eclecticism

I’ve got a fan!

Website 02/25/2004 |

In January of 2003, I put up a post pointing out Jakob Nielsen’s ‘Top ten web design mistakes’. Though his advice is generally aimed more at commercial sites than personal sites, many of the concepts will cary over from one to the other, so I used the list to evaluate my own site and see how I was doing.

That March, a visitor by the name of ‘Deakster’ [Deakster’s site may come up with a ‘403 forbidden’ error if you attempt clicking on his link, as I think he may be denying any visitors referred by my website.] came by the page and left a mildly snide comment about Nielsen and his company. Not in itself a big deal, but when I visited the URL left by Deakster, I found that his own site was coded in such a way as to require Internet Explorer, and would not load for me using Safari on my Mac or Mozilla on my PC. I mentioned this in a reply comment, that was that, and I didn’t think any more of it.

Last week, almost a year since he left his original comment, Deakster came back. This time, apparently incensed by my reply to his first comment, he took it upon himself to critique myself and one of my sites (specifically, what little is left at djwudi.com) in two comments left back-to-back.

Needless to say, I was a little amused by this (not just that he attempted to take me to task, and that he did so quite poorly, but mostly that he came back nearly a full year after his last and only previous comment to my site), and responded in turn. Again, Deakster wasn’t thrilled, started to leave more comments, but soon requested that I remove all of his comments from the page, declaring that he “no longer wanted to be associated with the site.”

Unfortunately, I wasn’t actually at my computer when his request first came through, so twenty minutes later he made the same request again.

It wasn’t long after that that I did get the message, however, and while I didn’t remove the comment placeholders from the page (I saw no reason to remove my comments, and as they were replies to his, I didn’t like the idea of out-and-out deleting his comments and ‘orphaning’ mine). I did, however, remove the text of his comments, indicating that I had done so at his request.

Apparently that wasn’t good enough.

I now have 75 bogus trackback pings on that post, courtesy of my new friend, with messages such as “Michael is a first class prick and should keep his mouth shut,” “Take on a haxor an end up with an app that autopost shit to yer crap site,” “Your blog aint sexy and neither is your bald spot,” “Why are yanks such fools — cause they are all like Michael,” and his final ultimatum, “Had enough Michael — i will leave it if you delete everything I want deleting and I mean everything.”

Why, I do believe I’m being harassed, ladies and gentlemen.

All of Deakster’s comments over the past few days and every one of the bogus TrackBack pings has come from IP address 81.152.149.121. Unfortunately, while I could ban that IP address from commenting, I don’t believe that there is currently a way to ban TrackBack pings by IP.

So what now?

Obviously, I certainly could “delete-everything-i-want-deleting-and-i-mean-everything” all of Deakster’s comments (and TrackBack pings) easily enough, but something tells me that he’ll likely not be satisfied until I also expunge my reply (which contains quotes from his comments) also, which I’m in no great hurry to do (hey, I had fun responding to his attacks…). Besides, giving in to script kiddies (a category I wouldn’t have put Deakster in until I got the TrackBack ping flood) isn’t my idea of a good time.

« Biosphere | Irony, copyright, and site design »

36 Responses to “I’ve got a fan!”

Firas Says:
February 25th, 2004 at 5:33 pm
You’ve got other sorts of fans, too, apparently… http://www.scamcity.co.uk/journal. Oh man, I’m just itching for the day I’m famous enough to be cyber-harassed and have style stolen!!
Chas Redmond Says:
February 25th, 2004 at 5:35 pm
Traceroute has started …

