Oops, I gots me a comment spammer…
Due to a leak in my defences a spammer was able to plug a spam comment on my netlabel site. Nothing serious: as each new comment by a stranger requires moderation, the spam will not see the light of day anyway. I had already been wondering why it took so long; maybe my choice of troublesome hosting companies for the firewall was quite effective. Of course you can do little about hand-crafted spam or bots harboured by smaller hosting companies. Let us not forget that firewalling has to be done carefully in order not to lock out valuable bots or legitimate corporate visitors. But in this case, to get back to the comment spammer, the hosting company was safe fodder for the filters:
At first there was a request for a particular article by a bot with a blank referrer from 65.23.153.40:
ARIN lists this as the following:
OrgName: Datarealm Internet Services, Inc.
OrgID: DIS-91
Address: PO Box 1616
City: Hudson
StateProv: WI
PostalCode: 54016
Country: US
NetRange: 65.23.128.0 - 65.23.159.255
CIDR: 65.23.128.0/19
NetName: SERVE-BLK-1
NetHandle: NET-65-23-128-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SERVE.COM
NameServer: NS2.SERVE.COM
Comment:
RegDate: 2003-03-14
Updated: 2004-07-29
The netname is a sure sign of a hosting company, and that means the entire AS will wind up in my filter rules except for port 25. Why? There is no reason for a server to visit my pages; however, the server may well be used for sending legitimate email. So unless I come across a spam hydrant, I prefer to leave that communication channel open. Anyway, after this initial data fetch, just five seconds later, someone from the home cable address 24.40.134.7 and using the same blank user agent tried to post his spam comment to my blog. This cable block belongs to:
CustName: EARTHLINK, INC
Address: 1375 PEACHTREE STREET, LEVEL A
City: ATLANTA
StateProv: GA
PostalCode: 30309
Country: US
RegDate: 2005-10-10
Updated: 2005-10-10
NetRange: 24.40.128.0 - 24.40.143.255
CIDR: 24.40.128.0/20
NetName: ERLK-TW-RALEIGH12
NetHandle: NET-24-40-128-0-2
Parent: NET-24-40-128-0-1
NetType: Reassigned
Comment:
RegDate: 2005-10-10
Updated: 2005-10-10
That’s a rather small segment with 4096 addresses, so it is safe to assume that customers in Atlanta/Georgia are served from this pool. Clear evidence? Not so fast… If I search Google for the IP address 24.40.134.7 combined with the term “proxy”, several sites are returned that list this address as an open SOCKS proxy listening on non-standard ports, for a couple of months(!) already. Usually SOCKS proxies on kinky ports are utilised for botnet spamming, so the odds are quite high that this is a compromised Windows machine. This is also supported by the spam itself, which pointed to Eastern European resources. Perhaps it was still the server which first collects the data and then uses a proxy shield for planting the spam only, so the activity will not violate the hosting company’s Terms of Service.
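As an added illustration (not code from the original post), the same correlation applied to an access log in Python: a GET with a blank referrer from a known hosting netblock, followed within a few seconds by a comment POST from a different address with the same user agent and no referrer, plus the iptables lines for the "everything but port 25" policy described above. The log lines and the comment endpoint path are constructed; only the two IPs and the 65.23.128.0/19 block come from the post.

```python
import ipaddress
import re
from datetime import datetime

# Netblock from the ARIN record in the post; the list grows with each incident.
HOSTING_BLOCKS = [ipaddress.ip_network("65.23.128.0/19")]
COMMENT_PATH = "/blog/comment"  # assumed comment-posting endpoint (not from the post)

# Apache "combined" log format: ip ident user [ts] "req" status bytes "referrer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d+ \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample log: the relay pair from the post, then an ordinary visitor.
SAMPLE_LOG = """\
65.23.153.40 - - [14/Mar/2006:10:15:02 +0100] "GET /blog/article-17 HTTP/1.0" 200 5123 "-" "-"
24.40.134.7 - - [14/Mar/2006:10:15:07 +0100] "POST /blog/comment HTTP/1.0" 302 0 "-" "-"
198.51.100.7 - - [14/Mar/2006:10:20:00 +0100] "GET /blog/article-17 HTTP/1.1" 200 5123 "http://example.org/" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2006:10:22:30 +0100] "POST /blog/comment HTTP/1.1" 302 0 "http://example.org/blog/article-17" "Mozilla/5.0"
"""

def parse(log_text):
    # Yield one dict per line that matches the combined log format.
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            d["ip"] = ipaddress.ip_address(d["ip"])
            yield d

def find_relay_pattern(log_text, window=10):
    """Return (fetch_ip, post_ip, seconds) for each hosting-block GET with blank
    referrer followed within `window` seconds by a no-referrer comment POST from
    a different IP using the same user agent."""
    entries = list(parse(log_text))
    hits = []
    for post in entries:
        if post["method"] != "POST" or post["path"] != COMMENT_PATH or post["ref"] != "-":
            continue
        for fetch in entries:
            delta = (post["ts"] - fetch["ts"]).total_seconds()
            if (fetch["method"] == "GET" and fetch["ref"] == "-"
                    and fetch["ua"] == post["ua"] and fetch["ip"] != post["ip"]
                    and 0 <= delta <= window
                    and any(fetch["ip"] in net for net in HOSTING_BLOCKS)):
                hits.append((str(fetch["ip"]), str(post["ip"]), delta))
    return hits

def firewall_rules(net):
    # iptables lines for the post's policy: drop the netblock except inbound SMTP.
    return [f"iptables -A INPUT -s {net} -p tcp --dport 25 -j ACCEPT",
            f"iptables -A INPUT -s {net} -j DROP"]
```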