Solved

What's going on!?

Posted on 2006-11-30
13
190 Views
Last Modified: 2010-04-12
Folks,

I'm hosting a couple of Web Sites with CrystalTech. I recently got an e-mail from them telling their customers that they had been subjected to a DDoS attack.

My own site is not too dissimilar to EE in the sense that it allows people to sign up and sends out a notification with a Verification link that they need to click on to activate the account.

In the last couple of weeks, I have a consistent trickle of two to four signups a day. Every time, they use an e-mail address as their login (something we strongly discourage as we, just like EE, do never display the actual e-mail address entered in the appropriate box, but of course if you use an e-mail address as your username, what can one do, eh?)

The e-mail address is typically somedork@yahoo.com or somemoron@aol.com and so on.

None of them ever bother to activate their accounts. So I delete them again.

But what I'm wondering is, what might be happening here? What are they, or what is "it", trying to achieve by signing up like this all the time!? It or they obviously never participate.

A friend of mine, also hosting with CrystalTech, was using a catch-all e-mail account. Yesterday he had to disable this as his SPAM exploded to about 1,000 mails per minute.

Anybody got any news on something out there that has recently started causing havoc?
0
Comment
Question by:WernerVonBraun
  • 7
  • 6
13 Comments
 
LVL 8

Expert Comment

by:jako
ID: 18047698
I suspect that these are the signs of growing trend of programmatic bulletin board spamming. Include the Captcha (http://en.wikipedia.org/wiki/Captcha) into the registration and you won't see them (until they figure out how to OCR these or pay some poor moron to aid them with the OCR. Captchas without the distortion on them have already fallen victim to some OCR specialist leechers http://captcha.megaleecher.net/ :)
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18052311
Hm. Ok. Well so far they haven't succeeded for the simple fact that they never validate their accounts.

I'll ask CrystalTech whether they have resources for CAPTCHAs that I could use.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18103061
Whoever it is, they're not very smart. They always use an e-mail address as their username. It's the same e-mail address as the one they use for registering. I'm now blocking the option to enter a username with an "@" symbol in it. Every time someone tries, I send myself a notification. This is the last one I got:

Subject: Some Wanker Is Trying It Again


Wanker: gonitmile@yahoo.com

Using Password: ndfpvkyp

Using E-mail Address: gonitmile@yahoo.com


There are three small textboxes on that form. The above three bits of information are *all* that is entered; I HTMLEncode them before sending them on to myself. It is obvious that they cannot succeed in using the form itself for any mass-mailing purpose. But they keep coming back. What is it about my site that keeps attracting this "bot" or whatnot?!
0
 
LVL 8

Expert Comment

by:jako
ID: 18113828
It is an attempt most probably tied to spam. Either to harvest e-mail addresses off the user profiles (since a non-member wouldn't get to see them) or, if e-mail harvesting doesn't work,  possibly spread it's spam right there on the forum.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18113846
Ah well. Good luck to 'em. No user ever gets to see any e-mail address other than their own, and in order to spread any spam the very least they should do is follow the instruction in the verification mail because otherwise their login won't be activated. Anyhoo. I now reject these new IDs out of hand. At least they're consistently stupid....
0
 
LVL 8

Expert Comment

by:jako
ID: 18113860
... stupid or their bot generates too much failures so that to go through all of them manually, tweaking the script for higher success rate doesn't pay off and they are happy with address lists that they do get.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 8

Expert Comment

by:jako
ID: 18113867
btw, whatever forum scripts you run, don't forget to check for updates and patches. regularly.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18113949
> btw, whatever forum scripts you run, don't forget to check for updates and patches. regularly.

Huh? That one went over my head, I'm afraid.

Oh. I think I see. You mean updates and patches to the forum software? I don't need to. Dumbo here wrote the lot himself.... <g>
0
 
LVL 8

Accepted Solution

by:
jako earned 50 total points
ID: 18114093
it puzzles me for if you're not using something popular off_the_shelf forum software, why would their script think it would be successful in harvesting your site.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18114192
Beats me. Maybe it looks similar enough to something off-the-shelf to fool something into believing it is. Judge for yourself: www.carobit.com

a bit of history: back in the year dot it looked for a while like EE might go under. I created Carobit back then so that if the worst happened, the community could find a new home. It never did, but Carobit is still around. I eventually got rid of its point system - no pun intended but.... it was a bit pointless - and re-focused Carobit on having a bit of fun outside the daily grind. You'll find there is a small core of dedicated friends still hanging around the Lounge there :-)
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18164923
They're still trying. It's obviously a 'bot. A human would have copped on by now.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18292381
<shrug>

Frequency has gone down a bit. They're still trying, but I gather they're starting to process the feedback telling them it's goin' nowhere.
0
 
LVL 8

Expert Comment

by:jako
ID: 18292483
thank you for the closure (even though the users scanning for answers to their similar problems might find previous postings of mine more relevant and therefore I advise them to read the whole thread from the beginning http://www-new.experts-exchange.com/Security/Vulnerabilities/Q_22077586.html#18047698 )

and stay secure ;)
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now