Archive for March, 2006

Nope, not Norwegian

Thursday, March 23rd, 2006

I was checking the spam comments, and saw the word Flytevest. It’s Norwegian, so I started wondering if this was a Norwegian spammer.

The IP number was Swedish, but it turns out to belong to a geek running a web server on his Linux box. My guess: an open proxy.

The final touch was the use of the word inside the English text, in ways that didn’t make grammatical sense. A Norwegian wouldn’t do that, even if he was using a script.

So, who’s this joker?

He’s using .be domains, and he’s got cloaking going on: the text meant for spiders is visible in grey at the bottom of the pages, but what you’ll actually SEE is the JavaScript-induced affiliate link map at the top.

life-vests.byterfer.be/flytevest.html

There’s only one access from the Swedish IP number, and it’s got this user agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1″

A fake one, in other words, complete with typo (missing bracket at the end).

I guess now it’s time to tell the hapless Swede…

Domain registrations misleading

Sunday, March 19th, 2006

I had a conversation with a customer a while ago. I noticed some of his domains were about to expire. He told me to delete them, he didn’t need them anymore.

So today I was doing some spring cleaning on our DNS server and noticed the domain was still there. I checked the whois data, and the domain is still registered to him, renewed for one more year starting February 15. I think to myself, that’s weird, especially since the DNS servers no longer point to us, which they would if he were still in control.

So I check the website, and find a domain parking page.

My problem with that is that the whois info still has my customer’s details in it, even though he no longer owns the domain and doesn’t benefit from the domain parking program’s advertising.

The registrar is register.com, and the technical contact is lycos.com.

Just wanted to vent a little…

Spam first, then add content

Saturday, March 18th, 2006

I decided to check a random comment spam today:

zorpia.com/buysildenafil47

It’s a free site on a community homepage service.

And apart from the telltale name of the site, there’s nothing on it that gives away its spammy nature.

It’s even filled out with the name of a female.

I tried to post a comment, just to see what would happen. Sneaky site too. It looks like a simple form, but once I hit submit, I get asked if I’ve logged in.

No problem for the spambots. They come with that capability built in…

——————–

Update: I checked another URL in the same comment spam, and had a bit more luck. It redirects to pharmacy-goods.com. Tricky redirect script too: it first redirects to a JavaScript at berlin.pills-onweb.com, then goes on to pharmacy-goods.com.

Both domains are hosted on nearby IP numbers, registered through the same outfit, and the target website appears to be a bunch of advertising links.

Whois:

Rocky Dello admin@pharmacy-goods.com
763827346 fax: 763827346
Suite 68, 17 Glenn st.
NewYork AD 19634
US

Nelson King nelson@pills-onweb.com
6523473837 fax: 2343542344
Suite 507, N. Market st.
Wilmington AD 19801
US

Hidden outgoing links

Saturday, March 18th, 2006

I was tipped off about a site that had some hanky-panky going on.

I noticed a large area of empty space and highlighted it, only to find a large number of links to high-profile websites. Some of the links are to rather unsavory characters (180solutions ring a bell?), as well as to loads of search engines, e-commerce sites, portals and other stuff.

My guess is, this is an attempt at having links TO sites with good standing in the search engines, but at the same time hiding them from users, so the links won’t ACTUALLY lead to anyone clicking on them. The links are there for the benefit of the search engines.

So yes, this is against the webmaster guidelines at Google, at the very least, which means I label it search engine spam.

See for yourself:
diamonds-chicago.com/diamonds_chicago_map

In addition, this entity has three websites with similar content, though not similar enough for the duplicate content penalty to kick in:
diamond-jewelry-store.net
diamonds-wholesale.net (check out the invisible keyword stuffing at the bottom!)
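The "highlight the empty space" trick above is easy to automate. Here is an added example, not code from the original post, that walks a page with Python's standard library HTML parser and reports every link whose own or inherited inline styling would hide it from a reader: display:none, visibility:hidden, a zero font size, or text coloured the same as the page background (including the old-style `<font color>` and `<body bgcolor>` attributes common on pages of this vintage). It only understands inline styles; links hidden through an external stylesheet are beyond it. The sample page and the spam-*.example domains are constructed for the example and are not the sites named in the post.

```python
# Added example (not from the original post): find links hidden from readers
# but still present for search engine spiders. Inline styles and the old
# <font color> / <body bgcolor> attributes only; external CSS is not parsed.
from html.parser import HTMLParser

# Tags that never get a closing tag, so they must not push a style frame.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def parse_style(style):
    """Turn 'Color: #fff; display:none' into {'color': '#fff', 'display': 'none'}."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            out[prop.strip().lower()] = val.strip().lower()
    return out


def normalize_color(value):
    """Lowercase a colour and expand the #rgb shorthand so #FFF == #ffffff."""
    value = value.strip().lower()
    if len(value) == 4 and value.startswith("#"):
        return "#" + "".join(ch * 2 for ch in value[1:])
    return value


class HiddenLinkFinder(HTMLParser):
    """Collects (href, reasons) for every <a> whose own or inherited styling hides it."""

    def __init__(self, background="#ffffff"):
        super().__init__()
        self.background = normalize_color(background)
        self.frames = []     # one list of hiding reasons per open element
        self.hidden = []     # links judged invisible to a reader
        self.visible = []    # links with no hiding reason at all

    def hiding_reasons(self, attrs):
        attrs = dict(attrs)
        style = parse_style(attrs.get("style") or "")
        reasons = []
        if style.get("display") == "none":
            reasons.append("display:none")
        if style.get("visibility") == "hidden":
            reasons.append("visibility:hidden")
        if style.get("font-size") in ("0", "0px", "0pt", "0em"):
            reasons.append("font-size:0")
        # Text the same colour as the page background: inline style or <font color>.
        color = style.get("color") or attrs.get("color")
        if color and normalize_color(color) == self.background:
            reasons.append("color matches background")
        return reasons

    def handle_starttag(self, tag, attrs):
        if tag == "body" and dict(attrs).get("bgcolor"):
            self.background = normalize_color(dict(attrs)["bgcolor"])
        inherited = [r for frame in self.frames for r in frame]
        own = self.hiding_reasons(attrs)
        if tag not in VOID_TAGS:
            self.frames.append(own)
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                reasons = inherited + own
                (self.hidden if reasons else self.visible).append((href, reasons))

    def handle_startendtag(self, tag, attrs):
        # <br/>-style tags: behave like a void start tag, leave no frame behind.
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.frames.pop()

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.frames:
            self.frames.pop()


def find_hidden_links(html, background="#ffffff"):
    """Return (hidden, visible) lists of (href, reasons) tuples."""
    finder = HiddenLinkFinder(background)
    finder.feed(html)
    finder.close()
    return finder.hidden, finder.visible


# Constructed sample page; the spam-*.example domains are placeholders.
SAMPLE_HTML = """
<html><body bgcolor="#FFFFFF">
<p>Welcome to our store.</p>
<p><a href="http://www.example.com/catalog">Catalog</a></p>
<div style="display:none"><a href="http://spam-one.example/">one</a></div>
<p><font color="#fff"><a href="http://spam-two.example/">two</a></font></p>
<p style="font-size:0"><a href="http://spam-three.example/">three</a></p>
<p><a style="Color: #FFFFFF" href="http://spam-four.example/">four</a><br></p>
</body></html>
"""

if __name__ == "__main__":
    hidden, visible = find_hidden_links(SAMPLE_HTML)
    for href, reasons in hidden:
        print("HIDDEN ", href, "->", ", ".join(reasons))
    for href, _ in visible:
        print("visible", href)
```

A link is reported with every reason that applies along its ancestor chain, so a white-on-white anchor inside a display:none div shows both; a page whose background is set in a stylesheet rather than on the body tag needs the background passed in explicitly.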

ewaye

Friday, March 17th, 2006

Disclaimer: This investigation uncovered information about an outfit that might be a CAN-SPAM compliant bulk e-mailer. I consider bulk e-mail spam, but I realize there’s a distinction there in the eyes of US law. Just bear with me when I call them spammers in the beginning of this piece.

I checked the stats for my mail servers and came upon a weird error message:

status=bounced (host mail.ewayecity.com[64.194.168.4] said: 550 relaying blocked, read new mail, add (munged, our mailserver IP) to forwarding or enable smtp authentication in yo (in reply to RCPT TO command))

So I checked a bit more, and noticed several domains with similar names throwing up that error message.

Turns out it’s a spammer that’s using multiple domains containing ewaye, and a host of IP numbers, to send his spam. In yesterday’s log I did a search for ewaye, and found mail had been sent from these specific IP addresses:

64.194.168.4
64.194.168.40
64.194.168.73
64.194.168.83
64.194.168.114
64.194.168.215
64.194.169.95
64.194.169.98
64.194.169.162
64.194.169.166
64.194.169.180
64.194.169.197
64.194.169.201
64.194.174.72
64.194.174.87
64.194.175.6
64.194.175.43
64.194.175.79
64.194.175.119
64.194.175.126

I also rooted around in my spambin and found messages from them. Here’s some text from one of them. I’ve munged it and removed some tags to avoid it being hyperlinked:

You have received this advertisement from E Way

If you’re not happy with this email and wish to remove check this URL:
a =
xhref=3D”http://ewayecenter.com/unsub.php? (munged, our domain and address)
Also you may direct communications here:
E Way
5023 W 120th Ave., #175
Broomfield, CO 80020

I’ve also seen it written as:
My Eway

Even so, I think this is a rather new MO. I haven’t seen samples earlier than March 13 (Oops, just found one from February 20, from aMyEway.com, same address, same IP range), and I can’t see anything relating to this MO on NANAS.

Here’s one from February 21: TheMyEway.com Dept
And one from February 28: ewayspots.com

——–

It appears as though this spam operation is using a majority of the IP numbers assigned to bauerhosting.com in Colorado. Hmmm, interesting. The spam operation also has an address in Colorado, and the homepage is branded e-way.com. So, it’s the same thing. Which means you can block them if you want, by blocking these ranges:
64.194.168.0 - 64.194.169.255
64.194.174.0 - 64.194.175.255
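To turn those two ranges into something a firewall or MTA access list accepts, and to check that they really cover every sender seen in the log, here is an added example (Python, not code from the original post). It collapses the ranges into CIDR blocks with the standard library, confirms that all twenty addresses listed earlier fall inside them, and pulls the remote host out of Postfix "host name[ip] said:" lines so relays can be checked the same way. The log excerpt is constructed: the first line follows the bounce quoted above, the other two hosts (mx.example.net, mail.ewayspots.com) and the 192.0.2.x address are invented for the example.

```python
# Added example (not from the original post): express the two blocked ranges as
# CIDR blocks, confirm every listed sender falls inside them, and pick relay
# hosts out of Postfix bounce lines so they can be checked against the ranges.
import ipaddress
import re

# The two ranges named in the post, as (first, last) pairs.
BLOCKED_RANGES = [
    ("64.194.168.0", "64.194.169.255"),
    ("64.194.174.0", "64.194.175.255"),
]

# The sender addresses listed earlier in the post.
LISTED_SENDERS = [
    "64.194.168.4", "64.194.168.40", "64.194.168.73", "64.194.168.83",
    "64.194.168.114", "64.194.168.215", "64.194.169.95", "64.194.169.98",
    "64.194.169.162", "64.194.169.166", "64.194.169.180", "64.194.169.197",
    "64.194.169.201", "64.194.174.72", "64.194.174.87", "64.194.175.6",
    "64.194.175.43", "64.194.175.79", "64.194.175.119", "64.194.175.126",
]


def ranges_to_networks(ranges):
    """Collapse (first, last) pairs into the minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets


def is_blocked(ip, nets):
    """True if the dotted-quad string ip lies inside any of the networks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)


def uncovered_senders(senders, ranges=BLOCKED_RANGES):
    """Senders the ranges would NOT block; an empty list means full coverage."""
    nets = ranges_to_networks(ranges)
    return [ip for ip in senders if not is_blocked(ip, nets)]


# Postfix names the remote host as "host name[ip] said: ..."; capture both parts.
HOST_RE = re.compile(r"host\s+(?P<name>\S+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_hosts(log_lines):
    """(name, ip) for every log line that mentions a remote host."""
    hosts = []
    for line in log_lines:
        m = HOST_RE.search(line)
        if m:
            hosts.append((m.group("name"), m.group("ip")))
    return hosts


def blocked_relays(log_lines, ranges=BLOCKED_RANGES):
    """Relay hosts from the log that sit inside the blocked ranges."""
    nets = ranges_to_networks(ranges)
    return [(name, ip) for name, ip in relay_hosts(log_lines) if is_blocked(ip, nets)]


# Constructed log excerpt: the first line follows the bounce quoted in the post;
# the other hosts are invented (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    "status=bounced (host mail.ewayecity.com[64.194.168.4] said: 550 relaying blocked (in reply to RCPT TO command))",
    "status=sent (host mx.example.net[192.0.2.10] said: 250 2.0.0 Ok: queued)",
    "status=deferred (host mail.ewayspots.com[64.194.175.126] said: 450 try again later)",
]

if __name__ == "__main__":
    print("blocks:", [str(n) for n in ranges_to_networks(BLOCKED_RANGES)])
    print("not covered:", uncovered_senders(LISTED_SENDERS))
    print("blocked relays:", blocked_relays(SAMPLE_LOG))
```

The two ranges collapse to 64.194.168.0/23 and 64.194.174.0/23, which is the form to put in a firewall rule or an MTA client access map; the same check against a WHOIS allocation would show whether the /23s are the whole netblock or only part of a larger assignment that other customers share.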

The MO is relatively consistent with bulk e-mailers. I’m seeing e-mail to two different addresses on our network. One of the addresses used here doesn’t exist; I don’t know right now if it ever existed. I’d have to check that out. Update: I have checked with the owners of the domain. It’s unlikely it’s legit, because they generally use a different naming structure. On the other hand, that e-mail address has been on a lot of spam lists. Today, eway represents maybe half of the spam to that address.

The non-existent address received 6 spam attempts from this outfit in one day! The address that is operational received 13 e-mails in one day! I expect our spamfilter got some of them…

I was frustrated that I could find no information about this spammer/bulk e-mailer, so I nosed around.

e-way.com is owned by an outfit named Corporate Express Inc. And I found this on Sun’s site:
“One of the applications running in this environment is Corporate Express’ proprietary online procurement system, E-Way®.”

Update: According to this press release, there’s a company called eWayDirect which is also into e-marketing. Their contact info:

The company is located at 12 South Main Street, Suite 301, Norwalk, CT 06854. The phone number is (888) 655-0464. The company also has offices at 800 Salem Woods Drive, Raleigh, NC 27615.

CONTACT:  eWayDirect
Wendy Marx
(203) 445-2850
wendy@marxcommunications.com

Help with other htaccess blocks

Thursday, March 16th, 2006

There are some other malformed user agents, and I’m looking for blocks for them.

One ends like this:
Windows NT 5.0))”
Another ends like this:
Windows NT 5.1″

Then there are those that spell out their entire posts in the log file. Can we block those?

No referrer, no user agent

Thursday, March 16th, 2006

There’s one particular spammer (or maybe several) that leaves comments and has no referrer and no user agent.

As long as he keeps to that pattern, he can be stopped via an .htaccess trick:

See it in this file:
no user agent htaccess
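The .htaccess file linked above is not reproduced here. As an added example (Python, not the post's own file), the following parses Apache combined-format access log lines and flags the two request shapes the last two posts describe: a request carrying neither a Referer nor a User-Agent, and a user agent whose parentheses do not balance, like the `Windows NT 5.1"` and `Windows NT 5.0))"` endings quoted above. The 512-byte cut-off used to call a user agent "oversized" is an assumption of this example, as are the sample log lines (documentation-range addresses, user agents modelled on the quoted ones).

```python
# Added example (not the original post's .htaccess): flag requests with no
# Referer and no User-Agent, and user agents with unbalanced parentheses, from
# Apache combined-format log lines. MAX_AGENT_LEN is an assumption.
import re

# Combined log format: ip ident user [time] "request" status size "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'   # Apache escapes a literal quote as \"
)
MAX_AGENT_LEN = 512  # assumed cut-off for a user agent that carries a whole post


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Apache writes "-" for a header that was not sent; treat that as empty.
    for field in ("referer", "agent"):
        if entry[field] == "-":
            entry[field] = ""
    return entry


def unbalanced_parens(text):
    """True if a ')' closes nothing or a '(' is never closed, e.g. 'NT 5.1' or 'NT 5.0))'."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return True
    return depth != 0


def reasons_to_block(entry):
    """Every pattern from the posts that this request matches."""
    reasons = []
    if not entry["referer"] and not entry["agent"]:
        reasons.append("no referer and no user agent")
    if entry["agent"] and unbalanced_parens(entry["agent"]):
        reasons.append("unbalanced parentheses in user agent")
    if len(entry["agent"]) > MAX_AGENT_LEN:
        reasons.append("oversized user agent")
    return reasons


def flag_requests(lines):
    """(ip, request, reasons) for every parsable line that matches a pattern."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_to_block(entry)
        if reasons:
            flagged.append((entry["ip"], entry["request"], reasons))
    return flagged


# Constructed sample lines (198.51.100.0/24 and 203.0.113.0/24 are documentation
# ranges); the first three user agents follow the malformed ones quoted above.
SAMPLE_LINES = [
    '198.51.100.7 - - [16/Mar/2006:10:12:33 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.8 - - [16/Mar/2006:10:13:01 +0100] "POST /wp-comments-post.php HTTP/1.0" 302 0 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"',
    '198.51.100.9 - - [16/Mar/2006:10:14:20 +0100] "POST /wp-comments-post.php HTTP/1.0" 302 0 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0))"',
    '203.0.113.5 - - [16/Mar/2006:10:15:02 +0100] "GET /archives/2006/03/ HTTP/1.1" 200 8192 '
    '"http://www.example.org/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1"',
]

if __name__ == "__main__":
    for ip, request, reasons in flag_requests(SAMPLE_LINES):
        print(ip, request, "->", "; ".join(reasons))
```

Requiring both headers to be absent is what keeps the rule safe: a missing Referer alone is normal for a typed-in URL or a bookmark, and a missing User-Agent alone hits legitimate monitoring scripts. In Apache the same pair of conditions is `RewriteCond %{HTTP_REFERER} ^$` followed by `RewriteCond %{HTTP_USER_AGENT} ^$` and a `RewriteRule .* - [F]`, which is the shape of the trick the post links to; the parenthesis check has no direct mod_rewrite equivalent beyond matching the specific broken endings seen in the log.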

Believing the denials of spammers

Sunday, March 12th, 2006

Now and then spammers I’ve outed have told me I got it wrong. And sometimes I do. Similar MOs may lead me to group two spamming operations together and tag one spammer with another’s work.

But it’s a tough call to say whether a spammer is telling the truth when he denies having done a particular spamrun.

Here’s one story where they’ve cornered someone named Brendan Battles who denies having spammed. Yet the circumstantial evidence they’ve uncovered seems pretty strong:

Computerworld > Spam king sets up in New Zealand?

Return the excess money scam

Sunday, March 12th, 2006

The Spam Diaries is reporting on a new form of 419 scam. The scammer arranges to buy a service from you, and it’s targeted DIRECTLY at something you’re selling or providing.

They then send a cheque for more than you’re asking and ask you to return the excess. The problem is, the cheque is fraudulent…

The Spam Diaries: New kind of phishing scam

In fact, this scam isn’t brand new. I saw the first mention of it a while ago, when someone in Africa arranged to buy a car in Norway and have it shipped to Africa. They sent more money than the car was going for and asked the seller to send back the excess. I don’t remember whether the seller was taken in by the con or not, but the story ended up in the papers as an example of the new type of con.

I found one story about this (but not the one I originally read), from November 2004: Nigeria svindlere. Ah, here’s one example of the type of story I was thinking about, from December 2004: Nettsvindler slo til etter en halvtime, and here’s another: Ny massesvindel via nettannonser.

Here’s an actual example of such a car buying scamster from February this year:
no.it.sikkerhet
Just ignore the Norwegian stuff and scroll down to the sample letters.

Hmm, looks like this is the story I originally saw: Stefan snakket med Nigeria-svindlere

And here are some stories I found in English:
Joe Wein, Nigerian Scam Involving Counterfeit Cashiers Checks for the Fraudulent Purchase of Used Cars and Online Auction Items using Bogus Bank Draft Cheques., Car Buying tips, Nigeria Check Fraud Scams

Spyware Stories

Saturday, March 11th, 2006

I got a request via e-mail, and am quoting it verbatim here:

I am a third-year student at Stanford Law School. Stanford University’s Center for Internet and Society and the Stanford Cyberlaw Clinic want stories about how spyware and adware affects personal computers. We hope to help enact dramatic and much-needed reforms in the ways in which spyware and adware companies operate and contract with Internet users. We regularly file lawsuits as well as amicus briefs in other lawyers’ lawsuits, testify before governmental bodies and advocate for legislation, assist civil liberties organizations, and author white papers. We are a high-profile catalyst for change and the spyware industry is our major focus at the moment. Stanford’s Center for Internet and Society, of which the Stanford Cyberlaw Clinic is a part, is directed by Lawrence Lessig. The Cyberlaw Clinic is run by Jennifer Granick, Wired columnist and renowned San Francisco cyberdefense attorney.

In particular, we are curious about your experiences with these programs:

PacerD: also referred to as Exfol
180solutions: also known as 180 Search Assistant, BlazeFind
EliteBar: also known as YupSearch, Search Miracle, Elite Toolbar, Enternet Media Toolbar, EM Bar, 3D Desktop

Please fill out (or forward on) our very brief spyware questionnaire at:
http://cyberlaw.stanford.edu/spyware/

Pacer D and Exfol, two drive-by download programs taking advantage of Windows exploits, are of mysterious origin and not easily traceable to a distinct responsible party. It is all too easy for “companies” like those to mess up people’s computers and get away scot-free because of their hidden nature. Enternet and 180solutions are already the target of litigation by private parties and the FTC. We want to do our part to hold these companies accountable for their deceptive practices and reform the spyware/adware landscape. Given our goals, it is imperative that we speak to consumers who have been harmed by these particular products, as well as any other spyware-impacted consumers that would like to share their stories with us. And while our goals necessitate that we gather personally identifiable information, at least during this initial phase of our project, it will not be shared with anyone outside the Stanford Cyberlaw Clinic and only shared with the faculty and students involved in this particular project.

Your help is sincerely appreciated. Thanks so much!

Sincerely,

John Eden and the Stanford Cyberlaw Clinic