Archive for March, 2005

Pooped from serving spammers?

Thursday, March 24th, 2005

I checked a proxy, trying to access Yahoo. This is what I got:

mcafee

Is the proxy pooped from serving spammers?

Just asking…

Spam Assassin for free

Thursday, March 24th, 2005

I just switched e-mail accounts (no, not the ones from annelisabeth.com, but what they forward to).

And discovered that the new e-mail provider had Spam Assassin. Complete with headers I can filter by, but they won’t remove the mails.

Way to go!

Of course, the bad thing is that somewhere in the last week or so, I’ve registered somewhere, or signed a blog that then sold my address. Quite a few spams this last day, and I got absolutely zilch before.

Spam fighting tools

Thursday, March 24th, 2005

Found this via The War on Spam:

Online Spam Fighting Tools

Dmoz spamming

Thursday, March 24th, 2005

There’s a spammer out there that’s spamvertizing an address on a free webhost from Slovenia.

When you as a user access that address, you’ll be redirected by JavaScript to http://dmoz.org/, the original link directory out there, and not something that would need any sort of spamvertizing.

The search engines will however see a number of subdirectories, ending up on a free website (shoot, had hoped for one owned by the spammer).

And a user clicking on one of the pages far down in the site structure would eventually end up with an affiliate link to a dirty site.

This one owned by:

[owner-c] handle: 274488
[owner-c] fname: Markus
[owner-c] lname: Schimautz
[owner-c] address: GUZMAN EL BUENO 10
[owner-c] city: Stockern
[owner-c] pcode: 3744
[owner-c] country: AT
[owner-c] phone: +43-699-10112244
[owner-c] fax: +49-000-000
[owner-c] email: office@maxolution.at
[owner-c] protection: B
[owner-c] updated: 2004-05-18 12:36:09

[zone-c] handle: 221630
[zone-c] type: PERSON
[zone-c] fname: Markus
[zone-c] lname: Pass
[zone-c] org: MAXOLUTION Internet Services GmbH
[zone-c] address: Stockern 47
[zone-c] city: Stockern
[zone-c] pcode: 3744
[zone-c] country: AT
[zone-c] state: NOE
[zone-c] phone: +43-298-3271616
[zone-c] fax: +43-298-3271619
[zone-c] email: domains@maxolution.at
[zone-c] protection: B
[zone-c] updated: 2004-07-28 02:31:15

Back to the spammer.

IP number:
80.185.27.7
80.185.3.180
80.185.26.19
80.185.11.69

User agent:
Mozilla/5.0

He’s got a history of spamvertizing free sites with JavaScript redirects to innocent sites, including a German Wikipedia and what looked like a newspaper at a casual glance.

Blocking Java suckers

Thursday, March 24th, 2005

There are a number of bots using Sun’s Java implementation. I found one of the IP numbers on a list of honeypot-trapped IP numbers for e-mail harvesting.

So I’m banning the suckers.

Here’s how you can do it, in .htaccess:

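# Flag any request whose User-Agent contains Java/1.4.x or Java/1.5.x
# (dots escaped so they match a literal "." rather than any character)
SetEnvIfNoCase User-Agent Java/1\.4\. spambot=yes
SetEnvIfNoCase User-Agent Java/1\.5\. spambot=yes
# Refuse every request that carries the flag
deny from env=spambot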

The reason I’m not banning Java outright and being done with it is that it might be used for legitimate bots as well. For more background, read the Webmasterworld thread on this.

Update April 18
I found an entry in my log that had been blocked. Not a good thing, because it was a link checker from Dmoz. User agent (in this case)
TulipChain/6.03 (http://ostermiller.org/tulipchain) Java/1.4.2_05 (http://apple.com/) Mac_OS_X/10.3.9
I’ve been put in the bookmarks section of an editor there, so that’s why the link checker came by. I think I need to change the .htaccess. I’ll see what I can figure out.
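An added example, not the author's configuration: it replays log lines through the two Java rules above to reproduce the TulipChain false positive, then shows the effect of one possible exception. The third rule is an assumption (in mod_setenvif it would be written with the `!spambot` form that clears a variable), and the log lines are constructed apart from the TulipChain User-Agent string quoted in the post.

```python
import re

# Ordered rules modelled on SetEnvIfNoCase: (pattern, variable, set?).
# The first two are the post's rules; the third is an assumed exception.
RULES = [
    (r"Java/1\.4\.", "spambot", True),
    (r"Java/1\.5\.", "spambot", True),
    (r"TulipChain/", "spambot", False),  # later rule clears the flag
]

# Combined Log Format: client IP first, User-Agent is the last quoted field.
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"$')

def is_blocked(user_agent, rules=RULES):
    """Apply the rules in order and report whether the flag is still set."""
    env = {}
    for pattern, var, set_it in rules:
        if re.search(pattern, user_agent, re.IGNORECASE):
            if set_it:
                env[var] = "yes"
            else:
                env.pop(var, None)
    return "spambot" in env

def replay(log_lines, rules=RULES):
    """Return {client_ip: blocked} for every log line that parses."""
    verdicts = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m:
            verdicts[m.group(1)] = is_blocked(m.group(2), rules)
    return verdicts

# Constructed sample lines using documentation-range IP addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Apr/2005:10:00:00 +0000] "GET / HTTP/1.1" 403 210 "-" "Java/1.4.2_05"',
    '192.0.2.11 - - [18/Apr/2005:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"TulipChain/6.03 (http://ostermiller.org/tulipchain) Java/1.4.2_05 '
    '(http://apple.com/) Mac_OS_X/10.3.9"',
    '192.0.2.12 - - [18/Apr/2005:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, rules in (("two Java rules only", RULES[:2]), ("with exception", RULES)):
        print(label, replay(SAMPLE_LOG, rules))
```

The User-Agent header is supplied by the client, so an exception keyed on it also lets through any bot that copies the TulipChain string; replaying real logs this way before deploying a rule change shows who would be affected.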

German spammer visits

Wednesday, March 23rd, 2005

Just had a visit from what I dubbed the German spammer.

Whois info: Stefan Koralewski.

He was searching for inseosite and his name on German Google. And came in here with the same unusual user agent he used when he built his spamming list March 10.

I of course don’t know what his real name is. Inseosite is usually connected with Richard Bracam.

Poor spammer, he seems to have trouble with the English language, and had to use Babelfish to translate one of my posts, in order to get the full gist of it. Didn’t use Babelfish for more than one, though.

CSS spam

Wednesday, March 23rd, 2005

CSS Spam is Out of Control discussion on WebProWorld

Refresh spam tactic

Wednesday, March 23rd, 2005

I came upon a forum post that suddenly redirected to a dirty site.

So I had to investigate, of course. Took me a while to find the offending code.

Found it below the post itself:
refresh

The code was added to a post below the one I was looking for in the list, and it was added to the subject field.

End result - everything above it gets redirected to THIS spammer’s site.

This was a wwwboard forum, probably an early version, by Matt Wright. The most insecure forum on the internet.
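An added example, not code from wwwboard or from this post: a minimal message-list renderer that writes the subject field into the page, once raw and once HTML-encoded, plus a check that reports any live refresh tag in the result. The subjects are constructed and spam.example is a placeholder host.

```python
from html import escape
from html.parser import HTMLParser

class RefreshFinder(HTMLParser):
    """Collect the content attribute of every live meta refresh tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.targets.append(a.get("content", ""))

def render_index(subjects, encode):
    """Build the message list: one <li> per subject, encoded or raw."""
    items = "".join(
        "<li>%s</li>" % (escape(s, quote=True) if encode else s)
        for s in subjects
    )
    return "<html><body><ul>%s</ul></body></html>" % items

def live_refreshes(page):
    """Return the refresh targets a browser would act on in this page."""
    finder = RefreshFinder()
    finder.feed(page)
    finder.close()
    return finder.targets

# Constructed subjects: one ordinary, one carrying markup in the subject field.
SUBJECTS = [
    "Re: question about hosting",
    'hi<meta http-equiv="refresh" content="0;url=http://spam.example/">',
]

if __name__ == "__main__":
    print("raw    :", live_refreshes(render_index(SUBJECTS, encode=False)))
    print("encoded:", live_refreshes(render_index(SUBJECTS, encode=True)))
```

Run over stored board pages, `live_refreshes` also works as an audit: any page that returns a non-empty list contains markup that should have been encoded on output.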

Phishing from Atrivo?

Wednesday, March 23rd, 2005

I just had a referrer from Google, searching for
atrivo phishing

The IP number was from the
United States Department of the Treasury

Hmmm, a phishing attempt from Atrivo?

I wouldn’t be surprised…

Pattern exclusion

Wednesday, March 23rd, 2005

I suggest that Google use pattern exclusion to remove statistics and referrer pages.

Here’s one that could be used:
refer

This would exclude all the Textism refer pages. Considering those pages are overutilized by referrer spammers, that would be a very good move.

Of course, getting the maker of the software to change it to include rel="nofollow" is also a good idea, but since he hasn’t updated it since 2003, I don’t know how realistic that is.