Archive for April, 2005

Harvesting addresses from P2P

Friday, April 22nd, 2005

Many users of P2P networks (Kazaa, Gnutella etc) unwittingly share their whole hard drives. Besides confidential information, you’d then be exposing your friends’ e-mail addresses to spammers, because they do look for those kinds of files and download them, resulting in a shitload of spam for everyone on your list.

Read the story

Be careful with the last paragraph on the page there. Any kind of opt-out registry can be misused by spammers, unless certain requirements are met.

Via Anti spam blog

Another pissed off spammer

Friday, April 22nd, 2005

Jay Allen has a notice on his site about a Joe Job done in his name.

Want to see the spam e-mail?

The spammer seems to think MT-Blacklist is responsible for his domain being banned by search engines. What the spammer doesn’t understand is that it’s a cost of doing business if you blogspam!

Via Weblogtools collection

trackback spammed today

Thursday, April 21st, 2005

I got a number of trackback spams today. Later I also found comments from the same spammer.

The spammer posted so many pieces of spam, my mailserver had a bit of trouble. He didn’t keep it going more than a few minutes, but it was pretty intense. I saw samples on another blog earlier today, so he’s probably sending spam to one server at a time until he’s through the list.

These accessed wp-trackback.php directly, which is unusual these days. That’s behavior you wouldn’t see from a real blog, and it can be blocked with a WordPress plugin. It can probably be blocked with an .htaccess rule specifically targeting that file as well.

He’s also accessing wp-comments-post.php directly. That’s how it usually happens, but most browsers also send a referrer. Not all, though. Hmm, hard to block without also blocking legitimate comments.

The trackbacks are part nonsense, part real domain names. One of the domains was probably entered by fluke. The first two pages on 1bc.com were last modified in 1999.

free-online-poker-000.biz on the other hand, belongs to the spammer:

Administrative Contact Name: Yukkii
Administrative Contact Organization: e-leave
Administrative Contact Address1: 3 Connell Dr.
Administrative Contact City: Berkeley Heights
Administrative Contact State/Province: NY
Administrative Contact Postal Code: 07922
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.9082342243
Administrative Contact Email: yukkikunikkennen@yahoo.com

Old acquaintance…

The website isn’t served right now, probably just standard MO. It should be up in less than a week.

Here are the proxy servers:

202.224.241.14
218.199.97.152
61.56.158.158
61.195.167.151
68.85.163.73
216.65.116.18
62.37.236.193

All of them with this header:
[CONTENT_TYPE] => application/x-www-form-urlencoded
Which I’ve also found with genuine trackbacks: MovableType/2.65 and more.

Many of them sporting this header:
[HTTP_MAX_FORWARDS] => 10

And some with VIA headers:
205.132.32.10
[HTTP_VIA] => 1.0 webmail

148.244.223.236
[HTTP_VIA] => webshield.daltile.com.mx

217.97.16.1
[HTTP_VIA] => 1.0 szuwarek.tpnet.pl

Guestbook spammer with blank user agent

Thursday, April 21st, 2005

Guestbook spam info

I’ve got a guestbook spammer hitting me regularly. My guestbook is moderated, so it was only a minor annoyance, until today. Today I found out that somehow my guestbook ate itself. Thousands of pages with junk - virtually nothing on them. I restored an old backup, so it works again. But now I need to keep an eye on that guestbook, and that’s when I noticed the spammer without a user agent.

I’ve got a similar block for trackbacks, so I can use that one:
trackback spam htaccess block

I’m probably going to use it without limiting it to specific files. The guestbook directory has its own .htaccess.
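As an added example (not the blog’s own code or its .htaccess block), here is the kind of triage the two posts above describe, written in Python over constructed request records modelled on the PHP $_SERVER keys quoted in the trackback post. A blank User-Agent is treated as a hard block, as the guestbook post does; a comment posted straight to wp-comments-post.php without a referrer, and the Via and Max-Forwards headers typical of proxied requests, only raise the score, because some browsers strip the referrer and corporate proxies add Via too. The urlencoded Content-Type deliberately carries no weight, since the post notes genuine trackbacks send it as well. The script paths other than the two WordPress ones, the weights and the thresholds are assumptions.

```python
"""Score comment/trackback/guestbook requests for the spam indicators the posts describe.

Added example, not the blog's own code. Records are constructed to resemble PHP
$_SERVER dumps; weights and thresholds are illustrative assumptions.
"""
from __future__ import annotations

# Weights (assumptions): a blank user agent alone is enough to block.
BLANK_UA_WEIGHT = 4
DIRECT_COMMENT_WEIGHT = 1   # browser form post with no referrer: weak, some browsers strip it
PROXY_HEADER_WEIGHT = 1     # Via / Max-Forwards: weak, corporate proxies add them too
BLOCK_AT, MODERATE_AT = 4, 1

# Constructed sample requests (192.0.2.0/24 is documentation address space).
SAMPLE_REQUESTS = [
    {   # constructed: browser comment with a referrer -> looks legitimate
        "REMOTE_ADDR": "192.0.2.10", "REQUEST_METHOD": "POST",
        "SCRIPT_NAME": "/wp-comments-post.php",
        "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux) Firefox/1.0",
        "HTTP_REFERER": "http://example.org/2005/04/some-post/",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
    },
    {   # constructed: genuine trackback from another blog engine (no referrer is normal)
        "REMOTE_ADDR": "192.0.2.20", "REQUEST_METHOD": "POST",
        "SCRIPT_NAME": "/wp-trackback.php",
        "HTTP_USER_AGENT": "MovableType/2.65",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
    },
    {   # constructed: guestbook post with an empty User-Agent (hypothetical script path)
        "REMOTE_ADDR": "192.0.2.30", "REQUEST_METHOD": "POST",
        "SCRIPT_NAME": "/guestbook/sign.php",
        "HTTP_USER_AGENT": "",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
    },
    {   # constructed: comment posted straight to the script through a proxy
        "REMOTE_ADDR": "192.0.2.40", "REQUEST_METHOD": "POST",
        "SCRIPT_NAME": "/wp-comments-post.php",
        "HTTP_USER_AGENT": "Mozilla/3.0 (compatible)",
        "HTTP_VIA": "1.0 webmail", "HTTP_MAX_FORWARDS": "10",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
    },
]


def score_request(req: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one request record."""
    score, reasons = 0, []
    ua = req.get("HTTP_USER_AGENT")          # PHP omits the key when the header is absent
    if ua is None or ua.strip() == "":
        score += BLANK_UA_WEIGHT
        reasons.append("blank or missing user agent")
    # Only the browser-driven comment script is expected to carry a referrer;
    # trackbacks are server-to-server and legitimately have none.
    if req.get("SCRIPT_NAME") == "/wp-comments-post.php" and not req.get("HTTP_REFERER"):
        score += DIRECT_COMMENT_WEIGHT
        reasons.append("comment posted directly, no referrer")
    if "HTTP_VIA" in req:
        score += PROXY_HEADER_WEIGHT
        reasons.append(f"proxy Via header: {req['HTTP_VIA']}")
    if "HTTP_MAX_FORWARDS" in req:
        score += PROXY_HEADER_WEIGHT
        reasons.append("Max-Forwards header (typical of proxied requests)")
    # CONTENT_TYPE application/x-www-form-urlencoded carries no weight on purpose:
    # the trackback post found it on genuine trackbacks as well.
    return score, reasons


def verdict(score: int) -> str:
    """Map a score to an action: block outright, hold for moderation, or allow."""
    if score >= BLOCK_AT:
        return "block"
    if score >= MODERATE_AT:
        return "moderate"
    return "allow"


def triage(requests: list[dict]) -> list[tuple[str, int, str, list[str]]]:
    """Score every request; returns (remote address, score, verdict, reasons) per request."""
    out = []
    for req in requests:
        score, reasons = score_request(req)
        out.append((req.get("REMOTE_ADDR", "?"), score, verdict(score), reasons))
    return out


if __name__ == "__main__":
    for addr, score, action, reasons in triage(SAMPLE_REQUESTS):
        print(f"{addr:<12} score={score} {action:<8} {'; '.join(reasons) or '-'}")
```

The blank user-agent test is the same condition the guestbook post applies in its .htaccess block, just expressed in Python; the proxy and missing-referrer signals are kept below the block threshold so that a reader behind a corporate proxy whose browser strips the referrer lands in the moderation queue rather than being refused.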

Suspended for abuse

Thursday, April 21st, 2005

I’m subscribing to some comment feeds of spammed blogs. Two of them had fresh comments today.

One was for a viagra spammer. Whois info:

NA
NA Donald (Kirkkirkdonald2003@yahoo.com)
+1.5554235234
South Brooklyn, 29th str. 34
New York, NY 10002
US

That e-mail address doesn’t exist, BTW. I think it was misspelled; kirkdonald2003@yahoo.com is an address I’ve seen in this context before.

I checked the website, like I often do, and found that it returned a 403 error disguised as a 404 when I checked it in Sam Spade. I rechecked the spam, and I had the right URL. So, what was wrong?

The whois info reveals that the domain is suspended for abuse. It had these name servers:
ns1.suspended-for-abuse.com
ns2.suspended-for-abuse.com

But I’m suspicious by nature, so I dug a bit further. Whois info for that domain:

Andy Hoffman (andyhoffman2005@yahoo.com)
+2.6524513646
Fax: +2.6524513646
Malibu dr. 19
Panama, UR 98532
UY

Hmmm, known spammer. So, the suspended for abuse thingy is just for show. BTW, I’ve never seen a 403 error when an account has been suspended.

You know, I tried that page in my browser, and THEN it works! I think they’ve blocked Sam Spade! Yep, switch the user agent, and I get access to the page!

I think they’ve devised a tactic to keep me and people like me in the dark…
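The behaviour described above, a site that answers one tool with a 403 dressed up as a 404 page and everyone else with the real page, can be confirmed by fetching the same URL under different User-Agent headers and comparing the status codes. The following is an added example, not code from the post: it runs a small local stand-in for such a site so the check can be exercised offline, then probes it with two user agents. The blocked substring "Sam Spade" and both user-agent strings are constructed assumptions; the page does not quote the real identifier.

```python
"""Detect User-Agent based cloaking by comparing responses across user agents.

Added example, not from the post. CloakingHandler is a local stand-in for the
spammer's site: it refuses one user agent with a 403 whose body looks like a
"404 Not Found" page and serves everyone else normally.
"""
from __future__ import annotations

import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the simulated site blocks any User-Agent containing this substring.
BLOCKED_UA_MARKER = "Sam Spade"


class CloakingHandler(BaseHTTPRequestHandler):
    """Serve a normal page, except to the blocked user agent."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if BLOCKED_UA_MARKER in ua:
            body = b"<h1>404 Not Found</h1>"   # misleading body on a 403 status
            self.send_response(403)
        else:
            body = b"<h1>Welcome</h1>"
            self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_cloaking_server() -> tuple[HTTPServer, str]:
    """Start the stand-in site on a free local port; return (server, base URL)."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def fetch_status(url: str, user_agent: str) -> tuple[int, str]:
    """GET the URL with the given User-Agent; return (status, body) even for HTTP error codes."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def detect_cloaking(url: str, user_agents: list[str]) -> dict:
    """Fetch once per user agent; report per-agent results and whether the status codes disagree."""
    results = {ua: fetch_status(url, ua) for ua in user_agents}
    statuses = {status for status, _ in results.values()}
    return {"results": results, "cloaked": len(statuses) > 1}


if __name__ == "__main__":
    server, base = start_cloaking_server()
    report = detect_cloaking(base, ["Sam Spade 1.14 (constructed)", "Mozilla/5.0 (constructed browser)"])
    for ua, (status, body) in report["results"].items():
        print(f"{status} {body!r:<28} <- {ua}")
    print("user-agent cloaking detected:", report["cloaked"])
    server.shutdown()
```

Pointed at a real URL instead of the local stand-in, the same detect_cloaking call shows the discrepancy the post found by hand: a 403 for the investigation tool and a 200 for a browser string. Comparing the status code rather than the body is what exposes the trick, since the 403 body is written to read like a 404.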

Update
I found one domain registered to this spammer that had this e-mail address:
kollins_fill@yahoo.com
That connects this spammer with at least some of the domains on the server I’m talking about in the Genaholincorporated post. I also noted that I found genaholincorporated spam on the same posts as this spammer, making it probable that it’s the same guy.

I also found some other variants:

no-one
Mister Simpson (imsmith173@yahoo.com)
North Brooklyn, 29th str. 34
no-one
New York, NY 10002
US

Same spammer, same name servers.

ruinn
kate ruinn (kate_ruinn@yahoo.com)
11 chemin du Pla: 11190 Montazels - France - EU
Montazels,
FR

This one’s on the genaholincorporated server.

Spam moving to fax machines?

Thursday, April 21st, 2005

Please read this article about a new bill up for a vote any time now. According to the article writer, it adds an exemption that basically lets anyone send you as many junk faxes as he/she wants. If this thing passes, you might as well turn your fax off NOW!

Junk Fax Prevention Bill of 2005 will LEGALIZE junk faxes!

via de.lirio.us

Pill spam dying down?

Wednesday, April 20th, 2005

A pill supplier has been arrested, along with some distributors and affiliates.

So Brian at Spam Kings is asking if there are
No more refills for pill spammers?

No more anonymous

Wednesday, April 20th, 2005

I was chasing a referrer spammer I’d never seen before. Looked like he was spamming from home:

IP address: 82.46.90.238
82-46-90-238.cable.ubr01.chap.blueyonder.co.uk

He’s been spamming loans and porn. I’ll keep the porn URLs to myself, but here’s a loan site he’s been spamming:
loanfinderuk.com

Always using anonymous whois services. But I found a .us domain, and when I found whois info that appeared more legit, I had something in the back of my mind:

No More Anonymous .us Domains

I bet the spammer never intended for that info to become public:

Registrant Name: elevated enterprises
Registrant Address1: elevated house
Registrant Address2: 33 warden road
Registrant City: bristol
Registrant Postal Code: bs3 1bu
Registrant Country: Great Britain (UK)
Registrant Country Code: GB
Registrant Phone Number: +1.07787572089
Registrant Email: d.rods@eidosnet.co.uk

With some digging, I found an address next door, 31 Warden Road. That part of town is called Bedminster.

One of the affiliate IDs (eh, something like that, anyway) I found in the source of one of his sites was this one: djdrrods. Yuk, the boy’s been busy! Search Google to see what I mean.

By checking out a server he had 28 domains on, I found another version of his contact info (.us domains again):

Registrant Name: m rodwell
Registrant Address1: 15 firework close
Registrant City: bristol
Registrant State/Province: s glos
Registrant Postal Code: bs15 4lt
Registrant Country: Great Britain (UK)
Registrant Country Code: GB
Registrant Phone Number: +1.1173305048
Registrant Email: me@drods.com

The domain he got his e-mail address from belongs to a webdesign firm. And I also found referrer spam for a directory on that domain.

owner: Patrick Hart
organization: Elevation
email: admin at elevationmedia dot com
address: 342-344 Two mile hill rd
address: Kingswood
city: Bristol
postal-code: BS15 1AJ
country: GB
phone: +44 117 9497720

Update
I’ve been wondering about who the actual offender was. What I’ve found since is that the owner Patrick Hart also runs an organization working with troubled teens.

Jon Stokes is the manager of a band, that has Patrick Hart as the spokesman.
Rods or Dj Drods is also a member. I believe this guy is the spammer. Here are photos of him and the others.

There is reason to believe Patrick Hart knew nothing about the spamming, and is concerned about it. He has something to protect, after all.

Second Update
I found the name Mikie Rods on a list of ‘suppliers’ on a page owned by Hostmaster, Adultbouncer, which I’ve seen among the sites the spammer was affiliated with. When I first saw that site, I concluded he had a subdomain, but didn’t own the domain itself. The subdomain was most likely an affiliate deal of some sort. The website I found is not responding right now, but the Google cache I accessed was last updated April 21.

Respamming

Wednesday, April 20th, 2005

I got an e-mail from Etanisla with a comment spam. She got two of these.

cheappaxil.biz
IP: 65.75.189.160
user agent: Mozilla/3.0 (compatible)

I don’t know if they cycle IP addresses and user agents.

I checked Google, and it was spamvertized February 2 this year. So probably doing a second round. What’s weird is that I couldn’t find even one hit on MSN. Usually MSN indexes far faster than Google, which was very evident the day the NeverEverNoSanity worm hit. So I wonder what the explanation is.

Spammers targeting another spam hunter

Tuesday, April 19th, 2005

A spammer (I presume) is targeting Rojisan, who’s behind the push-back website. He’s mostly blogging about webspammers.

So, someone has put up an anti-site and referrer spammed it.

How clever…

Ah, and they’ve even put his details in the whois fields.

Roger, I suggest you transfer the domain out and take control of the domain… They’ve essentially given you the domain name by doing what they did.

I wonder if the one behind the sophomoric prank is Greg Svolos? You wrote about them in this post from February? His site is on that exact same server as the anti-site.

Update April 22
The whois info for the anti-site has been changed. The domain is not in the zone (i.e., not served). The whois info is phony, possibly except for the phone number, a PCS number from New York. I wouldn’t count on it being correct, though.