Archive for April, 2005

Block for VIA headers

Tuesday, April 26th, 2005

I’ve devised a block that will block many proxy servers. Not all, but many. Problem is, it also blocks regular people who use a proxy as part of their ISP setup.

This block could be useful for dropping in during a prolonged comment spam run, like the one I had yesterday.

But Spam Karma would probably do a better job. Or even the built in blacklist in WP!

So, given the disclaimers and warnings, here it is:

Another trackback run

Tuesday, April 26th, 2005

The spammer from yesterday is at it again. This time it’s trackback, and the domain is shaffelrecords.com

——————

I strongly suggest having a look at my trackback solutions. The WP trackback block contains a line that blocks the majority of his attempts, since he’s still using a list of collected user agents - only a few will slip through. I’ve added one more line that will block a few more. The first two SetEnvIf lines should take care of this spammer for now.

Another approach is blocking direct POST to the trackback script. Works for WP.
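As an added example (not the author’s own block, which is not reproduced on this page), the following Python script applies the three signals these two posts describe to a few constructed Apache log lines: a direct POST to wp-trackback.php, the scripted WinHttp user agent, and the presence of a Via header. The Via signal only marks a request for review, since, as the VIA post notes, ISP proxies set it for ordinary readers too; the log format with the Via header appended as an extra quoted field is an assumption.

```python
import re

# Constructed sample lines (not from the original post): Apache combined log
# format with the request's Via header appended as one extra quoted field.
SAMPLE_LOG = """\
10.0.0.1 - - [25/Apr/2005:10:01:12 +0200] "POST /wp-trackback.php?p=12 HTTP/1.1" 200 14 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
10.0.0.2 - - [25/Apr/2005:10:02:40 +0200] "POST /2005/04/post-title/trackback/ HTTP/1.1" 200 14 "-" "WordPress/1.5" "-"
10.0.0.3 - - [25/Apr/2005:10:03:05 +0200] "GET /2005/04/post-title/ HTTP/1.1" 200 9431 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "1.1 DRP-CACHE-7-B (NetCache NetApp/5.6.1D21)"
10.0.0.4 - - [25/Apr/2005:10:04:30 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "1.1 DRP-CACHE-7-B (NetCache NetApp/5.6.1D21)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<via>[^"]*)"$'
)
# The scripted agent seen on the trackback spam; a SetEnvIf User-Agent line
# in .htaccess can key on the same string.
SCRIPT_UA_RE = re.compile(r"WinHttp\.WinHttpRequest", re.I)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def signals(entry):
    """Return the set of spam indicators present on one parsed request."""
    found = set()
    # Real blog software posts to the rewritten /.../trackback/ URL, so a
    # POST aimed straight at wp-trackback.php is the "direct POST" case.
    if entry["method"] == "POST" and entry["path"].split("?")[0] == "/wp-trackback.php":
        found.add("direct_trackback")
    if SCRIPT_UA_RE.search(entry["ua"]):
        found.add("collected_ua")
    # Via means a proxy forwarded the request. Open proxies are abused, but
    # ISP caches set it for ordinary readers too, so it is only a hint.
    if entry["via"] not in ("", "-"):
        found.add("via_proxy")
    return found

def decide(entry):
    """'block' on either hard signal, 'review' on Via alone, else 'allow'."""
    s = signals(entry)
    if s & {"direct_trackback", "collected_ua"}:
        return "block"
    return "review" if "via_proxy" in s else "allow"

def scan(log_text):
    """Pair each parseable log line's client IP with its decision."""
    return [(e["ip"], decide(e)) for e in map(parse, log_text.splitlines()) if e]
```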

————-

whois info for that domain name:

NA
NA NA (shaffelrecords.com@gmail.com)
Str. 6 Bay Pkwy
Brooklyn, NY 11204
US

DNS servers:
Name Server: NS1.SUSPENDED-FOR-ABUSE.COM
Name Server: NS2.SUSPENDED-FOR-ABUSE.COM
ns1.dns2007.net
ns2.dns2007.net

Registrar: Enom/NameCheap

This marks the spammer as the same we’ve seen earlier. The e-mail convention is also the same as we’ve seen this past week. This spammer used Yahoo mail before - only a few different accounts. He seems to be trying to hide his tracks now.

A mail harvester visits

Monday, April 25th, 2005

I had a visitor from Missigua Locator 1.9 over the weekend.

Came from 67.159.3.190 on April 24. Kept going for 8 hours, without being too aggressive. It displayed typical bot behavior, including trying to load my feed without removing feed: in front of the URL, triggering a 404.

I loaded the IP number as a website. Title is:
Top 10 Search engine placement _ Need Web Traffic?

But the only visible content is a green background and a simple form field/submit with this text above it:
To be removed, enter your email address below and click REMOVE

My guess would be - e-mail harvesters.

Someone else also had a visit from such a bot around that time, but from 69.115.135.243 (offline right now).

I would guess the bot has gobbled up all the spammer addresses by now?

Proxy servers misused

Monday, April 25th, 2005

For the first time, I’ve found a misused proxy server on the EV1 datacenter. That’s highly unusual. Probably a colocated server. Owner and webhost notified. Will post IP address if it isn’t secured quickly.

We need to get a bit more awareness started here. Journalists, how about writing some articles if we can track down some servers in your ‘jurisdictions’?

Update
There’s a DSL line in the UK, housing a webserver. It’s been misused for the trackback spam run (which seems to be over on my site). I haven’t seen it for the comment run so far - it’s still running.

To those who use DSL lines for webservers, mailservers etc.: chances are excellent you’ll misconfigure the software, and consequently aid and abet spammers. They scan for systems to misuse!

Update
207.107.115.6 is being misused by the spammer while comment spamming. It belongs to http://www.freedom.net/, who are providing anonymizing services. My guess would be that they failed to secure their services so it only could be used with their software. Tsk, tsk…

Trackback run stopped by .htaccess block

Monday, April 25th, 2005

Judging by my error log, there’s a pretty huge trackback run currently underway.

I’ve blocked certain untypical user agents, so they’re not getting through. Except for one that circumvented the block.

It’s the spammer below. Accessing wp-trackback.php directly. Looks like the same script as Yukkii used before.

Poker comment spam run

Monday, April 25th, 2005

I’m getting a rash of comment spam to this site. They trip the auto-moderation feature of WP, because of all the links. Update: Trackback run just started as well.
Second update: The comment spam run is still going. They’re pacing it, so it won’t trigger any bans based on frequency. I’ve received 32 comments so far (all moderated), because I can’t figure out how to ban this one! If he doesn’t give it up, I’ll have to install Spam Karma! Uh, looks like he’s hitting every one of my posts, starting a month ago. He’s up to April 14 now, so I expect this to keep going for a while. Grrr…

Random IP addresses and user agents.

Sites are on:
land.ru
newmail.ru

I found ONE link on one of those sites, and it belongs to:

Donald, Kirk
NA NA (mamugs.net@gmail.com)
NA
South Brooklyn, 29th str. 34
New York, NY 10002
US

Registered on Enom, with name servers from:
PROJECTX7.COM
The first name server is on the same IP number as the website:
205.234.145.232

That domain name is owned by:
Stilman, Bred bredstilman@yahoo.com
Novodvorska 13
Ljubljana, SI 1000
Slovenia
12301274

All IP numbers are on scnet.net, which is in HostForWeb Inc.’s IP block.

The name Kirk Donald has been used by spammers before. Can’t say for sure that it’s the same spammer. Time will tell, I guess.

Update
It’s the same spammer that Nick from Threadwatch was bitching about a few days ago, according to the whois info patterns.

The ethics of spamming

Saturday, April 23rd, 2005

A good friend asked me yesterday to help him write a how-to text in English on salvation. So I said sure, what are you going to use it for? Maybe an existing text could be used, if this was for a friend?

So he tells me that he’s going to send it to people all over the world. By now my ears are getting perked, and I ask exactly how he’s going to send them. So he says by e-mail. And I ask how he’s getting the addresses? He says he’ll be collecting them on the internet.

Uh oh!

At this point I tell him I can’t do it, and then I launch into explaining that it would be spam, no matter that his intentions are good. And he says he won’t do it, and thank you for explaining it.

After this experience, I can easily imagine how a lot of people might rationalize spamming to themselves. They may not realize what they’re doing is criminal, and even after they’ve been told it is wrong, they tell themselves it’s for a good cause.

I mean, getting people in touch with God could be argued as a very good cause!

But I had a few lightbulb moments in ethics class at uni (I have a masters in theology), and one of the main points is that ‘the ends justify the means’ won’t hold up. Doesn’t matter how good the cause is, if you have to make yourself a criminal to do it. Just look at Roy Giles for an example of how slippery that slope is. He starts out as a preacher, starts spamming, and ends up asking for criminal software in forums. Tsk tsk.

But for this guy, I feel obligated to figure out a way for him to do exactly what he wanted to do, but not via e-mail, and within ethical guidelines. I have figured out a way, a way that wouldn’t work for anything but an extremely good cause. If he goes for it (huh, I’m sure I’d have to do most of the work, but it’s a good cause..), I’m sure I’ll write about it here.

Update: Haven’t heard more from him. Either he’s forgotten about it, or done it without my help.

Casino spammer

Friday, April 22nd, 2005

Got hit by a trackback spammer on annelisabeth today. Just one. And he’s left a few comments before. Not enough to be a nuisance, but enough to establish a pattern.

IP addresses:
first: 81.218.241.143
bzq-218-241-143.red.bezeqint.net
now: 82.80.40.210
bzq-80-40-210.red.bezeqint.net

Those servers are in Israel

He’s using blogspot, and one domain with whoisprotection (GoDaddy). The domain name is not in the zone (ie, not served).

He appears to have yet another website (images hosted on a domain name), web-tfx.com. That site is on a bezeqint server:
82.80.252.53
bzq-80-252-53.dcenter.bezeqint.net

It appears to be for sale. Javascript reveals the minimum price is over 10.000 dollars. I’d consider that a joke. Or rather, a fake for sale sign.

Another site is on:
62.219.82.1
cust-219-82-1.cust.bezeqint.net

The posts on one of these blogs are entered by Ertha Kitt.

User agents:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
trackback:
Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Header: HTTP_VIA=1.1 DRP-CACHE-7-B (NetCache NetApp/5.6.1D21)

This spammer has many domains. Many of the domains end in this: -tfx.com
Any idea why? I did find one domain on a server that appears to have sites only belonging to the spammer.

Gehl, Chaim support@trafix-ltd.com
Trafix-Computing Services LTD
6th Uri
Tel Aviv 64684
Israel
0544573249 Fax — 035223077

The dialing prefix given on another domain was: +972

Hmm, I guess now I know what tfx stands for…

They’re moonlighting as SEO professionals as well:
http://www.trafix-ltd.com/

I guess prospective customers should be aware that they’re also spammers?

Another Israeli site says about them:
This young company is moving forward in the area of Web Site Marketing, particularly in the area of Online Gambling. The site provides visitors with a clear path for understanding how the whole web site marketing process works.

BTW, here’s another spamrun from them today.

Photo of a spammer

Friday, April 22nd, 2005

Remember the referrer spammer I talked about two days ago?

Meet Rods aka Dj Drods

Some more photos from a community radio for Bristol. The spammer goes under the name Mikie Rods.

Recognize him?

Disclaimer: The spammer is using that same domain name, and using a version of his name as an affiliate ID. I can’t know for sure if it’s really him or someone abusing his identity.

Massive trackback run

Friday, April 22nd, 2005

Nick W. of Threadwatch got a massive trackback spam run that got him lusting for revenge.

If any of you got hit by a spammer spamvertizing ace-decoy-anchors.com and have more tracking data, please comment here or there. I doubt this one’s easy to track down, he’s been at it a bit too long for that. But any break would be appreciated, if only a way to nail him every time he tries (a good block for instance).

I’d also like to compare him to the trackback spammer I got hit by yesterday.