Tom pointed me in the direction of a post on PhotoMatt’s blog about strange spam, involving url=http://yahoo.com.

On Monday, 4th of April, I got 7 spam comments (3 posted at 14:03, and another 4 posted at 14:06), each with the URL=http://yahoo.com. At first I thought they were just muppets posting random rubbish.

The original post was about the Pope, and to be honest, the poster was some kinda crazy, as their “e-mail address” was mailto=celtic_babe_2004_newlodgeroad. New Lodge Road is a Catholic area in Belfast. I thought originally it was some attempt at sectarian/religious graffiti. Meh, dunno why….whatever.

Then I was talking to Tom again about it, and we came to the conclusion it looked more like someone testing some new blog comment spam-bot. In fact that’s what a number of comments on Matt’s blog seem to be suggesting.
Again, that would have been more believable, except for the HTTP referral data.

After grepping around the Apache logs, I found the source IP information. The IP first arrived in February on the 18th, and this is the entry in the logs:

217.33.82.4 - - [18/Feb/2005:15:12:49 +0000] "GET / HTTP/1.0" 200 416 "http://www.google.co.uk/search?q=Sanfermin&hl=en&lr=&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

So, it looks like “they” actually searched for a string in Google, and got referred to my site. That’s fine, runningwithbulls.com always shows up in searches for sanfermin.
So the muppets arrived via Google. And their UserAgent looks pretty real also. I am not too sure about the last section of the UA, “.NET CLR 1.1.4322”, but it seems to be a real browser UA, 1.1.4322 being the .NET version and CLR meaning Common Language Runtime.

The next time it arrived (different date) was the 4th of April @ 13:59, Monday. That entry was:

217.33.82.4 - - [04/Apr/2005:14:59:12 +0100] "GET /blog?p=47 HTTP/1.0" 301 327 "http://uk.search.yahoo.com/search?p=pope+john+paul+the+2nd.com&ei=UTF-8&fr=fp-tab-web-t-1&fl=0&vc=&x=wrt&meta=vc%3D" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

So, they have searched for “pope john paul the 2nd.com”, this time via yahoo.com. This time no mention of .NET. So…..same machine? Web proxy? Different machine? Hmm….

So they then get:

217.33.82.4 - - [04/Apr/2005:15:06:01 +0100] "POST /blog/wp-comments-post.php HTTP/1.0" 302 0 "http://www.runningwithbulls.com/blog/?p=47" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

They have started posting to the blog. And they left their second funny message.

Finally today, they arrive back, again with a search for “The life of Pope John Paul 2nd”:

217.33.82.4 - - [05/Apr/2005:14:21:25 +0100] "GET /blog?p=47 HTTP/1.0" 301 327 "http://sea.search.msn.co.uk/spresults.aspx?q=++++++++The+life+of+Pope+John+Paul+2nd&FORM=IE4" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"

So, nothing is posted today…hmm.
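The manual grep above can be repeated for any client IP. The following is an added example, not part of the original post: it parses the four log entries quoted above and reports the search phrases that led the client in, the distinct user agents seen from the IP, and how long after its previous page fetch each comment POST arrived. The function names and the ENGINES table are assumptions made for this example.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# The four log entries quoted in the post (wrapped lines rejoined, straight quotes).
LOG = '''\
217.33.82.4 - - [18/Feb/2005:15:12:49 +0000] "GET / HTTP/1.0" 200 416 "http://www.google.co.uk/search?q=Sanfermin&hl=en&lr=&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
217.33.82.4 - - [04/Apr/2005:14:59:12 +0100] "GET /blog?p=47 HTTP/1.0" 301 327 "http://uk.search.yahoo.com/search?p=pope+john+paul+the+2nd.com&ei=UTF-8&fr=fp-tab-web-t-1&fl=0&vc=&x=wrt&meta=vc%3D" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
217.33.82.4 - - [04/Apr/2005:15:06:01 +0100] "POST /blog/wp-comments-post.php HTTP/1.0" 302 0 "http://www.runningwithbulls.com/blog/?p=47" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
217.33.82.4 - - [05/Apr/2005:14:21:25 +0100] "GET /blog?p=47 HTTP/1.0" 301 327 "http://sea.search.msn.co.uk/spresults.aspx?q=++++++++The+life+of+Pope+John+Paul+2nd&FORM=IE4" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
'''

# Apache "combined" log format.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
# Host fragment -> query parameter holding the search phrase (only the engines seen in the post).
ENGINES = {"google.": "q", "search.yahoo.": "p", "search.msn.": "q"}

def search_terms(referrer):
    """Return the phrase from a search-engine referrer, or None for any other referrer."""
    url = urlsplit(referrer)
    for fragment, param in ENGINES.items():
        if fragment in (url.hostname or ""):
            values = parse_qs(url.query).get(param)
            return " ".join(values[0].split()) if values else None
    return None

def profile(log_text, ip):
    """Summarise one client: search terms, distinct user agents, and the delay in
    seconds between each comment POST and that client's previous GET."""
    searches, agents, post_delays, last_get = [], set(), [], None
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        if m["ip"] != ip:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        agents.add(m["ua"])
        if (terms := search_terms(m["ref"])):
            searches.append((when.date().isoformat(), terms))
        if m["method"] == "GET":
            last_get = when
        elif m["method"] == "POST" and m["path"].endswith("/wp-comments-post.php"):
            # None means no earlier GET from this client appears in the log.
            post_delays.append((when - last_get).total_seconds() if last_get else None)
    return {"searches": searches, "agents": sorted(agents), "post_delays": post_delays}

if __name__ == "__main__":
    for key, value in profile(LOG, "217.33.82.4").items():
        print(key, value)
```

Run against a full access log by passing its text as log_text; several user agents from one IP only shows that more than one browser identity sat behind that address.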

So the outcome of it all, unless it’s a really smart, and intelligent SPAM-BOT, I think it’s more likely just a bunch of trolls.

I’ll post a comment to Matt’s blog and see if he can see similar patterns in his logfiles.

So, is it automated spam or is it someone having a laugh? Dunno, and I don’t really mind, because they aren’t really wasting any of my time. They are, in fact, giving me something to learn about….

Anyway, back to my book….;)

