Block 207.58.130.217

I went through the spam comments today and tried to spot any repeat offenders.

Found:
207.58.130.217
vps.onlyfind.info

User agent:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Pretty weird requests too:
"POST /index.php? HTTP/1.1" 200 28030 "http://spamhuntress.com:80/index.php?"
"POST /wp-comments-post.php? HTTP/1.1" 302 5 "http://spamhuntress.com:80/wp-comments-post.php?"
"POST /wiki/Special:Search? HTTP/1.1" 200 11347 "http://spamhuntress.com:80/wiki/Special:Search?"
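The spotting step above (comb the access log, group by IP, flag the odd requests) can be automated. The script below is an added example, not part of the original post or of any tool the post mentions. It parses Apache "combined" log lines and flags two behaviours taken from the post: a User-Agent value that begins with the literal header name "User-Agent:", and a POST to a path ending in a bare "?" whose Referer is the same URL on the site's own host with ":80" spelled out. The sample log lines, timestamps and the benign visitor 192.0.2.10 are constructed for the example; the signature names and the 2-request threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache "combined" format). The spam
# bot's IP, user agent, paths and referers mirror the post; the timestamps,
# the sizes and the benign visitor 192.0.2.10 are made up for the example.
SAMPLE_LOG = """\
207.58.130.217 - - [10/Jan/2006:03:12:01 +0000] "POST /index.php? HTTP/1.1" 200 28030 "http://spamhuntress.com:80/index.php?" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
207.58.130.217 - - [10/Jan/2006:03:12:02 +0000] "POST /wp-comments-post.php? HTTP/1.1" 302 5 "http://spamhuntress.com:80/wp-comments-post.php?" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
207.58.130.217 - - [10/Jan/2006:03:12:03 +0000] "POST /wiki/Special:Search? HTTP/1.1" 200 11347 "http://spamhuntress.com:80/wiki/Special:Search?" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [10/Jan/2006:03:15:44 +0000] "GET /index.php HTTP/1.1" 200 28030 "http://example.net/" "Mozilla/5.0 (X11; Linux) Firefox/1.5"
192.0.2.10 - - [10/Jan/2006:03:16:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 5 "http://spamhuntress.com/?p=12" "Mozilla/5.0 (X11; Linux) Firefox/1.5"
"""

# One "combined" log line: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def spam_signatures(entry, own_host):
    """Return the list of behavioural signatures (names chosen here) this request matches."""
    hits = []
    # 1. The UA value itself starts with the literal header name "User-Agent:",
    #    i.e. the bot pasted a whole header line into the header value.
    if entry["ua"].lower().startswith("user-agent:"):
        hits.append("literal-header-in-ua")
    # 2. POST to a path ending in a bare "?" (empty query string) ...
    if entry["method"] == "POST" and entry["path"].endswith("?"):
        # ... whose Referer is the very same URL on our own host, port 80 spelled out.
        if entry["referer"] == f"http://{own_host}:80{entry['path']}":
            hits.append("self-referer-empty-query-post")
    return hits


def find_repeat_offenders(log_text, own_host, min_hits=2):
    """Map IP -> sorted distinct signatures, for IPs with at least min_hits flagged requests."""
    counts = defaultdict(int)
    sigs = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in combined format
        hits = spam_signatures(entry, own_host)
        if hits:
            counts[entry["ip"]] += 1
            sigs[entry["ip"]].update(hits)
    return {ip: sorted(sigs[ip]) for ip, n in counts.items() if n >= min_hits}


def htaccess_deny_lines(offenders):
    """Render Apache 2.2-style 'deny from' lines (the syntax used in the post) for flagged IPs."""
    return [f"deny from {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_repeat_offenders(SAMPLE_LOG, "spamhuntress.com")
    for ip, names in found.items():
        print(ip, ", ".join(names))
    print("\n".join(htaccess_deny_lines(found)))
```

Both signatures are cheap to check and neither depends on the IP, so the same function keeps catching the bot after it moves to another host; the IP list it emits is the complement, a block for the addresses already seen.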

I think this bot should be blocked, both by IP number and behavior.

Here's how to block the user agent and similar user agents in .htaccess (the pattern matches any User-Agent value that contains the literal text "User-Agent", as this bot's does):
SetEnvIfNoCase User-Agent "User-Agent" spambot=yes
deny from env=spambot

I saw the same behavior from this IP number:
72.36.223.107
(check Google; loads of guestbook spam)
There are other IP numbers as well.

Both of those IP numbers present an empty website when you access them in a web browser, which probably means the servers are virtual web hosts.

The spammer was spamvertising Louis Vuitton purses and used a site at blogspirit.com.

It had a very tricky redirect to
searchboard.info (80.77.88.4 - hqhost.net)
which in turn had a 302 redirect to
topresult.info (80.77.80.145 - hqhost.net)

Whois:
Admin Name:Nikolay Markov
Admin Organization:sia
Admin Street1:Skolas 28
Admin City:jurmala
Admin State/Province:Jurmala
Admin Postal Code:2111
Admin Country:LV
Admin Phone:+371.3465476
Admin Email: gogogh7878@yahoo.com
Name Server:NS0.HQHOST.NET

Admin Name:Markovich
Admin Organization:inbox
Admin Street1:Skolas 28-47
Admin City:Jurmala
Admin State/Province:
Admin Postal Code:2011
Admin Country:LV
Admin Phone:+371.6054515
Admin Email: tt7777@inbox.lv
Name Server:NS1.HQHOST.NET

And of course, the links we finally see have those typical encrypted affiliate advertising links.

Finally, the contents of the spam are sometimes in German. They look like they've been harvested from real guestbook entries. One comment type refers to the blog as a guestbook. My guess is that this is an old guestbook spammer that's started hitting blogs as well.

7 Responses to “Block 207.58.130.217”

  1. Lemat Says:

    I can see in my logfiles many GET entries caused by proxy servers, where X-Forwarded-For is 72.36.223.106.

  2. Administrator Says:

    Lemat:
    That’s an Apache server on Unix. And it’s been used a lot to guestbook spam.

  3. the doetchie Says:

    Noobie here: I saw your wiki and blog and was just wondering if there is a list of known spammers out there that we can share. I think also there are some institutions working on this? Hmm, SORBS, but that's just for email, right?
    http://www.sorbs.net/

  4. stone Says:

    Thx for the good work. I was spammed from 207.58.130.217 as well but didn't find anything when I googled the IP number. It was written in Norwegian :-)
    Keep up the good work!

    /Stone

  5. Great CornHolio Says:

    Hey, woman, you are brood beatch, kill yourself!

  6. Henry Hertz Hobbit Says:

    No, you don’t Google the IP address. You do an ARIN WHOIS query:

    http://www.dnsstuff.com/tools/whois.ch?ip=207.58.130.217
    http://www.dnsstuff.com/tools/whois.ch?ip=!NET-207-58-130-0-1&server=whois.arin.net

    They are in McLean, Virginia, U.S.A. hqhost.net on the other hand is New York, NY.
    Yet another case of a convoluted trail going all over the place.

  7. Administrator Says:

    The trail for hqhost used to point to England. Whois info now points to New York. Plenty of shady stuff going on over there in the past.