traceroute to 81.152.149.121 (81.152.149.121), 30 hops max, 40 byte packets 1 c-67-170-71-1 (67.170.71.1) 59.037 ms 39.126 ms 12.956 ms 2 c-67-170-71-1 (67.170.71.1) 15.656 ms 12.244.82.129 (12.244.82.129) 13.575 ms 12.611 ms 3 12.118.106.5 (12.118.106.5) 21.08 ms 15.713 ms 13.8 ms 4 tbr2-p013802.st6wa.ip.att.net (12.122.5.158) 13.894 ms 40.43 ms 14.61 ms 5 tbr2-cl1.cgcil.ip.att.net (12.122.10.61) 59.634 ms 56.864 ms 56.387 ms 6 tbr2-cl7.sl9mo.ip.att.net (12.122.10.46) 70.276 ms 70.694 ms 69.503 ms 7 tbr1-cl2.sl9mo.ip.att.net (12.122.9.141) 67.898 ms 74.546 ms 66.607 ms 8 tbr1-cl4.wswdc.ip.att.net (12.122.10.29) 83.272 ms 80.177 ms 79.759 ms 9 gar1-p340.abnva.ip.att.net (12.123.217.10) 86.984 ms 90.161 ms 93.569 ms 10 12.119.141.34 (12.119.141.34) 84.786 ms 81.5 ms 84.714 ms 11 t2c2-ge6-1.us-ash.eu.bt.net (166.49.208.218) 161.252 ms 164.926 ms 159.903 ms 12 t2c2-p4-0.uk-eal.eu.bt.net (166.49.164.21) 158.162 ms 157.321 ms 156.903 ms 13 t2c1-ge6-0.uk-eal.eu.bt.net (166.49.208.33) 158.473 ms 154.602 ms 155.674 ms 14 166-49-168-14.eu.bt.net (166.49.168.14) 162.908 ms 162.201 ms 162.439 ms 15 core1-pos4-2.ealing.ukcore.bt.net (194.72.9.233) 157.441 ms 155.028 ms 155.141 ms 16 core1-pos15-1.bletchley.ukcore.bt.net (194.74.16.154) 159.129 ms 160.105 ms 157.31 ms 17 core1-pos5-2.manchester.ukcore.bt.net (195.99.120.222) 164.321 ms 171.338 ms 173.361 ms 18 bar1-pos8-0.manchester.broadband.bt.net (194.72.2.194) 163.89 ms 161.587 ms 160.351 ms 19 81.146.241.163 (81.146.241.163) 164.753 ms 173.262 ms 166.146 ms 20 rase3nrp3.manchester.broadband.bt.net (217.32.9.76) 160.712 ms 161.356 ms 162.226 ms

It looks like the bloke is from Manchester. They’re known pranksters and known also to have vile tempers and be very close to the missing link. I wouldn’t do anything he wants, would leave all the original messages up and ask everyone to just start synflooding the guy. Why are you being kind to this throwback?
Stacy Says:
February 25th, 2004 at 6:02 pm
Didn’t somebody try to steal your site design not too long ago? Some people are just so unoriginal. Anyways, Deakster (forevermore known as the Mad Mr. Manchester-ite) is a buffoon. Yes, I just used to word buffoon. I say leave his stuff on. This is your website, it is your content, and if folks decide to leave comments in your blog, it becomes your property. After he clicks that submit button, whatever he spewed belongs to you. It is entirely up to you whether whether you can stand the icepick-under-toenail-like irritation that our Mad Mr. Manchesterite has to offer…it’s not even very good irritation. Eurotrash imitation: He iz like ze buzzing of flies!
Julian Says:
February 25th, 2004 at 6:28 pm
Seems to me he’s in violation of his domain registrar easily.co.uk. From their terms, and I quote:

1.1 The Customer shall not use any domain name registered by Easily on behalf of the Customer to communicate, reproduce, transmit, store or knowingly receive any material that is offensive, abusive, indecent, defamatory, obscene, menacing or in breach of confidence or which infringes the Intellectual Property Rights of any third party.

