Archive for May, 2005

New trackback run

Thursday, May 26th, 2005

There was a new trackback run tonight. Lots of 403’s in my log, and two managed to punch through. I’ll delete them tonight.

Anyway, the specifics:

Rolling user agents and proxies.

URL:
illcom.com

pings:
193.124.133.138

Registered at Namecheap by:

NA NA (denise.yeager@gmail.com)
NA
Fax:
NA
null
New York, NY 10002
US

Name Servers:
ns1.the-dns.net
ns2.the-dns.net

I’m unsure what the payoff is. Can anyone help me figure that out?

New spammer - best info

Wednesday, May 25th, 2005

I’ve found a new spammer. A very careful one. Not tracked him down, but hopefully caused some grief…

Best Info

Our Bulgarians?

Wednesday, May 25th, 2005

I read Rojisan’s blog regularly, and one thing stuck out in his post today:

He’s apparently buying my (and your) sites on a target list from a Bulgarian outfit

I just wonder if these are “our” Bulgarians, the Zaharievs? I don’t know of any other Bulgarian blog spammers, so that’s technically a distinct possibility?

TMC Financial Services

Update: So far I don’t know if there’s any connection between the list sellers and our guys. Unless I can uncover something, probably not. And the software appears to be off the market for now.

PHP-nuke quick fix

Tuesday, May 24th, 2005

I’ve noticed that some PHP-nuke sites have word filters. And when those filters get tripped, they break URL’s.

So my suggestion is to load those puppies up with as many rude words and permutations of rude words as you can, to at least break some links while you clean up the mess left by the spammers.

Shutting down comments for the duration would work too (note, I haven’t used PHP-nuke, so don’t know what that would take).

What’s the rate of blogspam now?

Tuesday, May 24th, 2005

I’m starting to wonder if maybe there’s a lull in blogspam right now. We’ve gone after the spammers relentlessly for a while, and at the same time the spammers have gone after PHP-nuke installations really badly.

I obviously can’t use myself as a gauge for this, because of what I do.

So I’m asking you guys. How does it look on your end? Different software, different types of blogs?

Omni Explorer gobbles 300 megabytes

Monday, May 23rd, 2005

Analysis of Omni-Explorer

I had the Omni Explorer on one of my sites a few days ago, and thought it was aggressive.

Unfortunately I didn’t do anything about it.

Yesterday it hit NativeCelebs. That’s a HUGE site, and the bot proceeded to gobble up (according to Awstats) 304.24 MB.

I checked the raw log, and that IP number didn’t hit my site until
[22/May/2005:09:17:08 -0400]
and stopped
[22/May/2005:10:37:26 -0400]

IP number:
64.71.131.121 (nativecelebs)
64.71.131.120 (spamhuntress)
User agent:
OmniExplorer_Bot/1.07 (+http://www.omni-explorer.com) Internet Categorizer

If you’ve got a large site, block it fast!

I had similar hits before (just a few)
64.62.175.131
OmniExplorer_Bot/1.09 (+http://www.omni-explorer.com) Cars Crawler

I’ve had one access from that IP block before:
64.71.131.107
A normal browser UA, but didn’t load any extra files. Had a referrer from a site that links to me and went after the spampop page. Must have been a bot.

On NativeCelebs I’ve had a number of accesses from both Omni Explorer UA and normal browser UA from that IP block. I’ll find them and collate them here. All of the bots have full normal referrers. Wherever they came in from, that’s the referrer they leave. The same IP number can have the Omni UA one day and a normal browser UA another day. And apart from the gorge fest yesterday, I find the accesses one at a time, or a few at a time, starting May 16, 2005.

In April I also had visits from this family of bots. And back then they came from a different IP block:
64.62.175.133-64.62.175.137
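
Because the same address shows up with the Omni UA one day and a browser UA another, a block keyed only on the user agent will not match all of its requests. The following is an added example, not code from the original post: it totals bytes per IP from a combined-format access log and lists addresses that presented both the bot UA and some other UA. The log lines are constructed (only the IPs and the bot UA come from the post), and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format. The IPs and the bot UA are
# from the post; paths, sizes, referrers and the browser UA are made up.
BOT = "OmniExplorer_Bot/1.07 (+http://www.omni-explorer.com) Internet Categorizer"
MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_LOG = "\n".join([
    f'64.71.131.121 - - [22/May/2005:09:17:08 -0400] "GET /p/1 HTTP/1.1" 200 90000 "-" "{BOT}"',
    f'64.71.131.121 - - [22/May/2005:09:17:09 -0400] "GET /p/2 HTTP/1.1" 200 85000 "-" "{BOT}"',
    f'64.71.131.107 - - [16/May/2005:11:02:40 -0400] "GET /spampop HTTP/1.1" 200 4000 "http://links.example/" "{MSIE}"',
    f'64.71.131.107 - - [18/May/2005:03:15:00 -0400] "GET /p/3 HTTP/1.1" 200 7000 "http://links.example/" "{BOT}"',
    f'192.0.2.10 - - [18/May/2005:08:00:00 -0400] "GET / HTTP/1.1" 304 - "-" "{MSIE}"',
])

# ip, ident, user, [time], "request", status, bytes, "referrer", "user agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} (\d+|-) "[^"]*" "([^"]*)"$')

def summarize(log_text):
    """Per IP: total bytes served and the set of user agents presented."""
    stats = defaultdict(lambda: {"bytes": 0, "agents": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, size, agent = m.groups()
        stats[ip]["bytes"] += 0 if size == "-" else int(size)
        stats[ip]["agents"].add(agent)
    return dict(stats)

def heavy(stats, limit):
    """IPs that pulled more than `limit` bytes in the log."""
    return sorted(ip for ip, s in stats.items() if s["bytes"] > limit)

def mixed_identity(stats, marker="OmniExplorer_Bot"):
    """IPs that sent both the declared bot UA and some other UA."""
    return sorted(ip for ip, s in stats.items()
                  if any(marker in a for a in s["agents"])
                  and any(marker not in a for a in s["agents"]))

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print("heavy:", heavy(stats, 100_000))
    print("bot UA and browser UA from one IP:", mixed_identity(stats))
```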

Earlier post about this bot

New spammer - p2l.info

Monday, May 23rd, 2005

Here’s the info on Evgheni Tariuc, or maybe it’s Tariuc Evgheni.

Anyway, I have two wikis, and he managed to hit both at approximately the same time.

And he keeps going. I think I need to install a block content plugin. Will look into that in the next few days. I believe there is one for MediaWiki.

Krin - new spammer

Sunday, May 22nd, 2005

I’ve got a writeup about a (for me) new spammer:

Krin

Conning Google Adsense

Sunday, May 22nd, 2005

Update

Eh, this is so stupid…

Google has a program called Domainpark. So their Adsense policies tell us straightforward that Adsense on domain parking pages is not allowed, yet they have a program for just that? And no word of that on the policies page?

Guess Adsense is in violation of their own rules then, and just made a fool of me for actually believing what I read.

Not happy…

———–

Look at the post below this one. About Google and Prstorm.

The site I found was populinx.com, but the violator is the Sedo domain parking program.

Let’s look at how Sedo violated the Adsense policies:

No Google ad or Google search box may be displayed on any domain parking websites, pop-ups, pop-unders, or in any email.

Any AdSense ad code or search box code must be pasted directly into Web pages without modification. AdSense participants are not allowed to alter any portion of the ad code or change the layout, behaviour, or delivery of ads for any reason.

I also think the Adwords policies need to be updated, to specifically outlaw any form of spam software, not just e-mail spam. You could infer that it’s outlawed now, but you know the spammers. They’ll always try!

BTW, M0nkey told me by e-mail months ago that they didn’t need traffic from Google. That all he had to do in order to sell enough was to drop a note at his favorite adult webmaster forum. I guess something’s changed. My guess is, they’ve taken on a partner.

Reffy and Google?

Sunday, May 22nd, 2005

Update

Bottom line:
Prstorm aka Reffy is buying ads from Google via Adwords. Since this is spam software, I don’t think they should be allowed to. E-mail spam software is expressly forbidden in the Adwords policies, and I think that policy should either be amended to include any spam software, or the existing rules should be interpreted that way.

Dump prstorm from Google Adwords!

————

I was looking for prstorm in Google, and found populinx.com. It’s got links to link popularity sites.

What isn’t immediately clear, is that these are affiliate links. The real links are hidden in javascript.

So, here we go, tracing the path the clicks will take:

The link on the page is to:
/search/redirect.php?sid=5733eb3c3f25c04e2657&id=5165191&t=017320&forward=http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Ficlk%3Fsa%3Dl%26ai%3DBYmVzMn-QQtGoNbLOSYvmsbgFgJKACtDdhaoBwI23AfDIIRAIGAgg3fz3ASgKQMAVSIw5qgEGaXNwX3VzsgEEbnVsbMgBAdoBGGh0dHA6Ly9udWxsLy0yODQzNDMyNjQ3ZOgBAQ%26num%3D8%26adurl%3Dhttp%3A%2F%2Fwww.prstorm.com%2Faffiliates%2Fidevaffiliate.php%253Fid%253D119%26client%3Dca-sedo_xml&pos=8&r=0.03&surl=http%3A%2F%2Fwww.PRstorm.com
Which gives a 302 redirect to:
http://pagead2.googlesyndication.com/pagead/iclk?sa=l&ai=BYmVzMn-QQtGoNbLOSYvmsbgFgJKACtDdhaoBwI23AfDIIRAIGAgg3fz3ASgKQMAVSIw5qgEGaXNwX3VzsgEEbnVsbMgBAdoBGGh0dHA6Ly9udWxsLy0yODQzNDMyNjQ3ZOgBAQ&num=8&adurl=http://www.prstorm.com/affiliates/idevaffiliate.php%3Fid%3D119&client=ca-sedo_xml
Again a 302 redirect to:
http://pagead2.googlesyndication.com/pagead/adclick?sa=L&ai=BYmVzMn-QQtGoNbLOSYvmsbgFgJKACtDdhaoBwI23AfDIIRAIGAgg3fz3ASgKQMAVSIw5qgEGaXNwX3VzsgEEbnVsbMgBAdoBGGh0dHA6Ly9udWxsLy0yODQzNDMyNjQ3ZOgBAQ&num=8&adurl=http://www.prstorm.com/affiliates/idevaffiliate.php%3Fid%3D119&client=ca-sedo_xml
Which leads to a 302 redirect to
http://www.prstorm.com/affiliates/idevaffiliate.php?id=119
Which again does a 302 redirect to the index page of
prstorm.com
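
Every hop in that chain is already present in the first link, percent-encoded inside a query parameter of the hop before it, so the path can be read without sending a single request. The following is an added example, not code from the original post: it unwraps the nested URLs from the link quoted above; the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# The link quoted in the post (relative to populinx.com), split only for width.
LINK = (
    "/search/redirect.php?sid=5733eb3c3f25c04e2657&id=5165191&t=017320"
    "&forward=http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Ficlk"
    "%3Fsa%3Dl%26ai%3DBYmVzMn-QQtGoNbLOSYvmsbgFgJKACtDdhaoBwI23AfDIIRAIGAgg"
    "3fz3ASgKQMAVSIw5qgEGaXNwX3VzsgEEbnVsbMgBAdoBGGh0dHA6Ly9udWxsLy0yODQz"
    "NDMyNjQ3ZOgBAQ%26num%3D8%26adurl%3Dhttp%3A%2F%2Fwww.prstorm.com"
    "%2Faffiliates%2Fidevaffiliate.php%253Fid%253D119%26client%3Dca-sedo_xml"
    "&pos=8&r=0.03&surl=http%3A%2F%2Fwww.PRstorm.com"
)

def unwrap(url, depth=0, via=None, max_depth=6):
    """Return [(depth, parameter, url)] for url and every URL nested in its query."""
    hops = [(depth, via, url)]
    if depth >= max_depth:  # guard against deliberately deep nesting
        return hops
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:  # parse_qs has already removed one encoding layer
            if value.lower().startswith(("http://", "https://")):
                hops += unwrap(value, depth + 1, name, max_depth)
    return hops

def destinations(url):
    """Hosts named anywhere in the nested parameters, lowercased, in order."""
    hosts = []
    for _, _, hop in unwrap(url):
        host = urlsplit(hop).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def param(url, name):
    """First value of one query parameter, or None if it is absent."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]

if __name__ == "__main__":
    for depth, via, hop in unwrap(LINK):
        print("  " * depth + f"{via or 'link'}: {hop[:70]}")
    print(destinations(LINK))
```

The `adurl` value is encoded twice in the original link (`%253F`), which is why it only becomes readable at the second level.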

So my question is, why is there no communication between the different departments of Google? Because the search engine will waste absolutely no time banning all domains where Reffy or permutations of Reffy are advertised. It’s spam software, and Google dislikes spam immensely. But they allow spam software vendors to buy Adwords?

And why is there no Adsense publisher ID in those links?

GoogleGuy, where are you when we need you?