Archive for July, 2005

Spamming 61.768.961 sites

Sunday, July 10th, 2005

I found a backup of a database belonging to a referrer spammer. There are 61768961 records in that database. I’m assuming they’ve referrer spammed the majority of those domains! I noticed that some sites have multiple addresses in the database, while some have just one. So the total number of sites is less than the number of records.

Check it out yourself:

http://70.85.193.178/

Maybe you should all download the backup, to help rack up the bandwidth charges? Using a download manager would heighten the effect, of course…

Webhost The Planet has been notified.

This is the spammer:
Manila Industries

Comment spamrun from Genaholincorporated

Friday, July 8th, 2005

I suspect Genaholincorporated/Tigerspice of being behind the current comment spam run, followed by a massive trackback run. The MO is very similar, but we can’t be sure of course. What I do know is that genaholincorporated.com was respammed a little over a week ago. So he’s active.

Sites are on these IP numbers:
216.32.82.51
216.32.82.52
72.36.161.180

Proxies used to spam from.

Revenge referrer run?

Wednesday, July 6th, 2005

I’ve gotten quite a few referrers lately from sites I know I don’t link to. Mainly referrer scripts. One of them had a referrer from http://www.spamhuntress.com/.

Try it yourself, and you can see that it must be fake. I’ve got a 301 (that’s permanent redirect) in effect, because I don’t use the www on this site. So that leads me to believe there’s some hanky panky going on. And considering the threat I referenced in my previous post, I just wonder if maybe the hits with my referrer have the same IP number as the spammer in this post - 65.50.141.2 ?

Update
I’ve confirmed that the IP number used on two sites was:
148.223.216.169
Mexican IP number, used for spamming before.

Complications

Wednesday, July 6th, 2005

Got a sort of threat today. Not sure what to make of it. If you guys would help me speculate?

Vinnie’s spammer

Check the first comment there, and my responses.

Spam submitter

Tuesday, July 5th, 2005

I do occasional sweeps for spam submitters, just in case I find stuff that should be removed.

Here’s one that I hope will be gone in a few days:

Spam submitter

After MCI had to boot Send-Safe, there are fewer and fewer spam submitters left on the net. Even ESThost booted Eugene Blagodarny’s spam submitter!

The IP of the site is:
69.93.251.68
And as far as I know, complaints should go to abuse at theplanet.com
If they don’t respond favorably, we need to step up the pressure.

This one has been widely spamvertized as well. From among others these IP numbers:
194.242.118.198
194.242.118.82
213.227.198.216

Alseo spammer

Monday, July 4th, 2005

I found a new spammer on my internet trawls:

Alseo

Has the dubious honor of having a few domains suspended by ESTdomains/Directi!

Recycled spammer

Sunday, July 3rd, 2005

Writeup: OEM Software spammer

————

I caught a new spammer on annelisabeth today.

During the normal tracing process, I found that this guy is an old hand at spamming. He was caught on NANAS repeatedly in 2003 for mail spamming.

Here’s a sampler of his X-mailer lines:
X-Mailer: commit pray deprivation5459
X-Mailer: The Bat! (v1.49)
X-Mailer: olefin amazon manageable6571
X-Mailer: Holdit Mailer 4.04
X-Mailer: ChinHuan MaoZun 5.09
X-Mailer: Microsoft Outlook Express 5.50.4522.1200

He spammed from
195.206.123.33

And the domain (cheap-computer-software.com) is at:
195.206.123.59

I’m pretty sure he’s using a spambot. That seems the new weapon of choice for many spammers.

The IP block is from telecompoint-net in Russia, and is owned (according to RIPE) by Konstantin Melnikov.

Server error

Saturday, July 2nd, 2005

Just got a trackback spam on annelisabeth.

This one’s interesting, in that it appears to be a blog. It looked valid on the face of it.

When you open the page, you get a Server Error message.

But since I opened it in a text-browser, I saw a bunch of table junk beneath it and got suspicious enough to scroll to the bottom. Turns out there are lots of porn links…

I’m still unsure who this spammer is, but keep an eye out for trackbacks that lead to pages with server error. That could be cleverly concealed spam!

I also noticed that the IP number the spam was entered from is that of the server hosting the site. But even the front of the site has a Server Error message. But even though the page insists there’s a 500 error, the status code is actually 200…
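The check described in this post, written out as an added example (not code from this blog): given the HTTP status and body already fetched for a trackback's target URL, flag pages that display a server error while answering 200 and carrying a pile of links. The function name, the error phrases, the link threshold and the sample pages are all assumptions made for the illustration.

```python
from html.parser import HTMLParser
import re

# Phrases an error page typically shows near the top (assumed list, extend as needed).
ERROR_TEXT = re.compile(r"server error|internal error|error 500|500 error", re.I)

class _PageScan(HTMLParser):
    """Collects visible text and absolute link targets from an HTML page."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href and href.startswith(("http://", "https://")):
                self.links.append(href)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())

def check_trackback_target(status, body, max_links=3):
    """Return the reasons a fetched trackback target looks like concealed spam."""
    scan = _PageScan()
    scan.feed(body)
    # Only the top of the page counts: that is where the fake error banner sits.
    claims_error = bool(ERROR_TEXT.search(" ".join(scan.text)[:300]))
    reasons = []
    if claims_error and status == 200:
        reasons.append("page says server error but HTTP status is 200")
    if claims_error and len(scan.links) > max_links:
        reasons.append(f"error page carries {len(scan.links)} outbound links")
    return reasons

# Constructed sample pages (not captured from any real site).
SPAM_PAGE = ("<html><body><h1>Server Error</h1><p>The server encountered an "
             "internal error.</p><table>"
             + "".join(f'<tr><td><a href="http://example.invalid/p{i}">link {i}</a></td></tr>'
                       for i in range(12))
             + "</table></body></html>")
REAL_ERROR = "<html><body><h1>500 Internal Server Error</h1></body></html>"
CLEAN_POST = ('<html><body><h1>My weblog</h1><p>Replying to '
              '<a href="http://example.invalid/post">this post</a>.</p></body></html>')

if __name__ == "__main__":
    for name, status, page in [("spam", 200, SPAM_PAGE), ("real error", 500, REAL_ERROR),
                               ("clean", 200, CLEAN_POST)]:
        print(name, check_trackback_target(status, page))
```
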

Zahariev low flame

Saturday, July 2nd, 2005

Looks like the Zaharievs are on low flame at the moment. They haven’t stopped spamming, but we find a LOT less of the spam now than we used to.

We’re left guessing what they’re up to.