From some of the trackbacks, I’d say if you get annoyed by him, they’re the ones to contact.
Jonas M Luster Says:
February 25th, 2004 at 6:33 pm
You’ve got other sorts of fans, too, apparently… Hey, I think I’ll rip off Michael’s design, too. How about an annual “look like michaelhanscom.com” day? Should be fun. I’ll even play Depeche Mode while I rip the design
Nikonius Blog Says:
February 25th, 2004 at 8:38 pm
Net Biscuit Heads

There is only one thing I hate more than Script Kiddies. It is elitist hacker wannabes who know a little code and think they are a fear inspiring force on the net. One such creature has been a guy who goes by FS HOTharassing a friend of mine, Michael H…
Royce Says:
February 25th, 2004 at 9:04 pm
I’m sure that BT would be very interested to hear from you about Deakster’s behavior, especially considering that you’ve got some nice timestamped logs with his IP address in them.
```
$ whois -h whois.ripe.net 81.152.149.121 | grep abuse | head -1
remarks:      * Please send abuse reports to abuse@bt.net  *
```
Not to mention the fact that their acceptable use policy clearly indicates that harassment and profanity are right out.

Be sure to tell them what time zone you’re in so they look in their authentication logs to match up a login with that IP at that time.
Dan Says:
February 26th, 2004 at 6:31 am
Got .htaccess? Just ban him from there. It’s certainly an easy approach. Instructions.
Andy Glover Says:
February 26th, 2004 at 6:31 am
Been reading for a while, but this is the first comment WOO-HOO.

It’s not just YOUR referres he’s blocking but anyone not using IE 4.0 and up. From his site: News: Non IE 4 and above are banned from my site: February 23rd 2004: If some lamer tries to access FS HOT’s site with a browser such as SnideScape; usually found on Apple macs; then they will be greeted with the following message:-

Stop!

You are Unauthorised to view this website due to your inferior browser.

Download IE6 for PC | Download IE5 for MAC

This is because I am sick to death of people from the W3 crowd moaning about my site having layers, style sheets and java-script, so I have banned every single one of the brain dead backward morons by simply redirecting their browsers to a simple web page that even their sad browsers can read. ______________

Think he may have been thinking of you when he made that change?
Dan Says:
February 26th, 2004 at 6:36 am
Having just read Andy Glover’s comment, I’m itching to try visiting Deakster’s site from my home PC running Fedora and the Konqueror browser!
Royce Says:
February 26th, 2004 at 7:52 am
The Deakster (whose name may be Phil Debin or possibly Antony/Anthony Brown — though this may just be a buddy of his) appears to be about 26 and is apparently pretty bitter about Jakob Nielsen’s work for good reason. In this thread he gets raked over the coals a bit for the poor web design of his “DEDICATED TO DOS” site back in 2000. Someone had the gall to mention useit.com to support their argument. Voila! Instant jihad!

Checking out his site for myself, I found things getting better (or worse, depending upon your perspective) at every turn, and just had to ignore the “DO NOT FEED THE TROLL” sign. It’s not to correct him; he will continue to build thicker and thicker walls to keep reality at bay. I just got fixated on finding the holes. A couple of juicy bits:

You need an updated CODEC […]

Traditionally, the all-caps form indicates that each letter stands for a different word. I wonder what “CODEC” stands for? Maybe he means codec. Maybe he could download a new “CODEC” for his “MODEM.”

FS HOT’s latest online tool “What`s My IP” […] new online tools […] that aren’t found anywhere else on the web

This made me laugh out loud. This great “tool” that can’t be found anywhere else on the web (cough) has a pretty goofy URL. I don’t think I’ve ever seen a URL that ended with “.exe” before. I can’t tell from here if it’s actually a compiled .EXE or just a CGI that returns REMOTE_ADDR. Either way, it’s funny.

I now host FS HOT on my own PC. Watch me freak this!

Well, sort of. There appear to be two boxes serving up fshot.co.uk via DNS A-record round-robin. One is hosted by easynet.com on RedHat/Apache at 217.206.221.212 and the other by easily.co.uk at 213.161.76.87 (Apache on Trustix). Looks like neither of them is in the business of providing connectivity, but at least it’s Apache.

