[conspire] Web spam and yandex forms

Rick Moen rick at linuxmafia.com
Tue Dec 7 17:42:27 PST 2021


Quoting Akkana Peck (akkana at shallowsky.com):

> I'm having a security issue with a website I run, and I'm hoping
> some of the security experts here might be able to help me
> understand what's happening.

I concur with Ivan.  Add some sort of CAPTCHA, or just a check that asks
the answer to a simple arithmetic or word-problem question.

The fact of the matter is that ports 80/tcp and 443/tcp, along with an
astonishing variety of others, on all publicly exposed IPs, are being
blanketed 24x7 with rather dumb "comment spam", seeking anything that
can be induced to record junk or (better) reflect and retransmit junk to
others.

Any Web page that has a publicly reachable form is getting blitzed with
that garbage.  Weeding it out doesn't scale.  You need something that
prevents its registration by requiring exercise of per-site intelligent
problem-solving.  Otherwise, you end up getting personally DoSed.

Some years ago, I cast my attention around, for a while, seeking an
open-source, simple-HTML-or-similar implementation of a widget that
could be added to arbitrary HTML "form" (method = GET or POST) pages
defining, asking, and checking the answer to a simple arithmetic or word
problem, that could be written in a site-specific way, e.g., "What was
Faye W. Moen's given name?"[1], which would need to be correctly solved
before the form data was accepted at all.  The idea would be to ask a
dead-simple question that, sure, certainly could be scripted by the bad
guys, but they're astronomically unlikely to do that separately for
_each_ of innumerable Web sites.  Plus, you could change it as often as
required, e.g., to ask "Back when I lived at Flat 19A, 7B Bowen Road,
Victoria, Hong Kong R.C.C., did I live in China or in Japan?"
Practitioners of comment spam don't want to _work_ at it; their motto is
"We're dumb, but we make it up in volume."

Malheureusement (unfortunately), all I've found that answer to that
description are overengineered solutions such as Drupal / Joomla /
WordPress / IPBoard / xenFora / vBulletin plugins.

On the other hand this one seems less baroque than most, and can be used
free of charge allegedly on any Web page, albeit it's proprietary:
http://dice-captcha.com/

More stuff here:
https://curlie.org/Computers/Internet/Abuse/CAPTCHA/

It's probably not that difficult a thing to code; I just haven't spent
time on it.

Long ago, I had "respond-auto at linuxmafia.com" set up as an
/etc/aliases entry that ran a Perl script to send autoresponse text back
to people.  This was for my author contact line in "How to Ask Questions
the Smart Way", something I set up to send people a first-level response
saying "Hey, this is an automailer for Rick Moen, checking on a few
misconceptions people often have reading my and Eric Raymond's essay,
before getting you in touch with Rick...."  In other words, I was
trying to cut down the 99.9% erroneous inquiries where some net.random
assumes I'm a helpdesk for one of thousands of technical projects, most
of which I've never even heard of.

The problem was that there were a number of security problems with
pipelines in /etc/aliases entries, which were exploited to death by the
bad guys -- including finding ways to use them as spam reflectors.
(So, I disabled the autoresponder; these days, it's just a straight
alias.)

And that _sort_ of failure mode is one reason these types of
comment-spam barrages are still ubiquitous.


> And is there any point in looking for some sort of abuse at yandex
> address to send an alert to? 

Rare is the abuse@ address that's even human-attended at _all_ any more,
let alone to any useful effect.  Victims of abuse, naturally.


[1] The correct answer, technically, was "Gail Jacqueline Dawn Laverne
Dorothy Lee Opal Faye" -- as Mom's parents apparently aimed to give her
a lot of choices, but "Faye" would be deemed an acceptable answer for
form-validation purposes.
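The form gate described in the message above (a site-specific question that must be answered correctly before the submitted form data is accepted at all), written out as an added Python example; this is not code from the original post, from dice-captcha.com, or from any of the CMS plugins mentioned. The question bank, the field names `challenge` and `answer`, the HMAC-signed hidden field that records which question was asked, and the ten-minute expiry are all my assumptions. The signed hidden field is there so a bot cannot simply replay the question id it finds easiest, and the bank can be edited or rotated as often as the site owner likes.

```python
"""Site-specific challenge question gate for an arbitrary HTML form.

Hypothetical example: drop render_form_fragment() into any GET/POST form,
then call verify_submission() on the parsed form fields before doing
anything else with them.  Wrong, missing, tampered or stale answers are
rejected, so junk never gets recorded.
"""
import hashlib
import hmac
import secrets
import time
from html import escape
from typing import Dict, Optional, Set, Tuple

# Assumed question bank: question text plus the set of accepted answers
# (compared after whitespace/case normalisation).  Edit or rotate freely.
QUESTIONS: Dict[str, Tuple[str, Set[str]]] = {
    "q1": ("What is three plus four, as a number or a word?", {"7", "seven"}),
    "q2": ("Is a cat an animal or a vegetable?", {"animal"}),
}

# Key for signing the hidden field.  A real deployment would load a fixed
# key from configuration so tokens survive a restart; here it is generated.
SERVER_SECRET = secrets.token_bytes(32)
CHALLENGE_TTL = 600  # seconds a rendered form stays submittable


def _sign(payload: str) -> str:
    """HMAC-SHA256 over '<qid>:<expiry>' so a client cannot forge the pair."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_challenge(qid: str, now: Optional[float] = None) -> str:
    """Return an opaque token '<qid>:<expiry>:<mac>' for the hidden field."""
    if qid not in QUESTIONS:
        raise KeyError(qid)
    now = time.time() if now is None else now
    expiry = str(int(now + CHALLENGE_TTL))
    return f"{qid}:{expiry}:{_sign(f'{qid}:{expiry}')}"


def render_form_fragment(qid: str, now: Optional[float] = None) -> str:
    """HTML to paste inside an existing <form>; question text is escaped."""
    question, _ = QUESTIONS[qid]
    token = make_challenge(qid, now)
    return (
        f'<input type="hidden" name="challenge" value="{escape(token)}">\n'
        f'<label>{escape(question)} '
        f'<input type="text" name="answer" autocomplete="off"></label>'
    )


def _normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so ' Seven ' matches 'seven'."""
    return " ".join(answer.strip().lower().split())


def verify_submission(form: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
    """Gate check to run before accepting any submitted form data.

    Returns (accepted, reason).  Order matters: the signature is checked
    before anything derived from the token is trusted.
    """
    now = time.time() if now is None else now
    parts = form.get("challenge", "").split(":")
    if len(parts) != 3:
        return False, "malformed challenge"
    qid, expiry, mac = parts
    if not hmac.compare_digest(mac, _sign(f"{qid}:{expiry}")):
        return False, "bad signature"
    try:
        if now >= float(expiry):
            return False, "expired"
    except ValueError:
        return False, "malformed challenge"
    if qid not in QUESTIONS:  # bank rotated since the form was rendered
        return False, "unknown question"
    if _normalize(form.get("answer", "")) not in QUESTIONS[qid][1]:
        return False, "wrong answer"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo: render a form, then replay a submission against it.
    print(render_form_fragment("q1"))
    tok = make_challenge("q1")
    print(verify_submission({"challenge": tok, "answer": " Seven "}))
    print(verify_submission({"challenge": tok, "answer": "8"}))
```

In a CGI or WSGI handler the call sequence is: parse the fields, call `verify_submission`, and only on `(True, "ok")` go on to record or forward the data; every other result can be dropped or answered with a re-rendered form. Because the token is bound to a question id and an expiry, changing the question is just an edit to `QUESTIONS`, and outstanding forms rendered against a removed id fail with "unknown question" rather than being accepted with a stale answer.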
