Archive for October, 2005

Linkspammer migration

Sunday, October 16th, 2005

I’ve got a regular wikispammer, who likes spamming his own profile page.

I traced his latest spam URL to
69.50.188.132

Just check the history tab for the constant ballet of spammer edits and spamhunter reverts.

It’s part of the Intercage IP block. I also found nameservers belonging to ESThost in that range:
69.50.188.130
69.50.188.131

I don’t know? Maybe there’s a migration happening? I haven’t seen dyndns spam domains in that range in the past. I’ve copied both Intercage and ESThost on the abuse mail. Update: The user account seems to have been suspended.

And about the IP address he was spamming from. It was on a SOCKS proxy list a while ago, as having a proxy port of 8790. It’s a small list, and most of the machines on it have high-numbered proxy ports. And many of them do not appear to be webservers. So I’m wondering if maybe they are compromised in some way? I also found that particular IP address on a spam list that appears to be tallying spam mail received (the site is in German, and I didn’t read the whole thing).

BTW, I guess you guys are tired of my sudden obsession with mail spam, eh?

Mail spam run

Friday, October 14th, 2005

Update October 15:

Even newer: I sent a complaint about the bots to Linford at Spamhaus. His team had already detected the same bots (I was told they normally toss submissions, though). Here are the listings:

69.31.76.134/32
70.86.174.58/32
70.86.175.202/32
70.86.175.162/32
69.67.65.18/32
69.67.65.14/32
69.67.65.12/32
67.159.22.0/24 (there’s even a comment: Dirty block: FDC needs to step up and deal with abusers)

I got that list off the SBL Latest Listings. I’ve been obsessively monitoring it today… What’s also interesting is that one IP block is linked to a ROKSO spammer named Michael Lindsay.

Judging from data I found today, it looks as though the FDCserver IP numbers were from a company running an IRC net, the blazin-irc.net. They own the C-block those IP numbers were coming from (according to rwhois at fdcservers, that spamhaus found). But something’s fishy. The pages don’t appear to have been updated in quite a while, and there are few links to it. When Searchirc last indexed it, there were 282 users in 10 channels. Certainly not enough to warrant a whole C-block? 67.159.22.0/24.

OK, I heard back from the owner of the IRC servers. He at one time had the whole C-block, but right now has the following:
67.159.22.2 - 67.159.22.84
67.159.22.198 - 67.159.22.224
67.159.23.x
In other words, he does not control the IP numbers involved in the spamming.
FDC then reassigned the IP numbers to another customer, but hasn’t updated the rwhois.

—————

I came up close and personal to a netstat during a spamrun misusing a webserver. And no, I won’t tell you any details about that server (where it is, who owns it), other than that it was a windows2000 server, and not exactly patched at that moment in time (no, I didn’t set it up, nor maintain it!).

I saw several port numbers used by the bad guys:

22413
1029
and finally, a LOT of action on port
17349

Update: I found trojans on the machine that could allow the bad guys to connect to any port. So those may not be ports that need to be closed in particular.

And the bad guys were:

67.159.22.187 (fdcservers.net - repeat offenders, and Spamhaus record)
67.159.22.188 (and look at the rwhois record for this C-block)
67.159.22.189 (oh, brand new Spamhaus block. Maybe from my complaint?)
67.159.22.191
67.159.22.192
67.159.22.193
67.159.22.194
67.159.22.195
67.159.22.196
69.31.76.134 (already nulled)
69.67.65.12 (new Spamhaus listing today)
69.67.65.14
69.67.65.18
69.50.160.178 (already nulled)
69.50.160.179 (already nulled)
69.50.160.180 (already nulled)
70.86.175.162
70.86.175.202
70.86.174.58
204.11.98.2

What’s interesting, is that (possibly due to my interactions with Russell before. When does that guy sleep anyway?), Intercage were the most responsive. I didn’t even get a response from The Planet, nor any of the others.

OK, what happened was, the bad guys were connecting to the server, and the server was sending spam out every which way. Disabling the SMTP service wasn’t easy. It was so busy it wasn’t stoppable. But setting it to be disabled on startup, and then restarting the server fixed it. After that, it no longer used “our” mail servers to send out spam. But it sent directly to end users through the web server, until we got that last port number blocked in our firewall.
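The netstat view described above is easier to read when summarised by local port and by peer. The following is an added example, not code from the original post: it parses a constructed sample of Windows-style `netstat -an` output, groups established TCP sessions by the port on the server they terminate on, flags ports nothing on the box is supposed to serve (the set of expected ports is an assumption), and cross-checks peers against the addresses listed in the post. 192.0.2.10, 198.51.100.7 and 203.0.113.9 are placeholder addresses; the other remote addresses are the ones named above.

```python
import re
from collections import Counter

# Constructed sample of "netstat -an" output as seen on Windows 2000.
# 192.0.2.10 is a placeholder for the misused server; 198.51.100.7 and
# 203.0.113.9 are placeholders for legitimate clients; the other remote
# addresses are the ones listed in the post.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:25          203.0.113.9:1234       ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:51002     ESTABLISHED
  TCP    192.0.2.10:17349       67.159.22.187:3342     ESTABLISHED
  TCP    192.0.2.10:17349       67.159.22.188:3351     ESTABLISHED
  TCP    192.0.2.10:17349       67.159.22.189:3360     ESTABLISHED
  TCP    192.0.2.10:17349       70.86.175.162:3370     ESTABLISHED
  TCP    192.0.2.10:17349       204.11.98.2:3380       TIME_WAIT
  TCP    192.0.2.10:22413       69.67.65.12:4011       ESTABLISHED
  TCP    192.0.2.10:1029        69.67.65.14:4020       ESTABLISHED
  UDP    192.0.2.10:137         *:*
"""

# Ports this server is supposed to serve on (assumption: mail and web only).
EXPECTED_LOCAL_PORTS = {25, 80, 443}

# Remote addresses the post names as the spam sources (a subset).
KNOWN_BAD = {
    "67.159.22.187", "67.159.22.188", "67.159.22.189",
    "69.67.65.12", "69.67.65.14", "70.86.175.162", "204.11.98.2",
}

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text):
    """Parse TCP/UDP rows from netstat output; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto, "local": laddr, "lport": int(lport),
            "remote": raddr, "rport": rport, "state": state or "",
        })
    return rows


def summarise(rows):
    """Group established TCP sessions by local port and by remote peer."""
    est = [r for r in rows if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"]
    by_lport = Counter(r["lport"] for r in est)
    by_peer = Counter(r["remote"] for r in est)
    return {
        "by_lport": by_lport,
        "by_peer": by_peer,
        # Local ports with live sessions that nothing on this box should serve.
        "unexpected_ports": sorted(p for p in by_lport if p not in EXPECTED_LOCAL_PORTS),
        # Peers that already appear on the published offender list.
        "known_bad_peers": sorted(p for p in by_peer if p in KNOWN_BAD),
    }


def report(text):
    """Human-readable summary, ordered by busiest local port."""
    s = summarise(parse_netstat(text))
    lines = []
    for port, n in s["by_lport"].most_common():
        tag = "" if port in EXPECTED_LOCAL_PORTS else "  <- not a service we run"
        lines.append(f"local port {port:>5}: {n} established{tag}")
    for peer in s["known_bad_peers"]:
        lines.append(f"known offender connected: {peer}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(NETSTAT_SAMPLE))
```

The "not a service we run" tag is the useful signal: a busy port that is not in the expected set is either a listener someone else installed or, as the update above notes, a trojan that can be told to listen anywhere, so the firewall rule is a stopgap and the box itself needs cleaning.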

The first warning you get, unless you have proper monitoring in place, would be when users call you to complain that their mails haven’t reached the recipients. There’s a queue in the mailserver because of all the mail. The queue can jump from, say, 100 or fewer in the queue to around 5000 in a short while.

Don’t forget to remove as much spam from the queue and retry queue of your mail servers as well.

I’d appreciate heads up about the particular hole they crawled through. And some feedback from other server admins. And some action from the webhosts!!!!

Cutting down botnet efficiency

Monday, October 10th, 2005

After writing the previous post, I got to thinking about ways to cut down on the number of zombies. Here’s what I came up with:

If some biggie could organize a blacklist that could be used by as many ISPs as possible, then we could firewall the addresses to the places where the botnets are controlled. If some big players were in on this, it would SERIOUSLY hamper the botnets’ efficiency, if the blacklist is updated frequently enough. Bigger companies with their own networks would probably like this as well (Google, anyone?)

Please let me know if this gets off the ground! And I’d love the credit for the idea, of course.

Update October 15: Users want ISPs to filter spyware. Related topic.

The anatomy of a botnet

Monday, October 10th, 2005

I’ve been looking up botnet information today. After chasing the invisible wiki spammer around for a while, I realized he’d been using a botnet at least since September 20, possibly longer.

I’m interested in logging infected computers, and finally found an article that was a bit more meaty than most:

SANS: Mitglieder hell

He’s absolutely right in that certain URLs should be null routed on your network - especially if you’re an ISP or a large company.

Give Granny a Linux system

Monday, October 10th, 2005

Some of you remember how an 82 year old friend got a virus and sent out lots of e-mail in my name and address. It still rankles me, and I’ve been thinking a lot about it. I see so many compromised machines doing so much mischief, and their owners are clueless about how to stop it.

Soo….

How about you give Granny a Linux system?

With a Linux system, she’ll be spared the typical Microsoft vulnerabilities. Less chance of being infected!

Of course, it may not be your grandmother. It could be your father, mother, grandfather, uncle, sister, the neighbor next door.

But for those users who are less likely to use bleeding edge technology, chances are a user-friendly Linux system would run on their (maybe aging) computer. If all Granny needs is Mozilla/Firefox (instead of Internet Explorer), Thunderbird (instead of Outlook Express) and Open Office (instead of Microsoft Office - yes, Word looks almost completely the same as the Open Office version, and documents are compatible), then she could use one of those Linux distributions geared towards less clueful users.

Examples are:
*Skolelinux. Install as standalone. It works on ancient computers! (the network card on my current test system didn’t seem to like it - update: I had two network cards, and didn’t notice the first one, that’s why I had troubles. But an older machine liked it just fine - on just 64 megabyte RAM!). I’ve also seen other Debian based systems on meager machines (think 500 to 600 MHz processors).
*Ubuntu. Won’t run on systems with under 256 megabyte RAM, and will run sluggishly on older systems.
*Mepis. The current darling. Also prefers 256 megabyte RAM, but will run on older systems. Especially SimplyMepis.

Those distributions are complete systems, with stuff built in from the get go. And install is user-friendly, especially for Linux. Well, barring hardware conflicts. But try another distribution if it bombs. Knoppix doesn’t run on my test system. Seems to be the graphics card…

I did install Ubuntu on a 400 MHz 256 RAM system that I loaned to a friend…

———

Update: I couldn’t get the network card to work with many distros on my test system. Only Damn Small Linux worked out of the box (but with appalling colors. Looked like about 16 or 256 colors?). In SimplyMepis I had easy access to the network settings, and decided to try eth1. Turns out I had two network cards, but had only noticed eth1…. I ended up connecting the cable to eth0, and no more problems, though I initially toyed with setting up eth1 instead. I never found a GUI for network configuration in Skolelinux, though it’s easy enough to set up using command line. I just never thought to try eth1 in there. Still, SimplyMepis is easier for those coming from Windows.

Invisible wiki spammer hits again

Sunday, October 9th, 2005

My “other” wiki got a visit from our invisible wiki spammer. He uses tags that make his spam invisible on Mediawiki. And then he adds one or more edits afterwards, often just adding a few blank lines. Sometimes he removes the content of the pages.

I don’t know if the page he spammed is someone else’s page (i.e. he’s still experimenting), or if this is an actual spam. The spammed pages are identical in syntax to the Disney spam before, and go to the coolhost.biz domain. It’s on a zedo domain parking system.

Mediawiki owners, add that domain to your blacklist, or you may have to clean up after this spammer.
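For wiki owners who want to catch this pattern before cleaning up by hand, here is an added example (not code from the original post) that scores a single edit: it looks at the lines the revision added for markup that hides rendered text, for links into the blocklisted domain, and for the two follow-up behaviours described above, a blank-line-only edit and a page blanking. The post does not say which tags the spammer used, so the hidden-content patterns are an assumption covering the usual HTML/CSS ways of making text invisible; the wikitext samples are constructed.

```python
import re

# Domain the post names; subdomains are matched too.
BLOCKLISTED_DOMAINS = {"coolhost.biz"}

# Markup that keeps text out of the rendered page. Which tags the spammer
# actually used is not stated in the post; these are the usual suspects.
HIDDEN_PATTERNS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(?![\d.])", re.I),   # zero-size text
    re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I),  # pushed far off-screen
]
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed sample revisions.
CLEAN = "== Welcome ==\nThis is the main page of the wiki.\n"
SPAMMED = CLEAN + '<div style="display:none">cheap disney tickets http://www.coolhost.biz/disney</div>\n'


def added_text(old_text, new_text):
    """Lines present in the new revision but not in the old one."""
    old_lines = set(old_text.splitlines())
    return "\n".join(l for l in new_text.splitlines() if l not in old_lines)


def blocklisted_hosts(text):
    """Hosts linked from text that are, or sit under, a blocklisted domain."""
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    return sorted(h for h in hosts
                  if any(h == d or h.endswith("." + d) for d in BLOCKLISTED_DOMAINS))


def classify_edit(old_text, new_text):
    """Return the reasons an edit looks like this spammer's work ([] = clean)."""
    reasons = []
    if old_text.strip() and not new_text.strip():
        reasons.append("page blanked")
        return reasons
    added = added_text(old_text, new_text)
    if any(p.search(added) for p in HIDDEN_PATTERNS):
        reasons.append("hidden-content markup added")
    for host in blocklisted_hosts(added):
        reasons.append(f"link to blocklisted domain: {host}")
    if new_text != old_text and not added.strip():
        reasons.append("whitespace-only edit (follow-up pattern)")
    return reasons


if __name__ == "__main__":
    print(classify_edit(CLEAN, SPAMMED))
    print(classify_edit(SPAMMED, SPAMMED + "\n\n"))
    print(classify_edit(SPAMMED, ""))
```

MediaWiki itself has a `$wgSpamRegex` setting in LocalSettings.php that rejects any save whose text matches a regular expression; a pattern such as `/coolhost\.biz/i` does the domain check server-side, while the hidden-markup and blanking checks above are the kind of thing to run over recent changes to find edits that slipped through.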

These IP addresses were involved:

24.148.43.54
64.168.100.7
66.61.58.31
66.188.130.109
67.80.191.127
67.160.229.235
67.170.199.253
68.5.163.13
68.23.184.40
68.23.189.107
68.75.169.94
68.198.157.71
68.205.11.49
68.221.109.36
69.112.249.223
69.146.19.127
69.211.99.233
69.253.243.193
70.250.194.196
71.130.59.182
71.192.177.5
72.224.16.4
83.17.52.210
83.83.122.12
216.165.247.195

These IP numbers appear to be regular home computers? They might be part of a botnet.

I found another user of these numbers:
66.188.130.109
67.80.191.127
216.165.247.195

He uses a subdomain on lamer.la (it’s been nulled), and one on ehttp.cc. Those COULD be two different spammers. Doing guestbook spam.

I checked my logs, and noticed that the referrers were faked. Most were from my own site, but I caught a few others. One looked like this:
“developers.feedster.com”

User agent was a pretty standard:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
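The log check described above can be automated for the one case that is unambiguous: a MediaWiki save (`action=submit`) is always posted from the wiki's own edit form, so a save whose referrer names some other host, or no host, did not come from a browser on the site. Referrers faked to look like the site itself pass this test, which is why the address list is still needed. The following is an added example, not code from the original post: it parses constructed Apache combined-format lines (the wiki host `wiki.example` is a placeholder, since the post does not name it; 198.51.100.23 stands in for a legitimate editor; the client addresses and the feedster referrer are the ones quoted above) and reports saves that break the referrer rule or come from a listed address.

```python
import re
from collections import Counter

# Hostnames of the wiki itself (assumption: the post does not name the host).
OWN_HOSTS = {"wiki.example", "www.wiki.example"}

# Addresses the post lists for this spammer (subset).
KNOWN_BOTS = {"66.188.130.109", "67.80.191.127", "216.165.247.195"}

# MediaWiki saves an edit through index.php?...&action=submit
EDIT_SUBMIT_RE = re.compile(r"/index\.php\?.*\baction=submit\b")

# Constructed Apache combined-format lines. 198.51.100.23 is a placeholder
# for a legitimate editor; the feedster referrer is the one quoted in the post.
LOG_SAMPLE = """\
66.188.130.109 - - [09/Oct/2005:03:12:44 +0200] "POST /index.php?title=Main_Page&action=submit HTTP/1.1" 302 0 "http://developers.feedster.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
67.80.191.127 - - [09/Oct/2005:03:12:50 +0200] "POST /index.php?title=Main_Page&action=submit HTTP/1.1" 302 0 "http://wiki.example/index.php?title=Main_Page&action=edit" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.165.247.195 - - [09/Oct/2005:03:13:01 +0200] "POST /index.php?title=Main_Page&action=submit HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [09/Oct/2005:09:01:02 +0200] "POST /index.php?title=Sandbox&action=submit HTTP/1.1" 302 0 "http://wiki.example/index.php?title=Sandbox&action=edit" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
198.51.100.23 - - [09/Oct/2005:09:01:05 +0200] "GET /index.php?title=Sandbox HTTP/1.1" 200 4211 "http://wiki.example/index.php?title=Sandbox&action=edit" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines; lines that do not fit are dropped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def referer_host(referer):
    """Lower-cased host of an http(s) referrer, or "" when absent ("-")."""
    m = re.match(r"https?://([^/:]+)", referer or "", re.I)
    return m.group(1).lower() if m else ""


def suspicious_edits(rows, known_bots=KNOWN_BOTS):
    """(ip, reason) for each save that did not come from our own edit form
    or that originates from a listed address."""
    findings = []
    for r in rows:
        if r["method"] != "POST" or not EDIT_SUBMIT_RE.search(r["path"]):
            continue
        host = referer_host(r["referer"])
        if not host:
            findings.append((r["ip"], "edit saved without a referrer"))
        elif host not in OWN_HOSTS:
            findings.append((r["ip"], f"edit saved with foreign referrer: {host}"))
        if r["ip"] in known_bots:
            findings.append((r["ip"], "source address is on the botnet list"))
    return findings


def user_agents(rows):
    """How many requests each User-Agent string made."""
    return Counter(r["ua"] for r in rows)


if __name__ == "__main__":
    rows = parse_log(LOG_SAMPLE)
    for ip, reason in suspicious_edits(rows):
        print(ip, reason)
    print(user_agents(rows).most_common(1))
```

The user-agent tally is there because a single UA string shared by many unrelated home addresses, as in the list above, is itself a hint that one piece of software is driving all of them; the string alone proves nothing, since it is also the most common real browser of the time.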

Fortunecity ignorant about spam

Saturday, October 8th, 2005

I had a rash of comment spam on annelisabeth from a spammer using subdomains on v3.com’s service. So like any responsible spam hunter, I went in search of an abuse address.

None could be found on their website. There was no way to contact them unless you were a customer, or wanted to contact them for a sales question. And when I broke down and used that sales option (for lack of a better way), the script DOESN’T WORK! It leads to answerhelp.com, and times out.

There IS an abuse form on FortuneCity, but few would go far enough to find it:

http://www.fortunecity.com/contact-abuse.shtml

Wouldn’t you know, it times out too. OK, here’s what I was planning on sending them, verbatim:

There’s no abuse contact anywhere on the v3.com site, and it’s sorely needed, since spammers use lots of subdomains from your service (seeing as v3.com is your service).

Here’s an example:

You need to remove ALL subdomains currently redirecting to URLs starting with:
http://www.searchmeup.com/search.php?aid=34671

Please get back to me on this. I think it’s scandalous that there’s no easy way to report spammer sites.

I got ticked off enough I reported on it:
http://spamhuntress.com/2005/10/08/fortunecity-ignorous-about-spam/

————–

In the post below I was talking about the ESThost spambot. That spammer uses v3.com subdomains, and I’ve asked FortuneCity to deactivate ALL subdomains redirecting to that affiliate URL… Let’s see if they wake up.

Intercage still not taking their medicine

Saturday, October 8th, 2005

Update: I contacted Russell, got a reply from him, and then from ESThost. It appears they’ve found and nuked a spammer that had hidden rather well. If there’s any new spam from 69.50.191.130, please grep your logs, send them and the domain name of your site to ESThost. That particular server is NOT meant to be misused by spammers.

——————-

Russell from Intercage (formerly Atrivo) has been fed up with NANAE recently. He also said privately to me that he’d null spammers I reported to him.

I reported quite a few comment spammers, but so far he’s been ineffective.

The infractions are on ESThost IP space, of course.

I’ve just sent a few reminders to Russell, and I HOPE he’ll finally get something done.

I just found a spambot still sending me spam that I reported to him a long time ago. I reported it to ESThost still longer ago, and they didn’t believe me at the time.

69.50.191.130

The latest spam to be entered from that bot had searchmeup ID: 34671

I would like to see major internet joints block all traffic to and from ESThost’s IP space:
69.50.160.0 - 69.50.191.255

Grab bag

Saturday, October 8th, 2005

I’ve had less time to blog recently, and the spam has multiplied, especially on annelisabeth.com. I suppose it’s been classified as an abandoned blog by now, eh?

Anyway, I wrote a new post there:
What’s on YOUR keychain?
Don’t miss the link to essential USB thumbdrive contents.

And I took some time to sift through the stuff I’ve missed on bloglines. This was a top contender:
Threadwatch: Just say NO to Comment Spamming?
Guys, remember that Threadwatch is historically grey. In that there are both white hats and black hats there, and the discussion reflects that. It’s historically more welcoming to black hats than staunch white hats. Even so, it’s interesting to see what the other side of the street thinks, eh?

This was also interesting:
What’s the best order in the Chaos of Linking? Via Threadwatch’s SEO’s Stick Out Like a Sore Thumb

Ouch! Etanisla explains why she’s got StumbleUpon blocked on her site.

And Joe is pointing out the obvious: Google has a conflict of interest between their domain parking Adsense program, and their efforts to fight spam… And guys, just as a side note, the program will accept services with combined traffic of 750,000 page views per month. That may be across thousands of (unused) domains. Doesn’t make it any better, but I thought I’d point that out.

Eh, I need to get back to reporting sites to Google for spamming…

Got a bite from a spammer

Friday, October 7th, 2005

I wrote about a small time referrer spammer a while ago. This morning I found a comment from said spammer. Same spammer ethics I’ve seen so many times before.

Go give him a piece of your mind:

Swedish spammer