Archive for November, 2005

Omni-explorer still a nuisance

Wednesday, November 30th, 2005

I’ve seen some recent comments about Omni-Explorer, and one just a few days ago in particular said it had downloaded a gig of data off his website!

SiliconBeat

My wiki page on the bot is often referenced (referrers), so I’m kept up to date now and then.

Pills referrer

Tuesday, November 29th, 2005

I got an insistent referrer spammer. And this one was a bit more work to track.

He uses lookscool.com URL redirect addresses. Those are hard to track. Sam Spade won’t cut it. You can load the addresses in your browser, or use a tool which is a bit more invasive: Ethereal.

Bottom line, the addresses redirect to 1-800-pills.com, which then has encrypted links to paysefeed/goclick/enhance.

Domain bought and hosted at ESThost:
69.50.176.254

Whois:
SinteZ Ant Hill
SinteZ (mail@sintez.us)
Ant Hill 1-10
Ant Hill City
,10025
US
Tel. +10.67536487

And the e-mail address isn’t in Google, so I checked the whois on that domain as well:

Registrant Name: Denis Basargin
Registrant Organization: Guard Software, LTD
Registrant Address1: pr. Vernadskogo 17
Registrant City: Moscow
Registrant Postal Code: 326000
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +791.14003377
Registrant Email: densys@onego.ru

Denis is/was interested in Delphi programming, and has released a program for hiding files. He’s 24 years old, and is from Petrozavodsk in Russia. He is or was a CIO for a company.

Considering the whois info for the spamvertized domain is fake, and the trail leads to him, Denis has an explaining problem.

Clueless comment spammer

Monday, November 28th, 2005

I got a comment today that seemed unusually clueless. I’m sure many bloggers would think it WAS a clueless comment, and approve it. I waited for the other shoe to drop. And it did. From another IP number, and with another link in the URL field, another clueless comment was left on the same post. And what do you know, the websites ping the same IP number…

So, here are the clueless comments:

1) Hi! I can not load the image on server in any way.
2) Help, I can not understand with the coding…
3) Hi Do not prompt how to adjust a font of the messages?
4) Hi
I can not find coordinates for a feedback.

Spambot IP numbers (most likely proxies):
147.202.65.178
204.50.14.17
72.9.236.50
69.72.139.138

And website IP:
72.9.234.170
66.246.252.141
66.96.212.210

But I’m unsure of that IP address. It could be a proxying server. I’ll leave that to others to investigate.

Whois info:

Admin Name: Ilya Burkaltsev
Admin Address: Vasilyevsky Ostrov 11-linia dom 20 kv.3
Admin Address:
Admin Address: St. Petersburg
Admin Address: 14413
Admin Address: NY
Admin Address: RUSSIAN FEDERATION
Admin Email: ilya@artpromcompany.ru
Admin Phone: +1.79119146267
Name Server: ns73.dnsprotect.com
Name Server: ns74.dnsprotect.com

A 26 year old guy who said his website was artpromcompany.ru, is named Anton, and has ICQ number 230087306. He also claimed to have another site, also owned by ilya. He even has a blog on Livejournal. But since I don’t read Russian that well, I won’t be studying it in depth.

ilya Burkaltsev ilya@artprom.ru
Burkaltsev, ilya
Pushkarskaya 3
Petersburg, — 198000
RU
Phone: +7 812 233 92 62
Fax: +7 812 233 92 62

Turns out the spammer has been at it for a little while. He’s been pestering guestbooks with sentence number 2 for at least a week.

Update: Another whois info for a new domain spamvertized this way:

Admin Name: Ivar Tenter
Admin Address: Keguma str. 45-2
Admin Address:
Admin Address: Riga
Admin Address: Lv-1084
Admin Address: Riga
Admin Address: LATVIA
Admin Email: ivarix@ivarix.ee
Admin Phone: +371.999999999
Admin Fax: +371.999999999
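
The check described at the start of this post (different source IPs, different links in the URL field, same website address) can be run over a whole moderation queue. This is an added example, not part of the original post; the comment fields, host names and addresses are constructed, and the resolver is injectable so the sample runs offline.

```python
import socket
from collections import defaultdict
from urllib.parse import urlsplit

def cluster_by_site_ip(comments, resolve=socket.gethostbyname):
    """Group pending comments by the address their URL-field host resolves to.

    Reports a site address only when it is reached through more than one
    host name AND from more than one source IP. Shared hosting and proxies
    produce the same picture, so a hit is a lead for review, not proof."""
    groups = defaultdict(lambda: {"hosts": set(), "sources": set(), "ids": []})
    for c in comments:
        try:
            host = (urlsplit(c["url"]).hostname or "").lower()
            site_ip = resolve(host) if host else None
        except (OSError, ValueError):
            site_ip = None                # malformed URL or unresolvable host
        if not site_ip:
            continue
        g = groups[site_ip]
        g["hosts"].add(host)
        g["sources"].add(c["source_ip"])
        g["ids"].append(c["id"])
    return {ip: {"hosts": sorted(g["hosts"]), "sources": sorted(g["sources"]),
                 "ids": g["ids"]}
            for ip, g in groups.items()
            if len(g["hosts"]) > 1 and len(g["sources"]) > 1}

# Constructed moderation queue and DNS answers (documentation address ranges).
SAMPLE_COMMENTS = [
    {"id": 1, "source_ip": "192.0.2.10", "url": "http://fonts-help.example/"},
    {"id": 2, "source_ip": "198.51.100.23", "url": "http://image-upload.example/a"},
    {"id": 3, "source_ip": "192.0.2.99", "url": "http://regular-reader.example/blog"},
]
SAMPLE_DNS = {"fonts-help.example": "203.0.113.7",
              "image-upload.example": "203.0.113.7",
              "regular-reader.example": "203.0.113.200"}

def sample_resolve(host):
    """Offline stand-in for DNS; raises like socket.gethostbyname on a miss."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"no constructed record for {host}")
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    print(cluster_by_site_ip(SAMPLE_COMMENTS, resolve=sample_resolve))
```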

Splog tracking Adsense

Sunday, November 27th, 2005

I was reading about Splogs on Plagiarism Today, and it hit me:

Adsense could search for Adsense publishers who get income from a large number of blogspot addresses. Shouldn’t be too hard to whip up some statistics software to do that. Then do a hand check on some of the splogs, to verify general splogginess (and please have some real geeks doing that, not some Adsense manager who can be fooled by anything).

Then remove those publishers from the program, and remove the blogs from Blogspot.

Easy, eh?

Ethical wiki spammers

Saturday, November 26th, 2005

I found a post through Joe’s blog, about an ethical wiki spammer group.

What they mean by that, is that they don’t delete wiki content, but add their own.

More spammer ethics…

The blogger also noted how he’d had to look out for hidden spam. Note to wiki owners: Look at the diffs. That’s the only way to consistently remove invisible spam. I get almost nothing but invisible spam these days.
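
One way to act on "look at the diffs", as an added example that is not part of the original post: diff two revisions and list every added hunk that brings in links, marking the ones wrapped in hiding markup. The revisions are constructed, and the list of hiding styles is an assumption, since the post does not name specific techniques.

```python
import difflib
import re

# Assumed markers of markup that hides text from readers; the post does not
# name specific hiding techniques, so extend this for your wiki's syntax.
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])|"
    r"(?:height|width)\s*:\s*[01]px", re.I)
LINK_RE = re.compile(r"https?://[^\s\"'<>\]]+", re.I)

def review_edit(old, new):
    """Diff two revisions and report every added hunk that contains links.

    Returns a list of dicts: first line number in the new revision, the
    links added, and whether the added text also carries hiding markup."""
    old_lines, new_lines = old.splitlines(), new.splitlines()
    matcher = difflib.SequenceMatcher(None, old_lines, new_lines, autojunk=False)
    findings = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag not in ("insert", "replace"):
            continue                      # only text the edit introduced
        added = "\n".join(new_lines[j1:j2])
        links = LINK_RE.findall(added)
        if links:
            findings.append({"line": j1 + 1, "links": links,
                             "hidden": bool(HIDDEN_RE.search(added))})
    return findings

# Constructed revisions of a hypothetical sandbox page.
OLD_REV = """== Sandbox ==
Feel free to experiment here.
See the help page for syntax."""

NEW_REV = """== Sandbox ==
Feel free to experiment here.
Docs: http://wiki.example.org/Help
See the help page for syntax.
<div style="display:none">
[http://pills.example.invalid/ cheap]
[http://casino.example.invalid/ win]
</div>"""

if __name__ == "__main__":
    for f in review_edit(OLD_REV, NEW_REV):
        label = "HIDDEN" if f["hidden"] else "visible"
        print(f"line {f['line']}: {label} {f['links']}")
```

The rendered page would show only the first added link; the diff shows both hunks.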

Interview with an e-mail spammer

Saturday, November 26th, 2005

Interview with an e-mail spammer

More stories I found:

CAN-SPAM conviction

Authenticating SMTP

Spamnews

Alexandre Krouglov

Monday, November 21st, 2005

New (for me) referrer spammer today.

Alexandre Krouglov

He’s like a terrier, keeps shaking the same pages. Better block him fast if you have the misfortune of receiving his attention:

216.255.178.130

Hungry Java bot

Sunday, November 20th, 2005

I saw a spike in my bandwidth today.

IP:
68.14.199.27
wsip-68-14-199-27.no.no.cox.net

User agent:
Java/1.5.0_05

I found a guestbook entry on the net from that IP number. Absolutely no content. The obvious conclusion is that the bot just followed yet one more link and posted without realizing what it was doing.

151 requests in 2 minutes 46 seconds.

Ban with extreme prejudice!
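
A burst like this one can be picked out of an access log with a per-client sliding window. This is an added example, not part of the original post: the log lines are constructed to match the figures above (151 requests in 2 minutes 46 seconds), the second client uses a documentation address, and the 180-second window and 100-request limit are assumed thresholds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "request" status bytes "referrer" "agent"
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_hungry_clients(lines, window_s=180, max_requests=100):
    """Return {ip: (peak requests in any window, sorted user agents)} for
    clients that exceeded max_requests within window_s seconds.
    Assumes lines are in chronological order, as in a server access log."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    agents = defaultdict(set)
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, ua = m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(3)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop requests that fell out of the window
        agents[ip].add(ua)
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return {ip: (n, sorted(agents[ip])) for ip, n in peaks.items()}

def sample_log():
    """Constructed log: 151 bot requests over 2 min 46 s plus a normal reader."""
    start = datetime(2005, 11, 20, 10, 0, 0, tzinfo=timezone.utc)
    def entry(ip, offset_s, path, ua):
        ts = (start + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'
    rows = [(int(i * 166 / 150), "68.14.199.27", f"/page{i}", "Java/1.5.0_05")
            for i in range(151)]
    rows += [(s, "192.0.2.10", "/", "Mozilla/5.0 (constructed reader)")
             for s in (5, 70, 400, 900, 1800)]
    return [entry(ip, s, path, ua) for s, ip, path, ua in sorted(rows)]

if __name__ == "__main__":
    for ip, (count, uas) in find_hungry_clients(sample_log()).items():
        print(f"{ip}: {count} requests within 180 s, agents={uas}")
```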

Home made RSS logger

Sunday, November 20th, 2005

I noticed that Joe had resaved loads of his posts, and looked into why.

He’s got this cool little mini banner in all the posts. I went to his blog, and they weren’t visible on the blog. So, they must have been inserted into the RSS template.

Smart: if you have a tiny graphic in the RSS feed from a site where you have raw logs or good stats, you get logging capabilities for RSS feeds.

Just as important, with a link back to the blog, you make sure scrapers will have a bit more trouble stealing your content without giving you credit for it.

Think I need to look into that myself, Joe!

Update:

This works for Wordpress:

Angsuman’s Feed Copyrighter Plugin

I made a small alteration to this plugin, to both make it do what Angsuman designed it to do, and to provide me with logging.

I wasn’t comfortable having my e-mail address potentially ending up on the web where it could be harvested, so I wanted an image (what I usually do when putting my e-mail address out there). That image also provides logging, so it works nicely. I put the whole img src tag where you can customize the e-mail address (instead of using the default one set up by the script). I tried a validator, and it seems to work. And it displays in Thunderbird, so I guess mission accomplished?

Thanks Joe, for digging it up!

————–
Forget this stuff, it doesn’t work:
Tutorial for adding image to RSS feed (oops, this is for an icon). Here: Adding image for each post. Actually, that doesn’t work too well either. Try something like this. Nah, that doesn’t work either. Help?

Scraper site database

Sunday, November 20th, 2005

I think we need a scraper site database. Preferably one Google would use to blacklist the sites in question, AND revoke their Adsense accounts.

I’ll go first, creating a temporary wiki page where we can leave our frustrations (and I left my current one). But hopefully we can get something along the lines of the splog databases.

Such as splogspot and antisplog.net (currently misconfigured server).