Archive for June, 2005

Blocking Krin aka Romzes

Saturday, June 25th, 2005

Krin aka Romzes has been all over annelisabeth.com comments lately. To the point where I got fed up.

Here’s their user agent. Malconfigured, so pretty easy to block:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

I’m not kidding, that’s how it appears in the log. That User-Agent: is in front of a normal user agent. So block for User-Agent, and that should work, unless that breaks something else?

I also found their spambot a little later today:
205.177.122.162

This is a leased machine that only does GET requests, interestingly enough, AFTER a comment has been posted. It also carries the same user agent.
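An added example, not part of the original post: a log filter that flags requests whose User-Agent value itself begins with "User-Agent:", and leaves the identical string without that prefix alone. It assumes the server writes Apache combined log format; the sample lines, IP addresses (documentation ranges) and paths are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format (assumed):
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The header name repeated inside the header value is the tell.
DOUBLED = re.compile(r'^\s*User-Agent:', re.IGNORECASE)

# Constructed sample log lines; paths are hypothetical.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jun/2005:10:01:02 +0000] "POST /comments/post HTTP/1.0" 302 0 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [25/Jun/2005:10:01:09 +0000] "GET /archives/42 HTTP/1.0" 200 5120 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [25/Jun/2005:10:02:30 +0000] "GET /archives/42 HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [25/Jun/2005:10:03:00 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20050511 Firefox/1.0.4"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None


def has_doubled_prefix(ua):
    """True when the logged user agent starts with a literal 'User-Agent:'."""
    return bool(DOUBLED.match(ua))


def flag_requests(log_text):
    """Map each client IP to the (method, path) pairs it sent with the doubled prefix."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and has_doubled_prefix(rec["ua"]):
            hits[rec["ip"]].append((rec["method"], rec["path"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in flag_requests(SAMPLE_LOG).items():
        print(ip, reqs)
```

Because the match is anchored at the start of the value, a genuine MSIE 6 visitor sending the same string without the extra prefix is not flagged.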

Musician and spammer

Friday, June 24th, 2005

Here’s a guy who does a lot of linkspam, and releases an album under the same name.

As if it wouldn’t come back to haunt him some day?

Pete Bragansa

Or, Pete Brag, as he’s known as a musician.

How do I know they’re one and the same? Same e-mail address as on the whois info…

Valuable content

Friday, June 24th, 2005

I found KC Tipton’s blog in my referrers (yes, THAT dmoz editor), and he had a link to a really good blog post about the SERPs and good content.

Or rather, why you should ignore the SERPs and build good content.

Long term goals.

The EXACT OPPOSITE of what spammers do, in other words…

The wiki spammer’s wiki

Thursday, June 23rd, 2005

Yesterday I wrote about Oleg Popov, who spammed my wiki.

Today I did some more digging, and found a wikispam he’d done while logged in as a user (Xx, a user name he often uses). Turns out he’s spamming by hand. While checking the user page, I noticed there was a user named OlegPopov. Heh, he’s been very busy.

He’d written a nice bio, and included a link to his wiki…

His wiki is a good idea and well executed. He’s even attracted very capable users.

The problem is the concept of a wiki spammer owning a directory of wikis…

http://wiki4all.com/

I’m sure you guys can see the possible ramifications of that?

Oleg Popov wiki spammer

Wednesday, June 22nd, 2005

Got some wiki spam here on spamhuntress today. Managed to get the writeup done right away:

Oleg Popov

I did see a Google cache of a page from Evgheni Tariuc (another wiki spammer) where one of Oleg’s domains was present, but that was either an error in Google’s database, or the content had been switched.

A spammer comes of age

Wednesday, June 22nd, 2005

Remember the referrer spammer who spamvertized affiliate IDs directly, from (we assumed) at home in Canada?

Well, looks like he’s come of age:

Inicient

There’s a connection to a local Canadian internet company with an airy sales pitch on their website, and a webserver full of porn on other domains. Either they offer hosting and registered the domain for the spammer, or they themselves are the spammer. I can’t wait to find out.

Romzes

Wednesday, June 22nd, 2005

I’ve written up a spammer that’s been around for a while:

Romzes

I haven’t included everything yet. There’s more, if I have the time. If you know more about this guy, please contribute.

There’s a connection to Krin. If you know what that connection is, please let me know.

Blocklist for not having abuse mailbox

Tuesday, June 21st, 2005

I caught a post on Spam Kings about Microsoft retiring the abuse e-mail address.

In reporting that story, Brian told us about a blocklist dealing with RFC-ignorant networks. This could be potentially very useful for us, as we quite often come across non-working abuse addresses.

Microsoft retired abuse address

Webtouch.info

Tuesday, June 21st, 2005

I tracked a spammer I hadn’t noticed before today. The identifying pattern is that the domains have name servers from webtouch.info.

Webtouch

lew2020

Tuesday, June 21st, 2005

Found a comment spam on annelisabeth today. Not sure this spammer deserves his own wiki page, so here goes:

Spamming IP is from Portugal. The search that brought him to my blog is from the Bulgarian version of Google. I don’t have a clue how he landed on my blog from that search, which looked like:
безплатни книги
Looks like this spammer builds lists for each spam run.

User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MSIECrawler)

Known domains:
lendingtree-online.com
ameriquest-online.com
dealsgalore.com

Webhost IP: 209.216.205.25
That server has several hundred sites on it, most of them unrelated.

Payoffs:
anrdoezrs.net, jdoqocy.com ID: 1488858
partypoker ID: 2530888
Adsense: pub-1003407529366060

Whois info:

dealsgalore.com

Domain Name: DEALSGALORE.COM
Registrar: GO DADDY SOFTWARE, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.HOSTDNS4U.COM
Name Server: NS2.HOSTDNS4U.COM
Status: ACTIVE
Updated Date: 12-jun-2005
Creation Date: 20-nov-2000
Expiration Date: 20-nov-2006

Administrative Contact:
Stevens, Lewis lew2020@yahoo.com
dealsgalore.com
5744 Chino Ave.
Chino, California 91710
United States
9095995555 Fax —

lendingtree-online.com

Creation Date…….. 2005-04-14
Registration Date…. 2005-04-14
Expiry Date………. 2006-04-14
Organisation Name…. Lewis J Stevens
Organisation Address. Anakash
Organisation Address. Samiar
Organisation Address. Bombay
Organisation Address. 91710
Organisation Address. Marashshi
Organisation Address. INDIA

Admin Name……….. Anakash Samiar
Admin Address…….. Kankutor 3453 Route 42
Admin Address……..
Admin Address…….. Bombay
Admin Address…….. 91710
Admin Address…….. CA
Admin Address…….. INDIA
Admin Email………. lew2020@yahoo.com
Admin Phone………. +1.5514444
Admin Fax…………

The e-mail address was registered in 1999, and was at one time activated for Yahoo IM.

Found only one previous reference to this spammer