Panama Dropped By… to Spam
I’ve been running a “honey pot” board for almost 60 days now. Tonight I took my first action against some of the spammers that are attacking. I used the iptables command to revoke access to an entire range of IP addresses… from Panama.
This range of IP addresses is responsible for:
- 105 user registrations
- 10,312 posts
That’s almost 6% of my users, and over 55% of my posts.
Where are these Panamanian spammers coming from? What sort of patterns (or “tells”) are they exhibiting?
There are three email domains used by these 105 spammers: gmail.com is by far the number one choice. Thanks, Google. Second place is gmx.us and third place is mymail-in.net. Their favorite date to register is Wednesday with 23% of the activity.
+-----------+---------------------+---------+
| Reg Day   | Daily Registrations | Percent |
+-----------+---------------------+---------+
| Wednesday |                  24 |   22.86 |
| Thursday  |                  20 |   19.05 |
| Sunday    |                  17 |   16.19 |
| Tuesday   |                  14 |   13.33 |
| Monday    |                  12 |   11.43 |
| Saturday  |                  12 |   11.43 |
| Friday    |                   6 |    5.71 |
+-----------+---------------------+---------+
They’ve been fairly steady at registering new users. They started slow and were building up on a weekly basis.
+----------+----------------------+---------+
| Reg Week | Weekly Registrations | Percent |
+----------+----------------------+---------+
| 2008-33  |                    9 |    8.57 |
| 2008-34  |                    9 |    8.57 |
| 2008-35  |                   18 |   17.14 |
| 2008-36  |                   11 |   10.48 |
| 2008-37  |                    9 |    8.57 |
| 2008-38  |                    8 |    7.62 |
| 2008-39  |                   17 |   16.19 |
| 2008-40  |                   24 |   22.86 |
+----------+----------------------+---------+
Their favorite day to post is Thursday, with Tuesday coming in second.
+-----------+-------------+---------+
| Post Day  | Daily Posts | Percent |
+-----------+-------------+---------+
| Thursday  |        1809 |   17.54 |
| Tuesday   |        1684 |   16.33 |
| Wednesday |        1636 |   15.87 |
| Saturday  |        1422 |   13.79 |
| Sunday    |        1361 |   13.20 |
| Monday    |        1243 |   12.05 |
| Friday    |        1157 |   11.22 |
+-----------+-------------+---------+
Posting activity was interesting. They started really slow with only 5 posts in their first two weeks. Then the onslaught began and ran for 3 weeks, followed by a breather, then another massive influx of posts started.
+-----------+--------------+---------+
| Post Week | Weekly Posts | Percent |
+-----------+--------------+---------+
| 2008-32   |            1 |    0.01 |
| 2008-33   |            4 |    0.04 |
| 2008-34   |         1103 |   10.70 |
| 2008-35   |         3978 |   38.58 |
| 2008-36   |         2952 |   28.63 |
| 2008-37   |           15 |    0.15 |
| 2008-38   |           10 |    0.10 |
| 2008-39   |         1138 |   11.04 |
| 2008-40   |         1111 |   10.77 |
+-----------+--------------+---------+
Are you bored yet?
I love looking at this stuff and looking for trends or patterns that I can use against future spammers. In this case I won’t be seeing any more activity from these folks as I’ve dropped all traffic from their IP range.
Which brings up the next question… are there any users that posted from Panama but didn’t register from the same IP range? What I mean is, are there users that posted from Panama but registered from somewhere else? Here is the SQL I ran to check that:
select username, user_email, count(p.post_id)
  from phpbb_posts p, phpbb_users u
 where p.poster_ip like 'c83f2a%'
   and u.user_reg_ip not like 'c83f2a%'
   and u.user_id = p.poster_id
 group by 1, 2
I got one matching row, implying that there is one poster that registered from some other IP address but still managed to post from Panama. When I investigated further it turned out that this person registered before I started capturing the IP address during registration. Their registration IP address was NULL and could not be compared.
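The same cross-check, as an added example that is not the post's own code: it loads constructed rows (not the honey pot's data) for the two phpBB tables into an in-memory SQLite database, runs the query above and its reverse (registered from the range, posted elsewhere), and decodes phpBB's hex-encoded IPv4 addresses. A registration IP that is NULL is reported as its own case, because NOT LIKE against NULL yields NULL and the row is dropped rather than matched.

```python
import sqlite3
import ipaddress

def decode_phpbb_ip(hex_ip):
    """phpBB stores IPv4 as 8 hex digits, two per octet: 'c83f2a57' -> '200.63.42.87'."""
    return str(ipaddress.IPv4Address(bytes.fromhex(hex_ip)))

# Constructed sample rows (not the post's database). User 266 mirrors the pattern described:
# registered in the range, then posted from a second address. The registration IP of
# user 300 is NULL, as for accounts created before registration IPs were captured.
USERS = [  # (user_id, username, user_email, user_reg_ip)
    (266, "spammer_a", "a@example.invalid", "c83f2a57"),
    (300, "old_user", "b@example.invalid", None),
    (302, "roamer", "d@example.invalid", "7f000001"),
]
POSTS = [  # (post_id, poster_id, poster_ip, post_time)
    (9651, 266, "c83f2a57", "2008-09-10 01:06"),
    (10063, 266, "4e6eaf0c", "2008-09-10 13:49"),
    (20000, 300, "c83f2a10", "2008-09-11 09:00"),
    (20002, 302, "c83f2a20", "2008-09-11 11:00"),
]

def cross_check(prefix="c83f2a"):
    """Return (posted in range/registered elsewhere, registered in range/posted elsewhere,
    posted in range with no registration IP on record) for one hex prefix (a /24 here)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_email TEXT, user_reg_ip TEXT);
        CREATE TABLE phpbb_posts (post_id INTEGER, poster_id INTEGER, poster_ip TEXT, post_time TEXT);
    """)
    con.executemany("INSERT INTO phpbb_users VALUES (?,?,?,?)", USERS)
    con.executemany("INSERT INTO phpbb_posts VALUES (?,?,?,?)", POSTS)
    joined = "FROM phpbb_posts p JOIN phpbb_users u ON u.user_id = p.poster_id "
    like = prefix + "%"
    posted_in = con.execute(
        "SELECT u.username, COUNT(p.post_id) " + joined +
        "WHERE p.poster_ip LIKE ? AND u.user_reg_ip NOT LIKE ? GROUP BY u.username",
        (like, like)).fetchall()
    reg_in = con.execute(
        "SELECT u.username, p.poster_ip, p.post_time " + joined +
        "WHERE u.user_reg_ip LIKE ? AND p.poster_ip NOT LIKE ? ORDER BY p.post_time",
        (like, like)).fetchall()
    # NULL NOT LIKE 'x' is NULL, so the first query silently drops users with no stored
    # registration IP; list them explicitly instead of letting them vanish.
    unknown = con.execute(
        "SELECT DISTINCT u.username " + joined +
        "WHERE p.poster_ip LIKE ? AND (u.user_reg_ip IS NULL OR u.user_reg_ip = '')",
        (like,)).fetchall()
    return posted_in, reg_in, unknown
```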
How about turning the question around 180 degrees? Are there any users that registered from Panama but posted from somewhere else? Again, I got one matching row. This time the data is much more interesting. There is one user that registered from Panama, posted from Panama, but also posted from the UK. Did they move?
If they did, they moved really really fast, because here are the values for their seven posts:
+---------+-----------+------------------+
| post_id | poster_ip | post_time        |
+---------+-----------+------------------+
|    9651 | c83f2a57  | 2008-09-10 01:06 |
|    9684 | c83f2a57  | 2008-09-10 01:51 |
|   10063 | 4e6eaf0c  | 2008-09-10 13:49 |
|   10065 | 4e6eaf0c  | 2008-09-10 13:51 |
|   10066 | 4e6eaf0c  | 2008-09-10 13:52 |
|   10067 | 4e6eaf0c  | 2008-09-10 13:53 |
|   10068 | 4e6eaf0c  | 2008-09-10 13:54 |
+---------+-----------+------------------+
Here is the timeline for all of this user's activity:
- 2008-09-09 21:53 – Register on my honey pot board from a Panamanian IP address
- 2008-09-10 01:06 – Make their first spam post a little over 3 hours later from the same IP
- 2008-09-10 13:49 – Make their third spam post from the UK … just under 13 hours from their last spam from Panama
Is that even physically possible? Just for my own personal amusement I checked American Airlines for non-stop flights from Los Angeles, California to London. I found a flight that leaves at 8:10 PM (local time CA) and arrives at 1:30 PM (local time UK). The flight is 10 hours and 20 minutes long. So… if my spammer was a real person, and there is a non-stop flight from Panama to the UK, it actually is physically possible for them to have packed up their laptop, made the trip, popped open their laptop, logged on to the Heathrow wireless network, and started spamming me again. Really. It’s possible.
Nah. I doubt it.
Yes, in this one case it does appear to be physically possible, but there’s no way I think that’s what really happened. For one thing, there would not be a flight leaving at the right time (about 2 AM central time). But I will be tracking this specific user (I’m watching you, user_id 266) and see where they post from next.
So what do I think really happened? I think that…
… I think that I will save that for my next post.


So what do I think really happened? I think that… some proxy “action” was involved
Comment by Dog Cow — October 9, 2008 @ 10:11 pm
Interesting reading!
Comment by dogs and things — October 10, 2008 @ 3:01 am