new jokes (OR: dealing with botnet generated message board spam)

[newsjokes77]

Hello

A blonde, a brunette, and a redhead are crossing an enchanted bridge in Magical Fairyland when they run into a fairy. The fairy says that they can be granted a transformation if they jump off the bridge and call out their wish. The brunette immediately jumps off the bridge and yells "Eagle!" She turns into a beautiful bird of prey and flies away. The redhead jumps off the bridge and yells out "Salmon!" She turns into a gorgeous shimmering salmon and swims upstream to spawn. The blonde is at this point so excited that she jumps off the bridge without thinking of her wish. She panics.
"Crap!"

---

Your mama's teeth are so yellow, when she smiles the cars start to slow down.

---


Yo mama is so dumb that she was on her way to the airport and saw a sign that said “airport left.” So she turned around and went home.

---

 A frog leaps out of the magical forest where he has lived all his life and into a real forest. Since he lived in the magical forest he has magical powers. He sees a bear chasing a rabbit and thinks to himself, this isn't right, everyone should live in peace. So he stops the bear and rabbit and tells them that if they stop chasing each other he'll give them both three wishes.
The bear thinks for a second and wishes that all the rest of the bears in the forest were female. Poof, all of them are female. Next the rabbit wishes for a crash helmet. The bear looks at the rabbit wondering why he would want a crash helmet.

The bear thinks for a second making sure he makes a good second wish and wishes that all the rest of the bears in the country were female. Again -- poof -- all the rest became female. Then the rabbit wishes for a motorcycle. Now the bear steps back and looks at the rabbit in amazment. How dumb is this rabbit he thinks to himself. All he had to do was wish for money and he could buy all the motorcycles he ever wanted. This has to be the dumbest creature the bear has ever seen, he thinks to himself.

It is time for the bear's final wish and he takes a second to think and makes sure he doesn't waste it. After a minute he wishes that all the other bears in the whole world were female. And again poof they are all female.

Next the rabbit puts on his helmet and jumps on the bike. He turns around and smiles. Then he says, ''I wish that that bear is gay.''

---

Be happy


________________________
[Link removed.  See below. -Pete]

[Pete]

Boooooooooo**** booooooooo****
**** throws tomato ****

Stupid jokes, right?  Harmless, stupid jokes.  Not quite.  If you run a website, spammers may be targeting you and using your site to illicitly boost their rank in search engines.  Posts like this might seem harmless, but they can actually hurt your site's rank in search engines once these sites are identified as spam -- because your site is associated with the spammer!  In this case, the remote user probably was running a program that automatically registers and posts to internet forums like this one.  Part of the problem is that this site doesn't require new users to register to post (makes you wonder why they went through the trouble of registering -- probably because the program registered to make the post seem like a new user, less likely to be regarded as spam).

But the devil is in the details here.  In the user's signature, there was some markup instructing the bulletin board to create a link.  For example, I can create a link to a site I like:

INeedAttention.com

by using the code:

[]INeedAttention.com[]

But in this case the user inserted the code:

[download mp3]

Which of course links to the address:

music.download-madonna-mp3.com/Download-mp3.html

Go to this site and you get a message saying "This site was deleted from hosting".  Funny, because they just posted it today.  But in any event, I obviously removed the link and blocked the IP address of the spammer.  There's no future protection afforded by blocking the IP addresses here since hardcore spammers use botnets anyway (as you'll see).  In fact, these spammers are so determined that you will probably get a few posts every couple of days just by having a message board exposed to the internet!  So if you run a forum and don't give it as much care as you should, make today the day you go to it and look for strange, off-topic posts or users with strange habits.

Here's the list of accounts that were registered by the spammer, as well as the IP address & host name they were coming from, the email address they used, and some other notes about the host.

These computers all have a couple of things in common (other than that the same hacker is maliciously using them).  First note that these are probably compromised servers.  They all are overseas, also.  Two of them were running Windows Server 2003, with some services (such as Remote Desktop and IIS without an active webpage) were exposed.  A few had other services exposed, such as SMTP (obviously a spammer would prefer if the hacked computer could send emails too).  If this is all interesting to you but you don't actually want to get this hardcore about tracking the spammer down, you can just click on the IP addresses in the table below and see a Google search for these IPs.  They all show up on Google because other people, like me, identify these computers as abusive and tag them.  But is that really a solution?  No, because I keep getting spam posts (and probably always will).  If you build it they will come.  But anyway:

