Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

What's going on!?

Posted on 2006-11-30
13
Medium Priority
?
199 Views
Last Modified: 2010-04-12
Folks,

I'm hosting a couple of Web Sites with CrystalTech. I recently got an e-mail from them telling their customers that they had been subjected to a DDoS attack.

My own site is not too dissimilar to EE in the sense that it allows people to sign up and sends out a notification with a Verification link that they need to click on to activate the account.

In the last couple of weeks, I have a consistent trickle of two to four signups a day. Every time, they use an e-mail address as their login (something we strongly discourage as we, just like EE, do never display the actual e-mail address entered in the appropriate box, but of course if you use an e-mail address as your username, what can one do, eh?)

The e-mail address is typically somedork@yahoo.com or somemoron@aol.com and so on.

None of them ever bother to activate their accounts. So I delete them again.

But what I'm wondering is, what might be happening here? What are they, or what is "it", trying to achieve by signing up like this all the time!? It or they obviously never participate.

A friend of mine, also hosting with CrystalTech, was using a catch-all e-mail account. Yesterday he had to disable this as his SPAM exploded to about 1,000 mails per minute.

Anybody got any news on something out there that has recently started causing havoc?
0
Comment
Question by:WernerVonBraun
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
13 Comments
 
LVL 8

Expert Comment

by:jako
ID: 18047698
I suspect that these are the signs of growing trend of programmatic bulletin board spamming. Include the Captcha (http://en.wikipedia.org/wiki/Captcha) into the registration and you won't see them (until they figure out how to OCR these or pay some poor moron to aid them with the OCR. Captchas without the distortion on them have already fallen victim to some OCR specialist leechers http://captcha.megaleecher.net/ :)
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18052311
Hm. Ok. Well so far they haven't succeeded for the simple fact that they never validate their accounts.

I'll ask CrystalTech whether they have resources for CAPTCHAs that I could use.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18103061
Whoever it is, they're not very smart. They always use an e-mail address as their username. It's the same e-mail address as the one they use for registering. I'm now blocking the option to enter a username with an "@" symbol in it. Every time someone tries, I send myself a notification. This is the last one I got:

Subject: Some Wanker Is Trying It Again


Wanker: gonitmile@yahoo.com

Using Password: ndfpvkyp

Using E-mail Address: gonitmile@yahoo.com


There are three small textboxes on that form. The above three bits of information are *all* that is entered; I HTMLEncode them before sending them on to myself. It is obvious that they cannot succeed in using the form itself for any mass-mailing purpose. But they keep coming back. What is it about my site that keeps attracting this "bot" or whatnot?!
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 
LVL 8

Expert Comment

by:jako
ID: 18113828
It is an attempt most probably tied to spam. Either to harvest e-mail addresses off the user profiles (since a non-member wouldn't get to see them) or, if e-mail harvesting doesn't work,  possibly spread it's spam right there on the forum.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18113846
Ah well. Good luck to 'em. No user ever gets to see any e-mail address other than their own, and in order to spread any spam the very least they should do is follow the instruction in the verification mail because otherwise their login won't be activated. Anyhoo. I now reject these new IDs out of hand. At least they're consistently stupid....
0
 
LVL 8

Expert Comment

by:jako
ID: 18113860
... stupid or their bot generates too much failures so that to go through all of them manually, tweaking the script for higher success rate doesn't pay off and they are happy with address lists that they do get.
0
 
LVL 8

Expert Comment

by:jako
ID: 18113867
btw, whatever forum scripts you run, don't forget to check for updates and patches. regularly.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18113949
> btw, whatever forum scripts you run, don't forget to check for updates and patches. regularly.

Huh? That one went over my head, I'm afraid.

Oh. I think I see. You mean updates and patches to the forum software? I don't need to. Dumbo here wrote the lot himself.... <g>
0
 
LVL 8

Accepted Solution

by:
jako earned 200 total points
ID: 18114093
it puzzles me for if you're not using something popular off_the_shelf forum software, why would their script think it would be successful in harvesting your site.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18114192
Beats me. Maybe it looks similar enough to something off-the-shelf to fool something into believing it is. Judge for yourself: www.carobit.com

a bit of history: back in the year dot it looked for a while like EE might go under. I created Carobit back then so that if the worst happened, the community could find a new home. It never did, but Carobit is still around. I eventually got rid of its point system - no pun intended but.... it was a bit pointless - and re-focused Carobit on having a bit of fun outside the daily grind. You'll find there is a small core of dedicated friends still hanging around the Lounge there :-)
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18164923
They're still trying. It's obviously a 'bot. A human would have copped on by now.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18292381
<shrug>

Frequency has gone down a bit. They're still trying, but I gather they're starting to process the feedback telling them it's goin' nowhere.
0
 
LVL 8

Expert Comment

by:jako
ID: 18292483
thank you for the closure (even though the users scanning for answers to their similar problems might find previous postings of mine more relevant and therefore I advise them to read the whole thread from the beginning http://www-new.experts-exchange.com/Security/Vulnerabilities/Q_22077586.html#18047698 )

and stay secure ;)
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question