Archive for March, 2005

Watch guestbooks

Sunday, March 20th, 2005

I just had a previously spam free guestbook hit by the Bulgarians:

ca-america.com

That guestbook is on a free service (dreambook), and the only measure you can put in is IP banning. Which means I may have to abandon it, unless they stop…

Hey Bulgarians, you can blacklist anything containing nativecelebs - anywhere in the URL. You know how much I enjoy coming up with ways to foil you. If I have to abandon that guestbook, I’ll get even more set to see your spamming efforts fail…

And for the readers here: You MUST check your guestbooks every day, or have e-mail notification of posting turned on.

Effects of spamrun

Saturday, March 19th, 2005

I complained about a trackback spamrun, and the dynamic DNS company put a redirect in to my expose of the spammer instead of shutting the address down.

I still get lots of accesses from people clicking on the link, though not as many as the first few days.

I’ve been wondering about the direct effects of a spamrun. Who are the people clicking on those links? Bloggers investigating what the links are, or people actually interested in bestiality porn? I still don’t have an answer to that.

But let me tell you, I get a few accesses from people searching for it. 9 hits on the last Awstats run. I don’t rank on it at all with Google (the whitebear URL is banned there), but here are the search terms used for other search engines:
preteen bestiality (yahoo)
animalsex (yahoo, twice)
beastiality movies (yahoo)
Sex+Animal+Dog+Movie (yahoo)
beastiality (yahoo, blogsearchengine, msn - four times)
Beastiality dog Movies (yahoo)
danish beastiality (msn)

And usually I’m ranking because of that whitebear address, not under my own URL.

Also, have a look at my Alexa rankings.

The site is pretty new, and doesn’t have that high rankings. The last few days it’s gotten more unique hits, and the Alexa rankings are climbing. I’ve watched that happen for the Bulgarian spamruns as well.

I don’t think getting the spammers’ domains banned in Google is enough. We need to hit them faster (hosting companies and free hosts need to get their collective fingers out). And we need more clout.

Inseosite

Friday, March 18th, 2005

Inseosite - Richard Bracam

They’re at it again. I’ve blogged about this spammer several times before:

This time he’s got dynamic DNS services loaded with links. When you click on one of those links, you get a page with an iframe with some tricky redirects.

Bottom line, porn video and a site with affiliate links to other porn sites. The affiliate network he’s pushing right now has whois info from:

Tech Name………… Eric Zaandam
Tech Address……… Scheeps Timmermanslaan 5B
Tech Address……… Rotterdam
Tech Address……… 3016
Tech Address……… NETHERLANDS
Tech Email……….. novonet_bv@yahoo.com
Tech Phone……….. +31.104364039
Tech Fax…………. +31.102251973
Name Server………. ns1.novonet-bv.net
Name Server………. ns2.novonet-bv.net

There’s also a pop-up that (in German) advertises:
Sexexplorer Download Version 1.5

They say it’s no dialer and no spyware, and that it gives free access to member areas. That they finance it by infusing one ad in the frame, nothing more. But tell me one thing, would YOU trust a spammer?

Update
Dyndns have terminated those accounts.

African sucker

Friday, March 18th, 2005

I had a visit from a bot from the African IP number
81.91.227.195

user agent:
Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent

He sucked down every file on annelisabeth.com, including all posts on the blog. I’ve got a nice fat 200 K spike on my bandwidth meter from the sucker. 18.67 MB total in less than 20 minutes.

But he came in from a cached page on Google, with this search term:
09 tag 2005 update monica hotmail com

And the user agent of his browser was:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Ban with extreme prejudice! He’s already accessed spamhuntress, and I’ve got a spike there too, though I don’t know if it’s him - yet.

———–

I’ve had several visits from the same user agent. A few different IP addresses, and mostly accesses to my blog and the About Me page on annelisabeth.com
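One way to spot this kind of bulk fetch in an Apache combined-format access log is to track bytes served per client over a sliding window. This is an added example, not code from the original post; the 10 MiB per 20 minutes threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                  r'\d{3} (?P<bytes>\d+|-) "[^"]*" "[^"]*"')

def find_bulk_fetchers(lines, window=timedelta(minutes=20), max_bytes=10 * 2**20):
    """Return {ip: peak_bytes} for clients that pull more than max_bytes
    inside any sliding window. Both thresholds are assumptions to tune."""
    recent = defaultdict(deque)   # ip -> (timestamp, bytes) entries still in window
    running = defaultdict(int)    # ip -> byte total of those entries
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # ignore malformed lines instead of crashing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        ip = m["ip"]
        recent[ip].append((ts, size))
        running[ip] += size
        while ts - recent[ip][0][0] > window:      # expire old requests
            running[ip] -= recent[ip].popleft()[1]
        if running[ip] > max_bytes:
            flagged[ip] = max(flagged.get(ip, 0), running[ip])
    return flagged

def sample_log():
    """Constructed sample lines (documentation IPs), not the blog's real logs."""
    t0 = datetime(2005, 3, 18, 9, 0, 0, tzinfo=timezone.utc)
    rows = [(t0 + timedelta(seconds=20 * n), "203.0.113.7", 500_000)
            for n in range(40)]                    # 40 x 500 kB in 13 minutes
    rows += [(t0 + timedelta(minutes=15 * n), "198.51.100.9", 1_000_000)
             for n in range(12)]                   # 12 MB spread over ~3 hours
    rows.sort()
    return ['{} - - [{}] "GET /page HTTP/1.0" 200 {} "-" "ExampleAgent/1.0"'.format(
                ip, ts.strftime("%d/%b/%Y:%H:%M:%S %z"), size)
            for ts, ip, size in rows]

if __name__ == "__main__":
    for ip, peak in find_bulk_fetchers(sample_log()).items():
        print(f"{ip} fetched {peak / 2**20:.1f} MiB within 20 minutes")
```

The slow reader in the sample transfers 12 MB in total but never more than 2 MB inside one window, so only the burst client is reported.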

Gizmo

Friday, March 18th, 2005

I had some accesses in my log today from gizmo.org

IP address:
81.57.108.63 (car75-1-81-57-108-63.fbx.proxad.net)

User agent:
Schizozilla/666 (GNU Hurd 0.2)

The machine is running thttpd, which is a small webserver, and the bot is fetching HEAD, then GET requests. Proxad is in France.

The owner, Dag Spicer, was working in California in 2004. There’s lots of stuff on the server. Papers he’s written, etc.

I’ve written him and asked for an explanation. The whole thing is weird. The page seems to have been online for a long time, and not spammy in nature. So why is a bot advertising that page?

Norwegian phishing

Friday, March 18th, 2005

A contact sent me an e-mail he’d gotten last night.

It was a phishing attempt, written in English, but for a Norwegian bank:

https://www.dnbnor.no/update-clients/

The actual address under that was:

http://assist.uta.edu/.update/en/personal/index.html

That’s a hidden folder, and is hard to find on a server, unless you know it’s there, or use ls -lf or, say, cPanel’s file browser.

The University already removed the files (also included a graphic), and the bank has a notice on their front page, asking customers who fell for it to contact them.

My contact is Norwegian, and immediately thought this was fishy…

Affiliate spammer with free domains

Thursday, March 17th, 2005

An affiliate spammer is using free subdomains to spamvertize his affiliate ID.

He’s using referrer spam, and is very aggressive about it. Until citykom (his ISP) gets their heads out of the sand, I’d say ban the whole IP range: 82.207. It does shut out quite a lot of people from your site, but since he’s using dynamic IP addresses, there isn’t much else we can do?

The scam is that he creates subdomains on http://www.d4f.de/

That service works the following way:
They have a basic frameset that serves an ad at the top and the customer’s website in the bottom frame.

It’s just that this spammer is lazy, and enters his affiliate ID as the bottom frame address. And the affiliate programs he’s spamvertizing are all porn related.

This is a spammer I’ve written about before:
Whois trickery
Hammering German

IP numbers captured:
82.207.224.134
82.207.211.97
82.207.233.92

User agent:
Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)

WareOut

Thursday, March 17th, 2005

The Daily Rant has an article about a spyware program called WareOut and Atrivo. He’s speculating about possible connections between players, botnets and spamming.

Spammer thumbing nose

Thursday, March 17th, 2005

Update

OK…

Miscalculation on my part…

Yesterday, I notified the website hosting company and asked them to take down
http://whitebear.lir.dk/

This is a Danish company, and since it’s a dynamic IP service, they had the means to thumb THEIR nose at the spammer.

They did a 302 redirect to my post about the spamrun instead.

Actually, now that I get used to the idea, it’s brilliant…

———-

The whitebear trackback spammer I mentioned yesterday is having fun with me.

I’ve got LOADS of referrers from that address today, and also lots of referrers from other sites that have been spammed by that spammer. My guess is he’s found a way to make Apache think they’re linking to me, when in reality he’s got some sort of clever redirect to my site in one of his spammy links.

ALL the referrers are to the post about that spammer, and some to nonexistent URLs like this:
2005/03/16/beastiality-trackbacks/68.html

Update: The weird URLs are because when the spammer entered subpages in the trackback spams, those relative paths get transferred as a request for that subpage on what’s now the root of the site:
http://spamhuntress.com/2005/03/16/beastiality-trackbacks/
Those don’t exist on my site, so they result in 404 errors.

My logs are completely useless this morning!

Who’s the guilty party?

Thursday, March 17th, 2005

The frame spammer is at it again. And this time it represents more of a conundrum.

The spamvertized site is:
vaterschaftstest.dl.ag/

The frame contains:
v.g.cx/

And that 302 redirects to:
partners.webmasterplan.com/click.asp?ref=6618&site=2936&type=text&tnb=2

Which in turn 302 redirects to:
http://www.avgenetix.de/affiliate
With a cookie like this:
Set-Cookie: fritz2936=hnb=&tnb=2&type=text&formid=&cltime=3%2F17%2F2005+2%3A50%3A42+PM&date=3%2F17%2F2005&subid=&bnb=&ref=6618; expires=Fri, 15-Apr-2005 22:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDQQTSTBSA=GDJHHKGDCMMMFNCMHEDPKLBH; path=/

webmasterplan.com has this text on its site:

Optimize, Promote and Monitor your Website with our suite of tools and services designed to maximize the success of your Internet presence.

But, checking the German language version, they do say they’re not using spam to promote the sites, and they say it’s a long process. So either they’re not doing as they say, or this is someone else spamming.

They also have an affiliate program, and this might be where the spamming scoundrel comes in. I’ll notify the owner of the site reaping the benefits, complete with the affiliate ID of the spammer (see the cookie for that), and we’ll see.
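The affiliate details for such a report can be pulled out of the captured redirect chain and tracking cookie mechanically. The following is an added example, not code from the original post; the hop URLs and the Set-Cookie value are the ones quoted above, while the `http://` scheme on the first two hops and all function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Hops and cookie as quoted in the post (scheme on the first two is assumed).
CHAIN = [
    "http://v.g.cx/",
    "http://partners.webmasterplan.com/click.asp?ref=6618&site=2936&type=text&tnb=2",
    "http://www.avgenetix.de/affiliate",
]
SET_COOKIE = ("fritz2936=hnb=&tnb=2&type=text&formid="
              "&cltime=3%2F17%2F2005+2%3A50%3A42+PM&date=3%2F17%2F2005"
              "&subid=&bnb=&ref=6618; expires=Fri, 15-Apr-2005 22:00:00 GMT; path=/")

def parse_tracking_cookie(header):
    """Split a Set-Cookie value into (name, fields, attributes)."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, raw = pair.partition("=")
    # The cookie value is itself a URL-encoded query string.
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    attributes = dict(a.partition("=")[::2] for a in attrs)
    return name, fields, attributes

def affiliate_evidence(chain, set_cookie):
    """Collect the identifiers an abuse report to the merchant should quote."""
    # The click-tracking hop is the first URL carrying a "ref" parameter.
    click = next(u for u in chain if "ref" in parse_qs(urlsplit(u).query))
    query = {k: v[0] for k, v in parse_qs(urlsplit(click).query).items()}
    name, fields, attrs = parse_tracking_cookie(set_cookie)
    return {
        "network_host": urlsplit(click).hostname,
        "affiliate_ref": query["ref"],
        "site_id": query["site"],
        "cookie_name": name,
        "click_time": fields.get("cltime"),
        "cookie_expires": attrs.get("expires"),
        "landing_page": chain[-1],
        # Cross-check: the cookie must carry the same affiliate ID as the click
        # URL, and in this capture its name ends with the site ID.
        "consistent": fields.get("ref") == query["ref"]
                      and name.endswith(query["site"]),
    }

if __name__ == "__main__":
    for key, value in affiliate_evidence(CHAIN, SET_COOKIE).items():
        print(f"{key}: {value}")
```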