Recent PM SPAM issue from arcadeengland

trm

Who loves you, and who do you love?
Feedback
2 (100%)
Credits
2,876CR
Hi. If any other member has received PM spam from arcadeengland could they please let me know?

Thanks
tim
Ravage 2011-07-24 12:31:48
 

Ravage

Administrator
Staff member
vacBacker
Feedback
2 (100%)
Credits
2,359CR
It is unfortunate that we need to inform our members that ukvac was the subject of a recent spamming attack. This is a bit different to a normal spam incident which is why we are posting this:
 

trm

Who loves you, and who do you love?
Feedback
2 (100%)
Credits
2,876CR
Very early Friday morning I received a helpful warning from a member reporting that they'd been spammed by Private Message. We always investigate spamming as we value the signal to noise ratio here, and we get the impression our members do too.

This is a long post, but please carry on reading it.

I was sent a copy of the offending PM and was rather surprised to see what it contained.

Code:
Subject: J+

Sent: Today at 12:40am

Sent by: arcadeengland

Group: Newbie

Also go register at J+ [NOTE: the full URL was in the PM but I see no reason to provide link traffic]

The UK's leading arcade forum

I found that quite a surprising PM for one of our members to receive. Normally it's dodgy DVDs or some 'man pills'.

I continued with the investigation as normal to see exactly what was going on and whether this was a one-off, or something different.

Looking at the arcadeengland account I could see it was new, registered on the 21st July and had not made any forum posts. This is typical of a lot of the spam accounts we spot and kill, but the message was unusual to say the least.

We have never stopped people linking to other sites, nor censoring posts which contain links as we run ukvac.com to help people get the best out of the hobby and trying to restrict where people can learn doesn't help anybody. If somebody wants to point our members to another site and doesn't have any ulterior motive then why wouldn't they just post in Arcade? My interest was piqued.

Because the arcadeengland account had zero posts and was looking a lot like a throwaway account I took the unprecedented step of resetting the password so I was able to log in as that user and see the PM inbox & sent items. To be clear: this is not something that I'm aware of ever happening before. We value your right to privacy as much as we value our own.




I found 25 PMs sent to various members.

The spam PM text seemed to be randomly selected from a pool of four, but after the first few spams the spammer must have gotten bored or lazy as they just sent the same message.

The spam bodies are copied below. I have once again mangled the URLs as leaving them intact would just help the spammer. All subject lines were J+ as above.

Code:
Try asking your question also at j+

J+ is the leading UK arcade forum.

-- -- --

Try also joining j+

J+ is the UK's leading arcade forum

-- -- --

Also sign up at j+

The UK's leading Arcade Forum

-- -- --

Also register at j+

The UK's leading arcade forum.

All of these spam PMs were sent between 12:14AM and 12:42AM Friday 22nd July. Looking at the recipients it's clear that arcadeengland simply sorted our memberlist by most recent join date and sent spam to each new member until the system blocked their sending limit.

Clearly a person or persons unknown was trying to tempt our recent members away. Why? It wasn't clear.

Once it became obvious that this wasn't just a one off spam and a degree of thought had gone into it, it was clear that this needed fully investigating and resolving so that we could stop people being PMd with stuff they'd not asked for nor may have had any interest in. Plus it struck me as very rude.

So I dug into the web server logs to see what I could find, and I was pretty upset by what I found for reasons which will become obvious.

The spams were all sent from the same user, on the same PC, from the same IP of 82.38.213.58. The web logs proved that it was the same PC as the User-Agent string is rather unique and was consistent for all PM submissions:

Code:
2011-07-21 23:13:05 GET /forum/quick_search.asp FID=0 - 82.38.213.58 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.0)+AppleWebKit/534.30+KHTML,+like+Gecko)+Chrome/12.0.742.122+Safari/534.30 http://www.ukvac.com/forum/pm_new_message_form.asp?name=<deleted for privacy> 200 1896

This sequence of events was repeated 24 more times and the target names matched exactly the list of most recently registered members.

So I did a reverse lookup on the IP 82.38.213.58 and found:

Code:
Name:    cpc1-wake1-0-0-cust1337.barn.cable.virginmedia.com
Address:  82.38.213.58

This indicates that the spammer was in the Barnsley Virgin Media area and was connected to the Wakefield concentrator.

Having this IP I then searched the logs to see whether it had been used in the past. I found that it had been logged from way back in 2010 and on a regular basis since then. I was able to prove that it wasn't a case of somebody being reallocated the IP address as the User-Agent string for each connection was identical and rather unique. Clearly this IP has been in use by one person & PC for many months as is common with Virgin Media broadband.

Looking into the thousands of log hits for that IP I was able to track down other activity from that IP and was able to find a login event which provided a ukvac.com username.

The key log entry is:

Code:
2011-03-30 21:05:15 POST /forum/pm_new_message.asp - - 82.38.213.58 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+Trident/4.0;+GTB6.6;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+MDDC;+.NET+CLR+3.5.30729;+InfoPath.2;+.NET4.0C;+.NET+CLR+3.0.30729) http://www.ukvac.com/forum/pm_new_message_form.asp?code=reply&pm=2315 200 5998

This doesn't really mean a huge amount unless you've spent more time poking inside WebWiz than is healthy, so I'll break down the details.

First, the URL part:

Code:
2011-03-30 21:05:15 POST /forum/pm_new_message.asp

This shows that on the 30th March somebody from the spammer's IP successfully sent a PM. You must be logged in to send a PM, obviously.

The next part is the User-Agent string which defines the browser's capabilities and isn't hugely relevant here, other than to show that it's the same User-Agent string seen on older web activity as well as Friday's spamming.

The final part:

Code:
http://www.ukvac.com/forum/pm_new_message_form.asp?code=reply&pm=2315 200

This shows that a private message was sent successfully (the 200 on the end means 'success!') but the crucial information is the pm=2315 element. This indicates that the PM which was submitted was allocated PM number 2315 within the system.

I then queried the backend database and found the sender and recipient of PM 2315. I did not read the PM - I just needed two fields known as the author_id and the from_id. These two values let you see who sent the PM and who received it. The sender ID was 73.

Because I knew that the spammer IP had been able to send this PM I knew that the spammer must have logged into the system, so I could look up the author_id and from_id and that would provide me with the username of the account used by that IP back in March.

Knowing who sent the PM on that date would lead me to find out who had created the throwaway arcadeengland.




Because the IP was consistent throughout the last 10 months I knew that even if somebody had registered 2, 10 or 100 accounts, as long as the web logs showed that IP then I was dealing with the same individual.

The user ID used to send the PM was 73. I was able to map this to a member account by looking at the Memberlist page and changing the PF=xx part of the URL to PF=73.

My member page is http://www.ukvac.com/forum/member_profile.asp?PF=531 so I changed the URL to read 73 instead of 531 and got this:

http://www.ukvac.com/forum/member_profile.asp?PF=73

So it turns out the spammer had previously been using the account belonging to dsyde, admin and owner of J+.


Of course, without actually being present and watching over the shoulder it's impossible to prove that Julian personally sent the messages, but unless he'd shared his password with somebody then it would be impossible for anybody to log in to his account, from that IP and make all the pre-spam activity.

The IP used by arcadeengland for the spams telling people to join J+ was the same as the one Julian/dsyde had been using for many months with his own ukvac.com account.

Normally with spamming we just kill the account and bin any posts and nobody notices, but given that the spam message was trying to encourage new members to use a different forum we felt it was appropriate to post this investigation so that recipients would know what was going on.

I realise that many people are aware of a degree of ill-feeling from a few J+ staff towards some of us here, so I can see how some people may be sceptical at all of this. As such, I'm more than happy to provide full logs of this activity to anybody who wants to see them. Anyone who has read a web server log will be able to reproduce this investigation for themselves. We've also preserved the spam inbox and sent items and there are 25 members on this forum who can vouch for the spam contents.
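
The log correlation described in the post above, as an added example that is not part of the original thread: it groups PM-form requests by client IP and User-Agent to flag a burst of recipients, then lists earlier successful PM submissions from the flagged IP. The field order is inferred from the quoted log lines, and the function names, threshold, host, addresses and member names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field order inferred from the log lines quoted in the post (an assumption).
FIELDS = "date time method uri_stem uri_query username c_ip version user_agent referer status bytes".split()
UA = "Mozilla/5.0+(Windows+NT+6.0)+Chrome/12.0"
FORM = "http://forum.example/forum/pm_new_message_form.asp"
GET = "GET /forum/quick_search.asp FID=0 -"
SAMPLE = [  # constructed lines: documentation IPs, placeholder host and names
    f"2020-01-02 21:05:15 POST /forum/pm_new_message.asp - - 203.0.113.7 HTTP/1.1 {UA} {FORM}?code=reply&pm=1001 200 5998",
    f"2020-03-05 00:14:05 {GET} 203.0.113.7 HTTP/1.1 {UA} {FORM}?name=member_a 200 1896",
    f"2020-03-05 00:20:10 {GET} 203.0.113.7 HTTP/1.1 {UA} {FORM}?name=member_b 200 1896",
    f"2020-03-05 00:31:40 {GET} 203.0.113.7 HTTP/1.1 {UA} {FORM}?name=member_c 200 1896",
    f"2020-03-05 00:20:00 {GET} 198.51.100.9 HTTP/1.1 {UA} {FORM}?name=member_z 200 1896",
    "2020-03-05 00:21:00 GET /forum/",  # truncated line, must be skipped
]

def parse(line):
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # wrapped or truncated line: skip rather than guess
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec

def find_bursts(lines, min_recipients=3, window=timedelta(minutes=30)):
    events = defaultdict(list)  # (ip, user-agent) -> [(time, recipient)]
    for rec in filter(None, map(parse, lines)):
        m = re.search(r"pm_new_message_form\.asp\?name=([^&\s]+)", rec["referer"])
        if m:
            events[(rec["c_ip"], rec["user_agent"])].append((rec["ts"], m.group(1)))
    flagged = []
    for (ip, ua), evs in events.items():
        for start, _ in sorted(evs):
            names = {n for t, n in evs if start <= t <= start + window}
            if len(names) >= min_recipients:  # many distinct recipients, one client
                flagged.append((ip, ua, len(names)))
                break
    return flagged

def prior_pm_posts(lines, ip):  # earlier successful PM submissions from this IP
    out = []
    for rec in filter(None, map(parse, lines)):
        if (rec["c_ip"] == ip and rec["method"] == "POST" and rec["status"] == "200"
                and rec["uri_stem"].endswith("/pm_new_message.asp")):
            m = re.search(r"[?&]pm=(\d+)", rec["referer"])
            out.append((rec["ts"].isoformat(), m.group(1) if m else None))
    return out
```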
 

andyman

always pull away from your face
Credits
1,059CR
New title for you, Inch High Private Eye, see what being on the dole does to you


Sad, sad, sad....................WTF goes on still, thought this was all finished. Again, all I want to do is collect 30 year old games and love them

No need for web logs, I've asked him straight, waiting for an answer


Andy.
andyman 2011-07-24 17:26:44
 

Purity

The Oracle
vacBacker
Feedback
17 (100%)
Credits
2,998CR
It's very disappointing to read this. Like Andy, I was hoping the previous "incident" was going to be the last.

We are one community interested in collecting arcade machines. There is no need for any wars, or stupid childish behaviour

Purity 2011-07-24 17:07:16
 

virtvic

The Cabaret King
Feedback
21 (96%)
Credits
1,964CR
FFS. People can be on more than one forum, so what was the reasoning for this? I can understand spam for monetary purposes, but this is ridiculous.
 

system11

Active member
Feedback
9 (100%)
Credits
344CR
How pitiful. If it was say, a privately sent link to an answer to a question someone asked, that would be one thing, but mass advertising? Sigh.
bloodflowers 2011-07-24 17:51:59
 

dannyboy

Hard Driver
Credits
22CR
The irony is that, as far as I can tell, J+ gets more traffic on a typical day anyway, in terms of numbers of posts. So quite why they need to resort to these kind of tactics is hard to fathom...
 

stevearcade

The Trevor Horn of UKVAC
Feedback
1 (100%)
Credits
194CR
It's all f**king pathetic. All of it! The fact that people collecting smelly old wooden boxes with some faulty PCBs in them carry on as if they were the Israelis and the Palestinians or some sh*t. Seriously!

I first joined J+ just over a year ago, about the time some sh*t (I don't know the details of) kicked off and some guys were booted off that forum. I figured they were big players, as a lot of people were sad to see them go. I almost thought, forget all this, these guys are a bit too sad for my liking. But I persevered, and I'm glad as I've made some good mates, done ok on the cab front and stuff, but things between the two forums just keep happening, and it's really sad.

I've also joined this place obviously, and like it here too. I've had useful info, tried to help where possible, and received lots of help, as well as drooled over people's collections and been inspired by some innovative things people have done with their cabs/collections. Which I figure is what the point of forums about hobbies should be about.

I don't know what started it all, or what any of it's really about but as far as I can see, there's bad sh*t and ill feeling from both sides and those few involved should all just grow the f**k up. Or at least get some pussy to help chill the f**k out and realise collecting arcade machines is not all there is to life. This kind of sh*t really puts me off the whole forum thing entirely. Not impressed.

Edited: I was very angry when I first read this thread, and so posted in anger. Thought I'd tone it down (just slightly) and make sure it didn't read like I was taking sides - which I'm not. It's all just a lot of pants really isn't it!

stevearcade 2011-07-24 22:52:58
 

pooman2084

Be Attitude For Gains!
vacBacker
Feedback
25 (100%)
Credits
1,808CR
+1 for Stevearcade, this is all very sad.

I mainly frequent J+ as it was the first arcade site I signed up for and it generally has more sales activity, but UKVAC is great too and I've started to try and post / trade on here as well.

I'm sure it is not the case, but please don't tar all J+ members with the same brush. The world is big enough to have 2 UK arcade collectors sites.

Is it beyond the pale for the offending parties to sit round a table and thrash out the remaining differences? How about genuine mediation through someone unrelated to the various incidents?
 

andyman

always pull away from your face
Credits
1,059CR
Can't we just agree to disagree chaps


I know it's been done over and over but it's like the kid at school who keeps calling you names, if you respond, it gets worse. If you ignore it goes away.

Or you just get your head kicked after school, but that's not something that can happen here is it ?

Or is it the plan to continually fuel this from both sides of the wall via snipes and snide comments. As said 2 UK sites is good, we have one for the 6 button bashers (you know who you are) and the Jamma brigade and one for Tech, serious stuff & the Gorf Brigade™, completely different IMO

We all need to have a party UKVAC/J+ and sort this sh!t out once and for all


OK

Andy.
 

stevearcade

The Trevor Horn of UKVAC
Feedback
1 (100%)
Credits
194CR
What's next, bringing dusters to RePlay. Maybe you could all choreograph nancy boy dance routines too!

Ditto Andy. Sit down all together at the next event and clear the bullsh*t. Kiss and make up. It's beyond silly!
 

guddler

Busting vectors like it's 1982!
vacBacker
Feedback
10 (100%)
Credits
4,054CR
I'm really entirely unsure what you lot are all going on about! We have presented the facts of an unprovoked spam attack on UKVAC which, in this case we have had to make our members aware of rather than just sweeping it under the carpet and ignoring it ever happened because it has meant we have had to introduce restrictions that we never really wanted to introduce. End of story.
 

andyman

always pull away from your face
Credits
1,059CR
guddler said:
I'm really entirely unsure what you lot are all going on about! We have presented the facts of an unprovoked spam attack on UKVAC which, in this case we have had to make our members aware of rather than just sweeping it under the carpet and ignoring it ever happened because it has meant we have had to introduce restrictions that we never really wanted to introduce. End of story.

Entirely agree but has it not been done by UKVAC members in the past. Both forums are for the same thing ffs, just run by different people who do not like the way each others forums are run and both are guilty of continuing the divide

Then certain members from both sides add more fuel to the fires and it continues.......

It's getting to a he said she said competition and just makes things difficult for those on both sites (again said earlier)

No offense intended btw, its just how I see it. We all collect the same thing don't we Martin ?

Andy.
 

guddler

Busting vectors like it's 1982!
vacBacker
Feedback
10 (100%)
Credits
4,054CR
andyman said:
Entirely agree but has it not been done by UKVAC members in the past.

Not that I'm aware of, no. We don't actively sign up anywhere with false accounts and send unsolicited PMs.
 