Archive for May, 2006

goldhqs over the top referrer spammer

Wednesday, May 10th, 2006

Block:
66.28.54.254
gw.magnoliaroad.net

They use multiple user agents. Looks like Reffy or similar.

Referrer spam for goldhqs.com

Whois:
Diversified CoCreative Ventures, Inc.
Domain Administrator (domains@diversifiedcocreativeventures.com)
+1.8153616235
Fax: +1.2068309674
5348 Vegas Dr.
Las Vegas, NV 89108
US

It’s a site promoting gold in various forms.

Payoffs:
Adsense: pub-1287241501913620
On another page I found a link to Commission Junction, with this ID: click-2017395-1481396

And at the bottom he’s got loads of links to other “topics”. Looks like links trading to me.

The website resides on 216.240.157.200, which seems to host domains from several owners. But I found at least one more with the same whois details:
1-dental-insurance-place.com
ebssales.com

Fairy tale spammer

Tuesday, May 9th, 2006

I had a quiet moment at work, and decided to check on one of my regular spammers. This one seems to like fairy tale beginnings. Often kinda weird. Always sounds intriguing, but formulaic.

On my blog he’s mostly posting comments on ONE post, and he uses this user agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

What stays constant is his IP address:
194.44.198.45
Jazz.Franko.Lviv.UA
We should all block this one.

He uses subdomains of what appear to be his own sites, protected whois.

He appears to be affiliate 2179, subaffiliate 17 at your-needs.info.

I’ve never seen that affiliate scheme, so not sure I buy it - yet. That site has links going to peakclick, the same affiliate number. And the whois info for your-needs.info seems phony.

your-needs.info:
Domain ID:D12123766-LRMS
Domain Name:YOUR-NEEDS.INFO
Created On:15-Feb-2006 13:48:13 UTC
Last Updated On:16-Apr-2006 20:35:56 UTC
Expiration Date:15-Feb-2007 13:48:13 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Status:OK
Registrant ID:DI_2227708
Registrant Name:Masm D.
Registrant Organization:My Company
Registrant Street1:Masm str.8
Registrant Street2:
Registrant Street3:
Registrant City:Tallin
Registrant State/Province:Alytaus Apskritis
Registrant Postal Code:98756
Registrant Country:LT
Registrant Phone:+987.5698756
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: masm@ukr.net

That e-mail address can be found on the net. I found three test guestbook messages on usnun.org. That was in Google’s cache from January. Today that page has lots of links to spammy subdomains on that same site.

One of those had a JavaScript redirect (can we all say spammy?) to a search term on shplanet.org. The interesting part is that the redirect has the exact same type of code as the page I started tracking.

Whois info is the same for both usnun and shplanet:

Domain Name:USNUN.ORG
Created On:10-Dec-2005 19:24:29 UTC
Last Updated On:09-Feb-2006 04:08:45 UTC
Expiration Date:10-Dec-2006 19:24:29 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:OK
Registrant ID:DI_1924641
Registrant Name:Danny Price
Registrant Organization:nn
Registrant Street1:Sommerset 6
Registrant Street2:
Registrant Street3:
Registrant City:St. Petersburg
Registrant State/Province:Petersburg
Registrant Postal Code:23658
Registrant Country:RU
Registrant Phone:+658.7895423
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: masm@ukr.net

One of the links at shplanet ends up with peakclick links, but this time with an apparent affiliate ID of 537.

Banks block gambling sites

Sunday, May 7th, 2006

We’ve been discussing what must be done to curtail webspam. The big industries are porn, pills and poker. And there’s something that can be done to make gambling spam less attractive.

Simply put: Block payment to gambling sites from banks and credit card companies.

There’s a new law underway in the US to ban credit card payment for internet gambling. Hopefully it’ll pass, soon.

Some banks have decided to block internet gambling payment on their own.

Banks in Norway are also trying to block payment to internet gambling sites. None too soon. We’ve got TV ads for gambling sites up the wazoo, and gambling is super hot in all its forms here. Most “cheap stuff” stores sell poker tables and paraphernalia.

Bypassing the banks' card block - Aftenposten.no

Norwegian banks are reporting that there are ways to bypass the blocks, by using other services. But there’s another problem: Norwegian laws say that you can’t collect on gambling debts. Which means leading Norwegians to accrue gambling debts is a very bad business model…

Update:
PayPal will bar New Yorkers from internet gambling. You see, most forms of gambling are illegal in New York.
The Herald Tribune says online gambling is illegal in the US

Forwarded mails and viruses

Sunday, May 7th, 2006

I’ve been warning about forwarded mails. Hoaxes, chain mails, etc. I’ve said they’ll eventually end up with spammers.

And I forgot one thing: It’s probably too much work to manually collect all those e-mail addresses.

Enter viruses.

We know they check address books. I don’t positively know there are viruses scanning through the bodies of e-mail on a victim’s hard drive, but I wouldn’t be surprised.

So being a recipient twice removed of a hoax may theoretically compromise your e-mail address.

Comments?

Rejecting e-mail before it’s accepted by your mailserver

Sunday, May 7th, 2006

I wasn’t going to write more about mailspam for a while now, but then I saw that someone on another blog was very curious about something I mentioned:

I reject the majority of spam before it’s accepted by my mailserver.

It’s a collection of filters that reject mail based on certain behaviors. Similar filters could probably be built for several mailservers. Mine is Postfix, and a lot has been done to make it configurable, and it’s also possible to use plug-in filters. All of this reduces the number of mails SpamAssassin has to deal with, making the whole box manage more mail in total. Mine has quite a bit of traffic, and still runs with ridiculously low resource usage. I’ve got constant dictionary spam attacks running, and they don’t even bat an eyelash.

The idea behind these filters is that viruses and spammers have certain behaviors that are different from most legitimate mailservers.

The problem is that some legitimate mailservers are set up by people who don’t know what they’re doing, so you WILL reject a measure of legitimate mail. So care must be taken to make it possible for them to contact you even so.

What happens when you reject mail before accepting it, is that you reject the mail based on the handshake information you receive from the sending server prior to receiving the e-mail. That way the mail never actually leaves the sending server, and it is responsible for sending bounces to the sending e-mail address. That reduces what we call backscatter - endless bounces from legitimate and non-legitimate mail.

Some mailservers are so broken they’ll send a notification as an e-mail to e-mail addresses used as senders of viruses. And those mailservers are often so broken the mails are rejected by my mailserver. Let’s just say there are a lot of mailservers out there that are still running by yesterday’s standards.

Run-of-the-mill webhotel (shared hosting) mailservers do not use the filters I do. Relatively few mailservers do - yet. So if you want to use those, you may need to either set up your own server, or seek out a mailserver that does include them. Edit: Run-of-the-mill webhotel mailservers DO reject mail to nonexistent e-mail addresses, as long as catchall for the domain is turned off. But they won’t reject mail addressed to existing addresses.
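As an added example, and not the blog’s own configuration, here is a Postfix main.cf fragment of the kind of handshake-time restrictions described above: each check runs before the message body is transferred, so rejected mail never leaves the sending server. It assumes Postfix 2.3 or later; the DNSBL, the greylisting socket and the exception file path are assumptions.

```conf
# Added example (not the blog's own main.cf). Everything below is evaluated
# during the SMTP dialogue, before DATA, using only what the client announces.
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

# HELO stage: a sending server that cannot present a valid hostname is
# almost always a zombie or a misconfigured box.
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

# MAIL FROM stage: envelope sender must be a real domain that resolves.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# RCPT TO stage: no relaying, no unknown local recipients, then a DNSBL.
# The client exception file comes first so that known-legitimate but badly
# configured senders still get through (hypothetical path).
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/client_exceptions,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:private/postgrey

# Clients that send the DATA command before reading our replies are
# speaking "spam cannon", not SMTP.
smtpd_data_restrictions =
    reject_unauth_pipelining
```

Rejecting at HELO or MAIL FROM gives the sender a 5xx with a reason, which is what lets the admin of a misconfigured legitimate server notice and fix it, so keep the rejection messages informative.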

Quickly get spambait address into spam lists

Saturday, May 6th, 2006

So I got myself a spambait address. One I’ll use to feed my filters.

But how do I get it into spam lists quickly?

I’ve placed it on a guestbook, a first page of a formerly often harvested site, and my blog.

No spam yet (I admit I’m impatient, it’s only been a few hours. I should give it a few days).

But let’s say you’d like to get it into play quickly, WITHOUT opting in to any spam?

Here are ways I know of to get spam, and still be able to argue you haven’t opted in to any spammer mails:

1) Subscribe to a Majordomo-style discussion list, then post once
2) Sign a guestbook or several
3) Submit a comment or forum post, and include your e-mail address
4) Put the e-mail address on your site, with a mailto link.
5) Post to Usenet (outside of the NANA groups) with an unmunged address.

So, which one’s more effective, and what have I forgotten?

Update (late May 6th):
I’ve received my first spam to this address. And it got rejected by my filters, so I didn’t get to look at it… Since I’m only using one address, I won’t know what’s effective in terms of exposing it, of course. And that particular spammer may stop using it too, since it didn’t make it past my initial filters. Well, we’ll see what happens over time.

Wow, this one had a fake address at dell.com. I’d really have liked to see what kind of spam that was! But this e-mail came from Asia, and the IP address was in the CBL blocklist just minutes after they sent that e-mail!

2nd Update (early May 7):
That same spammer keeps sending. And, originally enough, he doesn’t appear to be using zombies. Look at this collection of IP addresses:
ppp-124.120.184.217.revip2.asianet.co.th[124.120.184.217]
ppp-124.120.184.124.revip2.asianet.co.th[124.120.184.124]
ppp-124.120.145.237.revip2.asianet.co.th[124.120.145.237]

The forged sender addresses are from short, well known domains:
dell.com, ibm.com, she.com

3rd Update (afternoon May 7th):
I finally got my first spam that wasn’t rejected by the server. Fourth spam attempt. This one is a Nigerian 411 scam, with some Italian stuff on top in a different color. SpamAssassin awarded it close to 14 stars, so no point feeding it to the filter again. This is typical of the stuff you receive after signing guestbooks (and I did sign a guestbook with that address).

My new …ahem - training address

Saturday, May 6th, 2006

So, like, don’t e-mail this one:

nodontemail@can.no

I’ll feed anything caught here to my filters, unread…

Note: Publishing such addresses the way I’ve done here is generally frowned on. Such addresses should be sneaked out, so nobody knows what they’re for. Mine will be used differently, so I didn’t care. Just to say that out loud…

Keep your bayesian trained

Friday, May 5th, 2006

I apologize in advance for this looking more cryptic than usual. It’ll make perfect sense to mailserver admins who use SpamAssassin…

If you’ve got a mail server with SpamAssassin, which relies on Bayesian filtering, you need to keep it trained. Many trim the Bayesian database weekly to keep the size and speed down.

Even if you keep auto-learning on, you may end up in a situation where you reject so much spam before it’s received that your Bayesian filters deteriorate over time. They simply don’t get enough spam to keep them effective.

If and when that happens, feed the filters spam manually, and they’ll get better.

This deterioration may happen over time. Keep an eye on your spam-bin statistics. See how much of the mail gets “skimmed off the top”. If the numbers go down, chances are it’s not the sum total of the spam that’s gone down, but the effectiveness of your filters…
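An added example, not from the original post, of the kind of check suggested above: a POSIX shell function that reads `sa-learn --dump magic` output and reports whether the Bayes database still holds at least the 200 spam and 200 ham samples SpamAssassin requires by default (bayes_min_spam_num / bayes_min_ham_num) before it uses Bayes at all. The dump output embedded below is constructed for the offline demo.

```shell
#!/bin/sh
# Added example (not the blog's own script). Real usage:
#   sa-learn --dump magic | bayes_check
# SpamAssassin ignores Bayes until it has learned at least
# bayes_min_spam_num (default 200) spam and bayes_min_ham_num (default 200) ham.
MIN_SPAM=200
MIN_HAM=200

# Reads "sa-learn --dump magic" on stdin and prints "nspam nham".
# In that output the count is the third column of the nspam/nham lines.
bayes_counts() {
    awk '/non-token data: nspam/ { s = $3 }
         /non-token data: nham/  { h = $3 }
         END { printf "%d %d\n", s + 0, h + 0 }'
}

# Returns 0 when both classes have enough samples, 1 when Bayes is starved
# (the situation described in the post: too much rejected up front).
bayes_check() {
    counts=$(bayes_counts)
    nspam=${counts% *}
    nham=${counts#* }
    if [ "$nspam" -lt "$MIN_SPAM" ] || [ "$nham" -lt "$MIN_HAM" ]; then
        echo "Bayes starved: nspam=$nspam nham=$nham (need $MIN_SPAM/$MIN_HAM); feed it with sa-learn --spam / --ham"
        return 1
    fi
    echo "Bayes active: nspam=$nspam nham=$nham"
    return 0
}

# Constructed sample of "sa-learn --dump magic" output: plenty of ham,
# but the spam side has dropped below the threshold.
SAMPLE_MAGIC='0.000          0          3          0  non-token data: bayes db version
0.000          0        150          0  non-token data: nspam
0.000          0       2400          0  non-token data: nham
0.000          0      58213          0  non-token data: ntokens'

printf '%s\n' "$SAMPLE_MAGIC" | bayes_check || echo "manual training needed"
```

Run it from cron against the live database and you get an early warning before the "skimmed off the top" numbers quietly sink.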

Blue Security gets spammer testimonial

Tuesday, May 2nd, 2006

Blue Security has been hit with a DDoS attack today, and a percentage of their members have received extortion spam e-mails.

They’ve obviously rattled the spammers enough for them to strike back.

Makes me tempted to check out this whole thing… Blue Security (don’t expect the site to work as I’m posting this)

Here’s a writeup about the extortion:

Spammer Desperately Tries to Undermine Blue Security @ Alice Hill’s Real Tech News - Independent Tech

Update:
Might I suggest for our admin friends here that they find the most heavily spammed defunct e-mail address on their system? Install Blue Frog on a computer, then let it churn through the spam? Leave your own e-mail address out of it if you like, but I have to say I’m sorely tempted… My servers reject so much mail to start with, it’s hardly worth the effort, but if I had an old spammed address… wait, I think I have one lying around somewhere….

Guardian on the trail of the guestbook spammer

Tuesday, May 2nd, 2006

The spammer who spammed in Michael Pollitt’s name (and incidentally he also misused my name, as well as many other anti-spammers), started misusing an e-mail address belonging to The Guardian. They didn’t like that one bit, and are now pursuing the spammer intensely, with success:

Guardian Unlimited: Technology

The thing is, I have this nagging feeling that the degree of success in having affiliate programs and hosting pull support for a spammer is directly proportional to how famous you are, and how much public scrutiny you can bring to bear on them.

I think we need some more heavies on the warpath, preferably from having been revenge spammed by some clueless guestbook spammer!