Archive for July, 2005

Caught Netomedia spamming

Wednesday, July 20th, 2005

John from Benzoblog caught Netomedia blog spamming, and wants everybody to know that

Netomedia are blog spammers

Nice piece of sleuthing!

A Bulgarian thinks I made it up

Tuesday, July 19th, 2005

I got a comment on my How I tracked down a spammer post today:

# Tony (Bulgarian) Says:
July 19th, 2005 at 2:34 pm

Like many others I came to this site googling for something containing “bulgarian”…

After reading the way you track spammers, I can only say:
Guys, what a shame! You absolutely do not know and do not understand the spamming techniques and still you have the bravery of labeling the whole Bulgarian nation as spammers!

Let me give you some explanations:
- no spammer uses its own IP address
- all spammers use forged IP addresses
- the IP addresses the spammers use are usually IPs of vulnerable unpatched servers and workstations on the internet, thus allowing the spammer to use them.

Well, let me ask you some questions:
- how exactly are you tracking a forged IP address? If you have a real answer for this, you can become very rich by patenting this; your first client will be the FBI…

Best (Bulgarian) regards…

So I replied. You guys are of course free to get your two cents in as well:

# Administrator Says:
July 19th, 2005 at 4:04 pm

Well, Tony, I guess it’s you who don’t understand spam tracking.

Forget what you learned about tracking mail spammers. Linkspammers are a different breed entirely. Currently their favored method is using a server they lease or colocate as their spambot. Most of them don’t even layer a proxy on top of that spambot.

Why? Because webhosts don’t understand linkspam, and some of the big colocation/leasing facilities are spam supporters when it comes to linkspam.

Also, while linkspammers learn, they often use their own ISP connections when spamming.

I stand by my conclusions. And no, I don’t think Bulgarians are all spammers. In fact, there are extremely few Bulgarian spammers. Most are Russians…

ESThost cavalier about spamware

Tuesday, July 19th, 2005

I complained about dorank.com to ESThost. Remember that site? Submitter software in Russian. Probably responsible for a good deal of comment spam - to forums, blogs etc.

I got several replies from ESThost. The first said they were taking care of it. After seeing new spam from their customer, I asked why they hadn’t done anything. Finally they asked me to talk to the registrar about terminating the domain. Godaddy said the contents of the website had nothing to do with them; that was the responsibility of the webhost. So I told ESThost that Godaddy had kicked the ball back to them, and got this response:

————-

Vitali (abuse desk employee at ESThost):

Hello,

Listen, why should we block our customer? If he has many domains on his account, and we will block this? Tell that to Godaddy; this is their domain, from which it was spammed, so they can suspend it. We are also a domain company, and we suspend domains for spam.

———

Update, July 20: Vitali says they suspend domains for spamming. Since they’re also a registrar through Directi, I suppose that’s what he means. But if they wouldn’t even consider terminating hosting customers for spam, then they’re seriously in need of a good blocklisting!

———

This was Godaddy’s initial response:

We are not hosting this site. We are the domain name registrar only. We have neither access to, nor jurisdiction over the content on this site. The hosting provider is the company responsible for this content and provides the registered name servers that this site is housed on. The name servers for all domain names are public knowledge and can be accessed from any WhoIs lookup. Please submit your complaint to this company based on their AUP.

Keeps flogging dead site

Tuesday, July 19th, 2005

There’s a spammer who just keeps sending trackbacks for a dead site:

ceixnoirs.dyndns.org

It was taken out by dyndns.org on Sunday, and I got a fresh batch of trackbacks this morning. This has to be a new guy; most spammers at least figure out quickly that their dyndns sites are gone!

And he keeps using that same IP number: 203.116.214.2

I notified the owners about the abuse, but nothing’s happened.

I first saw this spammer (that I know of) July 13, when he was pushing an orgfree.com subdomain. They terminated him, and he moved on to dyndns July 16, after having taken a day off spamming.

Lists of proxies

Sunday, July 17th, 2005

I found a mention in Wikipedia relating to anonymous proxies. Netaholic used Zahariev’s list of proxies to create a list of proxies for blocking.

Some linkspammers use proxies that are not yet entered into the big lists of open proxies, so poaching their lists can be of use when combined with the public open-proxy lists. Maybe we could get some kind of script or software for building lists of IP numbers (sorting, removing duplicates) from such sources? You’d start with a log file grepped for the telltale parameters of a spam run, and pull the client addresses out of the matching lines.

So, what do you think? Those lists could of course later be submitted to some open proxy RBL.
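Here is the kind of script I have in mind, as an added example; it is my own sketch, not Netaholic’s or Zahariev’s tooling. It reads an Apache-style access log, keeps the lines matching a pattern (trackback and comment POSTs in the demo), extracts the client address from the first field, throws away anything that is not a dotted quad, and sorts with duplicates removed. A second function compares the result with a known open-proxy list so only the new addresses remain for submission to an RBL. The log lines are constructed for the demo (203.116.214.2 is the proxy named in the posts above; the other addresses are documentation-range placeholders), and the file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a blocklist of
# spamming client IPs from an access log and reports which of them are not
# yet on a known open-proxy list.

# Constructed sample log in Apache "combined" format. Only the first field
# (client address) and the request line matter here.
sample_log() {
  cat <<'EOF'
203.116.214.2 - - [16/Jul/2005:09:12:01 +0200] "POST /wp-trackback.php?p=42 HTTP/1.0" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0"
198.51.100.7 - - [16/Jul/2005:09:13:40 +0200] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://198.51.100.7/" "Mozilla/4.0"
192.0.2.10 - - [16/Jul/2005:09:14:02 +0200] "GET /2005/07/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.116.214.2 - - [16/Jul/2005:09:15:55 +0200] "POST /wp-trackback.php?p=17 HTTP/1.0" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0"
not-an-ip - - [16/Jul/2005:09:16:00 +0200] "POST /wp-trackback.php?p=42 HTTP/1.0" 200 512 "-" "-"
EOF
}

# spam_ips PATTERN
# Reads an access log on stdin, keeps the lines matching the extended regex
# PATTERN (the "grepped for some kind of parameters" step), takes the client
# address from the first field, drops anything that is not a dotted quad,
# and prints each address once, sorted lexically so the output can be fed
# straight into comm or diff against another sorted list.
spam_ips() {
  grep -E -- "$1" \
    | awk '{ print $1 }' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | sort -u
}

# new_proxies KNOWN CANDIDATES
# Both arguments are files with one IP per line. Prints the candidates that
# are NOT already on the known list, i.e. the addresses worth submitting to
# an open-proxy RBL. Both inputs are re-sorted so comm's sorted-input
# precondition holds even for hand-edited lists.
new_proxies() {
  known_sorted=$(mktemp) || return 1
  cand_sorted=$(mktemp) || { rm -f "$known_sorted"; return 1; }
  sort -u "$1" > "$known_sorted"
  sort -u "$2" > "$cand_sorted"
  comm -13 "$known_sorted" "$cand_sorted"
  rm -f "$known_sorted" "$cand_sorted"
}

# Demo on the constructed log. Against a real server you would run:
#   spam_ips 'wp-trackback|wp-comments-post' < access.log > candidates.txt
#   new_proxies open-proxies.txt candidates.txt
# (file names are hypothetical).
demo() {
  known=$(mktemp); cand=$(mktemp)
  printf '198.51.100.7\n' > "$known"   # pretend this one is already listed
  sample_log | spam_ips 'wp-trackback|wp-comments-post' > "$cand"
  echo "spamming IPs:"; cat "$cand"
  echo "not yet on the known list:"; new_proxies "$known" "$cand"
  rm -f "$known" "$cand"
}
demo
```

The pattern is matched against the whole line, so a referrer or user agent containing the string would also select the line; if that becomes a problem, match on the request field alone with awk instead of grep. Lexical sorting puts 203.x before 69.x, which looks odd but is what comm needs; sort numerically only for the final human-readable copy.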

Pink contracts/Moniker

Saturday, July 16th, 2005

I was reading up on recent usenet threads regarding ESThost, when I came upon this little nugget:

(There is a lot of money to be made in spam support — as the $DAYJOB
network administrator, I’ve been offered $1000/month for connectivity on
a /24 and all abuse reports routed, not acted on, to the customer. Per
server. The guy wanted four. That’s not to sneeze at, if you don’t
care about your reputation on the Internet.)

And I remembered Moniker’s regular behavior of forwarding complaints about Zahariev domains to the Zaharievs themselves. Wonder what happened with Kelly’s complaints regarding that?

69.50.170.18

Saturday, July 16th, 2005

I’ve gotten a LOT of trackbacks lately. But with temperatures hovering in the low eighties, I’ve avoided the computer as much as possible. Now, with a rainy day, it’s time to expose some spammers.

One of the latest, who may be a new one, is now spamvertising dynamic DNS subdomains hosted on 69.50.170.18.

Earlier he was pushing an orgfree.com subdomain, but they booted him. Either for spamming or for having adult content - either is against their rules.

The spam is always coming through 203.116.214.2, which is an open proxy.

User agent:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.

Payoff:
searchadv.com ID: 10092

There are no domains associated with this spammer, so I can’t track him further yet. I’ll update if/when I get more.

Indiatimes

Friday, July 15th, 2005

Rojisan got hit by referrer spam from indiatimes.com

I did too, but I didn’t blog about it, because it could theoretically be revenge spam (spam sent to make an innocent site look like the spammer). That’s of course possible, but if so, Indiatimes should get back to Rojisan.

Anyway, here’s his writeup about Indiatimes

VI-TI-KA at it again

Thursday, July 14th, 2005

Remember that post about Full confession?

That was about VI-TI-KA.

I’ve had quite a flood of referrer spam the last few days. All subdomains of a free adult webhost.

If you’re linking in from somewhere they’ve spammed, you’re redirected to:

http://j-rx.com/tds/in.cgi?10&group=casino&parameter=404

The way they do it is novel. They look for trigger words in the referrer, typically guestbook, refer, blog and the like, very much as they did before.

Visitors whose referrer doesn’t trigger the 404 response are instead redirected to the payoff:
imlive ID: 123680715705

Got it too

Wednesday, July 13th, 2005

Rojisan is griping about a trackback spam run. I got it too. Irritating buggers.

The domain that forwards to cheapmp3 is also owned by the spammers, as far as I can tell:

u5srv.com
212.158.165.202
“Global Metal”, abuse addresses at caravan.ru

Kruger Store Inc
Michelle Frankson (michellefrankson@gmail.com)
1059 Mineral Wells Ave
Paris
null,38242
US
Tel. +91.7316441070

Domain servers in listed order:
ns1.u5srv.com
ns2.u5srv.com

Registration Service Provided By: ESTDOMAINS