Archive for February, 2005

No blacklists in the spamming software?

Friday, February 25th, 2005

Remember the Bulgarians (chief Texas Hold'em spammer) quit spamming my blog after one of them found his name on my blog? And then it started up again after a few days?

I wonder…

What if he removed my site from the queue? But if the software is configured to pick up new blogs from Google or Technorati or another feed place, then chances are my site got picked up automatically again.

So even though the spammer didn’t want to stay my human lab rat, his software isn’t sophisticated enough to include a blacklist.

I’m coming up with this theory because of something another blogger said. He’d e-mailed some spammer, and the spam stopped for a while, only to start up again, slowly.

The spam is concentrated on servers according to topic

Friday, February 25th, 2005

I found another server, that has even more domains on it. And possibly all of the domains are advertising pills:
http://whois.webhosting.info/64.234.220.141

Looks to me like these spammers are consolidating their domains according to topic?

Petition for the casinos to drop the spammers

Friday, February 25th, 2005

Netaloid has put up a petition we can sign, that he’ll send to the IGC and the casinos. Looks like less of a hassle than sending our own e-mails or letters. Let’s all sign it!

The Bulgarians move domains to the US

Friday, February 25th, 2005

Cindy noticed a movement of Bulgarian owned domains. From (I assume) the Chinese spamhost to a US owned and located one.

What she didn’t notice, is that of the ones she’d seen moved, all but one domain have been banned by Google. And of the domains they’re currently spamvertizing, one is banned, and the other is not. One was banned even the first time I tested, and that was relatively early. So it may have been banned even before they started flogging it? Not sure.

Anyway, the domains they’ve moved are the most recent spamvertized ones but two.

———

UPDATE:

I was relying on Cindy’s intel when I wrote this. The funny thing is, that one of the domains is now pinging a comcast machine. I doubt it’s even a server. It looks and acts like a regular computer. The webserver reports to be running Apache, but no version number, and no OS. Very fishy.

nutzu - 67.184.17.116

The other domains are still pinging the machine she was talking about. But there’s a more precise ownership info for it than she gave:

OrgName: Uplink Systems
OrgID: UPLIN
Address: 3520 Fairmont Blvd
City: Yorba Linda
StateProv: CA
PostalCode: 92886
Country: US

NetRange: 64.27.27.0 - 64.27.27.255
CIDR: 64.27.27.0/24
NetName: UPLIN-NET
NetHandle: NET-64-27-27-0-1
Parent: NET-64-27-0-0-1
NetType: Reassigned
NameServer: NS1.CALPOP.COM
NameServer: NS2.CALPOP.COM
Comment:
RegDate: 2004-04-12
Updated: 2004-04-12

OrgTechHandle: MAS148-ARIN
OrgTechName: Shader, Michael Allen
OrgTechPhone: +1-714-693-1710
OrgTechEmail: mike at uplinksys dot net

This server also has the weird Apache webserver headers. I tell you, it’s seriously screwy compared to normal server headers!

And the server has a dns name of qwestdez.com. Problem is, that domain doesn’t ping anything. Although it’s registered, it’s not operational. Which is typical of these guys. The names of the servers are usually never correct.

Interesting little tidbit: The webhosting company behind that server has paid for whois protection of their domain name. Pretty pointless since the IP block contains that info, but whatever.

Their spam policy is outdated. It does not contain any language about webspam. I think we should make them aware of their precarious position on that, eh?

Verio’s server still full of spam

Friday, February 25th, 2005

Remember we were fuming about 161.58.59.8 a while ago? We were successful in getting the Bulgarians off the server, as far as we know. But the server is still full of spam.

Check the domains on the server:
http://whois.webhosting.info/161.58.59.8

Then ping the domain you want to check further, to make sure the information is accurate today.

Then search for the domain in Google. Check if there’s blogspam or other webspam, then complain to Verio. As before, abuse at verio-hosting dot com is the right address to complain to. One domain I checked was spamvertized November 22, 2004. Probably before we really organized…

I’ve saved a number of pages from that list. So far I’m not sure one single domain is non-spam related. Netaloid should have a FIELD day with this! If anyone wants the list, just let me know. No sense duplicating the work. If I give up (there are 2021 domains on that server, so I just might), I’ll let you know which page was the last I saved. Eh, got as far as 1450 domains before the site timed out way too much.

Verio has a history with spam, alright. Even whois spam.

I’ve verified one of the domains on that server now. It’s being served, on that site, and it belongs to the Bulgarians. It’s serving one of the affiliate IDs I’d made a note of earlier. The site is: best-deals-online-gambling dot info. That domain landed in my referrer log December 9, 2004.

Tool to find out what domains are hosted on IP address

Friday, February 25th, 2005

http://www.webhosting.info/

Just enter the IP address in the form, and double check that Domain name is ticked, then click Go.

The first bots to reach a new blog

Friday, February 25th, 2005

I thought I’d see which bots are checking out a brand new blog. A few pings have gone out to pingomatic, and it’s linked from my old blog, which pings a few services as well.

I see quite a few searching for technoratibot:
That one makes your posts available for bloggers. You can search for keywords and such.

Here’s what I found:

  • 216.52.237.214 with user agent: geourl/2.0b4 - http://geourl.org/bot
  • 198.87.83.123 with user agent: Syndic8/1.0 (http://www.syndic8.com/)
  • 213.239.211.101 with user agent: A2B Location-Based Search Engine (+http://www.a2b.cc)
  • 170.224.8.126 was seen on my old blog February 6th. But on this one it’s accessed with two different user agents: 1) libwww-perl/5.65 (which also checks robots.txt) 2) Java/1.4.2_06 goes straight for the feed, and then individual posts.
  • Alexander Morozov’s bot was one of the first to reach it. Block 69.50.170.122 before you bring a new blog live to hopefully avoid his trackbacks.
  • A human with a Firefox browser leaves the user agent Sage in one of the accesses - the feed.
  • 66.151.189.7 with user agent: Feedster Crawler/1.0; Feedster, Inc. Checks several different feed types
  • A human with Firefox leaves the user agent Straw/0.25.1 when fetching the feed
  • 216.148.212.180 with user agent: Bloglines/2.0 (http://www.bloglines.com). And subscribers clicking on links follow right behind.
  • A human sets up his feed software. User agent: NetNewsWire/2.0b25(Mac OS X; http://ranchero.com/netnewswire/)
  • Googlebot comes sniffing for the root and robots.txt
  • Raggle/0.3.1 (i386-linux; Ruby/1.8.2) comes for the feed. Unsure if this is a bot or a human.
  • My first referrer spam, I believe? 61.210.180.74 http://www.dela-grante.net/ and user agent: Mozilla/4.0 (compatible; MSIE 6.0)
  • 66.250.128.131 with user agent: ping.blo.gs/2.0 and referrer: http://blo.gs/ping.php
  • 64.26.171.196 with empty user agent. Two different feeds. It’s all over my old blog as well
  • 209.237.230.104 with user agent: Technoratibot/0.6
  • 205.147.9.200 with user agent: blogsnowbot (+http://www.blogsnow.com/bot.html)
  • A human comes with a Linux version of Firefox, then sends an aggregator back for the feed: Liferea/0.9.0b (Linux; fr_FR@euro; http://liferea.sf.net/)
  • Ask Jeeves/Teoma have been by

Phew! Quite a few bots and aggregators!
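As an added example (not part of the original post), this is one way to do the same first-visitor review over an Apache combined-format access log, flagging the patterns noted in the list: an empty user agent, one IP using several user agents, HTTP-library agents, and an IP already on a block list. The log lines, timestamps, paths and the ExampleAgent/1.0 string are constructed; the IP addresses and the other user agents are the ones listed above.

```python
import re
from datetime import datetime

# Apache "combined" format: ip - - [time] "request" status bytes "referrer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
BLOCKLIST = {"69.50.170.122"}             # IP the post says to block up front
LIBRARY_UAS = ("libwww-perl/", "Java/")   # HTTP-library agents named in the post

# Constructed sample lines (timestamps, paths and sizes are made up).
SAMPLE_LOG = """\
69.50.170.122 - - [24/Feb/2005:19:56:27 -0600] "GET / HTTP/1.0" 200 5120 "-" "ExampleAgent/1.0"
209.237.230.104 - - [24/Feb/2005:20:03:10 -0600] "GET /feed/ HTTP/1.1" 200 2048 "-" "Technoratibot/0.6"
170.224.8.126 - - [24/Feb/2005:20:10:00 -0600] "GET /robots.txt HTTP/1.0" 404 210 "-" "libwww-perl/5.65"
170.224.8.126 - - [24/Feb/2005:20:10:05 -0600] "GET /feed/ HTTP/1.1" 200 2048 "-" "Java/1.4.2_06"
64.26.171.196 - - [24/Feb/2005:20:15:42 -0600] "GET /feed/atom/ HTTP/1.1" 200 3072 "-" "-"
this line is not a log entry
"""

def first_visitors(log_text):
    """Return one record per IP, ordered by first-seen time, with review flags."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines instead of failing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ua = "" if m["ua"] == "-" else m["ua"]   # Apache logs a missing header as "-"
        rec = seen.setdefault(m["ip"], {"ip": m["ip"], "first": ts, "agents": set()})
        rec["first"] = min(rec["first"], ts)
        rec["agents"].add(ua)
    for rec in seen.values():
        flags = set()
        if rec["ip"] in BLOCKLIST:
            flags.add("blocklisted")
        if "" in rec["agents"]:
            flags.add("empty-ua")
        if len(rec["agents"]) > 1:
            flags.add("multiple-ua")
        if any(ua.startswith(LIBRARY_UAS) for ua in rec["agents"]):
            flags.add("library-ua")
        rec["flags"] = flags
    return sorted(seen.values(), key=lambda r: r["first"])

if __name__ == "__main__":
    for r in first_visitors(SAMPLE_LOG):
        print(r["first"].isoformat(), r["ip"], sorted(r["agents"]), sorted(r["flags"]))
```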

Already got the first master spambot visiting - WOW that was fast!

Thursday, February 24th, 2005

I went through Latest Visitors - couldn’t sleep tonight.

Found a user agent that looked like Alexander Morozov, and checked nslookup, it’s from esthost.

69.50.170.122

Date stamp: Feb 24 19:56:27 (I assume -6 time zone).

There’s a collection of other bots too. Even ones I never saw on annelisabeth.com. Might be because this one pings pingomatic?

UPDATE: I checked that IP number with the tool that finds websites associated with the IP number. None at all. Which is really bad news. It means that server does nothing but botting…

Need a design

Thursday, February 24th, 2005

I’ve been thinking about design. I could have used some sort of badge. Any ideas on something I can use that won’t get me arrested?