Archive for September, 2005

Hire a freelancer

Tuesday, September 27th, 2005

I got ONE referrer in my log that looked fairly clean.

multipointlocks.co.uk

No link back to me, so I investigated further.

Turns out the owner has hired a freelancer for SEO and other things, from one of those freelancer coding sites. I suppose the hired help is a blackhat.

I’ve notified the owner of the site. I’m sitting there with the finger over the trigger of reporting that domain to Google for blacklisting.

Why am I even talking about this? Do NOT hire freelancers to do SEO for your valuable domains without knowing what they’re doing. If they talk about link building, you need to know EXACTLY what they’re doing. No linkspam of any sort, or you may find me on a cranky or bored day, where I report everything I find for blacklisting on Google.

And the blackhat SEO, oh excuse me, spammer?

67.19.96.34
34.67-19-96.reverse.theplanet.com

An IIS-6 server that has a history of spamming, at least since July 24.
There’s one active site on there that I can find: shaadioffice.com

Whois:
Citycircles International asim@asimbaig.com
186-8120 #2 Road Suite 328
Richmond, BC V7C 5J8
Richmond, BC V7C 5J8, BC V7C 5J8
Canada
+604.5372339
Fax- +604.5372339

However, that IP number spammed for this site:

indianelite.com

Whois:
indianelite
Ray, Ajit [AA-402]
11111111
calcutta, Westbengal 700107, IN
Phone: 1111111111111111
Email: webmaster@indianelite.com

The guy who owns that domain also put his e-mail address on other forum comment spam runs from that IP address.

Yet another blogsubmitter

Monday, September 26th, 2005

And this one is talking about putting ONE ping or comment on other people’s blogs. Hmmmm….

Thus trying to avoid getting penalized by Google.

Sounds vaguely different from Maryann Myer’s scheme. Her massive comment bonanzas were easy to spot and devalue.

If he’s indeed talking about posting to blogs that didn’t agree to participate, he’s breaking the ethical code (no law against it yet, unless you want to stretch existing law).

And according to Search Engines Web, who tipped me with a comment on Grab Bag, he received an e-mail with this thing. He didn’t say if it was a spam e-mail, but the sender has been caught e-mail spamming before. Just search for his e-mail address and you’ll find lots of affiliate schemes he’s been trying to hawk. He’s got a few NANAS records dating back to 2000 and 2002!

At any rate, I thought I’d dissect the sample (minus the headers. Remember munged headers next time, SEW).

The URL in the e-mail was
newera2000.net/blogsubmitter/
which has a meta refresh to
hop.clickbank.net/?juareze/satcom&l=2
which does a 302 redirect to
www.spagack.com/flex/cape.php?l=1&hop=juareze&l=2
which then ends up at
http://www.holygrailofadvertising.com/

What this means is that the guy who sent SEW the e-mail is an affiliate of the program hawker. Both spagack and holygrailofadvertising belong to the same outfit and sit on the same server. And they both have whois protection. Not taking any chances, eh?
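The chain above can be walked without a browser. The following is an added example, not code from the original post: a small Python resolver that follows HTTP 30x Location headers and meta refreshes over a constructed offline copy of the four URLs (FAKE_WEB, fake_fetch and resolve_chain are names made up here), and stops on loops or excessive hops.

```python
import re
from urllib.parse import urljoin

# <meta http-equiv="refresh" content="N; url=...">, tolerating case, quoting and spacing variations.
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)

# Constructed offline stand-in for the web: url -> (status, headers, body), modelled on the chain in the post.
FAKE_WEB = {
    "http://newera2000.net/blogsubmitter/": (200, {},
        '<html><head><meta http-equiv="refresh" content="0;url=http://hop.clickbank.net/?juareze/satcom&l=2"></head></html>'),
    "http://hop.clickbank.net/?juareze/satcom&l=2": (302,
        {"Location": "http://www.spagack.com/flex/cape.php?l=1&hop=juareze&l=2"}, ""),
    "http://www.spagack.com/flex/cape.php?l=1&hop=juareze&l=2": (302,
        {"Location": "http://www.holygrailofadvertising.com/"}, ""),
    "http://www.holygrailofadvertising.com/": (200, {}, "<html>landing page</html>"),
}

def fake_fetch(url):
    """Offline fetcher. A real one would do a GET with a short timeout and never execute scripts."""
    return FAKE_WEB.get(url, (404, {}, ""))

def resolve_chain(url, fetch=fake_fetch, max_hops=10):
    """Follow HTTP 30x Location headers and meta refreshes starting at url.
    Returns ([(url, how), ...], final_status); how is 'start', the 30x status, 'meta-refresh' or 'loop'.
    final_status is None when max_hops is exceeded (spam chains sometimes bounce forever)."""
    chain, seen = [(url, "start")], {url}
    while len(chain) <= max_hops:
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307) and "Location" in headers:
            nxt, how = urljoin(url, headers["Location"]), str(status)
        else:
            m = META_REFRESH_RE.search(body)
            if not m:
                return chain, status            # no further redirect: this is the landing page
            nxt, how = urljoin(url, m.group(1)), "meta-refresh"
        if nxt in seen:
            return chain + [(nxt, "loop")], status
        seen.add(nxt)
        chain.append((nxt, how))
        url = nxt
    return chain, None
```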

IP: 216.171.218.222
It’s on MARKETRENDS PRODUCTIONS at marketrends.net’s IP block.

The affiliate, on the other end, isn’t quite as careful.

The domain is sitting on a DSL line in Mexico!
And it allegedly belongs to this guy:

Trujillo, Alex webmaster@newera2000.com
Marcelino Davalos
No. 72
Col. Algarin. Delegacion Cuauhtemoc
Distrito Federal, 06880
MX
52 55301543

Rendering IE harmless

Sunday, September 25th, 2005

Update:
Winxp sp2 has program access choices (firewall). I found it right under the control panel in the startmenu. You can choose non-Microsoft, and then (provided Mozilla Firefox and Thunderbird are installed) all shortcuts to Internet Explorer and Outlook Express are removed.

That may be a better choice for some than my rather drastic way…

——————–

I’ve been irritated over the fact that Internet Explorer would access sites and make a thumbnail image of the site, if I even so much as clicked on a saved file with the base href in it. Considering I sometimes examine dangerous sites, and sometimes use Google’s cache, the risk is I could get infected with something nasty that way.

And add the fact that I work with end-user support, and sometimes I’d like to disable Internet Explorer for particularly clueless users. Download Firefox, then disable Internet Explorer.

So I came up with something that hopefully doesn’t break my operating system…

(Disclaimer: I’ve got the Norwegian version, so I may not guess the correct English terms)
Open Tools in the top menu. Go to Internet Options. Click on the Connections tab. Click on LAN settings. Tick the Proxy server box. Enter 127.0.0.1 as the IP number. Then maybe 8080 for the port. Click on OK, and you should have rendered Internet Explorer harmless.

Did I mention I consider Internet Explorer malware? Along with Outlook Express, of course. They’re leaking every which way. Your Windows XP computer will be infected with various parasites within half an hour of using Internet Explorer - they say.

If you’re still using either one of these, go to
http://www.mozilla.org/
Download and install Firefox (to replace Internet Explorer as your internet browser) and Thunderbird (to replace Outlook Express as your mail program).

——–

Updates:
Since Manni expressed concern about other apps that use IE’s internet settings, I’ll post my findings here:

* Windows Update. Probably doesn’t work.
* MSN messenger - doesn’t work with localhost as proxy in IE. The program itself has a Connections tab, with the possibility of entering a proxy. So I assume it could be massaged to work?

Please post your findings below if you use the proxy settings and something breaks.

Grab bag

Sunday, September 25th, 2005

Just thought I’d link to a few posts done by others.

Etanisla has a few domains she advises to block

John Graham-Cumming has written The Spammer’s compendium. Mainly about mail spam.

There’s a WP plugin at The Daily Irrelevant. Scanning contents of posts against a database of bad URLs, if I understood correctly.

The Register talks about a spam map from Mailinator.

And I just thought I should mention something about MediaWiki. Some users have been complaining that they can’t save edits. When they click on Save Page, they just get the preview instead. They can click that save page multiple times, and each time they get the preview. Some edits may be lost that way. On the other hand, if you’re NOT logged in, you are able to save your edits. If that problem suddenly appears, there’s one thing you may want to check…

It just MIGHT be caused by a website account with no free space. Free up some space, and see if that problem gets solved… It tracks with the reason the geeks give for why this problem occurs…

Block 84.240.28.167

Sunday, September 25th, 2005

You guys should block 84.240.28.167 right away. VERY aggressive referrer spammer.

I just checked my referrer script (and no, it can’t be indexed by Google. Got .htaccess blocks in place).

And I had a few pages of hits from a bot at 84.240.28.167. It was referrer spamming
9.klikni-suka.com/linkshare.html
which has a simple 302 redirect to searchadv.com, affiliate code 35575.

Guys, block this one in your .htaccess files. It requested my index page, which means quite a few KB. And every request gets a 200 code, which means he/she loads the entire page each time. I had 80 instances in my raw log when I checked it. On the other hand, I see two distinctly different patterns in the log. For some accesses, the index page has around 10136 bytes, while for others it has around 32867. For this “user”, it’s the lighter version.

The user agent used by the script is:
Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)

That same IP number checked my site a few hours earlier, and the day before, using this user agent:
Mozilla/4.0 (compatible; MSIE 6.0; Win32)
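To spot this pattern in a raw Apache log without reading it by hand, here is an added example (not from the original post) in Python: it parses combined-format lines, flags an IP that repeatedly fetches the index page with one outside referrer, and emits Apache 2.2-style .htaccess deny rules. The log lines are constructed to mirror the hits described above, and spamhuntress.example stands in for the site’s own hostname.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: three index-page hits from the IP and referrer named in the post, plus normal traffic.
SAMPLE_LOG = """\
84.240.28.167 - - [25/Sep/2005:10:01:12 +0200] "GET / HTTP/1.1" 200 10136 "http://9.klikni-suka.com/linkshare.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
84.240.28.167 - - [25/Sep/2005:10:01:44 +0200] "GET / HTTP/1.1" 200 10136 "http://9.klikni-suka.com/linkshare.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
84.240.28.167 - - [25/Sep/2005:10:02:15 +0200] "GET / HTTP/1.1" 200 10136 "http://9.klikni-suka.com/linkshare.html" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
192.0.2.10 - - [25/Sep/2005:10:03:01 +0200] "GET /archives/2005/09/ HTTP/1.1" 200 32867 "http://www.google.com/search?q=referrer+spam" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
192.0.2.10 - - [25/Sep/2005:10:03:05 +0200] "GET /style.css HTTP/1.1" 200 2210 "http://spamhuntress.example/archives/2005/09/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
"""

def parse_log(text):
    for line in text.splitlines():          # malformed lines are skipped, not fatal
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_referrer_spam(text, own_hosts, min_hits=3):
    """Flag IPs whose 200 responses for the index page all carry the same outside referrer.
    own_hosts: this site's hostnames, so internal referrers (normal navigation) are ignored."""
    per_ip = defaultdict(lambda: {"hits": 0, "bytes": 0, "referrers": set(), "uas": set(), "paths": set()})
    for rec in parse_log(text):
        ref_host = urlparse(rec["referrer"]).hostname or ""
        if rec["status"] != "200" or not ref_host or ref_host in own_hosts:
            continue
        e = per_ip[rec["ip"]]
        e["hits"] += 1
        e["bytes"] += int(rec["bytes"]) if rec["bytes"].isdigit() else 0
        e["referrers"].add(ref_host)
        e["uas"].add(rec["ua"])                 # the post saw two user agents from one IP
        e["paths"].add(rec["request"].split(" ")[1] if " " in rec["request"] else rec["request"])
    return {ip: e for ip, e in per_ip.items()
            if e["hits"] >= min_hits and len(e["referrers"]) == 1 and e["paths"] == {"/"}}

def htaccess_rules(flagged):
    """Apache 2.2-era .htaccess: deny the flagged IPs and any request carrying the spam referrer."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in sorted(flagged)]
    for host in sorted({h for e in flagged.values() for h in e["referrers"]}):
        lines.append(f'SetEnvIfNoCase Referer "{re.escape(host)}" spambot')
    if flagged:
        lines.append("Deny from env=spambot")
    return "\n".join(lines)
```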

It looks to me like the domain belongs to the spammer. Have a look:

individual
Konstantin Benkunskij (K.BENKUNSKIJ@POST.SKYNET.LT)
+370.68094867
Fax: +370.68094867
Seskines 35-12
Vilnius, none 2010 LT
LT

Note, he’s had that phone number for years!

Registration Service Provided By:
Contact: domain@nswebhost.com

Name Servers:
NS1.HOSTINGZOOM.COM
NS2.HOSTINGZOOM.COM

Creation date: 09 Aug 2005 13:58:00
Expiration date: 09 Aug 2006 13:58:00

It’s on The Planet, at
70.84.135.3

And I believe 84.240.28.167 is his home or work connection. It’s at:
lan-84-240-28-167.vln.skynet.lt

Ah, yes, he apparently has a history as a mail spammer:
Linux NMR mailing list - from August 2004. And two NANAS sightings.

Nuke on sight

Monday, September 19th, 2005

I was chasing a wiki spammer, and came upon another wiki spammer.

One who does invisible wiki spam.

69.31.82.66
colo-69-31-82-66.pilosoft.com

Pilosoft has been increasingly known for linkspam lately.

The root site on that server is TakeYourBucks.com. It’s a Russian site dedicated to traffic - and they’re not shy about what kind of traffic. It’s a likely owner of a bot. In this case I’m guessing the owner of the site is also operating the spambot.

Whois:

KLS Network Inc.
68-70 North End Road
London, UK W14 9EP
GB
+1.7755998336

Buckley, Joanne support@quickiesx.com
68-70 North End Road
London, UK W14 9EP
GB
+1.7755998336

Record expires on 01-10-2006
Record created on 01-10-2005

NS1.IDEASFORHOST.COM 209.25.147.9
NS2.IDEASFORHOST.COM 69.56.220.74

The nameservers have been implicated in guestbook spamming before.

Dyndns subdomains hosted on:
69.93.145.180

I found the wiki testing bot active on the same wiki, before the 69.31.82.66 bot showed up.
69.31.131.178

The syntax is remarkably similar. I’m guessing it’s either the same outfit or a copycat.
For a good list of edits showing this pattern.

Conclusion:
Block this IP number from wikis now.

Viruses and spam ignore MX records

Monday, September 19th, 2005

Viruses and spammers will quite often ignore MX records.

The reasoning is that virus and spam checking usually happens only at the point where the network meets the outside world, i.e. on the frontline mail server that the MX record points to.

But when there are two or more e-mail servers, and only the frontline server has virus and spam checking, then the users on the network are unprotected if the bad guys figure out how to access a machine that isn’t supposed to receive mail from the outside world.

I don’t know how they do it. I mean, some companies bleed that information via DNS records. But what if they don’t? Hmmm… If any of you know how they do it, please share.

I’ve heard it said that you should have virus checking on your secondary server as well as the primary.

Or… firewall off port 25 on your POP3 server, leaving the bad guys the choice between NOT spamming you, or spamming the protected server.

twisted

Wiki testing

Sunday, September 18th, 2005

I got a tip about a wiki spammer:
69.31.131.178

So far I’ve only seen wiki vandalism. And some is very subtle, i.e. it isn’t visible. But some wiki users have complained that he’s deleted content off pages.

I see lots of instances of experimenting. He’s adding Disney links that turn out to be completely invisible. But they’re easy to find on Google, as you can see. The game may be to see which wiki moderators are sleeping on the job - not checking diffs.

But his changes are certainly excessive. Here’s an example of user contributions to one wiki.

The IP number loads a website belonging to 24-7-solutions.net.

One of the techs is apparently Russian. First name Sergey. Oh, and they have a Russian language version of their site. Just search for the ICQ numbers, and you’ll find it.

Splogs out of control

Sunday, September 18th, 2005

I thought I’d check if my RSS feed on nativecelebs had been added to Google Blog Search. So I did a test drive. What do I find? The search is topped by a number of splogs mentioning nativecelebs! OK, so there are a few legitimate blogs: Spamhuntress, nativeunity and one of my abandoned ones (nativepr).

Examples:

Somebody please flag those?

Nuisance spamming

Saturday, September 17th, 2005

I checked my own moderated comments, and it looks like the spammers are now spamvertizing MANY different blog posts. Always three addresses, and each new comment has a new set of addresses.

————

Remember my Pollution spamrun story?

I got an e-mail from Marco, who was on the receiving end of another spamrun. He was wondering if it was payback for him being involved in the anti-spam community, including writing anti-spam software.

What I found was that the spamrun was very similar to the spamrun that targeted Cosmicbuddha along with other sites. I’m guessing it’s the same outfit.

What’s the point? Maybe the spammers are afraid we’ll use automated tools for collecting spam and banning sites. Are they trying to muddy the waters?

——-

Update
I’ve found some earlier samples of this outfit’s spamming. One was on a rude website, so no link.

But you can search for these nonexistent domains:
dontevercallmyname2.com
dontevercallmyname3.org

Names that are used over and over:
Alexander Kolt
Peter Back
Nicolas Trumen
John Reed

I did find some spammy sites that MIGHT be associated with the spammer.
IP numbers around 69.90.xx.xx

Affiliate ID on one casino: itciia

Lots of intricate javascript on the pages.

The whois info on one domain points to Atlantida Marketing.

Remember that I’m speculating here. I don’t have proof that Atlantida Marketing is the spammer doing the nuisance spamming!