Username	IP (Hostname)	Email	Notes
newsjokes77	217.10.43.102 (av206-2.comex.ru)	newsjokes77@cashette.com
looqeu	200.122.132.182 (somewhere in Buenos Aires)	whoops, deleted it!	Mail and Application firewall page open on HTTP port that identifies itself as smtp.lindsay.k12.ca.us; it resolves to dotnetfitnesscenter.net (WHOIS)
Gregory124	206.78.27.231	yrtyfghvbnytu6@cashette.com	Server 2003, Remote desktop open, IIS default page
StevensonArera	218.56.144.42 (somewhere in red China)	loginmt@cashette.com
Interneoforums	66.226.75.89 (66-226-75-89.dedicated.abac.net)	loginmks@cashette.com	Server 2003, Remote desktop open
christian_co	85.141.251.51 (ppp85-141-251-51.pppoe.mtu-net.ru)	christiande2@cashette.com	Unresponsive SMTP server
Interneoforumm	66.226.75.89 (66-226-75-89.dedicated.abac.net)	loginmk@cashette.com
sentimentarin	217.147.41.147 (traceroute stopped at gate.sugardas.lt, Lithuania)	linruser25@cashette.com
Advertizer2006	12.108.203.147 (Identifies itself as server.Albion.Niewohner.com)	loginns@cashette.com	Remote desktop open
Strekotok	84.204.165.213 (definitely in Russia)	kechutkin.yulyan@mail.ru	Remote desktop open, system runs in Russian Windows XP
I-want-know	195.131.214.212 (Deutch!)	www.searchvia.net@cashette.com
viagra12	83.237.45.54 (ppp83-237-45-54.pppoe.mtu-net.ru)	dfefefwe@mail.ru	Some daemon on port 25 TCP
JiggerLova	217.172.21.99 (host99-21-172-217.starnet.ru)	jiggerlova@cashette.com	Some daemon on port 25 TCP
mr.Asertiovat	206.51.229.192 (in the US?  wow)	pavlii.genadii@mail.ru	Remote desktop open, IIS default page, another SMTP port daemon
gratis-casino	80.134.62.205 (p50863ECD.dip0.t-ipconnect.de)	gratiscasino@users.1go.dk	Unresponsive SMTP server
millaerbv	219.140.165.91 (somewhere in China)	vcv5bbv@cashette.com	Unresponsive SMTP server, running IIS 6.0 + ASP.NET, serves a WML file on port 80 with no content and a title of "MoSpace".  This domain also resolves to: 52cao.net (WHOIS) sesewa.com (WHOIS) sexwowo.com (WHOIS) waplian.com (WHOIS) - Active site waptd.com (WHOIS) - Active site xsita.net (WHOIS)
seowarez	200.63.213.2 (2.213.uio.satnet.net)	seowarez@cashette.com	Unresponsive SMTP server, open telnet & HTTP server identifies itself as "Application and Content Networking System Software 5.0.9" by Cisco
Comiss79	82.179.73.10 (73-10.umostel.ru)	comiss@cashette.com
fantalltheweb	82.114.69.130 (82.114.69.130)	cbonjourlz@yahoo.com
Fucker	70.87.87.98 (62.57.5746.static.theplanet.com)	loginr@cashette.com
getfunhere2008	61.129.102.208 (61.129.102.208)	logintr@cashette.com
viagra-shop	202.202.0.92 (202.202.0.92)	viagra@shop.de
movieanimexx	192.168.6.81 (192.168.6.81)	movieanimexx@cashette.com
Farmatseft666	87.248.173.155 (87-248-173-155.starnet.md)	meta1986@cashette.com
splitcam2008	88.152.252.29 (bzq-88-152-252-29.red.bezeqint.net)	friendsfinder@yandex.ru
mortgage_loan_s123q1	69.231.250.53 (adsl-69-231-250-53.dsl.irvnca.pacbell.net)	koryagin.abdula@mail.ru
ntprSid	206.225.145.34 (hsc-uu-ce.hearstsc.com)	logintpr@cashette.com
Dernik552	69.61.78.23 (pixelfresh.co.in)	dernik552@cashette.com

My particular favorite Google search result was found while searching for "66.226.75.89":

Hello! I offer the services on dispatch of messages on forums. My site {http://}www.interneo.ru/eng/

Email me interneo{at}list.ru

Efficiency of dispatch on forums:

the Analysis of the existing sites subjected to procedure of registration in forums,
has shown, that 1000 backlink from forums raise PR a site from 100 up to 200 units
(depending on subjects)
Reference ranging: 1000 references with key words from forums allow a site almost
precisely (naturally depending on subjects and a competition) to appear in the first five
in search system
Target visitors: for the first week your announcement will read about 25-30 person at
each forum. For all time of existence of the announcement of it will see 100-200 person
(depending on attendance of a forum).

