Block libwww-perl with POST

I’ve been so busy this last week, I haven’t posted.

Comment spam has really exploded lately. I think Rathamahata might be right - probably lots of newbie Russian spammers out there.

So I took a random comment spam, and turned it inside out. It happened to be the last one to arrive.

valentine-day-gift-idea.50megs.com has a javascript that ultimately leads to affiliate ID: 49221 at topsearch10, as well as links from the body pointing to the same place.

What was interesting with the free webhost here is that when I tried to load the javascript in wannabrowser, I got an error, but it worked in a regular browser. Now, WHY is that? Got something to hide?

K, back to the spammer.

This is a low volume spammer, unlike some of the others I’ve seen lately.

User agent:
libwww-perl/5.803
I’ve had hits with that user agent from others. Some asking for robots.txt, some legitimate spiders. And one legitimate feed reader: XmlRssTimingBot/2.03 (libwww-perl/5.803). I’m leaning towards blocking POST as a request type with this user agent. I’ve also seen other versions of this user agent. Other software revisions. So block libwww-perl with POST.

IP:
204.15.149.58
It’s a proxy

Other IP addresses seen with that user agent (various versions), posting comments:
201.6.101.190 (proxy in Brazil)
64.246.42.58 (proxy. EV1 server)
202.57.138.131 (proxy in Bangkok)

E-mail address:
xanax@yandex.ru
(I got a few others from that address, and so far that corresponds with the user agent)
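The rule this post settles on, written out as an added example (not the author's code): refuse POST when the User-Agent carries a libwww-perl token of any version, and let GET through so robots.txt fetches and the feed reader keep working. The log layout (combined format), the request paths and the 192.0.2.x addresses are constructed assumptions; the user agent strings are the ones quoted on this page, including the Biyubi string from the comment under the post.

```python
import re

# libwww-perl token at any version, anywhere in the User-Agent, so wrapped
# forms such as "XmlRssTimingBot/2.03 (libwww-perl/5.803)" match as well.
LWP_TOKEN = re.compile(r"libwww-perl/\d+(?:\.\d+)*", re.IGNORECASE)

# "combined" access log format (assumed layout of the server log).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def should_block(method, user_agent):
    """True only for POST from a libwww-perl client; GET and HEAD pass."""
    return method.upper() == "POST" and bool(LWP_TOKEN.search(user_agent or ""))

def audit(log_lines):
    """Return (ip, path, ua) for each logged request the rule would refuse."""
    hits = []
    for line in log_lines:
        m = COMBINED.match(line.strip())
        if m and should_block(m["method"], m["ua"]):
            hits.append((m["ip"], m["path"], m["ua"]))
    return hits

# Constructed sample lines: hypothetical paths, documentation-range IPs.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2006:10:00:01 +0000] "GET /robots.txt HTTP/1.0" 200 68 "-" "libwww-perl/5.803"',
    '192.0.2.11 - - [10/Feb/2006:10:02:13 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "XmlRssTimingBot/2.03 (libwww-perl/5.803)"',
    '192.0.2.12 - - [10/Feb/2006:10:05:40 +0000] "POST /comments/post HTTP/1.0" 200 512 "-" "libwww-perl/5.803"',
    '192.0.2.13 - - [10/Feb/2006:10:07:02 +0000] "POST /trackback/1 HTTP/1.0" 200 80 "http://google.com" "Biyubi/5.0 (Sistema Fenix; G11; Familia Toledo; es-mx) 3 pages libwww-perl/5.65"',
    '192.0.2.14 - - [10/Feb/2006:10:09:55 +0000] "POST /comments/post HTTP/1.1" 302 0 "http://blog.example/post" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"',
]

if __name__ == "__main__":
    for ip, path, ua in audit(SAMPLE_LOG):
        print(f"would block POST {path} from {ip} ({ua})")
```

Running `audit` over existing logs before enabling the block shows which clients would be refused, which is how to confirm no legitimate poster depends on libwww-perl.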

One Response to “Block libwww-perl with POST”

  1. Etanisla says:

    Speaking of libwww-perl, I’m getting a string of attempted trackback spams coming from 38.96.1.145. Should I be concerned that this IP is located in Washington D.C.? Half wants to don the conspiracy hat, the other half is too busy laughing at the current conspiracies already out there.

    Anyways… The user agent of the bot is:
    “Biyubi/5.0 (Sistema Fenix; G11; Familia Toledo; es-mx) 3 pages libwww-perl/5.65”

    Biyubi is a legit browser for a Mexican themed Linux distro (Fenix). It is the part at the end that allows me to comment today.

    The bot is trying to get around refer checks by using “google.com” as the refer. Anyone that has read sitelogs should easily spot why this is a false refer.
