Tracking the bad guys


I'm looking at a different problem, spam-over-http. Here's one event, 406
inserts of the URL from a single attack node in a
weblog. The insert times and numbers of inserts/minute are below.

07:17 1
09:22 4
09:23 45
09:24 30
09:25 32
09:26 38
09:27 22
09:28 24
09:29 8
09:30 20
09:31 14
09:32 32
09:33 31
09:34 32
09:35 22
09:36 34
09:37 17

The targeted site (my wife's political weblog) is provisioned at 128kb/s,
on a dual-processor 1GHz PIII running Freebsd 5.2.1, so the rate limiting
factor is b/w, and the upper-bound on the number of writes is the number
of posts with "open" comments.

The attack node is (IUnet, Italy dhcp-spam-swamp).

The Afilias whois data for is redily available, the
salient points are:
        a. the registrant Jerry Buckheimer claims domicile in American Samoa,
        and is the tech-c and admin-c,
        b. the registrar is Wild West Domains [R213-LRMS],
        c. the nameservers are ns{1,2}, [67.15.0.{62,191}]
          The registrant Tunahan Korkmaz claims domicile in Turkey.
          These servers are in the address block [CIDR:]
          allocated by ARIN to Everyones Internet of Houston TX, and
          the registrar is (also tech-c).

As a class (I've got more, I'm sure everyone who hosts blogs has too), the
attack node(s) are not interesting. Some blogware vendors offer the bandaide
of ip address (/32) blocking, and "wait" times between comments to foil robo
insertion engines, and so on. More interesting is the benefitting URL, and
the NS and registration providers that provide the persistant infrastructure
for this form of theft-of-advertizing.

The economics of the registration and ns/webhosting business are not so
different from the access-isp market, leading to the abuse-desk-vacant
syndrome, or worse -- I've got three complaints of this size or larger out
to my competitors and they are taking the fill-in-the-web-form approach to

Other folks with data, or insight, drop me a line. I'll summarize.