Even though the top-level page isn’t being served up from Deaksterville, all of the links off of the main page do link straight to URLs with the naked IP address of 81.152.149.121 in them, which resolves to host81-152-149-121.range81-152.btcentralplus.com. Since The Deakster exists “in the world of free hosting and obscure URL’s [sic] that no one can remember”, I’d better write that down so I don’t miss any of the freakin’.

Hmm, looks like he’s got a relatively static IP, then — should be much easier to report to BT (not that that’s necessary; Deakster’s already competent enough to be helping out with evidence collection), which brings us to the coup de grâce:
```
Interesting ports on host81-152-149-121.range81-152.btcentralplus.com (81.152.149.121):
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS webserver 5.1
```
I’ll leave the significance of this information as an exercise for the reader.
a preponderance of evidence Says:
February 26th, 2004 at 9:31 am
Someone needs a good virtual beating

Hundreds of trackback pings at Michael’s weblog? Some stupid script kiddy finally realizing the power that is trackbacks without realizing…
Michael Hanscom Says:
February 26th, 2004 at 10:04 am
You all rock. Seriously. This is great.

I actually sent a letter to both abuse@bt.net and helpdesk@easily.co.uk (covering both is ISP and his domain registrar) last night with the information I had then — I’m almost wishing I’d waited until this morning to send it off (especially given that he’s now bragging about the ping flood on his site…truly amazing)!

I’ve yet to hear back from either BT or Easily, but I don’t know how long these things generally take.

Thanks so much for all the help — not only should all this help in solving this problem, but I’m getting a ton of good ideas/resources/tools in case anything similar happens in the future.
Cliff Cheney Says:
February 26th, 2004 at 10:35 am
I just don’t understand how a microsoft fanatic who can write simple GUI apps would get such a 1337 HaXOr god complex. I can write a shell script to do what he did on MacOS X in about half the time it took him.

Please keep us posted.

“Don’t hate the playa… Hate the OS.” Ahem.
Alan Says:
February 26th, 2004 at 10:54 am
I find that lynx reads his HaXoR PaGe rather well. Among the content now accessible to me is a nice set of “white papers” describing how to identify hack attempts, and send fake email. Elsewhere are a proud description of mailbombing “Scott from Tucows” and a staunch anti-spam statement. Man, wasn’t it great to be 14?
Ryan Waddell Says:
February 26th, 2004 at 11:31 am
Anybody that proclaims themselves to be “legendary” instantly gains the “wanker” tag in my books. Also, use of the word “lamer” - I believe this went out of style somewhere around 1994.
PV Says:
February 26th, 2004 at 12:21 pm
They blocked my firefox, what an ass :-p
Royce Says:
February 26th, 2004 at 9:25 pm
Huh. Phil’s diary has been redacted to remove his bragging about defacing Michael’s page. Now the old URL for that entry has a great photo of him flipping off the world. Oooh, that make me so mad, I don’t know what to do! You win, Phil!

But that’s OK — I’ve still got the original in all its glory.
Michael Hanscom Says:
February 27th, 2004 at 12:56 am
I’ve noticed that he’s also taken down the entry detailing his e-mail flood on Scott from TuCows. Trying to clean up his tracks after the fact, perhaps?
Cliff Cheney Says:
February 27th, 2004 at 6:41 am
Oh why oh why did I not mirror his site too? I usually do. I assume somebody got it all??? Royce?

It would be useful during the trial of this ‘über 1337 hacker’. Heheh.
Royce Says:
February 27th, 2004 at 7:59 am
Ok, I’ve now got a basic page with both of his redacted diary entries.
Michael Hanscom Says:
February 27th, 2004 at 9:41 am
Royce, you never cease to amaze me.

I’ve yet to hear back from BT, but I did just get a reply from Easily (his registrar), and they don’t believe that there is anything that they can do, since while he registered his site name through them, they are not actually hosting his site.

