Picking on guestbook spammers
Guestbook spam was usually less sophisticated than blogspam. But lately they’ve caught up. I get a torrent of spam these days, and blocking IP numbers just won’t work. They’ve started using proxies there too.
So I thought I’d pick on one of them today.
I don’t know his name for sure, but I’ll include some whois info that may or may not be his.
First of all, his user agent is a mistake. It’s entered in my logs exactly like this:
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
He forgot the trailing ) in other words.
He first does a lookup of the add guestbook page, then comes back with ANOTHER IP number when it’s time to POST his comment.
I can’t say for sure if this is one spammer or several, using the same broken tool. Let’s treat them as several spammers for now, and see if we can find evidence later that they’re one and the same.
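As an added illustration (not part of the original post) of how the two tells above can be turned into a log check: the script below parses constructed combined-format log lines, flags POSTs to the guestbook form whose user agent never closes its parenthesis, and flags POSTs that arrive from a different IP than the GET of the form made with the same user agent. The form path and the log lines are assumptions.

```python
import re

# Constructed sample access-log lines (combined log format), not from the original post.
# The first two copy the broken user agent quoted above: the closing ")" is missing.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2006:10:00:01 +0100] "GET /guestbook/add.php HTTP/1.1" 200 1523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
10.0.0.9 - - [10/Jan/2006:10:00:04 +0100] "POST /guestbook/add.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
192.0.2.7 - - [10/Jan/2006:10:02:10 +0100] "GET /guestbook/add.php HTTP/1.1" 200 1523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.7 - - [10/Jan/2006:10:03:40 +0100] "POST /guestbook/add.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Signature of the broken tool: a UA that opens "(compatible;" and never closes the parenthesis.
BROKEN_UA_RE = re.compile(r'^Mozilla/4\.0 \(compatible;[^)]*$')
GUESTBOOK_FORM = "/guestbook/add.php"   # assumed path of the "add guestbook" page

def parse_log(text):
    """Yield one dict per parsable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status, ua = m.groups()
            yield {"ip": ip, "ts": ts, "method": method, "path": path, "ua": ua}

def flag_suspect_posts(text):
    """Return (ip, reasons) for each POST to the form that carries the broken UA
    and/or comes from a different IP than the last GET of the form with that UA."""
    last_get_ip = {}   # user agent -> IP that most recently fetched the form
    suspects = []
    for r in parse_log(text):
        if r["path"] != GUESTBOOK_FORM:
            continue
        if r["method"] == "GET":
            last_get_ip[r["ua"]] = r["ip"]
            continue
        if r["method"] != "POST":
            continue
        reasons = []
        if BROKEN_UA_RE.match(r["ua"]):
            reasons.append("broken-ua")
        prev = last_get_ip.get(r["ua"])
        if prev is not None and prev != r["ip"]:
            reasons.append("ip-switch")
        if reasons:
            suspects.append((r["ip"], reasons))
    return suspects
```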
They use throwaway sites, or lookalike throwaway sites (sometimes hard to tell).
The spammers use different techniques for javascript redirection and avoiding detection.
—————
One of them uses throwaway sites, then redirects to sites he owns that carry the affiliate ID links:
malacity.com
kofit.com
both ping
212.48.153.193
and whois info gives:
Contact Name: Mihail N Suhorukov
Contact Street1: Isakovskogo st., 29
Contact City: Moscow
Contact State: Moscow
Contact Postal Code: 123181
Contact Country: RU
Contact Phone: +7 095 7266000
Contact E-mail: admin@nisku.ru
Affiliate IDs:
usapills-rx ID: 417
naturomeds ID: marvelent
searchadv ID: 44581
————
One of the “throwaways” is interesting in its own right. wgaga.com figures in LOTS of subdomains spamvertized on guestbooks and whatnot. And the root site has a 302 to searchmeup.com.
But what’s really interesting is that I can’t find any spam pages on it owned by another spammer. I’m forced to wonder whether the domain belongs to the spammer, and whether he’s trying to emulate throwaway sites.
Whois:
Resourse Team
Vladimir (guron-fm@yandex.ru)
Vali Macsimova 5 flat 8
Biysk
null,659303
RU
Tel. +7.3854249022
Vladimir has apparently been in the domain biz for a while. He tried selling one in January 2005.
This particular spammer mainly uses this affiliate ID:
topsearch10 ID: 45492
————
One uses “throwaway” subdomains on two .be domains:
vacuums.be
looxe.be
they ping similar IPs:
64.111.199.185
64.111.199.188
Both are registered December 10, 2005, by a webhost/registrar:
Last Name: Hostmasters
Company Name: Nucleus bvba
Language: N
Street: Noorderlaan 133/8
Location: 2030 Antwerpen
Country: Belgium
Phone: +32.32750160
Fax: +32.32750169
Email: info@nucleus.be
I suspect it’s a whois privacy thing, and that the spammer owns the domains.
Affiliate IDs:
find.fm ID: 1524
The seo view on belgium free domain registration offer.
Hi Huntress, I know just the punk you’re referring to in this blog! He’s been going nuts and seems easily identifiable, yet nobody is doing anything, presumably because he’s in Russia.
I posted this page because I got tired of manually deleting “WGAGA” page submissions from my guestbook. I actually don’t know why they kept me in their list, because not a single one of their posts ever displayed on my site! Well, not until I put this page up:
http://www.maxwaterholter.com/spamreporter.asp
But then they figured out how to include a snippet of javascript in their submission so that the user is just quickly redirected, so I HTML encoded their code so that it would be displayed.
I periodically flush the database out, but I capture as much info as I can about the spam submission, and could even go a step further to show statistics on IP addresses, etc…
This might narrow them down to a particular gateway which is complicit in allowing this to go on!
Dear Spam Huntress,
My guestbook just got spammed for the first time this last weekend and I decided to fight back. I called the hosting site where the spammer had a redirect site (brinkster.com) and told them that I was getting a spam message with their domain name in it. Brinkster.com, that night, shut down the site and the redirect. This loser’s redirect went to (topsearch10.com) which is obviously a fake search engine with a bunch of “canned” (no pun intended) advertising links. I looked up the topsearch10 site in whois and it says it is owned by “Jaan Randolph” in the city of Victoria, in the state of Mahe, which is an Island in the Indian Ocean. This guy sure has a lot of time on his hands.
I have also restricted my guestbook to not accept any URLs in the message body. This should discourage any more of my would-be guestbook spammers. Thank you for letting me know that I am not alone in this fight. Keep up the good work. -William
Me too, I’m spammed by this punk and started looking; this is what I found out about him. Any help on how to stop this kinda spam is nice. Thanks.
Found this info on TopSearch10 at http://www.alexa.com/data/details/?url=topsearch10.com
UmaxSearch Ltd
Arch. Makarios III str./22
Nicosia 2406,
CYPRUS
+35799841423
noc@ctel.ru
Ann,
Right there with ’ya.
Will keep the data above and set a flag to watch for him in one of our site’s spam logs. Our rule: Second violation, they’re toast.
PS:
Would have never left a post here, but I used to work for Kongsberg N.A.
The Norwegian Spam Huntress? Great, just great!
We’re a host of the “throwaway” sites you mention.
These losers are constantly finding ways around our signup confirmation scripts, and abuse the crap out of our system - then half the people who get spammed think we’re responsible. I’ve taken some really nasty phone calls from people whose blog or guestbook had been spammed thousands of times.
We’ve recently added “topsearch10.com” to our list of “instant-ban” keywords. If that, or a javascript-encoded version of it, appears in a hostee’s content (as determined by our in-house automated content scan) the site is instantly terminated.
It’s been hard to work this one in, because the spamvertisers encrypt the function that does the redirect in one, sometimes two, and once I found 3 layers of encoding, which really makes it hard to find them. And I’m sure every time we figure it out, they’ll find a new way to encode the redirect to make it harder to find.
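An added example, not the host’s own scanner, of the keyword check described in the comment above: it peels common JavaScript encoding layers (percent-encoding as consumed by unescape(), String.fromCharCode lists, \x and \u escapes; which layers the spammers actually used is an assumption) before matching the banned keyword, and runs on a constructed two-layer sample.

```python
import re
from urllib.parse import quote, unquote

BANNED = ["topsearch10.com"]   # the "instant-ban" keyword named in the comment above

# Constructed two-layer sample, NOT a real spammer payload: a String.fromCharCode()
# call spelling out the domain, wrapped in a percent-encoded document.write(unescape()).
INNER = "location.href=String.fromCharCode(116,111,112,115,101,97,114,99,104,49,48,46,99,111,109)"
SAMPLE = 'document.write(unescape("' + quote(INNER, safe="") + '"))'

FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d,\s]+)\)')
HEX_ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
UNICODE_ESCAPE_RE = re.compile(r'\\u([0-9a-fA-F]{4})')

def peel_layer(text):
    """Undo one round of common JavaScript string obfuscation.
    Returns the text unchanged when no known encoding applies."""
    text = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), text)
    text = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = UNICODE_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)   # percent-encoding, as JavaScript's unescape() would consume it

def scan(content, max_layers=5):
    """Return (matched_keyword, layers_peeled), or (None, layers) if nothing matched.
    max_layers bounds the work so a pathological submission cannot loop the scanner."""
    layers, current = 0, content
    while True:
        for kw in BANNED:
            if kw.lower() in current.lower():
                return kw, layers
        if layers >= max_layers:
            return None, layers
        nxt = peel_layer(current)
        if nxt == current:          # no further decoding possible
            return None, layers
        current, layers = nxt, layers + 1
```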
Huntress,
We have been following this group; I am pretty sure it is connected.
Check out http://www.revenews.com/wayneporter/archives/002069.html
You’ll see ties to searchmeup/ Yap Browser / and our topsearch10 gang.
Thanks a lot for your great intel!
regards,
Wayne
I don’t show that you have Bad Behaviour installed. I don’t see its cookie.
If you use Wordpress you should install BB and SpamKarma.
How can we stop them?