Archive for June, 2005

Finding webhost provider

Wednesday, June 15th, 2005

I’ve seen on many forums and blogs that upstream web providers are blamed for what their downstream providers do.

Case in point: Atrivo leases space to ESThost.

I’m not saying Atrivo is innocent. I have sent abuse complaints to both them and ESThost. I’ve only seen them spring to action once (ESThost).

But I’ll share with you some ways you can figure out exactly who is behind the IP addresses.

Tools: Whois on the domain name.

Method 1: If it’s a regular domain name, check the name servers in the whois data. They are often named after the hosting provider (ns1.hostingcompany.com), which tells you who the provider is.

Minus: Increasingly, however, the spammer uses vanity name servers (ns1.spammersowndomain.com), which can sit on basically any server anywhere.

Tools: Ping the domain name. That gives you the IP address it’s hosted on.

Method 2: Use nslookup on the IP address to get its reverse DNS (PTR) name. That name is often in the hoster’s domain.

Minus: Often doesn’t work. Many IPs have no reverse DNS.

Method 3: Use dig on the IP address (dig -x). It gives you the server name and/or the name servers authoritative for the reverse zone, which belong to whoever the address block was delegated to.

Minus: Isn’t always reliable. It may give you the name server of the upstream provider, and the server name may be in the upstream provider’s domain while the machine is actually under the control of the downstream.

Method 4: Run a service scan on the IP address, as offered on Domain Whitepages. The SMTP banner may give you the name of the webhost.

Method 5: Use the SMTP verify tool in Sam Spade. Very useful for instance with dynamic-IP provider domain names. Use an address of this format: root@subdomain.maindomain.com. The mail server’s greeting and responses tell you which machine actually handles mail for that host.

Minus: I have only tested a small subset of addresses. Don’t know if it’ll work at all times. But so far (with ESThost), this seems to be the most reliable method.
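The chain above (forward lookup, reverse lookup, whois on the IP, SMTP banner) can be run from one script. The following is an added example, not a tool from the original post; it uses only the Python standard library. The network functions talk to the real IANA and RIR whois servers, but the parser is kept separate so it can be checked against the constructed sample records embedded below (those records are made up, not real whois output):

```python
"""Trace an IP address or domain back to its hoster (added example).
Forward/reverse DNS via socket, whois via TCP/43 (RFC 3912), SMTP banner via
TCP/25. parse_whois() is a pure function, tested on constructed records."""
import re
import socket

WHOIS_IANA = "whois.iana.org"   # real service; its "refer:" line names the RIR for an IP


def whois_query(server, query, timeout=10):
    """Raw whois: send the query line, read until the server closes the socket."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text):
    """Pull out the fields that usually name the hoster.
    Handles ARIN style (OrgName:, NetName:), RIPE style (netname:, descr:)
    and domain records (Name Server:)."""
    fields = {"nameservers": [], "org": [], "netname": []}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z -]+?)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("name server", "nserver"):
            fields["nameservers"].append(value.split()[0].lower().rstrip("."))
        elif key in ("orgname", "org-name", "descr", "organisation", "organization"):
            fields["org"].append(value)
        elif key == "netname":
            fields["netname"].append(value)
    return fields


def reverse_name(ip):
    """Method 2: the PTR record, or None when the IP has no reverse DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def smtp_banner(ip, timeout=5):
    """Method 4: the 220 greeting on port 25 often names the hosting company."""
    try:
        with socket.create_connection((ip, 25), timeout=timeout) as s:
            return s.recv(512).decode("ascii", "replace").strip()
    except OSError:
        return None


def registrable_domain(hostname):
    """Crude: the last two labels. Enough to see whose domain a PTR or NS name is in."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def who_hosts(target):
    """Run the whole chain on a domain or IP and return the evidence gathered."""
    is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target)
    ip = target if is_ip else socket.gethostbyname(target)
    evidence = {"ip": ip, "ptr": reverse_name(ip), "banner": smtp_banner(ip)}
    referral = re.search(r"^refer:\s*(\S+)", whois_query(WHOIS_IANA, ip), re.M)
    rir = referral.group(1) if referral else "whois.arin.net"
    evidence.update(parse_whois(whois_query(rir, ip)))
    return evidence


# Constructed sample records (not real whois output) for offline checks.
SAMPLE_DOMAIN_WHOIS = """\
Domain Name: EXAMPLE-SPAMSITE.COM
Registrar: SOME REGISTRAR, INC.
Name Server: NS1.HOSTING-CO.NET
Name Server: NS2.HOSTING-CO.NET
"""
SAMPLE_IP_WHOIS = """\
OrgName:    Hosting Co LLC
NetRange:   192.0.2.0 - 192.0.2.255
NetName:    HOSTING-CO-BLK-1
"""

if __name__ == "__main__":
    print(parse_whois(SAMPLE_DOMAIN_WHOIS)["nameservers"])
    # Live lookup, e.g.: print(who_hosts("example.com"))
```

When the PTR name, the name servers and the whois OrgName all point to different organizations, that is exactly the upstream/downstream situation described above; the whois block owner is the upstream, and the reverse-zone name servers or the SMTP banner are the better clue to who actually runs the box.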

Full confession

Tuesday, June 14th, 2005

I just saw one of the most damning javascripts I’ve ever seen! Not necessarily a smart javascript, but …definitely damning.

I was researching some referrer spam I got a few days ago. Referrers from these domains:
ad-services.info (69.31.91.162)
liveplaynow.com (69.31.91.162)
todayonlinecasino.com (209.66.123.233)

I was following a trail from the first one. Figured I’d get more interesting affiliates by checking the gambling section.

But that’s not what I found…

I found a javascript that would show a regular scraper site with affiliate links if you accessed the page with no referrer, or with a referrer that didn’t trip the payload of the script.

The payload was tripped if you had a referrer containing one of these words:
board
wwwboard
forum
guest
book
archive
ugb
comment

The payload goes through several redirects, and ends up at a porn section of a video chat network.
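A cloak like this is easy to test for from the outside: fetch the page once with no Referer and once with a Referer that looks like a guestbook or forum, and compare where you end up. The script below is an added example written for that purpose, not the spammer’s script from the post. It uses the trigger words listed above; the probe URL, the fake referrer and the user agent are assumptions.

```python
"""Probe a page for referrer cloaking (added example, standard library only).
Fetch with and without a forum-looking Referer; a redirect or different body
on the referrer visit means the site serves spam victims a different payload."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Trigger words reported in the post.
TRIGGER_WORDS = ["board", "wwwboard", "forum", "guest", "book", "archive", "ugb", "comment"]


def trips_cloak(referrer, words=TRIGGER_WORDS):
    """The cloak's own test: case-insensitive substring match on the referrer.
    Note 'book' also matches a bookmarks page, so the net is wider than intended."""
    ref = (referrer or "").lower()
    return any(w in ref for w in words)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 3xx so every hop can be recorded."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def follow_chain(url, referer=None, max_hops=10, timeout=10):
    """Follow HTTP redirects by hand. Returns (urls_visited, final_status, body).
    Only Location-header redirects are followed; a JavaScript or meta-refresh
    redirect would need the body inspected as well."""
    opener = urllib.request.build_opener(NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], headers={"User-Agent": "Mozilla/5.0"})
        if referer:
            req.add_header("Referer", referer)
        try:
            with opener.open(req, timeout=timeout) as resp:
                return chain, resp.status, resp.read()
        except urllib.error.HTTPError as e:
            location = e.headers.get("Location")
            if e.code in (301, 302, 303, 307, 308) and location:
                chain.append(urljoin(chain[-1], location))
                continue
            return chain, e.code, e.read()
    return chain, None, b""


def classify(plain_chain, plain_body, ref_chain, ref_body):
    """Pure comparison of the two visits, so it can be checked offline."""
    if ref_chain[-1] != plain_chain[-1]:
        return "cloaked: referrer visit redirected to %s" % ref_chain[-1]
    if ref_body != plain_body:
        return "cloaked: same URL, different content for referrer visit"
    return "no referrer-based difference observed"


def cloak_report(url, fake_referer="http://example.org/guestbook/wwwboard.cgi"):
    """Live probe: assumed fake referrer contains 'guest', 'book' and 'wwwboard'."""
    plain_chain, _, plain_body = follow_chain(url)
    ref_chain, _, ref_body = follow_chain(url, referer=fake_referer)
    return classify(plain_chain, plain_body, ref_chain, ref_body)


if __name__ == "__main__":
    print(trips_cloak("http://example.org/guestbook/wwwboard.cgi"))
    # Live probe, e.g.: print(cloak_report("http://suspect.example/"))
```

Running both fetches from the same IP within a few seconds keeps other variables constant; if the site also keys on the user agent or the visitor’s IP, vary those one at a time in the same way.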

The owner of that site may just as well go right out and say it: I’m a spammer!

The redirect goes through
j-rx.com (69.31.93.126)

I found another spammer on that webserver: Almenix.

Whois for j-rx.com:

VI-TI-KA
Vadim (jrx@fromru.com)
Rentgena 6/89
St.-Petersburg
null,191187
RU
Tel. +812.5689472

Back to the spamvertizing:

IP: constantly revolving proxies
UA: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Pages hit: The referrer spam category, and Refer script: spam magnet.

In fact, I wonder if this was the Google search the spammer came in on:
script refer spam
IP: 217.76.184.47 ( 217-76-184-47.olympus.ru )

China clearing up

Monday, June 13th, 2005

Steve Linford from Spamhaus reported on NANAE that the former bullet-proof spam hosting companies in China have had enough and are working with them on clearing out the spam.

I guess now would be a good time to complain about link spammers in China?

Someone suggested that the move by Chinese authorities to order all websites and blogs to register may have something to do with spammers moving out of China.

Analysis of Omni-Explorer

Sunday, June 12th, 2005

Have a look:

Omni-Explorer

Zahariev respamming

Sunday, June 12th, 2005

Dirk is perhaps the most prolific at updating the new Zahariev domains page I set up. The old one was getting too big, and I wanted help in updating.

Today he put two new ones up there that I started suspecting I’d seen before:
newclassicalguitar.com
gardenaccentsllc.com

So I checked the old page of domains, and found them at April 12 and 18.

Looks like they’re respamming. Of course, it’s unlikely to help (in Google, can’t speak for MSN or Yahoo), because those domains look like they’ve been banned for a long time.

When do spammers get a grip?

Mail spammers vs link spammers

Saturday, June 11th, 2005

You can always tell what background a spammer (excuse me, SEO) is from.

A mail spammer will have ad copy with links interspersed between paragraphs. Easy to read, easy to click. They’re after human eyeballs and clicks.

A link spammer will use subdomains or file names that are keyword stuffed. And anchor text with the same keyword stuffing. Lots of links to various pages on the same domains. The “ads” aren’t pretty, and aren’t meant for human eyeballs. It’s all about getting their sites to rank for their chosen keywords in Google.

Lately I’ve seen blog posts with several hundred mail-spam-style comments, with non-working hyperlinks.

Heh…

Dreambook gets it right

Saturday, June 11th, 2005

Guestbook spam info

I have a few old guestbooks on Dreambook.

Now and then I’ve received notification that spam comments have been posted. But before I manage to come by and clean them, they’ve been removed.

I can only guess that the Dreambook admins are on top of the spam problem and have a centralized system for removing spam. Blocking and removing, most likely.

The Zaharievs came by a few months ago, but haven’t returned. Probably figured out quickly that it’s a spam unfriendly environment!

Formmail and guestbook IP

Saturday, June 11th, 2005

Guestbook spam info

I’ve been getting a lot of e-mails from my formmail script on nativecelebs lately. They look like probes to me. And they’re all from this IP:

62.213.73.92
ALLMP3Z.ru

So I thought I’d do a search for it, and found a guestbook spam:
rx-shop.info/vicodin-online
80.77.80.175
which is on ipipe/hqhost (remember them?)

I’ve also found numerous entries (with the DNS name) in a guestbook log, and a few forum profiles with the link.

The formmail attempts were all coming through my form page, so they might be manual attempts.

HTTP_ACCEPT=*/*
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Some of the other spammers have other weird headers, like this one:
204.186.159.229 - bess-proxy.csiu.org
HTTP_VIA=1.0 MAILSVRBACKUP

And they often just scan for scripts instead of going for the real (oddly named, non-standard) script.

Anyway, I’ve got a honeypot script that catches quite a lot of fish. If you’re interested in one of your own, let me know. This one is incapable of sending mail, so the joke is on the spammers! I’ve got a trap on the real formmail script as well, just in case I catch something interesting.
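A honeypot of this kind does not need much: answer the usual formmail paths with a plausible “thank you” page, log what the probe sent, and have no way of sending mail at all. The following is an added example, not the author’s script; the log path is assumed, and the request in the usage note is constructed from the headers quoted above.

```python
"""Formmail honeypot (added example). A WSGI app that records the probe
(remote address, User-Agent, Accept, Via, form fields) and returns a fake
success page. There is no code path here that constructs or sends mail."""
import json
import time
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

LOGFILE = "formmail-honeypot.log"   # assumed path
# Headers worth keeping. HTTP_VIA and HTTP_X_FORWARDED_FOR expose proxies such
# as the 'MAILSVRBACKUP' one quoted in the post.
KEEP = ("REMOTE_ADDR", "REQUEST_METHOD", "PATH_INFO", "QUERY_STRING",
        "HTTP_HOST", "HTTP_USER_AGENT", "HTTP_ACCEPT", "HTTP_REFERER",
        "HTTP_VIA", "HTTP_X_FORWARDED_FOR")


def record(environ, body):
    """Build the log entry from selected headers plus the decoded form fields.
    Pure function of its inputs, so it can be checked without a server."""
    entry = {k: environ[k] for k in KEEP if k in environ}
    entry["time"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    entry["fields"] = {k: v[0] if len(v) == 1 else v for k, v in fields.items()}
    # Classic FormMail probes try to choose the destination address themselves;
    # the address they ask for is the most useful thing to keep.
    entry["wanted_recipient"] = (entry["fields"].get("recipient")
                                 or entry["fields"].get("email"))
    return entry


def honeypot(environ, start_response):
    """WSGI application: log the probe, answer with a fake success page."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length) if length else b""
    entry = record(environ, body)
    with open(LOGFILE, "a") as f:
        f.write(json.dumps(entry) + "\n")
    page = (b"<html><body><h1>Thank you!</h1>"
            b"<p>Your message has been sent.</p></body></html>")
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(page)))])
    return [page]


if __name__ == "__main__":
    # Map /cgi-bin/formmail.pl, /cgi-bin/FormMail.cgi and friends to this app
    # in the web server; the real form script lives under a different name.
    with make_server("127.0.0.1", 8080, honeypot) as httpd:
        httpd.serve_forever()
```

The scanning behaviour described above (hitting the well-known script names rather than the real one) is what makes the trap work: anything that reaches the decoy paths is by definition not a visitor using the page’s form.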

The general goal

Saturday, June 11th, 2005

What we do here is come up with blocks that prevent spam from defacing our blogs, guestbooks, forums and other public areas.

The site attracts geeks, and noobs are turned off because they don’t understand what we’re talking about.

But my goal is to prevent spam in the first place. And that doesn’t mean keeping mine and my friends’ blogs spam free. It means getting spammers to stop spamming. It means preventing them from getting the spam to stick. It means preventing the spam from working.

And in order to do that, we need solutions that work even for the noobs. Because noobs have guestbooks (do they ever!), blogs and forums as well.

I have another site, where the visitors come mainly in two flavors: Housewives and actors. There are men too, but many of them are in the biz in some way. And both groups are usually pretty clueless. There’s the occasional geek, but the browser statistics should give you a general idea of the non-geekiness of the visitors: about 85 % use IE, 6.5 % use Firefox. I’ve learned the hard way that anything remotely technical is very difficult. Even getting them to update a wiki page when they’re very motivated (as in helping their career) is beyond most, it seems.

Keep that in mind. Most of the users on the internet are hopelessly lost. They can’t keep their computer working, much less keep spam out of their public areas. Most have no way of putting up a webpage, it’s so beyond them. But even for those who managed to put up some public presence, it’s often beyond them to figure out how to keep it clean.

So solutions must eventually come that make linkspam financially untenable. Or server-side solutions that manage to differentiate totally between people and bots.

So when you hear me say: “That’s not a solution”

you know where I’m coming from?

And whenever a spammer says he will take me off his list, I get annoyed. Because that means he doesn’t want to annoy me, but he has no intention of stopping the spam.

I think three spammers have said they’d stop spamming so far, after having been busted by me and others. One of the spammers reorganized his operation and got others to spam for him instead (the Norwegian). Let’s just say I’m pretty disgusted about that. I’m happy about every spammer that stops, but I’m not happy about the statistics. It’s still way too attractive to spam. And we need to turn the tides, somehow.

Bounce to spammer

Friday, June 10th, 2005

Kelly McNeill got spammed by the Zahariev’s.

He’s running post-Nuke, which isn’t too easily cleaned at the moment. Understandably, he got irritated, so he sent (a very polite) e-mail to the support address at Moniker, their registrar.

And was very confused when he received a reply from Doris Young at tqiopi@yahoo.com. Magnetic Ink once sent an e-mail to the whois contact of one of the domains and got a reply from the same Doris Young, at the same Israeli IP address. She offered to have him removed from their list.

What confused Kelly, was that the quoted text was from the e-mail sent to the registrar. Although he’d sent one e-mail to the spammer, it was different. We did some investigation, and the message ID of the message she replied to was from an e-mail sent to Moniker.

So what happened? You’ll excuse Kelly for believing the worst just about then. I tend to look for less dramatic possible explanations, and found a possible one:

When you bounce forward a message to a new recipient, the original message ID is preserved (at least my results show that), and the message that’s sent hardly shows any signs of having been received by someone else first. That option isn’t present in all mail programs (I haven’t seen it in Outlook Express), so we probably don’t see much of it these days. But it’s still in use in some programs, and probably by some early adopters (it was an easily accessible feature of Eudora 9 years ago).

So, barring any more …spectacular explanations, Moniker just bounce forwarded the abuse complaint to the spammer instead of even acknowledging having received the mail.
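The mechanism is worth seeing in code, because it is also the check that settles the question: a redirect (“bounce”, in Eudora’s terms; Resent-* fields per RFC 5322 section 3.6.6) passes the message on with its original Message-ID, while an ordinary forward creates a new message with a new ID. Whoever replies will thread their reply to whichever ID they received, so matching the reply’s In-Reply-To against the IDs of the mails you sent tells you which of them ended up in their hands. The following is an added example, not anything from the post; the addresses and subject are made up.

```python
"""Redirect vs forward, and which of your mails a reply answers (added example,
standard library email package only; all addresses are made up)."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import make_msgid, formatdate


def redirect(original, to, resender):
    """A redirect ('bounce'): the message is passed on as received, with
    Resent-* fields added. Message-ID is untouched, so the recipient sees
    the original sender's ID, not the resender's."""
    msg = message_from_bytes(original.as_bytes(), policy=policy.default)
    msg["Resent-From"] = resender
    msg["Resent-To"] = to
    msg["Resent-Date"] = formatdate()
    msg["Resent-Message-ID"] = make_msgid(domain="resender.example")
    return msg


def forward(original, to, sender):
    """An ordinary forward: a new message with its own Message-ID, the old
    text quoted inside. A reply to this threads back to the forwarder."""
    fwd = EmailMessage()
    fwd["From"] = sender
    fwd["To"] = to
    fwd["Subject"] = "Fwd: " + str(original["Subject"])
    fwd["Date"] = formatdate()
    fwd["Message-ID"] = make_msgid(domain="forwarder.example")
    fwd.set_content("Forwarded message:\n\n" + original.get_content())
    return fwd


def answered_message(reply, sent):
    """sent maps Message-ID -> description of a mail you sent. Returns the
    description of the one the reply is threaded to (In-Reply-To first,
    then References), or None if it matches nothing you sent."""
    candidates = []
    if reply["In-Reply-To"]:
        candidates.append(str(reply["In-Reply-To"]).strip())
    if reply["References"]:
        candidates.extend(str(reply["References"]).split())
    for mid in candidates:
        if mid in sent:
            return sent[mid]
    return None


def demo():
    """Constructed scenario: complaint to a registrar, registrar redirects it
    to its customer, customer replies to the complainant."""
    complaint = EmailMessage()
    complaint["From"] = "complainant@example.net"
    complaint["To"] = "support@registrar.example"
    complaint["Subject"] = "Abuse complaint"
    complaint["Date"] = formatdate()
    complaint["Message-ID"] = make_msgid(domain="example.net")
    complaint.set_content("Your customer's domains are being used for comment spam.")

    bounced = redirect(complaint, to="customer@example.org",
                       resender="support@registrar.example")
    forwarded = forward(complaint, to="customer@example.org",
                        sender="support@registrar.example")

    # The customer's mail client threads the reply to the ID it received.
    reply = EmailMessage()
    reply["From"] = "customer@example.org"
    reply["To"] = str(complaint["From"])
    reply["Subject"] = "Re: " + str(complaint["Subject"])
    reply["In-Reply-To"] = str(bounced["Message-ID"])
    reply.set_content("We will remove you from our list.")

    sent = {str(complaint["Message-ID"]): "abuse complaint to the registrar"}
    return {
        "redirect_keeps_id": str(bounced["Message-ID"]) == str(complaint["Message-ID"]),
        "forward_keeps_id": str(forwarded["Message-ID"]) == str(complaint["Message-ID"]),
        "resent_trail": str(bounced["Resent-From"]),
        "reply_answers": answered_message(reply, sent),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The Resent-From field is the other tell: a client that redirects properly leaves it in the headers, so if the spammer had quoted full headers instead of just the body, the registrar’s address would have been visible in the trail. That it was not in the quoted text is consistent with the reply quoting only the body, which is how most clients behave.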

You see, Kelly, smelling a rat, called Moniker and demanded an explanation. And was told they’d never received that e-mail.

Hmmm, something to think about next time you write abuse…