Solved

What's going on!?

Posted on 2006-11-30
Last Modified: 2010-04-12
Folks,

I'm hosting a couple of Web Sites with CrystalTech. I recently got an e-mail from them telling their customers that they had been subjected to a DDoS attack.

My own site is not too dissimilar to EE in the sense that it allows people to sign up and sends out a notification with a Verification link that they need to click on to activate the account.

In the last couple of weeks, I have a consistent trickle of two to four signups a day. Every time, they use an e-mail address as their login (something we strongly discourage as we, just like EE, never display the actual e-mail address entered in the appropriate box, but of course if you use an e-mail address as your username, what can one do, eh?)

The e-mail address is typically somedork@yahoo.com or somemoron@aol.com and so on.

None of them ever bother to activate their accounts. So I delete them again.

But what I'm wondering is, what might be happening here? What are they, or what is "it", trying to achieve by signing up like this all the time!? It or they obviously never participate.

A friend of mine, also hosting with CrystalTech, was using a catch-all e-mail account. Yesterday he had to disable this as his SPAM exploded to about 1,000 mails per minute.

Anybody got any news on something out there that has recently started causing havoc?
Question by:WernerVonBraun
13 Comments
 
LVL 8

Expert Comment

by:jako
ID: 18047698
I suspect that these are the signs of a growing trend of programmatic bulletin board spamming. Include the Captcha (http://en.wikipedia.org/wiki/Captcha) into the registration and you won't see them (until they figure out how to OCR these or pay some poor moron to aid them with the OCR). Captchas without the distortion on them have already fallen victim to some OCR specialist leechers: http://captcha.megaleecher.net/ :)
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18052311
Hm. Ok. Well so far they haven't succeeded for the simple fact that they never validate their accounts.

I'll ask CrystalTech whether they have resources for CAPTCHAs that I could use.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18103061
Whoever it is, they're not very smart. They always use an e-mail address as their username. It's the same e-mail address as the one they use for registering. I'm now blocking the option to enter a username with an "@" symbol in it. Every time someone tries, I send myself a notification. This is the last one I got:

Subject: Some Wanker Is Trying It Again


Wanker: gonitmile@yahoo.com

Using Password: ndfpvkyp

Using E-mail Address: gonitmile@yahoo.com


There are three small textboxes on that form. The above three bits of information are *all* that is entered; I HTMLEncode them before sending them on to myself. It is obvious that they cannot succeed in using the form itself for any mass-mailing purpose. But they keep coming back. What is it about my site that keeps attracting this "bot" or whatnot?!
0
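The screening rule described in the post above, as an added example that is not part of the original thread or the site's own code: it rejects a username that contains "@" or equals the e-mail address, builds the HTML-encoded admin notice, and lists accounts that never activated. Function names, the 7-day window and the sample addresses are assumptions; unlike the notification quoted in the post, this notice leaves the submitted password out.

```python
import html
from datetime import datetime, timedelta

UNVERIFIED_TTL = timedelta(days=7)  # assumed window for unactivated accounts


def screen_signup(username, email):
    """Return the reasons to reject a signup (empty list means accept)."""
    reasons = []
    name = username.strip().lower()
    if "@" in name:
        reasons.append("username contains '@'")
    if name == email.strip().lower():
        reasons.append("username equals e-mail address")
    return reasons


def _clean(value):
    # Strip CR/LF so a crafted field cannot add lines to the notice,
    # then HTML-encode it as the post describes.
    return html.escape(value.replace("\r", " ").replace("\n", " "))


def build_notification(username, email, reasons):
    """Admin notice for a rejected signup; the password is never included."""
    return (
        "Rejected signup\n"
        f"Username: {_clean(username)}\n"
        f"E-mail: {_clean(email)}\n"
        f"Reasons: {'; '.join(reasons)}\n"
    )


def expired_unverified(accounts, now):
    """Usernames of accounts that never activated within UNVERIFIED_TTL."""
    return [a["username"] for a in accounts
            if not a["verified"] and now - a["created"] > UNVERIFIED_TTL]


# Constructed sample data, not taken from the site's logs
SAMPLE_ACCOUNTS = [
    {"username": "bot1@example.com", "verified": False,
     "created": datetime(2006, 11, 30)},
    {"username": "newcomer", "verified": False,
     "created": datetime(2006, 12, 14)},
    {"username": "regular", "verified": True,
     "created": datetime(2006, 1, 1)},
]
```
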
 
LVL 8

Expert Comment

by:jako
ID: 18113828
It is an attempt most probably tied to spam. Either to harvest e-mail addresses off the user profiles (since a non-member wouldn't get to see them) or, if e-mail harvesting doesn't work, possibly spread its spam right there on the forum.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18113846
Ah well. Good luck to 'em. No user ever gets to see any e-mail address other than their own, and in order to spread any spam the very least they should do is follow the instruction in the verification mail because otherwise their login won't be activated. Anyhoo. I now reject these new IDs out of hand. At least they're consistently stupid....
0
 
LVL 8

Expert Comment

by:jako
ID: 18113860
... stupid, or their bot generates too many failures, so that to go through all of them manually, tweaking the script for a higher success rate, doesn't pay off and they are happy with the address lists that they do get.
0
 
LVL 8

Expert Comment

by:jako
ID: 18113867
btw, whatever forum scripts you run, don't forget to check for updates and patches. regularly.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18113949
> btw, whatever forum scripts you run, don't forget to check for updates and patches. regularly.

Huh? That one went over my head, I'm afraid.

Oh. I think I see. You mean updates and patches to the forum software? I don't need to. Dumbo here wrote the lot himself.... <g>
0
 
LVL 8

Accepted Solution

by:
jako earned 200 total points
ID: 18114093
It puzzles me, for if you're not using some popular off-the-shelf forum software, why would their script think it would be successful in harvesting your site?
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18114192
Beats me. Maybe it looks similar enough to something off-the-shelf to fool something into believing it is. Judge for yourself: www.carobit.com

A bit of history: back in the year dot it looked for a while like EE might go under. I created Carobit back then so that if the worst happened, the community could find a new home. It never did, but Carobit is still around. I eventually got rid of its point system - no pun intended but.... it was a bit pointless - and re-focused Carobit on having a bit of fun outside the daily grind. You'll find there is a small core of dedicated friends still hanging around the Lounge there :-)
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18164923
They're still trying. It's obviously a 'bot. A human would have copped on by now.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18292381
<shrug>

Frequency has gone down a bit. They're still trying, but I gather they're starting to process the feedback telling them it's goin' nowhere.
0
 
LVL 8

Expert Comment

by:jako
ID: 18292483
thank you for the closure (even though the users scanning for answers to their similar problems might find previous postings of mine more relevant and therefore I advise them to read the whole thread from the beginning http://www-new.experts-exchange.com/Security/Vulnerabilities/Q_22077586.html#18047698 )

and stay secure ;)
0

Question has a verified solution.