Lots of user registrations with @gawab.com email addy

I have just had one add to my WP2 – Ronan. As my website is hardly the most visited and is essentially for our family, and the name is prisonin2mate@gawab.com this is rather suspicious. Gawab.com is apparently a very popular free email provider in N.Africa and the middle east. So I am going to switch the guy’s password.
Like you say – something is afoot.

Just had same person register agin with different email address – but they have been disabled for 2 many incoming emails! So this looks like a harvesting tool for a spam robot in the making?
<<
—– The following addresses had permanent fatal errors —–
<prisonimat@gawab.com>
(reason: 550 5.1.1 Account disabled temporarly for exceeding receiving
limits)

—– Transcript of session follows —–
… while talking to mx2.gawab.com.:
>>> DATA
<<< 550 5.1.1 Account disabled temporarly for exceeding receiving
limits
550 5.1.1 <prisonimat@gawab.com>… User unknown
<<< 503 RCPT first (#5.5.1)
>>
I have disabled user self-registration on the website as a result. In my case it is not a big deal.

you can do a cpl things, that wont stop this sort of behaviour alltogether but will help to decrease it.

1. If you use an .htaccess, make sure that your signup can only be called with a referer that matches your site:

RewriteCond %{HTTP_REFERER} !^http://([^.]+.)?www.trentadams.ca/.*$ [NC]
RewriteCond %{REQUEST_URI} ".*wp-register.php$"
RewriteRule .* - [F]

2. If you have mod_security available, you can use post payload checking and block that string:

SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:412"
SecFilterSelective "POST_PAYLOAD" "gawab"

3. Since there’s a very good chance theyre using a proxy IP, you can use a proxy checker script, or something that performs a DNSBL lookup before allowing the page to load.

My own recent implementation of #3 on my “email this post” form has proven invaluable. For instance,

I got this email (i want the emails):

date: Thu, 23 Nov 2006 17:25:23 -0500
ip: 222.96.24.64

The above is an attempt by someone/something behind a proxy to load my “email this post” form. They were sent away 🙂

and thank god they were.

http://www.google.com/search?hl=en&q=222.96.24.64&btnG=Google+Search

Seconds later, they tried again:

2006-11-23 17:25:35
Detected proxy server: webshield.ingcomfin.pl (195.95.154.9)
trigger HTTP_VIA: 1.1 webshield.ingcomfin.pl
trigger HTTP_PROXY_CONNECTION: close

Proxies CAN be stopped 🙂

Thanks for that! I added the info to my .htaccess file. Don’t really understand the 2 and 3rd points, but they sound a little over my head!

But thanks!

Trent

here is 1 of them …JessicaLin – loginnen@gawab.com

peace ;o)

actually yes, I do have a DNSBL lookup plugin written, but I shelved it for sharing since Bad Behaviour 2.0.7 has one.

Heres what Ive learned though, in that regard.

I was not able to get BB to do the proper DNSBL lookup on my site, which is hosted at ASO.

So my own DNSBL lookup plugin works very well for me,

Last night, spencer installed the latest BB, and my own plugin.

BB does do the DNSBL lookups for him just fine. We tested exactly the way I had tested on my site.

The end result is that theres a possibilty that ppl that are using BB might not even know if the DNSBL lookups are even being done. I wouldnt have had I not tested it.

My plugin sends emails.. and spencer was getting them, which means my plugin was working as needed, but that was before he turned on strict checking in BB’s configuration.

My plugin loads after BB, so hopefully spencer has stopped getting emails and BB is doing all the work.

My long winded point is that BB’s DNSBL lookup works on some boxes (spencer is proof) but not on others (i’m proof), and if someone has enabled strict checking in BB but is still seeing hits from IP’s that are entered into spamhaus thhen they might want to try my plugin.

you want a copy? ill zip it up and send it off to you.

Just give me a little bit, like an hour — my real life is a tad overwhelming right now.

Here’s another way of stopping spam registrations. I feel a bit like a spambot myself, trying to put this on all the threads where people have asked about it….