Archive for September, 2005

Grab bag

Saturday, September 17th, 2005

I get so many links from various sources, linking to stories I do. Thought I’d link to some other good stories today.

I get my best stories from my referrers. Here’s some stuff

And now another spam hunter has bought a spammed domain out from under another spammer’s nose…

Boakes - MyNiceMailAt.com

I notified Syllable (see this story), and they’ve posted their outrage on their front page:

Syllable joe jobbed

Then there’s bloglines. Get some good stuff there too

Dirk caught a Swede living in Thailand spamming. I did a little hoofing myself, and caught him talking about Sweden on newsgroups. Yep, he’s a Swede alright. I’m ashamed yet another Scandinavian is spamming.

Mike caught a phish for Katrina/Red Cross in his inbox. Be wary, people!

And then there are the regular haunts:

The chongqed people have been talking about Oleg Popov (September 14 entry), the wiki spammer who put up a wiki directory. Halz had his post on the wiki deleted! Good comeback, Halz…

And finally e-mail tips:

Cary had his whole site framed by a… scammer? Yep, framed. As in, the scammer provided the frames (with AdSense on them) and Cary provided the content. Very easy to spot if you’ve got referrer logs, but very hard to do something about unless webhosts play ball. This story had a happy ending, fortunately. Hmmm, he said the guy took down his site. To me it looks more like the site is still there, but the database is gone? Hmmm…

Michael Pollitt had a similar story. This time it was a splogger who used an old article he’d done. Similar to RSS-abusing sploggers, in other words. Being Michael, he went one further and researched the topic of splogs.

Google blogsearch

Friday, September 16th, 2005

I got my first referrer from Google blogsearch.

Maybe I missed the announcement?

Anyway, enjoy:

http://blogsearch.google.com/

And yes, Joe, I forgot to hyperlink it…

URL within URL

Friday, September 16th, 2005

Got some comment spam on spamhuntress.

At first it looked like spam for syllable.org. But I realized there was something that looked a bit like a redirect inside the URL. After running it through a decoder, it turned out there was a lot of code inside the URL: effectively several URLs within the URL. The links won’t redirect to the spammy site, so getting direct clicks isn’t the object.

Each comment had a different patsy link, with trailing spam links.

And when you click on the link, you end up on a page at a respectable site that is entitled Texas Holdem or some such. A slur on the site in question, I would say.

And the spammy content was on emistry.com

In fact, they have a partial explanation on emistry.com/Online_poker/. They call it an ongoing experiment. Probably wanting to find out if Googlebot et al. will read the URLs within URLs as backlinks? And also fooling people into thinking respectable sites spammed them?
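A decoder for the trick described above, as an added example (not the decoder the post used, nor anything from emistry.com): it percent-decodes each path segment and query value repeatedly, pulls out any URLs it finds, and recurses into those. The respectable.example / emistry.example / spam-a.example link is constructed to mimic the pattern of a patsy link carrying encoded spam links.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample: a patsy link on a respectable-looking host whose query
# value carries a percent-encoded URL, which in turn carries a double-encoded one.
SAMPLE = ("http://respectable.example/go?to="
          "http%3A%2F%2Femistry.example%2FOnline_poker%2F%3Fnext%3D"
          "http%253A%252F%252Fspam-a.example%252F")

# A URL runs until whitespace/quotes but stops where the next scheme begins,
# so back-to-back embedded URLs are split instead of swallowed as one match.
URL_RE = re.compile(r"https?://(?:(?!https?://)[^\s\"'<>])+", re.IGNORECASE)

def decode_fully(value, max_rounds=5):
    """Percent-decode until the text stops changing (bounded: spammers nest encodings)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def embedded_urls(url, max_depth=4):
    """Return, in discovery order, every URL hidden in the path or query values of
    `url`, then recursively inside each of those, down to `max_depth` levels."""
    seen = []
    queue = [(url, 0)]
    while queue:
        current, depth = queue.pop(0)
        if depth >= max_depth:
            continue
        parts = urlsplit(current)
        blobs = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        for blob in blobs:
            for hit in URL_RE.findall(decode_fully(blob)):
                # Drop a dangling "?param=" left behind when the next URL was split off.
                hit = re.sub(r"[?&][\w.-]*=$", "", hit)
                if hit not in seen:
                    seen.append(hit)
                    queue.append((hit, depth + 1))
    return seen

def hidden_hosts(url):
    """Hostnames actually being spamvertized behind the patsy link."""
    return sorted({urlsplit(u).netloc for u in embedded_urls(url)})

if __name__ == "__main__":
    for u in embedded_urls(SAMPLE):
        print(u)
    print("hosts:", hidden_hosts(SAMPLE))
```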

Anyway, the spam is entered through many IP numbers, and many user agents. Including anonymizer.com.

emistry.com
84.204.54.116
84.204.54.116.colo.piter.peterhost.ru

NA
NA NA (kipp.rexroat@gmail.com)
+1.10938661164
Fax: +1.5555555555
NA
null
Na, NONE 19857
PG

The only payoff I’ve found so far is Adsense:
pub-7003516765187668
And considering the amount of fun and games on that site, I wouldn’t trust that to even be the spammer’s Adsense code. Maybe Google could find out?

Has anyone else dug deeper than I did?

Update
The emistry spammer appears to be a regular reader of spamhuntress, at least since April.

83.102.193.130

I first caught him searching for emistry and spam on Russian Google. I then looked at the IP number. Someone using that IP number has been reading my blog for some time, usually pulling in the feed. There might be more than one person on that IP number (home network?), or it may be a local proxy, because I saw several user agents:

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.9) Gecko/20050722 Firefox/1.0.5
Mozilla/5.0 (compatible; Konqueror/3.4; Linux 2.6.13-rc6; X11; i686; en_US) KHTML/3.4.1 (like Gecko)
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050805 Firefox/1.0.6

They’ve all been present for some time though, except for the last one (upgraded Linux, would be my guess). I didn’t see the Linux machine(s) until recently.

And yes, I verified independently that it’s the spammer. That IP number spammed guestbooks, without the URL within URL trick. In fact, I accessed one guestbook and was redirected to his emistry human-created page. He’d used JavaScript, the way spammers usually do to redirect human users from their landing pages.

And I found other domains spamvertized by that IP number:
medicine-mall.net

Spyware on my machine

Saturday, September 10th, 2005

I came upon an ad. I don’t know where I “picked it up”. But I thought it was cute enough that I wanted to show it to you. It presumed to know something about my computer that it couldn’t possibly know:

[image: spyblocs_terry]

My apologies if the image gets shrunk. Just click on the image to view it at full size.

The point is that most of these ads will load a spyware scanner that gives fraudulent results. The scan may be free, but the cure isn’t. There ARE so-called spyware scanners that are fronts for actual spyware as well.

NEVER run spyware scanners that you know nothing about. ONLY run spyware scanners that are considered the real deal. Examples are “Spybot Search And Destroy” and “Adaware”.

Check Spywareblog for more about spyware.

203.116.214.2 spammer

Saturday, September 10th, 2005

I upgraded annelisabeth.com to MT 3.2 yesterday. In the process, I didn’t transfer the .htaccess over, so my blocks have been off for half a day.

I did wonder why I suddenly got so many trackbacks. One of the spammers is someone I hadn’t seen before.

Spambot:
203.116.214.2

This is an IIS server from Singapore. I obviously don’t know if it’s compromised or leased.

User agent:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

IP numbers:
69.50.175.93
69.50.175.94
80.77.82.193
80.77.88.232

I’m in the middle of tracing, so I expect there are more IP numbers.

The whois info on the domains on his servers is fake. He goes by several names; not sure it’s even worth including. The sites he has on those domains look legit, but at the bottom he includes some dyndns subdomain sites with filthy names. So the domains are there just to give links to the subdomain pages.

The subdomain pages generally load a JavaScript file named in.js. It redirects to another page that opens popup hell: porn popups.

The spammer seems experienced on some fronts, and like a noob on others. My guess is it’s a new spammer.

And be careful. There are reports of malware from one of the domains.

Dynamic IP ban of ESThost

Monday, September 5th, 2005

I would advise anyone running dynamic IP services to ban the entire IP block assigned to ESThost from Atrivo/Intercage:

69.50.160.0 - 69.50.191.255

At the very least, ban anyone from pointing subdomains at any IP number in that range from now on.

There’s very little legitimate content on dyndns subdomains from that IP range. Maybe none. It’s possible some sites haven’t been spamvertized, or were spamvertized so long ago it’s fallen out of Google. It’s also possible some were not spamvertized but have links from other sites that have been. Either way, the content is bound to be spammy, i.e. porn, pills, gambling, search.

Any subdomain provider who’s willing to do this will have significantly fewer spammy subdomains. It’s not going to stop spam, but it will at least hurt the spammers’ bottom line, for a while.

Atrivo on ESThost

Sunday, September 4th, 2005

Russell from Atrivo is talking about the spam situation on Atrivo on NANAB. And he addresses the ESThost problem.

Unfortunately, ESThost won’t be cut by Atrivo. Here’s what Russell says:

If I had the ability… I would cut Esthost as a client… But, in doing so, it causes nearly a quarter if not half of the company’s monthly revenue to be cut. That is not too good of a move nor reasonably possible ;)

So I suggest blackholing the whole of ESThost at major internet joints. That would really help!

Searching ARIN for the IP block of esthost.com returns this:
69.50.160.0 - 69.50.191.255

I suggest all serious DNS providers and dyndns providers block that IP block, so that it’s impossible to point your services at it.
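The block ban suggested here and in the “Dynamic IP ban of ESThost” post above, as an added Python example (not from the posts or from any dyndns provider): it converts the ARIN “start - end” range into CIDR, refuses new updates that point into it, and audits existing records. The hostnames and the 198.51.100.7 / 69.50.192.1 records are constructed; the two 69.50.175.x addresses are the ones quoted in the 203.116.214.2 post, which fall inside the ESThost block.

```python
import ipaddress

# The ESThost block as quoted from ARIN in the posts, in "start - end" form.
BANNED_RANGES = ["69.50.160.0 - 69.50.191.255"]

def range_to_networks(spec):
    """Turn 'first - last' into the minimal list of CIDR networks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    return list(ipaddress.summarize_address_range(first, last))

BANNED_NETWORKS = [net for spec in BANNED_RANGES for net in range_to_networks(spec)]

def banned_network_for(ip):
    """Return the banned network containing `ip`, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in BANNED_NETWORKS if addr in net), None)

def validate_update(hostname, target_ip):
    """Decide whether a request to point `hostname` at `target_ip` may proceed.
    Returns (accepted, reason) so the caller can log the refusal."""
    net = banned_network_for(target_ip)
    if net is not None:
        return False, f"{hostname} -> {target_ip} refused: inside banned block {net}"
    return True, f"{hostname} -> {target_ip} accepted"

def audit_records(records):
    """Existing (hostname, ip) records already pointing into a banned block."""
    flagged = []
    for hostname, ip in records:
        net = banned_network_for(ip)
        if net is not None:
            flagged.append((hostname, ip, str(net)))
    return flagged

# Constructed records with hypothetical hostnames. The first two IPs are the
# ones quoted in the 203.116.214.2 post; the other two are boundary/benign cases.
SAMPLE_RECORDS = [
    ("pillz.dyn.example", "69.50.175.93"),
    ("casino.dyn.example", "69.50.175.94"),
    ("outside-by-one.dyn.example", "69.50.192.1"),
    ("ok.dyn.example", "198.51.100.7"),
]

if __name__ == "__main__":
    print(validate_update("new.dyn.example", "69.50.191.255"))
    for row in audit_records(SAMPLE_RECORDS):
        print(row)
```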

Spews and registrars

Sunday, September 4th, 2005

I found an interesting document at DNS Made Easy. It’s essentially a rant about Spews.

I don’t agree with everything they say. But they have a very interesting point. It’s something we as spam hunters should take more seriously. More pressure needs to be applied.

Neither Spews nor anyone else is going after registrars as spam supporters, and the sad fact is that they often are. Think about Moniker forwarding complaints to the spammer instead of terminating domains. That’s spam support, plain and simple.

Anyway, the point DME is making is that when a spammer gets caught (for e-mail spam), every service except the registrar gets grief for it: blacklistings etc. Apparently DME has been on the receiving end of quite a few blacklistings.

And that is fine if the provider is a spam supporter. But DME’s main point is that the only thing they control is whether their DNS servers serve the domains. They can (and say they will) terminate service to spamvertized domains. BUT they are unable to remove their DNS servers from the whois records of the spamvertized domains, because that can only be done by the domain owner or the registrar. So the domains are quite often stuck pointing at DNS servers that won’t resolve them. Yet Spews will punish DME for something they are unable to control, and Spews won’t go after the registrar.

For us, as spamfighters, the point isn’t Spews or DME. The point is that most registrars are spam supporters. What can we do about that? Most of us have at one time or another rammed our heads into that collective wall, to no avail. I think I’ve gotten fewer than 5 domains terminated in total, and that’s not for lack of trying! ESTdomains (ESThost’s registrar) actually terminated some domains. GoDaddy was TOTALLY insensitive. And I thought GoDaddy was one of the good guys? Shakes head…

What we need is some way to compel the registrars to actually terminate spammers’ domains.

I don’t know how, but somehow, something needs to be done. I’m thinking legislation or political pressure?

Intergaming

Saturday, September 3rd, 2005

Got a new spammer in my little blog honeypot at annelisabeth.com.

Spambot:
69.30.208.61

Domains:
blackjack4u.com
texasholdempokernet.com
roulettefinder.com
crapsadvice.com
slots-guide.com

Webhost IP numbers:
69.30.208.62
69.30.208.63
69.30.208.66

Whois:

Administrative Contact:
Duncan, R dns@intergaming.ltd.uk
Intergaming Ltd.
5 Jupiter House
Calleva Park
Reading, Berks RG7 8NN
United Kingdom
0870910050 Fax —

Pollution spamrun

Saturday, September 3rd, 2005

Update September 4:
The spammer is still at it. I’m getting brand new comments today.

————-

I got a slew of comments spamvertizing a post from Cosmicbuddha along with two other blog posts.

I checked it out with Sam Spade, and caught this sentence:

NOTE FROM SITE OWNER: It has come to my attention that the link to this page has recently been included in several blog spams. I am in no way related to the spammer and have no idea why he is including my link in his spam. I do apologize for any inconvenience it has caused you. For background info on this situation, please see the comments to this post, below.

I noticed that the commenters hadn’t figured out who the spammer was, so I thought I’d mine my log for any hints of who he is.

He’s using different user agents:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.78 (TuringOS; Turing Machine; 0.0) - this happens when he’s using anonymizer.com
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1)

The IP numbers are all over the place: typical open proxies.

The commenters have already speculated on why:

Polluting automatic blacklists
Make automatic blacklisting bots unusable
Use for seeding blogs. Wherever the links stay, the blog is not well moderated
Personal attacks
Google bowling - drowning out specific search terms so previously ranking sites no longer rank.

I did find previous spams with similar wording and anchor text, for different domains, including pcmcourseware.com and drneils.com.au. The question is whether the spammer was working for or against those sites. Not sure. They’re not too spammy-looking, though.

fish4less.net was also spamvertized. It does look spammy, but they’ve also used Google AdWords extensively.

I don’t know. Any ideas?