spam resurfacing


AMDave
Joined: 22 Apr 05
Posts: 4
Credit: 100,075
RAC: 0
Message 8421 - Posted: 13 Jun 2008, 9:11:53 UTC

I am sure this would not be endorsed by the admins:

http://burp.boinc.dk/view_profile.php?userid=8131&key=Order-wellbutrin

Is there someone who can clean up that mess?
____________

Profile Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4253
Credit: 2,093,452
RAC: 0
Message 8428 - Posted: 13 Jun 2008, 22:59:44 UTC - in response to Message 8421.

Thanks, if you find any more of that please post about it.

Profile X-O-I
Joined: 13 May 07
Posts: 1
Credit: 348
RAC: 0
Message 8506 - Posted: 4 Jul 2008, 10:02:20 UTC - in response to Message 8428.

Thanks, if you find any more of that please post about it.


please check/remove users with id
9407 - 9533

I get spam with links to those users.

Profile Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4253
Credit: 2,093,452
RAC: 0
Message 8509 - Posted: 4 Jul 2008, 21:21:44 UTC - in response to Message 8506.
Last modified: 5 Jul 2008, 15:43:19 UTC

Thanks a lot for your report, appropriate action has been taken with regard to these users.

---

It turns out that a considerable amount of accounts have been created with the sole intent of spamming users here and elsewhere on the web. During this past week spambots have been automatically posting into webforms all over the net with links back to profiles created both manually and in an automated fashion in advance on the BURP website.
These actions have been carried out primarily by the use of two machines, one located in Russia and one in the US (masked security traces can be found in trace #3 and trace #4).
Additionally a botnet has been sending out emails appearing to originate from our mailserver with similar links back to profiles on this website. These mails do not originate from us (and a correctly set up anti-spam firewall will detect this automatically and reject the mail based on our SPF DNS records for the boinc.dk mailserver).

As a consequence we have taken the following actions:


  • The user and profiles database has been manually scanned for SPAM
  • 247 profiles and accounts have been removed due to severe violations of our policies
  • Involved IPs have been perma-banned and a notice sent to their ISP with enough details to allow them to contact the owners and issue a warning (the machines are probably infested with trojans and acting as part of a botnet).
  • Account creation has been temporarily disabled in order to avoid a repetition of this incident in the near future. The plan is to open up for account creation again later this year with a new set of rules (all accounts must have validated email addresses, creation can happen only based on an invitation from an existing member and users must enter a set of letters and numbers from a hard-to-read image in order to prove that they are humans).



We have received a lot of emails from people around the world who have been exposed to the spambot activity. The content in the mails we receive varies from helpful notices about the issue to swearing and threats.
I would like to make it perfectly clear that BURP can only take action with regard to content posted on our own domain (burp.boinc.dk). Any malicious use of services that are not located on this domain (for instance webforms hosted on your own website) is outside of our control. Hence we can only remove the offending profiles and users here - there is no way that we can or could have prevented the bots from posting to your webforms and forums, nor can we remove the links that they have posted.

That said, it is of course regrettable that the profiles were created and misused for spamming purposes. I'm sorry.

Profile Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4253
Credit: 2,093,452
RAC: 0
Message 8510 - Posted: 5 Jul 2008, 17:36:47 UTC - in response to Message 8509.
Last modified: 5 Jul 2008, 17:40:13 UTC

Additional information somewhat relevant in connection with this:


Below is a copy of the message sent to people who helped with the issue:

Thank you for your report about abuse of our user profile service.
The infringing profiles have been removed from our website and appropriate action taken in order to make a similar event less likely in the future.

The issue is, however, not entirely on our end and the removal of the profiles will not necessarily stop the SPAM that you receive. In order to avoid these issues in the future we suggest that you or your provider protect your webforms with a Captcha so that bots cannot automatically fill out the forms with SPAM.
If you received the SPAM as an email appearing to originate from our servers (addresses ending with the domain boinc.dk) we suggest that you install an SPF-aware anti-spam firewall. The boinc.dk domain and many other domains on the web have an SPF DNS entry which allows any such firewall to automatically detect and reject attempts to create fake emails appearing to originate from these domains.

For more information about the issue and what we have done about it have a look here:
http://burp.boinc.dk/forum_thread.php?id=1166&nowrap=true#8509

I'm terribly sorry about the grief that this has caused both you and us. Spam is a terrible waste of time and resources - I wish there was more we could do to fight the source of it.

Once again, thanks for your report.


Best regards

Janus Kristensen
BURP administrator
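
The SPF check recommended in the message above, as an added example that is not part of the original post or of BURP's configuration: a receiving filter compares the connecting IP against the sender domain's published SPF record. The domain `example.org`, its record, the IP addresses and the reject/quarantine policy are constructed assumptions, and only the `ip4`, `ip6` and `all` mechanisms are evaluated so the code runs without DNS.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups; example.org and its record are
# placeholders, not the real boinc.dk SPF entry.
SPF_TXT = {"example.org": "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8::/48 -all"}

def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for one client IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if net.version == ip.version and ip in net:
                return RESULTS[qualifier]
        elif "=" not in term:  # modifiers (redirect=, exp=) are skipped
            return "unsupported"  # a/mx/include need live DNS, out of scope here
    return "neutral"  # nothing matched and the record has no "all" term

def smtp_decision(mail_from, client_ip, txt=SPF_TXT):
    """Decide what an SPF-aware filter does with a message at MAIL FROM time."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = txt.get(domain)
    result = evaluate_spf(record, client_ip) if record else "none"
    # Assumed local policy: hard fail is rejected, softfail is quarantined.
    action = {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")
    return result, action

if __name__ == "__main__":
    print(smtp_decision("admin@example.org", "192.0.2.10"))    # real mail server
    print(smtp_decision("admin@example.org", "203.0.113.77"))  # forged sender
```
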

Profile Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4253
Credit: 2,093,452
RAC: 0
Message 8512 - Posted: 9 Jul 2008, 14:57:22 UTC
Last modified: 9 Jul 2008, 15:04:45 UTC

It appears someone is trying very hard to get our servers offline. Everything I've seen so far points towards it being a very sophisticated form of harassment.

For the past two days our network link has also been down because our ISP was receiving reports about mail-related abuse on the link. I am currently working together with the ISP to figure out exactly what is going on (since it seems there are some unclear points about the validity of the reports they've gotten).
It will take a little while to go through the logs on both their end and our end.

As a temporary solution we have moved to a different IP address and established some heavy network monitoring.
Unfortunately this is all draining an awful lot of resources - both human and system resources (the latter in form of storage spent on logging while in heavy monitoring mode).

If no conclusions can be reached today or at latest tomorrow morning I have no other choice but to take down the server until an explanation and a lasting solution can be found.

diederiks
Joined: 25 Sep 06
Posts: 26
Credit: 259,335
RAC: 0
Message 8513 - Posted: 12 Jul 2008, 11:13:53 UTC

Hi there,

I have had the same problem on a few of my websites/servers. I did resolve this problem by placing an extra anti-spam computer with open-source scan software and routing all email traffic through it. It did not finish the activity of the nasty bot, but it stopped them from emailing; after 2 weeks they finally gave up and the situation returned to normal.

Greetings Diederiks

Profile Jonathan Brier
Joined: 1 Oct 06
Posts: 3
Credit: 16,104
RAC: 0
Message 8523 - Posted: 31 Jul 2008, 18:49:30 UTC

I recently stumbled across an article in PC Mag from 2007 and it mentioned www.projecthoneypot.org which allows servers to help track and eventually eliminate bots that SPAM and crawl the Internet to SPAM.

Recently they announced the individual's way to help with this by adding some links visible only to bots on their personal web pages. I thought this may be a way for BOINC to fight SPAM and for those who read this to find out how they can help fight SPAM.

I'm not sure if this would be possible to distribute this with the server software or making a link default on the BOINC sites, but it may if possible help fight SPAM. As BOINC servers grow the more possibilities of SPAM Bots can be tracked and trapped. It may be something to look into.

Profile Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4253
Credit: 2,093,452
RAC: 0
Message 8525 - Posted: 1 Aug 2008, 7:21:15 UTC - in response to Message 8523.
Last modified: 1 Aug 2008, 7:30:12 UTC

It mentioned www.projecthoneypot.org which allows servers to help track [of] bots that SPAM and crawl the Internet to SPAM.

Thank you for bringing this site up, this is certainly an interesting idea. I'll check it out.

I'm not sure if this would be possible to distribute this with the server software or making a link default on the BOINC sites, but it may if possible help fight SPAM. As BOINC servers grow the more possibilities of SPAM Bots can be tracked and trapped. It may be something to look into.

Indeed. Already BURP is using a small custom-made script to monitor who are scraping our site. Currently this information is not used for anything but traffic control when the network link is congested. Adding honeypots and a blacklist lookup could be useful in order to get an even better view on who are legitimate users, who are scrapers and who are harvesting bots.

For the past two days our network link has also been down because our ISP was receiving reports about mail-related abuse on the link. I am currently working together with the ISP to figure out exactly what is going on (since it seems there are some unclear points about the validity of the reports they've gotten).

No news on this yet. The ISP is still working on finding out exactly why they closed our network connection (it's summer holidays here, meaning that everything is a bit slow).
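
The three-way split discussed in the post above (legitimate users, scrapers, harvesting bots), as an added example that is not BURP's monitoring script: it reads web access-log lines and labels each client by whether it fetched a hidden honeypot link or exceeded a request rate. The honeypot path, the rate threshold and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

HONEYPOT_PATH = "/contact-archive.php"  # hypothetical link hidden from human visitors
SCRAPER_THRESHOLD = 5                   # assumed limit: requests per minute per client

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (documentation IP ranges): one ordinary visitor, one
# client that follows the hidden link, one client fetching 8 profiles a minute.
SAMPLE_LOG = "\n".join(
    ['198.51.100.7 - - [01/Aug/2008:07:00:01 +0000] "GET /forum_thread.php?id=1166 HTTP/1.1" 200 5120',
     '203.0.113.9 - - [01/Aug/2008:07:00:02 +0000] "GET /view_profile.php?userid=1 HTTP/1.1" 200 900',
     '203.0.113.9 - - [01/Aug/2008:07:00:03 +0000] "GET /contact-archive.php HTTP/1.1" 200 300']
    + ['192.0.2.44 - - [01/Aug/2008:07:01:%02d +0000] "GET /view_profile.php?userid=%d HTTP/1.1" 200 900'
       % (s, 100 + s) for s in range(8)]
)

def classify_clients(log_text):
    """Return {ip: 'harvester' | 'scraper' | 'legitimate'} for an access log."""
    per_minute = defaultdict(lambda: defaultdict(int))
    trapped = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, ts, _method, url, _status = m.groups()
        per_minute[ip][ts[:17]] += 1  # bucket by "dd/Mon/yyyy:hh:mm"
        if url.split("?")[0] == HONEYPOT_PATH:
            trapped.add(ip)  # only a bot following hidden links gets here
    verdicts = {}
    for ip, minutes in per_minute.items():
        if ip in trapped:
            verdicts[ip] = "harvester"
        elif max(minutes.values()) > SCRAPER_THRESHOLD:
            verdicts[ip] = "scraper"
        else:
            verdicts[ip] = "legitimate"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_clients(SAMPLE_LOG).items()):
        print(ip, verdict)
```
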

