Thread: Administrative and Maintenance Tools - vbStopForumSpam - known spammer lookup for new registrations
  #875  
01-31-2010, 10:33 PM
skippybosco
 
Join Date: Sep 2007
Posts: 117

That IP address 192.18.8.1 is in the StopForum database only once, so a frequency filter would have prevented this from registering for site admins that are more sensitive to the risk of a "false positive".

That being said, a quick Google search on 192.18.8.1 makes it very clear that IP address, while it may be registered to Sun Microsystems, is not being used just for business purposes. Given the multiple users that appear to be posting from that IP address to various social forums, my guess was that it is a proxy server or shell server.

Then I started looking into some of the posts:

Luzhou Guestbook Spam

Quote:
Originally Posted by tolqxkmuksg IP:192.18.8.1 2010-1-16 15:33:59
zL81L8 <a href="http://snmljcfzmtft.com/">snmljcfzmtft</a>, url=http://gzvucjsmhtut.com/]gzvucjsmhtut, =http://kuwbknfzbuwl.com/]kuwbknfzbuwl, nbyroolbkvfc.com

Korean University Forum Spam

Quote:
Originally Posted by (192.18.8.1) 2010-1-19 2:48:35 acomplia
comment6, zyprexa, viagra, phentermine blue, levitra, zyprexa 5mg, protonix pricing, buy lipitor, discount cigarette, advair diskus generic, cheap american cigarettes, exact replica watches,

Thailand Message Board Spam

Quote:
Originally Posted by ความคิดเห็นที่ 2010-01-18 16:13 from 192.18.8.1
zoloft, zyprexa, phentermine diet aid, pfizer viagra, acomplia, buy effexor, cialis, herbal replacement for plavix, klonopin, singulair, advair, rimonabant 180 pills, nexium cost, pill propecia,

Shopping Site Feedback Spam

Quote:
Originally Posted by exact replica watches 2010-01-18 10:56:20 (192.18.8.1)
reductil, buy zoloft, doxycycline online, who makes meridia in mexico, lipitor, cialis bloody nose, plavix, buy discount cialis, discount cigarette, singulair, accutane

...and the list goes on for pages.

And in case you're wondering *why* or *how* this could be happening to an IP address that is registered by Sun Microsystems and whose employees confirm this?

That is because this is a shell server that was compromised in November 2009 and access to various "Premium Accounts" on it is being sold online to spammers, including the root account.

http://www.neararsan.org/karisik-pre...-t266276.html?

Quote:
root SUN-0E4C8F148DB 2009-05-26 16:47:26 192.18.8.1
darinjanke SUN-0E4C8F148DB 2009-05-26 16:47:26 192.18.8.1
darinjanke SUN-0E4C8F148DB 2009-05-26 16:47:26 192.18.8.1
hd226724 SUN-0E4C8F148DB 2009-05-26 16:47:25 192.18.8.1
....etc

This took roughly 2 minutes of investigation to find using just Google.

Quote:
Originally Posted by imported_skillroad
We apologized and disabled IP checking. I doubt we will turn it on again, and may consider de-installing the mod. False positive blocks are not acceptable to us. The Stop Forum Spam db is polluted.

As I said in previous posts, there is a chance that someone maliciously or accidentally enters a legitimate IP address. There are existing tools to help reduce the risk of false positive on an Admin as well as more long term things such as the reputation system that Pedigree alluded to.

That being said, it is a community of Admins. It is give and take. For the thousands of spammers that don't make it on your site (and the time you save not having to clean up their mess) we ask that you add spammers that do make it back to the database. While there are other sources of the data (honeypots, etc.), if Admins deinstalled the mod every time a spammer wasn't in the database, the service would shut down and the spammers will have won (oh the humanity!).

The same is true for invalid IP addresses in the database (should there be any). If an admin identifies an erroneous IP, the hope is that they should report it back to Stop Forum Spam to help clean the database up for everyone. While we're working to make that an easier process (and automated validation, etc.), again the time you save NOT having to clean up thousands of spammers should more than make up for the time it takes to report a false positive.
Reply With Quote
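The frequency filter mentioned in the post above, sketched as an added example (not part of the original post and not the vbStopForumSpam mod's own code). It assumes a StopForumSpam-style JSON lookup result with `appears`, `frequency` and `lastseen` fields; the function name, thresholds and sample responses are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample lookup results (illustrative values, not real database entries).
SINGLE_REPORT = {"success": 1,
                 "ip": {"appears": 1, "frequency": 1, "lastseen": "2010-01-20 09:15:00"}}
REPEAT_OFFENDER = {"success": 1,
                   "ip": {"appears": 1, "frequency": 42, "lastseen": "2010-01-19 02:48:35"},
                   "email": {"appears": 1, "frequency": 7, "lastseen": "2010-01-18 16:13:00"}}
STALE_ENTRY = {"success": 1,
               "ip": {"appears": 1, "frequency": 50, "lastseen": "2008-03-01 00:00:00"}}
CLEAN = {"success": 1, "ip": {"appears": 0, "frequency": 0}}


def evaluate_registration(response, now, min_frequency=3, max_age_days=90):
    """Return (decision, reasons); decision is 'block', 'moderate' or 'allow'.

    A hard block needs a listing that is both frequent and recent. A single
    or stale report only routes the signup to manual review, which limits the
    damage from one mistaken or malicious database submission.
    """
    if not response.get("success"):
        # A failed lookup is not evidence of spam: review, do not block.
        return "moderate", ["lookup failed"]
    decision, reasons = "allow", []
    for field in ("ip", "email", "username"):
        entry = response.get(field)
        if not entry or not entry.get("appears"):
            continue  # not listed under this field
        freq = int(entry.get("frequency", 0))
        fresh = False
        if entry.get("lastseen"):
            last = datetime.strptime(entry["lastseen"], "%Y-%m-%d %H:%M:%S")
            fresh = (now - last) <= timedelta(days=max_age_days)
        if freq >= min_frequency and fresh:
            decision = "block"
            reasons.append(f"{field}: {freq} reports, seen recently")
        else:
            if decision != "block":
                decision = "moderate"
            reasons.append(f"{field}: weak listing (frequency={freq}, fresh={fresh})")
    return decision, reasons


if __name__ == "__main__":
    now = datetime(2010, 1, 31, 22, 33)
    for name, resp in [("single", SINGLE_REPORT), ("repeat", REPEAT_OFFENDER),
                       ("stale", STALE_ENTRY), ("clean", CLEAN)]:
        print(name, evaluate_registration(resp, now))
```

With these thresholds a listing reported only once is held for review rather than rejected, so an admin still sees it and can report it back if it turns out to be erroneous.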
 