April 29, 2007Spammer Detective: Who Is aabroppi?
Some of the log entries in the Checkbox Challenge log are obviously spammers. What about those that aren’t? What to do about them?
It all started as I was reviewing my logs on another site. I saw three attempts to join, using two different emails and three different IP addresses over three different days. The only thing in common was the user name, which was the same for all three. Why is this a spammer?
Well, for starters they tried to register using the same user name every single time: aabroppi. That in and of itself is not an indication of a spammer. But notice how the name starts with a double-a? That is fairly certain to appear high up in alphabetical order on a memberlist, right?
Their domain was created in January of 2007. That’s more than 60 days old, but still young as far as domains go. Still, not an absolute indication of a spammer. But something about them made me suspicious… so I did a google for their username. Try it, and see what you get. 
You’ll find a bunch of unrelated bulletin boards where aabroppi has joined and has no posts.
So this is – in my judgement – is a spammer. There is no reason for the same username to be used on tens or hundreds of unrelated boards. It could be someone looking for back-links, trying to get their google page ranking up. It could be that it’s a scouting mission, testing out some new method of joining boards. It could also be a sleeper… an account that is used to join a bunch of boards, only to come back later on with a bout of spamming posts.
And you’ll notice they’re not just phpBB, many of the boards where aabroppi is already a member are vBulletin. (phpBB gets a bad rap sometimes, and it bugs me since vB is just as open to hacks and spammers.) Here is a sampling of links from the first page of google results:
Maury Show board, running IPBoard, joined April 29
Real-estate board, running (no copyright), joined April 23, birthday given as Jan 18, 1960
Pueblo Chieftain, running vBulletin, joined April 24
Cellar, running vBulletin, joined April 24
vpslink, vBulletin, joined April 23
Nobody Likes Onions, vBulletin, April 24
The Movie Insider, vBulletin, April 29 (had to use google’s cache on this one)
TVgasm, vBulletin, April 23
Gearwire, vBulletin, April 24
Final Fantasy Gurus, vBulletin, April 28
CarForums.net, vBulletin, April 27, birthday given as June 13, 1976
GlobalGoldTalk, vBulletin, April 24
Are you starting to get the picture? Those links are truly a random assortment of places where this user shows up, at least from the first two pages of the google search results that I ran tonight. Where’s phpBB? 
Their domain is spell-pod and it’s a dot-com domain, if you want to go ahead and ban them before they hit you. At this point I have the Checkbox Challenge MOD installed on several different boards, and they have only showed up on one. Doesn’t matter, they’re banned from them all now. 
I would be interested to hear if aabroppi has joined any of your boards…
Comments (3)
This reminds me of the “FuntKlakow” paranoia, because on many phpBB boards a member with this name registered. Some people were like “phpBB mass-hack being prepared?”.
I personally havn’t had him join yet.
Comment by eviL3 — April 30, 2007 @ 12:11 pm
Yes, I remember that. That one never hit me, but this one has. Whether there is a mass-hack being prepared or not, there’s still no reason for this one person to join all of these different boards. And now they won’t be joining any of mine.
Comment by dave.rathbun — April 30, 2007 @ 2:54 pm
It looks like this one uses the automatic registration/manual activation approach.
It got through Spamper on the OpenID demo board yesterday, but didn’t activate until today.
Comment by damnian — May 2, 2007 @ 4:49 pm