WordPress Trackback Spam Technique for Content Spamming

Recently I have been observing a different WordPress spam technique that uses WP trackbacks. This technique has some characteristics that are unlike other types of spam, so my usual clues as to origin and banning method did not work. Fortunately, it also has some unique characteristics that can be used to ban it.

WordPress Trackbacks
When one WP site links to another WP site, the two sites can notify each other of the link using a method called trackbacks. The first (linking) site sends a trackback request to the second (linked-to) site. The second site records the trackback as a special kind of comment, which invites the reader to click through to the first site. Trackbacks are automated, which makes them convenient for both sites.

Because trackbacks are automated, it is the first site's server, not a person in a browser, that submits the request to the second site. The trackback endpoint is predictable (the post's permalink with a /trackback/ suffix), so the sender never has to GET the page to find or verify it; a single POST is enough. For example:

POST /wp/2010/06/03/does-motorcycle-mesh-gear-melt-in-a-crash/trackback/

There is no GET request and, because the exchange is server to server, no page is rendered. The second site's access log therefore shows no GET before the POST, no Referer header, and none of the follow-up requests for images, scripts and stylesheets that a browser would make. The request simply pops up as a single POST from a single IP. The sender does not care what the second site returns, so it can work from any throwaway host or proxy (the source IP itself cannot be forged, since the POST needs a completed TCP connection, but it is cheap to rotate). Without a GET to correlate against, verifying the POST is difficult.

Here is an example of this request as it appears in the raw access log. The fields are IP, time, request, status, response bytes, Referer and User-Agent; note the empty Referer and the doubled User-Agent:

37.18.42.190 [28/Aug/2018:11:55:29 POST /wp/2010/06/03/does-motorcycle-mesh-gear-melt-in-a-crash/trackback/ HTTP/1.1 200 78 – Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
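Here is what that single POST carries and what wp-trackback.php sends back, as an added example (not code from the original post). The form fields (title, url, excerpt, blog_name) and the XML reply format are WordPress's; the site names, URLs, excerpt and the WordPress version in the User-Agent are assumptions for the demo. The success reply is 78 bytes long, which is the size logged as "200 78" in the access log line above.

```python
"""A WordPress trackback on the wire: the POST a sender makes and the XML
wp-trackback.php answers with.

Added example, not code from the original post. The field names and the
response format are WordPress's; sender, URLs, text and version are made up.
"""
from urllib.parse import urlencode, urlsplit
import xml.etree.ElementTree as ET


def trackback_url(permalink):
    """WordPress exposes a post's trackback endpoint at <permalink>/trackback/."""
    return permalink.rstrip('/') + '/trackback/'


def build_trackback(target_permalink, title, source_url, excerpt, blog_name):
    """Return (url, headers, body) for the single POST a trackback consists of.
    Nothing here requires fetching the target page first."""
    body = urlencode({'title': title, 'url': source_url,
                      'excerpt': excerpt, 'blog_name': blog_name})
    origin = urlsplit(source_url)
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        # what WordPress's own HTTP client sends (version assumed);
        # a spam tool sends whatever User-Agent it likes
        'User-Agent': 'WordPress/4.9.8; %s://%s' % (origin.scheme, origin.netloc),
    }
    return trackback_url(target_permalink), headers, body


# wp-trackback.php's success reply as WordPress emits it (no trailing newline)
SUCCESS_XML = ('<?xml version="1.0" encoding="utf-8"?>\n'
               '<response>\n<error>0</error>\n</response>')
# one of its rejections; the message text is WordPress's own
DUPLICATE_XML = ('<?xml version="1.0" encoding="utf-8"?>\n'
                 '<response>\n<error>1</error>\n'
                 '<message>We already have a ping from that URL for this post.</message>\n'
                 '</response>')


def parse_response(xml_text):
    """Return (error_flag, message). error 0 means the trackback was recorded as
    a comment; it may still sit in moderation or be caught by a spam plugin."""
    root = ET.fromstring(xml_text)
    return int(root.findtext('error', default='1')), root.findtext('message', default='')


if __name__ == '__main__':
    url, headers, body = build_trackback(
        'https://example.org/wp/2010/06/03/does-motorcycle-mesh-gear-melt-in-a-crash/',
        'Mesh gear, tested', 'https://blog.example.net/mesh-gear-review/',
        'A short excerpt that becomes the comment text', 'Example Blog')
    print('POST', url)
    print(headers)
    print(body)
    print(parse_response(SUCCESS_XML), len(SUCCESS_XML.encode()), 'bytes')
```

The point for the defender: the whole exchange is one request and one tiny reply, and the 200 status says nothing about whether the trackback was wanted.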

WordPress trackback spam technique: how the request looks in the WP admin console

To WordPress, the trackback request looks just like an ordinary comment submission, except that no GET of the page preceded it and no page was rendered, so there is no Referer or other browser header to check it against. Brilliant!

Detection
Looking at the user agents (UAs), you notice that the UA in each request is unique, differing just slightly from the others: the version numbers are varied automatically, which makes banning by UA string challenging. What is unusual is that within a single request the UA is doubled. The logged field holds two complete browser strings joined by a comma, "Mozilla/5…, Mozilla/5…", which is what the web server records when one request carries two User-Agent headers; no real browser sends that. The first string is the rotated fake (it has even lost the comma from "(KHTML, like Gecko)", which suggests the tool keeps its fake UAs in a comma-separated list), while the second string is the same Chrome/67.0.3396.79 UA in every request. Use this: match on the ", Mozilla/" or ", Opera/" join, or on the fixed second string. If the site does not need trackbacks at all, the simpler fix is to turn them off under Settings → Discussion ("Allow link notifications from other blogs (pingbacks and trackbacks)"); that applies to new posts, existing posts keep their per-post setting, so the /trackback/ endpoint is still worth blocking at the web server.

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML like Gecko) Chrome/26.0.1410.64 Safari/537.31, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/34.0.1847.137 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.152 Safari/537.22, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML like Gecko) Chrome/24.0.1312.57 Safari/537.17, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML like Gecko) Chrome/26.0.1410.64 Safari/537.31, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/31.0.1650.63 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/33.0.1750.117 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/29.0.1547.76 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML like Gecko) Chrome/23.0.1271.91 Safari/537.11, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML like Gecko) Chrome/32.0.1700.102 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C), Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML like Gecko) Chrome/30.0.1599.69 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/34.0.1847.137 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/29.0.1547.57 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/32.0.1700.76 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/30.0.1599.69 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12 Version/12.14, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML like Gecko) Chrome/32.0.1700.107 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.172 Safari/537.22, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
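The detection logic above, run over sample log lines, as an added example that is not code from the original post. It parses Apache "combined" format, scores every POST to a /trackback/ URL on the three traits described (doubled User-Agent, empty Referer, no earlier GET of the post from the same IP), treats only the doubled UA as proof, and emits an Apache 2.4 fragment that refuses such requests plus the offending IPs. The log lines are constructed for the demo (the two spam IPs and their doubled UAs are copied from this post's data, the other lines are made up), and the Apache 2.4 syntax is an assumption about the reader's server.

```python
"""Score the trackback POSTs in an Apache "combined" access log.

Added example, not code from the original post. Each POST to a /trackback/
URL gets three signals:
  double_ua     User-Agent field holds two browser strings joined by ", "
                (what the server logs when a request sent two User-Agent headers)
  no_referer    the Referer field is "-"
  no_prior_get  the same IP never fetched the post before posting to it
Only double_ua is treated as proof: the other two also describe a legitimate
WordPress sender, which POSTs straight to the trackback URL. Log lines are
constructed for the demo; the two spam IPs and their UAs come from the post.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
203.0.113.7 - - [28/Aug/2018:11:50:01 +0000] "GET /wp/2010/06/03/does-motorcycle-mesh-gear-melt-in-a-crash/ HTTP/1.1" 200 15322 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
203.0.113.7 - - [28/Aug/2018:11:52:14 +0000] "POST /wp/wp-comments-post.php HTTP/1.1" 302 0 "https://example.org/wp/2010/06/03/does-motorcycle-mesh-gear-melt-in-a-crash/" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
198.51.100.9 - - [28/Aug/2018:11:53:41 +0000] "POST /wp/2010/06/03/does-motorcycle-mesh-gear-melt-in-a-crash/trackback/ HTTP/1.1" 200 78 "-" "WordPress/4.9.8; https://blog.example.net"
37.18.42.190 - - [28/Aug/2018:11:55:29 +0000] "POST /wp/2010/06/03/does-motorcycle-mesh-gear-melt-in-a-crash/trackback/ HTTP/1.1" 200 78 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
178.57.68.89 - - [28/Aug/2018:12:01:03 +0000] "POST /wp/2010/06/03/does-motorcycle-mesh-gear-melt-in-a-crash/trackback/ HTTP/1.1" 200 78 "-" "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12 Version/12.14, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
"""

# Apache "combined": ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# split only where ", " is followed by the start of another browser string,
# so the ", like Gecko" inside one genuine UA is not a split point
UA_SPLIT = re.compile(r', (?=(?:Mozilla|Opera)/\d)')
TRACKBACK = re.compile(r'/trackback/?$')

def parse(log_text):
    """One dict per parseable line, in log order."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

def user_agents(ua_field):
    """The separate browser strings packed into one logged User-Agent field."""
    return UA_SPLIT.split(ua_field)

def analyze(rows):
    """Score every trackback POST; GETs only feed the per-IP fetch history."""
    fetched = defaultdict(set)          # ip -> paths it has GET'd so far
    findings = []
    for r in rows:
        path = r['path'].split('?', 1)[0]
        if r['method'] == 'GET':
            fetched[r['ip']].add(path)
            continue
        if r['method'] != 'POST' or not TRACKBACK.search(path):
            continue
        uas = user_agents(r['ua'])
        signals = {
            'double_ua': len(uas) >= 2,
            'no_referer': r['referer'] in ('', '-'),
            'no_prior_get': TRACKBACK.sub('/', path) not in fetched[r['ip']],
        }
        if signals['double_ua']:
            verdict = 'spam'
        elif signals['no_referer'] and signals['no_prior_get']:
            verdict = 'suspicious'      # also how a real WordPress sender looks
        else:
            verdict = 'ok'
        findings.append({
            'ip': r['ip'], 'time': r['time'], 'verdict': verdict, 'signals': signals,
            # in the spam, uas[0] is the rotated fake and uas[-1] the tool's fixed UA
            'ua_tail': uas[-1] if signals['double_ua'] else None,
        })
    return findings

def spam_ips(findings):
    return sorted({f['ip'] for f in findings if f['verdict'] == 'spam'})

def fixed_ua_tail(findings):
    """The second UA shared by the spam requests (None if none were seen)."""
    tails = Counter(f['ua_tail'] for f in findings if f['ua_tail'])
    return tails.most_common(1)[0][0] if tails else None

def htaccess_rules(ips):
    """Apache 2.4 fragment (syntax is an assumption about the reader's server):
    refuse trackback POSTs whose User-Agent carries a second browser string,
    and refuse the listed IPs for everything."""
    lines = [
        '<If "%{REQUEST_METHOD} == \'POST\' && %{REQUEST_URI} =~ m#/trackback/?$#'
        ' && %{HTTP_USER_AGENT} =~ m#, (Mozilla|Opera)/#">',
        '    Require all denied',
        '</If>',
    ]
    if ips:
        lines += ['<RequireAll>', '    Require all granted']
        lines += ['    Require not ip ' + ip for ip in ips]
        lines.append('</RequireAll>')
    return '\n'.join(lines)

if __name__ == '__main__':
    found = analyze(parse(SAMPLE_LOG))
    for f in found:
        print(f['time'], f['ip'], f['verdict'], f['signals'])
    print('fixed second UA:', fixed_ua_tail(found))
    print(htaccess_rules(spam_ips(found)))
```

Run against a real log, the legitimate WordPress sender in the sample comes out as "suspicious" rather than "spam", which is the honest answer: without a prior GET there is nothing to verify it against, and only the doubled User-Agent separates the spam tool from a real blog.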

IP Address Lookup
Here are the IP addresses and their origins. An automated whois lookup for their domain names reveals that most are obfuscated, forcing me to verify each of the IP addresses by hand. This is on purpose. You notice that a significant portion of the IPs are in Russia, Ukraine and Eastern Europe. I would guess that the attack was headed by QUALYTYNETWORK in Ukraine (UA). There are a few US-based IPs, as well as some in Europe (Netherlands, Italy, Switzerland, Spain) and South America (Chile, Brazil). Who is missing? China, Japan, Australia and the rest of Asia are missing.

178.159.100.247 QUALITYNETWORK TR
178.57.68.89 QUALYTYNETWORK UA
181.191.216.6 dns error, not found
185.131.240.96 host-185-131-240-96.mk-net.info MK-NET via CYFROTEL Poland
185.252.219.97 CN-QN-20180428 QualityNetwork Estonia
187.111.91.189 189.91.111.187.intexnet.com.br
188.166.7.183 EU-DIGITALOCEAN-NL1
188.72.127.213 QUALITYNETWORK Trusov Ilya Igorevych RU
191.101.54.86 ffmhv.host1dns.com Digital Energy Technologies Chile
191.101.55.193 fblsa.host1dns.com Depo Data Center Ilya Trusov Switzerland Chile
37.18.42.190 QUALITYNETWORK RU
5.101.222.115 QUALITYNETWORK Yerevan Network Trusov Ilya Igorevych Armenia
5.57.233.18 RU-TTC-NET-20120605 AO Transtelecom Russia
62.43.201.40 62.43.201.40.static.user.ono.com ONO.ES VODAFONE ONO Spain
66.110.216.105 GEORGIA-PUBLIC-WEB USA
80.211.180.201 host201-180-211-80.serverdedicati.aruba.it ARUBA-NET Aruba S.p.A. IT
83.219.159.137 ppp-static2-137.tis-dialog.ru TIS-DIALOG RU
8.42.71.254 mtnbb.com Level 3 US
91.206.30.205 d976979.freehost.com.ua FREEHOST UA
