Blog spam scripts still running on Ubiquity Servers
In 2009 I wrote about trackback spammers using scripts they had installed on servers owned by Ubiquity Server Solutions and Nobis Technology Group. A year and a half later, they still haven't cleaned up this abuse. Every day or two I see numerous POST attempts to my blog, all of them comment or trackback spam.
I'd like to let the people installing these scripts targeting my blog know that, in my case, their efforts are futile. That is because I run a Perl-based Movable Type blog, and these spam scripts assume that the target is running on a more common, but less secure, PHP-driven blog, usually WordPress.
It appears that if one uses WordPress as their blog software, a simple POST command is sufficient to post comments or trackbacks to that blog page. Not so with Movable Type! With MT, one must visit a particular scripted page to submit a comment or a trackback. Not only must they have valid credentials to submit, but anything submitted is held until the owner of the blog approves that submission. It goes without saying that nobody in his or her right mind is going to approve spam comments or trackbacks!
I take matters one step further: I do not accept either comments or trackbacks on any of my blog articles. It says so right at the top of every page on this blog. Yes, I have the scripts installed to do comments and trackbacks, but they are disabled in the Dashboard. I can't even comment on my own posts. If the time ever comes when I feel like allowing public comments, it will only be from people holding approved credentials, and all comments would be held for moderation. Nothing would ever get posted that was in any way spammy!
This brings me back to the title of this article. A majority of the failed spam comment and trackback attempts are emanating from IP space under the control of Ubiquity Server Solutions. In the last few days I have logged several attempts coming from various IP addresses within the following CIDR ranges: 173.234.124.0/22, 173.234.172.0/22 and 173.234.184.0/22. All of these CIDRs fall within the whole 173.234.0.0/16 block assigned to Ubiquity and Nobis.
Note: This CIDR is not the only one assigned to Ubiquity Servers. They hold several other ranges.
So, they're spamming your blogs... Let's block them from your Apache-hosted websites.
If you have a blog or website hosted on a shared Apache Web Server and you are allowed to use .htaccess overrides, and are being spammed by scripts coming from IP space within the range of 173.234.0.0 - 173.234.255.255, you can deny access to every IP within that range, or to some of the more specific IP ranges listed above, by adding one of the following directives to your .htaccess file:
Note: These directives use mod_access, which almost every web hosting company allows in .htaccess.
Block all of Ubiquity's 173.234.0.0/16:
<Files *>
order deny,allow
deny from 173.234.0.0/16
</Files>
Or, for one or more individual and narrower CIDR ranges:
<Files *>
order deny,allow
deny from 173.234.124.0/22 173.234.172.0/22 173.234.184.0/22
</Files>
Or, you may want to just block individual IP addresses that are spamming your blog or guestbook:
<Files *>
order deny,allow
deny from 173.234.127.93 173.234.174.195 173.234.186.113
</Files>
The above listed IP addresses are actual addresses used to try to POST spam to my blog. They were obtained from my access logs of July 25, 2011.
Any visitor or script covered by a "deny from" directive receives a 403 Forbidden response.
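As an added example (not code from the original article), here is a short Python script that does what the author did by hand with his July 25, 2011 logs: it scans Apache combined-format access-log lines for POST requests from the three /22 ranges listed above and emits the matching "deny from" line. The log lines and request paths are constructed samples; only the client IPs are the ones quoted in the article.

```python
"""Find POST attempts from the CIDR ranges named in the article in Apache
access-log lines and build the matching `deny from` directive."""
import ipaddress
import re
from collections import Counter

# The three narrow /22 ranges the article lists.
SPAM_RANGES = [ipaddress.ip_network(c) for c in
               ("173.234.124.0/22", "173.234.172.0/22", "173.234.184.0/22")]

# Apache "combined" format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines (not real log data): the three IPs quoted in the article,
# a GET from outside the block, and a GET from 173.234.10.4 (inside the /16, outside the /22s).
SAMPLE_LOG = """\
173.234.127.93 - - [25/Jul/2011:03:14:07 -0500] "POST /blog/comments HTTP/1.1" 403 212 "-" "Mozilla/4.0"
173.234.174.195 - - [25/Jul/2011:03:15:22 -0500] "POST /blog/trackback/42 HTTP/1.1" 403 212 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Jul/2011:03:16:01 -0500] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
173.234.186.113 - - [25/Jul/2011:03:17:45 -0500] "POST /blog/comments HTTP/1.1" 403 212 "-" "Mozilla/4.0"
173.234.10.4 - - [25/Jul/2011:03:18:30 -0500] "GET /about.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def matched_range(ip: str):
    """Return the /22 from SPAM_RANGES that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in SPAM_RANGES if addr in net), None)

def flagged_posts(log_text: str) -> Counter:
    """Count POST requests per client IP that fall inside one of SPAM_RANGES."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ip, _ts, method, _path, _status = m.groups()
        if method == "POST" and matched_range(ip) is not None:
            hits[ip] += 1
    return hits

def deny_directive(ips) -> str:
    """Build the article's mod_access line, IPs sorted for a stable .htaccess diff."""
    return "deny from " + " ".join(sorted(ips, key=ipaddress.ip_address))

if __name__ == "__main__":
    posts = flagged_posts(SAMPLE_LOG)
    print(deny_directive(posts))  # -> deny from 173.234.127.93 173.234.174.195 173.234.186.113
```

On Apache 2.4 the "order"/"deny from" syntax only works when mod_access_compat is loaded; the native 2.4 form of the same block is a "Require not ip 173.234.0.0/16" line next to "Require all granted" inside a RequireAll container.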
When I investigate some of these POST spam attacks, I often find they are coming from an unconfigured website on a shared or dedicated server. Due to lax security measures, hackers are able to inject timer-operated scripts, known as cron jobs, into web spaces that are not well secured, or whose login credentials were harvested by a keylogger Trojan on the domain owner's computer. If you have patience and want to fight back, file an abuse report with the abuse department of the web hosting company. Sometimes this results in halting the spam script and educating the site owner. Other times, it leads directly to the termination of a hosting account leased by the spammer himself or herself.
You can find out where to send abuse reports by running a Whois lookup on the IP address through DomainTools.com.
PS: I have yet to find that blocking the entire 173.234.0.0/16 has blocked any actual visitors to my website (I can tell the difference). But I cannot guarantee that this won't happen to someone, somewhere, some day. ISPs are wheeling and dealing for new IP addresses all the time, as their broadband customer base grows.
If you are worried about blocking innocent visitors who might someday come from an IP that is on a blocklist (a list of blocked IP addresses or CIDRs), and if your host allows you to use mod_rewrite directives (full overrides), there is another method that may work for you. I will cover this in a forthcoming article.
In the meantime, secure your blog scripts. Make sure you are using the most current version of the blog software. Choose a hard-to-guess, non-dictionary password for the blog's admin account. Also, keep the best legitimate anti-malware program you can afford on any PCs that are used to log in to your blog or website. Scan often. You do not want to allow a keylogger to steal all of your login credentials!
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.