Macrotone Blogs

Macrotone blogs upon Joomla, our products and other matters.

Web access URL’s containing ‘RK=0/RS=’ string

We have noticed over the past few months an increase in the number of web access upon various URL addresses upon our site with a string starting ‘/RK=0/RS=’, followed by strings of other characters.  To us they are obviously some attempt to get access to information but we were a little puzzled as to how they might possibly work. The URL’s they are attached to are varied but seem to be upon a lot of Blog addresses. The RS= looks like it could be a regular expression for a pattern match of sorts, since some(but not all) are sometimes followed by a caret ^ but that is speculative.

They look to be a form of  SSI injection with the header, with the attempt to try and pass tokens into the URL for some purpose..

Apparently we are not alone and there is much discussion upon the web as to exactly what it is trying to achieve and who might be behind it, but no clear answer is currently known.

One way to remove them might be a simple .htaccess rule similar to the following:

RewriteRule ^(.*)RK=0/RS= /$1 [L,NC,R=301]

An alternative would be to block the IP addresses from which they are coming, but if they are not ‘hard addresses’ in the sense that they are not reusable,  then the risk is that you may end up blocking legitimate traffic.

Recent Comments
Guest — Gadgets
I believe the culprit may be scripts, bots or people 'scraping' the search results of Yahoo, and then attempting to access the url... Read More
Tuesday, 06 May 2014 17:44
Geoffrey Chapman
You could well be correct, just not quite what they are trying to achieve/access. We currently see up to 100 attempts with these ... Read More
Wednesday, 07 May 2014 08:57
Guest — chatterb0x
The first comment is correct. bots scraping yahoo search results.
Wednesday, 31 December 2014 06:43
  2858 Hits
  3 Comments

Chinese Domain Name Scam

We received the following email yesterday and were immediately suspicious and did a search on the Web to see what we could find.  We immediately hit upon this blog article which matched what we had received.  Reading the blog post we could see that although our email had a nice looking logo and a slightly different registry name it was the same thing just dressed up a little differently.  The General manager has also got a new first name, perhaps he is the brother of the previous incumbents?

Looking a little further we wonder why an Office Supplies company would want to give IT consultancy services?

For those interested the blog article, describes it very well and we will not repeat it here.  Suffice to say, I also do not consider it worth while going into what I will be doing with the emails.

Just another example of the types of scams that we see so often these days!

=== Email follows ===========

(Please forward this to your CEO, because this is urgent. Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China. On Nov 26, 2013, we received an application from Huamai Ltd requested "macrotoneconsulting" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?

Kind regards
Scott Zhang

***************************************************

Scott Zhang
General Manager 
Shanghai Office (Headquarters)
Tel: +86-21-6191-8696
Mobile: +86-182-2195-1605
Fax: +86-21-6191-8697

 cnregistry

============ End of Email =============

Tags:
  1818 Hits
  0 Comments

Web slow down?

spamI have previously posted an entry on the latest version of Firefox 19.0.2 where I mentioned that there were speed problems accessing certain web sites, including but not restricted to the BBC web sites.

The following article was posted the other day which may go some way to explaining my observations. Access to the article may be slow, but it describes how a row between a spam-fighting group (Spamhaus) and hosting firm (Cyberbunker) has sparked retaliation attacks affecting the wider internet.

  1472 Hits
  0 Comments

Now we have BACN in addition to SPAM

spamA new term seems to have entered usage used to describe nuisance emails. Bacn is the term used for all those reminders, newsletters, notifications, limited offers, alerts and other ephemera sent by websites, e-tailers and other services you have used ever since you made your first mouse clicks on the web.

It takes its name 'bacn' because it tries to describe those messages that sit in the middle of a short continuum between which technical folks call spam (fake meat/junk mail) and ham (real meat/real mail). These messages are bacn because they are not quite real messages but are not quite junk either.

It is classed as a problem because it is something you probably want to read, yet not quite yet, and it masks the real email messages you want to read now.

The BBC web site has an article expanding upon the topic you might or might not want to read.

 

 

Tags:
  2641 Hits
  0 Comments

SPAM and IP blocking

spamSince we started mapping IP addresses of persistent attempts to submit SPAM on our live site, it is obvious that Miami in the US is one of the most persistemt source. Already even though it is only the fourth day of the month we can see 128 attempts to submit SPAM messages.

This is annoying since it just increases the size of the server logs that are inspected for system problems and adds a lot of background noise.

