Website Spam posing by appid: aking-741 using IP 64.233.172.1

[Murray W]

Hi all, I have a few questions about how to report and notify your group of a application abusing websites.

 

On the 28th and 29th I saw an interesting useragent and a Google IP address listed in my banned IP connections due to website abuse.

 

Abuse Report Date: 7/28/2011 1:49:31 PM PSTIP:  64.233.172.1 Net Block:  64.233.160.0 - 64.233.191.255

Application: http://aking-741.appspot.com/

Spam type: Pharmaceutical Link Spam Posted

UserAgent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1) appengine-google; (+http://code.google.com/appengine; appid: aking-741)

 

This application clearly ran from a Google AppEngine server and if the useragent appid can not be modify it would appear this is the offender (aking-741)

 

Q1: Can the appid be modified to show anothers application ID?

Q2: Can the AppEngine group create some type of abuse reporting API?

Q3: If IP addresses used by the AppEngine are banned by individual website owners will this have any effect on legitimate apps?

Q4: Are the IP addresses for the AppEngine used only for the appengine group or are these servers shared with other Google projects?

 

The main reason I'm asking your group is because I'm seeing more of the IP addresses in the block above listed in blacklists online. If the Applications are specific and having the IP banned does not effect valid applications then all is good in the world. If not, AppEngine, we may have a problem.

Thanks for your time.

 

[Robert Kluin]

On Sat, Jul 30, 2011 at 15:52, Murray W <murs...@gmail.com> wrote:
> Hi all, I have a few questions about how to report and notify your group of
> a application abusing websites.
>
> On the 28th and 29th I saw an interesting useragent and a Google IP address
> listed in my banned IP connections due to website abuse.
>
> Abuse Report Date: 7/28/2011 1:49:31 PM PSTIP:  64.233.172.1 Net Block:
> 64.233.160.0 - 64.233.191.255
> Application: http://aking-741.appspot.com/
> Spam type: Pharmaceutical Link Spam Posted
> UserAgent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1)
> appengine-google; (+http://code.google.com/appengine; appid: aking-741)
>
> This application clearly ran from a Google AppEngine server and if the
> useragent appid can not be modify it would appear this is the offender
> (aking-741)
>
> Q1: Can the appid be modified to show anothers application ID?

no.

> Q2: Can the AppEngine group create some type of abuse reporting API?

http://code.google.com/appengine/kb/general.html#violation

> Q3: If IP addresses used by the AppEngine are banned by individual website
> owners will this have any effect on legitimate apps?

yes.

> Q4: Are the IP addresses for the AppEngine used only for the appengine group
> or are these servers shared with other Google projects?
>
> The main reason I'm asking your group is because I'm seeing more of the IP
> addresses in the block above listed in blacklists online. If the
> Applications are specific and having the IP banned does not effect valid
> applications then all is good in the world. If not, AppEngine, we may have a
> problem.
> Thanks for your time.
>
>

> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/google-appengine/-/QVJCGP-iwy0J.
> To post to this group, send email to google-a...@googlegroups.com.
> To unsubscribe from this group, send email to
> google-appengi...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/google-appengine?hl=en.
>

[Murray W]

I did find the abuse link.
It's nice but not practical for webmasters and developers to report network abuse manually.

 

Q1: Is there a way to lookup the applications author / developer using the appid: information from the useragent?

 

For every problem I believe a solution is just around the corner.

My thought: Based on the useragent appid: and IP network (Google) external applications could query for Abuse / Author email address for real-time abuse alert messaging.

 

[Robert Kluin]

On Tue, Aug 2, 2011 at 14:54, Murray W <murs...@gmail.com> wrote:
> I did find the abuse link.
> It's nice but not practical for webmasters and developers to report network
> abuse manually.

What do you want to do, monitor a site and if some app is hitting it
too frequently automatically report it to Google for abusing *your*
ToS?

