Archive for May, 2005

camfun2

Sunday, May 29th, 2005

I’ve got a spammer from Germany who keeps coming back. This time he’s on Arcor. Their abuse e-mail is: abuse at arcor-ip.de

He keeps spamming an affiliate ID directly, and the ID is camfun2

What’s interesting this time around (apart from doing it sparingly so as to avoid detection) is that he’s using user agents that might be legit. They look ALMOST legit. Have a look:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Epiphany/1.2.

Yahoo-VerticalCrawler-FormerWebCrawler/3.9 crawler at trd dot overture dot com; http://www.alltheweb.com/help/webmaster/crawler

LEIA/3.01pr (LEIAcrawler; [SNIP])

Update June 12
He keeps coming.

Recent IP numbers:
84.60.204.29
84.60.196.23
84.60.197.58

Russian webmasters

Sunday, May 29th, 2005

I got a referrer in my log. A link that didn’t work. But it led me to this domain:

umaxforum.com

It’s a forum where Russian webmasters talk. If ever there was a time I wished I’d paid more attention in Russian class….

Do we have anyone here who speaks Russian? Apart from the spammers, I mean? I’m so curious if this is a black hat forum, or if it’s relatively innocent…

mylosoft.com

Saturday, May 28th, 2005

Got a poker comment spam, spamvertizing:
mylosoft.com
which pings: 216.195.51.27

That IP number loads searchmeup.com, which belongs to the umaxsearch.com outfit (not to be confused with the umax search spammer). It’s a pay per click outfit.

The payoff is also umaxsearch, ID 31629

Registrant:
Admin support@xmix.net +41.356807670
Enterprise Corp.
katsushika-ku, tokyo 15
tokyo,jp,JP 99999

Administrator:
name: Admin
mail: support@xmix.net tel: +41.356807670
org: Enterprise Corp.

address: katsushika-ku, tokyo 15
city: tokyo
province: jp
country: JP
postcode: 99999

Notice how the e-mail address is from xmix.net? That’s (according to their site) a free webhost, so it’s possible the domain was registered through them, and that some of the info is some sort of whois protection. Very weird though, because the registration for xmix.net is very different, including address and phone number.

Scraper site

Saturday, May 28th, 2005

I got a referrer on annelisabeth from:

thesecuritypro

There IS a link to my site from that page. But the site itself is nothing but a search engine scraper page. It appears Google has banned the domain. It’s mostly linked from other scraper sites. Like:
howtopaks.com
divedch.de

Two payoffs:

1) A numbered link to anrdoezrs.net advertising the “Spam X-Terminator”. The root domain redirects to Commission Junction.
2) Google Adsense:
pub-7164896056230752

Time to pull the plug for Adsense on all those search scraper sites, Google?

Omni spam

Saturday, May 28th, 2005

Dirk found that the Omniexplorer bot IP addresses suddenly emanated referrer spam, and investigated.

I thought I’d explore the areas he hadn’t covered yet.

I found more domains on the IP addresses mentioned. One of the domains was used in a December 2004 guestbook spam run. I’m sure I’ll find more with time.

I also found that Google had blocked a significant number of the domains. The spam run now is for domains they’ve spammed before. Maybe they think they’ll be able to force them into Google? Sorry, that’s a lost cause. They’re not going to relax those bans!

The only thing they can hope for is direct clicks and placement in MSN and Yahoo.

The payoff is a porn network, not sure which (probably adultprovide). The affiliate ID is:
promote

Blocking hqhost

Saturday, May 28th, 2005

I’ve had some referrer spam from this IP number today:
80.77.86.247

It’s most likely a proxy, and since the IP block is thoroughly infested with spammers, I’m denying the whole thing access to my blog.

inetnum: 80.77.86.0 - 80.77.86.255
netname: uaonline-hqhost-cluster
descr: hqhost web/app hosting for US
country: US
admin-c: MS9776-ripe
tech-c: VK1045-ripe
status: ASSIGNED PA
mnt-by: uaonline
source: RIPE # Filtered

person: Soldatov Maxim
address: London, United Kingdom
phone: +380 50 4985406
e-mail: makc@ipipe.net
nic-hdl: MS9776-ripe
source: ripe # Filtered

person: Vladimir Klenov
address: London, United Kingdom
phone: +380 50 4985406
e-mail: maple@ipipe.net
nic-hdl: VK1045-ripe
source: ripe # Filtered

Ants in the computer

Friday, May 27th, 2005

It’s spring in Norway, and we have a bit of an ant problem right now. Just as I was turning the computer on, I saw an ant darting into the computer.

Like most geeks, I usually don’t screw the top on completely, so there was room to sneak in there. I just hope the ant gets out of there before something unfortunate happens, to both computer and ant.

Zahariev’s latest project

Friday, May 27th, 2005

I found a referrer in my log for a domain I hadn’t seen before:

tammynishijima

Right now it’s connected to the oingo parked domain program. And it’s owned by Kalin Stamenov, with Todor’s e-mail address attached. But that was the last thing I checked.

When I saw the IP number it was spamvertized from, I had this uh oh feeling. I guess my subconscious is better at this than my conscious:

82.103.65.225

inetnum: 82.103.65.224 - 82.103.65.239
netname: ZAHARIEV-BG
descr: Todor Zahariev
country: BG
admin-c: TZ32-RIPE
tech-c: TZ32-RIPE
tech-c: TD939-RIPE
rev-srv: ns.spnet.net
rev-srv: purgatory.spnet.net
status: ASSIGNED PA
mnt-by: SPNET-MNT
source: RIPE # Filtered

person: Todor Zahariev
address: Sofia, Bulgaria
phone: +359 2
e-mail: todor@twins-bg.com
nic-hdl: TZ32-RIPE
source: RIPE # Filtered

person: Tatiana Dimitrova
address: Spectrum Net
address: 36, G.M.Dimitrov blvd.
address: BG 1797 Sofia
address: Bulgaria
phone: +359 2 9867481
fax-no: +359 2 9657646
e-mail: taniad@spnet.net
nic-hdl: TD939-RIPE
mnt-by: SPNET-MNT
source: RIPE # Filtered

% Information related to '82.103.64.0/18AS8717'

route: 82.103.64.0/18
descr: Spectrum NET PA space
origin: AS8717
mnt-by: SPNET-MNT
source: RIPE # Filtered

I found a number of accesses from that IP number, starting from May 13. Not spam, but clearly a bot. Then yesterday there was a fake Google referrer, and the user agent changed to:
MSIE 5.0

And there are no identifying marks at all on the headers.

Block the IP number.
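Both the hqhost post (deny a whole /24 because the block is infested) and this one (a known bot IP that switches to a fake Google referrer and a bare “MSIE 5.0” user agent) come down to the same chore: scan the access log, decide which hits are spam, and turn the verdict into deny rules. The script below is an added example written for this page, not code from the blog. It parses Apache “combined” log lines, matches source IPs against the two inetnum ranges quoted above (80.77.86.0/24 and 82.103.65.224/28), flags the search-engine-referrer-plus-bare-user-agent pattern as a generalisation of what the post describes, and emits Apache 1.3/2.x `Deny from` directives. The log lines, the 192.0.2.x and 198.51.100.x addresses, and the .invalid hostname are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of Apache "combined" log lines; none of these are the blog's real logs.
SAMPLE_LOG = """\
80.77.86.247 - - [28/May/2005:10:14:02 +0200] "GET / HTTP/1.1" 200 4123 "http://spamvertised.invalid/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
82.103.65.225 - - [13/May/2005:03:40:55 +0200] "GET /index.php HTTP/1.0" 200 9981 "-" "-"
82.103.65.225 - - [26/May/2005:08:01:11 +0200] "GET /archives/2005/05/ HTTP/1.0" 200 9981 "http://www.google.com/search?q=tammynishijima" "MSIE 5.0"
198.51.100.9 - - [27/May/2005:09:12:40 +0200] "GET / HTTP/1.0" 200 4123 "http://www.google.com/search?q=annelisabeth" "MSIE 5.0"
192.0.2.44 - - [28/May/2005:11:02:30 +0200] "GET /about/ HTTP/1.1" 200 2210 "http://www.google.com/search?q=annelisabeth" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
"""

# Apache combined log format: ip ident user [time] "request" status size "referrer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Ranges taken from the whois inetnum lines quoted in the posts:
# 80.77.86.0 - 80.77.86.255 (hqhost) and 82.103.65.224 - 82.103.65.239 (ZAHARIEV-BG).
DENIED_RANGES = [
    ipaddress.ip_network("80.77.86.0/24"),
    ipaddress.ip_network("82.103.65.224/28"),
]

# Heuristic (my generalisation of the post): a search-engine referrer is only plausible
# from a real browser, which sends a full User-Agent. A bare token like "MSIE 5.0", a
# lone "-", or an empty agent next to a Google/Yahoo/MSN referrer is treated as forged.
SEARCH_ENGINE_REFERRER = re.compile(r"^https?://(www\.)?(google|yahoo|msn)\.\w+/", re.I)
BARE_AGENT = re.compile(r"^(MSIE [\d.]+|-|)$")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ip"] = ipaddress.ip_address(entry["ip"])
    return entry


def in_denied_range(ip):
    return any(ip in net for net in DENIED_RANGES)


def is_fake_search_referrer(entry):
    return bool(SEARCH_ENGINE_REFERRER.match(entry["referrer"])) and bool(BARE_AGENT.match(entry["agent"]))


def classify(log_text):
    """Map each suspicious source IP to the set of reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if in_denied_range(entry["ip"]):
            reasons.append("denied-range")
        if is_fake_search_referrer(entry):
            reasons.append("fake-search-referrer")
        if reasons:
            flagged.setdefault(str(entry["ip"]), set()).update(reasons)
    return flagged


def htaccess_deny(flagged):
    """Render mod_access directives: whole ranges first, then single IPs not already covered."""
    lines = ["Order Allow,Deny", "Allow from all"]
    for net in DENIED_RANGES:
        lines.append(f"Deny from {net.with_prefixlen}")
    for ip in sorted(flagged, key=ipaddress.ip_address):
        if not in_denied_range(ipaddress.ip_address(ip)):
            lines.append(f"Deny from {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = classify(SAMPLE_LOG)
    for ip, reasons in sorted(hits.items()):
        print(f"{ip:16} {', '.join(sorted(reasons))}")
    print()
    print(htaccess_deny(hits))
```

On the constructed sample the Firefox visitor from 192.0.2.44 is left alone even though it carries a Google referrer, the two range hits are covered by the CIDR lines, and 198.51.100.9 gets its own `Deny from` because it shows the forged-referrer pattern without living in a listed block. Keep the whole-range denies to ranges you have actually looked up; a single bad hit from an ISP’s dynamic pool is a reason to block the address, not the netblock.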

Reverse Microsoft hijacking

Thursday, May 26th, 2005

I found a comment spam on a PHP-nuke site that had a typical dynamic IP site owned by Angelsfucked on this domain:

unixbrewers.org

When I loaded it, it was a Microsoft site!

So I checked the IP number:
207.46.20.30
Update June 15: 207.46.199.30
Within the official Microsoft IP block.

But, the whois info does not look like Microsoft:

Domain ID:D106126546-LROR
Domain Name:UNIXBREWERS.ORG
Created On:20-Apr-2005 23:48:03 UTC
Last Updated On:25-May-2005 06:52:44 UTC
Expiration Date:20-Apr-2006 23:48:03 UTC
Sponsoring Registrar:Direct Information PVT Ltd. (R27-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:DI_1375975
Registrant Name:Nudilov, Aleksey
Registrant Organization:Nudilov
Registrant Street1:Dnepropetrovsk, Dn 45201
Registrant Street2:
Registrant Street3:
Registrant City:Dnepropetrovsk
Registrant State/Province:
Registrant Postal Code:2323434245
Registrant Country:UA
Registrant Phone:+076.34323871
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: nudilov@eblja.com

Name Server:NS.KYED.COM
Name Server:NS.PEYTZ.COM

(The name servers belong to a Danish dns service. I’ll contact them and ask them to cut him from the zone. I know they don’t like spammers any more than I do… Update Jun 15. Unfortunately, the server is still using their services. Can’t believe it, but it’s true. Get a clue, boys! )

Created On:20-Apr-2005 23:48:03 UTC
Last Updated On:25-May-2005 06:52:44 UTC
Expiration Date:20-Apr-2006 23:48:03 UTC
Sponsoring Registrar:Direct Information PVT Ltd. (R27-LROR)

You know what I think?

I think this is a reverse hijacking! The owner of the domain name wants people to think it’s an honorable site, so he’s redirected it to a Microsoft page. But it’s not. It’s owned by a spammer!

Google’s cache of that site (the root site) contains links to dynamic IP sites within IP numbers used by Angelsfucked.

Search google for that domain, and you’ll see that the spammer has been VERY busy spamming his fake dynamic DNS sites lately!

New spammers

Thursday, May 26th, 2005

Rojisan dug up some new stuff that worries me. Check out the solicitation for a blog submitter.

If you click on one of the bidders who already had software suited for that, you can see some rather disturbing other bids.

Apparently, what we’re doing isn’t enough. We’re not getting through to the webmasters who are looking to get this done. Do you guys have any ideas as to how we could educate prospective black hat webmasters so they don’t go down that road?

I see new spammers crop up all the time. The worst ones are those who continually barrage the internet with porn, gambling and pills, but there are spammers within other areas as well. I mean, spamming for Adsense? Come on! But, it happens…