Archive for December, 2005

Deny 203.162.27.200 - referrer spammer

Monday, December 19th, 2005

My bandwidth consumption on annelisabeth.com has jumped to new heights. And I believe most of it is due to referrer spammers.

According to Awstats, these IP numbers have consumed a lot of bandwidth so far this month:
203.162.27.201 - 106.62 MB
203.162.27.196 - 40.72 MB
203.162.27.195 - 11.44 MB

In other words, one spammer has stolen in excess of 200 MB of bandwidth from me.

In addition, I’ve found these sucking down a lot:
203.162.27.195
203.162.27.200
203.162.27.197
203.162.27.199

Here’s a sample log line:
203.162.27.200 - - [19/Dec/2005:07:33:41 -0600] "GET /blog/archives/000313.html HTTP/1.1" 200 11248 "h*tp://phentermineadipexionamin.lookscute.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.5) Gecko/20041108 Firefox/1.0"

In addition to that post, they’re pulling down archives quite often.

One of the URLs spamvertized goes through a frame redirect to 1-800-pills.com, which pings 69.50.176.254.

I looked at other domains hosted on that IP address. They all have similar and different whois info. Clearly fake.

More info on the spammer, including whois, can be found here:
Pills referrer.

I’ll gather more info on the spammer, and might update here or make a wiki page. He definitely deserves some tracking time.

Update:
Sites spamvertized by this bunch point to domains that use name servers from
xxlsearcher.com

That domain has whois info that includes an e-mail address that figures in other anti-spam posts:
TMnet spam
Dumb or beginner - who cares

How to find scraper directories

Sunday, December 18th, 2005

I got a referrer from a subcategory on a site named recommendlist.com. It’s a scraper directory. No original content whatsoever.

I searched for the name. Google nixed the domain, but there are still lots of references to it. And since it’s a scraper directory with no original content whatsoever, the sites it’s mentioned on are either scraper directories themselves, or the site has been spamvertized.

And in this case, major case of scraper directories.

Matt, you could zap a lot of them just by following that one around!

Picking on guestbook spammers

Sunday, December 18th, 2005

Guestbook spam was usually less sophisticated than blogspam. But lately they’ve caught up. I get a torrent of spam these days, and blocking IP numbers just won’t work. They’ve started using proxies there too.

So I thought I’d pick on one of them today.

I don’t know his name for sure, but I’ll include some whois info that may or may not be his.

First of all, his user agent is a mistake. It’s entered in my logs exactly like this:
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
He forgot the trailing ) in other words.

He first does a lookup of the add guestbook page, then comes back with ANOTHER IP number when it’s time to POST his comment.

I can’t say for sure if this is one spammer or several, using the same broken tool. Let’s treat them as several spammers for now, and see if we can find evidence later that they’re one and the same.

They use throwaway sites, or lookalike throwaway sites (sometimes hard to tell).

The spammers use different techniques for javascript redirection and avoiding detection.

—————

One of them uses throwaway sites, then redirects to sites he owns that have the affiliate ID links:
malacity.com
kofit.com
both ping
212.48.153.193
and whois info gives:

Contact Name: Mihail N Suhorukov
Contact Street1: Isakovskogo st., 29
Contact City: Moscow
Contact State: Moscow
Contact Postal Code: 123181
Contact Country: RU
Contact Phone: +7 095 7266000
Contact E-mail: admin@nisku.ru

Affiliate IDs:

usapills-rx ID: 417
naturomeds ID: marvelent
searchadv ID: 44581

————

One of the “throwaways” is interesting in its own right. wgaga.com is figuring in LOTS of subdomains spamvertized on guestbooks and whatnot. And the root site has a 302 to searchmeup.com.

But what’s really interesting, is that I can’t find any spam pages owned by another spammer. I’m forced to wonder if the domain belongs to the spammer, and that he’s trying to emulate throwaway sites.

Whois:

Resourse Team
Vladimir (guron-fm@yandex.ru)
Vali Macsimova 5 flat 8
Biysk
null,659303
RU
Tel. +7.3854249022

Vladimir has apparently been in the domain biz for a while. He tried selling one in January 2005.

This particular spammer mainly uses this affiliate ID:
topsearch10 ID: 45492

————

One uses "throwaway" subdomains on two .be domains:
vacuums.be
looxe.be
they ping similar IPs:
64.111.199.185
64.111.199.188

Both are registered December 10, 2005, by a webhost/registrar:

Last Name: Hostmasters
Company Name: Nucleus bvba
Language: N
Street: Noorderlaan 133/8
Location: 2030 Antwerpen
Country: Belgium
Phone: +32.32750160
Fax: +32.32750169
Email: info@nucleus.be

I suspect it’s a whois privacy thing, and that the spammer owns the domains.

Affiliate IDs:
find.fm ID: 1524

Local homepage

Saturday, December 17th, 2005

I’ve used local homepages for years. Instead of a website being my “home” page, I’ve got a custom made page with links I use a lot. It’s quicker than using bookmarks. I’ve even used subpages linked from the first page for stuff I don’t use as often. But lately I’ve been thinking about a cross between that and a more structured way of gathering information.

There are several personal wikis out there. But most of them use software and save the pages in a way so that I can’t use them in a browser. And some are meant to sit on the web. That’s fine for public info, but not as secure for personal stuff.

I found that TiddlyWiki was usable. It’s a pain to set up initially, since they don’t give you a template that’s set up for personal use. It’s just an empty version of the front page of their website. But if you’re willing to put in the time to edit in notepad, it’s quite interesting. A good idea would be for someone to make a customized one, but us geeks can manage for now.

Update: It’s less of a pain to setup than I thought. Open MainMenu and edit the categories there. Open DefaultTiddlers and edit out all the extraneous journal entries on the front page. Maybe add some tiddlers YOU would want there instead. Also use the Timeline menu on the right actively if some tiddler gets lost before you nail it down somewhere. Options (on the right beneath the search field) is good for making it autosave, changing default author and so on.

And this version is probably the best for a local browser homepage. It’s a “productivity” version:
http://shared.snapgrid.com/gtd_tiddlywiki.html

I’ve decided I’ll keep spam URL’s there for now, along with often used links. And I’ll retire the old homepage. Only gripe is that links open new windows, so I need to right click to use tabs instead. Update: Open the wiki in notepad, search for this and remove:

if(config.options.chkOpenInNewWindow)
theLink.target = "_blank";

This wiki saves EVERYTHING in one file, so it’s highly portable. It probably becomes a beast once you’ve saved a lot of stuff, though.

My tip: You can include links to files on your harddrive, using the same syntax as links to websites. Make separate wikis for separate topics, if you expect to hoard lots of info, then interlink them from your main homepage wiki. Just save them in the same directory tree.

Also, it makes backups for each time you press Save Changes, so clean out the backups now and then.

I’ve only played with it for about 45 minutes, so I’ve only just scratched the surface.

Arrgh, fix your misconfigured mailservers!

Friday, December 16th, 2005

I started my day reading the statistics mail from my new testmail server. Bad move.

I’ve been butting my head against various errors all day. Including some I introduced myself (think I fixed it now, but it took a reboot afterwards).

But I’ll explain the worst one, that has me so frustrated.

When I first set up the server, the deferred queue filled up right away. I found some problems and fixed them. But there’s one I can’t fix:

450 address @domain.net: User unknown in local recipient table (in reply to RCPT TO command))

(I had to remove some brackets here. WP doesn’t like them)

I get this from a server I relay mail to regularly, and from various servers I send mail to now and then.

450 is a temporary error. And when you use 450 for a situation that’s never going to be resolved, the result is that the sending server can’t get rid of the mails until the end of the queue lifetime. The mail will just keep being resent, meeting the same error code and message each time.

The correct response looks like this line:

said: 550 address @domain.net: Recipient address rejected: User unknown in relay recipient table

So for everybody who maintains a mail server, PLEASE double check that you don’t use a 450 for this use.

I mean, it’s OK if you do it when you first set the machine up, while you’re testing the configuration. But after that it’s a definite no no!!!!
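To make the 450-versus-550 point concrete, here is a small added example (not code from the original post, and not Postfix's own logic) that classifies a reply the way a sending MTA would and counts how many retries a wrongly used 450 costs; the queue lifetime, retry interval and the list of "permanent" phrases are assumed values.

```python
import re

# Matches the reply as it appears in a deferred-queue reason, e.g. "450 address @domain.net: User unknown ..."
REPLY_RE = re.compile(r'^(?:.*said: )?(?P<code>[245]\d\d) (?P<text>.*)$')

# Reply texts describing a condition that retrying will never fix (assumed list).
PERMANENT_HINTS = ("user unknown", "recipient address rejected", "no such user")

def classify(reply):
    """Map one SMTP reply to what the sending MTA does with the message."""
    m = REPLY_RE.match(reply.strip())
    if not m:
        return ("unknown", None, reply)
    code, text = int(m.group("code")), m.group("text")
    if code < 300:
        return ("deliver", code, text)
    if code < 500:
        return ("defer", code, text)    # 4xx: stays in the deferred queue, retried later
    return ("bounce", code, text)       # 5xx: returned to the sender right away

def is_misused_tempfail(reply):
    """True when a permanent condition is reported with a temporary (4xx) code."""
    action, _, text = classify(reply)
    return action == "defer" and any(h in text.lower() for h in PERMANENT_HINTS)

def simulate_queue(reply, queue_lifetime_hours=120, retry_interval_hours=1):
    """Count delivery attempts until the message leaves the sender's queue.
    Lifetime and interval are assumed values chosen for the illustration."""
    attempts, elapsed = 0, 0
    while True:
        attempts += 1
        action = classify(reply)[0]
        if action != "defer":
            return (action, attempts)
        elapsed += retry_interval_hours
        if elapsed >= queue_lifetime_hours:
            return ("expired", attempts)  # bounced only once the queue lifetime runs out

# The two replies quoted in the post above (brackets removed, as there).
WRONG = "450 address @domain.net: User unknown in local recipient table (in reply to RCPT TO command)"
RIGHT = "550 address @domain.net: Recipient address rejected: User unknown in relay recipient table"

if __name__ == "__main__":
    for reply in (WRONG, RIGHT):
        print(classify(reply)[0], simulate_queue(reply), "misused 4xx:", is_misused_tempfail(reply))
```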

sms.ac continues to send invitations

Wednesday, December 14th, 2005

I scolded a friend a few weeks ago. He’d given sms.ac the password to his address book, and I received an invitation at my (previously unknown to sms.ac) gmail account.

He told me he’d unsubscribed straight away, and I told him he needed to let his entire addressbook know. I told him we’d see. If they’d cleaned up their act, I shouldn’t get any more invitations from him about sms.ac.

Today I found another invitation in my spam folder.

If he was straight with me, he’s unsubscribed, yet they continue sending invitations in his name. Not good…

And yeah, I call that spam!

——–

Update: I just cornered him now. He says he got as far as giving them his password for the addressbook. He was a bit tired. But you have to answer an e-mail they send out in order to confirm your subscription. He never did that, and says he’s not a member because of that. Never having tried that service, I don’t know if it works that way. I’ll see if I can figure it out.

Ah, looks like the process was convoluted enough, he thought he was unsubscribed, though in reality he was “non-activated”.

And he’d blocked them from his computer, so anything else they sent him, he wouldn’t get. Quite into geek stuff, this guy.

But now he’s unsubscribed for real, and managed to do it without activating his membership.

But the problem is, a lot of people might think they’re not really members, yet their friends are getting spammed. And continue getting spammed, by this service.

The part that requires activation, is the phone part of the service, he tells me now. And the way I’ve seen it told before, that gets expensive really fast. And that’s what stopped him. He’d been tired and signed up, kept going through the process, until he saw the stuff about the cell phone.

But he still told me, straight up until our conversation right now, that he’d gotten out right away. So, it’s confusing. He believed the confirmation mail was for his membership, and that not answering it meant he was unsubscribing. We’re so used to double opt-in, I’m sure he thought that’s what it was. But he was actually subscribed, even though he never answered their mail.

Now we’ll see if the mails keep coming to me or not. Because now he really IS unsubscribed.

Second update: Gmail considers the sms.ac invitations as spam. But how about going one further? What if Yahoo and Hotmail blocked their bot from accessing the accounts of all these people who unwittingly sign up? I mean, that’s logical, right? Just find their IP addresses, and block the whole shebang!

Third update:
Interesting post, where one guy claims to have received invitations to himself from himself, about joining the network. Considering he never joined, that’s kind of interesting. That part is in the comments to the post.

Beware 80.237.140.233

Wednesday, December 14th, 2005

80.237.140.233 gobbled up 60 megabytes from annelisabeth.com during December. He loaded specific pages over and over, then moved on to other pages. He shows up as proxy77.net in Awstats.

User agent:
Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.5) Gecko/20041108 Firefox/1.0

The IP number itself is a proxy from Germany.

My conjecture is that the spidering is done by a referrer spammer who’s particularly hungry. So hungry he’s stopped doing GET requests the last day or so. He’s switched to HEAD!

He’s using proxies for the actual referrer spamming, but keeps using that exact same user agent. I’ve seen him here too.

Another to watch out for is

216.220.192.132
which identifies itself as
NutchCVS/0.7 (Experimental Nutch)

It gobbled up 30 MB of spamhuntress.com so far in December. That software is used for running search engine spiders. Problem is, this particular one isn’t identifying itself. If any of you knows anything about this one, please let me know.
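The checks used across the referrer-spammer posts and the guestbook post above (bytes per IP, spamvertized referrers, a switch to HEAD requests, a user agent missing its closing parenthesis) can be run over combined-format log lines with this small added script; it is example code, not part of the original posts. The keyword list and the sample lines are constructed (the first mirrors the post's own log line).

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format; the UA is matched up to the closing quote so a malformed one still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Referrers whose URL contains one of these words are treated as spamvertized (assumed list).
SPAM_WORDS = ("phentermine", "adipex", "pills")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def ua_is_malformed(ua):
    """Unbalanced parentheses, e.g. a bot that forgot the trailing ')'."""
    return ua.count("(") != ua.count(")")

def ref_is_spam(ref):
    return any(w in ref.lower() for w in SPAM_WORDS)

def analyse(lines):
    """Per-IP byte totals, request methods seen, and reasons the IP looks suspicious."""
    stats = defaultdict(lambda: {"bytes": 0, "methods": set(), "reasons": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["bytes"] += rec["bytes"]
        s["methods"].add(rec["method"])
        if ref_is_spam(rec["ref"]):
            s["reasons"].add("spam referrer")
        if ua_is_malformed(rec["ua"]):
            s["reasons"].add("malformed user agent")
    for s in stats.values():
        if "HEAD" in s["methods"]:
            s["reasons"].add("HEAD requests")
    return dict(stats)

# Constructed sample lines, not a real log.
SAMPLE = """\
203.162.27.200 - - [19/Dec/2005:07:33:41 -0600] "GET /blog/archives/000313.html HTTP/1.1" 200 11248 "http://phentermineadipexionamin.lookscute.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.5) Gecko/20041108 Firefox/1.0"
80.237.140.233 - - [14/Dec/2005:03:10:02 -0600] "HEAD /blog/archives/000300.html HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.5) Gecko/20041108 Firefox/1.0"
10.0.0.5 - - [18/Dec/2005:12:00:00 -0600] "POST /guestbook/add.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
192.0.2.10 - - [18/Dec/2005:12:01:00 -0600] "GET /index.html HTTP/1.1" 200 4096 "http://example.org/" "Mozilla/5.0 (X11; Linux)"
""".splitlines()

if __name__ == "__main__":
    for ip, s in sorted(analyse(SAMPLE).items(), key=lambda kv: -kv[1]["bytes"]):
        print(ip, s["bytes"], sorted(s["reasons"]))
```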

Yahoo group spam

Wednesday, December 14th, 2005

Update: Proof of concept

Remember a little while ago, that a spammer said spamming had moved on anyway? Well, I believed him, and have been anticipating evidence of the new types of spam.

I found one today.

A yahoo group started by a spammer, with public archives.

There’s only one message, and that message was linked to from a guestbook spam entry somewhere.

spammer yahoo group
(Update: Yahoo already acted on my complaint. The group is history, a mere hours after my report. But they still have a lot of work to do, because they didn’t nuke all his pages. They should have some way of nuking all of them, don’t you think?)

Details:
The affiliate links are in an iframe in the body of the message in that group.

The guestbook spambot was 69.50.187.242
And the affiliate feed was from 69.50.191.22

The whois on the domain is:

Zuluz Networks Inc.
David Zuluz (ppcse@te.net.ua)
175, Carnival str.
San Diego
,45789
US
Tel. +95.22564879

ns1.loldns.com
ns2.loldns.com

That name server domain is on: 69.50.191.21

The domain itself, disorders.biz, has a WP blog on it. It actually looks legit, like a bona fide medical info site. It even has a masthead with a photo of a doctor on it. But the most recent article was lifted from eMedicine. A splog, in other words.

The domain was once linked to Webtouch.

But my main question is: How do we notify Yahoo about this? There’s bound to be more of this sort of thing, and we need a way to make them aware. They actually have to delete groups! Not something they’re likely to do, but there’s no way around it. Either they start doing it, or the next splog-like hysteria will be Y!spamgroups…

Here’s a start point: yahoo groups TOS reporting

Check for old comments

Monday, December 12th, 2005

I occasionally get interesting comments to old posts. Today was one of those days. SEW was musing whether something said in this article had to do with PRstorm:

Newsweek about SEO

For those of you who are regulars and like commenting, you may want to read the comment RSS regularly. You’ll find a link at the bottom of the blog.

The future of spam

Sunday, December 11th, 2005

I’ve been thinking about this for a while. What is the future of spam?

What we can predict is this:

1) The technical solutions will continue to change. Expect a lot of innovation
2) We’ll see new types of spam, as the internet changes and new technologies and interaction become available
3) Spam won’t quit

Some have been talking about spam in terms of winning the war. They’ve hoped for the day they’d win the war against spam.

I don’t think that’s going to happen. Why?

Think about it, how long have we known drugs are bad? How long has the sale and distribution of drugs been outlawed? Has it stopped?

So, as long as the economic incentives for spamming are still there, spam will still be there. We can’t put a bandaid on it and expect it to stop. I.e., we can’t solve it with a technical solution. The best we can hope for is making it less irritating, but we can’t stop spammers trying.

So, how would we be able to stop spam?

Same way we could stop drugs:

1) Remove demand (i.e. end users)
2) Remove supply (i.e. no more drugs to be found)

And how could we theoretically stop spam?
1) Remove the financial payoff.
One way would be a global ban on affiliate programs. We wouldn’t stop spam that way, but we’d raise the bar so it would be harder to break into spamming
2) Stop the effect of spamming.
That would mean total spam filtering, and nobody would click on spam links anymore. And it would mean total spam filtering in search engines. Still, some spam might survive.

But tell me, do any of these scenarios look realistic? How long have governments had to eradicate drugs?

Mmmm, didn’t think so.

But going to touch on affiliate schemes would be a start…