
Extra Fields in Trackback Spam

One of my blogs just caught a spammer from 69.31.80.66 trying to submit trackbacks to the blog, with extra fields in the “Name” field.

Gen Drebery’,’deber@gmail.com’,”,’63.2.12.45′,’2008-01-25 13:43:30′,’2008-01-25 13:43:30′,”,’0′,’Internet Explorer’,’comment’,’0′,’0′),(’0′, ”, ”, ”, ”, ‘2008-01-26 13:43:30′, ‘2008-01-26 13:43:30′, ”, ’spam’, ”, ‘comment’, ‘0′,’0′ ) /*

The web server logs showed he was trying to hit a specific post, then tried to hit the first post. Could this be an attempt to fingerprint my blog?

69.31.80.66 - - [25/Jan/2008:08:43:28 -0500] "POST /2006/10/30/post-slug-here/wp-trackback.php HTTP/1.0" 404 19104 "-" "Python-urllib/1.17"
69.31.80.66 - - [25/Jan/2008:08:43:28 -0500] "POST /2006/10/30/wp-trackback.php HTTP/1.0" 404 19123 "-" "Python-urllib/1.17"
69.31.80.66 - - [25/Jan/2008:08:43:28 -0500] "POST /2006/10/wp-trackback.php HTTP/1.0" 404 19104 "-" "Python-urllib/1.17"
69.31.80.66 - - [25/Jan/2008:08:43:29 -0500] "POST /2006/wp-trackback.php HTTP/1.0" 404 19104 "-" "Python-urllib/1.17"
69.31.80.66 - - [25/Jan/2008:08:43:29 -0500] "POST /wp-trackback.php HTTP/1.0" 200 135 "-" "Python-urllib/1.17"
69.31.80.66 - - [25/Jan/2008:08:43:29 -0500] "GET /wp-trackback.php?p=1 HTTP/1.0" 302 - "-" "Python-urllib/1.17"
69.31.80.66 - - [25/Jan/2008:08:43:30 -0500] "GET /wp-login.php?action=logout HTTP/1.0" 302 - "-" "Python-urllib/1.17"
69.31.80.66 - - [25/Jan/2008:08:43:30 -0500] "POST /wp-trackback.php?p=1 HTTP/1.0" 200 78 "-" "Python-urllib/1.17"
69.31.80.66 - - [25/Jan/2008:08:43:31 -0500] "POST /wp-trackback.php?p=1 HTTP/1.0" 500 600 "-" "Python-urllib/1.17"
69.31.80.66 - - [25/Jan/2008:08:43:31 -0500] "POST /wp-trackback.php?p=1 HTTP/1.0" 500 600 "-" "Python-urllib/1.17"
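
A log check for the pattern in the entries above, as an added example that is not part of the original post: it groups POSTs to wp-trackback.php by client address and reports any client that tried the endpoint under several different paths. The function name, the `min_paths` threshold and the user-agent pattern are assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format; only the fields used below are captured.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCRIPTED_UA = re.compile(r"urllib|libwww", re.I)  # assumed pattern list, extend as needed

def find_trackback_probes(lines, min_paths=3):
    """Flag clients that POST to wp-trackback.php under several different paths."""
    seen = defaultdict(lambda: {"paths": [], "statuses": [], "agents": set()})
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]          # ignore the ?p= query string
        if not path.endswith("/wp-trackback.php"):
            continue
        rec = seen[m["ip"]]
        if path not in rec["paths"]:
            rec["paths"].append(path)
        rec["statuses"].append(int(m["status"]))
        rec["agents"].add(m["ua"])
    return {
        ip: {"paths": rec["paths"],
             "not_found": rec["statuses"].count(404),
             "server_errors": sum(s >= 500 for s in rec["statuses"]),
             "scripted_agent": any(SCRIPTED_UA.search(a) for a in rec["agents"])}
        for ip, rec in seen.items() if len(rec["paths"]) >= min_paths
    }

# Lines taken from the log above, written with plain ASCII quotes and hyphens,
# plus one constructed entry from a documentation address that must not be flagged.
SAMPLE = [
    '69.31.80.66 - - [25/Jan/2008:08:43:28 -0500] "POST /2006/10/30/post-slug-here/wp-trackback.php HTTP/1.0" 404 19104 "-" "Python-urllib/1.17"',
    '69.31.80.66 - - [25/Jan/2008:08:43:28 -0500] "POST /2006/10/30/wp-trackback.php HTTP/1.0" 404 19123 "-" "Python-urllib/1.17"',
    '69.31.80.66 - - [25/Jan/2008:08:43:28 -0500] "POST /2006/10/wp-trackback.php HTTP/1.0" 404 19104 "-" "Python-urllib/1.17"',
    '69.31.80.66 - - [25/Jan/2008:08:43:29 -0500] "POST /2006/wp-trackback.php HTTP/1.0" 404 19104 "-" "Python-urllib/1.17"',
    '69.31.80.66 - - [25/Jan/2008:08:43:29 -0500] "POST /wp-trackback.php HTTP/1.0" 200 135 "-" "Python-urllib/1.17"',
    '69.31.80.66 - - [25/Jan/2008:08:43:29 -0500] "GET /wp-trackback.php?p=1 HTTP/1.0" 302 - "-" "Python-urllib/1.17"',
    '69.31.80.66 - - [25/Jan/2008:08:43:31 -0500] "POST /wp-trackback.php?p=1 HTTP/1.0" 500 600 "-" "Python-urllib/1.17"',
    '192.0.2.10 - - [25/Jan/2008:08:50:02 -0500] "POST /wp-trackback.php?p=12 HTTP/1.0" 200 78 "-" "ExampleBlog/1.0"',
]

if __name__ == "__main__":
    for ip, info in find_trackback_probes(SAMPLE).items():
        print(ip, info)
```
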

3 Comments

  1. I would strongly suggest that you block user agents containing urllib and other HTTP libraries.

  2. I’m getting to the point of getting a lot more aggressive in blocking. I do use wget and other command line functions on my own sites though, so I need to create my own user-agent for when I use those tools. You have a lot of great info on your site Johann.

  3. Johann says:

    Thanks Mike. I don’t see much abuse coming from wget and I use it myself for backup purposes.