echo: osdebate
to: Mike N.
from: waldo kitty
date: 2007-05-25 16:25:34
subject: Re: webserver attack??

i had lost this thread and wrote most of the below in another... then i
remembered how to use this reader ;)  anyway...

Mike N.  wrote in
news:1btc13luri5atdcj3ukhn9p8suhpcqpb1t{at}4ax.com:

> On 6 Apr 2007 12:25:30 -0500, waldo kitty  wrote:
>
>>it has been suggested that maybe it is one site and that the source ips
>>are being spoofed... this is possible but i can't fathom why someone
>>would do this... maybe i've pissed off a forum spammer by blocking their
>>bots in my firewall? i dunno... i don't recall when i turned off guest
>>posting with captcha... i could probably tell by looking at the last
>>system updates post in the forum, though ;)
>
>    It's hard to tell - my guess is that it may be some sort of revenge
>    bot, but running at a low level, not intended to saturate your
>    connection.
>
>    Or , it may be just an email address harvesting bot run amok -
>    getting stuck on that URL and spread out among thousands of bot
>    hosts.
>
>    Spoofing the source IPs is very unusual these days - with all the
>    free botted hosts out there, no one bothers.

i see all too much shit (on my little server) coming from places that it
normally wouldn't and it is definitely not a human doing it... at least not
one there with a browser... i've seen more and more like my windowslinks
stuff i've written about recently... it is definitely being done by a bot
as only the html file is called (no images, scripts, counters, etc) =and=
it also appears that it is spoofing the IP addresses...

here's an example i stumbled across...

localhost - - [02/May/2007:08:42:43 -0400] "GET /windowslinks.html
HTTP/1.1" 200 12642 "-" "Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

there is absolutely _no_ way for that to be... first of all, there's no
browser on that box... second of all, it flat out cannot run MSIE... third
of all, it definitely is _not_ running windows of any kind (it
=can't=!)...

now, how can the origin of spoofed IPs be tracked back?

i'm fixing to convert that page to a php file that actively logs each and
every hit so that the possibly proxy indicators might be seen... of course,
if this is from a spammer botnet and something they wrote, they may have
even left that part out... whatever the case, the above very definitely
demonstrates that i'm being hit with spoofed IPs... it also seems to point
to the hiding of botnet traffic within "legitimate" data
streams...

it may not even be a spammer's botnet... it could be something else... i
dunno... i do have, finally, a full list of CIDRs for CHINA and KOREA and
have stuffed them in the firewall's IPBLOCK list O:)

--
       _\/
      ({at}{at})                      Waldo Kitty, Waldo's Place USA
__ooO_( )_Ooo_____________________ telnet://bbs.wpusa.dynip.com
_|_____|_____|_____|_____|_____|_____ http://www.wpusa.dynip.com
____|_____|_____|_____|_____|_____|_____ ftp://ftp.wpusa.dynip.com
_|_Eat_SPAM_to_email_me!_YUM!__|_____|_____ wkitty42 -at- alltel.net

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
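As an added detection example (not code from the post or from the author's server), the following Python parser reads log lines in the combined format quoted above and flags the two signs the thread discusses: a client field that is loopback or RFC 1918 space yet carries a browser User-Agent, and a client that fetches only the .html page and never an image, script or stylesheet. The sample lines (beyond the one quoted in the post), the LOCAL_NETS list and the browser/asset patterns are assumptions constructed here.

```python
import re
import ipaddress
from collections import defaultdict
# NCSA "combined" log format: the layout of the line quoted in the post.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]+" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
BROWSER_UA = re.compile(r'MSIE|Firefox|Chrome|Safari|Opera')
ASSET_EXT = re.compile(r'\.(gif|jpe?g|png|css|js|ico)$', re.IGNORECASE)
# Source addresses that cannot belong to an outside visitor: loopback and RFC 1918.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ('127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_local_client(host):
    """True for 'localhost' or an address inside LOCAL_NETS; other names are not checked."""
    if host == 'localhost':
        return True
    try:
        return any(ipaddress.ip_address(host) in net for net in LOCAL_NETS)
    except ValueError:
        return False

def analyse(lines):
    """Return (impossible, html_only) host sets; see the lead-in for the two criteria."""
    counts = defaultdict(lambda: [0, 0])            # host -> [html hits, asset hits]
    impossible = set()
    for rec in filter(None, map(parse_line, lines)):
        if is_local_client(rec['host']) and BROWSER_UA.search(rec['ua']):
            impossible.add(rec['host'])             # local source, browser User-Agent
        if ASSET_EXT.search(rec['path']):
            counts[rec['host']][1] += 1
        elif rec['path'].endswith('.html'):
            counts[rec['host']][0] += 1
    html_only = {h for h, (html, assets) in counts.items() if html and not assets}
    return impossible, html_only

# Constructed sample: the post's own line plus a made-up ordinary visitor (203.0.113.9 is a
# documentation-range address) that fetches the page and then one of its images.
SAMPLE_LOG = [
    'localhost - - [02/May/2007:08:42:43 -0400] "GET /windowslinks.html HTTP/1.1" 200 12642 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
    '203.0.113.9 - - [02/May/2007:08:43:10 -0400] "GET /windowslinks.html HTTP/1.1" 200 12642 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"',
    '203.0.113.9 - - [02/May/2007:08:43:11 -0400] "GET /images/header.gif HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"',
]
```

Running `analyse(SAMPLE_LOG)` reports `localhost` under both criteria and leaves the visitor that also fetched the image unflagged; pointing it at a real access log of this format is a one-line change.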

SOURCE: echomail via fidonet.ozzmosis.com
