Glen McCausland turns to webspam?
Glen McCausland is on ROKSO. Well known mail spammer, in other words.
He just comment spammed my blog.
Or, that’s what a comment spammer wants me to believe. 34 times from the same IP number. Blank referrer and user agent.
Here’s the spam:
Author : search engine ranking (IP: 65.98.40.122 , bucky.hdllc.net)
E-mail : rogertide@somtow.org
URI : searchenginepro.biz
Comment:
Hi My Friend,
This site is very nice. I am new to computers and blogs and am just
looking what is out there, to get ideas for my own site someday.
search engine ranking
Best Regards,
jean
Here’s the whois info:
Domain Name: SEARCHENGINEMASTER.BIZ
Registrant Name: Glen McCausland
Registrant Address1: 8591 S Rock Pt
Registrant City: Floral City
Registrant State/Province: FL
Registrant Postal Code: 34436
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.3526971849
Registrant Email: pre111@earthlink.net
The phone number is legit, BTW.
I wonder, did he move over to webspam or branch out to webspam? Or is this one red herring? Enquiring minds want to know. And I’m sure the good people at the webhost will want to know how to get the spamming script off their server!
Brian McWilliams at Spam Kings tracked down some stuff Glen did years ago, and he noted that Glen tended to like using pre111 e-mail accounts. Hmmm, so, the whois info might be legit? Also, on this ROKSO page, this exact e-mail address is mentioned. So it does appear like Glen is in control of the domain spamvertized.
Also, the forum connected to the spamvertized site has a username: bigmac2000. Site admin. Now that sounds an awful lot like a username Glen would like, eh? And from one post where he explains this, the program he’s hawking is a webspam program. It’s that simple. Look for yourself:
backlinkmaster.14.forumer.com/viewtopic.php?t=8
I’m starting to entertain the thought our mailspammer has found a new racket?
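The pattern noted at the top of this post (34 comment submissions from one IP address, each with a blank referrer and user agent) can be looked for in web server access logs. The following is an added example, not part of the original post; the combined log format, the /wp-comments-post.php path, the threshold and the sample lines are all assumptions, and the sample IPs are documentation addresses.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (assumed; the post does not show its logs).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def is_blank(value):
    """The combined format logs a missing header as "-"; some setups log ""."""
    return value.strip() in ("", "-")

def flag_comment_spammers(lines, comment_path="/wp-comments-post.php", threshold=5):
    """Return {ip: count} for IPs that POSTed to comment_path at least
    `threshold` times with both Referer and User-Agent blank."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != comment_path:
            continue
        if is_blank(m["referer"]) and is_blank(m["agent"]):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def sample_log():
    """Constructed sample lines, not real traffic."""
    bot = ('203.0.113.7 - - [28/Jul/2006:22:00:{:02d} +0000] '
           '"POST /wp-comments-post.php HTTP/1.0" 200 512 "-" "-"')
    lines = [bot.format(i) for i in range(34)]  # 34 posts, as in the post
    lines += [
        # Human commenter: referrer and user agent present.
        '198.51.100.20 - - [28/Jul/2006:22:05:10 +0000] "POST /wp-comments-post.php '
        'HTTP/1.1" 302 0 "http://blog.example/post/1" "Mozilla/5.0"',
        # Blank headers, but a GET of the feed rather than a comment POST.
        '198.51.100.21 - - [28/Jul/2006:22:06:00 +0000] "GET /feed/ HTTP/1.1" '
        '200 2048 "-" "-"',
        # A single blank-header POST stays below the threshold.
        '198.51.100.22 - - [28/Jul/2006:22:07:00 +0000] "POST /wp-comments-post.php '
        'HTTP/1.1" 302 0 "-" "-"',
    ]
    return lines

if __name__ == "__main__":
    for ip, count in flag_comment_spammers(sample_log()).items():
        print(f"{ip}: {count} blank-header comment POSTs")
```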
July 28th, 2006 at 10:43 pm
Hm, 65.98.40.122 is in a netblock from which I experienced an SSH attack that was more intelligent than what I’d experienced before. That ultimately led me to perform a whois on the whole netblock. It seems fortressitx.com owns everything in 65.98.0.0/12 and apparently has no whois server that works via the whois utilities. As a result I have banned their entire subnet from my networks here “for extreme suspicion”. This attack took place on the 27th from a different IP in their range, 65.98.42.234 which has interestingly evocative names - server1045.servers101.com and server2.netonemedia.com. They may be a server farm company. In which case there’s no legitimate chance my machine should be contacted from their netblock by ssh. And I don’t know of any REAL servers that submit to weblogs for anything legitimate.
{^_^} Joanne
July 29th, 2006 at 4:55 am
Yes, rwhois.fortressitx.com:4443 isn’t really responsive. Actually it even seems to be firewalled as it doesn’t send an ICMP error code, the request simply remains unanswered and times out. Makes me wonder though why they set up an rwhois server at all…
Regarding “old school” spammers switching to web spam: There are quite a lot of people on the move as it’s simply more effective, offers more opportunities to monetise the traffic (made for adsense/overture) and most of all isn’t considered a legal offense. If hosting companies are carefully selected, there’s almost nothing that could stop you from mass spamming other people’s sites.
Almost, of course the upstream provider could take the spam issue more seriously. And although there are still enough people who’ll never learn (and who prefer crying over spilt milk rather than being proactive) more and more people do prevent spam from seeing the light of day, which means a spammer has to target larger quantities of sites, thus requiring both more resources and time to build up an effective revenue stream.
July 29th, 2006 at 6:27 am
To Joanne:
rwhois may be down, but we know the server in question belongs to hostingdirect.net, just by following the breadcrumbs (hdllc.net redirects there).
July 29th, 2006 at 8:17 am
Hi.
I run hostingdirect.net. 65.98.40.122 is our address but not the one that Joanne mentions 65.98.42.234. Fortressitx is a large dedicated server company and their servers and addresses are used by all sorts of companies for all sorts of reasons.
As a web hosting company we have signups from all over the world. We have a very tough acceptable use policy (http://hostingdirect.net/aup.htm) and immediately cancel spammers. I would say that about one in ten new signups almost immediately starts email spamming or puts up a phishing page. We have active monitoring that allows us to turn them off almost immediately. We also have the maximum number of emails per hour per account set very low on our servers - far lower than a spammer would need, so at worst only about a thousand spam letters go out before we cancel.
I have actually talked with Glen by telephone in the course of setting up his account. Seems like a nice enough guy. His hosting package did not set off our email spam monitors. As far as I know, what he is doing is legal. But we did have a company meeting last night to review his use of our server and we decided to cancel his hosting. Hosting Direct simply does not need badwill caused by one of our budget hosting companies. We have over 1500 well behaved domains, mostly small churches, hobbyists and family sites. We cater to stable long term clients. I hope you understand that it is difficult to find new clients to serve without attracting some dicey characters, and that we spend a lot of time and effort to keep our good clients safe and sound (and out of the blacklists).
Thank you for your patience and understanding. And thanks for the heads up on this blogspamming operation.
July 29th, 2006 at 11:30 am
To Russell,
and thank YOU for your public reply!
Webspamming is not illegal in the same way mail spamming is. But if you look long and hard enough at it, you’ll soon find why it’s so unethical. It’s misuse of other people’s bandwidth. Webspamming bots have crashed many webservers. The load gets so high, websites are suspended, just because a webspammer is spamming them. And by now, the more hard core webspammers are using means that are illegal by themselves: Zombie nets, using insecure scripts turned into spambots, turning any kind of script against its owners by inserting spammy contents.
So thank you for deciding on not allowing spambots. I hope you will include spamvertized domains in this decision as well! For any possible future infractions by other spammers, I mean.