Archive for August, 2005

Swedish spammer

Tuesday, August 9th, 2005

This is rather unusual. Here’s a Swedish spammer.

He referrer spammed my log (munged slightly):

193.109.173.79 - - [09/Aug/2005:02:12:36 -0500] "GET / HTTP/1.0" 200 26146 "h*tp://www.webbshop.co.uk" "IE 5.0"

The domain has this owner:

Peter Sandgren
Besökaregränd 2E
Ystad
Ystad
27142
SE

Registered on: 01-Aug-2005

The address doesn’t actually exist in Ystad.

The IP address puts him on a broadband connection in Skåne in Sweden: Teleservice Bredband Skane AB

Payoffs:
Tradedoubler - 882536
A refresh redirect to a Swedish dating site that belongs to the same guy?
Google Adsense: pub-9166886050951199
A cafepress site, provokat

Update October 7: He had a different IP number when he commented here than the spam was entered from.

Exploit spammer

Tuesday, August 9th, 2005

Svdb’s wiki got spammed, and he started unraveling the trail of the spammer, whom he named

Mike Tison

I joined into the fun, and within a day I got spammed too.

Turns out this guy is well known for CWS (start page hijacker) laden sites and other not-so-nice things. He’s offered traffic from dialers (as far as I could tell) on Russian forums…

3marketeersproductions

Saturday, August 6th, 2005

Here’s another from the safelist/blaster community. It’s the referrer spammer I discovered August 4.

Tom Horn and his two compadres are pushing their company 3marketeersproductions.com via referrer spam. Kinda weird, considering they’re pushing programs that they say are so revolutionary. And one of their buzzwords is SPAM FREE!!!

I got five accesses within seconds of each other on August 4, referrer spamming five different pages on 3marketeersproductions.com. And a repeat of that the day after on another site. And just so we’re clear, the IP number is from the same town they’re based in, Pontiac, Michigan:
68.61.235.225
A Comcast address, which normally means home or business broadband connectivity.
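The burst pattern described above (one client IP sending several different referrer URLs on the same outside domain within seconds) can be picked out of a Combined Log Format access log automatically. The following is an added example, not code from the original post; the sample lines are constructed, and the name `own_host`, the 10-second window and the three-URL threshold are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed sample lines (documentation IPs and .example hosts, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Aug/2005:10:00:01 -0500] "GET / HTTP/1.0" 200 26146 "http://promo.example/a.html" "IE 5.0"
203.0.113.7 - - [04/Aug/2005:10:00:02 -0500] "GET / HTTP/1.0" 200 26146 "http://promo.example/b.html" "IE 5.0"
203.0.113.7 - - [04/Aug/2005:10:00:02 -0500] "GET / HTTP/1.0" 200 26146 "http://promo.example/c.html" "IE 5.0"
203.0.113.7 - - [04/Aug/2005:10:00:03 -0500] "GET / HTTP/1.0" 200 26146 "http://promo.example/d.html" "IE 5.0"
203.0.113.7 - - [04/Aug/2005:10:00:04 -0500] "GET / HTTP/1.0" 200 26146 "http://promo.example/e.html" "IE 5.0"
198.51.100.9 - - [04/Aug/2005:10:05:00 -0500] "GET /post HTTP/1.1" 200 5120 "http://search.example/?q=spam" "Mozilla/5.0"
198.51.100.9 - - [04/Aug/2005:11:30:00 -0500] "GET /about HTTP/1.1" 200 2048 "http://search.example/?q=blog" "Mozilla/5.0"
198.51.100.9 - - [04/Aug/2005:11:30:05 -0500] "GET /feed HTTP/1.1" 200 900 "-" "Mozilla/5.0"
""".splitlines()

def external_referrers(lines, own_host):
    """Group (timestamp, referrer URL) by (client IP, external referrer host)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        ip, ts, ref = m.groups()
        host = (urlsplit(ref).hostname or "").lower()
        if host and host != own_host:  # ignore "-" and internal navigation
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[(ip, host)].append((when, ref))
    return hits

def referrer_bursts(lines, own_host, window=timedelta(seconds=10), min_urls=3):
    """Flag (ip, host) pairs with >= min_urls distinct referrer URLs inside window."""
    flagged = {}
    for key, events in external_referrers(lines, own_host).items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            urls = {ref for _, ref in events[start:end + 1]}
            if len(urls) >= min_urls and len(urls) > len(flagged.get(key, ())):
                flagged[key] = sorted(urls)  # keep the largest burst seen
    return flagged
```

Calling `referrer_bursts(SAMPLE_LOG, "blog.example")` flags only the client that sent five referrer URLs in four seconds; the search-engine visitor with two referrers 85 minutes apart is left alone.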

Tom has been marketing his site on safelists/safeboards, using short URLs to disguise his addresses. One of the sites he promoted was thetoolman.net/blog/. It now has DomainByProxy whois protection. But that was done after he got tagged by two parties on NANAS for e-mail spamming. One included the whois information as it was around June 27:

Administrative Contact:
Horn, Tom tapperlada@3marketeersproductions.com
485 Central
Pontiac, MI 48341
US
+1.2484568009

The toolman site advertises a blog blaster, and says it’s powered by yourfreeworldscripst. That’s a site owned by Rohit Seth, the guy I talked about in the previous post.

A demo of the tool shows that it can be used as a pure spam tool:
[Image: Rohit blog blaster demo]

Despite this, the promo page for the tool states that it’s 100% permission based. Also note that it refers specifically to getfreeblogs. They admit straight out those are the blogs in their network!

I’ve found ads from Tom on Rohit’s ad-blogsite.

I think it’s time to do something drastic, so these web based outgrowths of safelists no longer make it into search engines. Google, are you listening?

Blaster blog site

Friday, August 5th, 2005

While tracking the blaster networks, I came across a specific player that turned out to be a bit more interesting than most.

Meet Rohit Kumar Seth aka Rohit Seth.

He’s a guestbook spammer, but before he started spamming guestbooks, he was the owner of a free scripts site. He’s been plugged into the ad blaster networks for some time too. But looking at a recent list of commissioned scripts will give you an idea of what he’s currently into. I’ll quote a few of the more interesting script descriptions:
Guest book autoposter (July 4)
wordpress blog auto submit script (June 30)

The guestbook spamming was done around July 8-11…, for this site: getfreeblogs.com

I found the spam while checking a blog that had a suspicious number of typical blaster comments.

What I eventually found was a list of all the users. Note that in the middle of the page, there are a lot of names with no info on them. And the names are listed almost alphabetically. Lots of variations of similar names. Those are, I believe, fake blogs, designed to blend in with the real users. The fake blogs are there to receive blaster ads… Right now most of them have ONE blog post (a welcome post entered by the system), and 191 comments.

So, although the site does have legitimate users, the INTENT of the whole site and service is to have lots of fake blogs with blaster comments. In other words, the whole site was conceived to hold search engine spam. And it was spammed from the get go.

Very interesting how the blaster people are more and more doing spam now to cut through the noise…

More blaster programs

Thursday, August 4th, 2005

I found a few more blaster programs today, patterned after Maryanne Myers’ program. One doesn’t specify that the blogs and forums are opt-in, so we’ll have to find out. The other is owned by an outfit that referrer spammed my site today. That’s how I found all of these. The referrer spammer also posted some ads on some forums, with the same (home ISP, I assume) IP number that he used when spamming my site. And he used some URL shortening service to keep his site from being penalized, I guess. One of the URLs didn’t work, and I had a look at the ads instead. That’s where I found one of the blaster programs.

The one outfit that spammed my site specifies that the program is permission based.
Well, guess what, the same person who advertised for that (separate URL) program is the same person who spammed my site - without permission.

I’ll have more on this tomorrow.