Archive for April, 2005

Suspect bots

Tuesday, April 19th, 2005

I’ll put bots I find that I haven’t found an explanation for here. These are mostly recent hits to my sites:

IP address
203.144.160.242
caching1-true.asianet.co.th
User agents:
Shockwave Flash
Mozilla/4.0 (compatible;)

—————-

IP Address:
217.159.201.143
User agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; (R1 1.5))

Fetched 100 pages from a friend’s site in less than 2 minutes. Kept going after being banned.

The IP number only has one site on it, that’s got a password protected home page: bulletrehosting.com

The DNS server is on Atrivo’s net, no known sites on the same IP number. The e-mail address in the whois info doesn’t work - domain name inactive. And finally, the address in the whois info suggests the company is incorporated in a tax haven. What are they doing? No clue.
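The two signals described above (a client pulling 100 pages in under two minutes, and one that keeps requesting after it has been banned) can be picked out of an ordinary Apache access log. The script below is an added example, not code from the blog; the log lines it runs on are constructed, the ban is assumed to show up as 403 responses, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format, timestamps like 19/Apr/2005:10:15:02 +0000
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Parse one combined-format line into (ip, timestamp, status, user agent); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status")), m.group("ua")

def burst_ips(lines, max_requests=100, window_seconds=120):
    """IPs that issued at least max_requests inside any window_seconds span (sliding window)."""
    by_ip = defaultdict(list)
    for ip, ts, _, _ in filter(None, map(parse_line, lines)):
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0                          # oldest request still inside the window
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_requests:
                flagged.add(ip)
                break
    return flagged

def persist_after_ban(lines, min_after=5):
    """IPs that keep requesting after they start receiving 403s, i.e. ignore the ban."""
    banned, after = set(), defaultdict(int)
    for ip, _, status, _ in filter(None, map(parse_line, lines)):  # log in time order
        if ip in banned:
            after[ip] += 1
        elif status == 403:
            banned.add(ip)
    return {ip for ip, n in after.items() if n >= min_after}

def sample_log():
    """Constructed log: one client fetches 120 pages in ~100 s and carries on after being banned."""
    t0 = datetime(2005, 4, 19, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET /page{n}.html HTTP/1.0" {st} 512 "-" "{ua}"'
    lines = [fmt.format(ip="192.0.2.10", ts=t0, n=0, st=200, ua="Mozilla/5.0 (X11; Linux)")]
    for n in range(120):
        lines.append(fmt.format(ip="217.159.201.143", ts=t0 + timedelta(seconds=n * 0.83), n=n,
                                st=200 if n < 80 else 403, ua="Mozilla/4.0 (compatible; MSIE 6.0)"))
    return lines
```

Run it against a real log by passing `open("access_log")` instead of `sample_log()`; the user agent is returned by `parse_line` so odd values like "Shockwave Flash" can be grouped in the same pass.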

Guestbook spammer’s bot?

Tuesday, April 19th, 2005

Guestbook spam info

I caught an IP address from Atrivo accessing a non-existent page in my guestbook on annelisabeth. Wondered why on earth. But it soon became clear when I checked my logs for that file. It had been accessed three times.

1) Googlebot
Google then put it in the index, even though the page is blank.

2)69.50.176.146
On Atrivo’s network. Which usually means spammer’s lair.
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.20 [en]

3)80.227.56.42
On dubaiinternetcity.net’s net, which practically guarantees it’s an open proxy
User Agent: Opera 7.51

My guess: The second access was a spambot searching Google for possible guestbook spam targets.

The Atrivo bot returned the next day and downloaded my cat diary category and the January archives over and over.

Eugene Blagodarny - porn spammer

Monday, April 18th, 2005

I’ve been keeping an eye on some porn spammers. Some usually leave trackbacks with sites on dynamic dns servers. This one however used comments.

I followed the trail of one such site (from dyndns site to the site it redirects to via JavaScript), and ended up on the same server as Eugene Blagodarny’s advanced-submitter. It’s exactly the kind of software used for spamming the blogs.

So, my question is, do all the sites on that server belong to Eugene Blagodarny, or just the two connected with his submitter software?

Oh yes, he’s got something to do with it. Might even be his. The e-mail address used for registering the porn domains is from a domain registered by Eugene.

Mark Bosner is often the name associated with the domains, when there’s someone associated with them at all.

But since the e-mail address given for those domain names resolves to Eugene’s own e-mail address (VRFY is disabled on most mail servers, but this one was sloppy…), I think we can bypass Mark Bosner easily:

Yep, unless Eugene is fronting for someone else, he’s a spammer himself.

I trust that wasn’t a big surprise?

Posts in other blogs about the same topic:
1, 2, 3, 4

Smutty redirect codes

Sunday, April 17th, 2005

I found a forum that had been spammed to pieces. It’s one of those old wwwboard forums that should be wiped off the face of the net. They’re way too insecure, way too hard to moderate, and favored by spammers. And here’s one of the reasons.

When I accessed posts on that forum, I’d usually be redirected to some smutty page. In fact, I’ve seen one such forum that had the redirect code in the subject field of one of the posts. So just loading the forum index itself would get you transported to a smutty page.

Anyway, I’ll detail some of the code here. Since WordPress tends to munge the code, I’ll use a text file in an iframe:

Update
I discovered some that tried to load one of the pages referenced in the text file. Turns out some versions of Internet Explorer try to execute at least some of the code in the text file when it’s served within an iframe. That can’t be good! I mean, in an html file, sure, but not from a TEXT file! Good thing I replaced the real URLs with examplesite - they won’t work.

If you have this problem, you’ll see the frame where the text file should have been as empty space. Solution? Go download Firefox, and switch to that browser.

Oops, Ardice Adwords

Saturday, April 16th, 2005

Remember I was fuming over the blatant Yahoo groups spam from Ardice.com?

They haven’t been banned from Google, and I think they should…

But imagine my surprise when I found ads on my blog from Ardice! I’ve got adsense running, and happened to check the URL of one of them. I didn’t notice until I’d right clicked and copied the URL of one of them (so I don’t trip a click, don’t want to defraud Adsense). There was no URL visible in the ad. It was an ad for free blogs.

Well, I’ll add them to the ads I don’t want displayed.

And Google, how about that ban?

Dyn dns spam rampant

Friday, April 15th, 2005

I started tracking a spammer that primarily uses dynamic IP (also called dynamic dns) services for his spampages. Those then feed his primary pages with proper domains, which in turn feed affiliate schemes.

While tracking this I came upon other spam also using dynamic IP services.

The problem is rampant!

Some providers are on the ball and disable all subdomains they come across. Others are useless. And all shades in between.

So I’m going to suggest something for the providers:

Set aside at least a day each month, or a few hours a week to go after spammers. Use Google and search for your domain names. Add blog after the domain name, and then look at what you get. As you find prolific spammers, exclude those subdomains from the next search and keep going. Check if the subdomains are active, then put those that are on a list for deactivation. Keep a log of what you do so it’s easy for someone else to get up to speed.

Then, the next phase would be to try and identify spammers based on user agent, IP number etc. Try and block them from opening new accounts, or keep a trace on them and disable as fast as they open. You could also feed them a poisoned cookie. There’s a lot you can do…

Forum profile spam

Thursday, April 14th, 2005

Here’s an example of forum profile spam in action:
play pool

The spammer registers user names in the beginning of the alphabet, populates the URL field with his spam, then leaves.

And of course even better for the spammer, the forum has been closed because they couldn’t moderate it effectively enough.

Another example from the same spammer:
macmerc.com.
Update: I noticed a referer from macmerc and rechecked the page I’d linked to. The profile is gone! Not only that, but the admin seems to have removed any other profiles left by the same spammer!

This is the same spammer that’s behind that whitebear nonsense that redirects to this site.

Forums and other sites that let people create profiles need to use captchas. Not only that, but making the profile pages and member pages unavailable to search engines might also help keep the spammers away.

Spamlookup

Thursday, April 14th, 2005

Gunters has a good writeup on Spamlookup, a plugin with impressive features for MT.

It basically does a lot of checks on comments and trackbacks. It’s been said that some ideas may have come from WP’s Spam Karma.

Also look at Brad Choate’s writeup on it.

In one of the posts there was a mention of Ask Bjørn Hansen’s Blog Spam Blocklist. Sounds Scandinavian?

Spam script in tailspin

Thursday, April 14th, 2005

Most of us regularly get referrer spam for a certain DVD copying software site. BTW, don’t ever pay for that product, it’s allegedly a knockoff of a free tool. If you need something in that vein, go with DVD Shrink. Free, and it works.

Anyway, the last week or so, the referrers have gotten increasingly weird. First it revealed what looked like the path to the script, then that changed. All of these produce 404 errors, BTW.

Then, finally, it not only tells the path to the script (cgi-bin/cloaker.pl), but also keeps repeating a directory structure ad nauseam.

Excuse me while I gloat…

How to get your blog banned for spamming

Thursday, April 14th, 2005

I was searching for something, and came across a post mentioning a tool suspected for spamming. That site is actually no more than a few videos detailing a rather simple process (for us bloggers).

I did some checking on it, and finally found another tool that says it’s automating this process. I’ve renamed it:

How to get your blog banned for spamming

Blogging IS a great way to get your stuff indexed by search engines. They love blog content. It gets updated often, so the robots come check every day.

But making spammy blog posts is something that’s getting more and more risky these days. You could get your blog yanked by Blogger, or your domain banned by Google.