Yet Another Questionable Commenter

Here’s another example of how the Systems Admin’s “Spidey Sense” kicks in at times, and how ‘nslookup’ is your friend.

Comments here run on a complicated layering of filters, but include a general “white listing” action. WordPress has their own layer of filtering. Known bad actors get filtered out by them. Then they have some “rules” (ill defined but including things like “too many links”) that help sort “SPAM” from valid comments. Some of those, like that link count, have a tuning ability where the site administrator can choose how many links is “too many”. (One spammer, at the moment, is sending 2 or 3 a day of a few pages of links…so they always go to the SPAM queue and you folks are not bothered by their offer of fake travel documents).

Then I can set up a list of key words causing postings to be moderated or trashed. It’s a very short list for both.

Finally, I can choose to have people put on a ‘white list’ and once their IP address / Username combo is approved out of moderation all future comments automatically “go up” and it’s up to me to read them all and toss out any that are bad, but after they have been published already.

This comes with the need to be Very Careful about letting the first comment from an unknown person “go up”, as it is also approving all FUTURE comments, sight unseen.

So you develop a sense of “something just isn’t quite right” and dig deeper on those.

So here’s a comment from an unknown, with a vaguely Hispanic name, and basically no content. Not only that, given my prolix nature, a comment of “What?” responding to my posting or comments, well, it’s extraordinarily unclear, seems designed to be inoffensive and “ordinary”, and just not quite right somehow. So a “Dig Here!” gets flagged.

Alexandra Tracy Chavarriaga
alexandra.tracy4@gmail.com
185.101.238.186	In reply to E.M.Smith.

What ?

Doing a simple “duckduckgo” search (or any web search) on the name gives a few folks in The West like these:

Alexandra Tracy Chavarriaga (@aletracy) • Instagram photos …

1,207 Followers, 749 Following, 255 Posts – See Instagram photos and videos from Alexandra Tracy Chavarriaga (@aletracy)
[Search domain {www.instagram.com}] [https://www.instagram.com/aletracy/]

Alexandra Tracy Chavarriaga (aletracy) on Pinterest
Alexandra Tracy Chavarriaga | Baila la, que de la buenas te cura.
[Search domain {www.pinterest.com}] [https://www.pinterest.com/aletracy/]

Alexandra Tracy – Community Economic Development – Peace …
See Alexandra Tracy’s profile on LinkedIn, the world’s largest professional community. Join LinkedIn to connect with Alexandra and others you may know. Also see Alexandra’s peers and jobs at similar companies.

[Search domain {www.linkedin.com}] [https://www.linkedin.com/in/aletracy]
Alexandra Tracy Chavarriaga from Ann Arbor, Michigan
Alexandra Tracy Chavarriaga of Travel Latina painted the perfect picture of why you need to put San Diego, California on your list. She lived their…

Michigan, San Diego… In particular, note "Travel Latina"

When we search on the email address, what do we get?

In the first few items returned by the search is this one:

https://contactout.com/Alexandra-Tracy-2494424

Friends COLOMBIA – Constant Contact
friends newsletter of the colombia returned peace corps volunteers letter from the president board of directors spring 2017 issue from the field . . . . . . . . . . .2
[Search domain files.constantcontact.com] files.constantcontact.com/7dcec582301/da3a52d7-b619-46a3-8dcd-65877…

Travellatina.org whois
According to “Whois Travellatina.org”, Travellatina is owned by Alexandra Tracy since 2016. Travellatina was registered with Public Interest Registry on February 23, 2016. …
[Search domain whois.easycounter.com] [https://whois.easycounter.com/travellatina.org]

404 – Запрашиваемый ресурс отсутствует, перемещен…
mariiachibireva@gmail.com.
[Search domain idbras.comcor.ru] idbras.comcor.ru/1

Alexandra Tracy Email & Phone# | Founder and… – ContactOut
Alexandra Tracy’s Email. *a.tracy4@gmail.com. Not the Alexandra Tracy you were looking for? Search 1.5 billion Email & Phone#. Browse to anyone’s Linkedin profile, and Contactout will find that person’s email address and phone number.
[Search domain contactout.com] [https://contactout.com/Alexandra-Tracy-2494424]

Easycounter is also pointing at Travel Latina. At this point one is tempted to think it might be an attempt to get a self promotion hook going for a travel site. But a bit more digging is still to be done. So let’s look at that contactout info first.

The photo of the person matches the thumbnail on the comment. She’s our girl, or someone is posing as her.

Alexandra Tracy’s Email and Phone
Founder and Freelance Consultant @ Travel Latina
Alexandra Tracy’s Email

a****4@gmail.com
a****y@umich.edu

Location Greater San Diego Area
Work
Founder and Freelance Consultant @ Travel Latina
Project Coordinator @ Cultural Edge Consulting
Spanish Teaching Assistant @ University of California, San Diego
Researcher @ Adapta Sertão
Education
B.A., Political Science and French @ University of Michigan
Masters, Pacific International Affairs (MPIA) @ University of California, San Diego – School of International Relations and Pacific Studies (IR/PS)
CEP, International Relations @ Institut d’Etudes politiques d’Aix-en-Provence
High School Diploma @ Lake Orion High School
Elementary School @ Colegio Americano de Saltillo

Looks like a typical American Kid of Latin Origin making a success of life. Now someone with that level of skill and education posting a cryptic one word comment is possible but unlikely.

Let’s take a look at the “whois” output on her IP address of origin. If it is San Diego or even Michigan or similar, well, likely no worries.

There are “whois” web pages, so I just put “whois 185.101.238.186” into my search engine then picked the 3rd choice down (since the first one had changed the number and the second one was just an “enter your number” page):

http://ipaddress.is/185.101.238.186

A detailed IP address report for 185.101.238.186 is below. The timezone of 185.101.238.186 is Asia/Baghdad. The current local time of 185.101.238.186 is Sunday 20th of May 2018 06:05:28 PM.

IP Address	185.101.238.186
Host	185.101.238.186
Country	Iraq
Latitude	33°00'00" N
Longitude	44°00'00" E

So either our American Latina is presently residing in Baghdad, or is using a dodgy VPN to there, or she is not there at all and someone is playing games with her identity. Now if the comment had some relevant substance, I’d likely let it through, but given this particular constellation of oddities, it’s gone past my acceptance limits.

Effectively NULL content.
Content appears unrelated to actual text above it.
Unknown person.
IP address in conflict with what is known about the person, their public profile.
IP address from a known problem area.

So at that point, the comment gets deleted.
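The five-item checklist above, written out as a scoring function. This is an added example, not code from the original post or from WordPress: the field names, the word-overlap test used for “unrelated”, the flag limit of 3 and the sample comments are all assumptions, and the country for each IP is supplied as data (the Iraq result is the one quoted from the lookup above).

```python
import re

# Assumption: mirrors the post's "known problem area" judgement for this case.
PROBLEM_COUNTRIES = {"IQ"}

def words(text):
    """Lower-cased words longer than three letters, as a crude content measure."""
    return {w for w in re.findall(r"[a-z]+", text.lower()) if len(w) > 3}

def triage(comment, parent_text, approved, profile_countries):
    """Return the checklist flags raised by one comment."""
    flags = []
    body = words(comment["body"])
    if len(body) < 3:
        flags.append("null-content")
    if not body & words(parent_text):
        flags.append("unrelated-to-parent")
    if (comment["ip"], comment["name"]) not in approved:
        flags.append("unknown-person")
    if profile_countries and comment["ip_country"] not in profile_countries:
        flags.append("ip-conflicts-with-profile")
    if comment["ip_country"] in PROBLEM_COUNTRIES:
        flags.append("ip-in-problem-area")
    return flags

def decide(flags, limit=3):
    """Assumed policy: publish only with no flags, delete at `limit` or more."""
    if not flags:
        return "publish"
    return "delete" if len(flags) >= limit else "moderate"

# Constructed inputs; the suspect's IP and country are the ones quoted in the post.
PARENT = "Notes on tuning the filter rules for comment moderation."
SUSPECT = {"name": "Alexandra Tracy Chavarriaga", "ip": "185.101.238.186",
           "ip_country": "IQ", "body": "What ?"}
NEWCOMER = {"name": "Sample Reader", "ip": "192.0.2.10", "ip_country": "US",
            "body": "Useful detail on moderation rules, thanks for writing it up."}

if __name__ == "__main__":
    for c, profile in ((SUSPECT, {"US"}), (NEWCOMER, set())):
        flags = triage(c, PARENT, set(), profile)
        print(c["name"], flags, decide(flags))
```

Because an unapproved IP / Username pair always raises “unknown-person”, a first comment is never published automatically, which matches the white-list behaviour described earlier.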

NOTE TO Travel Latina Alexandra: If, in fact, your comment was really you and valid, please accept my apologies and please avoid triggering the kind of Bogosity Flags shown above and try again.

NOTE TO Guy in a hovel in Baghdad pretending to be Travel Latina: Nice try, but no. Not interested in playing. Even if you “pick up your game” and get something through, eventually you will demonstrate you are not Alexandra and then you will just get tossed into the SPAM queue. Better to spend your time somewhere else.

UPDATE:

No sooner had I posted this and gone over to deal with the SPAM queue, with 25 in it, when I discovered ample evidence the thing’s a bot of some kind. A whole load of:

 WWW.ХХХ.КУWVW.ХУZ
lburton2.wordpress.comx
lburton2@mail.usf.edu
218.93.143.91	In reply to philjourdan.

What ?

Not Spam | History | Delete Permanently
	
WWW.ХХХ.LFRZRI.ХУZ
swee@digilab.com.sg
185.212.190.150	In reply to E.M.Smith.

What ?

Not Spam | History | Delete Permanently

As all the User IDs are clearly bogus, and the emails go to someone else, I’m not seeing the point. So some idiot can demonstrate he can make a bot to randomly post crap? Generally be annoying to the world? Exercise WordPress SPAM learning? As of now it looks like about 20 out of 21 were already flagged as SPAM before I even saw the ONE that got through. I’m now going to pull it back from TRASH and mark IT SPAM too. (I’m pretty sure that’s how WordPress learns what is SPAM – from the collective markings of all the admins.)

Usually these things run their course quickly. I get one like this every few months and then it seems that script kiddie discovers WordPress is no fun…
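The two give-aways in the UPDATE, the same body arriving from unrelated addresses and user names built from look-alike letters, can be checked mechanically. This is an added example, not code from the original post or from WordPress: the record layout, the threshold of three senders and the “Sample Reader” entry are assumptions, and it assumes the look-alike letters in the queued names are Cyrillic, as they appear to be.

```python
import unicodedata
from collections import defaultdict

def scripts(name):
    """Scripts used by the letters of `name`, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in name if ch.isalpha()}

def mixed_script(name):
    """True when a display name combines letters from more than one script."""
    return len(scripts(name)) > 1

def normalise(body):
    """Fold case and drop whitespace so 'What ?' and 'what?' compare equal."""
    return "".join(body.lower().split())

def waves(queue, min_senders=3):
    """Map each body sent from at least `min_senders` distinct IPs to those IPs."""
    senders = defaultdict(set)
    for c in queue:
        senders[normalise(c["body"])].add(c["ip"])
    return {b: ips for b, ips in senders.items() if len(ips) >= min_senders}

# Constructed queue: the three "What ?" entries use the IPs and names shown in
# the post (Cyrillic letters written as escapes); the last entry is invented.
QUEUE = [
    {"name": "Alexandra Tracy Chavarriaga", "ip": "185.101.238.186",
     "body": "What ?"},
    {"name": "WWW.\u0425\u0425\u0425.\u041a\u0423WVW.\u0425\u0423Z",
     "ip": "218.93.143.91", "body": "What ?"},
    {"name": "WWW.\u0425\u0425\u0425.LFRZRI.\u0425\u0423Z",
     "ip": "185.212.190.150", "body": "What ?"},
    {"name": "Sample Reader", "ip": "192.0.2.10",
     "body": "Thanks for the write-up."},
]

if __name__ == "__main__":
    for body, ips in waves(QUEUE).items():
        print("wave:", repr(body), sorted(ips))
    for c in QUEUE:
        print(mixed_script(c["name"]), ascii(c["name"]))
```

The wave check catches the comment posted under a real person's name, which passes the name check, because its body matches the other two.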


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

10 Responses to Yet Another Questionable Commenter

  1. jim2 says:

    What? :)

  2. H.R. says:

    Dangit, jim2!
    You beat a bunch of us to the punch.😆

    Interesting post, E.M. I’m glad you don’t have to fuss with these issues more often.

  3. Larry Ledwick says:

    That kind of comment was often the opening gambit to get past moderation by posting a few inoffensive comments, until the user had accumulated enough posts to be automatically shifted to unmoderated. (some boards used to moderate all posts until you got to a certain post count.)

  4. I always wondered. Why? Just why? So much work. Do these people have nothing better to do with their time? Thanks for your insight.

  5. ossqss says:

    Bots and Drones coming to a future near you! Oh the Pain!

  6. Chris in Calgary says:

    Script kiddies don’t bother me so much, unless they lose interest in plain old internet tech and become CRISPR/Biohacker script kiddies.

    Even worse, they could couple CRISPR to a machine learning script and then go away for the weekend and forget they left it running. Only to return Sunday night and find the house overrun with a completely original life form…. :)

  7. E.M.Smith says:

    @Chris in Calgary:

    Just wait until we have automated “Gene Printers”. Once the library of genes and interactions is large enough, you will be able to enter a set of traits into a question form, then have the automated gene editor print up a cell made to order; and then grow it into a being.

    I’d say in well under 50 years, but likely more than 20 (mostly from government interventions).

    Inevitably somebody will be printing a “steak” (think lab-meat for squeamish folks) and get it wrong, then find they have a strange critter looking at them from the grow box… or their steak is trying to crawl away…

    We’re already to the point where folks can assemble viruses from raw materials. Given the gene sequence of a 100% lethal plague, it can be manufactured as desired. This has made the “controversy” over keeping / destroying the last samples of Small Pox moot. It’s been sequenced, so makes no difference any more. Either way. Just a question of work load.

    Eventually I can envision a shipping crate full of machinery. It gets delivered somewhere, then when the GPS tells it that it is in the right place, starts fabricating a 100% lethal virus that self extinguishes after some number of replication. Kills off everyone for, oh, 10 hours, then ends. Attacker then just walks in and takes over. Yeah, not the kind of hackers I want to deal with…

    @ossqss:

    Yes, the “Oh Bother” of it all, in a Poo kind of way…

    @Larry:

    Well, somewhere along the line I guess I saw enough of those that I have a “relevance to above?” item on my checklist…

    @Jim2:

    Yes, really!
    ;-)

    @Norbert:

    It has to be either very bored kids, or somebody being paid to do it somehow…

    @H.R.:

    It goes in waves. There will be very little for a long time, then something new pops up, and eventually it fails to “work” and they move on to something else.

    Right now I’m getting about 1/2 dozen / day of these things that are about 2 pages long each. Mostly pushing cheap online drug sites (like I’d put anything inside me sold cheap on the internet by folks who SPAMed me…) but also a set pushing fake documents (passports, drivers licenses, etc).

    A new one has shown up that has a link to porn that looks benign. In the management panel, they do something I hate, in that the cursor moving over a link activates it for a “preview” (thus giving the folks a ‘hit’ report and activating who knows what code). It’s very hard to scroll the page and not occasionally have some link pop a preview. Well, the porn one popped a bunch of nude thumbnails in one top page image. I’d hate to be at work as the guy trying to delete these and have that happen. So it got deleted pronto and I’ve gotten more careful about where the cursor goes while scrolling the page. Needing to scroll down 2 pages to get to the delete button for the big ones had my cursor slide over this one and “Surprise!”…

    I’ll be very happy when the 2 pagers run out. 4 of them and I’ve got 8 pages of scrolling to do… or I get to check a box at the top, pick an action off a drop down, and then say ‘do action’ which is about as much added work as scrolling to the delete button…

    This was why I added an expiration date to comment ability. It takes these bots a while to find a new posting, so most of the SPAM shows up on older posts. Turning off comments after a few months of open dramatically reduced total SPAM. It’s now one of the things I look for. Is this comment on something 2 months old? Sometimes they do get legit comments from a newby, but usually old postings getting comments means SPAM. So in a few weeks or months, when the comments auto-close on the ones currently being hit, those 2 pagers will end. They will need to rescan the site then, and that usually takes a while.

    Long way of saying it comes in waves.

  8. philjourdan says:

    Back when I first got on the Internet (circa 1990), an EDU email ID was the golden ticket to ANYWHERE. (I was working in a State – sorry, “Commonwealth” – Dept of Ed). Now having worked in a college EDU, I find that an edu is virtually worthless. Why? Because you get them for LIFE! In fact, you do not have to take a single course or set foot into any hallowed halls! Just sign up for a college and the first thing you get is an email address!

    Needless to say, most people do not keep them up. They move on. That is why you can go to the dark web and find thousands of EDU email addresses for sale. Indeed we had one “Good Samaritan” who wanted to “warn” us that some of our email addresses were for sale (he was so proud of his discovery he revealed a lot about himself and his limited knowledge).

    So the EDU is almost worthless as an email ID (it will still get you a discount at Microsoft – but little else) and mine has gone the way of all those others out there for sale. But before going out and buying one for $5, just sign up at a local college! You do not have to actually complete any applications, or even pay a cent. But many will give you the ID so that you can complete the process and it will not cost you $5 (the idiot thought he was hot stuff because he actually bought one – we did not tell him he could get one for free).

  9. p.g.sharrow says:

    @EMSmith; I can imagine the volume of spam you must wade through. I get 4 times the spam numbers that I get in real comments, often on posts and pages that I know no one has looked at in years. There must be some kind of bot list that gets passed around as they all seem to claim to be comments on the same few pages…pg.

  10. E.M.Smith says:

    @P.G.:

    “no one has looked at in years”… Thus my blocking comments on old pages after something like 6 months… It cuts out all that spam.


This site uses Akismet to reduce spam. Learn how your comment data is processed.