Could Spam Bots be from Amazon.com???

Posted on December 16th, 2007 by wilson

My server was running sluggishly so i took a peek at what was causing memory to be over utilized. MYSQL and Apache were consuming 90% of the resources. Are we under attack? It looks like heavy spam blog activity to me.

A look at the /var/logs/httpd access_log reveals a few of the hundreds of similar entries from the same IP address:
======================================================

67.202.28.3 – – [16/Dec/2007:09:32:57 +0800] “GET /index.php?_m=core&_a=addcomment&do=captcha&randomhash= 0a774101eaf512406 4d8ab0e018e5be6&sessionid= HTTP/1.0” 200 1793 “http://support.*****.ph/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=79&nav=0,5,7” “Mozilla/5.0 (compatible; heritrix/1.12.1 +http://www.page-store.com) [email:paul@page-store.com]”

67.202.28.3 – – [16/Dec/2007:09:33:46 +0800] “GET /index.php?_m=core&_a=addcomment&do=captcha&randomhash= bbe257ee59e243ae7 04ba4b54bcd0156&sessionid= HTTP/1.0” 200 1666 “http://support.*****.ph/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=541&nav=0,5,7” “Mozilla/5.0 (compatible; heritrix/1.12.1 +http://www.page-store.com) [email:paul@page-store.com]”

67.202.28.3 – – [16/Dec/2007:09:35:56 +0800] “GET /index.php?_m=core&_a=addcomment&do=captcha&randomhash= 354fcf9d0d52fb33cd 186daf97149bdc&sessionid= HTTP/1.0” 200 1834 “http://support.******.ph/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=397&nav=0,5,7” “Mozilla/5.0 (compatible; heritrix/1.12.1 +http://www.page-store.com) [email:paul@page-store.com]”

======================================================

Research shows that the IP address 67.202.28.3 was registered to:

OrgName: Amazon.com, Inc.
OrgID: AMAZO-4
Address: Amazon Development Centre South Africa
Address: 1200 12th Avenue South
City: Seattle
StateProv: WA
PostalCode: 98144
Country: US

NetRange: 67.202.0.0 – 67.202.63.255
CIDR: 67.202.0.0/18
NetName: AMAZON-EC2-3
NetHandle: NET-67-202-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Assignment
NameServer: PDNS1.ULTRADNS.NET
NameServer: PDNS2.ULTRADNS.NET
NameServer: PDNS3.ULTRADNS.ORG
Comment: http://www.amazonaws.com/
RegDate: 2007-08-02
Updated: 2007-08-02

OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-2187
OrgTechEmail: *******@amazon.com

======================================================

Is this a good bot? or a bad bot? or a human being? (NOtice we already have captchas):

A look at the ‘trail’ => page-store.com reveals:

Page-store can provide selected page feeds based on deep web crawls
page metadata
black-box filters
anchor text results

link information
Please contact us at

sales@page-store.com
(650) 369-5490 pacific

Here is a sample posting on our site:

hgdg http://groups.google.com/***************webcam

======================================================

Which leads me to ask security professionals out the followoing questions :

1. Are these related? I dont see the actual ‘post’ that contains the spam blog to correlate the IP to the spam comments.
2. If the above suspicion is correct, why would a big company like Amazon.com be doing such obnoxious activies?

Filed under: Computing, Security

« »