Could Spam Bots be from

My server was running sluggishly, so I took a peek at what was causing memory to be overutilized. MySQL and Apache were consuming 90% of the resources. Are we under attack? It looks like heavy spam blog activity to me.

A look at the /var/logs/httpd access_log reveals a few of the hundreds of similar entries from the same IP address:
======================================================
– – [16/Dec/2007:09:32:57 +0800] “GET /index.php?_m=core&_a=addcomment&do=captcha&randomhash= 0a774101eaf512406 4d8ab0e018e5be6&sessionid= HTTP/1.0” 200 1793 “http://support.*****.ph/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=79&nav=0,5,7” “Mozilla/5.0 (compatible; heritrix/1.12.1 + []”

– – [16/Dec/2007:09:33:46 +0800] “GET /index.php?_m=core&_a=addcomment&do=captcha&randomhash= bbe257ee59e243ae7 04ba4b54bcd0156&sessionid= HTTP/1.0” 200 1666 “http://support.*****.ph/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=541&nav=0,5,7” “Mozilla/5.0 (compatible; heritrix/1.12.1 + []”

– – [16/Dec/2007:09:35:56 +0800] “GET /index.php?_m=core&_a=addcomment&do=captcha&randomhash= 354fcf9d0d52fb33cd 186daf97149bdc&sessionid= HTTP/1.0” 200 1834 “http://support.******.ph/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=397&nav=0,5,7” “Mozilla/5.0 (compatible; heritrix/1.12.1 + []”


Research shows that the IP address was registered to:

OrgName:, Inc.
Address: Amazon Development Centre South Africa
Address: 1200 12th Avenue South
City: Seattle
StateProv: WA
PostalCode: 98144
Country: US

NetRange: –
NetName: AMAZON-EC2-3
NetHandle: NET-67-202-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Assignment
RegDate: 2007-08-02
Updated: 2007-08-02

OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-2187
OrgTechEmail: *******


Is this a good bot? Or a bad bot? Or a human being? (Notice we already have captchas):

A look at the ‘trail’ => reveals:

Page-store can provide selected page feeds based on deep web crawls
page metadata
black-box filters
anchor text results

link information
Please contact us at
(650) 369-5490 pacific

Here is a sample posting on our site:



Which leads me to ask security professionals out there the following questions:

1. Are these related? I don't see the actual ‘post’ that contains the spam blog to correlate the IP to the spam comments.
2. If the above suspicion is correct, why would a big company like be doing such obnoxious activities?
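
One way to check question 1 against the access log, as an added example that is not part of the original post: for each client, count how often it only fetched the captcha image versus how often it actually submitted a comment. The sample log lines, IP addresses and host name are constructed, and treating a POST to a URL containing `_a=addcomment` as a comment submission is an assumption about this help-desk application.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, placeholder host name).
SAMPLE_LOG = """
192.0.2.10 - - [16/Dec/2007:09:32:57 +0800] "GET /index.php?_m=core&_a=addcomment&do=captcha&randomhash=aaaa&sessionid= HTTP/1.0" 200 1793 "http://support.example.test/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=79" "Mozilla/5.0 (compatible; heritrix/1.12.1)"
192.0.2.10 - - [16/Dec/2007:09:33:46 +0800] "GET /index.php?_m=core&_a=addcomment&do=captcha&randomhash=bbbb&sessionid= HTTP/1.0" 200 1666 "http://support.example.test/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=541" "Mozilla/5.0 (compatible; heritrix/1.12.1)"
192.0.2.10 - - [16/Dec/2007:09:35:56 +0800] "GET /index.php?_m=core&_a=addcomment&do=captcha&randomhash=cccc&sessionid= HTTP/1.0" 200 1834 "http://support.example.test/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=397" "Mozilla/5.0 (compatible; heritrix/1.12.1)"
198.51.100.7 - - [16/Dec/2007:09:40:00 +0800] "GET /index.php?_m=core&_a=addcomment&do=captcha&randomhash=dddd&sessionid= HTTP/1.1" 200 1700 "http://support.example.test/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=79" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [16/Dec/2007:09:40:02 +0800] "POST /index.php?_m=core&_a=addcomment HTTP/1.1" 200 512 "http://support.example.test/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=79" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

def summarize(log_text):
    """Per client IP: captcha image fetches, comment POSTs and user agents seen."""
    stats = defaultdict(lambda: {"captcha_get": 0, "comment_post": 0, "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "_a=addcomment" not in m["url"]:
            continue  # unparseable line or unrelated request
        entry = stats[m["ip"]]
        entry["agents"].add(m["ua"])
        if m["method"] == "GET" and "do=captcha" in m["url"]:
            entry["captcha_get"] += 1
        elif m["method"] == "POST":  # assumption: comments are submitted by POST
            entry["comment_post"] += 1
    return dict(stats)

def classify(entry):
    """A client that never POSTs cannot be the source of stored comments."""
    if entry["comment_post"] > 0:
        return "submits comments"
    return "fetches captcha only"

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, classify(entry), entry["captcha_get"], entry["comment_post"],
              sorted(entry["agents"]))
```

Run against the real access_log, a client that shows only captcha GETs with an article page as referer is loading the captcha image linked from each article, which costs a PHP and MySQL hit per request but leaves no comment behind.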