STATEMENT: Unusual Event At PP Blog

At approximately 1:05 a.m. (EDT) today, the PP Blog began to experience unusually high traffic volume and a highly unusual traffic pattern. The source of the traffic is unclear. What is clear is that IPs from all over the world suddenly began to pull “old” stories, meaning that the URLs being pulled existed in the Blog’s archives — not in its current, front-page editorial well.

The pattern strongly suggests the event was engineered robotically. It does not appear likely that the visitors were actual readers. Along with URLs for individual “old” stories, the URLs of archived files for certain dates in 2009 and 2010 were pulled. There appear to have been no follow-up clicks to the archived files, which strongly suggests the visitors did not intend to engage in any actual reading. No spam was received during the period, which suggests the visitors had a purpose other than spamming.

Most of the visitors (the vast, vast majority, meaning on the order of 95 percent) displayed non-U.S. IPs. Dozens of international IPs making their first visit to the Blog sought virtually simultaneously to pull dozens of story links and links to archives. Logs suggest that most of the IPs had not been at the PP Blog prior to this morning’s event.

The event appears to have reached its peak at 2:08 a.m. Traffic to the Blog during the unusual event is preliminarily estimated at 10 to 20 times the normal volume.

A similar event occurred at the Blog on March 9, although this morning’s event was much broader in scope. The March 9 incident involved about nine IPs; today’s event involved dozens and dozens, with unusually large traffic volume from Europe, Asia, the South Pacific, Africa and South America. The Blog also recorded first-time visits from IPs in the Middle East.

A server snapshot taken at 1:20 a.m. shows 17 “live” IPs pulling stories or archives exclusively from 2009 and 2010. Only one U.S. IP is present in the snapshot, and the U.S. IP was making its first visit to the Blog. The PP Blog is published in the United States. Most of its traffic originates in the United States.

One of several maps that show a sudden burst of international traffic at the PP Blog on March 22, 2011. The pattern developed shortly after 1 a.m. (EDT) in the United States.
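
Two of the signals described in the statement (IPs with no prior visits, requesting only 2009 and 2010 story or archive URLs) can be checked against a web access log. The following is an added example, not the Blog's own tooling; the log format, the date-based URL layout, the window running from the reported onset to the reported peak, and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumptions (not stated on the page): Common Log Format lines and
# date-based permalinks such as /2009/07/14/slug/ or /2010/03/.
FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) ')
OLD = re.compile(r'^/(2009|2010)/\d{2}/')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip lines that are not GET/HEAD requests in this format
    ip, ts, path = m.groups()
    return ip, datetime.strptime(ts, FMT), path

def first_time_archive_pullers(lines, start, end, min_hits=3):
    """IPs never seen before `start` that request only 2009/2010 URLs in the window."""
    seen_before, in_window = set(), defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ip, ts, path = rec
        if ts < start:
            seen_before.add(ip)
        elif ts <= end:
            in_window[ip].append(path)
    return {ip: len(p) for ip, p in in_window.items()
            if ip not in seen_before and len(p) >= min_hits
            and all(OLD.match(x) for x in p)}

# Constructed sample log (documentation-range IPs, invented paths).
SAMPLE = """\
198.51.100.7 - - [21/Mar/2011:14:02:11 -0400] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [22/Mar/2011:01:10:03 -0400] "GET /2009/07/14/story-a/ HTTP/1.1" 200 9000
198.51.100.7 - - [22/Mar/2011:01:10:40 -0400] "GET /2009/08/ HTTP/1.1" 200 9000
198.51.100.7 - - [22/Mar/2011:01:11:02 -0400] "GET /2010/02/03/story-b/ HTTP/1.1" 200 9000
203.0.113.5 - - [22/Mar/2011:01:06:00 -0400] "GET /2009/05/ HTTP/1.1" 200 9000
203.0.113.5 - - [22/Mar/2011:01:06:01 -0400] "GET /2010/01/02/story-c/ HTTP/1.1" 200 9000
203.0.113.5 - - [22/Mar/2011:01:06:01 -0400] "GET /2009/11/20/story-d/ HTTP/1.1" 200 9000
192.0.2.99 - - [22/Mar/2011:01:20:00 -0400] "GET / HTTP/1.1" 200 5120
192.0.2.99 - - [22/Mar/2011:01:20:30 -0400] "GET /2011/03/21/story-g/ HTTP/1.1" 200 9000
192.0.2.99 - - [22/Mar/2011:01:21:10 -0400] "GET /2009/07/14/story-a/ HTTP/1.1" 200 9000
""".splitlines()

START = datetime.strptime("22/Mar/2011:01:05:00 -0400", FMT)  # reported onset
END = datetime.strptime("22/Mar/2011:02:08:00 -0400", FMT)    # reported peak
FLAGGED = first_time_archive_pullers(SAMPLE, START, END)
print(FLAGGED)
```

The returning visitor who reads old stories and the new visitor who also loads the front page are both left out; only the first-time IP that touches nothing but 2009 and 2010 URLs is flagged.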


5 Responses to “STATEMENT: Unusual Event At PP Blog”

  1. For what it’s worth, I wrote a reply to a post last night around midnight and it was a little klunky with me, and the post disappeared when I hit the submit button. It was a long post and it was late so I didn’t bother to try again.

  2. Gregg Evans: For what it’s worth, I wrote a reply to a post last night around midnight and it was a little klunky with me, and the post disappeared when I hit the submit button. It was a long post and it was late so I didn’t bother to try again.

    Hi Gregg,

    My guess is that your intended post coincided with a flood of calls to the database, and that you were unable to make a connection.

    One of the things that supports this theory is that no post from you appears in a holding queue or a spam queue. As I’ve noted before, the software sometimes will “hold” even legitimate comments if they contain links or phrases the software associates with illegitimate bids to post.

    That your post neither published successfully nor appeared in a queue strongly suggests you could not connect to the database. That’s what the attackers want, of course.

    As always, the question is why certain people want to disrupt the operations of this Blog, which is a speck in the grand scheme of things.

    Take care, Gregg.


  3. Quick stats note: So far this month, the software has blocked 3,004 spams, an average of about 136 per day. Efforts to spam the Blog are virtually relentless.

    Separately, any number of folks have sought to spoof the Blog’s email address — i.e., send spam that appears to originate from the Blog but actually originates elsewhere.

    The clear aim of that is to provide cover for the spammers who are duping people into believing the spam is originating here.

    Shortly after midnight today, the Blog received an email that implied it was from the government of Hong Kong. This email appeared to be a bid to dupe the Blog into paying a fee to prevent a possible “dispute.” The email had a whiff of a protection racket — i.e., it implied that a company in Asia affiliated with an unspecified Asian government could protect against a third party in Europe trading on the Blog’s name — if only the Blog would pay a fee.


  4. Patrick, I get those emails a lot, too.. from some Prince in Nigeria….. he wants to give me money.

  5. Proof that you are stepping on scumbag toes and arches too! Keep up the good work!