I have decided therefore to start blocking the persistent IP addresses being used. The effect is virtually immediate with the incidences which were occuring very 5 minutes or so having ceased. It is a pity that some individuals feel the need to insert advertisements for 'personal' products on sites where they are totally inappropriate.

We therefore apologise to anyone inadvertantly who may be refused site access because they are given an IP address in our blocked range.  If you are caught then please contact support who will investigate and if necessary 'unblock' the IP address.

Tags:
  1407 Hits
  0 Comments

Website Anti-Spam


A recent comment requested some additional anti-spam option in our Issue Tracker component. That triggered much though on a topic that obviously impact all website and their components, be it blogs, commenting systems etc.

There are a number of different parts to preventing spam on a website and this is to expand upon our own particular take on the subject.

Spam is one of the many problem that face web sites today. It is basically the proverbial ‘pain in the neck’ and if not handled correctly can be very time consuming. How often have you viewed web sites where there are totally unrelated comments /registrations/ forums posts which has to make one think about the site’s reputation and credibility.

Our site is not immune to this problem and the source is not restricted to any specific country although there does seem to be a preponderance from locations such as Turkey, China, Russian Federation and more recently Ukraine and Brazil.

Continue reading
  2841 Hits
  0 Comments

Anti-Spam measures

We received an interesting comment in the site the other day about the anti-spam options that we incorporate into the Issue Tracker component.   The main gist was that Recaptcha was the only anti-spam option that we use.   However we had to reply that there were also other features such as word filtering, IP blocking, checks on the number of links, and the ability to ban specified email addresses and URLs.

We have (and still are) considering other options but do wonder whether it is the best approach to build all of these tools into a specific product such as Issue Tracker.   A typical Joomla site will have a number of components such as a Blog, a forum, a general article commenting system, etc., installed.   Other web sites even if not based on Joomla will have similar constituents.  Is it wise to have all of these parts with their own separate anti-spam measures?  The likelihood is that they will all adopt slightly different approaches with different measures of success, and all requiring updates to keep up with new techniques and methods.

Continue reading
  2391 Hits
  0 Comments

Three Strokes and you are out

I have previously written about Spam entries on the web site and their elimination, but now I turn to 'Invalid Login attempts'.

I have been watching these with interest for a few weeks, and it is particularly interesting to see where they originate from.

Like the Spam entries a lot of these seem to originate from the Far East.  I am currently adopting a policy of immediately blocking 'Administrator Login attempts'.  No quarter given, I can think of no valid reasons why they should be tried by anyone other than those authorised to do so.

Turning to normal login attempts I have a policy of seeing how many different user names are tried from a specific IP address.  Once they have tried 3 different ones I immediately block them.  I must admit I am building up quite a long list.  Perhaps I should generate a graphical display of the souces, it could be quite interesting to see, and watch how it changes over time.

Given a single host country as being the source of a lot of these attempts, one could always block all the IP addresses assigned to that specific country but it does seem like 'using a sledge hammer to crack a nut' approach.  Possibly I will come round to that approach eventually.

The one single thing that I have not yet investigated is how accurate the IP address actually is.  Programs such as 'tor' generate anonymity of the IP address so do we actually know where they come from at all?  If its' use became widespread blocking of IP's might be a little bit of a waste of time anyway!

 

  1636 Hits
  0 Comments

Site Spam Protection

We have noticed for some time a steady stream of Spam Comments added to our Blog entries and articles.  We know that we are not alone in this and that it seems to be a ‘fact of life’ that certain individuals wish to waste their time in creating such trivia. 

To minimise the disruption and annoyance these cause, these have been kept under control using a variety of methods and we recently changed our Blogging tool as a step to minimising this problem.

However one thing we did notice was that there were still Spam comments being entered even for content items that were no longer visible on the site.

We are sure that the majority of our visitors are not that interested in goods that these Spam entries advertise so have decided to take another step to trap more of these entries and introduce a further step in our line of defences.

Akeeba Admin Tools Pro has a very useful tool in the ‘Web Access Filter’ that can be used to assist in this task.  [We are users of this product and recommend it to our users, as satisfied customers and for the excellent support provided.]

We hope that this will not create any problems to our visitors and will continue to monitor the situation as time goes by. 

Tags:
  1944 Hits
  0 Comments
Go To Top

The Macrotone Consulting Web site would like to use cookies to store information on your computer, to improve our website. Cookies used for the essential operation of the site have already been set. To find out more about the cookies we use and how to delete them, see our Privacy Policy.

I accept cookies from this site.