>
> Q1: Is there a way to lookup the applications author / developer using the
> appid: information from the useragent?

No.

>
> For every problem I believe a solution is just around the corner.
> My thought: Based on the useragent appid: and IP network (Google) external
> applications could query for Abuse / Author email address for real-time
> abuse alert messaging.
>
>

> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To view this discussion on the web visit

> https://groups.google.com/d/msg/google-appengine/-/ze-nIq7riCsJ.

[Murray W]

What do you want to do, monitor a site and if some app is hitting it
too frequently automatically report it to Google for abusing *your*
ToS?

(Not sure what you mean by ToS, must be a AppEngine code word.)

Actually I do monitor my site. Doesn't everyone today monitor for pharmaceutical spam, SQL injection attempts and your classical bruteforce attacks? 

I'm not worry about an application hitting my sites. I see allot of good appid:'s . It's when an AppEngine application is used like an open proxy to spam sites. Then the scripts brings the hammer down.

Aren't your applications a SaaS? (Software as a Service)

Before you think, read what I have to say. 

If one of my sites picks up 20 or 30 spam posting attempts from a single AppEngine that's only my site. Add a few million other sites to the mix and your application just cost you a bundle in bandwidth to allow a spammer to use.  Not my bandwidth but your applications bandwidth.

I've read the "DDoS" and "Reached Quota" forum posts and my guess it's just spammers. They tend to flock 50 or so at a time averaging from what I detect 2 to 5 posts per second. 

I'm thinking if you all found a way to either get live abuse reports or updates it might actually save you money.

I'm just trying to help you all, but if you have it handled then I'll just watch the apps eat your bandwidth and get posted on popular blacklists. 

Today's list includes: 

appengine-google; (+http://code.google.com/appengine; appid: domaintraker)

IP: 209.85.224.84

Contents: http alonsoalic3 . splinder . com Percocet Dose (blah blah blah)

It's only spam to me. 

I wonder how much bandwidth that app is costing:

Remember, I'm only one in a million websites and it's clear I'm the only one to bring up an issue that is costing you money. 

The appid listed above was reported by one site I monitor:

First seen: Report Date: 8/7/2011 4:32:41 AM last visited Report Date: 8/18/2011 1:33:25 AM

Add 20 million and that's some good bandwidth for the appid: domaintraker. 

I'm sure there is a way to create a sub-routine to monitor POST / GET requests from your apps. 

I would believe that a "Human" wouldn't be sending "Post and Get" requests at 4 or more per second. 

I'd be glad to work with those that are willing to work on a application. 

I've opened up the NOC reports for visitors this week. You can find the Google IPs and Amazon listings. Look for the APPID: notice to see how often this happens. 

 XCtM Project v2 

Good luck and thanks for answering my questions. 

[Robert Kluin]

On Thu, Aug 18, 2011 at 20:32, Murray W <murs...@gmail.com> wrote:
> What do you want to do, monitor a site and if some app is hitting it
> too frequently automatically report it to Google for abusing *your*
> ToS?

terms-of-service

>
> (Not sure what you mean by ToS, must be a AppEngine code word.)
> Actually I do monitor my site. Doesn't everyone today monitor
> for pharmaceutical spam, SQL injection attempts and your classical
> bruteforce attacks?

Probably.

> I'm not worry about an application hitting my sites. I see allot of good
> appid:'s . It's when an AppEngine application is used like an open proxy to
> spam sites. Then the scripts brings the hammer down.

Yes, I personally very much agree with you on this. All of the proxy
sites on App Engine are extremely annoying, especially when they are
'spoofing' legitimate sites on App Engine. Excellent setup for a
phishing attack.

> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To view this discussion on the web visit

> https://groups.google.com/d/msg/google-appengine/-/ZuOOAgJ6VuUJ.

[Nadun Kulatunge]

wow cool fun stuff << http://j.gs/I9f >> i think you will like it

--
Bye TC