...

On Day 4 of the spamming I finally got a non-automated reply from Bezeq, asking me for "more detailed logs" and "logs of different IPs". Needless to say I had been sending them logfiles all along and mentioned several times that it all came from the same IP address. The reply even quoted my last email to them, including the logfile entries I sent them ...

So I summarized the events one more time, pointed them to the above article here and included even more logfile entries (which weren't many, as our "friend" seemed to finally have given up just then). To this, I got another reply on the next day(!), thanking me for my patience and announcing that requests from that IP would stop "in the next few hours".

Well, as I said, the spammer had already stopped by himself by then. The site mcr8.com is still up, as is the blog on blogspot.net.

So, Bezeq may not be with the Bad Guys, but their abuse department is pretty useless and bordering on being incompetent. I actually did some reading up on them and apparently they're a government-owned company that took over the better parts of the former Israeli telecoms monopoly when that was privatised. Similar constructs exist in other countries (e.g. with Deutsche Telekom in Germany), and they all seem to suffer from the same slow change in mindset when being transformed from a government body to a business enterprise. Let's hope they get their act together eventually ...

Authored by: Dirk on Friday, May 27 2005 @ 20:41 CEST

Copyright © 2008 Damn Spam! Powered By Geeklog