PlanetMike.com

Blog

Michael Clark's journal of important and not-so-important thoughts.

You are currently browsing the PlanetMike’s Technology Journal weblog archives for March, 2008.



Archive for March, 2008

What Is This? A WordPress Attack Using “PLM”

Saturday, March 29th, 2008 11:35 am

One of my sites had this very odd entry in its log from overnight (actual URL changed):

http://www.example.com/2005/06/24/title-in-here/%2B%25255bPLM=0%25255d%2BGET%2Bhttp:///2005/06/24/title-in-here/%2B%25255b0,16925,26735%25255d%2B-%25253e%2B%25255bN%25255d%2BPOST%2Bhttp:/wp-comments-post.php%2B%25255b0,0,349%25255d

If you URL-decode it a couple of times (each %25 is itself an encoded percent sign, so the brackets are wrapped three layers deep) you end up with:

http://www.example.com/2005/06/24/title-in-here/+[PLM=0]+GET+http:///2005/06/24/title-in-here/+[0,16925,26735]+->+[N]+POST+http:/wp-comments-post.php+[0,0,349]

And if you assume the plus marks are actually spaces:

http://www.example.com/2005/06/24/title-in-here/ [PLM=0] GET http:///2005/06/24/title-in-here/ [0,16925,26735] -> [N] POST http:/wp-comments-post.php [0,0,349]

What is this trying to do? The only software I can find referring to PLM is Fred’s ImageMagick Scripts, which I don’t think is right.
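As an added example (my own code, not from the post), here is a small Python helper that peels the percent-encoding off that log entry one layer at a time, the way the manual decoding above does, and then pulls out the embedded method/URL/number records. The RAW string is the entry quoted above; the record regex is my assumption about its structure.

```python
"""Decode a multiply percent-encoded request path and extract its embedded records."""
import re
from urllib.parse import unquote

# Copy of the odd log entry quoted in the post (hostname already changed by the author).
RAW = ("http://www.example.com/2005/06/24/title-in-here/%2B%25255bPLM=0%25255d%2BGET%2Bhttp:///"
       "2005/06/24/title-in-here/%2B%25255b0,16925,26735%25255d%2B-%25253e%2B%25255bN%25255d"
       "%2BPOST%2Bhttp:/wp-comments-post.php%2B%25255b0,0,349%25255d")


def decode_until_stable(s, max_rounds=8):
    """Percent-decode repeatedly until nothing changes; return (text, rounds_applied).

    unquote() leaves '+' alone and only turns %XX into a character, so each round
    strips exactly one layer of encoding (%2525 -> %25 -> % ...).
    """
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(s)
        if nxt == s:
            return s, rounds
        s, rounds = nxt, rounds + 1
    return s, rounds


def plus_to_space(s):
    """Apply the 'plus marks are spaces' reading used in the post."""
    return s.replace("+", " ")


# Assumed shape of one record: METHOD url [n,n,n]; the "[N]" marker sits between records.
RECORD = re.compile(r"(GET|POST|HEAD)\s+(\S+)\s+\[([0-9,]+)\]")


def parse_plm(spaced):
    """Return (method, url, [numbers]) tuples found in the decoded, space-separated text."""
    return [(m, u, [int(x) for x in nums.split(",")])
            for m, u, nums in RECORD.findall(spaced)]


if __name__ == "__main__":
    text, n = decode_until_stable(RAW)
    print(f"{n} decoding rounds ->", plus_to_space(text))
    for rec in parse_plm(plus_to_space(text)):
        print(rec)
```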

Updated information 2008-03-29 11:55am

There have been a lot of requests like this. The first request was on March 7th, 2008 at 11:39:46, and the most recent (the one listed above) was March 29, 2008 at 03:43:01, from 16 different IP addresses.

The user agent is also varied:
3 “Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.1.4322)”
5 “Mozilla/4.0 (compatible; Powermarks/3.5; Windows 95/98/2000/NT)”
6 “Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050224 Firefox/1.0+”
4 “Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5”
1 “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0”

Is this actually not an attack, but just some web browsing tool or toolbar that is doing funky things?

Updated information 2008-03-29 12:05pm

Hmmm, another of my sites also has this type of request in its log.


Huge New Spam Run Starting Up

Saturday, March 22nd, 2008 11:19 am

While checking my logs from overnight, I saw a huge increase in the amount of spam attempts coming in. Generally I have between 50 and 100 spam attempts per hour coming in. Yesterday, the number started increasing, and is currently running at around 3,000 rejected attempts per hour. Here’s the chart of the number of blocked attempts over the past three days:

And here is the data just for Friday, March 21, showing the botnet was activated at 8:50pm Eastern time:

“Guess who’s searching for you?” style spam is back

Saturday, March 22nd, 2008 10:22 am

A few years ago, there was some spam scam outfit that would send out emails proclaiming “An individual at our website at our website is looking for information regarding: (your email address)” You’d go to the site, pay some money, and find out they really didn’t have any info about you.

I received a spam very much like that today, from EHB126.com. Links inside the scam all refer to ehb125.com. Whois lookups show that all numbers from EHB101.com to EHB136.com are registered to the same outfit: ConsumerBase LLC, 1007 Church St. 5th Floor, Evanston, IL 60201, at (847) 866-9600.

From the spam footer:

We support ethical practices. This email was sent to -address- by ConsumerBase LLC because you have not previously unsubscribed to our email solicitations. By clicking on any link in this email, except the unsubscribe one below, you are reaffirming your interest in receiving future emails. Please know that we respect your right to be taken off our email lists. Removal is automatic through our system. Please click here to start that process.

Well, let’s see how much is wrong with that statement. (1) They’ve not mailed me before. (2) They confirm they use opt-out to gather their spam lists, not opt-in. (3) Removal is automatic, yet the unsubscribe link only starts the process?

I have also never given “Affirmative Consent” that my email address could be used by this company. In fact the address they sent their garbage to has never been used for any kind of subscription. And interestingly enough, “Affirmative Consent” is exactly 180 degrees backwards from what the footer of this message seems to proclaim. “Affirmative Consent” sounds like confirmed opt-in, not opt-out.

Andy Sernovitz has also run across ConsumerBase before: ConsumerBase, ethics aren’t a game.

I have proactively blocked email from all domains in the range of EHB101.com through EHB136.com from abusing my server. IP addresses include: 69.30.254.114 to .125; and 69.30.202.18 to .44 (but not some in the .30 range).

The IP addresses are all assigned to Wholesaleinternet.com. Abuse report filed with them.

TV Converter Box Coupon

Friday, March 21st, 2008 11:42 pm

I still watch TV using regular old rabbit ears. We have two TVs in the house, one in the living room, and one in the basement. They work fine, and are each over 15 years old. So a couple months ago when the U.S. Department of Commerce allowed people to apply for up to two $40 coupons for a digital to analog converter for older TV sets, I applied. The coupons are only good for three months, and there is a limited supply of them. I received the coupons today, but they expire on June 6, 2008. It took the government nearly two weeks to get them shipped out. Bizarre. Or government efficiency, you decide.

The “coupons” look like gift cards (or credit cards). They are bright red and are labeled “TV Converter Box Coupon Program.” There is a hologram on the front that says “Security” in a circle, with an eagle’s head in the center, and the letter “s” repeated in the background. The back of the coupon says “It is illegal to sell, duplicate or tamper with this coupon. This coupon will not be replaced if lost or stolen. Retailer Support Center: www.ntiadtv.gov.”

If you’d like to apply for your coupons, or learn more about this program, go to www.DTV2009.gov.

Setting the WordPress 2.5 Secret Key

Wednesday, March 19th, 2008 10:27 am

I’ve been exploring the WordPress 2.5 Release Candidate 1. I found a few bugs that are probably related to AJAX or javascript under Safari 3.04. I made a few suggestions and comments for part of the new design aspect of the Administrative section. But one interesting thing I haven’t seen mentioned anywhere is WP 2.5’s “Secret Key.”

When you set up WordPress, you put your database settings in the wp-config.php file. There is a new line there:

// Change SECRET_KEY to a unique phrase. You won't have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

While I’m not sure what the “secret key” is used for, I prefer using my own pass phrases and passwords. I generally use the pwgen program to generate my passwords. This command
pwgen --numerals --capitalize --symbols --secure 64

entered in my PowerBook’s Terminal gave me a good password. You can install pwgen for OS X with these instructions: Building pwgen on Mac OS X. Why use pwgen over grc.com? Why not? It’s good to have options.
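As an added example (my own code, not part of the post or of WordPress), a Python equivalent of that pwgen invocation that also writes the wp-config.php line for you. The escaping step is the part worth having: with --symbols, pwgen can emit a single quote or a backslash, and either one pasted raw into a single-quoted PHP literal breaks wp-config.php. Function names and the character set are my assumptions.

```python
"""Generate a WordPress SECRET_KEY locally and emit a syntactically safe wp-config.php line."""
import secrets
import string

# Same character classes as pwgen --numerals --capitalize --symbols (assumed equivalent set).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_secret_key(length=64):
    """Return a random phrase containing at least one digit, one upper-case letter and one symbol.

    secrets.choice() draws from the OS CSPRNG; the loop simply rejects draws that miss a class,
    which happens rarely at length 64 and never biases the characters that are kept.
    """
    if length < 3:
        raise ValueError("length must leave room for one character of each class")
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isdigit() for c in key)
                and any(c.isupper() for c in key)
                and any(c in string.punctuation for c in key)):
            return key


def php_single_quoted(value):
    """Escape for a PHP single-quoted literal: only backslash and the quote itself are special."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def wp_define_line(name, value):
    """Build the define() line that replaces the placeholder in wp-config.php."""
    return "define(%s, %s);" % (php_single_quoted(name), php_single_quoted(value))


if __name__ == "__main__":
    print(wp_define_line("SECRET_KEY", generate_secret_key()))
```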

ShaBlastBot Spider Considered Abusive

Tuesday, March 18th, 2008 9:23 am

While perusing my apache logs, I ran across a lot of requests from a bot with the user-agent of “ShablastBot 1.0” and all came from the IP address of 67.228.100.141. Reverse IP shows that 67.228.100.138, 67.228.100.139, 67.228.100.140 and 67.228.100.142 also resolve to shablast.com. One significant problem appears to be it doesn’t correctly parse out feed: URLs, so I have dozens of bad requests for things like “HEAD /2008/02/feed:http:/www.example.com/feed”

The other major problem is it sent out many many requests in a very short amount of time. Luckily, the server throttled the connections before any damage could be done. But for now I’ve blocked both the ShaBlastBot user-agent and the known IP addresses of that agent from my server.

There isn’t any obvious way to contact any one at ShaBlast about the problems, although I did leave a comment on the site’s blog.
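As an added example (my own code, not from the post), a short Python pass over Apache combined-format log lines that flags the three things described above: the ShablastBot user agent, the glued-on feed: paths, and bursts of requests within one minute from a single address. The log lines are constructed for this example, reusing the address and agent string named in the post; the burst threshold is an arbitrary choice.

```python
"""Flag an abusive crawler in Apache combined-log lines: agent, broken feed: URLs, bursts."""
import re
from collections import Counter

# Constructed sample lines in Apache combined format (not real log data).
SAMPLE_LOG = """\
67.228.100.141 - - [18/Mar/2008:03:10:01 -0400] "HEAD /2008/02/feed:http:/www.example.com/feed HTTP/1.1" 404 - "-" "ShablastBot 1.0"
67.228.100.141 - - [18/Mar/2008:03:10:01 -0400] "GET /2008/02/ HTTP/1.1" 200 5120 "-" "ShablastBot 1.0"
67.228.100.141 - - [18/Mar/2008:03:10:02 -0400] "GET /2008/01/ HTTP/1.1" 200 4980 "-" "ShablastBot 1.0"
67.228.100.141 - - [18/Mar/2008:03:10:02 -0400] "HEAD /2008/01/feed:http:/www.example.com/feed HTTP/1.1" 404 - "-" "ShablastBot 1.0"
10.0.0.7 - - [18/Mar/2008:03:10:05 -0400] "GET /2008/03/ HTTP/1.1" 200 6001 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
"""

# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "agent"
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')


def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE.match(l) for l in log_text.splitlines()) if m]


def burst_sources(records, per_minute=3):
    """Return {ip: peak requests in any one minute} for addresses above the threshold."""
    # ts[:17] is "dd/Mon/yyyy:HH:MM", i.e. the timestamp truncated to the minute.
    counts = Counter((r["ip"], r["ts"][:17]) for r in records)
    peak = {}
    for (ip, _minute), n in counts.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return {ip: n for ip, n in peak.items() if n > per_minute}


def bad_feed_requests(records):
    """Requests where a 'feed:' pseudo-scheme was glued onto a site path, as the post describes."""
    return [r for r in records if "/feed:" in r["path"]]


def abusive_agents(records, marker="shablastbot"):
    """Distinct source addresses whose user agent contains the marker (case-insensitive)."""
    return sorted({r["ip"] for r in records if marker in r["agent"].lower()})


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("bursting:", burst_sources(recs))
    print("bad feed: paths:", [r["path"] for r in bad_feed_requests(recs)])
    print("agent matches:", abusive_agents(recs))
```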

MS Office Discussion Bar

Friday, March 14th, 2008 10:24 am

I’ve started watching my web server logs more closely, and found several requests for /_vti_bin/owssvr.dll and /MSOffice/cltreq.asp. Examples:

/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0

Apparently, these requests are caused by someone using IE with the Discussion Bar turned on. I wonder why IE isn’t smart enough to read the headers to see that I’m not running a Microsoft web server. Or maybe MS has fixed this with version 7 of their browser, since all of the requests I see are IE6.

WordPress TimeZone Handling is Ridiculous

Tuesday, March 11th, 2008 11:29 am

This is 2008. Why in the world does WordPress not know how to shift its internal clock when Daylight Saving Time starts or ends? If the server itself can do it, why can’t WordPress? Heck, my VCR can even automagically adjust by an hour twice a year.

I was going to write a plugin to do this, but Kimmo Suominen has already done it. In February 2005! Matt Mullenweg or someone at Automattic, send Kimmo a check for a few hundred bucks and incorporate his code into the core WP system for 2.5.

The plugin is available at Time Zone plugin for WordPress.

Verizon’s New Terms of Service

Saturday, March 1st, 2008 8:08 am

Verizon emailed me on the 29th letting me know about their new terms of service for my DSL connection. The new terms go into effect on Tuesday, March the 4th. They can be found at http://www2.verizon.net/policies.

I hope no one wants to contribute to any adult sections of the Internet, you can’t do that according to sections 2(a) “Verizon reserves the right to deny Service to you, or immediately to terminate your Service for material breach, if your use of the Service or your use of an alias or the aliases of additional users on your account, whether explicitly or implicitly, and in the sole discretion of Verizon: (a) is … pornographic, … or of a sexually explicit or graphic nature;” and 3(b) “You may NOT use the Service as follows: … (b) to post or transmit information or communications that, whether explicitly stated, implied, or suggested through use of symbols, are … pornographic, … or of a sexually explicit or graphic nature;.” That seems to be too broad, as sexually explicit talk could include medical concerns.

And section 6 says “[y]ou agree that your name, UserID, and other identifying information may be placed in our user directory.” What user directory? Is that open to the public? Or just the internal one that Verizon maintains of their customers? It seems that they wouldn’t need to put in their Acceptable Use Policy that Verizon is keeping a copy of their customer’s information.

Section 7 seems to let Verizon share your info and surfing habits if they even suspect you of doing anything wrong. “Verizon reserves the right to cooperate with legal authorities and/or injured third parties in the investigation of any suspected crime or civil wrong. Such cooperation may include, but not be limited to, provision of account or user information or email as well as monitoring of the Verizon network.” It also seems to say that Verizon won’t stand up for your rights, but will instead simply roll over for any complaints about one of their customers.

I realize that the terms of any ISP are more to cover their butt than to be effective, and that 99% of their customers won’t care what is in these agreements. But they still give a lot of power to the company, and none to their customer.

Copyright © 1997-2008 Michael Boyd Clark
PlanetMike’s Technology Journal is proudly powered by WordPress
Entries (RSS) and Comments (RSS).