Saturday, August 28, 2021
A most persistent spam, part III
Earlier this month I nuked two email addresses being spammed by Alekandr and wanted to wait to see how things go. Two weeks later and Aleksandr (all “his” emails came from the same domain but from different subdomains) are still being sent, still being delayed by my greylist daemon only to be rejected because the destination email address no longer exists. I'm surprised that they are still attempting to deliver the emails. Is it that Aleksandr doesn't care if the emails make it or not? I noticed that the IP addresses are changing more often now—is it a test to see if the IP address being used is blocked? Is it a smear campaign against Aleksandr? What is the end game here?
The script kiddies have come to Gemini
Logging of just about anything on a Gemini server is, within the Gemini community, a contentious issue. Most people using Gemini dislike the web and the intensive logging of everything done with in, so of course they go overboard in the other direction. I've never agreed with that viewpoint and I do log information, even potentially personally identifiable information like IP addresses, because of crap like 5.252.227.126 is doing—repeated (and quite maliciously) trying to crawl my Gemini server for exploits.
And it would be one thing if it were well written,
did a single scan,
not find anything and move on.
But it's not well written
(hell,
even commercial bots aren't well written and well behaved)
and it repeately requests the same page over and over again.
Until I blocked it,
it had requested /index.php over 700 times.
A sample:
| count | request |
|---|---|
| 722 | gemini://gemini.conman.org/index.php |
| 721 | gemini://gemini.conman.org/test/torture/index.php |
| 86 | gemini://gemini.conman.org/login.php |
| 86 | gemini://gemini.conman.org/test/torture/login.php |
Among other requests.
And even now, several hours after I blocked it, it's still trying to make requests even though it's now getting the “no such port” error from the server. I just have to wonder if it's just too cheap to run these bots that it doesn't matter if they don't work all that well. Just enough to keep going and finding exploits. And hey, just becuase now we can't get that page doesn't mean it won't exist in 20 minutes, so keep making those requests.
Sigh. This is why we can't have nice things on the Internet.
More broadly though, I'm not sure what this heralds for Gemini. On the one hand, it's popular enough to attract the script kiddies to check for exploits. On the other hand, there's a large number of different servers so exploits for one server won't necessarily imply a globally workable exploit. And on the gripping hand, the fact that it's easy to write a server means the likelihood of an exploitable server is high.
But hey! Gemini hit a milestone! Script kiddies have hit the scene and now we have to contend with their crap! Woot!
