Americablog is under attack, and needs help

WilliamPitt Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 04:29 PM
Original message
Americablog is under attack, and needs help
Hissyspit Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 04:33 PM
Response to Original message
1. Wow, thanks, Will.
 
Robbien Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 04:34 PM
Response to Original message
2. Americablog is one of the best out there
But a techie I am not.

Will help with a k&r.
 
zippy890 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 04:36 PM
Response to Original message
3. anybody have suggestions
on what to say in an e-mail to the sites posted at link?

Unsure of what to say, but would like to help out - that's a great blog.
 
SeattleGirl Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 04:39 PM
Response to Reply #3
5. I would appreciate suggestions too, for an email.
I'm very willing to email this place, but not sure what to say.

Thanks for the heads-up, Will.
 
Monk06 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 04:52 PM
Response to Reply #3
10. You might want to look at www.psnw.com. It's Jim Rob's ISP business.
 
Robbien Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 05:01 PM
Response to Reply #10
11. Jim Rob as in Freeperland's Jim Rob?
Free Republic is doing this?
 
Monk06 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 06:08 PM
Response to Reply #11
20. It's a good guess...

He created a scalable database template for business record keeping long
before platform-based applications were available. He doesn't hide his activities.
It's all here: http://www.psnw.com/~jimrob/resume.htm

PSNW is an ISP and Web Solutions company and he has developed sites for members of
Congress.

When he banned me from FR, I was also banned from Free Dominion at the same time without
cause. He traced my IP address and got me banned from FD.

Even my Yahoo account was flagged.

FD IMO has been taken over by FR. It's no longer a Canadian conservative website. It's an
FR clone.

So, yes, I think he could be doing DOS attacks against Americablog using automated posting
through offshore servers and be able to hide his tracks. Spam and DOS are standard
operating procedure for FR.
 
babylonsister Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 04:36 PM
Response to Original message
4. I can't help, but can k & r for exposure. nt
 
Tuesday_Morning Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 04:40 PM
Response to Original message
6. K & r for exposure
 
Xeric Donating Member (586 posts) Send PM | Profile | Ignore Sat May-13-06 04:42 PM
Response to Original message
7. looks like the guy is using anonymous proxy servers
 
AnnieBW Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 04:43 PM
Response to Original message
8. Looks Like They're Doing What They Can
They're tracking the person and have contacted the proper authorities. Maybe Agent Mike can give 'em a hand? You out there Agent Mike?
 
DrDebug Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 04:52 PM
Response to Original message
9. Kick
RIPE is not going to help though. RIPE is the European equivalent of ARIN; they are just the top-level IP assignment agency and only deal with ISPs, so they are not going to do anything at all.

84.19.182.23 = ns.km20749-20.keymachine.de

This IP address has been blocked because it is believed to be an open proxy or zombie computer.
http://en.wikipedia.org/wiki/User:84.19.182.23

137.148.5.13 = imta1.csuohio.edu

This IP address has been blocked because it is believed to be an open proxy or zombie computer.
http://en.wikipedia.org/wiki/User:137.148.5.13

195.169.149.213 = wg213.waag.org

This IP address has been blocked because it is believed to be an open proxy or zombie computer.
http://en.wikipedia.org/wiki/User:195.169.149.213

They all appear to be open proxies. The only solution might be to get proxycheck, which is Russian open source software that can check for open proxies and zombie computers; however, you need access to the server to install that software.
 
localroger Donating Member (663 posts) Send PM | Profile | Ignore Sat May-13-06 05:08 PM
Response to Reply #9
12. Well, it's not a full-bore DOS, so...
...if it's just a comment popping up every 2 minutes, it seems like it should be pretty straightforward to write a 'bot that would seek out those comments posted from suspect servers and automatically delete them. Clunky, but if you don't have access to the servers it would probably be good enough to take care of this yahoo.
 
DrDebug Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 05:14 PM
Response to Reply #12
13. That's the whole point, because it's blogspot.com
Edited on Sat May-13-06 05:15 PM by DrDebug
So they probably have no access to the server or the software. The easiest way is to install proxycheck ( http://www.corpit.ru/mjt/proxycheck.html ) or a similar program and call that program with the IP and if it is an open proxy, deny the request.

Testing and complaining about the IP has no use whatsoever since they all appear to be open proxies, so the freeper will have a different IP every time.
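As an added example (not code from this thread, from Americablog or from proxycheck), here is how the gate DrDebug describes in reply #13 and the clean-up bot localroger suggests in reply #12 could be built as one check on each incoming comment. A block list of known open-proxy addresses (the three quoted in reply #9 plus a constructed /28) stands in for the proxycheck call, and a second check keys on the comment body itself, because the symptom here is the same text arriving twice a minute from rotating proxies, which survives the poster changing IPs. The comment texts, timestamps and the 10.0.0.0/8, 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed sample data, and `ProxyBlocklist`, `FloodDetector`, `gate_comment` and `run_sample` are hypothetical names.

```python
import hashlib
import ipaddress
import re
from collections import deque

# Stand-in for an open-proxy check (e.g. shelling out to proxycheck or a DNS
# blocklist lookup): the three addresses quoted in reply #9 plus a constructed
# /28 to show that ranges work too.
OPEN_PROXY_LIST = [
    "84.19.182.23",
    "137.148.5.13",
    "195.169.149.213",
    "65.214.33.64/28",  # constructed range entry
]


class ProxyBlocklist:
    """Membership test for single addresses and CIDR ranges."""

    def __init__(self, entries):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def is_listed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def normalize(body):
    """Fold case and whitespace so trivially varied copies hash alike."""
    return re.sub(r"\s+", " ", body.strip().lower())


class FloodDetector:
    """Flag a body that shows up more than `limit` times inside `window`
    seconds, regardless of which source address posted each copy."""

    def __init__(self, limit=3, window=300):
        self.limit = limit
        self.window = window
        self.seen = {}  # body digest -> deque of (timestamp, ip)

    def observe(self, body, ip, ts):
        digest = hashlib.sha256(normalize(body).encode()).hexdigest()
        q = self.seen.setdefault(digest, deque())
        q.append((ts, ip))
        while q and ts - q[0][0] > self.window:  # drop copies older than the window
            q.popleft()
        return len(q) > self.limit


def gate_comment(blocklist, detector, ip, body, ts):
    """Return 'block' (listed proxy), 'flood' (repeated body) or 'accept'.
    The detector always observes the post, so blocked copies still count
    towards the flood threshold for the next proxy the poster rotates to."""
    flooding = detector.observe(body, ip, ts)
    if blocklist.is_listed(ip):
        return "block"
    if flooding:
        return "flood"
    return "accept"


# Constructed sample stream: (seconds since start, source ip, comment body).
SAMPLE_COMMENTS = [
    (0, "10.0.0.5", "Great post, thanks"),
    (0, "84.19.182.23", "BUY NOW free stuff"),
    (30, "203.0.113.7", "buy now  FREE stuff"),
    (60, "198.51.100.9", "Buy now free stuff"),
    (90, "192.0.2.44", "buy  now free  stuff"),
    (200, "192.0.2.45", "BUY NOW FREE STUFF"),
    (400, "10.0.0.5", "Great post, thanks"),
]


def run_sample(comments=SAMPLE_COMMENTS):
    """Run the gate over the sample stream; return one decision per comment."""
    blocklist = ProxyBlocklist(OPEN_PROXY_LIST)
    detector = FloodDetector(limit=3, window=300)
    return [gate_comment(blocklist, detector, ip, body, ts) for ts, ip, body in comments]


if __name__ == "__main__":
    for (ts, ip, body), decision in zip(SAMPLE_COMMENTS, run_sample()):
        print(f"t={ts:>3}s {ip:<16} {decision:<6} {body!r}")
```

The point of the second check is the one DrDebug makes: with a proxy pool to rotate through, an IP list alone never catches up, whereas the repeated body is the constant. Note that the second "Great post" at t=400 is accepted because its earlier copy has aged out of the window, so a normal commenter repeating themselves occasionally is not caught.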
 
IndyOp Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 05:21 PM
Response to Original message
14. AmericaBlog suggests we contact RIPE to tell them to stop this hacker...
Edited on Sat May-13-06 05:42 PM by IndyOp
We have someone trying to interfere with the operation of the blog. He's repeatedly posting the same message in the comments, at a rate of 2 a minute, to flood the comments and make them unusable. He has been doing this for at least a week now. My computer geeks have advised me to write this public notice to let this person know that this is a crime, he's being tracked, and he's being reported to the FBI and the appropriate tech folks abroad.

<snip>

I'd appreciate any tech folks and political folks who can help me put pressure on the RIPE NCC folks in Amsterdam; they pretty much control all the blocks of IPs the attacker is using. RIPE Network Coordination Centre is the administrative and technical coordinator for the ISPs and other networks in the region from which this attack is very likely originating. They need to be told what's going on through IPs in their blocks. I'm told they're going to act like it's not their problem. Feel free to let them know it will be their problem as soon as I talk to the FBI.

Postal Address:
RIPE NCC
P.O. Box 10096
1001EB Amsterdam
The Netherlands

MORE at Americablog... Link in the OP.

On Edit: The replies to this post suggest that we not email... :shrug:
 
DrDebug Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 05:26 PM
Response to Reply #14
15. RIPE has nothing to do with this
Please read my reply. RIPE is like ARIN. They are the top registrars and they only carve up the IPs for the ISPs. They already sent the reply that they can't help anybody. The reason why they ended up with RIPE is because they used a cheap whois which couldn't resolve the address. If you use http://whois.sc or http://samspade.org it'll tell you the ISP to which an address is registered.

It's very simple. The top of the internet consists of RIPE (Europe), ARIN (Americas) and APNIC (Asia) and those companies only give out the IPs to individual ISPs and that's all they do.
 
IndyOp Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 05:41 PM
Response to Reply #15
18. I copied the text straight from AmericaBlog --
Is John wrong? You might want to contact him and email your suggestions then...
 
DrDebug Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 05:57 PM
Response to Reply #18
19. There is already a story about it in his comments
It is a mistake which probably happens a lot, but organisations like ARIN, RIPE, APNIC and LACNIC (I forgot that one) are pretty useless. You can write to the ISP; however, the first IP is from Germany, the second IP is from Ohio and the third one is from The Netherlands, so it's already clear that they are intermediate IPs (and Wikipedia has already blocked all those IPs and determined them to be open proxies or zombies). You can write to the individual ISPs and demand that they close the open proxies; however, it won't stop the freeper since there are millions of open proxies and zombies on the internet.

In short, install an open proxy blocker; however, that probably won't be possible with Blogger.com.
 
Xeric Donating Member (586 posts) Send PM | Profile | Ignore Sat May-13-06 06:25 PM
Response to Reply #19
25. I don't think John is listening to sensible advice
It looks like he's having one of his hissy fits and doing a lot of blustering. The FBI isn't going to lift a finger to help him. They aren't going to drop what they are doing and help him with his website. I'm also concerned about all the misinfo that's propagating on his site. He's got people railing against EFF and Tor now. EFF is a good organisation that is helping to keep the internet open and free. And Tor is an onionskin router; it doesn't use compromised proxy servers. I don't know why he hasn't taken down the link to RIPE yet since he must know by now that that is just dumb. This is a tech problem that requires a tech solution.
 
DrDebug Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 06:33 PM
Response to Reply #25
27. Well I don't know John, but the advice up to now hasn't been very good
The FBI won't help, RIPE won't help and EFF won't help either. All three organisations will simply laugh at him. It's very sad, but that's the way it is...

Tor doesn't use open proxies, and of the addresses listed 3 out of 4 are in spam databases as well, so they are 100% sure open proxies, and waag.org fails proxycheck so it's probably either a zombie or an open webhost proxy. The other three addresses have been listed as spam hosts for quite some time now, so the ISP has simply ignored all abuse requests concerning those addresses. The fourth IP is a UUNET one and they will ignore all complaints of course ;)

He should try to solve it technically.
 
Xeric Donating Member (586 posts) Send PM | Profile | Ignore Sat May-13-06 06:47 PM
Response to Reply #27
28. Not the first time he's done this
I'm not a big fan of his since his "I don't necessarily have a problem bombing Iran" comments, so I don't go to his site any more, but I do remember when he got his laptop infected and jumped up and down and demanded that everybody contact Sony to get him a new one. It was pretty laughable. Then people convinced him to buy a Mac and he shut up about it. He imagines himself pretty tech savvy, but if he were he'd be running his own site and not have blogspot do it for him.
And yeah, uunet, the black hole of spam complaints.
 
Heywood J Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 07:43 PM
Response to Reply #15
29. Glad I'm not the only one
who thought "why the hell is he bothering RIPE?"

That's like complaining to Ford or Chevy because someone knocked over your mailbox with a car.
 
Xeric Donating Member (586 posts) Send PM | Profile | Ignore Sat May-13-06 05:27 PM
Response to Reply #14
16. spamming RIPE won't do anything
They aren't the problem. The guy is using anonymous proxy servers. That is, computers that have been compromised in some way to act as open proxies. Haloscan needs to block open proxies from connecting to their servers. Obviously they aren't. Aravosis and his "geeks" are wasting time and hassling the wrong people.
 
dipsydoodle Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 05:28 PM
Response to Original message
17. Now you know what floodnet is.
I've mentioned it in threads before but nobody seemed to take any notice. It's more commonly known as electronic civil disobedience. It was used to shut down the Mexican Government's site for a month or so some years back. It's software which repeatedly hits refresh. Chances are that more than one person is using it in this instance. I'd mentioned it only in the context that if search engines were being watched then repeated use of that word would put the fear of God up whoever was watching, as they would anticipate the Pentagon site being shut down.

Search "floodnet" for more details. The general rule is if you use it then you must be responsible for your own actions.
 
genieroze Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 06:14 PM
Response to Original message
21. 84.19.182.23 05.13.06 - 4:04 pm Eastern time



Target: 84.19.182.23
Date: 5/13/2006 (Saturday), 7:06:40 PM
Nodes: 18


Node Data
Node Net Reg IP Address Location Node Name
18 1 1 84.19.182.23 Erfurt ns.km20749-20.keymachine.de


Packet Data
Node High Low Avg Tot Lost
18 136 136 136 1 0


Network Data
Network id#: 1

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 84.0.0.0 - 84.255.255.255
CIDR: 84.0.0.0/8
NetName: 84-RIPE
NetHandle: NET-84-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS3.NIC.FR
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2003-11-17
Updated: 2004-03-16

ARIN WHOIS database, last updated 2006-05-12 19:10


Registrant Data
Registrant id#: 1
Domain: keymachine.de
 
genieroze Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 06:17 PM
Response to Reply #21
22. 137.148.5.13 05.13.06 - 4:06 pm Eastern time

Target: 137.148.5.13
Date: 5/13/2006 (Saturday), 7:18:07 PM
Nodes: 16


Node Data
Node Net Reg IP Address Location Node Name
16 1 1 137.148.5.13 Cleveland imta1.csuohio.edu


Packet Data
Node High Low Avg Tot Lost
16 ---- ---- ---- 2 2


Network Data
Network id#: 1

OrgName: Cleveland State University Computer Services
OrgID: CSUCS
Address: 2121 Euclid Ave
Address: Information Services and Technology
City: Cleveland
StateProv: OH
PostalCode: 44115
Country: US

NetRange: 137.148.0.0 - 137.148.255.255
CIDR: 137.148.0.0/16
NetName: CSUOHIO
NetHandle: NET-137-148-0-0-1
Parent: NET-137-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.CSUOHIO.EDU
NameServer: NS2.CSUOHIO.EDU
NameServer: NS1.OAR.NET
Comment:
RegDate: 1989-12-01
Updated: 2004-02-03

RTechHandle: ND8-ARIN
RTechName: Daher, Nemtallah
RTechPhone: +1-216-687-5345
RTechEmail: n.daher@csuohio.edu

OrgAbuseHandle: MHO82-ARIN
OrgAbuseName: Holstein, Michael
OrgAbusePhone: +1-216-687-2000
OrgAbuseEmail: michael.holstein@csuohio.edu

OrgTechHandle: ND8-ARIN
OrgTechName: Daher, Nemtallah
OrgTechPhone: +1-216-687-5345
OrgTechEmail: n.daher@csuohio.edu

ARIN WHOIS database, last updated 2006-05-12 19:10


Registrant Data
Registrant id#: 1


http://www.networksolutions.com

 
genieroze Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 06:19 PM
Response to Reply #22
24. 195.169.149.213 05.13.06 - 3:44 pm Eastern time

Target: 195.169.149.213
Date: 5/13/2006 (Saturday), 7:20:23 PM
Nodes: 16


Node Data
Node Net Reg IP Address Location Node Name
16 1 1 195.169.149.213 AMSTERDAM wg213.waag.org


Packet Data
Node High Low Avg Tot Lost
16 122 122 122 1 0


Network Data
Network id#: 1
This is the RIPE Whois query server 2.
The objects are in RPSL format.

Note: the default output of the RIPE Whois server
is changed. Your tools may need to be adjusted. See
http://www.ripe.net/db/news/abuse-proposal-20050331.html
for more details.

Rights restricted by copyright.
See http://www.ripe.net/db/copyright.html

Note: This output has been filtered.
To receive output for a database update, use the -B flag

Information related to '195.169.148.0 - 195.169.149.255'

inetnum: 195.169.148.0 - 195.169.149.255
netname: WAAG
descr: WAAG - Maatschappij voor oude en nieuwe media
country: NL
admin-c: JV3941-RIPE
tech-c: JV3941-RIPE
status: ASSIGNED PA
mnt-by: SN-LIR-MNT
mnt-irt: irt-SURFnet-CERT
source: RIPE Filtered

person: Jaap Vermaas
address: Nieuwmarkt 4
address: 1012 CR
address: Amsterdam
address: NL
phone: +31 20 5579898
fax-no: +31 20 5579880
e-mail: beheer@waag.org
nic-hdl: JV3941-RIPE
mnt-by: SN-LIR-MNT
source: RIPE Filtered

Information related to '195.169.0.0/16AS1103'

route: 195.169.0.0/16
descr: SURFnet CIDR Block VI
origin: AS1103
mnt-by: AS1103-MNT


Registrant Data
Registrant id#: 1


Registrant:
Society for Old and New Media
Nieuwmarkt 4
Amsterdam 1012CR
NL

Domain Name: WAAG.ORG

Administrative Contact:
Waag Labs/Society for Old and New Media administratie@WAAG.ORG
Nieuwmarkt 4
Amsterdam, NH 1012CR
NL
+31 20 557 9898 fax: +31 20 557 9880

Technical Contact:
Waag Labs/Society for Old and New Media domeinbeheer@WAAG.ORG
Nieuwmarkt 4
Amsterdam, NH 1012CR
NL
+31 20 557 9898 fax: +31 20 557 9880

Record expires on 02-Mar-2011.
Record created on 13-Sep-2002.
Database last updated on 13-May-2006 19:18:21 EDT.

Domain servers in listed order:

NS.WAAG.ORG 212.204.235.170
 
genieroze Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 06:28 PM
Response to Reply #24
26. 65.214.33.71 05.13.06 - 4:39 pm Eastern
Target: 65.214.33.71
Date: 5/13/2006 (Saturday), 7:29:00 PM
Nodes: 14


Node Data
Node Net Reg IP Address Location Node Name
14 1 - 65.214.33.71 43.067N, 70.800W


Packet Data
Node High Low Avg Tot Lost
14 ---- ---- ---- 2 2


Network Data
Network id#: 1
UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1)
65.192.0.0 - 65.223.255.255
Franchise Solutions Corp UU-65-214-33-64 (NET-65-214-33-64-1)
65.214.33.64 - 65.214.33.79

ARIN WHOIS database, last updated 2006-05-12 19:10


Registrant Data
 
DrDebug Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 06:18 PM
Response to Reply #21
23. You are using a cheap WHOIS
http://whois.domaintools.com/84.19.182.23

Record Type:
IP Address

Cached Whois:
2006-05-13

IP Location:
Germany - Keyweb Ag Ip Network

Reverse DNS:
ns.km20749-20.keymachine.de

Blacklist Status:
Currently Listed (history)


inetnum: 84.19.176.0 - 84.19.191.255
netname: DE-KEYWEB-II
descr: Keyweb AG IP Network
country: DE
admin-c: MERO-RIPE
tech-c: MERO-RIPE
status: ASSIGNED PA
mnt-by: KEYWEB-MNT
source: RIPE # Filtered

person: Holger Amberg
address: Keyweb AG
address: Neuwerkstrasse 45/46
address: 99084 Erfurt
address: Germany

abuse-mailbox:
phone: +49 361 658530
fax-no: +49 361 6585366
nic-hdl: MERO-RIPE
mnt-by: KEYWEB-MNT
source: RIPE # Filtered

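An added example, not code from the thread or from any of the whois services it names, of the point DrDebug makes in replies #15 and #23: a proper whois returns the ISP-level assignment (inetnum/netname/mnt-by) that actually covers the address, and that, not the RIR's top-level block, is where an abuse report belongs. The code parses RPSL-style output of the kind quoted in reply #23 and reports the covering assignment, whether it sits inside the /8 the ARIN referral in reply #21 shows as allocated to RIPE NCC, and the contact to use. The sample record is constructed from the values quoted in reply #23; the record in the thread has an empty abuse-mailbox, so an `e-mail` line with the placeholder `noc@example.invalid` is added here purely to show the fallback. `parse_rpsl`, `covering_assignment`, `abuse_contact` and `summarize` are hypothetical names.

```python
import ipaddress

# Constructed sample based on the RIPE records quoted in reply #23. The
# abuse-mailbox attribute is empty, as in the thread; the e-mail line is a
# placeholder added here to exercise the fallback and is not a real contact.
SAMPLE_WHOIS = """\
inetnum:        84.19.176.0 - 84.19.191.255
netname:        DE-KEYWEB-II
descr:          Keyweb AG IP Network
country:        DE
admin-c:        MERO-RIPE
tech-c:         MERO-RIPE
status:         ASSIGNED PA
mnt-by:         KEYWEB-MNT
source:         RIPE # Filtered

person:         Holger Amberg
address:        Keyweb AG
address:        Neuwerkstrasse 45/46
address:        99084 Erfurt
address:        Germany
abuse-mailbox:
e-mail:         noc@example.invalid
phone:          +49 361 658530
fax-no:         +49 361 6585366
nic-hdl:        MERO-RIPE
mnt-by:         KEYWEB-MNT
source:         RIPE # Filtered
"""


def parse_rpsl(text):
    """Split RPSL output into blank-line separated objects of key -> [values].
    Repeated keys such as 'address' keep every value; '#' starts a comment."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_bounds(obj):
    """Turn 'a.b.c.d - e.f.g.h' into a pair of address objects."""
    lo, _, hi = obj["inetnum"][0].partition("-")
    return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())


def covering_assignment(objects, ip):
    """Return (lo, hi, object) for the smallest inetnum containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for obj in objects:
        if "inetnum" not in obj:
            continue
        lo, hi = inetnum_bounds(obj)
        if lo <= addr <= hi:
            if best is None or int(hi) - int(lo) < int(best[1]) - int(best[0]):
                best = (lo, hi, obj)
    return best


def abuse_contact(objects, assignment):
    """Follow the assignment's admin-c handle to its person object and prefer
    abuse-mailbox over e-mail, skipping attributes that are present but empty."""
    handle = assignment.get("admin-c", [None])[0]
    for obj in objects:
        if obj.get("nic-hdl", [None])[0] != handle:
            continue
        for key in ("abuse-mailbox", "e-mail"):
            values = [v for v in obj.get(key, []) if v]
            if values:
                return values[0]
    return None


def summarize(text, ip, rir_block):
    """Which ISP assignment covers ip, does it sit inside the RIR's top-level
    block, and where do complaints go. Returns None if nothing covers ip."""
    objects = parse_rpsl(text)
    hit = covering_assignment(objects, ip)
    if hit is None:
        return None
    lo, hi, obj = hit
    return {
        "netname": obj["netname"][0],
        "range": f"{lo}-{hi}",
        "maintainer": obj["mnt-by"][0],
        "inside_rir_block": ipaddress.ip_address(ip) in ipaddress.ip_network(rir_block),
        "abuse": abuse_contact(objects, obj),
    }


if __name__ == "__main__":
    # 84.0.0.0/8 is the block reply #21's ARIN referral shows as allocated to RIPE NCC.
    print(summarize(SAMPLE_WHOIS, "84.19.182.23", "84.0.0.0/8"))
```

The `inside_rir_block` field is what the cheap whois in reply #21 stopped at: the address is inside the /8 delegated to RIPE NCC, but the assignment that matters is the /20-sized Keyweb block with its own maintainer and contact. The empty `abuse-mailbox` in the quoted record is a realistic wrinkle, which is why the lookup skips blank attributes rather than returning an empty string.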
 
DS1 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat May-13-06 07:45 PM
Response to Original message
30. The LAST thing you'd want to do is link to their blog at a time of DDoS
attacks. Now you'll have a fuckload of DU referrer IPs logged by the ISP.
 
file83 Donating Member (1000+ posts) Send PM | Profile | Ignore Sun May-14-06 01:36 PM
Response to Reply #30
31. It's not a DDoS attack - it's a bot of some sort dumping comments
automatically into his Haloscan threads twice a minute. It's disrupting conversation but not the actual blog itself.
 