
Monday, July 13, 2009

A little bird told me about an aviary.com full of poopy pigeons.

"But there's one thing that makes spring complete for me,
And makes ev'ry Sunday a treat for me.

All the world seems in tune
On a spring afternoon,
When we're poisoning pigeons in the park.
Ev'ry Sunday you'll see
My sweetheart and me,
As we poison the pigeons in the park."
- Tom Lehrer

Okay, to start this story, I have to give proper credit to Amber MacArthur and her netcast on TWiT.tv. She's the little bird that told me about a big nasty pigeon ready to poop on my site, and yours, just the way tynted does. No, I have not had a chance to listen to the show, but the notes gave me all the "beef" I needed.

The pigeon's name is Aviary.com. It's another content scraper / content thief that also allows an attacker to send a malicious request to your machine, both from the AmazonAWS cloud (previously protected against) and from the newly killed pwebtech / FortressITX spamhost. Modus operandi? Same as tynt.com: content theft and acting as an unregulated proxy for hackers.

[Screenshot: aviary.com getting nailed by ZB Block.]

Here is the first screenshot I wish to share with you, after establishing that Aviary.com is operating out of multiple netblocks. What you see is a shot of the aviary.com site loading my site into their "screenshot". But, by the tests below, you can see it passes queries just fine, so any exploit out there could have been sent through them as an unregulated proxy server. The method used to send this query was http://aviary.com/http://www.spambotsecurity.com/?xtestx . As you can see, it bounced the AmazonAWS perfectly, and caught the trigger. And here is the block that it generated.

#: 6896 @: Mon, 13 Jul 2009 11:48:48 -0600
Host: ec2-174-129-94-22.compute-1.amazonaws.com
IP: 174.129.94.22
Score: 1
Why blocked: Amazon Web Services. Not an ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories. Checked for bypass.
Query: xtextx
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; Data Center; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Reconstructed URL: http:// www.spambotsecurity.com /?xtextx

[Screenshot: aviary.com getting nailed again by ZB Block.]

Yet another probe of Aviary.com after addition of the new spamhost (pwebtech/FortressITX). Please note that now it is pulling from viary.com! Viary.com is, like Aviary.com, hosted on the same ridin' dirty webhost. You can see, however, that this time it choked. But it still did actually hit my site. Here's the blocked request. Please note it is using random user agents to try to cloak itself. This is EXCEEDINGLY bad and very suspicious behavior.

#: 6899 @: Mon, 13 Jul 2009 12:32:21 -0600
Host: 65.98.13.118
IP: 65.98.13.118
Score: 2
Why blocked: pwebtech/FortressITX spam-friendly host/aviary.com unregulated proxy service. Test Trigger to test function.
Query: xtestx4
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Reconstructed URL: http:// www.spambotsecurity.com /?xtestx4

[Screenshot: aviary.com getting sent a 'you've been bad' message.]

I also used their services to send them, if they check their logs, a "you've been bad, so here's the scoop, all you get for Christmas is snowman poop!" message. And here's the logging of that hit. (It actually came before the previous image, but cemented FortressITX / pwebtech's doom.)

#: 6897 @: Mon, 13 Jul 2009 11:51:10 -0600
Host: 65.98.13.118
IP: 65.98.13.118
Score: 1
Why blocked: Test Trigger to test function.
Query: xtestx=your_site_is_an_unregulated_proxy_server_used_by_hackers_and_will_be_added_to_the_signatures_of_ZB_block
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Reconstructed URL: http:// www.spambotsecurity.com /?xtestx=your_site_is_an_unregulated_proxy_server_used_by_hackers_and_will_be_added_to_the_signatures_of_ZB_block
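
Added example (not from the original post or from ZB Block): the probes above tag each request with a trigger string in the query, so any blocked hit carrying it shows which hosts and user agents the fetching service used. This sketch parses records in the layout shown above and collects those sources; the sample records, their addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample in the field layout of the block records above, trimmed
# to the fields used here. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#: 101 @: Mon, 13 Jul 2009 11:48:48 -0600
Host: ec2-192-0-2-10.compute-1.amazonaws.com
IP: 192.0.2.10
Query: xtestx
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Data Center)

#: 102 @: Mon, 13 Jul 2009 12:32:21 -0600
Host: 198.51.100.7
IP: 198.51.100.7
Query: xtestx4
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)

#: 103 @: Mon, 13 Jul 2009 12:40:02 -0600
Host: 203.0.113.50
IP: 203.0.113.50
Query: page=2
User Agent: ExampleBrowser/1.0
"""


def parse_records(text):
    """Return one dict of 'Field: value' pairs per blank-line-separated record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in chunk.splitlines())
        records.append({k.strip(): v.strip() for k, _, v in pairs})
    return records


def canary_sources(records, prefix="xtestx"):
    """Collect the hosts and user agents behind hits whose query has the canary."""
    hits = [r for r in records if r.get("Query", "").startswith(prefix)]
    return {
        "ids": [r["#"].split()[0] for r in hits],
        "hosts": sorted({r.get("Host", "") for r in hits}),
        "agents": sorted({r.get("User Agent", "") for r in hits}),
    }


if __name__ == "__main__":
    report = canary_sources(parse_records(SAMPLE_LOG))
    print("canary hits:", report["ids"])
    print("egress hosts:", report["hosts"])
    print("distinct user agents:", len(report["agents"]))
```

More than one host or user agent behind the same trigger is the pattern described above: one service fetching from several netblocks under changing client strings.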

I would be remiss if I didn't mention IncrediBILL's Random Rants; his pages first turned me on to a good description of this kind of problem. (Also, previous logs were showing hacking attempts from tynt.com / tynted.net.)

Zap! Chasing them with an axe! 

Saturday, April 11, 2009

Blocking the *.amazonaws.com domain with ZB Block, and why.

This domain has been a continual source of content theft and hacking attempts.

Now first, I must admit that I have seen a couple good services using a *.amazonaws.com domain name, but all of the domain names are cryptic, and you just can't be sure you aren't dealing with a spoofed user client string. Now onto some finds!

Tynted
Host: ec2-67-202-60-246.compute-1.amazonaws.com
User Agent: Java/1.6.0_02

Here's the most egregious of the lot, tynt.com. This site claims straight out that it's copying the content of your site. Who da #&*%! gave them that right, especially when I claim copyright? Also, they will cause duplicate content to appear on the web, and in the eyes of google, this messes up your page rank, badly! But, that's not the worst thing...

EVEN WORSE, tynt.com / tynted.net act as a no-registration-required proxy server! This allows previously blocked hackers to come right back in and start pushing, pulling, tweaking, and investigating your site. This bad behaviour was the genesis of me blocking them. This by itself is bad, but wait, there's MORE...

REDIFF
Host: ec2-72-44-45-196.compute-1.amazonaws.com
User Agent: rdfbot/1.0 (Indian Language Web Search Engine; Rediff.com; rdfbotsupport AT rediffmailpro DOT com)

No habla hindi señor! This is actually a content scraper, and their site seemed to be in English.

SimilarPages
Host: ec2-174-129-187-47.compute-1.amazonaws.com
User Agent: SimilarPages/Nutch-1.0-dev (SimilarPages Nutch Crawler; http://www.similarpages.com; info@similarpages.com)

If this isn't saying "Hi, I'm an SEO scraper!" I don't know what it's saying. Buhbyenow. Usually Nutch is used by scrapers.

Conductor
Host: ec2-72-44-52-94.compute-1.amazonaws.com
User Agent: Caliperbot/1.0 (+http://www.conductor.com/caliperbot)

They say (here): "Perfect ads are only possible when the publisher retains 100% editorial control over content and advertising. It's possible with Conductor. If interested, first review our publisher requirements and then submit your site for review."

I say: "I never submitted my site for review, so why are you here? I use, and am happy with adsense."

They say (here): "So if you can compete with those other articles, other competitors, those other affiliates and aggregators that are in front of you - you can discover millions of dollars of revenue every year - without even taking into consideration brand value or the synergy that results when you appear on the first page in both paid and natural search."

I say: "So you're really keyword spamming SEO scum. Get lost. My site is high ranked for content, not stolen words."

***

I am sure there will be more as time goes on. The next version of ZB Block's signatures should have bypasses for the valid bots (currently under test), but for now, the AmazonAWS cloud is banned.

Zap.

UPDATE: The bypasses are in. Amazon AWS can be blocked from your site with impunity, without harming any valid search engines.

Posted by Zaphod at 2:58 PM Mountain Daylight Time
Edited on: Tuesday, June 02, 2009 3:07 PM Mountain Daylight Time
Categories: Content Thieves, Odd Bot, Scrape Bot

Wednesday, April 08, 2009

Stop Keyword Poaching - It's mutiny on your bounty!

You may notice that now ZB Block is blocking SEO keyword scrapers. You may ask just what they are, and why I am directing your site to block it. Well, I will do my best to fill you in on the scoop.

First off, no keyword scraping SEO robot ever drove traffic to YOUR site. Quite the opposite, they attempt to tear traffic away from your site. Worse, they try to do this by fooling the legitimate search engines, and they make money in the process. Even beyond this, some of these are known to feed the Russian Business Network (a giant cybercrime conglomerate). The RBN is interested in this so they can make bogus pages (especially security related) that have high page ranks, to attract those with legitimate interest away to pages with bogus scam software (like the very evil AntiVirusPro XP 2010, otherwise known as Troj/FakeXPA).

Let's use a probable hypothetical example, one that happens far too often, to describe this:

*John, an expert in the field of wonder widgets, decides to share his knowledge with the world on the best way to care for and maintain wonder widgets. He works long and hard on a site describing how to do this, and even how you can make your own wonder widget if you can't afford to buy one. His site is very informative, and well written, and the great google gods decide to give him a good page rank as an award for his hard labor.

The SEO botmasters notice his up and coming star, and decide to scrape his site for keyword content, and build a profile of his site.

Then, Gidget's Gadgets notices that their business is failing a little, and hires a SEO firm to find out why. The SEO firm compares keywords in her site, to known profiles of other sites, and finds that John's site, and wonder widgets, have a lot in common with the gadgets that Gidget sells. Not caring that they aren't the same product, and each one fills a different, but related niche, they then sell the keywords that John has, to Gidget. Gidget adds these keywords into her site, and her page rank goes up a bit on these words, and John's pagerank gets diluted.

Now John's visits drop, and people are no longer getting helped. Gidget's site gets much more traffic, but she isn't making sales, because people really want wonder widgets, and her drop in sales was due to market saturation of gadgets, not a competing site. Now no one is happy... except the SEO company that has Gidget's money.*

This sort of behavior is in the realm of keyword spamming; it helps no one. Keyword spam turns the internet into a sargassosistic morass of false leads generated by tricked search engines, which just causes more traffic overload and more confused, frustrated innocent victims.

Someday, search engines may find a way to stop this, but for now, and until the expiration of P.T. Barnum's Maxim "You can fool all of the people some of the time, some of the people all of the time, but not all of the people all of the time.", and until the invention of decent AI, keyword spam will be a threat. Your best defense is to send the SEO bots packing with something like ZB Block, while welcoming legitimate search bots with open arms.

~Zaphod

P.S. Thanks WY G&F for a title idea. To be honest, it fits!

Posted by Zaphod at 1:09 PM Mountain Daylight Time
Edited on: Friday, May 22, 2009 12:27 PM Mountain Daylight Time
Categories: Content Thieves, Scrape Bot, Spam Bot