Archive for August, 2006

More trojans on Inhoster

Thursday, August 31st, 2006

My previous post was only scratching the surface.

By checking for domains on IP numbers and then googling them, I found legions of subdomains (almost all of them visibly spamvertized) on all domains on these IP numbers that had the banner URL that led to the Web Attacker code mentioned in my previous post:

216.255.185.9
216.255.185.10
216.255.185.11
216.255.185.12
216.255.185.13
216.255.185.14
216.255.185.15
216.255.185.16
216.255.185.17
216.255.185.18
216.255.185.19
216.255.185.20
216.255.185.21
216.255.185.22
216.255.185.23
216.255.185.24
216.255.185.25
216.255.185.26

And probably a lot more.

And I found a Norwegian pay-per-click search engine that had a Norwegian language page from one of the domains. Considering the spammers have possibly paid money for that placement, it’s a big vote AGAINST that SE: hent.no

More whois info:

uniq-soft.com (one of the cutouts) on 81.177.26.26

09/01/06 11:53:20 whois uniq-soft.com

Registrar Onlinenic

Registrant:
Fedorchenko-mladshiy fedir@ep.ua +7.4954950099
Fedorchenko-mladshiy
Lubyanka
Moscow,Moscow,RUSSIAN FEDERATION 100998

Domain Name:uniq-soft.com
Record last updated at 2006-08-09 19:46:23
Record created on 2006/8/9
Record expired on 2007/8/9

Domain servers in listed order:
ns1.game4all.biz   ns2.game4all.biz

09/01/06 11:55:02 whois gruhit.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
WorlLTD
Orly        (orly65@bk.ru)
Olimpiskay 20-65
Himki
Cy,654287
RU
Tel. +634.564342748

Creation Date: 21-Feb-2006
Expiration Date: 21-Feb-2007

Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com
09/01/06 11:56:40 whois FREEFOK.COM

Registrant:
MainGlac
Lenin Ilich        (estdomains@mail.ru)
krzsnay plochad - 1
Moskwa
Moskovskaya oblast,654198
RU
Tel. +095.65178922

Creation Date: 21-Feb-2006
Expiration Date: 21-Feb-2007

Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

Basically, they do a different whois for every other IP number, so this could go on forever.
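Rather than chasing every new whois identity, pivot on what the records share. The script below is an added example, not something from the original post: it parses the whois transcripts quoted in this post and in the Trojan dropping post further down, copied as they appear there but trimmed to the header, registrar, contact address and name-server lines, and groups the domains by name servers, registrar and e-mail. Both transcript layouts (Onlinenic's servers on one line, EstDomains' one per line) are handled.

```python
import re
from collections import defaultdict

# Whois output copied from this post and from the Trojan dropping post below, trimmed to the
# header, registrar, contact e-mail and name-server lines. Layout is the transcript format shown there.
WHOIS_DUMP = """\
09/01/06 11:53:20 whois uniq-soft.com
Registrar Onlinenic
Fedorchenko-mladshiy fedir@ep.ua +7.4954950099
Domain servers in listed order:
ns1.game4all.biz   ns2.game4all.biz

09/01/06 11:55:02 whois gruhit.com
Registration Service Provided By: ESTDOMAINS INC
Orly        (orly65@bk.ru)
Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

09/01/06 11:56:40 whois FREEFOK.COM
Lenin Ilich        (estdomains@mail.ru)
Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

08/31/06 12:22:27 whois mytcentral.com
Registration Service Provided By: ESTDOMAINS INC
Serg (serg78@pisem.net)
Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

08/31/06 12:23:09 whois se-v.com
Registration Service Provided By: ANUNAH LLC
Abdula Khaled-Mamed Dzibah (glac@crybits.com)
Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

08/31/06 12:21:21 whois ps500.com
Registration Service Provided By: ESTDOMAINS INC
Alex Zudov (work@vnukovo.net)
Domain servers in listed order:
ns1.dns-parking.com
ns2.dns-parking.com

08/31/06 12:20:46 whois 24hwebsex.com
Registration Service Provided By: ESTDOMAINS INC
Alex Ferietko (websex24hour@yahoo.com)
Domain servers in listed order:
ns2.24hwebsex.com
ns1.24hwebsex.com
"""

HEADER_RE = re.compile(r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} whois (\S+)$", re.M)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
NS_RE = re.compile(r"Domain servers in listed order:\n((?:\S.*\n?)+)")
REGISTRAR_RE = re.compile(r"^(?:Registrar|Registration Service Provided By:)\s*(.+)$", re.M)


def parse_whois_dump(text):
    """Split a transcript of several whois lookups into one record per domain."""
    records = {}
    headers = list(HEADER_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.start():end]
        emails = EMAIL_RE.findall(body)
        ns = NS_RE.search(body)
        reg = REGISTRAR_RE.search(body)
        records[h.group(1).lower()] = {
            "email": emails[0].lower() if emails else None,
            # EstDomains lists one server per line, Onlinenic puts both on one line; split() covers both
            "nameservers": sorted(n.lower() for n in ns.group(1).split()) if ns else [],
            "registrar": reg.group(1).strip() if reg else None,
        }
    return records


def pivot(records, field):
    """Group domains that share a whois value; only groups of two or more are interesting."""
    groups = defaultdict(list)
    for domain, rec in records.items():
        value = rec[field]
        groups[",".join(value) if isinstance(value, list) else value].append(domain)
    return {k: sorted(v) for k, v in groups.items() if k is not None and len(v) > 1}


if __name__ == "__main__":
    recs = parse_whois_dump(WHOIS_DUMP)
    for field in ("nameservers", "registrar", "email"):
        for value, domains in pivot(recs, field).items():
            print(f"{field} = {value}: {', '.join(domains)}")
```

Run as is, it shows that gruhit.com, FREEFOK.COM, mytcentral.com and se-v.com all sit on ns14/ns15.crybits.com and that four of the seven are EstDomains registrations, while no contact e-mail repeats: the name servers and the registrar are the stable pivots here, the registrant details are not.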

Trojan dropping from Inhoster

Thursday, August 31st, 2006

I started out reporting a comment spammer to Intercage. He was spamming from 216.255.190.66.

The spam contained a URL at mytcentral.com, which is at 216.255.185.10.

I checked the URL in my browser, and my anti-virus woke up and nuked a trojan.

So I checked some more. Can’t say for sure I found the infectious stuff, but here’s what I think I found:

There was an advertising banner at se-v.com (69.50.177.38), which among other things produced an iframe of one pixel width and height. That one was on ps500.com (85.255.116.246).

From then on, I found a string of 302 redirects on the same domain: 24hwebsex.com (85.255.116.246), ending up at a very risky looking (nb, I’ve munged it to avoid accidental infections):

http://24hwebsex.com*/demo.php

I tried that URL directly anyway, and got this (blank) URL in return:

http://www.24hwebsex.com*/cgi-bin/ie0606.cgi?type=MS06-006

When I try that with a text browser and redact the type, I get this (munged, both code and some detail):

Web-Attacker Control panel

Your IP is: (munged)

Your Browser is: Firefox 1.5.0.6

Your Operation System is: Windows XP

Current Date and Time: 31-Aug-2006 12:8

Please enter the password to access the statistics

FORM action - http://24hwebsex.com*/cgi-bin/ie0606.cgi

INPUT type “password” name “password”

INPUT type “submit” value “Enter”

I found mention of this software at the Bleedingedge forums.

And it might be the same software Sophos wrote about in March. Wikipedia entry.
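A one-by-one-pixel iframe is the thing to look for when a banner starts a chain like this. Added example, not from the original post: a small parser that pulls out the frames a visitor can never see, run on constructed markup modelled on the description above (the ps500.com src comes from the post; the other hosts are placeholders). It only reads the HTML, so nothing it flags is fetched.

```python
import re
from html.parser import HTMLParser

# Constructed banner markup modelled on the chain described above; not the page served by se-v.com.
SAMPLE_BANNER = """<html><body>
<a href="http://ads.example/click"><img src="http://ads.example/banner.gif" width="468" height="60"></a>
<iframe src="http://ps500.com/x.html" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://partner.example/widget" width="300" height="250"></iframe>
<iframe src="http://other.example/h" style="display:none; width:0; height:0"></iframe>
</body></html>"""


class HiddenFrameFinder(HTMLParser):
    """Collect iframe/frame sources a visitor cannot see: tiny dimensions or hidden by CSS."""

    def __init__(self):
        super().__init__()
        self.hidden, self.visible = [], []

    @staticmethod
    def _pixels(value):
        # "1", "1px", "0%" -> 1, 1, 0; missing or unparsable -> None
        if value is None:
            return None
        m = re.match(r"\s*(\d+)", value)
        return int(m.group(1)) if m else None

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = dict(attrs)
        src = a.get("src") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        w, h = self._pixels(a.get("width")), self._pixels(a.get("height"))
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        hidden_css = (
            "display:none" in style
            or "visibility:hidden" in style
            or re.search(r"(?:^|;)(?:width|height):0(?:px)?(?:;|$)", style) is not None
        )
        (self.hidden if tiny or hidden_css else self.visible).append(src)


def find_hidden_frames(html):
    """Return (hidden frame sources, visible frame sources) for one HTML document."""
    parser = HiddenFrameFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden, parser.visible


if __name__ == "__main__":
    hidden, visible = find_hidden_frames(SAMPLE_BANNER)
    for src in hidden:
        print("hidden frame ->", src)
    for src in visible:
        print("visible frame ->", src)
```

Each hidden src is the next hop to look up (host, IP, whois) before deciding whether to request it at all, and then only from a text client that will not render it.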
——————

Whois:

08/31/06 12:22:27 whois mytcentral.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
none
Serg (serg78@pisem.net)
Lesnay 1-54
Pushkino
msk,687120
RU
Tel. +321.96478521

Creation Date: 21-Feb-2006
Expiration Date: 21-Feb-2007

Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

08/31/06 12:23:09 whois se-v.com

whois -h whois.estdomains.com se-v.com …
Registration Service Provided By: ANUNAH LLC

Registrant:
N/A
Abdula Khaled-Mamed Dzibah (glac@crybits.com)
Shaytanhasy Obdukurlasy 2
Islamabad
Islamabad,54000
PK
Tel. +763.2784936

Creation Date: 17-Mar-2006
Expiration Date: 17-Mar-2007

Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

08/31/06 12:21:21 whois ps500.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
none
Alex Zudov (work@vnukovo.net)
Uralskay 14
Zarechensk
Msk,095437
RU
Tel. +78.63798524

Creation Date: 03-Aug-2006
Expiration Date: 03-Aug-2007

Domain servers in listed order:
ns1.dns-parking.com
ns2.dns-parking.com

08/31/06 12:20:46 whois 24hwebsex.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
n/a
Alex Ferietko (websex24hour@yahoo.com)
Hrushevsky str 16, ap 26
Ivano-Frankivs
Ivano-Frankivs’ka Oblast’,252033
UA
Tel. +38.0342225216

Creation Date: 16-Jul-2006
Expiration Date: 16-Jul-2007

Domain servers in listed order:
ns2.24hwebsex.com
ns1.24hwebsex.com

Update: Check out the Spamhaus record for 85.255.116.246

Misconfigured mailservers keep on bouncing

Thursday, August 31st, 2006

I found multiple attempts to reach nonsense addresses on one of our domains this morning. It was so weird, I just had to blog it. I’ve redacted the domain, but kept the attempt count.

As far as I can tell, that domain was used as the from address in a spamrun. These message counts represent the MAILER-DAEMON bounces from misconfigured mail servers. When mail is rejected, they just keep on trying.

And no, I don’t accept bounces for non-existing addresses.

36   dang.anything
34   concocter.breadroot
34   Millerbodhisattva
33   cedillaacademe
30   biconcavecircumvent
24   complyambrosial
18   conantcybernetics
14   barnyarddeneb
10   biconcavecannonball
9   acetate.attention
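Separating those bounce retries from ordinary spam aimed at the same nonsense addresses is the check the table above implies. Added example, not the author's script or logs: the log lines are constructed in Postfix reject format (an assumption, since the post shows only the totals) and the domain is kept redacted as in the post. The tell is the null envelope sender, from=<>, which every bounce carries; repeated rejects of one address from one client are the misconfigured server retrying after a permanent 550.

```python
import re
from collections import Counter

# Constructed Postfix-style reject lines standing in for the author's log; the format is assumed.
SAMPLE_LOG = """\
Aug 31 06:12:01 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 550 5.1.1 <dang.anything@redacted.example>: Recipient address rejected: User unknown in local recipient table; from=<> to=<dang.anything@redacted.example> proto=ESMTP helo=<mail.example.net>
Aug 31 06:12:09 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 550 5.1.1 <dang.anything@redacted.example>: Recipient address rejected: User unknown in local recipient table; from=<> to=<dang.anything@redacted.example> proto=ESMTP helo=<mail.example.net>
Aug 31 06:13:44 mx postfix/smtpd[1207]: NOQUEUE: reject: RCPT from relay.example.org[198.51.100.7]: 550 5.1.1 <concocter.breadroot@redacted.example>: Recipient address rejected: User unknown in local recipient table; from=<> to=<concocter.breadroot@redacted.example> proto=ESMTP helo=<relay.example.org>
Aug 31 06:15:02 mx postfix/smtpd[1210]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <webmaster@redacted.example>: Recipient address rejected: User unknown in local recipient table; from=<promo@spammer.example> to=<webmaster@redacted.example> proto=SMTP helo=<x>
Aug 31 06:16:30 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 550 5.1.1 <dang.anything@redacted.example>: Recipient address rejected: User unknown in local recipient table; from=<> to=<dang.anything@redacted.example> proto=ESMTP helo=<mail.example.net>
"""

REJECT_RE = re.compile(
    r"RCPT from (?P<client>\S+): 550 [\d.]+ <(?P<rcpt>[^>]+)>: Recipient address rejected: "
    r"User unknown.*?from=<(?P<sender>[^>]*)> to=<(?P=rcpt)>"
)


def count_bounce_retries(log_text):
    """Count rejected deliveries to unknown local parts that arrive with a null envelope sender.

    from=<> marks a bounce/DSN. Ordinary spam to the same bad addresses carries a sender and
    is skipped, so what is left is remote servers retrying a delivery we already refused with 5xx.
    Returns (count per local part, count per sending client).
    """
    per_rcpt, per_client = Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group("sender") != "":
            continue
        per_rcpt[m.group("rcpt").split("@", 1)[0]] += 1
        per_client[m.group("client")] += 1
    return per_rcpt, per_client


def format_table(counter):
    """Render counts in the same 'count  local-part' layout the post uses."""
    return "\n".join(f"{n:<4}{name}" for name, n in counter.most_common())


if __name__ == "__main__":
    by_rcpt, by_client = count_bounce_retries(SAMPLE_LOG)
    print(format_table(by_rcpt))
    print()
    print(format_table(by_client))
```

The per-client table is the one to act on: a server that retries the same 550 is the one to report (or to rate-limit), whatever forged From address the spam run used.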

Den Kokareff - spammer

Tuesday, August 29th, 2006

I’ve been receiving lots of comment spam lately that’s obviously culled from a news feed, with spammy links interspersed, hidden behind the text. Here’s an example from today, with the links redacted:

Cable deal lifts B’ville station Time Warner Cable and three Baldwinsville-area municipalities tentatively life insurance comparison agreed to a deal that would guarantee the local cable access station a steady source of money life insurance comparison the next decade.

One of the links was:

http://eteamz.active.com/businessloan/files/life-insurance-comparison.html

It had a javascript redirect to:

http://search.comparezone.info/life-insurance-comparison.html

Now, that site is on the same IP the spam came from:

70.84.176.58 - The Planet

I checked my inbox. I had 429 spams from that IP address in August.

In addition to Adsense, the site had several affiliate links that I didn’t bother to figure out:

Adsense: pub-2039039127093366

The site is on a net block that rwhois says is owned by CPS Labs Ltd, in Illinois. Problem is, the only company with that exact name I could find on the net, is actually in the Russian Federation. That got me curious enough to keep digging. So far I’ve been unable to find a company by that name in Oak Park, Illinois.

However, CPS Labs has at least two IP blocks at The Planet:

70.84.176.56 - 70.84.176.63
67.19.100.224 - 67.19.100.231

Some whois data used by sites on those ranges is obviously fake:

John Smith
Apartado Postal
Quito, 423012 423012
Ecuador

But the guy who’s really behind this forgot to hide very well:

Kokareff, Den den_kokareff@hotmail.com
32 Rebecca Rd
East Hanover, New Jersey 07936
United States
9733861607 Fax –

That’s a legit address, and I found an older listing (confirmed October 2005) for him at that address:

Denis Kokarev
32 Rebecca Rd
East Hanover, NJ 07936-3431
(973) 386-1607

Unless this guy’s been whois joe jobbed by the spammer, he IS the spammer.

Update: There is or was a 30 year old by that name in Oak Park, Illinois. Maybe that’s the new address?

Scraper sells off sites

Monday, August 28th, 2006

Ajay got a bit hot under the collar regarding a site that stole his content via an RSS scraper. That site is now for sale, apparently as is.

Stolen Content, Sitepoint and Host turn blind eye!

BTW, I’ve had some questions why I don’t like scraping of my entire articles and republishing them without my permission. Besides the obvious (I want people to come to my site rather than thinking it’s over somewhere else), there’s another reason:

I often update my posts, sometimes even weeks and months after I first wrote them. If new information comes to my attention, or I got something wrong, I will update the post. I don’t like the thought of another site having an entire copy of an outdated post, without my edits on it!

Fourth fake Spamcop site

Saturday, August 26th, 2006

I’ve written about a few fake Spamcop sites.

The fourth is abusecenter.org.

It’s on 82.179.172.131, which holds maybe 50 Italian language websites.

I checked one of them, and it had Google websearch results, complete with links to the cache (which has a Google IP). But people won’t see that page, and won’t click on those links (tipping Google off). Because human visitors are redirected through a tricky obfuscated javascript (not the same script as the other fake Spamcop sites I’ve seen so far). That javascript sends you to

http://js.gbeb.cc/advertizing/?ref=

There’s an even trickier redirect on there, that will spit you out to abusecenter.org if you’re not coming directly from a search engine.

But I’m not going to try coming from a search engine, at least not on this machine, because I found some Italians talking about a trojan on that IP, and they mentioned the site I tried specifically. This was yesterday, and the Babelfish translation isn’t good enough to figure out exactly what they’re complaining about. I did figure out they’re complaining about the search engine spam this group is committing, though.

So, this MIGHT be another spammer with a similar MO. I haven’t been able to find any throwaways pointing to this version, so I don’t know for sure what’s going on.

Whois:

Domain Name:ABUSECENTER.ORG
Created On:26-Jul-2006 12:28:40 UTC
Last Updated On:26-Jul-2006 12:28:46 UTC
Expiration Date:26-Jul-2007 12:28:40 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Registrant Name:Josef Gehringer
Registrant Organization:none
Registrant Street1:Lexington Avenue 91 47
Registrant City:NEWARK
Registrant State/Province:New Jersey
Registrant Postal Code:07175
Registrant Country:US
Registrant Phone:+1.2012246424
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: admin@abusecenter.org
Name Server:MANAGEDNS1.ESTHOST.COM
Name Server:MANAGEDNS2.ESTHOST.COM

And this one too was registered with EstDomains, though the other domains were registered somewhere else. And the IP is in St. Petersburg, Russia.

Third fake Spamcop site

Saturday, August 26th, 2006

I’ve written about fake Spamcop sites recently.

I found a third site:

spampatrol.org

This one is on 67.19.92.171

Whois:

Registrant Name:Jerry Hirster
Registrant Organization:Spam Patrol
Registrant Street1:1000 Cameron Woods Drive, Apex, NC 27523
Registrant Street2:
Registrant Street3:
Registrant City:Apex
Registrant State/Province:
Registrant Postal Code:27523
Registrant Country:US
Registrant Phone:+866.8260453
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: abuse@spampatrol.org

But it’s registered on EstDomains…

And other sites on that same IP number look decidedly spammy…

One of those sites is hydrocodone-1.com. What’s interesting is that it’s got a similar javascript redirect as the other sites. And this goes to a php redirect script on emaxrdr.com (on 207.226.162.125) which then redirects to abusecentral.org, which we remember from my first post!

Most of these domains have whois info pointing to (fake, of course):

Josua Givash        (emaxseo@gmail.com)
5821 Reddman Road
Charlotte
North Carolina,28212
US
Tel. +866.7465632

Yet another fake spamcop site

Saturday, August 26th, 2006

A reader at the Spamcop forums found yet another fake spamcop site.

This one uses the same redirect script we found at Redirect to Spamcop.

The javascript on the spamvertized throwaways is the same, except this time it redirects to:

http://netcat45.isprime.com/tools/r/?r=&cat=somekeyword

What comes out the other end is either abusepost.com, if you’re accessing the throwaway directly, like bloggers and others investigating would, or, if you come from Google or another search engine, an affiliate page depending on the keyword.

I found spam sent directly from the server abusepost.com is on: 66.230.167.245

But I also found spam with the e-mail address sksld@mymail.com, pointing to both redirect sites.

So, either the same spammer, or a software package that takes care of everything?
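The referer-dependent redirect described here and in the Fourth fake Spamcop site post above can be tested without loading the page in a browser. Added example, not the spammer's script or anything from the original post: `spammer_redirect` is a model of the behaviour described (the affiliate.example URL is a placeholder), `live_fetch` requests a single hop with a text-browser User-Agent and never follows or executes anything, and `detect_cloaking` compares the direct hop with one carrying a faked Google search Referer. The list of search-engine hostnames is an assumption; the post names only Google.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse

# Referer hosts the redirector is assumed to treat as search traffic (the post mentions Google only).
SEARCH_HOST_MARKERS = ("google.", "yahoo.", "msn.", "live.", "ask.")


def came_from_search_engine(referer):
    """True if the Referer header looks like a search-engine results page."""
    if not referer:
        return False
    host = urlparse(referer).netloc.lower()
    return any(marker in host for marker in SEARCH_HOST_MARKERS)


def spammer_redirect(referer, keyword):
    """Model (not the real script) of the behaviour described above: searchers get an
    affiliate page picked by keyword, everyone else gets the fake anti-spam front."""
    if came_from_search_engine(referer):
        return f"http://affiliate.example/landing?kw={keyword}"  # placeholder target
    return "http://abusepost.com/"


def simulated_fetch(url, referer=None):
    """Offline stand-in for live_fetch so the probe can be exercised without a network."""
    keyword = urlparse(url).query.split("cat=", 1)[-1] or "somekeyword"
    return spammer_redirect(referer, keyword)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface a 3xx as HTTPError instead of following it


def live_fetch(url, referer=None, timeout=10):
    """Fetch one hop only: the Location of a redirect, or the URL that answered 200.
    No redirect is followed and no body is parsed, so a javascript redirect or exploit
    in the response is never triggered."""
    req = urllib.request.Request(url, headers={"User-Agent": "Lynx/2.8.5"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.geturl()
    except HTTPError as err:
        return err.headers.get("Location") or f"HTTP {err.code}"


def detect_cloaking(fetch, url, keyword="somekeyword"):
    """Probe the same URL twice and report whether the redirect target depends on Referer."""
    direct = fetch(url, referer=None)
    searcher = fetch(url, referer=f"http://www.google.com/search?q={keyword}")
    return {"direct": direct, "from_search": searcher, "cloaked": direct != searcher}


if __name__ == "__main__":
    result = detect_cloaking(simulated_fetch, "http://netcat45.isprime.com/tools/r/?r=&cat=somekeyword")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Swap `simulated_fetch` for `live_fetch` to probe a real throwaway. Do it from a machine you are prepared to treat as exposed anyway, since even a single unrendered request tells the operator your IP, and record both hops: the pair (decoy for direct visitors, affiliate page for searchers) is the evidence the hosting abuse desk needs.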

Whois:

08/26/06 17:47:15 whois abusepost.com

Registrant:
John Smith manager@abusepost.com +1.2024783654
Abuse Post Inc.
3520 Wisconsin Ave NW
Washington,DC,US 20016

Domain Name:abusepost.com
Record last updated at 2006-08-04 03:38:13
Record created on 2006/8/4
Record expired on 2007/8/4

Domain servers in listed order:
ns1.abusepost.com   ns2.abusepost.com

A peek behind the scenes at a spammer’s lair

Saturday, August 26th, 2006

I got a comment that appeared to be from the guy who impersonated Michael Pollitt recently. I knew from before that this one is a bit sloppy, so I checked the IP address. Turns out he left all his files out in the open.

zonewarez.net

You’ll find site logs as well as logs from his spamming. Check it while it’s still operational.

New broom at EV1 - will he sweep out webspam?

Friday, August 25th, 2006

Update: Chris Newcomb has been the head of the EV1 abuse department for years. He’s the new abuse manager for The Planet, after the merger between the two companies. The management he was commenting on was that of The Planet. Unfortunately, this means we can’t expect more from EV1 than we’re accustomed to: EV1 is known for not nuking accounts for webspamming unless they have incontrovertible evidence. In their case, they hardly ever do anything about it.

September 1, 2006: I notified The Planet about comment spam coming from 70.84.176.58 on August 29. It’s still going strong. Typical EV1 incompetence when it comes to webspam, in other words.
—————

Found this in my referrers: EV1/ThePlanet takes action against spammers

I guess we’ll see when he’ll get around to clearing out the webspammers, eh?

Here’s a quote from news.admin.net-abuse.blocklisting:

Bill,
While I would love to speak for the previous administration of the abuse desk, I cannot. I however can speak for the current administration which I am the manager of. It will take me some time to get everything cleaned up, which I will spend more time on focusing on rather than responding here. If you or anyone else for that matter have any ongoing issues, please feel free to contact me at chrisn at ev1servers dot net. Since I have taken over management of the abuse desk my priorities are to get the glaring problems cleaned up first, and then go after the small problems.

Looks promising, provided he’ll get around to our problems, of course.

Update: There are posts by him to NANAB going back to November 2005, when he was “Abuse Team Leader” at EV1. No significant action was happening back then, so unless he’s had a change of direction, I guess we shouldn’t expect too much now, eh?

Here he is, including a photo.