Archive for August, 2005

Advice for new spam hunters

Tuesday, August 30th, 2005

Joe wrote a great post with advice for new spam hunters. He’s gotten into splog fighting lately, and a lot of the guys reading his stuff will probably be splog hunters.

In fact, Joe and I must have found Fightsplog at about the same time - in our referrers. I already had a link on my Other blogs page since earlier today.

Chem

Tuesday, August 30th, 2005

Someone from 69.50.165.186 created a new page named Chem on another wiki I maintain. The page had one word: Hello.

I believe it’s a test to see how well maintained wikis are. Remove that page. It may be used to enter spam later on.

The IP address is on Atrivo/Intercage. The mailserver identifies itself as sysguardian.com, which is on that same IP address, and allegedly owned by a Max Tiper.

The domain name was registered at ESThost. I don’t have to tell you guys that it’s overwhelmingly obvious this is a spammer?

On other wikis, the text has been different, and the poster’s command of English seems poor. Some sentences are in Russian without the Cyrillic alphabet.

On one wiki, I found this text:

Dear site owner! If my pages will be deleted your site will be deleted too. If you have any questions please contact me: no.content.spam@gmail.com Sorry for intrusion.

When searching for that, I find even more instances of this pointless wiki editor, planting Chem pages. I see a similar IP address connected to some edits that Richard’s WikiMinion subsequently cleaned:
69.50.182.10
193.22.84.7 is also connected with that sentence. Black Sea TV Company in the Ukraine…

The Chongqed regulars were discussing this one quite a while ago, but this was the first time I’d come across him. The interesting part here is that they’ve named him the HyipInvestment spammer. HYIP is a term occurring on sysguardian. I’d be interested in some info on why he was given that name. Guys?

The story about Mikie Rods and Reffy/PRstorm

Tuesday, August 30th, 2005

Michael Pollitt asked me to hold back some information about Mikie Rods when that case hit. He was going to write a story for an English newspaper, and wanted some info to come out then - Mikie lost his broadband internet connection. That part of the story was something Michael had ferreted out, so it was his to release.

Now, finally - after many delays, the story is out:

Michael Pollitt enters the murky world of referrer spam.
Moral maze
From loans and ringtones to pornography: Michael Pollitt enters the murky world of referrer spam

I’m actually surprised he held back when it came to M0nkey. I know who the guy is. That may be why he more and more hid behind other people, changed the name of the software and eventually sold it.

Old stories about Mikie Rods:

No more anonymous
Photo of a spammer

Weird e-mail “spam” problem

Monday, August 29th, 2005

Suddenly, my e-mail spam was spiking on one of my domain accounts. I’d been extremely careful with that address. It was NOWHERE to be found on the web. I still got the occasional spam. Probably hand harvested, but probably not sold yet.

So, suddenly I get a lot of “spam”.

I didn’t understand it. Some of them even have my name (which isn’t visible in my e-mail address) and an IP address. It looked as though this company was keeping track of how the address was harvested, and that somebody had subscribed me to something.

So I start trying to trace the number. Couldn’t find anything. Silly me, I should have searched my hard drive, because I would have found it…

Today I got a bounced message I didn’t send. And the content of said message solved the mystery. It was sent out through a service called tafmaster.com. And the contents of the mail were from a sweet old lady I know, who’s been having repeated issues with spam on her machine. She’s quite often had trouble cleaning it. So my first hunch is that she has some kind of malware on it.

Tafmaster is a service that earns money for people who send out stuff to their friends, so it’s possible someone sent out a virus or trojan to mass send mail to contacts of his/her victims.

The mail looked as though it was sent by me, and sent to someone I don’t know, but x-sender and sender were typical of the service. The mail contents looked as though they were from the sent mail folder of my friend. It contained enough identifying information that I knew at once who it was. And the IP address noted in the spam I’d received matched as well.

I haven’t heard back from my friend, and in the meantime, the spam keeps pouring in. I suspect most of it is actually mailing lists, but I’ve even had some 411 spam (multiples from the same name even).

So my question here is: Assuming this sweet old lady hasn’t misconfigured her computer so it sends out e-mail as me, what could it be that she has on her computer? It could be some old malware, but since this became a problem just a few days ago, it might be a new strain.

Matt Cutts reads my blog

Monday, August 29th, 2005

Yeah, he says so himself:

http://mattcutts.com/blog/bloglines

BTW, I’d love to see his traffic stats. The readership on his blog has increased exponentially, considering he just started blogging a few months ago! He’s sending me loads of referrers today.

Spamblog links

Saturday, August 27th, 2005

I’ve had requests for links to blogs on my blogroll. That thing is hopelessly out of date. But since I’m so slow, I’ve opened up another place for you guys to add your links while you wait for a link on the blogroll.

Other spamblogs

This one is open for blogs dealing with e-mail spam as well. I recently got a writeup on Emailbattles, which seems associated with Trimmail. I get referrers from both places these days.

I’m sure there are more blogs out there. Self serve, guys! Spam will of course be removed by yours truly and the other sysops (thanks, guys!).

Linkspammer uses zombies

Friday, August 26th, 2005

One of the recent linkspammers seems to be using zombies. I can’t find any other explanation for it. The machines are often on Comcast or other large US ISPs.

I’ve seen the same type of IP numbers on wikis as well as comments.

Here are some of these numbers, most recent first:

I only went back as far as August 22. There’s more earlier on.

Spam Game

Wednesday, August 24th, 2005

Joe at Chongqed.org happened on what he termed a “Spam Game”. Check out his report.

Referrer spamming for everyone?

Wednesday, August 24th, 2005

I found a link in my referrer stats today and checked it out. It was a project page for an Indian company. Sort of a resume.

chrisranjana.com/projects-showcase.html

The referrer came in from 70.85.237.66. Guess what? That’s their IP number on The Planet.

I guess an example needs to be set. Try referrer spamming, just once, and kiss your Google standing goodbye!

New wiki spam technique

Sunday, August 21st, 2005

Well, at least to me, this is a new wiki spam technique. I had a spammer (apparently Mike Tison) editing the first section of the Mike Tison page, replacing the contents with his spam.

That’s a first, as far as I can tell.

What’s even weirder is that just moments before, attempts were made to post changes to exactly that first section, with a POST instead of a GET fetching the page. That seems to have failed, and the next attempt (different IP number) included a GET of the page first.

This particular spammer appears to be using a zombie army, something that’s very unusual.

This was the first attempt to spam the Mike Tison page. He’s been concentrating on *redacted* in the past.
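
One way to spot the POST-without-GET pattern described in this post in a web server log, as an added example that is not part of the original post: flag edit submissions from an address that did not fetch the same page shortly beforehand. The log lines are constructed, and the MediaWiki-style URL layout, the 30-minute window and the name find_blind_posts are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache combined format), not taken from the post.
# Addresses are documentation ranges; the index.php?title=...&action=... layout
# is an assumed, MediaWiki-style URL scheme.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Aug/2005:10:00:01 +0000] "GET /index.php?title=Some_Page&action=edit&section=1 HTTP/1.1" 200 5120 "-" "-"
192.0.2.10 - - [21/Aug/2005:10:00:40 +0000] "POST /index.php?title=Some_Page&action=submit HTTP/1.1" 302 0 "-" "-"
198.51.100.7 - - [21/Aug/2005:10:05:12 +0000] "POST /index.php?title=Some_Page&action=submit HTTP/1.1" 200 4800 "-" "-"
203.0.113.44 - - [21/Aug/2005:08:00:00 +0000] "GET /index.php?title=Some_Page HTTP/1.1" 200 9000 "-" "-"
203.0.113.44 - - [21/Aug/2005:10:06:33 +0000] "POST /index.php?title=Some_Page&action=submit HTTP/1.1" 302 0 "-" "-"
this line is truncated garbage and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) [^"]*" \d{3} ')


def find_blind_posts(log_text, window=timedelta(minutes=30)):
    """Return (ip, title, timestamp) for edit submissions whose client did not
    GET the same page within `window` beforehand."""
    last_get = {}   # (ip, title) -> time of the most recent GET of that page
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed or non-GET/POST line
        ip, ts, method, url = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        query = parse_qs(urlsplit(url).query)
        title = query.get("title", [""])[0]
        action = query.get("action", ["view"])[0]
        if method == "GET":
            last_get[(ip, title)] = when
        elif action == "submit":
            seen = last_get.get((ip, title))
            # No GET at all, or only a stale one: the form was never loaded.
            if seen is None or when - seen > window:
                flagged.append((ip, title, ts))
    return flagged


if __name__ == "__main__":
    for ip, title, ts in find_blind_posts(SAMPLE_LOG):
        print(f"{ts}  {ip}  POST to {title!r} without a recent GET")
```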