As you have correctly stated, the IP address 81.152.149.121 belongs to BT, and if that is where he is posting from, it is beyond our control. The fact that he has registered a domain through us and is re-directing it to this IP is not really relevant, since as far as we can see the domain itself is not involved in any abuse.
We can only intervene if our services are being actively mis-used in some way. A good test of this is to imagine what would happen if we switched off all our servers and ceased operations, and in this case I don’t think it would make any difference to the problem you are experiencing, so there is no basis on which we can get involved. I hope BT will be able to assist you to resolve the matter.

I thought that this might be the case, but it was worth at least alerting them.
Michael Hanscom Says:
February 27th, 2004 at 9:45 am
Amusingly enough, Royce, your mirrored copies of his individual pages render without a problem in Safari, as they don’t have that “spinning clock” pre-load animation included. The full site mirror ends up 404’ing for me — I think it’s trying to redirect to his “get a real browser” page after the preload animation.
Stacy Says:
February 27th, 2004 at 12:13 pm
As an IE user, not exactly by choice, it just comes with the workstation, his site appears to be down.
Cliff Cheney Says:
February 27th, 2004 at 11:59 pm
On Royce’s mirror, Deakster’s about page says,”I am an IT Technician for a local firm of solicitors.” Doesn’t that mean he works for lawyers? I wonder how his employer firm would feel if they knew he is a loose cannon wanna-be hacker? Just a thought.
Cliff Cheney Says:
February 28th, 2004 at 12:02 am
Oops. blink. blink. Delete the first one. heheh.
Royce Says:
March 1st, 2004 at 12:47 am
Michael — ever hear anything back from BT? Odd that he’s dropped off and never come back. Ironically, my mirror may now be inadvertently doing him some good.
Michael Hanscom Says:
March 1st, 2004 at 9:43 am
Nope — absolutely nothing so far. It could easily be that they killed his account and took him off the ‘net, but without anything from them, I’m not entirely sure.
Cliff Cheney Says:
March 1st, 2004 at 11:49 pm
His website is back online. It says ‘they’ have been upgrading the server.
Michael Hanscom Says:
March 1st, 2004 at 11:55 pm
Ah, well — as BT still hasn’t replied, it’s entirely possible that nothing else will come of this. At this point, I suppose I’ll be fine with that.

(shrugs)

Royce Says:
March 3rd, 2004 at 9:41 pm

Ah. Read “upgrading” as “I got another dynamic IP, so I’d better update my hosting front-end”.

$ lynx -dump http://www.fshot.co.uk/ | grep 81.152
   FRAME: [1]http://81.152.254.203/
   1. http://81.152.254.203/
   2. http://81.152.254.203/

kallia Says:
March 12th, 2004 at 3:54 pm
nothing to say
Royce Says:
June 25th, 2008 at 2:18 pm
Say what you want about the guy, but he can play the piano a heck of a lot better than I can.
Michael Hanscom Says:
June 25th, 2008 at 2:26 pm
Hrm. Was there supposed to be a link on that comment?
Royce Says:
June 25th, 2008 at 2:39 pm
I swear that I tried to leave one! Let’s try again, both plain and with HTML tags.

http://www.youtube.com/watch?v=6ca61lMeZ8E (or http://www.youtube.com/watch?v=6ca61lMeZ8E.
Michael Hanscom Says:
June 25th, 2008 at 2:47 pm
What a bizarre find. You’re right, though, he’s got me beat for piano playing!

Cheryl: Actually, bloggers who are interested can join the Chapeau Blog Awards affiliate program which gives each...
Bertamum: We were down to $2.97 today in Anchorage.
Michael Hanscom: One of these days I need to find some spare time, sit down, and actually update my scores. Been a...
Snail_5: I’m a big fan of the purity tests. The 500 question one is my fave too; I’ve declared it the...
Bob: I am SOOOOOOOOOOO sick of seeing Brooke Shields in the “Routon” commercials! It’s TOTALLY...

I’ve got a fan!

36 Responses to “I’ve got a fan!”

Leave a Reply

Search

Archives

Categories

Recent Photos

Recent Comments

Upcoming

Reading

Sponsorship

Advertising

Meta

Recent Posts

Recent Comments

About