Spammer Techniques: Are You a Zombie? Part I
I will start this post with a brief recap for new visitors or for those that have not been following my phpBB2 honey pot experiment. Several months ago (August) I set up an unprotected phpBB2 board. By “unprotected” I mean I did not install any MODs to keep spammers from registering or posting on the board. I did make a few code changes:
- Log IP address on registration
- Added “nofollow” to all links
- Created a cron (scheduled) job to move all posts into a hidden forum every ten minutes
Other than those changes, the board was completely unmodified. Note that the changes made were either to capture more information (IP address on registration) or protect my domain. I posted some statistics after about a month of activity and they weren’t pretty. I posted a few bits of information about patterns that I observed in the registration data a bit later.
Where am I going next? I am going to compare the IP addresses used to register with the IP addresses used to post. There are some interesting patterns that I can share, plus I will get to talk about zombies for a bit. That’s always fun.
Posting IP != Registration IP
One of the very interesting things I noted is that a percentage of posts do not come from the same IP address that was used to register. I do realize that many people do not have a static IP address, or that they might register from home (or work) and then post from somewhere else. But this is different. Here are some numbers.
At this time I have 24119 posts and 3195 users to analyze. 22716 of the posts were made from the same IP address used by the user to register. Those posts come from 1720 of my users. I have 1356 users with zero posts. (They must have just joined to spam their web site, location, and other profile fields.) But I also have users that have posted from an IP address that is different from their registration location. That is the set of users that requires a closer look.
Some User Statistics
I have 148 users that have posted at least once from an IP address that is different from their registration IP address. The most prolific of these users has 485 posts from 62 different IP addresses!
His close cousin has 812 posts from 24 different IP addresses. Here are some of the locations for the posting IP address for the poster with 62 different locations:
- Phoenix (Arizona)
- Mumbai (India)
- New Delhi (India)
- Beijing (China)
- Rome (Italy)
- Medellín (Colombia)
- France
- Amman (Jordan)
- Bangkok (Thailand)
- …and the number one location for spammer posts was an IP address assigned to Saudi Arabia
Both of the users (user_id 20 and 21) registered from an IP address assigned to Frankfurt, Germany. They certainly get around.
These two users registered about an hour apart and so far are responsible for about 1300 posts or just over 5% of my total board traffic, erm, spam. Obviously they don’t travel around the globe (Phoenix? Rome?) just to spam my board, so how are they doing it?
Before I ask that question, I’m going to look at their posting frequency and see if I find what I expect.
Posting Frequency
I am going to start with just one of my two globe-trotting spammers and see what a day of posting activity looks like. Here is the raw data: the posting IP address as phpBB2 stores it (eight hex digits, two per octet, so it is the address itself rather than a hash) and the post time. I have sorted it by posting IP address rather than time to look for a pattern that I expect to see…
+-----------+---------------------+-------------------------+
| poster_ip | post_time           | location (where noted)  |
+-----------+---------------------+-------------------------+
| 3b5d4bd4  | 2008-08-25 03:58:48 |                         |
| 3b5fbb07  | 2008-08-25 04:04:18 |                         |
| 3b5fbb07  | 2008-08-25 04:05:51 |                         |
| 3d98dd85  | 2008-08-25 12:29:58 | Shanghai, China         |
| 3d98dd85  | 2008-08-25 12:31:01 |                         |
| 3d98dd85  | 2008-08-25 12:32:35 |                         |
| 3dea693d  | 2008-08-25 10:34:44 |                         |
| 3dea693d  | 2008-08-25 10:35:32 |                         |
| 3dea693d  | 2008-08-25 10:36:16 |                         |
| 3e954331  | 2008-08-25 01:27:38 | Riyadh, Saudi Arabia    |
| 3e954331  | 2008-08-25 01:28:20 |                         |
| 3e954331  | 2008-08-25 01:28:59 |                         |
| 3e954331  | 2008-08-25 02:39:20 |                         |
| 3e954331  | 2008-08-25 02:39:57 |                         |
| 3e954331  | 2008-08-25 02:40:32 |                         |
| 3e954331  | 2008-08-25 09:12:27 |                         |
| 3e954331  | 2008-08-25 09:13:07 |                         |
| 3e954331  | 2008-08-25 09:13:41 |                         |
| 3e954331  | 2008-08-25 15:13:22 |                         |
| 3e954331  | 2008-08-25 15:14:07 |                         |
| 3e954331  | 2008-08-25 15:14:44 |                         |
| 3e954331  | 2008-08-25 19:30:41 |                         |
| 3e954331  | 2008-08-25 19:31:29 |                         |
| 3e954331  | 2008-08-25 19:32:02 |                         |
| 455dfa4a  | 2008-08-25 09:54:50 | Houston, Texas, USA     |
| 455dfa4a  | 2008-08-25 09:56:05 |                         |
| 455dfa4a  | 2008-08-25 09:56:53 |                         |
| 50537102  | 2008-08-25 05:52:31 | Germany                 |
| 50537102  | 2008-08-25 05:53:03 |                         |
| 50537102  | 2008-08-25 05:53:30 |                         |
| 5995fddf  | 2008-08-25 00:10:47 | Germany                 |
| 5995fddf  | 2008-08-25 00:11:12 |                         |
| 5995fddf  | 2008-08-25 00:11:37 |                         |
| 5995fddf  | 2008-08-25 05:14:38 |                         |
| 5995fddf  | 2008-08-25 05:15:05 |                         |
| 5995fddf  | 2008-08-25 05:15:30 |                         |
| 5995fddf  | 2008-08-25 18:28:24 |                         |
| 5995fddf  | 2008-08-25 18:28:51 |                         |
| 5995fddf  | 2008-08-25 18:29:16 |                         |
| 5995fddf  | 2008-08-25 22:58:15 |                         |
| 5995fddf  | 2008-08-25 22:58:40 |                         |
| 5995fddf  | 2008-08-25 22:59:04 |                         |
| 76afff0a  | 2008-08-25 17:59:16 | Bangkok, Thailand       |
| 76afff0a  | 2008-08-25 17:59:53 |                         |
| 76afff0a  | 2008-08-25 18:00:25 |                         |
| 7d1f9129  | 2008-08-25 11:13:22 |                         |
| ca46cd16  | 2008-08-25 08:35:22 |                         |
| ca46cd16  | 2008-08-25 08:36:16 |                         |
| cf9d7482  | 2008-08-25 06:36:41 |                         |
| d2134756  | 2008-08-25 17:34:17 |                         |
| d2330c3a  | 2008-08-25 16:21:39 |                         |
| d2330c3a  | 2008-08-25 16:22:25 |                         |
| d2330c3a  | 2008-08-25 16:23:02 |                         |
| db8974ce  | 2008-08-25 21:50:58 |                         |
| db8974ce  | 2008-08-25 21:51:38 |                         |
| db8974ce  | 2008-08-25 21:52:25 |                         |
| dd05b604  | 2008-08-25 11:50:25 |                         |
| dd05b604  | 2008-08-25 11:51:32 |                         |
| dd05b604  | 2008-08-25 11:55:57 |                         |
| dd0bac5b  | 2008-08-25 00:49:24 |                         |
+-----------+---------------------+-------------------------+
So there is the data. I have included the country lookups for a few of the IP addresses just to show the geographical diversity, but that is not the pattern I was looking for. What I wanted to see was the posting intervals for individual IP addresses. Based on my suspicions, I expected that within a single IP address the posts would arrive in small batches. Sure enough, they do, as shown here if I focus on one specific IP address from Germany:
+-----------+---------------------+------------+
| poster_ip | post_time           | interval   |
+-----------+---------------------+------------+
| 5995fddf  | 2008-08-25 00:10:47 |            |
| 5995fddf  | 2008-08-25 00:11:12 | 25 seconds |
| 5995fddf  | 2008-08-25 00:11:37 | 25 seconds |
| 5995fddf  | 2008-08-25 05:14:38 |            |
| 5995fddf  | 2008-08-25 05:15:05 | 27 seconds |
| 5995fddf  | 2008-08-25 05:15:30 | 25 seconds |
| 5995fddf  | 2008-08-25 18:28:24 |            |
| 5995fddf  | 2008-08-25 18:28:51 | 27 seconds |
| 5995fddf  | 2008-08-25 18:29:16 | 25 seconds |
| 5995fddf  | 2008-08-25 22:58:15 |            |
| 5995fddf  | 2008-08-25 22:58:40 | 25 seconds |
| 5995fddf  | 2008-08-25 22:59:04 | 24 seconds |
+-----------+---------------------+------------+
The first batch of posts came in a few minutes after midnight. The next batch at 5:15 am. A third batch at 18:28 (6:28 pm) and the last batch for the day at almost 11 pm. The same sort of pattern is repeated throughout the data. Each batch – in this case – contains three posts before that IP goes quiet again for some period of time. I have included the interval between posts within each batch. Notice how nice and regular it is? That’s not human behavior, that’s a posting bot.
For the record, the default value for posting flood control in phpBB2 is 15 seconds, and the 24 to 27 second spacing inside the batches above clears that limit with room to spare. I think in a few days I am going to change my posting flood limit to 45 seconds and see what happens to the posting volume on my honey pot.
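The batch-and-interval analysis above, and the question of what a 45 second flood limit would do to it, can be run as a script rather than by eye. The following is an added example written for this page, not code from phpBB2 or from the honey pot itself. It takes the 5995fddf and 3e954331 rows from the table above (copied as a constructed sample), decodes the poster_ip the way phpBB2's encode_ip() built it (two hex digits per octet), splits each IP's posts into batches separated by silence, and reports how regular the cadence inside a batch is. The batch gap, the regularity threshold and the assumption that phpBB2's flood check is keyed on the last post from the same poster_ip (my reading of posting.php; a modified board may differ) are mine.

```python
"""Cadence analysis of one poster's phpBB2 post rows: decode the hex
poster_ip, split each IP's posts into batches, measure how regular the
interval inside a batch is, and replay the rows through a flood check.
Added example; thresholds BATCH_GAP and MAX_CV are my choices."""
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: rows copied from the post table above ("ip|post_time").
SAMPLE_ROWS = """\
3e954331|2008-08-25 01:27:38
3e954331|2008-08-25 01:28:20
3e954331|2008-08-25 01:28:59
3e954331|2008-08-25 02:39:20
3e954331|2008-08-25 02:39:57
3e954331|2008-08-25 02:40:32
3e954331|2008-08-25 09:12:27
3e954331|2008-08-25 09:13:07
3e954331|2008-08-25 09:13:41
3e954331|2008-08-25 15:13:22
3e954331|2008-08-25 15:14:07
3e954331|2008-08-25 15:14:44
3e954331|2008-08-25 19:30:41
3e954331|2008-08-25 19:31:29
3e954331|2008-08-25 19:32:02
5995fddf|2008-08-25 00:10:47
5995fddf|2008-08-25 00:11:12
5995fddf|2008-08-25 00:11:37
5995fddf|2008-08-25 05:14:38
5995fddf|2008-08-25 05:15:05
5995fddf|2008-08-25 05:15:30
5995fddf|2008-08-25 18:28:24
5995fddf|2008-08-25 18:28:51
5995fddf|2008-08-25 18:29:16
5995fddf|2008-08-25 22:58:15
5995fddf|2008-08-25 22:58:40
5995fddf|2008-08-25 22:59:04
"""

BATCH_GAP = 300      # seconds of silence that ends a batch (my choice)
MAX_CV = 0.25        # std/mean of intra-batch gaps below this looks scripted (my choice)
FLOOD_DEFAULT = 15   # phpBB2 default flood_interval, as the post states


def decode_ip(hex_ip: str) -> str:
    """Reverse phpBB2's encode_ip(): two hex digits per octet, e.g. 5995fddf -> 89.149.253.223."""
    if len(hex_ip) != 8:
        raise ValueError(f"not an 8-char phpBB2 poster_ip: {hex_ip!r}")
    return ".".join(str(int(hex_ip[i:i + 2], 16)) for i in range(0, 8, 2))


def parse_rows(text: str) -> dict[str, list[datetime]]:
    """Group post times by poster_ip, sorted by time within each IP."""
    by_ip: dict[str, list[datetime]] = {}
    for line in text.strip().splitlines():
        ip, stamp = line.split("|")
        by_ip.setdefault(ip, []).append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    return {ip: sorted(times) for ip, times in by_ip.items()}


def split_batches(times: list[datetime], gap: int = BATCH_GAP) -> list[list[datetime]]:
    """A new batch starts whenever the silence before a post exceeds `gap` seconds."""
    batches: list[list[datetime]] = []
    for t in times:
        if batches and (t - batches[-1][-1]).total_seconds() <= gap:
            batches[-1].append(t)
        else:
            batches.append([t])
    return batches


def intra_batch_intervals(batches: list[list[datetime]]) -> list[int]:
    """Seconds between consecutive posts inside each batch, flattened across batches."""
    return [int((b[i] - b[i - 1]).total_seconds()) for b in batches for i in range(1, len(b))]


def cadence(times: list[datetime]) -> dict:
    """Batch count, batch sizes, intra-batch gaps and a regularity verdict for one IP."""
    batches = split_batches(times)
    gaps = intra_batch_intervals(batches)
    cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else None
    return {
        "batches": len(batches),
        "batch_sizes": [len(b) for b in batches],
        "intervals": gaps,
        "cv": cv,
        # Equal-sized batches at a steady interval: a script, not a person.
        "scripted": cv is not None and cv < MAX_CV and len({len(b) for b in batches}) == 1,
    }


def simulate_flood_control(by_ip: dict[str, list[datetime]], limit: int) -> tuple[int, int]:
    """Replay posts through a per-IP flood check (phpBB2 compares against the last
    post from the same poster_ip; assumption). A blocked post is never stored, so
    the next one is measured against the last *accepted* post. Returns (accepted, blocked)."""
    accepted = blocked = 0
    for times in by_ip.values():
        last = None
        for t in times:
            if last is not None and (t - last).total_seconds() < limit:
                blocked += 1
            else:
                accepted += 1
                last = t
    return accepted, blocked


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for ip, times in rows.items():
        c = cadence(times)
        print(f"{ip} ({decode_ip(ip)}): {c['batch_sizes']} posts/batch, gaps {c['intervals']}, "
              f"cv={c['cv']:.2f}, scripted={c['scripted']}")
    for limit in (FLOOD_DEFAULT, 45):
        print(f"flood_interval={limit}s -> (accepted, blocked) = {simulate_flood_control(rows, limit)}")
```

Two things fall out of running it. The German address posts in batches of three at 24 to 27 seconds (coefficient of variation under 0.05); the Saudi address is looser at 33 to 48 seconds but still batches of exactly three, so it trips the same verdict. And a 45 second flood limit does not stop the batches: the second post in each batch is refused, but the third lands 50 or so seconds after the first and goes through, so only a third of this sample is blocked. Since the bot spreads batches across many addresses anyway, a per-IP flood limit only ever sees one batch at a time.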
Zombie Computers
It’s rather convenient that this post is coming out right now, as it is getting close to the Halloween holiday. Why is this appropriate? Because I think I am dealing with a bunch of zombies.
The behavior exhibited by my spammer friends is exactly what I would expect to see from a batch of zombie computers, and I will explain more in my next post in this series which is coming out in a few days.
Related Links
- Whois Database used to look up IP address information
- And just for fun, Wikipedia on Halloween


Hi Dave,
Another nice post, I like your analytical approach, you do seem to find the important points.
Lookin’ forward to the next post…
Comment by dogs and things — October 30, 2008 @ 2:55 am
I liked the zombie animation. That was the best part of it all.
Comment by Dog Cow — October 30, 2008 @ 10:52 am
I should have credited the source for the smiley with a link.
I will fix that now:
http://www.sml-world.com/
Comment by Dave Rathbun — October 30, 2008 @ 2:51 pm
So, I think I see a potential solution… and that is to prevent users from posting from insanely different IP addresses: either range-wise, or geo-location-wise.
Comment by Dog Cow — October 30, 2008 @ 6:24 pm
It’s an interesting idea, but it would catch some legitimate users.
For example, I have personally posted on my board from all four time zones in the US. I have also posted from London and Berlin. I don’t think I posted from Moscow while I was there, but I might have. Altogether I have posted from 234 different IP addresses in six+ years. If I drop the last octet of the IP address (so I only count 0.0.0.x as unique) the number only drops to 216. If I drop the last two octets I still have posted from 123 different IP ranges. Even checking only the first octet I have posted from 41 completely different locations.
And I have users that travel even more than I do. Here is a list of the first octet of any IP address that I have posted from:
Comment by Dave Rathbun — October 31, 2008 @ 8:45 am
Ok, well here’s the rest of my idea which popped into my brain after I had clicked Submit yesterday:
A minimum post count, or minimum registration period! Everyone loves those! Where the first post you make, you have to make 10 more posts in that range before you can globe hop, else the first post you make, you have to wait X amount of days before you can globe-hop.
Comment by Dog Cow — October 31, 2008 @ 11:19 am
That is an interesting thought!
/me goes off to run some queries…
Comment by Dave Rathbun — October 31, 2008 @ 11:45 am
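The rule Dog Cow sketches in the comments (earn the right to "globe-hop" with a minimum post count from your first range, or a minimum account age) can be prototyped quickly, and so can the distinct-range count Dave does by dropping trailing octets. The following is an added example, not code from phpBB2 or from either commenter. The /16 "range" width, the thresholds of 10 posts or 30 days, and the three sample accounts (built on documentation IP ranges) are my assumptions.

```python
"""Prototype of the "earn the right to globe-hop" rule from the comments: a user
may post from an IP range other than the one their first post came from only
after MIN_POSTS posts from that first range, or once the account is MIN_AGE old.
Added example; prefix width, thresholds and sample accounts are my assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_network

MIN_POSTS = 10                 # posts required from the first range before roaming
MIN_AGE = timedelta(days=30)   # or: account age after which roaming is allowed anyway
PREFIX = 16                    # "range" = same first two octets (a /16)


def prefix_of(ip: str, prefix: int = PREFIX) -> str:
    """Collapse an address to its /prefix network, e.g. 192.0.2.10 -> 192.0.0.0/16."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def distinct_ranges(ips, prefix: int) -> int:
    """How many different /prefix networks a list of addresses spans
    (the count Dave does by dropping trailing octets in his comment)."""
    return len({prefix_of(ip, prefix) for ip in ips})


@dataclass
class Account:
    registered: datetime
    posts: list = field(default_factory=list)   # [(datetime, dotted-quad ip)]


def may_post(acct: Account, now: datetime, ip: str) -> tuple[bool, str]:
    """Decide whether a post from `ip` at `now` is allowed; returns (allowed, reason)."""
    if not acct.posts:
        return True, "first post sets the home range"
    home = prefix_of(acct.posts[0][1])
    if prefix_of(ip) == home:
        return True, "same range as first post"
    home_posts = sum(1 for _, p in acct.posts if prefix_of(p) == home)
    if home_posts >= MIN_POSTS:
        return True, f"{home_posts} posts from {home} already"
    if now - acct.registered >= MIN_AGE:
        return True, "account old enough to roam"
    return False, f"new range {prefix_of(ip)} with only {home_posts} posts from {home}"


def record(acct: Account, now: datetime, ip: str) -> bool:
    """Apply the check and store the post if it passes; returns the decision."""
    ok, _ = may_post(acct, now, ip)
    if ok:
        acct.posts.append((now, ip))
    return ok


# Constructed sample accounts on documentation IP ranges (not real visitors).
T0 = datetime(2008, 8, 25, 0, 0, 0)
ATTEMPT = T0 + timedelta(hours=1)   # when each sample account tries a new range


def fresh_spammer() -> Account:
    """Registered an hour before T0, three quick posts from one range, then hopping."""
    a = Account(registered=T0 - timedelta(hours=1))
    for m in (10, 11, 12):
        record(a, T0 + timedelta(minutes=m), "192.0.2.10")
    return a


def seasoned_traveller() -> Account:
    """Months old with a dozen posts from home before posting abroad."""
    a = Account(registered=T0 - timedelta(days=200))
    for d in range(12):
        record(a, T0 - timedelta(days=100 - d), f"192.0.2.{20 + d}")
    return a


def quiet_old_account() -> Account:
    """Registered 90 days ago, only two posts, but old enough to roam."""
    a = Account(registered=T0 - timedelta(days=90))
    record(a, T0 - timedelta(days=80), "192.0.2.50")
    record(a, T0 - timedelta(days=70), "192.0.2.51")
    return a


if __name__ == "__main__":
    samples = [("spammer", fresh_spammer()), ("traveller", seasoned_traveller()),
               ("old account", quiet_old_account())]
    for name, acct in samples:
        print(f"{name}: {may_post(acct, ATTEMPT, '198.51.100.7')}")
```

The two spammer accounts described in the post, registered an hour apart and posting from dozens of countries within days, would be refused on their first hop; Dave's own 41 first-octet history passes because the posts from the home range accumulate long before the first trip. The weak spot is obvious from the code: a bot that makes ten posts from its registration address first, or simply registers and waits a month, walks through, so this is a speed bump rather than a wall.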