May 10, 2004

Spammers doing it by hand....

Host: 203.115.12.41
Url: /blog/archives/001245.html
Http Code : 200

Date: May 10 19:42:06
Http Version: HTTP/1.0"
Size in Bytes: 10375

Referer: http://www.cleverhack.com/blog/archives/001245.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

------------------------------------------------------------------------------

Host: 64.124.222.172
Url: /blog/archives/001245.html
Http Code : 200

Date: May 10 19:41:49
Http Version: HTTP/1.1"
Size in Bytes: 8505

-----------------------------------------------------------------------------

Host: 217.117.14.167
Url: /blog/archives/001258.html
Http Code : 200

Date: May 10 19:41:45
Http Version: HTTP/1.0"
Size in Bytes: 9985

Referer: http://www.cleverhack.com/blog/archives/001258.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

What you see above are three entries from my logs. Two are comment spams and the middle entry, sans user agent info, is what I think is a probe. (My "recent visitors listing" only shows the last page someone requested.) You see, yesterday, I renamed my mt-comments.cgi file to something more prosaic in hopes of killing off the automated comment spam. As you can see, that move lasted all of 24 hours, with the spammers apparently probing (the WHOIS for the probe machine) to find out the new filename.

Anyway, renaming mt-comments.cgi doesn't work. And aside from IP banning the client machines posting the comment, I can't think of anything more creative to do at the moment.

Posted by joy at May 10, 2004 08:31 PM
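A log-triage sketch for the three entries above, added here as an example and not part of the original post: it parses the visitor-listing record format and flags the traits those entries show. The function names and the three heuristics (no agent and no referer, referer pointing at the requested page itself, one agent string shared by several hosts) are assumptions made for this example, and each is a weak signal on its own.

```python
import re
from collections import defaultdict

# The post's three records (Host/Url/Date/Referer/Agent fields only).
SAMPLE = """\
Host: 203.115.12.41
Url: /blog/archives/001245.html
Date: May 10 19:42:06
Referer: http://www.cleverhack.com/blog/archives/001245.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
-----
Host: 64.124.222.172
Url: /blog/archives/001245.html
Date: May 10 19:41:49
-----
Host: 217.117.14.167
Url: /blog/archives/001258.html
Date: May 10 19:41:45
Referer: http://www.cleverhack.com/blog/archives/001258.html
Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
"""

def parse_records(text):
    """Split on dashed separator lines; each 'Key: value' line is a field."""
    records = []
    for chunk in re.split(r"^-{3,}\s*$", text, flags=re.M):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                rec[key.strip().lower()] = value.strip()
        if "host" in rec and "url" in rec:
            records.append(rec)
    return records

def triage(records):
    """Return {host: [reasons]}; the heuristics are assumptions, not proof."""
    hosts_by_agent = defaultdict(set)
    for r in records:
        if "agent" in r:
            hosts_by_agent[r["agent"]].add(r["host"])
    flags = defaultdict(list)
    for r in records:
        if "agent" not in r and "referer" not in r:
            flags[r["host"]].append("no-agent-no-referer")
        if r.get("referer", "").endswith(r["url"]):
            flags[r["host"]].append("self-referer")
        if len(hosts_by_agent.get(r.get("agent"), ())) > 1:
            flags[r["host"]].append("shared-agent")
    return dict(flags)
```

Calling `triage(parse_records(SAMPLE))` marks the middle host as the agent-less request and the other two as sharing one agent string across different addresses.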
Comments

You can always do this, if you don't want to move to a different comment engine entirely: http://trikuare.cx/mt/archives/000410.php

It doesn't even require moving to PHP, though it's helpful to (since then you're not stuck with a static, easily-discovered key per page).

Posted by: fluffy at May 11, 2004 12:25 PM

Even just using the single-static-key version of fluffy's method cuts down on comment spam dramatically. I've only had a couple of spams get through, and both of those were one-shot affairs and may have been by-hand.

Posted by: Paul Kuliniewicz at May 12, 2004 04:43 PM