Archive for October, 2005

Blogroll spamming

Wednesday, October 5th, 2005

Michael Bates hunted down another form of spamming.

Basically, it targets blogs that appear on many blogrolls but have since been deleted, typically on large services that allow old names to be re-registered by someone else.

A spammer registers the old name, which still has lots of incoming blogroll links, posts something on that blog, and then sends lots of comment spam…

Michael has the story.

Supremely stupid

Wednesday, October 5th, 2005

I don’t often accuse people of being stupid. It’s not exactly conducive to a good dialogue.

But this time I’m wondering…

A comment spammer goes about his task, probably doing a Google search to fetch prospects for his spam run. Then apparently doesn’t check the names of the blogs. Probably too many, eh?

So he proceeds to comment spam a blog called spamhuntress - about 137 times in about two days… (October 4-5)

Details:

IP number:
71.57.133.162
c-71-57-133-162.hsd1.fl.comcast.net

I didn’t portscan the machine, but it doesn’t seem to have a standard webserver, so chances are this MIGHT be a home or office connection. It does answer ping, which is unusual (for a regular desktop machine).

User agent, switching between:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; iOpus-I-M; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

He’d been at it for a while when he started spamming my blog. He was spamming forums September 25-29.

I’m not the first blogger to mention him either.

On my blog he spamvertized:

And these on the forums:


Update:

I was in a hurry, and didn’t trace him every which way, like I usually do. So I get to do it now instead. So far I’ve found these variations on whois info:


I started looking up one of the e-mail addresses, and found a story of a blogger retaliating, and the spammer retaliating back. And another blogger got in on it too.

I got a hit on another e-mail address. This might be his real location, which is consistent with the legitimate-looking whois info above.

Splog fighting ideas for Google

Sunday, October 2nd, 2005

Via Joe’s blog, I found a list of ideas for Google and blog service providers, in order to combat splogs:

Fighting splog’s recommendations for Google.

Blocking senders with cpanel

Sunday, October 2nd, 2005

Continuing with tricks concerning mail spam.

What if you keep getting spam from the same network, and want it to stop? See the specific story below.

Log in to cpanel
Follow link to E-mail filtering
Click on Add Filter
Choose From in the first drop down box
And the second drop down box is already set to contains
Enter vm-mail.com in the text field
The next line already has Discard entered.
Click on Activate

That should do it…
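To show what the “From contains vm-mail.com” rule above actually matches, here is an added example (not cpanel’s own code) that applies the same substring test to a few constructed messages, alongside a stricter variant that compares only the domain part of the From address. The sample messages are made up for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (raw RFC 2822 text), not real mail from the page.
SAMPLE_MAILS = [
    "From: Offers <news@mail.vm-mail.com>\nSubject: Rates\n\nbody",
    "From: friend@example.org\nSubject: hi\n\nbody",
    # Display name mentions the domain, but the address is elsewhere.
    "From: vm-mail.com support <noreply@example.net>\nSubject: x\n\nbody",
]


def from_contains(raw_message, needle):
    """Mimic the cpanel rule 'From contains <needle>' on one raw message.

    Like the GUI rule, this is a plain case-insensitive substring test over
    the whole From header, so it also matches text in the display name.
    """
    msg = email.message_from_string(raw_message)
    from_header = msg.get("From", "")
    return needle.lower() in from_header.lower()


def from_domain_matches(raw_message, domain):
    """Stricter variant: match only the domain (or a subdomain) of the address."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rpartition("@")[2].lower()
    return addr_domain == domain or addr_domain.endswith("." + domain)


def apply_filter(raw_messages, needle):
    """Return 'discard' or 'keep' per message, as the Discard action would."""
    return ["discard" if from_contains(m, needle) else "keep" for m in raw_messages]
```

Note that both checks look only at the From header; a sender that forges that header is not caught by either rule.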

OK, here’s the story:

Because of a friend’s virus, I got subscribed to a lot of CAN-SPAM compliant spam lists (the so called opt in lists). Most of them had working unsubscription links, and I was able to get off many of the lists.

But I got enough mail from addresses on vm-mail.com to irritate me, and I couldn’t find a way to unsubscribe, even after trying various things (I never confirm that I read their messages until I actually unsubscribe, if I trust them enough to do that).

So I was looking to filter them out. Since they always use the vm-mail domain, that should be possible. Right now I’m waiting to see if my block is effective.

Forged from address

Saturday, October 1st, 2005

I got a cry for help from a fellow Norwegian whose domain had been used as the forged From address in a spam run. Since I’m acquiring more of an interest in e-mail spam these days, for various reasons, I decided to address that scenario.

First of all, if you’re drowning in bounces, chances are you’ve got catch-all set on your domain. You should familiarize yourself with your admin functions, and at least temporarily disable catch-all (unless you’re as anally interested in statistics as I am…). I’ll post how to do that with cpanel, and maybe others will help us post howtos for other admin panels?

Disable catch-all e-mail in cpanel:
Locate and click on Default Address
(cpanel comes with lots of different skins, so I can’t tell you exactly where that link is. Usually along with the other mail controls)
Click on Set Default Address
If you want the mail to silently disappear, write in:
:blackhole:
If you want mail to bounce, write in:
:fail:
Click Change.
My skin also tells me I can route the mail to several addresses, which means I can receive the mail AND bounce it. Interesting…
But before you get this far, you should have set up POP3 mailboxes or forwarders for those addresses you actually use. Otherwise ALL mail will be lost. Most will probably have done this a long time ago, but some still only use catch-all.

OK, once you’ve freed yourself from the avalanche of bounce messages, it’s time to think about the damage:

Most domains will probably be misused this way at one time or another. Both of my oldest domains have been misused at least once. I don’t know if the spammers are even interested in how your mailserver is configured. Probably not. The point is deflecting the bounces to someone else, and making the mail seem more legitimate. So they won’t misuse your domain for a long period of time. Which brings me to the next point:

During the spamrun, some mailservers WILL blacklist your domain name. I’ve seen it happen, so I know it happens. Usually large servers that have automated blocking systems, and enough statistical material to actually make use of that. But as you’ll see from the bounces, the IP numbers are usually from all over the globe, and the HELO or message ID is usually faked (well, on the last such spamrun I had a chance to study in detail the message ID was faked, while the latest virus to make the rounds has a faked HELO).

And don’t sneeze at the number of bounces you could suffer from a forged-From-domain spamrun. If you’ve got catch-all, it could reach many thousands of messages. I’ve got a mailbox with the combined mails from two domains misused in such a way (same time period), as well as other mail not addressed to any existing address. In the course of about 14 days, that mailbox numbers just over 8000 mails! (and the bounces are still coming in).

There’s one thing you can do to distinguish between spammers’ use of the domain and your legitimate users: Sender Policy Framework. I haven’t tested it out. It would require semi-clueful users… Any comments from other geeks on SPF?
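As an added illustration of how SPF lets a receiving server tell your real mail servers from a spammer forging your domain, here is a small evaluator (example code, not from the original post or any SPF library) that checks a connecting IP against a constructed SPF TXT record. It handles only the ip4, ip6 and all mechanisms; a, mx and include would need live DNS lookups. SPF is checked against the envelope sender (MAIL FROM) and HELO, not the visible From header.

```python
import ipaddress

# Constructed sample: the TXT record the forged domain would publish in DNS,
# listing its real outgoing mail servers and rejecting everything else.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for client_ip.

    record: the domain's SPF TXT record text; client_ip: the SMTP client IP.
    Mechanisms are tested left to right and the first match decides.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # mechanisms default to "+" (pass)
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]      # "all" matches every client
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # a, mx, include, exists: skipped here, they require DNS queries
    return "neutral"                       # nothing matched and no "all" term


def evaluate(record, client_ips):
    """Map each connecting IP (e.g. taken from bounces) to its SPF result."""
    return {ip: check_spf(record, ip) for ip in client_ips}
```

A receiver that rejects on “fail” at SMTP time never accepts the forged mail in the first place, so it generates no bounce back to your domain.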

One last issue: Expect more incoming spam as a result of the spamrun. I see spam addressed to the forged addresses now.