Archive for January, 2006

Thanks for the compliments

Sunday, January 15th, 2006

One of the newer regulars here devoted a post on his blog to me. He’s a self-professed spammer, so I can’t expect him to agree with me on spam. He finds my blog amusing. But he had nice things to say about my looks and personality, and I have to say thanks for the compliments.

But since I have my real name on my blog, I like to deal with the real name of the people who write about me, not an alias. So I went to see if I could find out who he was.

He’s commenting here as Spam King, with a link to a site not his own. He generally goes by the name Bud Wiser. He went by Jimbo in the past. But his real name appears to be James Kiricov.

I’m not going to waste any time detailing his spam. He’s been a spammer for many years, so his reputation is long since established. I doubt he’ll lose sleep over me printing his name either, it’s been known in anti-spam circles for years.

And yes, I found some of his tactics. Quite interesting. I might share one with Matt, when I get some free time.

Our resident spammer

Saturday, January 14th, 2006

(Since Olliver already figured it out, I better post this now instead of waiting until tomorrow)

So, who did the tigerspice and emistry spam?

As far as I can tell from the circumstantial evidence, it’s none other than the regular here who goes by the nick “seo black & white”. He also goes by Rathamahata, but his real name appears to be Sergey S. Kostyliov.

He’s been here for quite a while, and I should have put the pieces together. But I’ve been preoccupied with my job and mail servers, and he was playing nice, so I welcomed him. Actually, I’m not saying he should take a hike now either. I’m not going to chase him away if he’s playing nice. But that might be too much to expect after this little exposé. Or maybe he’s glad for the attention?

Sergey, you knew I was a spam hunter. You knew I get my kicks from finding out exactly who spammers are. So why did you come here in the first place? Do you like living dangerously?

Anyway, back to the exposé.

Emistry.com had the same Adsense publisher account as his personal site (pub-7003516765187668). Like I said, the emistry spammer was quite a joker, so I couldn’t be sure it was his code. But there’s more.

His blog at rathamahata.blogspot.com has links to speedygoogle.org, which has an e-mail address from rathamahata.net in the whois info. That site is hosted on 65.75.152.31, which also holds a few other domains. Some of those have whois info I remembered. Spammers often use naming conventions, even when they use fake whois info. And the Tigerspice spammer used lots of different names. I’ve collected many of them, and remember them. So it was easy to figure out that the domain was (and probably still is) owned by that spammer.

Sergey has been mixing his whites and his coloreds, as a housewife would say. He’s been keeping white and black domains on the same servers…

But spammy domains can live side by side with non-spammy domains on the same IP address, and the domains can be owned by different people (different reseller accounts or single accounts). So the next order of business is to figure out exactly what kind of IP address this is.

Managed INC uses an rwhois server, so you can find info on small IP blocks. Here’s the info for this block (and I munged the abuse address):

Server Used: [ rwhois.managedsg-inc.com:4321 ]

65.75.152.31 = [ ]
network: Auth-Area: 65.75.128.0/18
network: Class-Name: network
network: Network-Name: NET-MSG
network: IP-Network: 65.75.152.30/30
network: IP-Network-Block: 65.75.152.30-33
network: Organization-Name: Co
network: Organization-City: Moscow
network: Organization-State: RU
network: Organization-Zip: 113093
network: Organization-Country: US
network: Description-Usage: customer
network: Created: 20060111
network: Updated: 20060111
network: Updated-By: abuse at managedsg hyphen inc dot com

In other words, those four IP addresses belong to the same outfit.
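The rwhois record above is just “class: Key: Value” lines, so it is easy to parse and sanity-check. The following is an added example (not code from the blog or from the rwhois server’s operator): it parses the record exactly as printed above into a dictionary, expands the IP-Network-Block shorthand into individual addresses, tests whether a given address falls in the block, and flags one thing a practitioner should notice in this particular record: the block “65.75.152.30-33” does not fit inside the CIDR “65.75.152.30/30” it is listed with. The query_rwhois helper is included for completeness and assumes the server accepts a bare whois-style query line on port 4321, which is how the “Server Used” line above was produced; nothing else here touches the network.

```python
import ipaddress
import socket

# Sample record in the rwhois format quoted on the page (values copied from
# the page's lookup; the abuse address was already munged there).
SAMPLE_RWHOIS = """\
network: Auth-Area: 65.75.128.0/18
network: Class-Name: network
network: Network-Name: NET-MSG
network: IP-Network: 65.75.152.30/30
network: IP-Network-Block: 65.75.152.30-33
network: Organization-Name: Co
network: Organization-City: Moscow
network: Organization-State: RU
network: Organization-Zip: 113093
network: Organization-Country: US
network: Description-Usage: customer
network: Created: 20060111
network: Updated: 20060111
network: Updated-By: abuse at managedsg hyphen inc dot com
"""


def query_rwhois(server, ip, port=4321, timeout=10):
    """Fetch the raw record for `ip`. Assumes the server answers a bare
    whois-style query (the same thing `whois -h server -p 4321 ip` sends)."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall((ip + "\r\n").encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_rwhois(text):
    """Turn 'class: Key: Value' lines into {class: {key: value}}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        cls, rest = line.split(":", 1)
        if ":" not in rest:            # a class without a key/value pair; skip
            continue
        key, value = rest.split(":", 1)
        records.setdefault(cls.strip(), {})[key.strip()] = value.strip()
    return records


def block_range(block):
    """Expand 'A.B.C.D-E' (last octet only) or 'A.B.C.D-W.X.Y.Z' into (first, last)."""
    start, end = (part.strip() for part in block.split("-", 1))
    if "." not in end:                 # shorthand: only the last octet was given
        end = start.rsplit(".", 1)[0] + "." + end
    return ipaddress.ip_address(start), ipaddress.ip_address(end)


def addresses_in_block(block):
    first, last = block_range(block)
    return [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]


def ip_in_block(ip, block):
    first, last = block_range(block)
    return first <= ipaddress.ip_address(ip) <= last


def inconsistencies(net):
    """Report fields of one 'network' record that contradict each other."""
    issues = []
    cidr, blk = net.get("IP-Network"), net.get("IP-Network-Block")
    if cidr and blk:
        network = ipaddress.ip_network(cidr, strict=False)
        first, last = block_range(blk)
        if not (first in network and last in network):
            issues.append(f"IP-Network-Block {blk} is not inside IP-Network {cidr}")
    return issues


if __name__ == "__main__":
    net = parse_rwhois(SAMPLE_RWHOIS)["network"]
    print("block holds", [str(a) for a in addresses_in_block(net["IP-Network-Block"])])
    print("issues:", inconsistencies(net))
```

Running it on the record above lists the four addresses .30 through .33 and reports the CIDR/block mismatch; a record whose own fields disagree is worth a second look before you rely on it for attribution.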

So, next question is if this is coincidence or not.

A lot has been written about Tigerspice. There was a collective cry of pain from the blogging world when he started that campaign in February 2005.

Mildinsanity traced some of his DNS servers, and they came down to numbers in that block.

And here is where Netcraft (or several old zone files, if you can get them; I’m interested if you’ve got some, BTW) comes into play (check my tracing page for links).

The spammer moved his domains from IP address to IP address. He often recycled them, and moved them about (probably) depending on the amount of traffic he expected. He’s got accounts on machines that hold other people’s domains (probably reseller accounts), and he’s got his own machines with only his own domains. It’s all moving about. Here’s Netcraft’s saved history of

tigerspice.com
13-Jan-2006 205.234.132.13
23-Feb-2005 219.153.9.11
18-Feb-2005 65.75.152.33
15-Feb-2005 211.144.164.145
14-Feb-2005 205.234.132.13
12-Feb-2005 211.144.164.145
10-Feb-2005 211.144.164.145
7-Feb-2005 211.144.164.145

genaholincorporated.com
13-Jan-2006 206.225.93.42
8-Apr-2005 81.3.150.161

emistry.com
11-Nov-2005 Failed to resolve hostname
15-Sep-2005 84.204.54.116
14-Sep-2005 84.204.54.116
13-Sep-2005 206.225.93.42
12-Sep-2005 216.32.95.180
1-Sep-2005 216.32.95.180

poker-rooms-777.com
13-Jan-2006 205.234.132.13
But according to http://drupal.org/node/14216 :
December 2004 222.47.62.198

free--online--poker.com
13-Jan-2006 65.75.152.31
9-Jan-2005 69.50.163.38
31-Dec-2004 222.47.62.198

online-----poker.com
13-Jan-2006 65.75.152.31
9-Jan-2005 69.50.163.35
31-Dec-2004 222.47.62.198

As I mentioned before, the Tigerspice (and subsequent domains) campaign started February 2005. But poker-rooms-777.com was spamvertized as early as October 2004, and the earliest mention of it (that I could find) in MT Blacklist was September 2004.
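The hosting history above is used in one specific way: two domains that sat on the same IP address at any point are treated as linked, and the links are followed from domain to domain. The block below is an added example (not the blog’s own tooling and not Netcraft code) that encodes the history exactly as listed above and automates that pivot: it indexes addresses by domain, lists the addresses that were shared, prints the timeline of one address, and walks the shared-address links out from a seed domain. It assumes the doubled-hyphen domain names were mangled by the blog software and restores them as free--online--poker.com and online-----poker.com; the drupal.org entry is kept at month precision (“Dec-2004”) because no day is given. Only IP co-hosting is modeled here; the Adsense and whois pivots from the post are not.

```python
from collections import defaultdict
from datetime import datetime

# Hosting history as listed on the page (Netcraft lookups plus the drupal.org
# entry for poker-rooms-777.com). Dates are kept as the page prints them.
HISTORY = {
    "tigerspice.com": [
        ("13-Jan-2006", "205.234.132.13"), ("23-Feb-2005", "219.153.9.11"),
        ("18-Feb-2005", "65.75.152.33"), ("15-Feb-2005", "211.144.164.145"),
        ("14-Feb-2005", "205.234.132.13"), ("12-Feb-2005", "211.144.164.145"),
        ("10-Feb-2005", "211.144.164.145"), ("7-Feb-2005", "211.144.164.145"),
    ],
    "genaholincorporated.com": [
        ("13-Jan-2006", "206.225.93.42"), ("8-Apr-2005", "81.3.150.161"),
    ],
    "emistry.com": [
        ("15-Sep-2005", "84.204.54.116"), ("14-Sep-2005", "84.204.54.116"),
        ("13-Sep-2005", "206.225.93.42"), ("12-Sep-2005", "216.32.95.180"),
        ("1-Sep-2005", "216.32.95.180"),
    ],
    "poker-rooms-777.com": [
        ("13-Jan-2006", "205.234.132.13"), ("Dec-2004", "222.47.62.198"),  # month only
    ],
    "free--online--poker.com": [   # hyphen count reconstructed from the page
        ("13-Jan-2006", "65.75.152.31"), ("9-Jan-2005", "69.50.163.38"),
        ("31-Dec-2004", "222.47.62.198"),
    ],
    "online-----poker.com": [      # hyphen count reconstructed from the page
        ("13-Jan-2006", "65.75.152.31"), ("9-Jan-2005", "69.50.163.35"),
        ("31-Dec-2004", "222.47.62.198"),
    ],
}


def parse_date(text):
    """Accept '7-Feb-2005' or 'Dec-2004' (the latter defaults to the 1st)."""
    for fmt in ("%d-%b-%Y", "%b-%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    raise ValueError(f"unrecognised date: {text}")


def ip_index(history):
    """Map each IP address to the set of domains ever seen on it."""
    by_ip = defaultdict(set)
    for domain, rows in history.items():
        for _, ip in rows:
            by_ip[ip].add(domain)
    return dict(by_ip)


def shared_ips(history):
    """Only the addresses that hosted more than one of the domains."""
    return {ip: doms for ip, doms in ip_index(history).items() if len(doms) > 1}


def timeline(history, ip):
    """Chronological (date, domain) pairs for one address."""
    rows = [(parse_date(d), domain)
            for domain, entries in history.items() for d, addr in entries if addr == ip]
    return sorted(rows)


def cluster(history, seed, key=lambda ip: ip):
    """Domains reachable from `seed` by repeatedly pivoting on shared hosting.
    `key` lets you pivot on something coarser than the exact IP (e.g. a block)."""
    by_key = defaultdict(set)
    for domain, rows in history.items():
        for _, ip in rows:
            by_key[key(ip)].add(domain)
    seen, todo = set(), [seed]
    while todo:
        domain = todo.pop()
        if domain in seen:
            continue
        seen.add(domain)
        for _, ip in history[domain]:
            todo.extend(by_key[key(ip)] - seen)
    return seen


if __name__ == "__main__":
    for ip, doms in sorted(shared_ips(HISTORY).items()):
        print(ip, sorted(doms))
    print(sorted(cluster(HISTORY, "tigerspice.com")))
```

On this data the IP pivot alone splits the six domains into two groups: tigerspice.com, poker-rooms-777.com and the two hyphenated poker domains on one side (joined through 205.234.132.13, 222.47.62.198 and 65.75.152.31), emistry.com and genaholincorporated.com on the other (joined through 206.225.93.42). Passing a `key` that maps 65.75.152.31 and 65.75.152.33 to the same rwhois block is how the post’s argument bridges the two lookups.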

Judging from Sergey’s opinions and self-professed Black and White SEO activity, I’d say it’s likely he’s the Tigerspice and Emistry spammer, and he also may have done some nonsense spam. He’s quite fond of experimenting, so that fits. He says he’s been involved in SEO since June 2005, but his spamming activities appear to go back further than that. The only way I can see that it’s a misunderstanding would be if the spammer is a friend and let him host his personal site on his machine for free. It’s theoretically possible, but I don’t know how likely it is. There don’t appear to be any sites on those IP numbers that are unrelated to the spammer. I’m guessing it’s the same machine, and it has three IP numbers. That’s quite common in the spamming world. Based on my experience with tracing, it’s almost certain the domains on those IP numbers are all owned by the same person. Today at least; what he does tomorrow to fudge it is another thing. But this is a historical document, and I’ve got more stashed away, so it’s not going to help him.

Sergey has a history of Linux kernel development, and some other programming. And he likes BSD as an operating system (and many of the webservers are running FreeBSD). I’m sure he’s capable of coding his own spamming application. Which would explain his condescending comments about Russian school boys and spamming. They’re probably using code they’ve bought or pilfered from others.

The whois information on his personal site is probably either legit or a good forgery. The address exists. It’s not his home address, but a business location in Moscow.

Emistry aka Tigerspice

Saturday, January 14th, 2006

I’ve uncovered circumstantial evidence that leads me to believe the emistry.com spam came from the same outfit that shot to fame as the tigerspice.com spammer.

Tomorrow: Who the spammer is

I know what you did last summer

Friday, January 13th, 2006

One of the regulars here is a spammer.

And I know what he did last summer.

I’m just putting the finishing touches on his exposé.

I’m sure the regulars won’t be surprised that he is a spammer. But they might be surprised to find exactly WHICH spammer he is…

Mediawiki indexing problems

Friday, January 13th, 2006

I’m using MediaWiki on my site. I like it a lot, and I was resting easy, assured that all outgoing links had nofollow on them.

So I’ve been wondering for some time about spammers, and why they bother with spamming it.

I think I may have found out why.

RSS feeds.

Both the Atom and RSS feeds of RecentChanges are being indexed by Google. Not good. Although the links don’t actually work on those feeds, I can still find the spammy buzzwords by searching for them via Google with
site:spamhuntress.com

Some spammers are smart, but many are just using tools, spraying and praying, and don’t have a clue about nofollow or other sticky points. So figuring out exactly what the Mediawiki spammers are THINKING, is probably futile.

But the MediaWiki developers need to fix this. They need to put a nofollow on those links, and some others that Joe found. Joe, can we get a comment with your findings?
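The fix being asked for is mechanical: every outgoing link in the feed markup should carry rel="nofollow", while links back into your own site stay as they are. The block below is an added example, not MediaWiki code and not anything from this blog, showing one way to apply that to a fragment of feed HTML before it is served. It assumes anchors use double-quoted attributes (as MediaWiki’s output does), treats any href whose host is not in the site’s own host list as external, and merges “nofollow” into an existing rel attribute rather than adding a second one; the host list is an assumed parameter.

```python
import re
from urllib.parse import urlparse

A_TAG = re.compile(r"<a\b[^>]*>", re.IGNORECASE)
HREF = re.compile(r'\bhref\s*=\s*"([^"]*)"', re.IGNORECASE)
REL = re.compile(r'\brel\s*=\s*"([^"]*)"', re.IGNORECASE)


def is_external(href, own_hosts):
    """Relative links have no host and are internal; '//host/...' counts as external."""
    host = urlparse(href).hostname
    return host is not None and host.lower() not in own_hosts


def nofollow_tag(tag, own_hosts):
    """Return the <a ...> opening tag with rel="nofollow" added if it points off-site."""
    href = HREF.search(tag)
    if not href or not is_external(href.group(1), own_hosts):
        return tag
    rel = REL.search(tag)
    if rel:
        tokens = rel.group(1).split()
        if "nofollow" in (t.lower() for t in tokens):
            return tag                      # already there, leave it alone
        tokens.append("nofollow")
        return tag[:rel.start(1)] + " ".join(tokens) + tag[rel.end(1):]
    return tag[:-1].rstrip() + ' rel="nofollow">'


def add_nofollow(html, own_hosts):
    """Rewrite every anchor in `html`; `own_hosts` are the hosts that stay followable."""
    own = {h.lower() for h in own_hosts}
    return A_TAG.sub(lambda m: nofollow_tag(m.group(0), own), html)


if __name__ == "__main__":
    # Constructed feed fragment, not taken from any real RecentChanges feed.
    sample = ('<p>Edit by <a href="/wiki/User:Example">Example</a>: '
              '<a href="http://example.org/pills">cheap pills</a></p>')
    print(add_nofollow(sample, {"spamhuntress.com"}))
```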

Catch all test

Tuesday, January 10th, 2006

I’ve seen a number of double bounced mails addressed to a1aaa1azzzz1zaaaaa@domain.com

I finally smelled a rat and did some log grepping.

Yep, it looks like a test mail, sent to multiple domains.

I see some of those coming multiple times to the same domain. But even so, it’s a mark of a spammer.

But that’s my theory. There are lots of other theories on the net:

Joe Wein has a different perspective. He saw some joe jobs where the spammers sent mail to that account, with a link to a domain he owns.

I checked my spam bin, and I had one fairly recent mail sent to one such address.

Straight viagra mail, sent by Jarrod Glass. The investigation has already been done on NANAS. There’s lots of spam delivered to that a1aaa1azzzz1zaaaaa address on NANAS as well.

I saw someone saying it must be a virus.

And here’s someone with the same theory as mine. Well, except by now I wouldn’t block IP numbers based on that. The spammer appears to be using zombies. I’d say an e-mail with that recipient is enough to put the sending IP on a list of machines to check out to see if they’re zombies, though.
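The “log grepping” above amounts to pulling every RCPT that targeted the probe local-part and grouping it by sending IP, then looking at which IPs hit more than one of your domains. The block below is an added example (not the blog’s own script) that does exactly that over a few constructed Postfix smtpd reject lines in the standard Postfix log format; the addresses and hostnames in the sample are made up, and the probe local-part is the one quoted in the post. The min_domains threshold is an assumed knob for turning the result into a list of machines worth checking for zombie behaviour rather than a blocklist.

```python
import re
from collections import defaultdict

# Constructed Postfix smtpd log lines (documentation addresses, not real senders).
SAMPLE_LOG = """\
Jan 10 03:12:44 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a1aaa1azzzz1zaaaaa@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<a1aaa1azzzz1zaaaaa@example.com> proto=ESMTP helo=<dsl-host>
Jan 10 03:12:51 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a1aaa1azzzz1zaaaaa@example.org>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<a1aaa1azzzz1zaaaaa@example.org> proto=ESMTP helo=<dsl-host>
Jan 10 03:15:02 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <a1aaa1azzzz1zaaaaa@example.com>: Recipient address rejected: User unknown in local recipient table; from=<carol@example.net> to=<a1aaa1azzzz1zaaaaa@example.com> proto=ESMTP helo=<cable-modem>
Jan 10 03:16:30 mx postfix/smtpd[2240]: 4F2A1C: client=mail.example.net[203.0.113.5]
Jan 10 03:16:31 mx postfix/qmgr[1101]: 4F2A1C: from=<alice@example.net>, size=1204, nrcpt=1 (queue active)
"""

# Local-parts that only ever show up as catch-all probes or dictionary tests.
PROBE_LOCALPARTS = {"a1aaa1azzzz1zaaaaa"}

# Postfix smtpd lines name the client as "RCPT from host[ip]" and the recipient as "to=<...>".
RCPT_LINE = re.compile(
    r"RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[0-9.]+)\].*?to=<(?P<rcpt>[^>]+)>")


def probe_hits(log, probes=PROBE_LOCALPARTS):
    """Map each client IP to the set of recipient domains it probed."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = RCPT_LINE.search(line)
        if not m or "@" not in m.group("rcpt"):
            continue
        local, domain = m.group("rcpt").rsplit("@", 1)
        if local.lower() in probes:
            hits[m.group("ip")].add(domain.lower())
    return dict(hits)


def suspect_ips(log, probes=PROBE_LOCALPARTS, min_domains=1):
    """Client IPs that probed at least `min_domains` distinct domains, sorted."""
    return sorted(ip for ip, doms in probe_hits(log, probes).items()
                  if len(doms) >= min_domains)


if __name__ == "__main__":
    for ip, doms in probe_hits(SAMPLE_LOG).items():
        print(ip, "probed", sorted(doms))
    print("multi-domain probers:", suspect_ips(SAMPLE_LOG, min_domains=2))
```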

Intercage with lots of WMF exploits

Saturday, January 7th, 2006

I was reading up on SANS, and found this gem:

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Basically, they advocate blocking all of Intercage due to a large number of WMF exploits.

Since Microsoft released the patch, those might be harmless by now (if you’re running a patched XP computer).

But the point is, when there’s a new exploit, Intercage (and, it seems, Inhoster) are likely to have a lot of exploits hidden in their IP range. Until they find and disable them. But considering ESThost is on Intercage, and the regular recruitment of badasses from there, the problem is they first have to find the exploits and shut them down.

So, I guess blocking those ranges might be a good idea in general.

Responsible use of disposable addresses

Wednesday, January 4th, 2006

I’ve seen a lot of disposable addresses over the last few years. There are services out there that hawk these addresses. There are spam aware domain owners who consistently use these when leaving messages on blogs. And I’ve had pitches from people who think they’ve found the solution to spam, and teach it to others. They want me to link to them on my blogroll. I’ve told one guy I don’t believe in his method (at least not the selfish way he’s teaching it). I’ll tell you why here.

Problem is, disposable addresses INCREASE the sum total of spam.

Why?

The point isn’t just how much spam you personally see in your inbox. The point is just as much how hard mailservers have to work to try and deliver spam.

And the main point is, that the more e-mail addresses that get into the hands of spammers, the more spam we’ll see.

Except.

If you use e-mail addresses responsibly, the spam never leaves the spamming servers.

And the trick is to make sure you don’t use catch-all e-mail addresses. It’s a lot more work. But if you only allow your mailserver to accept valid addresses, it can safely reject the invalid ones.

A Postfix server (for instance) can reject mail all day and not break a sweat. It might break a sweat if it has to receive mail and then try to bounce it once it can’t be delivered to the intended recipient.

There is an easy way to use disposable addresses, though. If you use a webserver with cPanel, it’s possible to use disposable addresses combined with catch-all. The trick is to add a forwarder once you retire an address:

Go to Forwarders
Click on Add Forwarder (at the bottom of the screen in my skin. I prefer Monsoon, BTW)
Write in your address, then write :fail: in the forward to field, then click Add Forwarder. Like this:

[screenshot: fail addy]

A few years ago, cPanel changed the functionality of these fail forwarders. Today, the server will reject the mail without accepting it. In the past, you could specify a message after :fail:, and that message would be sent on to the recipients of the bounce. Today, since the server rejects it and doesn’t even receive the mail, that message has no function. Writing :fail: is enough.

If I send an e-mail to that address, I’ll get a bounce from MY sending mail server, saying something like this:

host annelisabeth.com[munged] said: 550-"The
recipient cannot be verified. Please check all recipients of this 550
message to verify they are valid." (in reply to RCPT TO command)

If a spammer sends spam, there will be no bounce. The zombie will just quietly go on sending to another spam victim. Hopefully the spammer keeps track of which addresses are rejected, but I wouldn’t hold my breath.

If you don’t use disposable addresses, but have cPanel, the responsible way to run your domain is to make forwarders for each address you intend to receive mail on, then disable catch-all e-mail. That’s done by clicking on Default Address in cPanel. Click on Set Default Address (at the bottom of the screen), then send it to :fail: the same way you’d do with a forwarder for an address you want to reject.
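The difference the post is driving at is where the decision is made: at RCPT TO time, before the message body is ever accepted, or afterwards, when the only option left is a bounce to a (usually forged) sender. The block below is an added example, not Postfix or cPanel code, that models the three server behaviours discussed above over a constructed batch of spam envelopes: a strict server that only knows listed mailboxes, a catch-all server, and a server that accepts everything and bounces what it cannot deliver. The retired set plays the role of the cPanel :fail: forwarders, which win in every mode; the mode names and the sample addresses are assumptions for the demonstration.

```python
from collections import Counter

MODES = ("strict", "catch_all", "accept_then_bounce")


class RecipientPolicy:
    """What a mail server answers at RCPT TO, and what happens afterwards."""

    def __init__(self, mailboxes, retired=(), mode="strict"):
        if mode not in MODES:
            raise ValueError(mode)
        self.mailboxes = {m.lower() for m in mailboxes}   # accounts/forwarders that exist
        self.retired = {r.lower() for r in retired}       # cPanel-style ':fail:' forwarders
        self.mode = mode

    def rcpt_to(self, address):
        """SMTP reply code at RCPT TO time. 550 here means no body is ever received."""
        a = address.lower()
        if a in self.retired:                 # an explicit :fail: entry wins in every mode
            return 550
        if a in self.mailboxes or self.mode != "strict":
            return 250
        return 550

    def outcome(self, recipient):
        """'rejected' (at RCPT), 'delivered', 'catch_all' (lands in the default box)
        or 'bounce' (accepted, then a non-delivery report goes to the sender)."""
        if self.rcpt_to(recipient) != 250:
            return "rejected"
        if recipient.lower() in self.mailboxes:
            return "delivered"
        return "catch_all" if self.mode == "catch_all" else "bounce"


def simulate(policy, envelopes):
    """envelopes: (envelope sender, recipient). Returns outcome counts and the
    list of senders who would receive backscatter."""
    counts = Counter(policy.outcome(rcpt) for _, rcpt in envelopes)
    backscatter = [sender for sender, rcpt in envelopes if policy.outcome(rcpt) == "bounce"]
    return dict(counts), backscatter


# Constructed dictionary-attack batch: forged senders, one real mailbox, one
# retired disposable address, two addresses that never existed.
MAILBOXES = {"anne@example.com"}
RETIRED = {"oldlist2004@example.com"}
ENVELOPES = [
    ("forged1@example.net", "anne@example.com"),
    ("forged2@example.net", "oldlist2004@example.com"),
    ("forged3@example.net", "zzz123@example.com"),
    ("forged4@example.net", "a1aaa1azzzz1zaaaaa@example.com"),
]


def compare_modes(envelopes=ENVELOPES):
    """Run the same batch through each mode so the difference is visible side by side."""
    return {mode: simulate(RecipientPolicy(MAILBOXES, RETIRED, mode), envelopes)
            for mode in MODES}


if __name__ == "__main__":
    for mode, (counts, backscatter) in compare_modes().items():
        print(f"{mode:19s} {counts}  backscatter to: {backscatter}")
```

The strict server rejects three of four envelopes at RCPT TO and generates no bounces; the catch-all server still rejects the retired address (that is the :fail: trick) but takes the two unknown ones into its default mailbox; the accept-then-bounce server sends non-delivery reports to forged senders, which is the backscatter the post warns about.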

Do not spam list

Monday, January 2nd, 2006

Matt Cutts, me and my friends are all on a do not spam list, by one guy who’s writing a blog on black hat techniques.

And no, I won’t link to it here.

But it’s wild to see spammers keep a do not spam list…