Israeli broadband spammer
I got a comment spam on annelisabeth.com today and started running it down. First of all, there’s no obvious payoff. None at all. So it might be a future bait and switch.
The spam came in from (spambot):
85.250.204.98
217.132.186.33
Both are Netvision broadband IP numbers in Israel.
All pages are currently hosted on
192.117.97.56
which is an Actcom broadband IP number in Israel.
Some pages still point to
212.143.91.115
a Netvision IP address in Israel.
Those pages are not served, so I’m guessing the IP number was lost somehow.
But the really interesting part is that the root domains, every single one of them, point somewhere else. The most recent ones point to various webhost providers, but earlier domains point to IANA reserved IP space, and one even pointed to an IP number in a DoD (Department of Defense) IP block!
All spam from this spammer is preceded by the letters
mn
and then the domain name of the hour, with no space between them. So finding the spam is easy. He spams guestbooks, forums and wikis.
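Because the domain changes by the hour, a blocklist of domains goes stale, while the "mn" prefix stays constant. The filter below is an added example, not code from the original post: it flags the marker in guestbook, forum or wiki submissions. The function names, the "review" tier, the link cross-check and the .example sample comments are assumptions made for illustration.

```python
import re

# Marker described in the post: the letters "mn" glued to a domain name,
# with no space between them. The lookbehind skips hits inside a longer
# token or a URL (so a link to a real host starting with "mn" is ignored).
MARKER = re.compile(r"(?<![a-z0-9./@-])mn((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Hosts of links found in the same comment. Assumption: a marker whose
# domain is also linked in the comment is treated as confirmed spam.
LINK_HOST = re.compile(r"https?://(?:www\.)?([a-z0-9.-]+)", re.I)


def find_markers(text):
    """Return the domains that appear in text directly after an 'mn' prefix."""
    return [m.group(1).lower() for m in MARKER.finditer(text)]


def classify(text):
    """Return (verdict, domains): 'spam', 'review' or 'clean'."""
    domains = find_markers(text)
    if not domains:
        return ("clean", [])
    linked = {h.lower().rstrip(".") for h in LINK_HOST.findall(text)}
    confirmed = [d for d in domains if d in linked]
    if confirmed:
        return ("spam", confirmed)
    # Marker-shaped token with nothing to corroborate it, for example a
    # bare mention of a legitimate domain that happens to start with "mn".
    return ("review", domains)


# Constructed sample comments (not taken from the post).
SAMPLE_COMMENTS = [
    "mnspam-site.example great site http://spam-site.example/page",
    "I use mnemonic.example for flashcards",
    "See http://mnemonic.example/ for details",
    "Nice guestbook!",
]


def scan(comments):
    """Classify each comment, returning a list of (verdict, domains)."""
    return [classify(c) for c in comments]


if __name__ == "__main__":
    for comment, result in zip(SAMPLE_COMMENTS, scan(SAMPLE_COMMENTS)):
        print(result, "<-", comment)
```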
Whois info is obviously fake, but I’ll include a recent one:
tsahal
24 rashborn ave.
yorkshier, NA 441456
GB
jordan, tomner tomberd@yahoo.com
24 rashborn ave.
yorkshier, NA 441456
GB
+41556623456
Another little wrinkle concerns the name servers. Some are a bit fishy:
This is one of the name servers:
NS.BROWSE-DNS-ONLINE.COM.NS-NOT-IN-SERVICE.COM
I removed this part, because it no longer resolves. But it did earlier today. And it had the IP number: 62.219.224.168. The domain itself has been terminated by the registrar, so it’s weird that it pinged earlier on.
In fact, you can look for NS.FREE-TV-DNS.COM as well. It’s also on bezeqint.net, and is used by this spammer as a name server.
July 27th, 2005 at 8:43 am
I’ve had a ton of spam from Netvision. My complaints get ignored. I can’t figure out if it’s compromised PCs or a dedicated spammer. Either way, Netvision’s IP block is best binned.