Real live zombie
Sunday, May 22nd, 2005
| Spamhuntress |
| writes on spam and admin issues |
Have a look at a rescue of a real live zombie:
No, not the conductor.
This is a 20 year old kid from Ukraine.
He’s spamming among others:
hostforblog.com
Note the condition: Accounts can only be cancelled by e-mail or fax.
He’s spamming from the webhost where he has that domain and others that he’s also spamming. Including a porn site and a site selling printer stuff. He has an older site offering cheap hosting. Well, that’s what he says. I say it’s hideously expensive!
OK, what little I’ve got on this spammer:
He spams refer scripts.
He uses his webhost to spam from (one machine). IP:
67.18.251.186
whois info, several versions:
Skripka, Sergey adulter@temptinggirls.com
Chaykovskiy str., 68., 43 apt.
Odessa, Odessa region 65084
Ukraine
380509101568
Skripka, Sergey adulter@temptinggirls.com
Fontanskaya doroga str.,
12-a bld., 43 apt.
Odessa, Odessa region 65009
UA
482 639273×380
I’ve noticed that the Zaharievs (Bulgarians) really like the Alestra proxies. Blocking those would probably cut down on referrer spam from them to a degree.
Ban these, and please tell me if there are others:
148.244.150.52 (new October 2005)
148.244.150.58
148.244.150.57
207.248.240.119
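An added example, not from the original post: one way to answer "are there others" is to take the referrer hosts that the banned addresses send and list every other client IP sending the same hosts. It assumes Apache combined log format; the sample log lines, the `example` hosts and the `own_hosts` parameter are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The four addresses the post asks readers to ban.
BANNED = {"148.244.150.52", "148.244.150.58", "148.244.150.57", "207.248.240.119"}

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"'
)

def referrer_host(ref):
    """Return the lower-cased host of a Referer value, or None for '-' and non-URLs."""
    if ref in ("", "-"):
        return None
    try:
        host = urlsplit(ref).hostname
    except ValueError:  # malformed value, e.g. unbalanced IPv6 brackets
        return None
    return host.lower() if host else None

def triage(lines, banned=BANNED, own_hosts=()):
    """Map each referrer host sent by a banned IP to the other IPs sending it."""
    by_host = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        host = referrer_host(m.group("ref"))
        if host and host not in own_hosts:
            by_host[host].add(m.group("ip"))
    return {h: sorted(ips - set(banned))
            for h, ips in by_host.items() if ips & set(banned)}

# Constructed sample lines: one banned IP, one unknown IP pushing the same
# referrer host, one ordinary visitor, one free-text (non-URL) referrer.
SAMPLE = [
    '148.244.150.58 - - [10/Oct/2005:13:55:36 +0000] "GET / HTTP/1.0" 200 2326 "http://refspam.example/cheap" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Oct/2005:13:56:01 +0000] "GET / HTTP/1.0" 200 2326 "http://REFSPAM.example/" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2005:13:57:12 +0000] "GET /about HTTP/1.1" 200 512 "http://blog.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2005:13:58:40 +0000] "GET / HTTP/1.0" 200 2326 "Heh, nice to hear" "Wget/1.9"',
]

if __name__ == "__main__":
    for host, ips in triage(SAMPLE, own_hosts={"blog.example"}).items():
        print(host, "also sent by:", ", ".join(ips) or "(no one else)")
```

Addresses it reports are candidates for review, not automatic bans, since a legitimate visitor can arrive from a link on a spammed page.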
I’m roaming the net looking for spam now and then.
Lately I’ve found that PHP-nuke is extremely targeted by porn spammers.
If you’ve got an installation of PHP-nuke, please get it under control. It can get really ugly!
Hmmm, looks like the nuke people have discovered this problem.
I got a comment from Connie Perkins on annelisabeth:
It’s May 21st, and William Lu is “listening” on my computer right now, switching between IP numbers 69.50.161.126 and 69.50.171.146, both coming in on my port #1160. Does anyone know what this maggot wants???!!!! Can someone tell me how to manually close ports, and how to find out what has one opened in the first place? I keep getting spam e-mail every day now, and I have it automatically set up to go straight to the trash can, but when I go to delete the “deleted” files, they are not there, but others are. Can this William Lu person be ratted out to anyone that will make him stop getting on my computer, I mean…isn’t there something called the “Privacy Act?” I have nothing this guy wants, unless he gets a thrill watching what I read about breast cancer!!? Ughhh!
I believe it’s a trojan, as described by McAfee.
Geekstogo has a discussion on removing it.
What’s interesting is that both machines and a third are hosted on Atrivo. One is on ESThost. I’ve sent mails to both Abuse at Atrivo and a guy at ESThost. Let’s see if they terminate this one…
If there are any programmers out there who’d consider helping me figure out what’s in a chm file, please let me know. That’s a file dropped by 69.50.188.110, which is part of this scheme.
I got this as a comment in my blog at annelisabeth. The e-mail address given is a Yahoo one, and there’s no profile under that name. So it’s probably fake.
IP number :
80.248.64.59
limitation.cafe.tg
I believe this is a 419 scam. You see, I’ve heard of very similar occurrences before. A missionary got an e-mail like this. Her son saved her from falling for it.
Here’s the text of the comment, with the contact info munged:
Dearest Ann Elisabeth,
My greetings to you in the name of our Lord Jesus
Christ.I am Mrs.Josephine Quarcoopome,from South Africa.I am married to Archdeacon.James Quarcoopome, whom untill his death served as an archdeacon in the
xxxxxxx’s archdeaconry Togo,for nine years before he died in the year 2003.
We were married for eleven years without a child. He died after a brief illness that lasted for only four days. Before his death we were both born again Christian. Since his death I decided not to re-marry or get a child outside my matrimonial home which the Bible is against.
When my late husband was alive he deposited the sum of $3.1.Million under suspense account in one of the famouse banks here in Lome Togo capital, for safe keeping.
Presently,my Doctor confirmed to me that I have serious sickness which is cancer problem.
The one that disturbs me most is my stroke sickness.Haven known my condition I decided to donate this fund to a church or individual that will utilize this money the way I am going to instruct herein. I want a church that will use this fund for, orphanages,helping the widows, propagating the word of God and to endeavor that the house of God is maintained.
The Bible made us to understand that“Blessed is the hand that giveth”. I took this decision because I don’t have any child that will inherit this money and my husband relatives are not Christians and I don’t want my husband’s efforts to be used by unbelievers. I don’t want a situation where this money will be used in an ungodly way.
This is why I am taking this decision. I am not afraid of death hence I know where I am going. I know that I am going to be in the bosom of the Lord. Exodus 14 VS 14 says that“the lord will fight my case and I shall hold my peace”. I don’t need any telephone communication in this regard because of my health hence the presence of my husband’s relatives around me always. I don’t want them to know about this development. With God all things are possible. As soon as I receive your reply I will give you the contact of the bank here in Lome.
I want you and the church to always pray for me
because the lord is my shephard. My happiness is
that I lived a life of a worthy Christian. Whoever that
Wants to serve the Lord must serve him in spirit and
Truth. Please always be prayerful all through your
life.Any delay in your reply will give me room in
sourcing another church or individual for this same purpose. Please assure me that you will act accordingly as I Stated herein. Hoping to receive
your reply. Due to present condition of my health,I was
warned by my doctor to avoid receiving or making any
call.
For that you can contact pastor Daniel Koffi,on my beharf.CONTACTS:are Phone:xxxxx Church Address:xxxxxxxx Togo capital. I have also submitted the imformation of the deposite to an Lome based lawyer.As soon as I hear from you I will forward to you the lawyer’s contact.
Remain blessed in the Lord.
Yours in Christ,
Mrs.Josephine Quarcoopome,
I found a post on Careless Thought that detailed an exploit.
I got curious and loaded the link. Luckily I did it in Sam Spade, because although that link looks innocuous enough (a .txt document), there’s a redirect to auto.pl within that page…
And she’s right, it points back to the Umax search spammer.
I can’t tell for sure what it’s doing. It does activate ActiveX applets…
I see the Adsense ID:
pub-6579018274503073
But I don’t have a clue what it does.
Had a really bad spike in bandwidth, and chased down the cause. Veerry aggressive spider. Here’s what Webmasterworld has on it.
Short version: Possible bot used for building scraper directories. In other words, search engine spam.
A reader from Finland decided to see how long it would take me to see what he/she wrote:
He used Wget and left three fake referrers:
1) Heh, nice to hear someone else has this habit (of following the access logs) too.
2) http://i.am.actually.curious.to.see/what.happens.when.a.fake.referer.is.given/
3) http://i.see.nothing./doh
Heh, guess he was disappointed nothing happened right away…
Say hi to a spammer I used to find very confusing. Still do, but I’m putting up what I have. And a pattern is emerging: