Archive for January, 2006

Short URL spam support

Monday, January 30th, 2006

I found this one in my logs:

Short URL

And yes, it was an affiliate URL, spamvertized.

The owner says outright it’s to hide affiliate links.

Well, how good of you to let us know Google should ban that subfolder.

And here’s another domain for good measure: runurl.com

Matt, you listening?

Automated comment spam

Saturday, January 28th, 2006

There’s been a lot of comment spam lately, and some of it is very similar. I just got some that proved it:

Hey,
guys! If you looking for $word please visit my site

Heh, a script and database?

Beside myself here

Saturday, January 28th, 2006

I think I just found an identity thief. In Google’s cache of all things!

I sent Matt Cutts an SOS, hoping he’ll know what to do, and do it with some more weight than my name carries.

This joker seems to be in Bulgaria. I seem to remember something in the news about some identity thieves caught in Bulgaria recently, so I may have caught on to this AFTER the fact.

But anyway, this stuff is eerie to say the least. More details later IF I can release them! And if I hear more at all. Who knows…

Block Snoopy

Tuesday, January 24th, 2006

I got thoroughly spidered yesterday, by some unknown entity.

205 MB from 23/Jan/2006:03:28:34 to 23/Jan/2006:11:47:00 -0600

IP number:
83.64.251.92

User agent:
Snoopy v1.2

Which led me to this little project:

SourceForge.net: Snoopy

What’s interesting is that it tried to retrieve pages in this form:

GET /index.php?year=2005&monthnum=07&day=06&name=revenge-referrer-run&page=

It’s a site ripper. But I’m not keen on that kind of inconsiderate ripping, so I’d advocate banning all of snoopy. Not by IP number, but by user agent.

The IP number is revealing by itself, though. It’s some sort of news site in German, owned by someone on Mallorca in Spain. It doesn’t appear to have any incoming links, and the domain name is from December last year. Looks like it’s owned by some SEO types, which makes me all the more suspicious.

Hmm, on further thought, block the IP as well…

You’d think he’d learn the first time?

Monday, January 23rd, 2006

The owner of massinternetservices.com complained on a forum somewhere that he couldn’t get anywhere without pagerank in his competitive market.

Fast forward a few months.

I get a rush of 20 referrer spams, all delivered to the same file and within about 9 seconds.

So I start checking. Turns out he’s been comment spamming for quite a while. His comment spams would look legit to a casual observer, but if you Google the stuff, you’ll see the same identical wording over and over. That’s what I’d call comment spam, whether or not it looks relatively on topic.

Second check, yep, his root domain is banned in Google. I’m not surprised.

So, he got banned in Google, and he’s coming back for more?

You want 19 more domains banned? Geez…

The importance of different spam filtering mechanisms

Monday, January 23rd, 2006

This is the breakdown from a partial day’s worth of logging from one of my mail servers.

A significant percentage of mail was rejected, without any backscatter, apart from (any possible) legit senders getting bounces from their sending servers.

Helo command rejected: Invalid name (total: 3)
Recipient address rejected: Access denied (total: 118)
Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs (total: 1940)
Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty (total: 924)
Recipient address rejected: User unknown in relay recipient table (total: 3142)
Recipient address rejected: Your MTA is listed in too many DNSBLs (total: 1269)
Relay access denied (total: 21)
Sender address rejected: Domain not found (total: 800)
Sender address rejected: need fully-qualified address (total: 3)

Know what I mean?

There is one gotcha: Antivirus software on servers sometimes sends out mail using incorrectly configured sender addresses. They’ll be rejected. Of course, most of those are sent to the wrong party anyway, because most viruses fake sender info. And there are a few machines that send mail that nobody knows about. Plunk, they’ll never make it through my machines. Those are quite often sent from root@domain.com. Occasionally postmaster accounts are similarly incorrectly configured. These mails often bypass the mailserver, so all bets are off. Oh, and here’s a good one: One company has a machine (a Xerox machine?) somewhere that sends reports to the mother company. Only they never receive them because the whole thing is incorrectly configured.
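The breakdown above is the kind of tally you get by running a rejection counter over the mail server’s log. The script below is an added example (not the blog author’s tooling) that does this for Postfix smtpd reject lines; the log lines it parses are constructed for the example, with documentation IP ranges and example.org addresses, and the reason strings are ordinary Postfix/policy-server wording. Every line it counts is a NOQUEUE reject, i.e. the message was refused inside the SMTP dialogue, which is why this style of filtering produces no backscatter: nothing was accepted, so there is nothing to bounce.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines (not from the blog's server).
# Each "NOQUEUE: reject" line means the message was refused during the SMTP
# dialogue: no mail was accepted, so no bounce (backscatter) is generated.
SAMPLE_LOG = """\
Jan 23 08:01:12 mx2 postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 554 5.7.1 <bob@example.org>: Recipient address rejected: Your MTA is listed in too many DNSBLs; from=<sales@mail.invalid> to=<bob@example.org> proto=ESMTP helo=<144899528>
Jan 23 08:01:13 mx2 postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 554 5.7.1 <carol@example.org>: Recipient address rejected: Your MTA is listed in too many DNSBLs; from=<sales@mail.invalid> to=<carol@example.org> proto=ESMTP helo=<144899528>
Jan 23 08:02:40 mx2 postfix/smtpd[4102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.8 <root@nowhere.test>: Sender address rejected: Domain not found; from=<root@nowhere.test> to=<alice@example.org> proto=SMTP helo=<nowhere>
Jan 23 08:03:05 mx2 postfix/smtpd[4103]: NOQUEUE: reject: RCPT from host.example.net[203.0.113.9]: 550 5.1.1 <nosuchuser@example.org>: Recipient address rejected: User unknown in relay recipient table; from=<x@example.net> to=<nosuchuser@example.org> proto=ESMTP helo=<host.example.net>
Jan 23 08:03:07 mx2 postfix/smtpd[4103]: NOQUEUE: reject: RCPT from host.example.net[203.0.113.9]: 554 5.7.1 <someone@elsewhere.test>: Relay access denied; from=<x@example.net> to=<someone@elsewhere.test> proto=ESMTP helo=<host.example.net>
Jan 23 08:04:00 mx2 postfix/smtpd[4104]: connect from unknown[192.0.2.15]
Jan 23 08:04:01 mx2 postfix/smtpd[4104]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 504 5.5.2 <144899528>: Helo command rejected: need fully-qualified hostname; from=<a@b.invalid> to=<dave@example.org> proto=ESMTP helo=<144899528>
"""

# Matches the client, the SMTP reply code and the free-text reason that
# Postfix logs between "<address>: " and the first ";".
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?:\d\.\d\.\d )?<[^>]*>: (?P<reason>[^;]+);"
)


def parse_rejects(lines):
    """Yield (client_ip, smtp_code, reason) for every smtpd reject line."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("code"), m.group("reason").strip()


def tally_reasons(lines):
    """Count rejections per reason string, like the breakdown in the post."""
    return Counter(reason for _, _, reason in parse_rejects(lines))


def tally_clients(lines):
    """Count rejections per connecting IP; repeat offenders float to the top."""
    return Counter(ip for ip, _, _ in parse_rejects(lines))


def format_breakdown(counter):
    """Render a Counter in the 'reason (total: N)' form used above."""
    return [f"{reason} (total: {n})" for reason, n in sorted(counter.items())]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("\n".join(format_breakdown(tally_reasons(lines))))
    print(tally_clients(lines).most_common(3))
```

Run against a real `mail.log` by feeding the file object to `tally_reasons` instead of `SAMPLE_LOG.splitlines()`. The per-client tally is the useful second view: a handful of IPs racking up "retrying too fast" or DNSBL rejections is the signature of a zombie run rather than a misconfigured legitimate sender.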

Wrong HELO

Monday, January 23rd, 2006

I’m testing out policyd-weight, a spamfilter that looks at blocklists and HELO compared with IP number.

I strained my logs for possibly legit mails that would have been rejected had I used default setting: 1. It’s fairly easy since we’re in Norway, and I can just grep for .no and let it go at that at first pass.

Anyway, I was surprised to find quite a few legitimate senders with incorrectly configured HELO. Even mailservers that had been configured to have only the domain in the HELO. I was astounded! There are quite a lot of clueless admins out there!

After a second pass at this, I found even more incorrectly configured HELOs. And this even from some pretty prestigious companies! Looks like a common plague…

So called CAN-SPAM compliant

Sunday, January 22nd, 2006

I came upon some messages with the recipient address encoded into the return address, and investigated. By checking the body of the message, I found something to search my spambin for:

support@casinorewards.com

These all have a physical address, and insist the recipient opted in. The mails even give the IP address and place where the opting in supposedly happened.

These mails are formatted as typical CAN-SPAM compliant mail, with a postal address you can complain to, and an opt-out facility.

I found one with a credible IP address, and the opting in was from a now defunct e-mail service, as far as I can tell. So that could theoretically be legitimate. I won’t know unless I ask the intended recipient. There were a few others with relatively credible IP addresses.

Problem is, I found several different versions for some e-mail addresses. And in one case both IP addresses in the wrong part of the world.

In other words, the CAN-SPAM compliance is SERIOUSLY in question!!!!

I should note here that I got subscribed to another such list. VERY similar formatting. And the subscriber was my 82-year-old, virus-infected friend in Arizona. She did not do this on purpose.

Burst spamrun

Sunday, January 22nd, 2006

I was minding my own business, tweaking my mail servers. Then suddenly the active queue was up significantly. I thought, what the…?

So I grepped for the domain that had the most mail waiting, and found several transactions originating at the same IP number:

84.60.208.31
dslb-084-060-208-031.pools.arcor-ip.net

When I grepped for that IP number, I found that the whole spamrun was initiated at 14:44 and ended at 14:52 today.

All of that spam was for one domain, and I believe a significant portion of the 36 mails ended up in active inboxes.

Some addresses were broken, and in a fashion I’ve seen a lot of lately. This is a fictional example that illustrates how an address might be broken. Let’s say we’ve got a user with the address susan.nobody@domain.com.

The broken address could take this form:
domain.comsusan.nobody@domain.com
domain.comsmtpsusan.nobody@domain.com
smtpsusan.nobody@domain.com
usan.nobody@domain.com
san.nobody@domain.com
osan.nobody@domain.com

I’ve seen a lot of misspelled addresses in general. Usually missing one or two initial characters. Sometimes stuff is prepended, like 0.
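The mangled forms listed above are regular enough to classify. The following is an added example, not the blog author’s code, that takes a rejected recipient and the list of real mailboxes for the domain and labels which kind of breakage it shows. The mailbox list and the label names are this example’s own assumptions; the fictional domain.com / susan.nobody addresses are the ones from the post.

```python
from collections import Counter

# Constructed mailbox list for the fictional domain used in the post.
DOMAIN = "domain.com"
VALID_LOCALPARTS = {"susan.nobody", "postmaster", "webmaster"}


def _truncated_match(fragment, valid_localparts, max_missing=3):
    """Return a valid local part that ends with `fragment` and is at most
    `max_missing` characters longer, i.e. the leading characters were dropped."""
    if len(fragment) < 4:  # too short to be a meaningful suffix
        return None
    for cand in sorted(valid_localparts):
        missing = len(cand) - len(fragment)
        if 0 < missing <= max_missing and cand.endswith(fragment):
            return cand
    return None


def classify_recipient(addr, valid_localparts=VALID_LOCALPARTS, domain=DOMAIN):
    """Return (label, matched_localpart) describing how a rejected recipient
    relates to a real mailbox. The labels are this example's own convention."""
    local, sep, dom = addr.rpartition("@")
    if not sep or dom.lower() != domain.lower():
        return ("other-domain", None)
    if local in valid_localparts:
        return ("valid", local)

    tags = []
    core = local
    # Pattern 1: the domain name glued onto the front of the local part.
    if core.lower().startswith(domain.lower()):
        core = core[len(domain):]
        tags.append("domain-prepended")
    # Pattern 2: the literal string "smtp" glued onto the front.
    if core.lower().startswith("smtp"):
        core = core[4:]
        tags.append("smtp-prepended")
    if tags and core in valid_localparts:
        return ("+".join(tags), core)

    # Pattern 3: one to three leading characters of the local part dropped.
    hit = _truncated_match(core, valid_localparts)
    if hit:
        return ("+".join(tags + ["leading-chars-missing"]), hit)

    # Pattern 4: one or two junk characters prepended, possibly on top of an
    # already truncated local part ("osan.nobody" = "o" + "san.nobody").
    for k in (1, 2):
        inner = core[k:]
        if inner in valid_localparts:
            return ("junk-prepended", inner)
        hit = _truncated_match(inner, valid_localparts)
        if hit:
            return ("junk-prepended+leading-chars-missing", hit)
    return ("unknown", None)


def summarize(addrs, **kw):
    """Histogram of breakage types over a batch of rejected recipients."""
    return Counter(classify_recipient(a, **kw)[0] for a in addrs)


# The six forms quoted in the post, plus the "prepended 0" variant.
SAMPLE_RECIPIENTS = [
    "domain.comsusan.nobody@domain.com",
    "domain.comsmtpsusan.nobody@domain.com",
    "smtpsusan.nobody@domain.com",
    "usan.nobody@domain.com",
    "san.nobody@domain.com",
    "osan.nobody@domain.com",
    "0susan.nobody@domain.com",
]

if __name__ == "__main__":
    for a in SAMPLE_RECIPIENTS:
        print(a, "->", classify_recipient(a))
    print(summarize(SAMPLE_RECIPIENTS))
```

A batch of rejected recipients that all classify as one of these patterns, rather than as "unknown", is a strong hint that the sender is a bulk mailer working from a scraped and damaged address list, not a human who mistyped one address. Rejecting unknown recipients at RCPT time, as the "User unknown in relay recipient table" lines above show, keeps every one of them out of the queue.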

All mails came from different addresses, and had different Message-ID domains.

The mail was sent to the secondary mail server. Not one message came in to the primary one. That’s fairly typical. Spammers hope the secondary server is less likely to have good anti-spam protection.

———

So I check the queue again. Nooo! It’s full again. This time one of the offenders is:

200.118.9.171

But this time only 12 mails from that system. I did find several IP addresses involved in spamruns. I can’t say if it’s the same spamrun or not, but chances are excellent that it was one spamrun.

Here’s another IP address:
148.221.134.77

———

I found an earlier spamrun today, from

59.10.183.23

And these mails ended in the spam-bin. I fished out one, and it was for s0ftware (all messages had the subject line: Software). My guess is this is a specific bulk mailer with a very recognizable MO. I found several runs from different IP addresses, and have done some filtering and coloring of messages in my spambin to identify them. I’ll hang on to them and see what I can find out.

For those that ended in my spam-bin, that I fished out and looked at, every single one pointed to the same URL, with this whois info:

Registrant / Admin Contact :
PERSON
Glenn ESTUS (ESTUS2-BMN-PE)

PO Box 51, Westport

12993 NY
UNITED STATES
phone : +48 22 3895469
fax :
e-mail : glenn_estus@yahoo.com

Domain servers :
one.offletea.com (OOC2-BMN-HST)
two.offletea.com (TOC2-BMN-HST)

Created on 12/30/2005 09:45:58
Updated on 01/04/2006 17:57:33
Expires on 12/30/2006 04:45:58

Registrar : BookMyName

The domain pings this IP:
211.144.147.202
Which is in this (surprise…) IP block:
Beijing Xiao Xiang Commerce Co.,Ltd

The e-mail address was registered at 12/30/2005

The spammer switches domains quite often, according to the NANAS thread I found concerning this spammer MO.

The whois info differs, though probably a few domains share the same info, and the same IP pool and registrar are used. DNS servers differ, but they’re vanity domains and come from the same pool of IP numbers.

———

E-mail headers:

I found some anomalies in the message headers. Here’s a munged example:

Received: from 144899528 (unknown [59.10.183.23])
by munged.ourserver (Postfix) with SMTP id EDAF517BA9
for mungedourrecipient; Sun, 22 Jan 2006 12:02:04 +0100 (CET)
Received: from givingtreegifts.com (144848872 [146990032])
by grahamrichardson.com (Qmailv1) with ESMTP id D674021FAF
for mungedourrecipient; Sun, 22 Jan 2006 05:00:48 -0600

I noticed that most of the messages had 144899528 or similar as the domain name, and it of course doesn’t match the sending IP number. The secondary recipient line seems forged, and doesn’t include an IP number at all, but the 144899528 or similar is given as a server in the chain. The headers are completely broken and forged, except for the server mine received the mail from. And that’s probably a zombie.

Guys: There are ways to make your mail server check for mismatch between HELO and IP name. Policyd-weight is one such package that works with Postfix.
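The anomalies called out above (a bare number as the HELO name, a second Received line whose "IP" is not an IP, no reverse DNS for the connecting client) are all mechanically checkable, which is what the HELO-versus-IP checks in the "Wrong HELO" post and in policyd-weight do at SMTP time. Below is an added example, not policyd-weight's code and not the blog author's, that parses Received headers and applies a few such sanity checks offline. It uses the munged headers quoted above as sample input; the finding names and the "same parent domain" heuristic for HELO/rDNS agreement are this example's own assumptions, not any standard.

```python
import ipaddress
import re

# The munged Received headers quoted in the post, used here as sample input.
SAMPLE_HEADERS = """\
Received: from 144899528 (unknown [59.10.183.23])
    by munged.ourserver (Postfix) with SMTP id EDAF517BA9
    for mungedourrecipient; Sun, 22 Jan 2006 12:02:04 +0100 (CET)
Received: from givingtreegifts.com (144848872 [146990032])
    by grahamrichardson.com (Qmailv1) with ESMTP id D674021FAF
    for mungedourrecipient; Sun, 22 Jan 2006 05:00:48 -0600
"""

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def is_fqdn(name):
    """Fully-qualified hostname: two or more syntactically valid labels and an
    alphabetic top-level label. A bare number or a single word fails."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return False
    return labels[-1].isalpha()


def is_ip(text):
    """True for a dotted IPv4 or textual IPv6 address (not a bare integer)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def unfold(text):
    """Join folded header continuation lines (leading whitespace) onto the previous line."""
    out = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


# "from <helo> (<rdns> [<ip>]) by <host>" as written by Postfix-style MTAs.
HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)"
    r"(?:\s+by\s+(?P<by>\S+))?"
)


def parse_hops(text):
    """Return one dict per Received header, topmost (closest to us) first."""
    hops = []
    for line in unfold(text):
        m = HOP_RE.match(line)
        if m:
            hops.append({"helo": m.group("helo"), "rdns": m.group("rdns") or "",
                         "ip": m.group("ip"), "by": m.group("by") or ""})
    return hops


def _parent(name):
    """Last two labels, a crude stand-in for the registrable domain (assumption)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def check_hop(hop):
    """List the sanity-check findings for one hop; an empty list means clean."""
    findings = []
    helo = hop["helo"]
    # A HELO may legitimately be a bracketed address literal such as [192.0.2.1].
    literal = helo.startswith("[") and helo.endswith("]") and is_ip(helo[1:-1])
    if not literal and not is_fqdn(helo):
        findings.append("helo-not-fqdn")
    if helo.isdigit():
        findings.append("helo-numeric")
    if not is_ip(hop["ip"]):
        findings.append("ip-literal-invalid")  # a forged hop with no real address
    rdns = hop["rdns"]
    if rdns == "unknown":  # Postfix writes "unknown" when the PTR lookup fails
        findings.append("no-reverse-dns")
    elif rdns and not is_fqdn(rdns):
        findings.append("rdns-not-fqdn")
    elif rdns and is_fqdn(helo) and _parent(helo) != _parent(rdns):
        findings.append("helo-rdns-domain-mismatch")
    return findings


def audit(text):
    """(client ip, findings) for each hop, so a reader can see where the chain breaks."""
    return [(h["ip"], check_hop(h)) for h in parse_hops(text)]


if __name__ == "__main__":
    for ip, findings in audit(SAMPLE_HEADERS):
        print(ip, findings or "ok")
```

Only the topmost hop is something your own server observed; every hop below it was written by whoever handed you the message and can be forged freely, as the second line here shows. At SMTP time Postfix can refuse the first two findings outright with `reject_non_fqdn_helo_hostname` and `reject_invalid_helo_hostname`; the rDNS and mismatch findings are the kind of evidence policyd-weight turns into a score rather than a hard reject, which is what keeps the misconfigured-but-legitimate senders from the "Wrong HELO" post deliverable.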

Comment bombing

Thursday, January 19th, 2006

I’ve been comment bombed today. 84 new comments.

The offender is one
200.108.238.107

And the linkspam is French.

Most of the spam is for sites at
membres.lycos.fr

User agents:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8) Gecko/20051111 Firefox/1.5

The weird thing is that this one loads images and css files. It appears to be a real browser. And there’s this word appended to the URLs on my blog sometimes: chuades. Eventually the browser (or whatever it is) stops asking for the images (most of the time) and goes straight into spamming mode. Hmm, two different browsers, two behaviors, one IP, one time period.