GooglePray

Guestbook spam info

I was chasing a rampant guestbook spammer. In the source of one of his pages, I found a funny meta tag:

This spammer uses baikalguide, and a variant of Umaxsearch as domain names. Looks like he’s already banned in Google.

whois info:

owner: Dmitriy Soldatenko
organization: Sid Wongvorakul
email: sidfeehit@yahoo.com
address: 979 Rutland Dr
city: Memphis
state: TN
postal-code: 78243
country: US
phone: +49 221 88585850

BTW, dialing code 49 is Germany.

Other posts about this spammer:
Bobonit, Buffoons 1, Buffoons 2, Buffoons 3

In one of these posts, one of the commenters mentioned that the pages spammed by this spammer contain code that creates new posts on guestbooks, which will carry the IP address of the person who visits the page. I found that to be very credible. I’ll include one such chunk of code that I found. (Eh, I don’t think it’s wise to display this one in an iframe, considering IE could execute it…)

However, some of the pages display as source in Firefox, so won’t execute every time.

I found one IP address was responsible for all posts and attempted posts to my guestbook:
216.127.68.15
user agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)

This is however a webserver. A spammy website at that. Site owned by:

romas
romas (a-romas@lycos.com)
Tarasovskaya St. 40
Kiyv
null,54566
UA
Tel. +38.0677412714

Another whois info often used by this spammer:

rex
jet rex (jetrex@gmail.com)
Ukraine, lviv pb 4317
lviv
null,76224756
UA
Tel. +067.7412714

—————

Update
Joe and I had a look at his spamming technique, and he’s attempting to understand the exploit, where the spammer tricks visitors into spamming for him.

50 Responses to “GooglePray”

  1. Hey, thanks for linking to my articles regarding Umax PPC spam.

    You’ve done a very good write-up here. Hopefully this will help raise awareness of the problem.

    I contacted their hosting company but they’ve been absolutely useless. I did contact google though to report the method that Sid is using to get his sites in to google’s database.

    I’ve given up complaining to the host but I would urge anyone who is angry with the spam to contact the hosting company (which is currently Everyone’s internet). Their email address is abuse@ev1.net. Maybe if they keep getting complaints and bad press, they will do something.

    Thanks for a very useful article. Here’s another link to a forum where they’re discussing this problem.

    http://forum.ev1servers.net/showthread.php?t=54275

  2. Sorry, forgot to add this link as well

    http://www.sitepoint.com/forums/showthread.php?t=249037

    In this thread, someone else confirms what I believe. It does look like these UmaxPPC sites are javascripts designed to spam guestbooks and forums.

    If you visit the sites using Internet Explorer, you yourself will become a spammer. Your browser will run a script that will spam a guestbook. This is why, when I looked at my server logs, the range of IPs that were spamming me are so diverse.

  3. romas says:

    HI.
    I wrote that I just ADD COMMENTS.
    And It not my problem tha YOUR stu[id script not have protect for add easy message. and it not my problem that YOUR script on taylor-arts.com - SEND TO YOUR Email a letter.

    If you soo stupid and have no any idea to protect / update YOUR guestbook script - it`s JUST ONLY YOUR problem.

    NO ANY LAW WRITE THAT GUESTBOOK IS PRAVATE LIKE SMSM OR EMAIL.

  4. Administrator says:

    Guys, that’s the GooglePray spammer above here. I chongqed his domain name, because I don’t want to link to any of his sites.

    His attitude is typical of spammers. I’ll write more in a post later.

  5. [...] dump GooglePray spammer hits back Here’s the comment the GooglePray spammer posted to my first post about him. # romas Says: April 29th, 2005 at 1:15 am [...]

  6. Sid says:

    Neil Taylor (neilt@ihug.com.au) - taylor-arts.com
    You IDIOT

    1.just adds a random number in a box that the user has to type into another box to validate human input.
    2.Since these spambots probably got the url to your guestbook from the search engines just by searching for “Guestbook”, it is also important (whether or not you use junkeater) to rename the folder your guestbook is in and rename the guestbook files to something other than guestbook. Then make sure you put in a robots.txt file in your web root directory that contains this:

    User-agent: *
    Disallow: /myguestfolder/

    This will stop the search engines from indexing your new url to your guestbook, (since you renamed it) then the spambots have a harder time to find it. Don’t forget to change the link on your main page to the renamed directory as well.

    This will immediately stop the spambots. Adding Junkeater to your guestbook will be prudent as well, because it validates that a human is filling out the form by requiring them to enter a random number as well.

    It is very easy to set up, nothing to download, just a couple lines of html code to add to your guestbook, and its free.

    3.These websites just need to implement new ways of protection.

  7. Administrator says:

    That last comment was added from someone with an IP address from Russia. Somehow I doubt that’s really Neil Turner, although he’s added some of his details. Could be an oversight, of course, meaning to use his own website address? He originally came here April 9, searching for UmaxSearch fraud.

    The text of his post is from Ivan’s post on EV1 forum.

  8. Joe says:

    Ah, I wondered how the spammer was able to write so clearly. English is obviously not one of his skills. If that wasn’t the spammer (and in reply to the original post):

    We do not have guestbooks so don’t have this problem. The problem is these spammers are ruining the internet. Many people who run guestbooks don’t clean them, don’t look at them, or just don’t care anymore because they can’t keep up with the spammers. I really don’t see any point in guestbooks anymore since >90% of posts to them are spammers and the remaining posts are rarely important. But many people still have them and even some new sites are adding them.

  9. 2 Admin says:

    The text of his post is from Ivan’s post on EV1 forum.

    IVAN this russian name:) ВАНЯ

    Neil Taylor (neilt@ihug.com.au) - taylor-arts.com
    IDIOT abuse spamer

  10. Administrator says:

    Geez, quit embarrassing yourself, eh?

    That’s either the spammer or some other joker, coming in through an Alestra proxy, trying to convince people Neil Taylor is a spammer.

    Hey joker, do you really think Neil would be able to write Russian? That name you’re writing in Russian would be pronounced Vanya in English. That’s not how Ivan is spelled in Russian.

    This guy comes in from:
    80.237.115.119

    inetnum: 80.237.114.0 - 80.237.115.255
    netname: ISB-NET
    descr: (IR000220) Informational Systems of Buryatia
    descr: Ulan-Ude city, Republic of Buryatia, Russia.

    User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

    He’s also the guy behind the comment from Sid on this same page.

    I don’t know if he’s connected to the spammer.

    Buryatia and Ulan-Ude are right north of China and Mongolia, while Ukraine is north of the Black Sea. Quite far apart, yet the behavior is similarly juvenile. Don’t know what to think…

  11. Administrator says:

    I did some digging. The guy who left messages as Sid and 2 admin originally came in to this site through a search for Dmitry Soldatenko. His IP address can be seen (check Google) as spamming for umaxsearch and pornographic domains.

    He occasionally uses the name
    Sid Wongvorakul

    He likes the Joker registrar, and has his own server on EV1. Hmm, might even be Ivan?

  12. Looks like Sid is upset about something. Someone with the IP address 80.237.115.119 (the same one used by Sid in this forum) has decided to personally spam my guestbook with 26 entries today.

    Ha Sid (if that’s your real name), bring it on. The only reason this test version of the guestbook was published was to gather information on the spammers. Thanks for the data.

  13. Joe says:

    What kind of spam did he leave? Was it the usual or is he just going for vandalism now?

  14. Hi Joe,

    It was simple mindless vandalism. He posted 26 identical entries consisting of my URL. I’m glad he didn’t try to write any original text because his English is baffling. I wish he had a kid in the house who could do the writing for him

    Within a minute, I cleared out all of his spam and added some additional protection to my guestbook.

  15. Administrator says:

    Here’s a guestbook owner who appears to have had enough:
    http://www.berduszek.art.pl/guestbook/addentry.php

    I love Pitr and his comrades, BTW.

  16. Lemat says:

    I think:
    1) there are JS scripts at Sid’s Wongvorakul sites.
    2) entering his sites with IE will cause spam to third party guestbooks.
    3) IP in apache logs belongs to innocent people who accidentally entered the spammer’s sites.

    Prevention:
    4) use non-standard PHP guestbook scripts, addentry.php & ardguest.php names are exploited by this spammer.
    5) use Turing test - an image to read or a problem to solve (1+5=?)
    6) use well secured browser
    7) use rel="nofollow" link attribute or meta noindex,nofollow
    8) send complaints to abuse@ev1 every month/week about this spammer
    9) complain to Google or other search engines.

    I went further:
    My addentry.php script changes behaviour if you POST any data into it. Script will display endless loop in javascript with several alert() warnings. That will certainly warn users (3), that caused spam to my guestbook.

    Thanks to Google guys for blowing his sites rankings!

  17. Administrator says:

    You know, this is all well and good Lemat. But the technical stuff doesn’t solve the problem. It solves the problem for a clueful minority, most of whom wouldn’t use a guestbook anyway. And definitely not an unmoderated one.

    Most site owners who use guestbooks have absolutely no way of adding your solutions. They’re generally clueless.

    The only thing that really works is shutting the spammer down.

    And as for the IP addresses. I can only tell you that the entries in my guestbook are all from the same IP number. Not an innocent third party, but the spammer using a bot of some kind. However, other people might be unlucky enough to have their guestbooks in those scripts, and regularly get innocent third party IP addresses in their logs.

  18. Lemat says:

    There is a way to check whether there is a bot or zombie. Put an image in the HTML, bots won’t bother to download it. Browsers will, and there will be a trace in the logs.
    However if there are bots, I wonder if they have any vulnerabilities like buffer overflow… ;)
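Lemat's image check from comment 18, as an added example that is not part of the original thread: for every POST to the guestbook script, look for a fetch of a marker image by the same address shortly afterwards. It assumes Apache combined log format and a marker image embedded in the page the script returns; the image path and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

POST_PATH = "/guestbook/addentry.php"   # script name mentioned in the thread
MARKER_PATH = "/guestbook/marker.gif"   # hypothetical image in the response page

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+'
)

# Constructed sample lines using documentation-range addresses, not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2005:01:15:02 +0000] "POST /guestbook/addentry.php HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
203.0.113.7 - - [29/Apr/2005:01:15:40 +0000] "POST /guestbook/addentry.php HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
198.51.100.23 - - [29/Apr/2005:02:03:10 +0000] "POST /guestbook/addentry.php HTTP/1.1" 200 512 "http://spam.example.invalid/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.23 - - [29/Apr/2005:02:03:11 +0000] "GET /guestbook/marker.gif?n=8812 HTTP/1.1" 200 43 "http://www.example.invalid/guestbook/addentry.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.50 - - [29/Apr/2005:03:00:00 +0000] "GET /guestbook/marker.gif HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.50 - - [29/Apr/2005:03:05:00 +0000] "POST /guestbook/addentry.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""


def parse(log_text):
    """Yield (ip, timestamp, method, path without query string) per log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def classify_posters(log_text, window=timedelta(seconds=30)):
    """Label each posting address 'bot', 'browser' or 'mixed'.

    A POST counts as rendered by a browser only if the same address fetched
    the marker image within `window` AFTER the POST. An earlier fetch does
    not count. Serve the image with a unique query string or no-cache
    headers, otherwise a cached copy hides a real browser.
    """
    posts, fetches = defaultdict(list), defaultdict(list)
    for ip, ts, method, path in parse(log_text):
        if method == "POST" and path == POST_PATH:
            posts[ip].append(ts)
        elif method == "GET" and path == MARKER_PATH:
            fetches[ip].append(ts)

    labels = {}
    for ip, times in posts.items():
        rendered = sum(
            any(timedelta(0) <= f - t <= window for f in fetches[ip])
            for t in times
        )
        if rendered == 0:
            labels[ip] = "bot"
        elif rendered == len(times):
            labels[ip] = "browser"
        else:
            labels[ip] = "mixed"
    return labels


if __name__ == "__main__":
    for ip, label in classify_posters(SAMPLE_LOG).items():
        print(ip, label)
```

The user agent string plays no part in the decision, since the sample bot lines carry an ordinary MSIE string just like the browser lines.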

  19. Administrator says:

    Yes, Lemat, he’s using bots.

    But I don’t know what kind of bot.

    It might be home made, or it may be any of a number of bots of that type.

  20. Lemat says:

    An idea just came into my head: if the search engine can ban some sites for spam, maybe they could play with the rating of spam-friendly or abuse-less ISPs ? Imagine: entering keyword “Everyones Internet” in google would display 100 entries “ev1 is a spam-friendly ISP” and at 101st “ev1 - Provides cable, high-speed…”
    That would do the trick, search engine is a powerful weapon these days…

  21. Administrator says:

    His bot seems to have been booted by EV1. Check my latest post. Unfortunately they still haven’t booted him from his other EV1 servers.

  22. The Preacher says:

    Here’s an interesting development. Sid (80.237.115.119) just tried to post a comment on my guestbook. It was stopped by the spam filter but here’s what was attempted.

    “Comment: ok. you site delite our database. senks and sorry:).”

    I think what he’s saying is that my site has been removed from his spam database. Definitely good news if it’s true. Now, he just needs to remove all the other sites from his database and the world will once more be a happy place.

  23. The Preacher says:

    Ah, seems that Sid is not only a bottom-feeder, he’s a liar as well. His Umax and Baikal sites are continuing to spam my guestbook.

  24. Taupehat says:

    Good grief, but this guy does get around. He’s at above.net now, and I just had the most interesting discussion with a guy there. His take was that umax is probably there via a reseller, but strongly encouraged me to send an abuse@ email so he could officially get started on the problem. I did.

    I’ve been getting a lot of different URLs pointing to this hoser’s “search” site the past couple of weeks. Time someone took a physical LART upside his head. 2×4 is probably not thick enough. Anyone reading this from the Ukraine wanna help out?

  25. Administrator says:

    His spambot is still at 216.127.68.15. And the latest URL he spammed my guestbook with (today), is on EV1. Check my page on him here:
    http://spamhuntress.com/wiki/The_Umax-search_spammer

    If you’ve got more data to add (IP addresses etc), please do.

  26. Taupehat says:

    Thanks for that. I found umaxsearch was at above.net, but he’s probably still got some business at EV1.

    Anyhow, here are my most-recent (3 days or less) referral catches:

    Cheers

  27. Lemat says:

    Currently Sid/Dmitriy is pissed enough to start a “DOS attack” *) from 64.246.26.137 against my site, abuse@ev1.net was notified, they promised to “start investigation” - bullshit, they were notified about this spammer more than 3 months ago and haven’t kicked him yet…

    *) Don’t worry it isn’t as destructive as Dmitriy thinks - as you see I’m alive ;)

  28. PhantomSteve says:

    Sid/Dmitriy has been spamming my guestbook, all from the same EV1.NET IP.

    Contacting abuse@ev1.net, admin@ev1.net, admin2@ev1.net - all bounced back.

    I have emailed support@ev1.net - with a list of *26* dates/times that the same IP was used.

    I’m even considering ‘phoning them up to talk to them (I’m in the UK, so I need to get a time when I can phone during their opening hours).

    However… I’m guessing from the number of references to this b*****d online that they aren’t willing to do anything…

    What is the legal situation with regard to Everyone’s Internet hosting a spammer… they have to *know* about him, as they have had a lot of emails to their abuse department….

    So, does anyone know how the law in the US can be used against Everyone’s Internet… we all know that if they are shut down then Sid/Dimitriy will move to somewhere else… but if they think the only way not to get shut down is to co-operate with Sid’s address (real, not the TN one), phone number, bank details, etc etc….

    My guestbook (which I am re-coding/re-naming/etc) has *two* options which have to be changed (one is a tick box which is on by default but if it is ticked, the entry is automatically flagged as spam; the other is a drop down box which defaults to a “I am a spamming b******d”) - and both of these *are* getting changed. I dunno how a bot can do that, but it must be happening, because none of his entries have *ever* been flagged as spam.

    It is (as you might gather) a moderated guestbook… so none of these entries have ever got into the guestbook.

    Keep up the good work!

    Regards,
    Steve

  29. Administrator says:

    Well, if EV1 gets shut down, you won’t be able to read news about it here. Because this site will disappear as well. Spamhuntress is hosted on a webhost that has servers on EV1.

    But to answer your question, EV1 knows about the spammer, and tells nobody anything about their plans. I saw spam from the EV1 spam bot just a few days ago, so I don’t think he’s been terminated.

  30. [...] he Legal action against EV1? PhantomSteve is commenting on the Googlepray post about the umax search spammer. Sid/Dmitriy has been spamming my guestbook, all f [...]

  31. PhantomSteve says:

    I finally got a reply from EV1 who said they are dealing with it, but that they would be unable to let me know the outcome for reasons of privacy.

    On a connected issue… I have a couple of very simple (and easily fooled) spam guards… a tick box defaulting to “yes i am a spammer” and a drop down which defaults to a similar message…. my problem is…

    If you change the options on the page and submit, it says thanks… but if they then click on “back”, the page won’t refresh, causing the options to stay the same… is there any way to force the page to refresh every time it is on the screen, even when it’s the result of a “back” click?

    I’ve got the following in the header of my submission page:

    Guestbook

    Any ideas?

  32. PhantomSteve says:

    oops… missed the header details off that one…

    (I’ve put

  33. PhantomSteve says:

    Try again….

    <HEAD>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
    <META HTTP-EQUIV="Cache-Control" content="no-cache, must-revalidate">
    <META HTTP-EQUIV="Pragma" content="no-cache">
    <META HTTP-EQUIV="Expires" content="0">

    </HEAD>

  34. PhantomSteve says:

    Bloody hell… I didn’t mean to leave the TITLE on those…. any SysAdmins able to cut off the title from the last 2 posts?

  35. Administrator says:

    Wordpress is useless if you try to paste in code. If you want to show us some code, please upload a txt file to your own site, then include the link here.

  36. Dani says:

    If you use ardguest PHP guestbook, just use the last version (ardguest 1.7). It already has verification code to prevent automatic submission.

  37. Bob says:

    Thanks for all the great work you guys are doing
    I have recently noticed Idiot Sid/joe/Dmitriy has taken our reports personally; he is now spamming with a message saying that myself and others such as spamhuntress are spamming!
    Here is an example of his post on a guestbook (http://www.lightfeather.net/guestbook.html) which was attacked = Wiki Spammers: bobonit.com, wiki.chongqed.org, spamhuntress.com, spam.gunters.org,
    buffoons.blogspot.com, have been spamming wikis, blogs, or guest books

    I will be adding links to this page and others at my blog story about this problem child: http://www.bobonit.com/html/2005/04/boycott-umax-umax-search-problem.html

    Found this interesting site which has a database full of the idiot’s comments; maybe you guys can figure out the significance? http://fullup.org/gb.dat This is the google cache of the site http://72.14.207.104/search?q=cache:n5qsreJOAToJ:fullup.org/gb.dat+bobonit&hl=en&lr=lang_en

    I do not have the skills you guys have but this looks like a database of remarks the idiot’s bot refers to?

    The attention seems to be affecting him, which is a very good thing. Thanks again for helping to get rid of this childish pest.
    Bob

  38. Giantweed says:

    I am getting hit every 30 seconds by sites looking for my addentry.php guestbook entry page. I deleted my guestbook over 5 months ago but I am getting hit every 30 seconds…what can I do?

    Thanks

  39. FUCK YOU says:

    Why don’t you get a real life and stop posting PROXIED ip address’, I should sue you for slander, these people did NOT spam your blog, and you’re putting their information out there on purpose. You’ve been warned… and just try putting my IP addy out there…

  40. Administrator says:

    For those who are curious - he’s on shawcable. Unusually enough. Usually those who start off with that particular phrase are from Eastern Europe.

  41. I’ve also been suffering from some guestbook spammers lately (understatement of the year…) and have no qualms about posting any IP addresses involved. Firstly, people with compromised/abused systems want to know so they can clean them up. We all realise that spammers will take advantage of any vulnerable IP they can. Secondly, there are some hosts out there that, sadly, seem to host spammers and ignore complaints. Thirdly, many people like to block such addresses, at least until the problem goes away. And as for using that particular phrase, coarse language never helps your case.

  42. Beetljooz says:

    My guestbook was being spammed. I use Advanced Guestbook…of course after researching a little I will be upgrading it to Lazarus when I get the time. I also ran across this blog and found it an interesting read…so looked at the wiki etc. The main reason I want to keep my guestbook (because it was noted above somewhere…why even have a guestbook anymore..?) is rather than give in to the spammers and spambots and let them stop me from having a guestbook I would rather fight back a little. Nothing grand. I did add the code for http://www.auditmypc.com/freescan/antispam.html loop to the bottom of my guestbook. I was just curious if this actually works in gumming up a database with bad e-mail addys? Anyway I enjoyed reading about your dealings with some idjots.

  43. Weasel5i2 says:

    Hello,

    I’ve found that the best way to stay ahead of the spammers is to write your own custom scripts instead of using off-the-shelf guestbooks/wikis/etc.. I just finished writing my own blog! But even so, I still have to fight referral and guestbook spammers constantly. I even sometimes get spam submitted as feedback! I have a few anti-spammer rant pages of my own: http://www.weasel.net/refspammer and http://www.weasel.net/?page=blacklist (emptied recently so I can work on forensic/counteroffensive PHP script experiments).

    I run my own custom version of “Spam Vampire” written in VB.NET, and it’s designed to leverage the very same open proxies the idiot spammers use. I’ve found it to be somewhat effective; I can suck 10+ gigs per day from the spamvertised sites. Fun! (NOTE: DO NOT TRY THIS AT HOME. I DO THIS UNDER THE FULL UNDERSTANDING THAT IT IS OF QUESTIONABLE LEGALITY AND IS THEREFORE DONE AT MY OWN RISK!) It should also be stated, for the record, that I am in no way DOS/DDOSing the sites. Simply downloading.. and downloading.. and downloading.. Hey, I’m simply using the HTTP service which they freely provide to the public! ;-)

    Keep up the good work, SpamHuntress, TaupeHat, Preacher and everyone else! Someday these spammers will go and get a REAL job, like the rest of us. :P

    –Adrian, Austin, Texas USA

  44. Bayan - the accordeon says:

    Fuck You,
    Anonymous cowards like you, that prefer to hide behind idiotic nick names and threaten people with legal actions based on very vague if not shaky grounds are unwillingly funny.

    In case you have something like a brain, try using it for a minute and think about the question why it is a good thing to post open proxy servers. Right, because spammers will use more or less the same proxies. So just by blocking a recent collection of proxies you can make your life easier.

    Regarding your threats: Where did anyone say the people running these servers are the actual spammers? No one did and therefore your “slander” fantasies are toast.

    On another note: Normally I wouldn’t bother, but your mutilation of the word address really hurts my eyes. The plural of address is addresses, even over in Canada. Perhaps a dictionary would help if you struggle that much with English grammar.

  45. Rene says:

    The phone number is located in Cologne. Lots of IT-Companies are there as well…

  46. [...] The evil twin brother’s blog is, as is not hard to guess, a parody of the original. So it imitates certain patterns. Evil Matt therefore answers webmasters’ questions such as “How do you identify Googlebot, kill it and roast it?”. Or he develops the old GooglePray thread: [...]

  47. surfing Life says:

    [...] Or may be you should pray to the Google Gods for their blessings like this guy did in his codes!! [...]

  48. David Kolb says:

    I found a way to block guestbook spammers and bite back at the same time. I plant a trap field that I tell real users to not use. The submit button checks this field to see if anything has been entered and cancels the submit if there is anything. Another defense is to force javascript in order to display the submit button. The last defense is a javascript for the javascript enabled bots that looks for the [/URL=] … [/URL] tags that they use in order to get Google to recognize their link. If they are present in any of the fields the submit is cancelled and the bot is thrown into an infinite loop that pops up an alert message. Spammers are unable to directly access my cgi script so they are only able to submit spam by acting like a real user. The bots have gotten smarter lately and I have found that this seems to work against them.
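The checks PhantomSteve (comment 28) and David Kolb (comment 48) describe, applied on the server to the raw POST body so they hold whether or not the client runs JavaScript. This is an added example, not code from either commenter; the field names and sample submissions are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Hypothetical field names; the thread does not give the real ones.
TRAP_FIELD = "website"            # field real users are told to leave empty
DEFAULT_ON_CHECKBOX = "is_spam"   # tick box that is ticked by default
DEFAULT_SELECT = "poster_type"    # drop-down whose default means "spammer"
SELECT_DEFAULT_VALUE = "spammer"

# Opening or closing BBCode link tag, e.g. [URL=http://...] or [/url].
BBCODE_LINK = re.compile(r"\[/?url\b[^\]]*\]", re.IGNORECASE)


def check_submission(body: str) -> list[str]:
    """Return the reasons a form submission looks automated (empty = accept)."""
    # parse_qs undoes URL encoding, so %5BURL%3D... is seen as [URL=...
    form = parse_qs(body, keep_blank_values=True)

    def first(name):
        return form.get(name, [""])[0]

    reasons = []
    if first(TRAP_FIELD).strip():
        reasons.append("trap field filled")
    # An unticked checkbox is simply absent from the submitted form data.
    if DEFAULT_ON_CHECKBOX in form:
        reasons.append("default checkbox still ticked")
    if first(DEFAULT_SELECT) in ("", SELECT_DEFAULT_VALUE):
        reasons.append("drop-down left at default")
    for name, values in form.items():
        if any(BBCODE_LINK.search(v) for v in values):
            reasons.append(f"BBCode link tag in {name}")
    return reasons


# Constructed sample submissions (application/x-www-form-urlencoded bodies).
HUMAN = "name=Anna&message=Lovely+site%21&website=&poster_type=visitor"
NAIVE_BOT = (
    "name=x&message=%5BURL%3Dhttp%3A%2F%2Fexample.invalid%5Dcheap%5B%2FURL%5D"
    "&website=http%3A%2F%2Fexample.invalid&is_spam=on&poster_type=spammer"
)
# A bot that flips both default controls, as PhantomSteve observed,
# but still posts its link markup.
ADAPTED_BOT = (
    "name=x&message=%5Burl%3Dhttp%3A%2F%2Fexample.invalid%5Dx%5B%2Furl%5D"
    "&website=&poster_type=visitor"
)

if __name__ == "__main__":
    for label, body in [("human", HUMAN), ("naive bot", NAIVE_BOT),
                        ("adapted bot", ADAPTED_BOT)]:
        print(label, check_submission(body))
```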

  49. [...] Interestingly, we’re still buried in Ask, MSN, and Yahoo!. I guess it’s because I’ve been using the GooglePray tag, but have neglected to do my Ask devotions, MSN processionals, and Yahoo! incense. [...]

  50. [...] From the top hat of “the best meta tags ever used”, every now and then I like to pull out some particularly original idea. One of these is without doubt the GooglePray meta tag, which appeared on the pages of a spammer who ended up in Spamhuntress’s by now famous reports. [...]
