Evidence linking Romanian spammers to Ubiquity Servers
On July 27, 2011, I published a blog article about blog spam scripts running on Ubiquity Servers. For several days those POST attempts from Ubiquity IP space disappeared. They returned today, leading me to a most interesting discovery about the source.
Let me show you how I find information about access log spam attempts and deal with them.
In today's first blog spam attempt, an unknown visitor, with the IP address 108.62.150.52, attempted to POST a trackback comment to my Movable Type blog. If the POST was made by a real person, and if that person understood and read the English language, he or she would have read the bold notice that my blog does not accept either comments or trackbacks.
Of course, if the POST was made by a script, it would neither see that notice, nor care about it. Similarly, if the POST was being attempted by somebody in a very foreign country, in say Romania, they would not understand the text in notices I post on every page, regarding no trackbacks allowed. And from where did this POST originate? Romania!
Here then, without any ado, is the chain of evidence linking a blog spam attempt to Romania, from whence a huge amount of spam and online exploits have been traced.
108.62.150.52 - - [01/Aug/2011:12:15:40 -0600] "POST /cgi-bin/mt/mt-tb.cgi/18/trackback HTTP/1.0" 403 537 "" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
Reverse IP: 108.62.150.52.rdns.ubiquityservers.com
network:Network-Name: Secondary Assignment - Ticket ID JCE-507-49771
network:IP-Network: 108.62.150.0/24
network:IP-Network-Block: 108.62.150.0 - 108.62.150.255
network:Org-Name: Boboc, Alexandru
network:Street-Address: Calea Victoriei 91-93
network:City: Bucharest
network:State: RO
network:Postal-Code: 10012
network:Country-Code: RO
network: Tech-Contact:MAINT-26532.108.62.150.0/24
contact:Abuse-Name: Nobis Network Abuse Team
contact:Abuse-Email: [email protected]
First of all, the blog article they attempted to spam (#18) is dated April 28, 2006. It is now August 1, 2011: five and a quarter years from when that article was posted by me (and never updated). Since then I have posted hundreds of newer articles. Only a spammer tries to post comments and trackbacks in such out-of-date articles. It is one way they use to sneak spam links into blogs, hoping that the person who started that blog won't notice. This time, the spammer is using a server assigned to one Alexandru Boboc, who runs a web hosting business in Romania. They have 255 IP addresses assigned to this CIDR (Classless Inter-Domain Routing; a range of consecutive IP addresses) and I have added all of them to my Russian Blocklist, thusly:
<Files *>
# Apache 2.2 access control: evaluate deny rules first, then allow
order deny,allow
# Romanian spam range assigned to "Boboc, Alexandru" (added August 1, 2011)
deny from 108.62.150.0/24
</Files>
If you have websites hosted on Apache web servers, with shared hosting, you can block tons of badness from accessing your pages and scripts, by adding my Russian Blocklist to your .htaccess file. If you have root privileges to a Linux based web server, you can import my iptables Russian Blocklist into your Linux Firewall. People in this category would lease VPS, or dedicated servers, or would be server administrators.
How did I find all of this out? First of all, I read my raw access logs for my primary website. Using the Search function in my browser (Ctrl + F), I look for any entries beginning with this: "POST". Then, if the POST was made to my blog, and not my official contact form, by anybody other than me (I know my home IP address), I immediately trace the IP address by means of a Whois look-up. I use two websites to do these look-ups: http://cqcounter.com/whois/ - and - http://www.domaintools.com. Both are free, but supported by either advertisements or memberships. No problem: my websites are also supported by advertising, or donations from grateful users.
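The same log search, done in code rather than with Ctrl + F, as an added example that is not the author's own script: it parses Apache combined-format lines (the log line quoted above plus a few constructed entries), keeps only POSTs to the Movable Type comment and trackback scripts from IPs other than the webmaster's own, and emits the matching .htaccess deny lines for each offending /24. The webmaster's IP and the endpoint paths are assumptions.

```python
import ipaddress
import re

# Apache combined log format, i.e. the shape of the access log line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: the page's real log line plus three made-up entries
# (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
108.62.150.52 - - [01/Aug/2011:12:15:40 -0600] "POST /cgi-bin/mt/mt-tb.cgi/18/trackback HTTP/1.0" 403 537 "" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
192.0.2.10 - - [01/Aug/2011:12:16:02 -0600] "GET /index.html HTTP/1.1" 200 8123 "" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2011:12:17:44 -0600] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 403 537 "" "Mozilla/4.0"
198.51.100.5 - - [01/Aug/2011:12:18:01 -0600] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 1024 "" "Mozilla/5.0"
192.0.2.44 - - [01/Aug/2011:12:19:30 -0600] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 1024 "http://example.com/contact" "Mozilla/5.0"
"""

# Assumed: the webmaster's own home IP (the one address allowed to POST to the
# blog) and the Movable Type endpoints that should never receive a POST on a
# blog with comments and trackbacks switched off. The contact form is excluded.
OWN_IPS = {"198.51.100.5"}
BLOG_POST_PATHS = ("/cgi-bin/mt/mt-tb.cgi", "/cgi-bin/mt/mt-comments.cgi")


def find_spam_posts(log_text):
    """Return (ip, path, status) for POSTs to blog endpoints from non-owner IPs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("ip") in OWN_IPS:
            continue
        if not m.group("path").startswith(BLOG_POST_PATHS):
            continue
        hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


def deny_lines(hits):
    """Collapse offending IPs to their /24 and emit Apache 2.2 'deny from' lines."""
    nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip, _, _ in hits}
    return ["deny from %s" % net for net in sorted(nets)]


if __name__ == "__main__":
    for ip, path, status in find_spam_posts(SAMPLE_LOG):
        print("%-15s %s -> %d" % (ip, path, status))   # candidates for a Whois look-up
    print("\n".join(deny_lines(find_spam_posts(SAMPLE_LOG))))
```

Each reported IP is the one to feed into a Whois look-up before deciding whether the whole /24 belongs in the blocklist.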
A "Whois" look-up will reveal much about the owner of an IP address. Just look at the Whois info listed a few paragraphs above, where we found out that the offending IP belonging to UbiquityServers.com was assigned to a Romanian business. That information was just a tiny excerpt from what was revealed on Domain Tools.
It would appear that Ubiquity Server Solutions and Nobis Tech have some cleaning up to do. Server leasing companies should not turn a blind eye to their customers and hope that they will do nothing unlawful, or against the terms of service. They need to take a closer look at what is going on inside 108.62.150.0/24 - especially from 108.62.150.52. If one Googles the phrase "boboc alexandru spam" one of the results is a forum for tracking dedicated spam servers running from ubiquityservers.com/nobistech.net. If you go to that page you will see not just UbiquityServers.com, but also IP ranges reassigned to "Boboc, Alexandru." His name appears 21 times, between page 7 and page 8 on that website. This person, whether his name is real or an alias, is himself a spammer. He is leasing out his dedicated servers to other spammers, in Romania and Russia. This is a Romanian Spam Gang.
Interesting note: Googling the phrase "ubiquity servers spam" produces 518,000 results! Webmasters around the World are blocking their entire IP space. I am one of those webmasters. Because my website is on a shared server, I must use the .htaccess method. This results in a Server 403 response to any contact coming from any IP within the Russian (and Romanian) blocklist. Those running or managing their own servers can block them at the firewall and nobody coming from that IP space will even see that a website exists when they try to POST or view spam comments or trackbacks.
In my case, because I do not allow trackbacks (for the very reason that when I did they were ALL SPAM LINKS), I am unable to see the destination URLs being spammed, but I am fairly certain they aren't dropping by a 5+ year old article just to say hello! If I were able to decipher them I would report them to the web hosts and domain registrars from whom they received their Internet connections. This usually results in termination of those accounts within hours or days. Thus, they created a little work for me, which happily resulted in this article and a new addition to the ever-increasing Russian Blocklist.
That blocklist, in both htaccess and iptables formats, includes numerous other Countries that used to make up the USSR. It is unbelievable how much spam, hacking, exploiting, identity theft and other badness emanates from the former member States of the Soviet Union. Just search this blog for the keywords Russian and Romanian and you will see lots of articles revealing the badness coming from those sources.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.