

Thread: Help! I think I'm under attack by a bot called startdedicated

  1. #1

    Help! I think I'm under attack by a bot called startdedicated

    Hi everyone,
    I noticed in the last few days that I was getting a whole bunch of returned mail from mail daemons of all sorts. It appeared that my own email address was sending out emails to others that I knew nothing about and were being returned. So I assumed something had taken over my site. I had to disable my form sometime ago because it had been taken over.
    I checked my logs and was getting a massive amount of traffic from something called startdedicated.com which Trusted source calls malicious. My problem is, how do I keep it out of my site? I have no idea how. Any pathetic attempts I might make are pretty much trying to use the robots.txt file, and I don't know how effective that would be.
    Should I contact my host? Can they block a malicious bot? Is there a way I can?

    Thanks for any help you can give me!

    wilderness
    A comprehensive site providing vacation information for the Anahim Lake and Nimpo Lake Communities and surrounding region.

  2. #2
    WebProWorld MVP danlefree's Avatar
    Join Date
    Jun 2005
    Posts
    387

    Re: Help! I think I'm under attack by a bot called startdedicated

    startdedicated.com WHOIS

    First, block the IP(s) associated with the bot or bots from accessing your mail daemon and webserver.

    Second, contact the abuse address at the host of the domain - malicious activity certainly qualifies as abuse.
    Owner/Operator (Web development, marketing)

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Posts
    8

    Re: Help! I think I'm under attack by a bot called startdedicated

    First of all, determine if the e-mails are "actually" being sent from your server.

    1) Look at the "raw data" view of one of the returned e-mails.
    2) Look right above where the original message says from and
    take note of the IP address in parentheses (ip).

    If this is NOT your ip address, then it is probable that the only
    thing that is going on is that your e-mail address has been forged
    as the "return" address for the crap that is going out. The spammers
    sure don't want the returned e-mails, so they figure that it might
    as well be returned to you instead.

    This is a lot more common than you think. The only thing that
    you can do is to make sure that you have an SPF record on file
    for your domain (so it makes it harder for them to do this to you)
    and hope they skip your e-mail address after a while and move
    onto abusing someone else's.
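    The check described in the post above, scripted as an added example that is not part of the original post: it pulls the returned original out of a bounce and compares the IP in its newest Received header with your own server's addresses. The sample bounce, hostnames and IPs are constructed, and the code assumes the topmost Received line was stamped by the server that returned the mail.

```python
import email
import ipaddress
import re

# Constructed sample bounce (documentation-range IPs, made-up hostnames).
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
Content-Type: multipart/report; boundary="b1"

--b1
Content-Type: text/plain

User unknown.
--b1
Content-Type: message/rfc822

Received: from mail.mysite.example (unknown [203.0.113.45])
\tby mx.recipient.example with SMTP
From: owner@mysite.example

body
--b1--
"""
TOKEN = re.compile(r"[\[(]([^\[\]()\s]+)[\])]")  # text inside (...) or [...]

def returned_original(bounce_text):
    """Original message (or just its headers) carried inside the bounce."""
    for part in email.message_from_string(bounce_text).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    return None

def received_ips(msg):
    """IPs written in (...) or [...] in the Received headers, newest hop first."""
    ips = []
    for token in TOKEN.findall("\n".join(msg.get_all("Received", []))):
        try:
            ips.append(ipaddress.ip_address(re.sub(r"(?i)^IPv6:", "", token)))
        except ValueError:
            pass  # hostnames, "(Postfix)" and similar are not addresses
    return ips

def sent_from_my_server(bounce_text, my_ips):
    """True/False for the newest hop; None if the bounce has no usable headers."""
    original = returned_original(bounce_text)
    ips = received_ips(original) if original is not None else []
    return ips[0] in {ipaddress.ip_address(ip) for ip in my_ips} if ips else None
```

    In the sample the sending host claims the name mail.mysite.example, but the recorded IP is not the site's own, which is the forged-return-address case the post describes.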

  4. #4
    Junior Member
    Join Date
    Jul 2003
    Posts
    5

    Re: Help! I think I'm under attack by a bot called startdedicated

    It is likely that these are 2 separate problems. There has been an upswing in "backscatter" lately - quite a few clients on my server have been hit by it (myself included) - which is caused when spammers use your address as the return path so that you get all the bounced messages from their email blast. Here is a good article on backscatter:
    Dealing with Backscatter

  5. #5
    Member
    Join Date
    Jun 2007
    Posts
    76

    Re: Help! I think I'm under attack by a bot called startdedicated

    You might be a victim of email spoofing. Google on how to set up SPF records for your email server.

  6. #6
    Rest in Peace 1946 - 2013 deepsand's Avatar
    Join Date
    May 2004
    Location
    State College, PA
    Posts
    16,376

    Re: Help! I think I'm under attack by a bot called startdedicated

    Quote Originally Posted by seo4china View Post
    You might be a victim of email spoofing. Google on how to set up SPF records for your email server.
    SPF will not prevent spoofing, but only block delivery of spoofed missives to recipients whose e-mail systems use SPF to validate the sender, which will increase backscatter.

  7. #7
    Member
    Join Date
    Jun 2007
    Posts
    76

    Re: Help! I think I'm under attack by a bot called startdedicated

    Quote Originally Posted by deepsand View Post
    SPF will not prevent spoofing, but only block delivery of spoofed missives to recipients whose e-mail systems use SPF to validate the sender, which will increase backscatter.
    Which includes if I am not wrong all the major free email providers, and therefore can definitely reduce the amount of spoofing. While improving the deliverability of your own emails as well.

  8. #8
    Junior Member
    Join Date
    May 2006
    Posts
    28

    Re: Help! I think I'm under attack by a bot called startdedicated

    Hi,

    I've recently had the same problem. I had a php script I wrote that was too open. I ended up changing the code to Mat Cutt's formmail.pl script. It stopped the email relaying. I don't understand how they were doing it but a vulnerability in my form handler allowed the spammers to send email using my script without it sending me an email. The only way I found out was the flood of error messages my server was returning to me.

    Best of luck.
    Daphne
    Daphne Talbot
    Website marketing & design

  9. #9
    Junior Member
    Join Date
    Oct 2005
    Posts
    16

    Re: Help! I think I'm under attack by a bot called startdedicated

    Quote Originally Posted by dtalbot View Post
    Hi,

    I've recently had the same problem. I had a php script I wrote that was too open. I ended up changing the code to Mat Cutt's formmail.pl script. It stopped the email relaying. I don't understand how they were doing it but a vulnerability in my form handler allowed the spammers to send email using my script without it sending me an email. The only way I found out was the flood of error messages my server was returning to me.

    Best of luck.
    Daphne
    I think you meant Matt Wright. Matt Cutt is the Google guru...

  10. #10
    WebProWorld MVP Webnauts's Avatar
    Join Date
    Aug 2003
    Location
    European Community
    Posts
    8,934

    Re: Help! I think I'm under attack by a bot called startdedicated

    If you are on Apache, and .htaccess modules are activated, keep bad bots out of your site, adding the following rules:
    Code:
    ### Deny Fake Bots ###
    BrowserMatch "^Java/?[1-9_\.]*" bad_bot
    BrowserMatch "^MJ12bot/?[1-9_\.]*" bad_bot
    SetEnvIfNoCase User-Agent "8484 Boston Project v 1.0" bad_bot
    SetEnvIfNoCase User-Agent "charlotte/" bad_bot
    SetEnvIfNoCase User-Agent "curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5" bad_bot
    SetEnvIfNoCase User-Agent "ISC Systems iRc Search 2.1" bad_bot
    SetEnvIfNoCase User-Agent "^Jakarta\ Commons-HttpClient/" bad_bot
    SetEnvIfNoCase User-Agent "larbin/" bad_bot
    SetEnvIfNoCase User-Agent "libwww-perl/" bad_bot
    SetEnvIfNoCase User-Agent "^libcurl-agent/" bad_bot
    SetEnvIfNoCase User-Agent "^Microsoft\ URL\ Control.*$" bad_bot
    SetEnvIfNoCase User-Agent "MJ12bot/v1.0.8" bad_bot
    SetEnvIfNoCase User-Agent "^Missigua" bad_bot
    SetEnvIfNoCase User-Agent "^Mozilla/4\.0\ .*Win\ 9x\ 4\.90.*$" bad_bot
    SetEnvIfNoCase User-Agent "Nutch" bad_bot
    SetEnvIfNoCase User-Agent "phpversion" bad_bot
    SetEnvIfNoCase User-Agent "TencentTraveler" bad_bot
    SetEnvIfNoCase User-Agent "^Web Downloader" bad_bot
    <FilesMatch "(.*)">
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    </FilesMatch>
    and

    Code:
    RewriteEngine on
    RewriteBase /
    RewriteCond %{HTTP_USER_AGENT} ADSARobot|ah-ha|almaden|aktuelles|Anarchie|amzn_assoc|Arachmo|ASPSeek|ASSORT|ATHENS|Atomz|attach|attache|autoemailspider|BackWeb|Bandit|BatchFTP|bdfetch|BecomeBot|big.brother|BlackWidow|bmclient|Boston\ Project|bot/1.0|BravoBrian\ SpiderEngine\ MarcoPolo|Bot\ mailto:craftbot@yahoo.com|Buddy|Bullseye|bumblebee|capture|CherryPicker|ChinaClaw|CICC|clipping|Clushbot|Collector|Copier|Crescent|Crescent\ Internet\ ToolPak|Custo|cyberalert|Deweb|diagem|Digger|Digimarc|DIIbot|DISCo|DISCo\ Pump|DISCoFinder|Download\ Demon|Download\ Wonder|Downloader|Drip|DSurf15a|DTS.Agent|EasyDL|eCatch|ecollector|efp@gmx\.net|Email\ Extractor|EirGrabber|email|EmailCollector|EmailSiphon|EmailWolf|Express\ WebPictures|ExtractorPro|EyeNetIE|FavOrg|fastlwspider|Favorites\ Sweeper|Fetch|FEZhead|FileHound|FlashGet\ WebWasher|FlickBot|fluffy|FrontPage|GalaxyBot|Generic|Getleft|GetRight|GetSmart|GetWeb!|GetWebPage|gigabaz|Girafabot|Go\!Zilla|Go!Zilla|Go-Ahead-Got-It|GornKer|gotit|Grabber|GrabNet|Grafula|Green\ Research|grub-client|Harvest|hhjhj@yahoo|hloader|HMView|HomePageSearch|http\ generic|HTTrack|httpdown|httrack|ia_archiver|IBM_Planetwide|Image\ Stripper|Image\ Sucker|imagefetch|IncyWincy|Indy*Library|Indy\ Library|informant|Ingelin|InterGET|Internet\ Ninja|InternetLinkagent|Internet\ Ninja|InternetSeer\.com|Iria|Irvine|JBH*agent|JetCar|JOC|JOC\ Web\ Spider|JustView|kalooga|KWebGet|Lachesis|larbin|Leacher|LeechFTP|LexiBot|lftp|libwww|likse|Link|Link*Sleuth|LINKS\ ARoMATIZED|LinkWalker|LWP|lwp-trivial|Mag-Net|Magnet|Mac\ Finder|Mag-Net|Mass\ Downloader|MCspider|MJ12bot/v1\.0\.8|Memo|Microsoft.URL|MIDown\ tool|Mirror|Missigua\ Locator|Mister\ PiX|MMMtoCrawl\/UrlDispatcherLLL|^Mozilla$|Mozilla.*Indy|Mozilla.*NEWT|Mozilla*MSIECrawler|MS\ FrontPage*|MSFrontPage|MSIECrawler|MSProxy|MSR-ISRCCrawler|multithreaddb|my-heritrix-crawler|nationaldirectory|Navroad|NearSite|NetAnts|NetCarta|NetMechanic|netprospector|NetResearchServer|NetSpider|Net\ Vampire|NetZIP|NetZip\ Downloader|NetZippy|NEWT|NICErsPRO|Ninja|NPBot|NicheBot|noxtrumbot|Octopus|Offline\ Explorer|Offline\ Navigator|OpaL|Openfind|OpenTextSiteCrawler|OrangeBot|PageGrabber|Papa\ Foto|PackRat|pavuk|pcBrowser|PersonaPilot|Ping|PingALink|Pingdom|Pockey|POE-Component-Client-HTTP|Powermarks|Proxy|psbot|PSurf|psycheclone|puf|Pump|PushSite|QRVA|RealDownload|Reaper|Recorder|ReGet|replacer|RepoMonkey|Robozilla|Rover|RPT-HTTPClient|Rsync|Scooter|SearchExpress|searchhippo|searchterms\.it|Second\ Street\ Research|Seeker|Shai|Siphon|sitecheck|sitecheck.internetseer.com|SiteSnagger|SlySearch|SmartDownload|snagger|Snake|SpaceBison|Spegla|SpiderBot|sproose|SqWorm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|SurfWalker|Szukacz|tAkeOut|tarspider|Teleport\ Pro|Templeton|TrueRobot|TV33_Mercator|UIowaCrawler|UtilMind|URLSpiderPro|URL_Spider_Pro|Vacuum|vagabondo|vayala|visibilitygap|VoidEYE|vspider|Web\ Downloader|w3mir|Web\ Data\ Extractor|Web\ Image\ Collector|Web\ Sucker|Wweb|WebAuto|WebBandit|web\.by\.mail|Webclipping|webcollage|webcollector|WebCopier|webcraft@bea|webdevil|webdownloader|Webdup|WebEMailExtrac|WebFetch|WebGo\ IS|WebHook|Webinator|WebLeacher|WEBMASTERS|WebMiner|WebMirror|webmole|WebReaper|WebSauger|Website|Website\ eXtractor|Website\ Quester|WebSnake|Webster|WebStripper|websucker|webvac|webwalk|webweasel|WebWhacker|WebZIP|Wget|Whacker|whizbang|WhosTalking|Widow|WISEbot|WWWOFFLE|x-Tractor|^Xaldon\ WebSpider|WUMPUS|Xenu|XGET|Yeti|zermelo|Zeus.*Webster|Zeus [NC]
    RewriteRule ^.* - [F,L]
    Try both together. If you get a server error, test each one separately to see which works.

    I did not add the bot you mentioned here, since I did not investigate it yet.

    In addition, do yourself a favor and support us at Distributed Spam Harvester Tracking Network | Project Honey Pot (Free - No membership fees).

    I can only tell that we have 98% fewer spambot attacks, and we catch some if not all of the left 2% with the help of the honeypot.

    You will be amazed.

    Good luck,

    John

    P.S. I am writing an article which I will publish soon on my site.
    Forensic SEO & Social Semantic Web Consultant | My personal blog
