Tuesday, June 27, 2006

First Look - Pussycat from India

No clue what this critter is up to as it only attempted 2 page requests and went away.

202.65.156.23 "PussyCat 1.0, Murzillo compatible"

Anyone else spotted this "Murzillo" compatible cat?

Update -

Definitely a spammer as it's trying to hit my submit page but the idiot is using a GET instead of a POST so it would always be rejected, not to mention I don't allow his user agent to get onto the site in the first place.

This slimeball tried to hit again from a new location and this time I noticed it's coming via a proxy server:

200.36.112.92 "PussyCat 1.0, Murzillo compatible"
Forwarded IP -> 85.255.117.218

So I looked up the original hit and it was also via proxy server:

202.65.156.23 "PussyCat 1.0, Murzillo compatible"
Forwarded IP -> 69.50.175.91

Looks like the spammer is trying to cover his tracks routing thru various proxy servers but he's stupid and keeps using the same user agent which is so easily blocked.

Nobody claimed spammers were smart and this one just proves it.
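
An added example (not the blog author's code): a small log scan showing why a constant user-agent string defeats the proxy rotation described above, by grouping hits on the agent rather than the source address. It assumes Apache combined log format; the sample lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# User-agent string quoted in the post; matched case-insensitively as a substring.
BAD_AGENT = "pussycat 1.0, murzillo compatible"

def summarize(lines, bad_agent=BAD_AGENT):
    """Return (per-IP requests by the flagged agent, POST targets -> IPs, unparsed count)."""
    hits = defaultdict(list)
    post_targets = defaultdict(set)
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1          # malformed or truncated line: count it, don't crash
            continue
        if bad_agent not in m["agent"].lower():
            continue
        hits[m["ip"]].append((m["method"], m["path"], int(m["status"])))
        if m["method"] == "POST":  # form submissions are what the spammer is after
            post_targets[m["path"]].add(m["ip"])
    return dict(hits), {p: sorted(ips) for p, ips in post_targets.items()}, unparsed

# Constructed sample log (documentation-range addresses, hypothetical paths).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jun/2006:16:49:43 -0400] "GET /contact.html HTTP/1.1" 200 7322 "" "PussyCat 1.0, Murzillo compatible"
192.0.2.10 - - [29/Jun/2006:16:50:04 -0400] "POST /cgi-bin/form.pl HTTP/1.1" 302 5 "http://example.org/contact.html" "PussyCat 1.0, Murzillo compatible"
198.51.100.7 - - [29/Jun/2006:16:50:06 -0400] "POST /cgi-bin/form.pl HTTP/1.1" 302 5 "http://example.org/contact.html" "PussyCat 1.0, Murzillo compatible"
203.0.113.5 - - [29/Jun/2006:16:51:00 -0400] "GET /index.html HTTP/1.1" 200 1200 "" "Mozilla/5.0 (X11; Linux)"
this line is truncated
""".splitlines()

if __name__ == "__main__":
    hits, posts, unparsed = summarize(SAMPLE_LOG)
    for ip, reqs in hits.items():
        print(ip, reqs)
    print("POST targets:", posts, "| unparsed lines:", unparsed)
```

A 200 or 302 status on a flagged POST means the form handler accepted the submission, so the user-agent block has to sit in front of the CGI script, not only the pages that link to it.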

8 comments:

Anonymous said...

I received a call from this one today:

62.87.211.2 [29/Jun/2006:17:17:54 -0700] "GET /davidbu/micro_solar/bar_light.html HTTP/1.0" 200 16396 "PussyCat 1.0, Murzillo compatible"
62.87.211.2 [29/Jun/2006:17:18:01 -0700] "POST /cgi-bin/mailers/davidbu HTTP/1.0" 200 104 "PussyCat 1.0, Murzillo compatible"

Note the second access - it posted! The mail it sent had a username, and was just a bunch of HTML Hotlinks. I think this may be a roboposter trying to spam me through form inputs.

Anonymous said...

Try a traceroute on this one too:

203.160.1.37 - - [26/Jun/2006:19:33:13 -0700] "GET /davidbu/micro_solar/bar_light.html HTTP/1.1" 200 16396
203.160.1.37 - - [26/Jun/2006:19:33:16 -0700] "GET /davidbu/micro_solar/bar_light.html HTTP/1.1" 304 -
203.160.1.37 - - [26/Jun/2006:19:33:20 -0700] "POST /cgi-bin/mailers/davidbu HTTP/1.1" 200 116

Intentional? Or ignorance?

Amy said...

I also got two spams:

203.160.1.48 - - [29/Jun/2006:16:49:43 -0400] "GET /about/contact.shtml HTTP/1.1" 200 7322 "" "PussyCat 1.0, Murzillo compatible"
203.160.1.48 - - [29/Jun/2006:16:49:46 -0400] "GET /about/contact.shtml HTTP/1.1" 200 7322 "" "PussyCat 1.0, Murzillo compatible"
203.160.1.48 - - [29/Jun/2006:16:50:04 -0400] "POST /cgi-bin/procform.pl HTTP/1.1" 302 5 "http://www.jtsa.edu/about/contact.shtml" "PussyCat 1.0, Murzillo compatible"
165.228.133.11 - - [29/Jun/2006:16:50:06 -0400] "POST /cgi-bin/procform.pl HTTP/1.1" 302 5 "http://www.jtsa.edu/about/contact.shtml" "PussyCat 1.0, Murzillo compatible"
165.228.133.11 - - [29/Jun/2006:16:50:08 -0400] "GET /about/confirm.shtml HTTP/1.1" 200 5067 "http://www.jtsa.edu/about/contact.shtml" "PussyCat 1.0, Murzillo compatible"

Any ideas on how to stop these things?

Anonymous said...

A bad robot hit /bot-trap/ 2006-07-04 (Tue) 19:01:03
address is 85.255.117.218, agent is PussyCat 1.0, Murzillo compatible

and it times in with 27! contact for posts

Anonymous said...

Yeah, I got the usual porn & pills spam from it on a contact form, came in via multiple IP addresses, all look like open proxies:

Pussy Cat - meet Mr Firewall.

Anonymous said...

It also hit me...

A bad robot hit /bad-bot/ 2006-07-10 (Mon) 20:25:28
address is 85.255.117.222, agent is PussyCat 1.0, Murzillo compatible

Anonymous said...

Don't give the cat ideas:

"not to mention I don't allow his user agent to get onto the site in the first place."

Anonymous said...

On your list of IPs used by this "signature" add this one:
85.255.117.222... Apparently it comes from Ukraine! It ain't no surprise...