Practice shows, that dispatch on 1000 forums gives 150 unique, interested in the promoted
goods or service of visitors every day in the first week after dispatch. Then the amount of
visitors is reduced up to 50-100 hosts in day.


Email me interneo{at}list.ru


Opportunities of posting:

• Registration at a forum with editing a profile of the user
• Dispatch on the forums supporting a guest input
• Notices on e-mail about answers at a forum or private messages
• the Opportunity of registration without posting (increases PR Google)

On the ending of dispatch you receive the report on the done work - direct references to
your announcement.

Write to me on interneo{at}list.ru

The prices for mass dispatch on forums:

2)1000 forums - $35/1000
3)4000-6000 forums - $33/1000
4)7000-9000 forums - $31/1000
5)10000-13000 forums - $30/1000
5)20000 forums and more - $20/1000

Total of Russian forums - 45.000
Amount of English-speaking forums - 70.000

Upon end of dispatch the full report - direct references to your announcement is given.

UNIQUE software for dispatch on forums - 1500$. Bypasses all protection, all is
automated!!!

Email me interneo{at}list.ru
IP : 66.226.75.89

Last updated: 6/10/2006 18:05 EDT

[D. J. Berson]

Interesting.... Its too bad the internet is teeming with this type of lowlife. I wish they would go find something productive to do with themselves.

[Sam Zeng]

I just noticed many new IDs created on my BBS running YaBB SP1.1 Gold. They didn't use regular browsers because my image counter didn't register them, and I was wondering where they came from. They haven't started posting on my BBS yet, and I have removed all the IDs. Thanks for the information. I didn't know their intention until reading this post. Looks like they use a robot program doing the same thing to many YaBB forums, so, they don't care if they need to register to post.
Here is a list of email address I collected. I didn't compare with yours but I bet they are the same list. Oh, I need also remove those IDs from .ru.

Thanks again!

Sam

Alan128.dat loginnet@cashette.com
datasheet.dat logintks@cashette.com
SuperGirl06.dat loginss@cashette.com
Grunopoter.dat loginrti@cashette.com
Diogen77.dat loginirm@cashette.com
hotelmaster1.dat travelguide@cashette.com
xtenchsoft.dat tender_net@cashette.com
Feofan_Greek_2006.dat f_greek2006@cashette.com
Mr_Jems.dat sergeevpahan2@cashette.com
Horny.dat loginiti@cashette.com
Mr_Jams.dat sergeevpahan@cashette.com
nikolaskerry.dat loginem@cashette.com
Bob555777.dat login@cashette.com
getfunhere2008.dat logintr@cashette.com
Advertizer2006.dat loginns@cashette.com
Advandarusa.dat logine@cashette.com
Trinity_Fillsen.dat loginte@cashette.com
OEMsoft69.dat logintnsn@cashette.com
Viagrocolossus.dat loginre@cashette.com
seowarez.dat seowarez@cashette.com
Exclusive69.dat exclusive69@cashette.com
Platonchik.dat loginpt@cashette.com
I-want-know.dat www.searchvia.net@cashette.com
Gaymen.dat logintt@cashette.com
newsjokes77.dat newsjokes77@cashette.com
Antonio-Siro.dat loginkks@cashette.com
Interneoforums.dat loginmks@cashette.com
InterBizz.dat loginmp@cashette.com
Gregory124.dat yrtyfghvbnytu6@cashette.com
Mr_Jam.dat logini@cashette.com
Penetrator.dat loginr@cashette.com
christian_co.dat christiande2@cashette.com

[kkey]

This was exactly as I suspected - but I am gratefull to have this confirmed.
And now back to clearing this crap off the member list - as if I didn't have plenty else to do today!
Thanks!

[kkey]

