Re: Denial of service attack from "imagelock.com"

[Roger Marquis <marquis () roble com>]

On Sat, May 22, 1999 at 06:40:20PM -0700, David Babler wrote:
> > On Sat, May 22, 1999 at 11:05:28AM -0600, Brett Glass wrote:
> > > This morning, someone at the domain "imagelock.com" apparently launched a 
> > > denial of service attack against a Web server I administer. The abuser was 
> > imagelock.com has been banned from my web servers ever since they 
> > initiated a DoS attack against me a few months ago.  Basically, they
> > download every accessible file on a website.  The company's MO is to
>
> Their web client also gleefully ignores robots.txt as well, and spent 2
> hours here chasing web poisoned pages - apparently quitting only when it
> didn't find any images to fingerprint. So they're now blocked here at the
> firewall too - thanks for the heads-up. Wonder how much they can sell
> their service for when they find they don't have access to poke around?

Great information!  Thanks Brett.  I checked our httpd logs and
immediately found several thousand hits from this subnet, which is now
filtered.

Imagelock could be another name for Cyveillance.com.  We saw an
identical pattern 2 months ago from another IP which had/has no reverse
DNS.  The domain turned out to be Cyveillance and their ISP was (at the
time) Digex.net who forwarded our complaint and followed up twice.
Thank you Digex!

After 3 complaints to Digex and Cyveillance we finally received this
response from Cyveillance:

> Recently Digex, our internet provider, forwarded your inquiry regarding
> visits to your site from 207.87.178.66.
>
> We provide companies with brand protection services on the internet. To
> accomplish this goal we employ search engines / web crawlers to scan the
> internet. We are in no way involved with the creation of unsolicited
> commercial email. Please see our web site at http://www.cyveillance.com
> where you can learn more about our company and what we do.
>
> It appears we crawled your web site as part of our general web search, and
> crawled your mailto directories as part of that search. We hope we didn't
> cause you any inconvenience.
>
> If you have any questions, don't hesitate to contact me.
>
> Paul K. Witting
> Manager of Information Systems
> Cyveillance - Intelligent Internet Surveillance
> PWitting () Cyveillance com
> (703) 519-4212

However they never did stop scanning our subnets until we filtered
their subnet at 207.87.178.

This subnet still has no reverse DNS however `whois` shows Cyveillance
is now a customer of imaphost.com and namesecure.com.  "imaphost.com"
is already in our IP filter list (all 27 lines of it) for previous HTTP
abuses however namesecure.com is not.  

Call me paraniod but it sure looks like another Cyveillance attempt to
cover their tracks.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/