Tarred with the same brush
Update: The spam campaign resulted in a flood of e-mail to Michael Pollitt. The effect was like a mailbomb.
I got tipped about a guestbook spam campaign fraudulently using our names - Halz, Lemat, Michael Pollitt, Ann Elisabeth, Dirk, Paulo and others.
And I followed the trail. The first tip was that someone using the same IP numbers as the spammers had looked up the name Denis Basargin in my blog some time in February. So I kept that in mind as I continued tracking.
The spammed URLs led to blogs that had obfuscated JavaScript redirecting to a specific URL on compays.com. If you checked the root domain, you couldn’t get any info. But when I checked the specific URL I got in the script, I was 301 redirected to 1-800-pills.com, which is owned by the spammer I identified as using the name Denis Basargin a long time ago. Today, the same e-mail address is given for both the spam domain and Denis’ main domain for his software. So we can be reasonably sure it’s the same person.
And in case you’re wondering, here are the IP numbers to his (no doubt leased) spambots:
85.255.116.178
85.255.116.179
85.255.116.180
85.255.116.181
85.255.116.182
February 28th, 2006 at 8:47 am
Thanks for the heads-up on this.
Is this only on guestbooks, or have you faced the same on the blog as well?
Do you know of any guestbook to recommend?
March 5th, 2006 at 7:14 pm
This is interesting, I have been dealing with irritating blog spam as well for several months. I help maintain a high profile, highly trafficked blog; spam blogging needs to be treated like mail spamming. I report it as best I can to the ISPs. Not sure what effect, if any, it has had yet. I have reported mostly the sites they spamvertise. I know of at least 1 instance where the spamvertised website was disabled, but I do not know if that was due to complaints to ISP abuse or some other reason.
March 13th, 2006 at 4:03 am
I’m pleased to report that following complaints to WV Fiber, the upstream provider to Inhoster.com, the IP range above has been stopped from spamming. The 1-800.pills.com web site has moved to a US host and is currently returning a 403. I’m going to remain on this spammer’s tail until I’m sure that he has stopped using other people’s names for his spamming campaign.
March 21st, 2006 at 8:42 am
He’s back - search-pharmacy-online.com this time - but using the same names (including mine) as before for spamming. More details in my blog. If anybody spots the spammer’s IP in the guestbooks (I’ve not seen it so far), please let me know. I just reported the search-pharmacy site to EV1. The other site from the previous spam run, 1-800-pills.com, is now showing an empty directory list.
April 3rd, 2006 at 1:56 pm
Caught the IP today trying to spam our phpBB forum. So I guess it’s not only guest books he’s after. Can’t give any info on which site he tried to spam, of course. Just using the old forum spammer way of trying to do some automated registration, but he failed. Anyway, he indeed is still at it.
April 4th, 2006 at 1:34 am
Which IP did he use, Ellen? Please e-mail me or post it here. This spammer remains very active in guestbook spamming using my details - read my blog for more info.
June 24th, 2006 at 12:49 am
Hi,
I’m new at this tracking thing.
I’m having trouble with a guestbook type spammer that is not a bot. At least I don’t think so, as I have in place the graphic character type authentication active on the site.
Once or twice a day they register as a user, always leaving a link back to a Pilosoft held IP addr. It’s always some kind of pills.
I’m saving up approximate times and names hoping to troll through the logs and find a common IP source. Am I crazy? Is this how it’s done?
Can you give me any hints on what I need to do?
We’re running a phpbbs.
June 24th, 2006 at 3:43 am
Finding the corresponding IP address when using phpBB isn’t easy, but it’s doable. Most likely you’ll find they use multiple IP addresses, but you could try running it down and blocking IP addresses.
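One way to do the log correlation discussed in the last two comments, shown as an added example that is not part of the original post or its comments. It assumes an Apache combined-format access log and phpBB 2's registration URL (`profile.php?mode=register`); the log lines, IP addresses (documentation ranges) and sign-up times are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jun/2006:09:14:02 +0000] "POST /profile.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [22/Jun/2006:09:20:41 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jun/2006:09:55:00 +0000] "POST /profile.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [23/Jun/2006:10:02:33 +0000] "POST /profile.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [23/Jun/2006:22:47:09 +0000] "POST /profile.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Constructed: approximate times at which the spam accounts appeared on the board.
SPAM_SIGNUPS = ["2006-06-22 09:15", "2006-06-23 10:00", "2006-06-23 22:45"]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse(log_text, path_marker="mode=register"):
    """Yield (ip, timestamp) for POST requests whose URL contains path_marker."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, ts, method, url = m.groups()
        if method == "POST" and path_marker in url:
            # Timezone offset is dropped: assumes notes and log use the same zone.
            yield ip, datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")

def rank_sources(log_text, signups, window_minutes=10):
    """Return [(ip, n)], n = number of distinct spam sign-ups the IP registered near."""
    window = timedelta(minutes=window_minutes)
    events = [datetime.strptime(s, "%Y-%m-%d %H:%M") for s in signups]
    hits = defaultdict(set)
    for ip, when in parse(log_text):
        for i, ev in enumerate(events):
            if abs(when - ev) <= window:
                hits[ip].add(i)
    # Most sign-ups matched first; ties broken by IP for stable output.
    return sorted(((ip, len(evs)) for ip, evs in hits.items()),
                  key=lambda p: (-p[1], p[0]))

if __name__ == "__main__":
    for ip, n in rank_sources(SAMPLE_LOG, SPAM_SIGNUPS):
        print(f"{ip}: near {n} of {len(SPAM_SIGNUPS)} spam sign-ups")
```

An address that shows up near several separate sign-ups is a stronger lead than one that matches a single event, which may be an ordinary user registering at the same time.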