Thanks again for this info!
Here is my list, including the only IP address I was able to find:
loginmk@cashette.com   Interneoforumm
Interneoforums      loginmks@cashette.com
StevensonArera      loginmt@cashette.com
Gregory124         yrtyfghvbnytu6@cashette.com
looqeu         fsdfzeze@cashette.com
newsjokes77      newsjokes77@cashette.com
Trinity_Fillsen      loginte@cashette.com
I-want-know         www.searchvia.net@cashette.com
Viagrocolossus      loginre@cashette.com
JiggerLova         jiggerlova@cashette.com
christian_co         christiande2@cashette.com
adobewarez         adobewarez@cashette.com
seowarez         seowarez@cashette.com
Advertizer2006      loginns@cashette.com
Comiss79         comiss@cashette.com
getfunhere2008      logintr@cashette.com
movieanimexx      movieanimexx@cashette.com
nikolaskerry         loginem@cashette.com
spartankaa         rrfstfs@cashette.com
Grunopotert         loginrtip@cashette.com
Exclusive69         exclusive69@cashette.com
SuperGirl06         loginss@cashette.com
Arnorld         penkovoi-bolesla@mail.ru
Jarwin675         rnbjune15@cashette.com
Nebuchadnezzar      vezhlev-stanisla@mail.ru
splitcam2008      splitcamera@yandex.ru
RussianLolita      loginrs@cashette.com
xtenchsoft         tender_net@cashette.com
VasyaPupkinJiv      yulian-sidyuk@mail.ru
mortgage_loan_s123q1   koryagin.abdula@mail.ru
glevtinw         alevtin-udachin@inbox.ru
Antonio_Marare      hahye29323@mail.ru
mr.Asertiovat         pavlii.genadii@mail.ru
Strekotok         kechutkin.yulyan@mail.ru
Marlen_Branda72345   ndsajhdfadf@mail.ru
Pampushka         yasavii-bubnov@mail.ru
Joke9289d2         sdsjdsdsdp@mail.ru
sekopunt_pr         sekopunt_pr7674@mail.ru
prozac7674         prozac7674@inbox.ru
Lusis_Backwood      rafail.stulov@mail.ru
KrutayaMartishka      alekseenko_valya@mail.ru
Porno-Video-Free      pvf2.com@mail.ru
lloposo1odk         lloposo1odk@mail.ru
Nolionosz         Nolionosz722@mail.ru
Trisha            trisharexi@mail.ru
its_meeeeeee      its_meee@mail.ru
cdgarbage         dispro86@mail.ru
Loponosik         Loponosik72@mail.ru
Lojern999         vadim_shinkar.76@mail.ru
AlexCoppas         alexcoppa@mail.ru
TomSpenda         petruhov.hazrail@mail.ru
Piannerionist0         haris_kaperskii@mail.ru 84.204.232.244%
Information related to '84.204.232.0 - 84.204.232.255'

inetnum:        84.204.232.0 - 84.204.232.255
netname:        DSLVO323-LAN
descr:          JSC Peterstar
descr:          St.Petersburg
country:        RU
admin-c:        DTD1-RIPE
tech-c:         DTD1-RIPE
status:         ASSIGNED PA
mnt-by:         PSTAR-MNT
source:         RIPE # Filtered

role:           Data Transfer Department
address:        ZAO PeterStar
address:        Bld. 31, Line 16
address:        Vassilyevski Island
address:        199178 St.-Petersburg
address:        Russia
phone:          +7 812 329 9004
fax-no:         +7 812 329 9003
abuse-mailbox:  abuse@peterstar.net

[kkey]

This onslaught continues on a daily basis - Is there any mod or upgrade that gives more control over the registration - requiring an approval (after verifying the email) or somesuch? It is taking extreme vigilance and too much time!

tThanks in advance.

[Pete]

I think I was able to develop a solution to the bot spam, but I'll give it time and see if it works the way I expect to.  Stay tuned.

[Pete]

As I mentioned earlier, I implemented a quick fix to stop the botnet spam.  This will cause users without JavaScript to be unable to register.  Note that I don't think this is a serious issue; almost everybody surfs the web with JavaScript enabled and those that don't already have a degraded user experience.  Frankly I'd rather one person, that is surfing the web differently than everyone else, have trouble registering out of a hundred others trying to register, than have to come back to this site every day and delete messages about viagra, cialis, and porn.  Here are the changes I made to the SMF templates to achieve this.

Note the principle here is that the software used to generate botnet spam does not implement JavaScript.  It's a cat and mouse game, so eventually they probably will implement JavaScript in their bots.  Once they do, this solution won't work.  Here are the changes you need to make (pretty easy IMHO!):


Open the file ./Themes/default/Register.template.php

Find the line:

<form action="', $scripturl, '?action=register2" method="post" name="creator" onsubmit="return defaultagree();">

Replace this with:

<form action="', $scripturl, '?action=register2" method="post" name="creator" onsubmit="return defaultagree();">
<input type="hidden" name="myform" id="myform" value="no" />
<script type="text/javascript">
document.creator.myform.value = "yes";
</script>


Then in the file ./Sources/Register.php

Find the line:

if (!empty($modSettings['requireAgreement']) && (empty($_POST['regagree']) || $_POST['regagree'] == 'no'))

Replace this with:

if (!empty($modSettings['requireAgreement']) && (empty($_POST['regagree']) || $_POST['regagree'] == 'no' || $_POST['myform'] != "yes"))


Now you'll be safe for the moment from this particular network of bots.  Another one will come along again some day, though!