by   November 02 2011   
Tracking the Tracker appid: domaintraker. When Traker meets XCtM Tracking with ease.

Today let's take a quick look at how to identify a bad AppEngine app, and/or an AppEngine app that can be abused without the owner/creator of the app knowing. There is a report-abuse form, but until we can post using an app... It offers training...

appid: domaintraker

Not to be confused with the dot com version. At least I don't think they are the same.

Is it appid: domaintraker or is it a spoofed useragent?

In my book it doesn't matter because monitoring starts at the last IP address.

Spam comes in and spam goes out: monitor your outbound content and you might decrease the amount of spam your server actually delivers.

Google AppEngine doesn't promote spam, and it is against their terms of service. But, spoofed or not, the last IP address was a Google IP address.

So what do you do in a case like this? Do you ban the community shared IP address from the AppEngine server? Do you ban only the useragent? What would be the best method to use?

In my case it's always the last hop in the IP channel.

Before I get into more questions of "How" and "Why", let me share with you what the spammer actually did on my site using the AppEngine server as its connection location.


Here's the first report the XCtM Project 2.0 monitored and recorded.

-----

Report Date: 8/7/2011 4:32:41 AM

XCtM Triggered by IP: 209.85.224.84

1. First Trigger: .splinder.com (Known for Spam advertisements)

Next we checked to see what useragent was used and what location in the world the connecting IP address was located in.

2. Useragent: mozillawindows nt 5.1; sv1) appengine-google; (+http://code.google.com/appengine; appid: domaintraker)

3. Referrer: 209.85.224.84

Report Date: 8/7/2011 4:32:45 AM

Just 4 seconds later we have another spam attempt from the same IP address.

Now the XCtM scripts have banned this connection and report follow-up information.

Useragent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1) appengine-google; (+http://code.google.com/appengine; appid: domaintraker)

The useragent is different when compared to the first spam posting attempt.

This should give you a good idea that it's not really the application domaintraker spamming your site; rather, the AppEngine server itself seems to be allowing a spammer to spam via proxy.

I know, the wording I used isn't the best, but it works for now. I can't point a finger at the coder's app at this point. It's pointed at a proxy-type access issue on the server network the AppEngine runs from. (In my opinion.)

Next.

Report Date: 8/18/2011 1:33:25 AM

Now, 11 days later, early one morning, the IP and useragent once again match our banned list.

Useragent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1) appengine-google; (+http://code.google.com/appengine; appid: domaintraker)

The query post wasn't the typical pharma spam we see but a search using our site's search-by-company field. The posts are normally complete with spam content, but this time it wasn't.

The 8/18 post attempt actually could be someone using a mobile application. But because it was still the domaintraker appid from the same IP, the odds are better that this was once again a spam attempt; either way, the XCtM script blocked the attempt on arrival.
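As an added illustration (not the XCtM scripts or the author's code) of the rule above, that the decision is made on the last-hop IP while the claimed appid and useragent are only recorded as evidence, here is a small Python review over a constructed log of the three reports. The post bodies, the spam marker list and the unbalanced-parenthesis check are assumptions, not something the reports state.

```python
import re
from collections import defaultdict

# Signature of a Google App Engine URL-fetch request; the appid names the
# application that (supposedly) made the request.
APPENGINE_UA = re.compile(r"appengine-google;\s*\(\+http://code\.google\.com/appengine;"
                          r"\s*appid:\s*([^)\s]+)\)", re.IGNORECASE)

def parse_appid(user_agent):
    """Return the appid claimed in an AppEngine-Google user agent, or None."""
    m = APPENGINE_UA.search(user_agent)
    return m.group(1) if m else None

def looks_malformed(user_agent):
    """True if the browser part before the appengine-google token has unbalanced
    parentheses (assumed here to mark a hand-built header, as in the first report)."""
    prefix = user_agent.lower().split("appengine-google", 1)[0]
    return prefix.count("(") != prefix.count(")")

def review_hits(hits, spam_markers):
    """Apply the post's rule: decide on the last-hop IP. A hit carrying a spam marker
    bans its IP; later hits from it are blocked whatever appid/UA they claim."""
    banned, decisions = set(), []
    evidence = defaultdict(lambda: {"appids": set(), "uas": set(), "malformed": 0})
    for when, ip, ua, body in hits:
        ev = evidence[ip]
        ev["appids"].add(parse_appid(ua))
        ev["uas"].add(ua)
        ev["malformed"] += looks_malformed(ua)
        if ip in banned:
            decisions.append((when, "blocked: banned ip"))
        elif any(marker in body.lower() for marker in spam_markers):
            banned.add(ip)
            decisions.append((when, "banned: spam marker"))
        else:
            decisions.append((when, "allowed"))
    return decisions, dict(evidence)

# Constructed sample log modelled on the three reports above. The two useragents are
# the ones logged; the bodies are assumed (only the .splinder.com trigger is named).
UA_TRUNCATED = ("mozillawindows nt 5.1; sv1) appengine-google; "
                "(+http://code.google.com/appengine; appid: domaintraker)")
UA_FULL = ("mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1) appengine-google; "
           "(+http://code.google.com/appengine; appid: domaintraker)")
SAMPLE_HITS = [
    ("8/7/2011 4:32:41 AM", "209.85.224.84", UA_TRUNCATED, "buy now http://x.splinder.com/"),
    ("8/7/2011 4:32:45 AM", "209.85.224.84", UA_FULL, "buy now http://x.splinder.com/"),
    ("8/18/2011 1:33:25 AM", "209.85.224.84", UA_FULL, "search by company: acme"),
]
```

Calling `review_hits(SAMPLE_HITS, ["splinder.com"])` bans the IP on the first hit and blocks the next two, while the evidence for that IP shows one appid, two distinct useragents and one malformed header.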

I still feel the servers can monitor better without major issues with the apps.

I would suggest registered apps be assigned static IPs. I believe that is actually a discussion topic in the Coders Group forums.

During the research no proxy using standard ports was detected.

The How and Why questions may only be answered when I develop an app and host it on the appengine server and attempt to spam myself. If only I had more time.

XCtM 1.9: non-commercial version for commercial sites.

XCtM 2.0: the commercial version we use on many sites to gather spam reports. It is managed by us, cleared and checked often, and spam listings that do not repeat within 180 days are removed.
