Archive for March, 2005

Advice from Red Herring

Thursday, March 31st, 2005

Via Micro Persuasion

Meet Red Herring, supposedly from a communications company.

Early April Fool’s joke?

whois info shows the owner to be:

NA
Pete Majarich (petemaj AT hotmail.com)
21 Macleay St
Bradbury
NSW,2560
AU
Tel. +61.401929690

Creation Date: 14-Mar-2005

Update
Is this the guy? Just wondering.

Wordpress has been Google banned

Thursday, March 31st, 2005

Matt, the creator of Wordpress, was caught using shady tactics. I’ll let Arve explain the tactics.

End result: GoogleGuy saw the discussion, and wordpress.org got banned in Google in no seconds flat.

So, no get out of jail free card for otherwise respected sites if you willfully break the rules.

There’s a lot of bitterness going on at Threadwatch over this. Kinda different viewpoint to bloggers in general?

Update: Although the hidden links are still at the bottom of the Wordpress site, the pages the links point to have been removed.

Today - March 30

Wednesday, March 30th, 2005

I haven’t done any spam hunting today, so not much to write about. I’ll fill this post up with some bookkeeping and other stuff:

Notice the Pages on the left here:

Pinappleproxy domains
The Bulgarians are still at it. I keep a list of the spamvertized domains and the date they start spamming. On that page you’ll also find the cure for that particular spammer. Enjoy!

Javascript redirect
I noticed that some of my readers had a hard time understanding the significance of javascript redirects, and why search engine spiders and humans see those differently. So I’ve tried to explain it on that page. Let me know if there are some errors or if I need to write it out more clearly.

And… I bought some new earplugs for my MP3 player today. You can find my review of the Sony MDR-EX71SL Fonotopia Headphones on my old site, along with a cure for itchy ears.

Green and blue redirect

Tuesday, March 29th, 2005

I’ve been seeing some spam for pages with the same green and blue design:
(image: greenblue)
The stuff spammed is usually not one of the top three: porn, gambling, pills.

I’ve puzzled over it, until today, when I decided to get the names of the graphics, to see if that could be used as exclusion parameters. Found out some of the pages are in frames…

And on the framed site, I found code with redirection if you’re coming from a search engine. That loads a page on elegant-choice.com, which doesn’t seem to use affiliate codes. So, it probably belongs to the spammer. It contains encoded URLs, one of which 302 redirected to a page on umaxsearch.com, with affiliate ID 28. So, that’s one of the affiliate schemes, and the end store is connected to that scheme…

whois info for elegant-choice.com

Nova
Nova (nova@nova.ws)
Marks st6 ap56
Kharkov
null,50140
UA
Tel. +380.6331134

And nameservers are from Alexander Morozov’s favorite:
3fn.net

And the images?
012_01.jpg
012_02.jpg

IP addresses spammed from include:
12.170.99.234

tblog.com spam heaven

Tuesday, March 29th, 2005

I’ve come across more and more spam from sites on tblog.com lately.

So I decided to find an abuse address. Only to find there is none. The only address on their site is an address for advertising. And their mail is of the catch all type…

That’s after a cursory examination. The kind you’d do if you came there only to find an abuse address.

But, in a blog I found far down the page, there’s an e-mail address given for notifying them of spam: support at tblog dot com. Looks like they’ve discovered that the RX sites are spamming them to death.

Meanwhile, even their recently updated blogs list is full of spam!

One address I tried redirected to the main page of tblog.com. The spamblog is actually still there, but a redirect in the headers whisks you to the main page (That redirect doesn’t work in a text only browser like Sam Spade, though).

One of the worst offenders in opening multiple spam blogs right now is pickyourpharmacy.com.
They’re just asking to be blacklisted, right?

I checked some other stuff, and there’s plenty of URLs and codes they could filter for, and terminate users who use them. I mean, any kind of location replace should be banned, as well as overuse of a single URL in links or redirects within a blog.

Here’s some code I found on a tblog:
xanax

I liked seo-blog’s turn, when they’ve terminated a spam blog. They display a page about combating comment spam.
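The two filters suggested above (ban any kind of location replace, flag overuse of a single URL in a blog's links) are simple enough to script. The following is an added example, not code from the original post or from tblog.com, of what a blog host's spam check on submitted page source could look like. It looks for the client-side redirect constructs that a search engine spider never follows but a human's browser does (JavaScript `location` assignments, `location.replace`/`location.assign`, and meta refresh), and for a single external host taking more than half of a page's links. The two sample pages, the `pills.example` and `other.example` hosts and the `AFF_ID_PLACEHOLDER` affiliate value are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Client-side redirect constructs. A search-engine spider indexes the HTML as
# delivered and does not execute JavaScript, so it sees the page text and links;
# a human's browser runs the script and is sent somewhere else.
JS_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*"
    r"(?:=(?!=)|\.replace\s*\(|\.assign\s*\()",
    re.IGNORECASE,
)
META_REFRESH_RE = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*>", re.IGNORECASE
)
HREF_RE = re.compile(r"href\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def redirect_indicators(html):
    """Return every client-side redirect construct found in the page source."""
    found = [m.group(0).strip() for m in JS_REDIRECT_RE.finditer(html)]
    found += [m.group(0) for m in META_REFRESH_RE.finditer(html)]
    return found


def dominant_link_host(html):
    """Return (host, count, total_external_links) for the most-linked host."""
    hosts = Counter()
    for href in HREF_RE.findall(html):
        host = urlparse(href).netloc.lower()
        if host:  # relative links have no host; they are not what spammers overuse
            hosts[host] += 1
    if not hosts:
        return None, 0, 0
    host, count = hosts.most_common(1)[0]
    return host, count, sum(hosts.values())


def classify_blog_page(html, max_share=0.5, min_links=4):
    """Return the reasons a hosted blog page looks like a spam blog (empty = clean)."""
    reasons = []
    redirects = redirect_indicators(html)
    if redirects:
        reasons.append("client-side redirect: " + "; ".join(redirects))
    host, count, total = dominant_link_host(html)
    if total >= min_links and count / total > max_share:
        reasons.append(f"{count} of {total} external links point at {host}")
    return reasons


# Constructed sample pages (placeholder hosts, not taken from any real blog).
SPAM_PAGE = """<html><head><script>
window.location.replace("http://pills.example/?aff=AFF_ID_PLACEHOLDER");
</script></head><body>
<p>cheap pills <a href="http://pills.example/a">buy</a> <a href="http://pills.example/b">now</a>
<a href="http://pills.example/c">more</a> <a href="http://pills.example/d">pills</a>
<a href="http://pills.example/e">here</a> <a href="http://other.example/">x</a></p>
</body></html>"""

CLEAN_PAGE = """<html><body>
<p>Weekend notes. <a href="/about">About me</a>,
<a href="http://news.example/story">a story</a>, <a href="http://friend.example/">a friend</a>,
<a href="http://photos.example/set/1">photos</a> and <a href="http://music.example/">music</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("spam", SPAM_PAGE), ("clean", CLEAN_PAGE)):
        print(name, classify_blog_page(page) or "no indicators")
```

The redirect check is the stronger signal: a legitimate blog author has little reason to bounce every visitor off the page. The link-share check needs a minimum link count so that a short post with two links to one site is not flagged, which is why `min_links` defaults to 4.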

Relief aid?

Tuesday, March 29th, 2005

Tom Raftery sent me a comment spam. Very weird piece.

The e-mail address entered is not valid (norman at chick.com).

The site spamvertized with this text is 11say.com

I came to your site accidentally, but found it very good to read. Thanks

The site contains a good deal of nonsensical text. Snipped from somewhere, and doesn’t make sense.

It’s got some relief organizations at the top. Possibly to avoid being thrown out, and to appear legit. The organizations are for different sections of humanity depending on the domain peddled.

The spam links go to long coded URLs, which then go to long coded URLs at feed.peakclick.com before they resolve to some affiliate scheme.

The domain name has whois protection.
Domain registered March 9, 2005

I checked the IP number of the server:
70.85.62.24
and found a few more domains, with a different decor, but similar scheme. Enough so I believe they’re owned by the same outfit:

orangeyogi.net
Ash, Benjamin sylviocate@yahoo.com
74 Underpass Rd.
Columbus, GA 31901
US
+1.3247265341
Domain registered February 11, 2005

POTATOLAND.BIZ
Registrant Name: Jonathan Armstrong
Registrant Address1: 989 Annex St.
Registrant City: Phoenix
Registrant State/Province: AZ
Registrant Postal Code: 85043
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2161043785
Registrant Email: sylviocate@yahoo.com
Domain registered February 11, 2005

Spamvertized by:
IP number:
205.242.0.93
a WebSTAR/3.0.2 ID/66178 proxy on the Netalliance IP block.

User agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

———–

Some Googling later, I found other sites spamvertized by the same outfit.

I’ll detail those with whois info:

oxgm.com - 70.85.62.33
Lisle, Seth sylviocate@yahoo.com
389 Isle Rd
New York, NY 10039
US
+1.635330708

makedeal.net - 70.85.62.33
Koch, Jose Maria sylviocate@yahoo.com
899 Turnpike Rd.
San Diego, CA 92140
US
+1.2102144507

———-

Did some more searching. This one’s got quite a lot of domains, and spamming quite a bit. Sort of, not laying all your eggs in the same blog? Nevermind…

404 redirect

Monday, March 28th, 2005

I found a URL somewhere, that had an interesting mechanism for throwing bloggers and forum visitors off.

The spammer is targeting these search engines:
google, yahoo, aol, msn, altavista, web.ask.com, ask.co.uk, dogpile, excite, teoma, earthlink, hotbot.

If you’re accessing the spamvertized page from any other referrer, the script throws up a 404 error page, leading you to believe the page has already been yanked by the webhost.

That’s not true, because if you access it with a referrer from one of those domains, you’ll see the actual intended end page, which is entirely different.

The trail is complex, and goes through a few well known (to me) domains.

It eventually ends up with an affiliate ID to a pay for porn site, probably unrelated to the spammer, except he’s making money off it.

One of the domains has this whois info:

Registrant
Andrey Shchegolikhin
Servibox, buzon N 442, Patrisio Ferrandiz 40
Denia, Alicante 03700
Spain
email: dyakon@mail.ru
phone: 1-800-342-4243

That e-mail address connects it to the spammer I described in this post.

This spammer is using the exact same domains for cutout addresses before reaching the final destinations.

One of the cutout domains has this whois info:

Fethard
Andrey Shchegolikhin (dyakon@mail.ru)
1-800-342-6424
Servibox, buzon N 442,
Patrisio Ferrandiz 40
Denia, - 03700
ES

Another cutout domain has this whois info:

Crutop
Alexander Morozov (webmaster@se-traf.com)
Varvarka, 6
Moscow
null,128037
RU
Tel. +11.2345234655

Another cutout domain also belongs to Alexander.

Update
This spammer also did some referrer spamming, and targeted webalizer pages.

genaholincorporated

Sunday, March 27th, 2005

More about this spammer

I got an e-mail from Tom Raftery about some referrer spam. I found that there were two domains spamvertized by the same outfit:

genaholincorporated.com
firsthorizonmtg.com

Different whois info, but same webhost and IP number:
81.3.150.161
Russian webhost
abuse at peterstar.net

genaholincorporated.com
Chuck Tracy (chucktrcy@yahoo.com)
Adis-Abeba
New York, NY 10002
US

firsthorizonmtg.com
dave borgisson
NA NA (daveborgisson@yahoo.com)
South Brooklyn, 29th str. 34
New York, NY 10002
US

  • firsthorizonmtg has lots of links, including a linkfarm culled from Google.
  • genaholincorporated redirects to affiliate ID 2171394 at empirepoker, and some Google meat (text about poker) that no human will see.

Both domains use nameservers from
nextimedns.com

Ded Moroz Company
Ded Moroz (nextimedns@yahoo.com)
Severniy Polus 2-15
Velikiy Ustug
null,123456
RU
Tel. +912.4325432

If you access the website for that domain name, it has the same content as genaholincorporated. The name is also interesting. Resembles Morozov, although that may not mean anything.

One of them has the same IP number as the webhost, while the other points to another machine at the same webhost.

Also, a Google search reveals that the nameservers are used also for andrewsaluk.com, which has been spamvertized forever. It’s hosted on the same Russian webhost.

Update
I found lots of other domains hosted on that same server, and also some new spam comments for many variations of poker/gambling domains. These domains were on the same machine also, and had this whois info:

home
Fill Kollins (kollins_fill@yahoo.com)
+2.6513713646
Fax: +2.6513713646
Marabu st. 15
Panama, ST 98532
UY
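The Relief aid post tied five domains together through one registrant e-mail address, the 404 redirect post connected cutout domains through another, and this post links domains by a shared hosting IP and shared nameservers even though the whois records differ. The following is an added example, not the blog's own code, of doing that correlation mechanically: records are joined whenever any of e-mail, phone, IP or nameserver matches, and joins are transitive, so a domain that shares only an IP with a domain that shares only an e-mail with a third still lands in the same cluster. Placeholder values such as "NA", "null" or a whois-privacy label are excluded so that two anonymized registrants are not wrongly merged. The records, domains, addresses and nameservers are constructed for the example (RFC 5737 addresses and `.example` names), not taken from the posts.

```python
from collections import defaultdict

# Values that carry no identity and must never tie two records together.
IGNORE_VALUES = {"", "na", "null", "n/a", "none", "whois privacy"}
LINK_FIELDS = ("email", "phone", "ip", "nameserver")


def _normalise(field, value):
    """Lower-case and trim; phones keep digits only; placeholders become ''."""
    v = (value or "").strip().lower()
    if field == "phone":
        v = "".join(ch for ch in v if ch.isdigit())
    return "" if v in IGNORE_VALUES else v


def cluster_domains(records, fields=LINK_FIELDS):
    """
    Group domains that share a registrant e-mail, phone, hosting IP or
    nameserver, transitively. Returns (clusters, evidence): clusters is a
    sorted list of sorted domain lists; evidence maps each (field, value)
    shared by two or more domains to the domains carrying it.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(d):  # union-find with path halving
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    holders = defaultdict(list)
    for r in records:
        for f in fields:
            v = _normalise(f, r.get(f))
            if v:
                holders[(f, v)].append(r["domain"])
    for domains in holders.values():
        for d in domains[1:]:
            union(domains[0], d)

    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    clusters = sorted(sorted(g) for g in groups.values())
    evidence = {k: sorted(v) for k, v in holders.items() if len(v) > 1}
    return clusters, evidence


# Constructed records with placeholder values; not the registrants in the posts.
RECORDS = [
    {"domain": "alpha.example", "email": "reg-one@mail.example", "phone": "+1.5550100",
     "ip": "192.0.2.10", "nameserver": "ns1.dns-a.example"},
    {"domain": "bravo.example", "email": "reg-one@mail.example", "phone": "+1.5550199",
     "ip": "192.0.2.11", "nameserver": "ns1.dns-b.example"},
    {"domain": "charlie.example", "email": "other@mail.example", "phone": "+1.5550150",
     "ip": "192.0.2.11", "nameserver": "ns1.dns-c.example"},
    {"domain": "delta.example", "email": "NA", "phone": "null",
     "ip": "198.51.100.5", "nameserver": "ns1.dns-d.example"},
    {"domain": "echo.example", "email": "NA", "phone": "null",
     "ip": "198.51.100.6", "nameserver": "ns1.dns-d.example"},
    {"domain": "foxtrot.example", "email": "Whois Privacy", "phone": "",
     "ip": "203.0.113.7", "nameserver": "ns1.dns-f.example"},
]

if __name__ == "__main__":
    clusters, evidence = cluster_domains(RECORDS)
    for c in clusters:
        print(", ".join(c))
    for (field, value), domains in sorted(evidence.items()):
        print(f"  {field}={value}: {', '.join(domains)}")
```

The evidence map is what goes into an abuse report: not just "these belong together" but the specific shared address or nameserver that says so. Shared hosting IPs are the weakest of the four links, since unrelated customers sit on the same server at a big host, so a cluster held together only by an IP deserves the kind of manual look the posts above give it before naming an outfit.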

Personalsites

Sunday, March 27th, 2005

Many of us got a bunch of referrer spam from a site dealing with transvestite porn today or earlier.

The site has links on it, but also a javascript that redirects human visitors to another site with images and lots of links to different transvestite porn affiliate schemes. The links on the first site are to other perversions.

The websites are both hosted at sunwave.com
66.172.66.42
66.172.92.51
The hosting company gives each site its own static IP number, so the sites could well be on the same server, just at different IP numbers.

The spammer has opted to anonymize the whois info on both domains.

Spammer’s IP number:
222.152.118.197
222-152-118-197.adsl.ihug.co.nz

User agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

If you’ve seen this URL spamvertized from other IP numbers, please let me know.

Prankster having fun

Thursday, March 24th, 2005

If you’re here because you found a link to my blog in a comment or trackback, please read this post.

I’ve been impersonated.

Please delete any fake comments or trackbacks supposedly from me in your blog

—————–

I just got an e-mail. A failure notice.

It was a notification of a comment posted to a blog, that was sent back to the address entered in the from field. Mine.

The comment was:
*********
Comment spam is destroying
the web! Please visit my website and help me fight against evil spammers!!
*************
And…

I didn’t post it.

IP numbers of poster:
207.248.240.119
204.169.235.108
62.68.251.67
168.12.253.66
203.172.255.253
207.232.181.5
(all open proxies)
I’d like user agent info and any extra headers possible, if anyone sees this post and has been hit. Especially HTTP headers, for those anal enough to collect them. That may help me pinpoint the software the spammer is using.

My name was entered differently than I normally do, as Spam Hunter. And the e-mail address is the one I’ve got on my website, not the one I use for posting comments.

The blog was on a topic I would never have gone near. Really dirty stuff. So far it looks like the comments got stuck in a moderating queue. Hope they get deleted on sight by the owner.

Looks like a campaign over several blogs.

—————

Update. Just tipped over into March 25, my time

This is no longer just a prank. It’s now harassment.

This is the text of his latest offering that I found in my referrers:
***************
Looking for great lesbian movies?

Posted by: lesbian movies at March 25, 2005 05:54 AM
*************

He’s trying to Google bomb my site into ranking for lesbian movies. Two links in the same post.

Update March 25
And now he’s doing trackbacks as well.

——–

To the spammer:
If the goal is to get me blacklisted in Google, you can forget it. I’m sure there’s a whitelist as well as a blacklist. If anyone’s on that whitelist, it’s me.