Fairy tale spammer
I had a quiet moment at work, and decided to check on one of my regular spammers. This one seems to like fairy tale beginnings. Often kinda weird. Always sounds intriguing, but formulaic.
On my blog he’s mostly posting comments on ONE post, and he uses this user agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
What is constant is his IP number:
194.44.198.45
Jazz.Franko.Lviv.UA
We should all block this one.
He uses subdomains of what appear to be his own sites, protected whois.
He appears to be affiliate 2179, subaffiliate 17 at your-needs.info
I’ve never seen that affiliate scheme, so not sure I buy it - yet. That site has links going to peakclick, the same affiliate number. And the whois info for your-needs.info seems phony.
your-needs.info:
Domain ID:D12123766-LRMS
Domain Name:YOUR-NEEDS.INFO
Created On:15-Feb-2006 13:48:13 UTC
Last Updated On:16-Apr-2006 20:35:56 UTC
Expiration Date:15-Feb-2007 13:48:13 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Status:OK
Registrant ID:DI_2227708
Registrant Name:Masm D.
Registrant Organization:My Company
Registrant Street1:Masm str.8
Registrant Street2:
Registrant Street3:
Registrant City:Tallin
Registrant State/Province:Alytaus Apskritis
Registrant Postal Code:98756
Registrant Country:LT
Registrant Phone:+987.5698756
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: masm@ukr.net
That e-mail address can be found on the net. I found three test guestbook messages on usnun.org. That was in Google’s cache from January. Today that page has lots of links to spammy subdomains on that same site.
One of those had a javascript redirect (can we all say spammy?) to a search term on shplanet.org. The interesting part is that the redirect has the exact same type of code as the page I started tracking.
Whois info is the same for both usnun and shplanet:
Domain Name:USNUN.ORG
Created On:10-Dec-2005 19:24:29 UTC
Last Updated On:09-Feb-2006 04:08:45 UTC
Expiration Date:10-Dec-2006 19:24:29 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:OK
Registrant ID:DI_1924641
Registrant Name:Danny Price
Registrant Organization:nn
Registrant Street1:Sommerset 6
Registrant Street2:
Registrant Street3:
Registrant City:St. Petersburg
Registrant State/Province:Petersburg
Registrant Postal Code:23658
Registrant Country:RU
Registrant Phone:+658.7895423
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: masm@ukr.net
One of the links at shplanet ends up with peakclick links, but this time with apparent affiliate ID 537.
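The pivot used above (one registrant e-mail shared by several domains whose other whois fields disagree), as an added example that is not part of the original post. It parses the "Key:Value" whois format quoted above; the records are abridged copies of the two shown, and the function names are illustrative.

```python
from collections import defaultdict

# Abridged from the two whois records quoted in the post (other fields omitted).
RAW_WHOIS = """\
Domain Name:YOUR-NEEDS.INFO
Registrant Name:Masm D.
Registrant City:Tallin
Registrant Country:LT
Registrant Email: masm@ukr.net

Domain Name:USNUN.ORG
Registrant Name:Danny Price
Registrant City:St. Petersburg
Registrant Country:RU
Registrant Email: masm@ukr.net
"""

# Fields compared across records that share an e-mail (an illustrative choice).
COMPARE = ("Registrant Name", "Registrant City", "Registrant Country")

def parse_records(text):
    """Split blank-line-separated 'Key:Value' whois blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; timestamps contain more
            if sep and value.strip():              # skip empty fields such as 'Registrant FAX:'
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def pivot_on_email(records):
    """Group domains by registrant e-mail and list fields that disagree inside a group."""
    groups = defaultdict(list)
    for rec in records:
        email = rec.get("Registrant Email", "").lower()
        if email:
            groups[email].append(rec)
    report = {}
    for email, recs in groups.items():
        if len(recs) < 2:
            continue  # a single domain is not a pivot
        conflicts = {f: sorted({r.get(f, "") for r in recs}) for f in COMPARE}
        conflicts = {f: v for f, v in conflicts.items() if len(v) > 1}
        domains = sorted(r.get("Domain Name", "?").lower() for r in recs)
        report[email] = {"domains": domains, "conflicts": conflicts}
    return report

if __name__ == "__main__":
    print(pivot_on_email(parse_records(RAW_WHOIS)))
```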
Send me the link where my bot posts messages, I will remove it from base. Sorry for any troubles I have made to you.
Hi Nick,
It’s very simple: Stop spamming altogether!
Or we document what you do, and when we get enough on you, off you go to prison!
[...] Find.fm looks like an old style web directory: you can search for products you want to buy. The results are presented in a Google-like formatting, and all links go through a domain peakc.com. The latter is owned by a Stefan Meyer from Salzburg, Austria, and the first, as you might suspect, by Mark Hostetler, Rudigergasse 4, 1050 Vienna, Austria. Stefan Meyer is a too common name in German to find anything specific about the guy, but Mark was easier to track down. Rojisan outs him as the owner of Cashwebsearch.com / Peakclick.com. So we can easily suppose that he is in fact also the one behind peakc.com. He even has a Peakclick GmbH company that boasts: “We have the highest bids in the Pay-Per-Click industry; we aggregate bids from twelve paid search partners to provide you with the highest revenue potential possible.” They’ve been doing that since October 2005. One of the affiliates claims that according to the console interface some webmasters earn up to $2000 per day with (of course, that is something you *would* tell them). Peakclick also got mentioned in the recent Guardian’s quest for a spammer and in a Spamhuntress post. [...]