Not the sharpest knife in the drawer...

RJM62
I got an email from a Web client of mine. He had received a hundred emails with death threats through the contact form on his site, and I had to try to track down who they came from.

After poring through the raw server logs for a while, I found the record. The individual had used some mail flood application for MacOS and just had it send the same message a hundred times. (Reminder to myself: Add that User Agent to the banned list in the .htaccess file and find out why the mail flood protection didn't kick in.)

The IP was a dynamic IP belonging to Charter, so I sent the messages and that portion of the logs to abuse @ Charter and to my client in case he wanted to go to the cops with it. But then I looked at the logs again and found that the individual had arrived on the site by doing a Google search for his own name, which led to an old customer testimonial about him on my client's site.

As it happens, it turns out he was a disgruntled ex-employee with an ax to grind. I guess he didn't know that the server logs reveal not only which site referred a visitor, but also what search terms were used if the referrer was a search engine. Long story short, not only his IP, but also his name are in the server log.

I doubt anything will come of it. My client's kind of a laid back sort of guy, and the ex-employee probably just got home drunk from a bar when he decided to do it (it happened around midnight last night). I don't know if Charter will do anything, either. Still, were it not for the threatening nature of the messages, it would have been mildly amusing that he left a trail to himself in the server logs.

Rich
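The kind of log review described in the post above, as an added example that is not part of the original thread: parse Apache/nginx "combined" format access-log lines, flag any client IP that POSTs to the contact form in a burst faster than a person could reload, and pull the search terms out of a search-engine Referer so the visitor's own query is visible. The log lines are constructed for this example; the IPs, host names and paths are placeholders, and only the Safari User-Agent string is taken from the thread.

```python
"""Added example: burst detection and referrer search-term extraction over
combined-format access logs. Sample log lines below are constructed."""

import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Combined Log Format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Query-string keys that common search engines use for the search phrase.
SEARCH_QUERY_KEYS = ("q", "p", "query", "text")

# Constructed sample log. The Safari UA is the one quoted in the thread.
SAFARI_UA = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/523.12 "
             "(KHTML, like Gecko) Version/3.0.4 Safari/523.12")
OTHER_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US) Firefox/2.0"  # constructed

def _line(ip, t, method, path, referer, ua):
    return f'{ip} - - [{t} -0500] "{method} {path} HTTP/1.1" 200 512 "{referer}" "{ua}"'

SAMPLE_LOG = [
    # Visitor arrives from a search for a name (constructed placeholder query).
    _line("192.0.2.10", "15/Jun/2008:23:58:01", "GET", "/testimonials.html",
          "http://www.google.com/search?q=example+person+name", SAFARI_UA),
    _line("192.0.2.10", "15/Jun/2008:23:58:40", "GET", "/contact.php",
          "http://www.example.com/testimonials.html", SAFARI_UA),
] + [
    # Six POSTs inside three seconds: faster than a human reload cycle.
    _line("192.0.2.10", f"15/Jun/2008:23:59:{s:02d}", "POST", "/contact.php",
          "http://www.example.com/contact.php", SAFARI_UA)
    for s in (2, 2, 3, 3, 4, 4)
] + [
    # An unrelated, single submission from another client.
    _line("198.51.100.7", "15/Jun/2008:23:59:30", "POST", "/contact.php",
          "http://www.example.com/contact.php", OTHER_UA),
]

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec

def search_terms(referer):
    """Return the search phrase carried in a search-engine Referer URL, or None."""
    if not referer or referer == "-":
        return None
    qs = parse_qs(urlparse(referer).query)
    for key in SEARCH_QUERY_KEYS:
        if key in qs:
            return qs[key][0]          # parse_qs already decodes '+' to space
    return None

def find_bursts(lines, path, window_seconds=10, threshold=5):
    """Group POSTs to `path` by client IP; flag IPs with at least `threshold`
    submissions inside any `window_seconds` window. Returns ip -> summary."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            posts[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["time"])
        start, max_in_window = 0, 0
        for end in range(len(recs)):      # sliding window over sorted times
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        if max_in_window >= threshold:
            flagged[ip] = {
                "count": len(recs),
                "max_in_window": max_in_window,
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return flagged

def referrer_terms_for_ip(lines, ip):
    """Every distinct search phrase seen in Referers on requests from `ip`."""
    terms = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] == ip:
            t = search_terms(rec["referer"])
            if t:
                terms.add(t)
    return sorted(terms)

if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG, "/contact.php").items():
        print(ip, info["count"], "POSTs; search terms:", referrer_terms_for_ip(SAMPLE_LOG, ip))
```

The burst test keys on timing per IP rather than on the User-Agent, since the UA will look like an ordinary browser; the referrer lookup is what turns an IP into the visitor's own search query, as the post describes.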
I think I just puked from laughter.

So many people don't understand just how much information is saved when you visit a site, etc.

What was the spam user agent (so the rest of us know).

~ Christopher
 
I really don't know, Chris. I deduced that it was a bot because the timing was faster than a human could reload the page and re-send the mails (several times per second).

I figured I'd identify it from the logs and block it by its user agent string, but it may not be that easy. Apparently it's some plug-in for Safari, not a freestanding program.

The logs say:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/523.12 (KHTML, like Gecko) Version/3.0.4 Safari/523.12

Which looks like a normal Safari browser to me, unless I'm missing something. Any ideas?

Rich
 
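A server-side check of the kind the thread's "mail flood protection" should have provided, as an added example that is not code from the original thread or the site in question. Because the User-Agent turned out to be an ordinary browser string, blocking on it would not have stopped the flood; limiting how many submissions one client may make in a short window, and refusing an identical message repeated within the hour, does, whatever browser is used. The class and function names, the limits, and the client key (here the remote address) are assumptions for illustration.

```python
"""Added example: a sliding-window submission limiter plus duplicate-message
memory for a contact form. Names, limits and the replayed client are
assumptions constructed for this example."""

import hashlib
import time
from collections import Counter, defaultdict, deque

class FloodGuard:
    """Per-client sliding-window limit on form submissions, plus a short-lived
    memory of message digests so the same text sent over and over is refused
    even if it arrives from more than one address."""

    def __init__(self, max_per_window=3, window_seconds=600,
                 dup_window_seconds=3600, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.dup_window = dup_window_seconds
        self.clock = clock                      # injectable for testing
        self._by_client = defaultdict(deque)    # client key -> submit times
        self._recent_digests = {}               # sha256(body) -> last seen

    @staticmethod
    def _digest(body):
        # Normalise whitespace and case so re-spaced copies still match.
        norm = " ".join(body.split()).lower().encode("utf-8")
        return hashlib.sha256(norm).hexdigest()

    def check(self, client_key, body):
        """Return (allowed, reason). The attempt is recorded whether or not it
        is allowed, so refused attempts still count against the window."""
        now = self.clock()
        q = self._by_client[client_key]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        if len(q) > self.max_per_window:
            return False, "rate"
        d = self._digest(body)
        last = self._recent_digests.get(d)
        self._recent_digests[d] = now
        if last is not None and now - last <= self.dup_window:
            return False, "duplicate"
        return True, "ok"

def simulate_flood(n=10, client="192.0.2.10", gap_seconds=0.3):
    """Replay n identical submissions from one client `gap_seconds` apart
    (constructed scenario) and return a count of outcomes by reason."""
    now = [0.0]
    guard = FloodGuard(clock=lambda: now[0])
    outcomes = Counter()
    for _ in range(n):
        _, reason = guard.check(client, "Same message, sent repeatedly.")
        outcomes[reason] += 1
        now[0] += gap_seconds
    return dict(outcomes)

if __name__ == "__main__":
    print(simulate_flood())   # one accepted, the rest refused
```

Keying on the remote address is the usual compromise: a dynamic or shared address will occasionally throttle a second, innocent visitor, which is why the limit is a small count per ten minutes rather than a permanent ban, and why the duplicate check exists as a second, address-independent line.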
I'd still turn his name and all the data over to the police. These days, it's not our job to judge "pranks" from drunks or otherwise. Local shooting involved a disgruntled employee. It's no joke any more.
 
That was my recommendation to the client, but he shrugged it off. I'll try again tomorrow. He's located in another state, so I would have to file there, I guess. Although it was sent over the Internet, so maybe FBI...

Thanks,

Rich
 
> I really don't know, Chris. I deduced that it was a bot because the timing was faster than a human could reload the page and re-send the mails (several times per second).
>
> I figured I'd identify it from the logs and block it by its user agent string, but it may not be that easy. Apparently it's some plug-in for Safari, not a freestanding program.
>
> The logs say:
>
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/523.12 (KHTML, like Gecko) Version/3.0.4 Safari/523.12
>
> Which looks like a normal Safari browser to me, unless I'm missing something. Any ideas?

Rich,

I bet anything it's simply normal Safari. Looking at the User Agent you posted, that is the version of Safari that comes with Mac OS X 10.5 "Leopard."

How did they "reload" so fast? They didn't. They typed the message in the form, and then held the command key while clicking "Submit" repeatedly, which would open each results page into a new tab. He could send them as fast as he could click.
 
> Rich,
>
> I bet anything it's simply normal Safari. Looking at the User Agent you posted, that is the version of Safari that comes with Mac OS X 10.5 "Leopard."
>
> How did they "reload" so fast? They didn't. They typed the message in the form, and then held the command key while clicking "Submit" repeatedly, which would open each results page into a new tab. He could send them as fast as he could click.

Thanks. I rarely use Macs (nothing against them; I just like Linux better), so I didn't know that.

Incidentally, the client said he would turn over all the information to his local police, and Charter called me the other day to let me know they were "taking care of it." What that means, I don't know. I imagine they'll probably suspend his service until he promises not to do that any more.

Rich
 