Just in the last couple of days I have noticed a huge increase in the number of spambots hitting my site. They are coming in from all different IP addresses, which resolve to dialup, cable or DSL accounts. And they all give the same browser signature: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)". Also, they all come in directly to a guestbook or forum on the site (and then promptly fall into the trap). These things put together make me think that this is some kind of virus that is spreading and turning the host computers into spambots, working via search engines to find likely looking pages for email addresses and/or posting guestbook spam (a few of them have been trying to post, but are stymied by the preview step). You can see a number of the latest log snapshots here: <snip>
This is a little scary because it's getting worse - today my block list has over 180 addresses. They will fall off over time, since the trap adapts to how many times a given IP address falls into the trap (the block time rises as the number of offences to the power of 2). But the steady increase makes me concerned about how far this will go. I think the server can handle it, but I don't know what effect hundreds or thousands of blocks have on server performance (using iptables on AMD64 Linux, dual Opteron 265, so plenty of CPU horsepower to spare in theory). I don't think they are specifically targeting my site, since there would be far more effective ways to attack a specific host, using DDoS SYN packet methods. So I really believe they are using search engines and simply blitzing the place looking for guestbooks and forums.
I am wondering if anybody else is experiencing this on their websites?
Thanks,
/Neil
[edited by: trillianjedi at 1:29 pm (utc) on Oct. 20, 2006]
[edit reason] No specifics or URL's please... [/edit]
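The adaptive block schedule described in the post (block time growing with the square of the offence count, so entries age off the list) can be replayed over an access log. This is an added example, not the poster's trap code; the trap path, the 10-minute base unit, the combined log format and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions (not from the post): trap URL, base block unit, log format.
TRAP_PATH = "/guestbook/trap.cgi"
BASE_BLOCK = timedelta(minutes=10)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+')

# Constructed sample lines using documentation IP ranges, not real traffic.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_LOG = [
    f'192.0.2.10 - - [20/Oct/2006:10:00:00 +0000] "GET {TRAP_PATH} HTTP/1.1" 200 512 "-" "{UA}"',
    f'198.51.100.7 - - [20/Oct/2006:10:05:00 +0000] "GET {TRAP_PATH} HTTP/1.1" 200 512 "-" "{UA}"',
    f'203.0.113.5 - - [20/Oct/2006:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "{UA}"',
    f'192.0.2.10 - - [20/Oct/2006:10:30:00 +0000] "GET {TRAP_PATH} HTTP/1.1" 200 512 "-" "{UA}"',
]

def block_duration(offences):
    """Block time rises as the offence count to the power of 2."""
    return BASE_BLOCK * offences ** 2

def replay(lines):
    """Return (offence counts, block expiry per IP) after replaying the log."""
    offences = defaultdict(int)
    blocked_until = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, path = m.groups()
        if path != TRAP_PATH:
            continue  # only trap hits count as offences
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        offences[ip] += 1
        blocked_until[ip] = when + block_duration(offences[ip])
    return offences, blocked_until

def active_blocks(blocked_until, now):
    """IPs whose block has not yet expired at `now`; this is the live block list."""
    return sorted(ip for ip, until in blocked_until.items() if until > now)

if __name__ == "__main__":
    counts, until = replay(SAMPLE_LOG)
    now = datetime(2006, 10, 20, 10, 45, tzinfo=timezone.utc)
    for ip in active_blocks(until, now):
        print(f"{ip}: offences={counts[ip]} blocked until {until[ip].isoformat()}")
```

Running the replay at several points in time shows how large the live block list is at any moment, which is the number that matters for firewall rule count.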