Spambot Security Blog

Laycat and it's ilk are finally machina non grata here.

Okay, a few months ago, I had some chit-chat with the people running this service, they actually seemed to be on the up and up about it, and claimed several things, that turned out not to be true. Here's some of what I found at fault with them.

1. Their robot does NOT pay attention to robots.txt and has caused what amounts to a DoS attack on a friend's website. (Site got shut down due to excessive use spike).
2. Their registrar is also a favorite of the RBN.
3. They claim they use 3 domain names, aceleo.com, laycat.com, and kyklo.com to supposedly detect if a site is masquerading as something different to them, but this is also a lie as they also probe from many points in the dedibox.fr domain!
4. They ignore 403 FORBIDDENs and continue to slam them. More on that in a bit.
5. It fakes http: referers to seem like it's allready "in session". (Where have we seen THAT before?)
6. Their bot masquerades as a browser. (Gee, ya reckon we've seen that too perhaps?)
7. No word outside of their own that anything will come of them.

Whoo, that's a lot of black to say about anyone online, but, I got logs to share with you!

#: 263 @: Wed, 11 Mar 2009 17:47:41 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://spambotsecurity.com/

That was the first rejection, Laycat has received it's first 403. It should not continue to try to go where it's not welcome, but...

#: 264 @: Wed, 11 Mar 2009 17:57:37 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://spambotsecurity.com/advice.php

Please note, it was never allowed to access the root in the first place, but somehow, it now has a referer saying it was sent to this page from the root! (BULLS**T!) It's scraping Google or some other search for these URLs.

#: 265 @: Wed, 11 Mar 2009 19:37:11 -0600
Host: laycat.com
IP: 88.191.79.43
Score: 1
Why blocked: Exploit probe? Possibly RBN? Claims to be search engine in dev. No 3rd party info on this. Ignores robots.txt.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/about.php

It tries 2 more URLs, both giving 403s, with the reason they were blocked. Then to be crafty, they pull the ace out of their sleeve, but I was waiting for it. (Remember, ZB Block doesn't like a lot of server farms, as they usually have no business surfing other sites.)

#: 266 @: Wed, 11 Mar 2009 19:44:56 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/anti-spyware.php

THROUGH

#: 271 @: Wed, 11 Mar 2009 20:24:13 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/contact.php

And then right back into laycat, and dedibox again for 10 more connects up to:

#: 281 @: Wed, 11 Mar 2009 22:00:24 -0600
Host: sd-16074.dedibox.fr
IP: 88.191.88.79
Score: 1
Why blocked: Bothost / Server.
File: removed for security
Post:
Query:
Referer: http://www.spambotsecurity.com/
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Reconstructed URL: http://www.spambotsecurity.com/tos.php

GAWD! How stupid can a bot be? Each connection resulted in a 403, each connection ignored robots.txt, each connection did not announce itself via user agent as a search engine robot.

My thoughts on this? Well, they aren't nice. To put it blunt and succinctly, I smell a rat.

To go into detail on my thoughts, I honestly think this is the "innocent" (cough) arm of the Russian Business Network.

One of the Ruskies favorite things to do is name their network something "<something>box.tld". Well, dedibox.fr fits the mold. Why would they have a scan-only network? Because, no one ever really catches the thief casing the joint he's going to rob. It's only during the burglary that they get noticed. Problem is, the burglar is locked up on the internet (blacklisted) and is not able to snoop elsewhere. If you split your surveillance, and attack portions, no one ever expects the snoop, well, no one who isn't into security at least. I will keep investigating. And as for now I am NOT SURE this is RBN, but it feels that way, and shall be blocked in ZB Block's signature update #21.

Zap.