PlanetMike.com

Michael Clark's journal of important and not-so-important thoughts.

Archive for the 'Web-design' Category

Akismet 30,000th Spam Comment

Thursday, May 1st, 2008 1:48 pm

I just deleted my 30,000th comment spam. I have no idea how high the count would have been had I not put into place several techniques that automatically block bad commenters. Those that fall into my traps don’t even get entered into the Akismet system, and so aren’t counted.

(Addendum 9:32pm: The count is now up to 30,447. That comes to one new spam comment every 63 seconds.)

What Is This? A WordPress Attack Using “PLM”

Saturday, March 29th, 2008 11:35 am

One of my sites had this very odd entry in its log from overnight (actual URL changed):

http://www.example.com/2005/06/24/title-in-here/%2B%25255bPLM=0%25255d%2BGET%2Bhttp:///2005/06/24/title-in-here/%2B%25255b0,16925,26735%25255d%2B-%25253e%2B%25255bN%25255d%2BPOST%2Bhttp:/wp-comments-post.php%2B%25255b0,0,349%25255d

If you URL-decode the percent-encoding a couple of times, you end up with:

http://www.example.com/2005/06/24/title-in-here/+[PLM=0]+GET+http:///2005/06/24/title-in-here/+[0,16925,26735]+->+[N]+POST+http:/wp-comments-post.php+[0,0,349]

And if you assume the plus marks are actually spaces:

http://www.example.com/2005/06/24/title-in-here/ [PLM=0] GET http:///2005/06/24/title-in-here/ [0,16925,26735] -> [N] POST http:/wp-comments-post.php [0,0,349]

What is this trying to do? The only software I can find referring to PLM is Fred’s ImageMagick Scripts, which I don’t think is right.
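To reproduce the decoding above and to pick such requests out of a log, here is an added Python example (not from the original post): it percent-decodes the request path until nothing changes, treats the plus signs as spaces, and pulls out the [PLM=n] tag and the method/URL/counter steps. The request string is the one quoted above, with the author's example.com substitution.

```python
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# The request line quoted above (the author already swapped the real host for example.com).
PLM_REQUEST = (
    "http://www.example.com/2005/06/24/title-in-here/%2B%25255bPLM=0%25255d%2BGET%2B"
    "http:///2005/06/24/title-in-here/%2B%25255b0,16925,26735%25255d%2B-%25253e%2B"
    "%25255bN%25255d%2BPOST%2Bhttp:/wp-comments-post.php%2B%25255b0,0,349%25255d"
)

def decode_fully(url: str) -> Tuple[str, int]:
    """Percent-decode until nothing changes; return the text and how many rounds it took."""
    rounds = 0
    while True:
        decoded = unquote(url)
        if decoded == url:
            return url, rounds
        url, rounds = decoded, rounds + 1

# One "METHOD url [n,n,n]" step of the decoded request; the [N] marker carries no digits.
STEP_RE = re.compile(r"(GET|POST|HEAD)\s+(\S+)\s+\[([\d,]+)\]")

def parse_plm(decoded: str) -> Optional[dict]:
    """Read the [PLM=n] tag and the request steps out of a decoded path, or None if absent."""
    text = decoded.replace("+", " ")          # the plus signs stand for spaces
    tag = re.search(r"\[PLM=(\d+)\]", text)
    if tag is None:
        return None
    steps = [{"method": m, "url": u, "counters": [int(n) for n in c.split(",")]}
             for m, u, c in STEP_RE.findall(text)]
    return {"plm": int(tag.group(1)), "steps": steps}

def is_plm_request(raw_path: str) -> bool:
    """Log filter: True when a raw request path decodes to something carrying a [PLM=n] tag."""
    decoded, _ = decode_fully(raw_path)
    return parse_plm(decoded) is not None
```

The quoted request needs three rounds of decoding before the brackets appear, which is itself a useful signal: ordinary browsers never send a path encoded that many times.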

Updated information 2008-03-29 11:55am

There have been a lot of requests like this. The first request was on March 7th, 2008 at 11:39:46, and the most recent (the one listed above) was March 29, 2008 at 03:43:01. They came from a variety of IP addresses.

The user agent is also varied:
3 "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.1.4322)"
5 "Mozilla/4.0 (compatible; Powermarks/3.5; Windows 95/98/2000/NT)"
6 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050224 Firefox/1.0+"
4 "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5"
1 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"

Is this actually not an attack, but just some web browsing tool or toolbar that is doing funky things?

Updated information 2008-03-29 12:05pm

Hmmm, another of my sites also has this type of request in its log.

Setting the WordPress 2.5 Secret Key

Wednesday, March 19th, 2008 10:27 am

I’ve been exploring the WordPress 2.5 Release Candidate 1. I found a few bugs that are probably related to AJAX or JavaScript under Safari 3.04. I made a few suggestions and comments on part of the new design of the administrative section. But one interesting thing I haven’t seen mentioned anywhere is WP 2.5’s “Secret Key.”

When you set up WordPress, you put your database settings in the wp-config.php file. There is a new line there:

// Change SECRET_KEY to a unique phrase. You won't have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

While I’m not sure what the “secret key” is used for, I prefer using my own pass phrases and passwords. I generally use the pwgen program to generate my passwords. This command
pwgen --numerals --capitalize --symbols --secure 64

entered in my PowerBook’s Terminal gave me a good password. You can install pwgen for OS X with these instructions: Building pwgen on Mac OS X. Why use pwgen over grc.com? Why not? It’s good to have options.
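As an added example (not the author's workflow, which used pwgen), here is Python that generates a 64-character phrase under the same policy the pwgen flags above ask for (numerals, capitals, symbols), checks whether a wp-config.php still carries the shipped placeholder, and swaps the new value into the define() line. The sample config is constructed; a key containing ' or \ would break PHP's single-quoted string, so those two characters are left out of the alphabet.

```python
import re
import secrets
import string

PLACEHOLDER = "put your unique phrase here"   # the value WordPress 2.5 ships with
# Symbols that are safe inside a PHP single-quoted string: ' and \ would need escaping.
SYMBOLS = "".join(c for c in string.punctuation if c not in "'\\")
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

def generate_secret_key(length: int = 64) -> str:
    """Random phrase with at least one digit, one capital and one symbol (pwgen's flags)."""
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isdigit() for c in key) and any(c.isupper() for c in key)
                and any(c in SYMBOLS for c in key)):
            return key

# Matches define('SECRET_KEY', '...'); and captures the current value.
DEFINE_RE = re.compile(r"define\(\s*'SECRET_KEY'\s*,\s*'([^']*)'\s*\);")

def current_secret_key(config: str):
    """Return the value in define('SECRET_KEY', ...), or None if the line is absent."""
    m = DEFINE_RE.search(config)
    return m.group(1) if m else None

def uses_placeholder(config: str) -> bool:
    """True when wp-config.php still carries the shipped placeholder (or no key at all)."""
    key = current_secret_key(config)
    return key is None or key == PLACEHOLDER

def set_secret_key(config: str, key: str) -> str:
    """Replace the SECRET_KEY value in the config text, leaving everything else untouched."""
    if "'" in key or "\\" in key:
        raise ValueError("key must not contain ' or \\ inside a single-quoted PHP string")
    new_config, count = DEFINE_RE.subn(f"define('SECRET_KEY', '{key}');", config)
    if count != 1:
        raise ValueError("expected exactly one define('SECRET_KEY', ...) line")
    return new_config

# Constructed sample of the relevant lines from a fresh WordPress 2.5 wp-config.php.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
"""
```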

ShaBlastBot Spider Considered Abusive

Tuesday, March 18th, 2008 9:23 am

While perusing my Apache logs, I ran across a lot of requests from a bot with the user-agent of “ShablastBot 1.0”, all from the IP address 67.228.100.141. A reverse lookup shows that 67.228.100.138, 67.228.100.139, 67.228.100.140 and 67.228.100.142 also resolve to shablast.com. One significant problem is that it doesn’t correctly parse feed: URLs, so I have dozens of bad requests for things like “HEAD /2008/02/feed:http:/www.example.com/feed”.

The other major problem is that it sent out many, many requests in a very short amount of time. Luckily, the server throttled the connections before any damage could be done. For now I’ve blocked both the ShaBlastBot user-agent and the known IP addresses of that agent from my server.

There isn’t any obvious way to contact anyone at ShaBlast about the problems, although I did leave a comment on the site’s blog.

MS Office Discussion Bar

Friday, March 14th, 2008 10:24 am

I’ve started watching my web server logs more closely, and found several requests for /_vti_bin/owssvr.dll and /MSOffice/cltreq.asp. Examples:

/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0
/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0

Apparently, these requests are caused by someone using IE with the Discussion Bar turned on. I wonder why IE isn’t smart enough to read the headers to see that I’m not running a Microsoft web server. Or maybe MS has fixed this with version 7 of their browser, since all of the requests I see are IE6.

WordPress TimeZone Handling is Ridiculous

Tuesday, March 11th, 2008 11:29 am

This is 2008. Why in the world does WordPress not know how to shift its internal clock when Daylight Saving Time starts or ends? If the server itself can do it, why can’t WordPress? Heck, my VCR can even automagically adjust by an hour twice a year.

I was going to write a plugin to do this, but Kimmo Suominen has already done it. In February 2005! Matt Mullenweg or someone at Automattic, send Kimmo a check for a few hundred bucks and incorporate his code into the core WP system for 2.5.

The plugin is available at Time Zone plugin for WordPress.

To Fight or Not To Fight a CyberSquatter

Tuesday, February 26th, 2008 5:33 pm

I recently discovered that one of my active web sites’ domain names has attracted the attention of a cybersquatter. I emailed the address on the page, which bounced. So I poked around a bit and found another email address. I emailed that address and got a polite note back. I asked if I could purchase the domain name for $75, which should cover their registration expenses for the 4 years they’ve had it. I got back a note telling me that only serious inquiries would be entertained. Their page now has the same keywords and text that is found on my site.

I think I can very easily show that the other domain has been registered in bad faith. He’s trying to make some money off of my hard work. And he’s causing confusion in the marketplace, if people accidentally go to his domain name instead of mine.

Under ICANN’s rules for Domain Name Dispute Resolution, I think I would win the domain if I filed a formal complaint. The catch is that it would cost me $1,300 or $1,500, depending on which organization I file the complaint with: the National Arbitration Forum (NAF) or the World Intellectual Property Organization (WIPO).

I’d love to get some advice on how to proceed. My options are:

  1. I could offer the cybersquatter (who has lost several of these cases, so he’s familiar with the process) a little more money, but that really galls me.
  2. I could file a complaint, and be out at least $1,300. But I think I would prevail.
  3. Or I could rebrand my site under a new domain name.

If anyone has any experience with this process, I’d love to get your feedback.

Here are a couple of good resources:

New System to Fight WordPress Comment Spam

Saturday, February 23rd, 2008 5:07 pm

I’ve started using a new system to fight comment spam. If you see any problems when trying to submit comments on the site, please let me know. Email of course, since you won’t be able to send a comment if you find a bug. mclark at planetmike.com. Thanks.

Evolving PlanetMike.com: Chapter 5 - New Name

Thursday, February 7th, 2008 4:30 pm

Currently most, and soon all, of the content at PlanetMike.com is related to technology and web design. So I took this opportunity to rename the site from “Michael Boyd Clark Journal/Blog” to “PlanetMike’s Technology Journal.” I am now adding new Google Alerts to monitor for the new name appearing in splogs (already found two!). I also tweaked the settings in my RSS footer plugin.

Ticket Sales Advertising

Thursday, February 7th, 2008 3:01 pm

Since the Google PageRank storm last October, I have changed how I place ads on my sites. On some of my sites, like here on PlanetMike.com, I don’t have advertising at all. Others, like ChristmasMusic247.com, do have advertising. But all ads on my sites now have the overly broad nofollow tag on them. In the past 6 months, three different ticket brokers have contacted me about adding ads to my site. And all of them backed away because they aren’t interested in sites that have the nofollow tag on ads. So if a search engine wants to prune out bad actors in the online ad space, all they need to do is look at sites that are linking to the large ticket brokers. It’s also obvious that the ticket brokers aren’t really interested in supporting small web sites, or in building their customer base from niche web sites. They want to game the search engines with the text in the links in the ads they would run. And that’s exactly what Google is trying to fight.

Copyright © 1997-2008 Michael Boyd Clark
PlanetMike’s Technology Journal is proudly powered by WordPress
Entries (RSS) and Comments (RSS).