On 15 Jul 2013, at 03:20, Ramiro Morales <[email protected]> wrote:

> Would it be worth looking at the web server log to see if these comments
> were effectively created by HTTP POST requests at all?

As far as I can tell, the spammer is using regular requests. While he has a 
browser-like user-agent, he's using HTTP/1.0, which shows he's scripted the 
requests. He's doing a GET, a POST and a GET every time. The first GET is 
necessary to get the CSRF token. The POST sends the spam. The last GET is 
probably just his HTTP library following the redirect.

Here are three such sequences from the Apache log. Note how the page gets a bit 
longer each time :)

[13/Jul/2013:15:34:13 -0500] "GET /ticket/542 HTTP/1.0" 200 51651 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
[13/Jul/2013:15:34:14 -0500] "POST /ticket/542 HTTP/1.0" 303 - "https://code.djangoproject.com/ticket/542" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
[13/Jul/2013:15:34:14 -0500] "GET /ticket/542 HTTP/1.0" 200 54977 "https://code.djangoproject.com/ticket/542" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"

[13/Jul/2013:15:42:11 -0500] "GET /ticket/542 HTTP/1.0" 200 54978 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
[13/Jul/2013:15:42:12 -0500] "POST /ticket/542 HTTP/1.0" 303 - "https://code.djangoproject.com/ticket/542" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
[13/Jul/2013:15:42:14 -0500] "GET /ticket/542 HTTP/1.0" 200 58257 "https://code.djangoproject.com/ticket/542" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

[13/Jul/2013:16:14:40 -0500] "GET /ticket/542 HTTP/1.0" 200 47935 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
[13/Jul/2013:16:14:41 -0500] "POST /ticket/542 HTTP/1.0" 303 - "https://code.djangoproject.com/ticket/542" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
[13/Jul/2013:16:14:42 -0500] "GET /ticket/542 HTTP/1.0" 200 50487 "https://code.djangoproject.com/ticket/542" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"

The times strictly match the following messages on django-updates:

Re: [Django] #542: zefmqsxrqktt (was: imcnwbmqlnwi)
Re: [Django] #542: rvlapxtbimtb (was: zefmqsxrqktt)
Re: [Django] #542: lkzeinjqusly (was: [patch] Add an "or cancel" link to add, edit, and delete admin views.)

To sum up, I've reached roughly the same conclusions as you and I'm out of 
ideas.

-- 
Aymeric.
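
Added example, not part of the original message: a small log scan for the pattern described above, a GET, a POST answered with 303, and a second GET, all sent over HTTP/1.0 with a browser-like user-agent to the same path within a few seconds. The function names, the 10-second window, the shortened user-agents and the sample lines are assumptions made for illustration; runs are keyed on user-agent and path because the quoted log lines carry no client address.

```python
import re
from datetime import datetime, timedelta

# Trimmed format quoted in the message: [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)" '
                     r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
REF = "https://code.djangoproject.com/ticket/542"
BOT1, BOT2 = "Mozilla/5.0 (Windows NT 6.1; ru) Firefox/4.0", "Mozilla/4.0 (compatible; MSIE 7.0)"
REAL = "Mozilla/5.0 (X11; Linux) Firefox/22.0"
# Constructed sample modelled on the excerpt above (shortened user-agents, not real log data).
SAMPLE_LOG = f"""\
[13/Jul/2013:15:34:13 -0500] "GET /ticket/542 HTTP/1.0" 200 51651 "-" "{BOT1}"
[13/Jul/2013:15:34:13 -0500] "GET /ticket/542 HTTP/1.1" 200 51651 "-" "{REAL}"
[13/Jul/2013:15:34:14 -0500] "POST /ticket/542 HTTP/1.0" 303 - "{REF}" "{BOT1}"
[13/Jul/2013:15:34:14 -0500] "GET /ticket/542 HTTP/1.0" 200 54977 "{REF}" "{BOT1}"
[13/Jul/2013:15:35:02 -0500] "POST /ticket/542 HTTP/1.1" 303 - "{REF}" "{REAL}"
[13/Jul/2013:15:35:02 -0500] "GET /ticket/542 HTTP/1.1" 200 55200 "{REF}" "{REAL}"
[13/Jul/2013:15:42:11 -0500] "GET /ticket/542 HTTP/1.0" 200 54978 "-" "{BOT2}"
[13/Jul/2013:15:42:12 -0500] "POST /ticket/542 HTTP/1.0" 303 - "{REF}" "{BOT2}"
[13/Jul/2013:15:42:14 -0500] "GET /ticket/542 HTTP/1.0" 200 58257 "{REF}" "{BOT2}"
"""

def parse(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {**m.groupdict(), "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_scripted_posts(log_text, window=timedelta(seconds=10)):
    """Return (path, POST time, page growth in bytes) for each scripted GET, POST, GET run."""
    pending, hits = {}, []
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["ver"] != "1.0" or not rec["ua"].startswith("Mozilla/"):
            continue  # HTTP/1.0 with a browser-like UA is the tell the message describes
        key = (rec["ua"], rec["path"])  # assumption: no client IP in the trimmed lines
        seq = pending.get(key, [])
        if seq and rec["ts"] - seq[0]["ts"] > window:
            seq = []  # stale partial run, start over
        if rec["method"] == ("GET", "POST", "GET")[len(seq)]:
            seq = seq + [rec]
        else:
            seq = [rec] if rec["method"] == "GET" else []
        if len(seq) == 3:
            first, post, last = seq
            if post["status"] == "303" and first["size"].isdigit() and last["size"].isdigit():
                hits.append((rec["path"], post["ts"].isoformat(), int(last["size"]) - int(first["size"])))
            seq = []
        pending[key] = seq
    return hits
```

The third field of each hit is the difference in response size between the two GETs, which is the "page gets a bit longer each time" effect noted above.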
