Solved

What's going on!?

Posted on 2006-11-30
Last Modified: 2010-04-12
Folks,

I'm hosting a couple of Web Sites with CrystalTech. I recently got an e-mail from them telling their customers that they had been subjected to a DDoS attack.

My own site is not too dissimilar to EE in the sense that it allows people to sign up and sends out a notification with a Verification link that they need to click on to activate the account.

In the last couple of weeks, I have had a consistent trickle of two to four signups a day. Every time, they use an e-mail address as their login (something we strongly discourage as we, just like EE, never display the actual e-mail address entered in the appropriate box, but of course if you use an e-mail address as your username, what can one do, eh?)

The e-mail address is typically somedork@yahoo.com or somemoron@aol.com and so on.

None of them ever bother to activate their accounts. So I delete them again.

But what I'm wondering is, what might be happening here? What are they, or what is "it", trying to achieve by signing up like this all the time!? It or they obviously never participate.

A friend of mine, also hosting with CrystalTech, was using a catch-all e-mail account. Yesterday he had to disable this as his SPAM exploded to about 1,000 mails per minute.

Anybody got any news on something out there that has recently started causing havoc?
0
Question by:WernerVonBraun
13 Comments
 
LVL 8

Expert Comment

by:jako
ID: 18047698
I suspect that these are the signs of a growing trend of programmatic bulletin board spamming. Include a Captcha (http://en.wikipedia.org/wiki/Captcha) in the registration and you won't see them (until they figure out how to OCR these or pay some poor moron to aid them with the OCR). Captchas without the distortion on them have already fallen victim to some OCR specialist leechers: http://captcha.megaleecher.net/ :)
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18052311
Hm. Ok. Well so far they haven't succeeded for the simple fact that they never validate their accounts.

I'll ask CrystalTech whether they have resources for CAPTCHAs that I could use.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18103061
Whoever it is, they're not very smart. They always use an e-mail address as their username. It's the same e-mail address as the one they use for registering. I'm now blocking the option to enter a username with an "@" symbol in it. Every time someone tries, I send myself a notification. This is the last one I got:

Subject: Some Wanker Is Trying It Again


Wanker: gonitmile@yahoo.com

Using Password: ndfpvkyp

Using E-mail Address: gonitmile@yahoo.com


There are three small textboxes on that form. The above three bits of information are *all* that is entered; I HTMLEncode them before sending them on to myself. It is obvious that they cannot succeed in using the form itself for any mass-mailing purpose. But they keep coming back. What is it about my site that keeps attracting this "bot" or whatnot?!
0
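As an added example (not code from the thread or from the site it describes), the check described in the post above can be sketched in Python: reject usernames containing "@", build an HTML-encoded admin notification that leaves out the submitted password, and list accounts that were never activated so they can be cleaned up. The function names, the username character set and the seven-day cut-off are assumptions.

```python
import html
import re
from datetime import datetime, timedelta

# Allowlist for usernames; the exact character set and length are assumptions.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,30}")

def check_signup(username, email):
    """Return (accepted, reason) for a registration attempt."""
    name = username.strip()
    if "@" in name:
        # The rule from the post: an e-mail address is not a valid username.
        return False, "username contains @"
    if not USERNAME_RE.fullmatch(name):
        return False, "username has disallowed characters or length"
    if "@" not in email:
        return False, "e-mail address is malformed"
    return True, "ok"

def build_notice(username, email, reason):
    """Admin notification with HTML-encoded fields; the password is left out."""
    return "Rejected signup ({}): username={} email={}".format(
        reason, html.escape(username), html.escape(email))

def stale_unverified(accounts, now, max_age=timedelta(days=7)):
    """Usernames of accounts not activated within max_age of creation."""
    return [a["username"] for a in accounts
            if not a["verified"] and now - a["created"] > max_age]

# Constructed sample data, not taken from the site in the thread.
NOW = datetime(2006, 12, 10)
ACCOUNTS = [
    {"username": "alice", "created": NOW - timedelta(days=30), "verified": True},
    {"username": "x1@example.com", "created": NOW - timedelta(days=9), "verified": False},
    {"username": "bob", "created": NOW - timedelta(days=2), "verified": False},
]

if __name__ == "__main__":
    ok, why = check_signup("x2@example.com", "x2@example.com")
    if not ok:
        print(build_notice("x2@example.com", "x2@example.com", why))
    print(stale_unverified(ACCOUNTS, NOW))
```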
 
LVL 8

Expert Comment

by:jako
ID: 18113828
It is an attempt most probably tied to spam. Either to harvest e-mail addresses off the user profiles (since a non-member wouldn't get to see them) or, if e-mail harvesting doesn't work, possibly spread its spam right there on the forum.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18113846
Ah well. Good luck to 'em. No user ever gets to see any e-mail address other than their own, and in order to spread any spam the very least they should do is follow the instruction in the verification mail because otherwise their login won't be activated. Anyhoo. I now reject these new IDs out of hand. At least they're consistently stupid....
0
 
LVL 8

Expert Comment

by:jako
ID: 18113860
... stupid, or their bot generates so many failures that going through all of them manually and tweaking the script for a higher success rate doesn't pay off, and they are happy with the address lists that they do get.
0
 
LVL 8

Expert Comment

by:jako
ID: 18113867
btw, whatever forum scripts you run, don't forget to check for updates and patches. regularly.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18113949
> btw, whatever forum scripts you run, don't forget to check for updates and patches. regularly.

Huh? That one went over my head, I'm afraid.

Oh. I think I see. You mean updates and patches to the forum software? I don't need to. Dumbo here wrote the lot himself.... <g>
0
 
LVL 8

Accepted Solution

by:
jako earned 50 total points
ID: 18114093
It puzzles me, for if you're not using some popular off-the-shelf forum software, why would their script think it would be successful in harvesting your site?
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18114192
Beats me. Maybe it looks similar enough to something off-the-shelf to fool something into believing it is. Judge for yourself: www.carobit.com

A bit of history: back in the year dot it looked for a while like EE might go under. I created Carobit back then so that if the worst happened, the community could find a new home. It never did, but Carobit is still around. I eventually got rid of its point system - no pun intended but.... it was a bit pointless - and re-focused Carobit on having a bit of fun outside the daily grind. You'll find there is a small core of dedicated friends still hanging around the Lounge there :-)
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18164923
They're still trying. It's obviously a 'bot. A human would have copped on by now.
0
 
LVL 4

Author Comment

by:WernerVonBraun
ID: 18292381
<shrug>

Frequency has gone down a bit. They're still trying, but I gather they're starting to process the feedback telling them it's goin' nowhere.
0
 
LVL 8

Expert Comment

by:jako
ID: 18292483
thank you for the closure (even though the users scanning for answers to their similar problems might find previous postings of mine more relevant and therefore I advise them to read the whole thread from the beginning http://www-new.experts-exchange.com/Security/Vulnerabilities/Q_22077586.html#18047698 )

and stay secure ;)
0
