Archive for April, 2006

No more Ripway spam?

Sunday, April 30th, 2006

I’ve sent Scott at Ripside batches of comment spam, and he’s analyzed the URLs that hadn’t been caught by his filters and added autoban for whatever he found.

For a few days now, I haven’t seen any spamvertizing of sites on Ripway. That may be a coincidence, or it just may be that it’s possible to wean spammers off a free webhost provider?

How to combat spam with ex-spammer Ryan Pitylak

Friday, April 28th, 2006

One of the comments to this blog was from this guy:

How to combat spam with ex-spammer Ryan Pitylak

I found his first entry, The Psychology of a Spammer, especially interesting.

Looks like a very new blog, so we’ll see how it develops.

Here’s Ryan’s “resume” at ROKSO:
ROKSO
and another story about him.

An unwelcome guest of spam

Thursday, April 27th, 2006

Michael Pollitt is venting his frustration about the guestbook spammer who keeps using his name by doing what he does best - writing for newspapers:

Guardian Unlimited Technology | Technology | An unwelcome guest of spam

Forged return addresses

Tuesday, April 25th, 2006

I got this e-mail today:

Hi Ann Elisabeth, I was catching your blog in Google while I was searching for information about spam. I have a really big problem right now: a spammer is using some of my POP3s on Brinkster (paid host) to send spam. In the last 24 hours I received more than 450 returned emails with mail that could not be delivered. I contacted Brinkster and the answer was only this: ”Unfortunately, there is no way for us to prevent this.” The day before, they asked me to change all my passwords so it would stop, but unfortunately it doesn’t stop. I am so free and afraid to ask you, Ann, with your experience in this subject, if I can do something about that. I am really a newbie on this point. I have saved the returned emails, but I guess with these we cannot track the spammer. Thanks in advance for any info you can give me. Best regards (munged) PS: sorry for my bad English, I am Dutch-speaking.

What you’re experiencing is forged return address spam. One spammer who tends to do that is Leo Kuvayev. Might be him, might be someone else.

If you’ve got a whole domain:

The only thing you can do at this point is to turn off catch-all e-mail. What that means is that unless the spammers use an e-mail address you’ve purposely set up to receive mail at, the mail won’t be accepted by your server. If your server doesn’t support turning off catch-all and rejecting mail before it’s received, switch hosts.

If you’ve got single e-mail addresses:

Erm, you’re screwed unless they stop using that address. And they might. It’s very unusual for spammers to use single valid e-mail addresses these days.

China’s new anti-spam law

Sunday, April 16th, 2006

Looks like China is going tough on everything, not just spam:

China outlaws Outlook - vnunet.com

Ratamahatta

Sunday, April 16th, 2006

We’ve got another spammer (I presume?) who’s fond of the word Ratamahatta (notice the slightly different spelling). You see, we’ve got a resident spammer here (meaning one who comments on here) who goes by the moniker Rathamahatha (sp?).

Anyway, this guy uses adult sounding domains to promote pills!

shemalefuckpics.net

He’s got a site map on that domain that he’s spamvertizing. The links on that page (not the root page) lead to other pages with links to other domains. All of them are owned by various European-sounding names in various European cities. But all of them have e-mail addresses going to the ratamahatta domain.

Whois:

Bouravtsev, Alexei webmaster@mfaka.com
N\A
Nagatinskaya quay, 42-2-79
Moscow 115470
Russian Federation
1182945 Fax —

I’m sure I’ve seen this e-mail address before? Ah yes, it’s the guy who also speaks Hindi, in addition to Russian and English. And uses the nickname Lexus. He’s a programmer (aren’t they all?).

This spammer is savvy enough not to use catch all e-mail addresses (drat!)…

OK, back to the trace. mfaka.com belongs to Vasya Pupkin, whoever that is. Ah, it’s Russian for John Doe.

But all of these domains use the nameservers from nastysperm.com (which again has one of those ratamahatta e-mail addresses). That domain was once the home of a TGP program (adult site traffic sharing).

And the IP address of nastysperm belongs to (according to ThePlanet rwhois):

ip-network-block 70.86.20.160 - 70.86.20.175
organization-name Alexei Bouravtsev
organization-city Moscow
organization-zip 115470
organization-country RU
description-usage customer

There’s an old website (nonresponsive at the moment) for dear old Alexei:
aleksei.ru

Whois:

domain: ALEKSEI.RU
type: CORPORATE
nserver: ns1.teentiger.net.
nserver: ns1.nastysperm.com.
state: REGISTERED, DELEGATED
person: Alexei V Bouravtsev
phone: +7 095 1182945
e-mail: mister_j@mail.ru
registrar: RUCENTER-REG-RIPN
created: 2001.09.28
paid-till: 2006.09.28
source: TC-RIPN

Notice this one has the same nameserver as the other domains, thus tying this Alexei to the other.

That e-mail address has quite a history on the net. I’m starting to believe this is his real name?

A ripway spammer

Sunday, April 16th, 2006

Thought I’d analyze one of the ripway spammers caught in today’s batch of comment spam.

The webpage contains links to topadult10.com, affiliate ID: 49280. There’s also a javascript redirect (of course).

What’s important to remember is that many of these affiliate schemes have legions of domains that their affiliates can use. In the beginning I thought it was about different niches. But I’ve seen the same scheme used in non-niche affiliate programs, so I’m starting to think the point is to have lots of different domains so the affiliates don’t have to put all their eggs in one basket. In other words, if the free webhosting companies get wise to one and block it, the affiliates can use another and still get by the filters.

Which would mean the affiliate programs know what kind of challenges their affiliates are facing. In other words, they know they’re spamming?

This particular spammer does use encoded javascript, but no cutouts, so presumably it’s a medium experienced spammer.

No way to track him at the moment, unless he is using his own IP number for some of his activities.

Spam from the bandwidth stealer

Saturday, April 15th, 2006

I checked Google for 72.232.92.138 and found one spam:

canaleitalia.tv/news/comments.php?id=902

(Note that we don’t know for sure if this is the same outfit that stole my bandwidth)

The website spamvertized was aboutgoogle.info, owned by:

Registrant Name:Kirill Kroshkin
Registrant Organization:N/A
Registrant Street1:St. Batoria 6-30
Registrant Street2:
Registrant Street3:
Registrant City:Grodno
Registrant State/Province:Hrodnenskayav Oblasts’(be)
Registrant Postal Code:246028
Registrant Country:BY
Registrant Phone:+375.293550356
Registrant Phone Ext.:
Registrant FAX:+375.297804422
Registrant FAX Ext.:
Registrant Email: kde@tut.by

Possibly a legit name. Someone by that name has been active on usenet in computer-related groups.

What’s interesting is that the IP the domain is on, 66.45.240.186, is listed in SORBS for webspam. The listing is from March 11, 2006, and they suspect a rootkit has been installed on the server. It was already listed in February for sending spam.

The whole thing ends up at meta.7search.com affiliate ID: 64226

Blogger spammer

Saturday, April 15th, 2006

I was looking for patterns concerning the bandwidth stealer I wrote about in the preceding post, and looked for patterns among the spammers spamming the Roy Giles post.

Here’s one:

kryogennaya tehnika
Vladimir Podgornyy (adminroot@mail.ru)
Krupskoy 27
Omsk
Omskaya oblast,644123
RU
Tel. +7.9043212962

And

N/A
Vladimir (rootnew@gmail.com)
Krupskoy 27
Omsk
Omskaya oblast,644123
RU
Tel. +7.9043212962

Another site owned by him has this info:

Podgorny Vladimir rootnew@gmail.com +7.3812264823
Cryogennaya Technika
Partsjezda 22
Omsk,Omskaya,RUSSIAN FEDERATION 644000

There’s a Russian composer also by that name. But on the other hand, there’s a guy by that name who’s been present on the net at least since 2002, and he seems to have frequented the typical technical sites that the computer whizzes turned spammers we’ve seen in the past often frequented.

He’s using javascripts redirecting from blogger, using this cutout:
1google1.com
To lead to this site:
here.sexbegun.net

Both are on this IP:
72.21.44.34

It’s on the LayeredTech IP block, with this rwhois info:

organization Daniel OKeeffe
org-name D OKeeffe Hosting
street-address 22/1 Esplanade East
city Port Melbourne
state Victoria
postal-code 61054
country-code AU
phone 972-398-7998

But the nameservers are xmastershost.com, which are owned by:

Epsilon inc.
Eugeny (eugenyzxc@mail.ru)
Lenina str.25
N-Tagil
null,622002
RU
Tel. +7.3435247382

The links are hard to figure out, so I don’t know exactly what the payoff is.

Block resolve.ru

Saturday, April 15th, 2006

Well, at least one IP from there:

72.232.92.138
138.92.232.72.reversedns.resolve.ru

It bled me for in excess of 72 megabytes, most of it on April 14th.

I saw it on April 7th and 12th, with a normal user agent and one with Snoopy v1.2.3. When Snoopy got blocked, it came back with a normal user agent within seconds, and started downloading.

And get this, he’s primarily interested in the guestbook-spam archive, downloading the same page over and over at one-second intervals. He’s also downloaded the feed for the Roy Giles page over and over, and then the picking-on-guestbook-spammers page.

Hmmm, anything that has guestbook in the URL.

I’m guessing this is a guestbook spammer.

Block!

He occasionally tries Snoopy again.
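The pattern this post describes (a Snoopy user agent, a switch to a normal-looking user agent after the block, the same guestbook page fetched at one-second intervals) can be picked out of an ordinary access log. The following is an added example, not the blog’s own code; the log lines are constructed to mimic the behaviour above (paths and sizes are made up), and the log is assumed to be in time order:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access log (combined format) modelled on the post: a blocked Snoopy fetch,
# then the same IP re-fetching the guestbook-spam page every second with a "normal" UA.
SAMPLE_LOG = """\
72.232.92.138 - - [14/Apr/2006:10:00:00 +0200] "GET /guestbook-spam/ HTTP/1.0" 403 0 "-" "Snoopy v1.2.3"
72.232.92.138 - - [14/Apr/2006:10:00:03 +0200] "GET /guestbook-spam/ HTTP/1.1" 200 51200 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
72.232.92.138 - - [14/Apr/2006:10:00:04 +0200] "GET /guestbook-spam/ HTTP/1.1" 200 51200 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
72.232.92.138 - - [14/Apr/2006:10:00:05 +0200] "GET /guestbook-spam/ HTTP/1.1" 200 51200 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [14/Apr/2006:10:00:05 +0200] "GET /guestbook-spam/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.10 - - [14/Apr/2006:10:05:00 +0200] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} (?:\d+|-) "[^"]*" "([^"]*)"$')

def parse(line):
    """(ip, timestamp, path, user_agent) for one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, ua

def suspicious_clients(log_text, min_repeats=3, max_gap_s=2, ua_prefix="Snoopy"):
    """Map each flagged IP to a sorted list of reasons."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        by_ip[rec[0]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = set()
        if any(ua.startswith(ua_prefix) for *_, ua in recs):
            reasons.add("snoopy-ua")          # the scraper library announcing itself
        if all("guestbook" in path for _, _, path, _ in recs):
            reasons.add("guestbook-only")     # every request targets a guestbook URL
        by_path = defaultdict(list)           # timestamps per path, regardless of UA,
        for _, when, path, _ in recs:         # so a UA switch after a block can't hide the run
            by_path[path].append(when)
        for path, times in by_path.items():
            run = 1                           # length of the current rapid-fire run
            for earlier, later in zip(times, times[1:]):
                run = run + 1 if (later - earlier).total_seconds() <= max_gap_s else 1
                if run >= min_repeats:
                    reasons.add("rapid-repeat:" + path)
                    break
        if reasons:
            findings[ip] = sorted(reasons)
    return findings
```

On the sample above only 72.232.92.138 is flagged, for all three reasons; the ordinary visitor at 192.0.2.10 is not, because it fetches each page once and also reads non-guestbook pages.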