Friday, November 9, 2007

All the buzz about Abe Torkelton: a followup

Since my post about "Abe Torkelton", a web form submission bot, we've had a lot of hits on the site and a few comments. I thought that a few of them were worth responding to here, as some of the details might be useful:

chuckn wrote:

"...[site] which doesn't have any linkage yet - so i'm not too sure how they found me."
The bot is likely either randomly or sequentially scanning IP space, or is checking registered hostnames via a registrar. In either case, even un-advertised system may be probed. Since the bot appears to look for web submission forms, the only way to hide from it will be to have some sort of human recognition system or pre-existing userID in place.

Thanks to Kate and Wes, we have IP addresses:
"The ID address I got was 64.5.40.122"
SamSpade.org resolves that to a ThePlanet IP range, which is different from what I originally saw. Kate posted and saw 66.232.97.32, which is a Hivelocity.net IP.

So we know that the Abe Torkelton bot is coming from multiple IPs. What we don't know is if it is tool, a bot, or the early stages of something more malicious. I have yet to see a report of the registrations being used for more than posting to a site.

How can you prevent it? Well, thus far it appears that human input required systems such as CAPTCHAs. Since the IP address is changing, you likely can't block it via IP, and blocking bots with derivations of "Abe Torkelton" will only save you until the name changes.

I'll keep tracking this here, so keep throwing what you find into the comments. Thanks folks!

4 comments:

B said...

I got hit by
jyjTorkelton2992@cape-mail.com
it's odd 'casue it filled in the form on my home page, but not my other "contact" form.

BigEasy said...

The volunteer registration page for my running clubs race got hit by Mr. T*rkelt*n

This bot knows enough to enter agpTorkelton0935@cape-mail.com into the text input field called "Email" and the phone number 617-507-5939 into the fields "HomePhone" "WorkPhone" and "CellPhone"

The downside is that I responded to his e-mail address from my own e-mail. Hopefully gmail will protect me from whatever Abe throws my way.

Unknown said...

Did a google search on general mail list form request from my website. Most of my folks are local, so when I saw the long distance area code I "googled" it. Found him listed on an architchtural website, a physicians website, a dance school website and more. Why are these websites listing "him" as a member if he's not real? I'm not an IT person, just a small business owner curious about who or what this is.

StonedChipmunk said...

@ spring

I wouldn't be worried about websites listing him as a real person. Chances are they just allow registration without verification - or maybe with verification, and the bot automatically clicks the first link in the response email, which is usually a confirmation link.

FYI, I ran a DNS lookup on the IP address and it threw a Spanish webhosting site at me:
122.40.5.64.in-addr.arpa name = server1.coninfo.net
I have no clue what this is, but I'm putting my money on a malicious bot.