Archive for February, 2006

Tarred with the same brush

Monday, February 27th, 2006

Update: The spam campaign resulted in a flood of e-mail to Michael Pollitt. The effect was like a mailbomb.

I got tipped about a guestbook spam campaign fraudulently using our names - Halz, Lemat, Michael Pollitt, Ann Elisabeth, Dirk, Paulo and others.

And I followed the trail. The first tip was that someone using the same IP numbers as the spammers had looked up the name

Denis Basargin

in my blog some time in February. So I kept that in mind as I continued tracking.

The URLs spammed led to blogs that had obfuscated JavaScript redirecting to a specific URL on compays.com. If you checked the root domain, you couldn’t get any info. But when I checked the specific URL I got from the script, I was 301 redirected to 1-800-pills.com, which is owned by the spammer I identified a long time ago as using the name Denis Basargin. Today, the same e-mail address is given for both the spam domain and Denis’ main domain for his software. So we can be reasonably sure it’s the same person.

And in case you’re wondering, here are the IP numbers to his (no doubt leased) spambots:

85.255.116.178
85.255.116.179
85.255.116.180
85.255.116.181
85.255.116.182

Adwords and blogspam

Tuesday, February 21st, 2006

I did a search for blog blasters, and found some “verboten” programs in Adwords at the top of the page again.

blog blaster - Google Search

Google really need some Adwords policing!

These domains are banned from the index, yet the Adwords program accepts them?

PRstorm for sale again

Tuesday, February 21st, 2006

Update: Did you see his reason for selling? It’s pure BS, if you check what he said earlier on Michael Pollitt’s blog.

PRstorm is yet again for sale.

Is there anything we can do to get this piece of shit yanked once and for all?

PRstorm on Ebay

Spambot left on autopilot?

Saturday, February 18th, 2006

I’ve noticed referrer spam from jaja-jak-globusy.com now and then over the last few months.

Today I checked, and it doesn’t even resolve.

So my question is, have they left the spambot on autopilot and forgotten to turn it off? It’s been spamming from the same place forever now.

Find infectees on your network

Friday, February 17th, 2006

I’ve been working on ways to find infected computers on my network.

And there is one very simple way.

If you have a Postfix server, grep the log files each day for these phrases:

Blocked SPAM, LOCAL
Passed SPAM, LOCAL

Or you could do it in one go:
SPAM, LOCAL

That should net you a few infected machines.

I’ve seen infected machines sending spam to addresses in their own address book, so you should be able to find stuff that way.

Be on the lookout for stuff that looks like infected computers, but isn’t. A mail server (at a client site) that forwards mail to other recipients (such as a BlackBerry) may forward spam along with it. You should familiarize yourself with the recipients in these cases, and figure it out that way.

Other servers may be set up in such a way that they can be used to relay mail to their own domain. If that’s what you’re seeing, you’ll notice there are no outside recipients.
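Here is one way to turn the daily grep above into a per-host summary, as an added example (not from the post). The phrases "Blocked SPAM, LOCAL" and "Passed SPAM, LOCAL" are what amavisd-new writes when the spam came from a client in the local networks; the sample lines below are constructed in that shape, and the exact field layout (first bracketed IP = SMTP client, second = originating IP from the headers) is an assumption to check against your own log. The KNOWN_RELAYS list is the place for the false positives the post warns about: a forwarding mail server at a client site that passes spam on to a BlackBerry will show up here with outside originating IPs, so it is listed and filtered out.

```sh
#!/bin/sh
# Added example: summarise "SPAM, LOCAL" hits per internal client.
# Usage: sh find_infectees.sh [/var/log/mail.log]; without an argument a
# constructed sample log is used so the script runs stand-alone.

# Internal hosts that legitimately forward mail onwards (e.g. a client-site
# mail server relaying to a BlackBerry). Constructed address; list your own.
KNOWN_RELAYS="192.168.1.10"

# Constructed sample in the shape of amavisd-new log lines (assumed layout).
# 192.168.1.50 and .77 are "infected" desktops; 192.168.1.10 is a relay that
# forwarded spam it received from outside (203.0.113.7).
sample_log() {
cat <<'EOF'
Feb 17 08:12:01 mx amavis[4412]: (04412-01) Blocked SPAM, LOCAL [192.168.1.50] [192.168.1.50] <bob@example.org> -> <alice@example.org>,<carol@example.net>, Hits: 14.2
Feb 17 08:12:05 mx amavis[4412]: (04412-02) Passed SPAM, LOCAL [192.168.1.50] [192.168.1.50] <bob@example.org> -> <dave@example.com>, Hits: 6.1
Feb 17 08:13:44 mx amavis[4413]: (04413-01) Passed CLEAN, LOCAL [192.168.1.22] [192.168.1.22] <erin@example.org> -> <frank@example.net>, Hits: -1.0
Feb 17 08:15:10 mx amavis[4414]: (04414-01) Blocked SPAM, LOCAL [192.168.1.10] [203.0.113.7] <x@example.com> -> <pager@example.org>, Hits: 20.3
Feb 17 08:16:02 mx amavis[4415]: (04415-01) Blocked SPAM, [198.51.100.9] [198.51.100.9] <spam@example.com> -> <alice@example.org>, Hits: 22.0
Feb 17 08:17:30 mx amavis[4416]: (04416-01) Passed SPAM, LOCAL [192.168.1.77] [192.168.1.77] <grace@example.org> -> <heidi@example.org>, Hits: 7.9
EOF
}

# Total number of spam messages that originated from a local client
spam_local_hits() {
    grep -c 'SPAM, LOCAL' "$1" || true
}

# Hits per SMTP client IP, highest first, with the known relays filtered out
suspect_ips() {
    grep 'SPAM, LOCAL' "$1" \
      | sed -n 's/.*SPAM, LOCAL \[\([0-9.][0-9.]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v relays="$KNOWN_RELAYS" '
          BEGIN { n = split(relays, r, " "); for (i = 1; i <= n; i++) skip[r[i]] = 1 }
          !($2 in skip) { print $2, $1 }'
}

# Run against the given log, or the constructed sample when none is given
if [ -n "${1:-}" ]; then
    target=$1; cleanup=""
else
    target=$(mktemp); sample_log > "$target"; cleanup=$target
fi
echo "Spam messages from local clients: $(spam_local_hits "$target")"
echo "Suspect internal senders (ip hits):"
suspect_ips "$target"
if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
```

Run it from cron once a day against yesterday's log and read the output with the post's caveats in mind: a host with outside originating IPs in the second bracket is probably a forwarding server, not an infectee, and a host whose recipients are all in its own domain is probably a relay for that domain.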

The connection between webspam and zombies

Wednesday, February 15th, 2006

Some vocal webspammers have claimed recently that webspam isn’t illegal.

It’s true that there are no laws that spell it out per se. But that doesn’t mean it’s legal.

Laws are struggling to keep up with our technological world, and it’s quite common for older laws to be stretched by precedent to encompass newer crimes.

And there are laws that could (and probably will) be used against techniques often used by webspammers.

I’ve been thinking about this for some time, and meant to blog on it. And maybe I have mentioned it before too, here and there.

Gadi Evron has written a post where he’s talking about the same topics.

SecuriTeam Blogs » Comment spam: drive-by sites, domains and spyware - analysis, samples and facts

Gadi Evron on webspam

Monday, February 13th, 2006

Gadi Evron is well known in the zombie fighting scene.

Recently he’s experienced first hand how bad comment spam has gotten, and as a result he’s started thinking about ways to fight webspam.

Here’s his take on the topic:

SecuriTeam Blogs » Comment Spam: new trends, failing counter-measures and why it’s a big deal

Another hungry java bot

Monday, February 13th, 2006

I had another spike in my bandwidth meter today.

Perpetrator:
210.177.215.29
from Hong Kong

User agent:
Java/1.4.1_04

This one wasn’t too bad in terms of how much I downloaded. I think. I haven’t checked it for sure.

But 152 requests from 10:01:21 to 10:04:34 is VERY inconsiderate at best.

I’m tired of this. I’ll block anything with Java in the user agent, unless you guys can find some reason not to?

Here’s another hungry bot:
Hungry Java bot

Oh, and I ran a grep on my logs; a few days of February logs netted these IPs with a Java/1.4-something bot:

62.163.12.31 (came back another time)
63.230.22.115
82.170.231.97
84.36.69.19
84.176.66.18
84.176.74.179
84.178.149.81
163.17.205.1
207.91.139.189
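The grep the post mentions can be taken a step further so that the "152 requests in three minutes" pattern shows up by itself. The script below is an added example, not the blog's own code: it reads an Apache combined-format access log, keeps only requests whose user agent starts with "Java/", and reports per IP the request count, the number of seconds between the first and last request, and the agent string. The sample lines are constructed (documentation-range IPs and made-up paths), and the layout assumed is the standard combined format with the user agent as the last quoted field.

```sh
#!/bin/sh
# Added example: spot "hungry" Java/1.x bots in an Apache combined access log.
# Usage: sh java_bots.sh [/var/log/apache2/access.log] [min_requests]
# Without a log argument a constructed sample is used so it runs stand-alone.

# Constructed sample lines in Apache combined format (IPs from documentation ranges)
sample_access_log() {
cat <<'EOF'
203.0.113.29 - - [13/Feb/2006:10:01:21 +0100] "GET /archives/2006/01/ HTTP/1.1" 200 18342 "-" "Java/1.4.1_04"
203.0.113.29 - - [13/Feb/2006:10:01:22 +0100] "GET /archives/2006/01/page/2/ HTTP/1.1" 200 17110 "-" "Java/1.4.1_04"
198.51.100.7 - - [13/Feb/2006:10:02:00 +0100] "GET / HTTP/1.1" 200 9021 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20060124 Firefox/1.5.0.1"
203.0.113.29 - - [13/Feb/2006:10:03:10 +0100] "GET /archives/2006/02/ HTTP/1.1" 200 16555 "-" "Java/1.4.1_04"
192.0.2.44 - - [13/Feb/2006:10:03:30 +0100] "GET /feed/ HTTP/1.1" 200 4012 "-" "Java/1.4.2_08"
203.0.113.29 - - [13/Feb/2006:10:04:34 +0100] "GET /archives/2006/02/page/2/ HTTP/1.1" 200 15999 "-" "Java/1.4.1_04"
EOF
}

# One line per IP whose user agent starts with "Java/": ip requests seconds agent
java_bot_report() {
    awk '
        {
            n = split($0, q, "\"")          # quoted fields: q[2] request line, q[n-1] user agent
            ua = q[n - 1]
            if (index(ua, "Java/") != 1) next
            ip = $1
            t = substr($4, 14, 8)           # $4 is [13/Feb/2006:10:01:21 -> hh:mm:ss starts at offset 14
            split(t, hms, ":")
            s = hms[1] * 3600 + hms[2] * 60 + hms[3]
            cnt[ip]++
            if (!(ip in first) || s < first[ip]) first[ip] = s
            if (!(ip in last) || s > last[ip]) last[ip] = s
            agent[ip] = ua
        }
        END {
            # span is in seconds and assumes all lines come from the same day
            for (ip in cnt) printf "%s %d %d %s\n", ip, cnt[ip], last[ip] - first[ip], agent[ip]
        }' "$1" | sort -k2,2nr
}

# IPs that made at least $2 Java requests (default 100, an arbitrary cut-off to tune)
hungry_java_bots() {
    java_bot_report "$1" | awk -v min="${2:-100}" '$2 >= min { print $1 }'
}

if [ -n "${1:-}" ]; then
    log=$1; cleanup=""
else
    log=$(mktemp); sample_access_log > "$log"; cleanup=$log
fi
echo "Java user agents seen (ip requests seconds agent):"
java_bot_report "$log"
echo "Flagged with at least ${2:-3} requests:"
hungry_java_bots "$log" "${2:-3}"
if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
```

The per-IP seconds column is what separates a polite feed reader that fetches one URL every hour from a bot that pulls the whole archive in three minutes, which is the distinction the post's question ("unless you guys can find some reason not to?") comes down to: a blanket block on "Java" in the user agent also hits the former.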

Lazy postmasters in Norway

Friday, February 10th, 2006

An explanation of HELO configuration for admins.

I just tested this postfix setting:

reject_unknown_hostname

If you put that setting under smtpd_helo_restrictions in Postfix’s main.cf, it checks the HELO of every sending server and verifies that the HELO name actually resolves (to an IP number that in turn resolves back to the HELO name, via DNS). If it doesn’t, the mail is rejected.

It’s wonderful, because it rejects a lot of spam. But there’s a problem…

Lots of legitimate mail was rejected. Why? Because Norwegian postmasters are either lazy or incompetent.

OK, so they’re not the only ones who have incorrectly configured servers, but I’m in Norway, so chances are I’ll see more of those.

Please, please, please, postmaster: Check that your mailservers have the correct HELO.

It’s a common rookie mistake, but for a production server, you really NEED to make sure it’s right!

If you’re administering a mail server and don’t have a clue what I’m talking about, then get serious about your job and learn!

——-

You could get away with using this instead:
reject_non_fqdn_hostname

It rejects mail from HELOs that neither look like IP numbers nor end in a TLD. It won’t check if the name is valid. You’ll still reject legitimate mail with this setting, for the same reason as above: lazy or clueless admins. But at least the casualties won’t be quite as many.

Most of the mail that would be rejected by this one is also rejected by policyd-weight.

Today I’ve seen HELOs from (probably) legitimate servers in these formats (some of these are the actual HELOs or very lightly munged):
EXCHANGE2K3.domain.int
tplist.adm.adm
z50v002.domain.local
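Before switching either restriction on, it pays to see what it would have rejected. Postfix lets you prefix a restriction with warn_if_reject, so a main.cf line such as smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_unknown_hostname (with smtpd_helo_required = yes so clients must actually send a HELO) only logs the rejections it would have made. Two details worth knowing alongside the post: Postfix 2.3 renamed these restrictions reject_unknown_helo_hostname and reject_non_fqdn_helo_hostname (the old names still work), and according to postconf(5) the "unknown" check is whether the HELO name has a DNS A or MX record; it does not require the forward and reverse lookups to match. The script below is an added example, not the post's own: it summarises the warn_if_reject log lines per HELO name and reason, and classifies a HELO name by form alone the way reject_non_fqdn_hostname does. The log lines are constructed in the shape postfix/smtpd writes (made-up clients and addresses), and the three names from the post all pass the form check, which is why only the DNS check catches them.

```sh
#!/bin/sh
# Added example: review HELO rejections logged by warn_if_reject, and check
# HELO names for FQDN form. Usage: sh helo_review.sh [/var/log/mail.log]
# Without an argument a constructed sample log is used so it runs stand-alone.

# Constructed sample in the shape of postfix/smtpd reject_warning lines
sample_maillog() {
cat <<'EOF'
Feb 10 09:15:02 mx postfix/smtpd[2211]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 <EXCHANGE2K3.domain.int>: Helo command rejected: Host not found; from=<a@example.com> to=<me@example.org> proto=ESMTP helo=<EXCHANGE2K3.domain.int>
Feb 10 09:16:40 mx postfix/smtpd[2212]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.11]: 450 4.7.1 <tplist.adm.adm>: Helo command rejected: Host not found; from=<b@example.com> to=<me@example.org> proto=ESMTP helo=<tplist.adm.adm>
Feb 10 09:18:13 mx postfix/smtpd[2213]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.12]: 450 4.7.1 <z50v002.domain.local>: Helo command rejected: Host not found; from=<c@example.net> to=<me@example.org> proto=ESMTP helo=<z50v002.domain.local>
Feb 10 09:20:55 mx postfix/smtpd[2214]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.5]: 504 5.5.2 <PC-ANNA>: Helo command rejected: need fully-qualified hostname; from=<d@example.net> to=<me@example.org> proto=SMTP helo=<PC-ANNA>
Feb 10 09:21:10 mx postfix/smtpd[2215]: 3C2F9A4F: client=mail.example.com[203.0.113.25]
Feb 10 09:22:01 mx postfix/smtpd[2216]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 <EXCHANGE2K3.domain.int>: Helo command rejected: Host not found; from=<a@example.com> to=<you@example.org> proto=ESMTP helo=<EXCHANGE2K3.domain.int>
EOF
}

# Classify a HELO name by form only, no DNS (what reject_non_fqdn_hostname looks at):
# literal = [a.b.c.d]; fqdn = dotted hostname whose last label is not numeric; else not-fqdn
helo_form() {
    name=$1
    if printf '%s\n' "$name" | grep -Eq '^\[[0-9]+(\.[0-9]+){3}\]$'; then
        echo literal
    elif printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$' \
         && ! printf '%s\n' "$name" | grep -Eq '\.[0-9]+$'; then
        echo fqdn
    else
        echo not-fqdn
    fi
}

# "count helo|reason" for every HELO that warn_if_reject flagged, most frequent first
helo_warning_summary() {
    grep 'reject_warning:.*Helo command rejected' "$1" \
      | sed -n 's/.*Helo command rejected: \([^;]*\);.*helo=<\([^>]*\)>.*/\2|\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c, $0 }'
}

if [ -n "${1:-}" ]; then
    log=$1; cleanup=""
else
    log=$(mktemp); sample_maillog > "$log"; cleanup=$log
fi
echo "HELO names that would be rejected (count helo|reason):"
helo_warning_summary "$log"
echo
echo "Form check of some HELO names (syntax only, no DNS):"
for h in EXCHANGE2K3.domain.int tplist.adm.adm z50v002.domain.local '[192.0.2.1]' PC-ANNA; do
    printf '%-26s %s\n' "$h" "$(helo_form "$h")"
done
if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
```

Read the summary for a week or so, contact the postmasters of the correspondents you want to keep (or whitelist their clients ahead of the restriction), and only then drop the warn_if_reject prefix.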

The ethical spammer has something to tell me

Thursday, February 9th, 2006

I got this cute little message from a spammer today on my wiki:

I really think you should get a life . I bet you’re single and frustrated and decided to upset other people with your small insignificant existence . Just a thought from a spammer . Happy Valentine’s !

I love it when I get these little love notes. It shows me what I’m doing has some effect. The more personal the potshots, the more I think I’m on to something.

The IP number (195.175.37.55) was from Turkey, and a proxy. So I checked my logs. The joker didn’t try too hard to hide himself. The real IP address was easy enough to find:
86.120.197.66
That’s from Bucharest, Romania. And it’s been used to spam extensively in the past.

It’s known primarily from November last year, when he earned a lot of bans from wiki admins. He was into “invisible” wiki spam, and also left this cute message:

We leave content intact . We allow you to easily remove the additions
We respect your pages and apologize for the spam .
We are the Ethical Spammers group .
(this is an oxymoron - two terms that are put together but are opposed meaning) .

Which means he’s the spammer known as

Ethical wiki spammers.

He seemed to disappear shortly after November, so I tried to find more info.

Most of his spam back then was subdomains on rx-seote.com. That site throws up 403s for me at the moment.

But a subdomain on buy-quality-meds.info (also his, but made to look like a throwaway domain) had a redirect to findrxdrugs.com that might look like an affiliate link to the uninitiated. That domain has this whois info:

Andrei, Calugaru design@websign.ro
Str. Cicero Nr 111
Bloc S11 Sc1 Ap 6
Drobeta Turnu Severin, 220022
Romania
+40744366836 Fax —

The e-mail address in the whois info used to be a webdesign business. Now it’s blank, but there are invisible links to drug related pages that redirect to findrxdrugs.com. There’s also webspam with that domain from January 2006.

So chances are that really is his contact info.

So, did he stop spamming? Noooo

Lately he’s been spamming a lot of forums, especially yybbs.cgi. Looks like that’s a type of forum or guestbook that’s primarily in use in Japan. And they’re usually spammed to death. I also see some amount of referrer spam.

And I found a log full of spammer entries, where he’s tried to spam:
86.120.197.66 - - [03/Feb/2006:10:24:56 +0900] "POST /cgi-bin/bbs4/yybbs.cgi HTTP/1.1" 403 311 "-" "Mozilla/5.0"

So, he’s still using his own IP address.

He’s also using a technique where he appends a bookmark with the name of his target keywords. The anchor probably doesn’t exist on the site, since the goal is the redirect from the throwaway site.

Webhost IP numbers I’ve found that may be associated with this spammer:

209.59.132.158
70.85.249.130
70.86.183.34
70.84.123.66