Redirect to spamcop

I followed a link to a free phpBB forum, from a comment spam I’d received. It had a redirect in the subtitle line, as usual. But this was no ordinary redirect. It was the screwiest type of redirect I’d ever seen.

I managed to deobfuscate it, and saw that it pointed to an IP address: 207.226.162.126 (which answers as fat-women-porn.shacknet.nu, which in turn doesn’t resolve). The document was a php file with some keywords.

Trouble is, that php document spits back a redirect to:

abusecentral.org

It’s a fake spamcop site, on a nearby IP address: 207.226.162.122

Whois:

Domain Name:ABUSECENTRAL.ORG
Created On:18-Apr-2006 03:37:18 UTC
Last Updated On:26-Jul-2006 11:45:40 UTC
Expiration Date:18-Apr-2007 03:37:18 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:DI_2795099
Registrant Name:Dan Bush
Registrant Organization:n/a
Registrant Street1:700 Co Op City Blvd Bronx
Registrant Street2:
Registrant Street3:
Registrant City:New York
Registrant State/Province:New York
Registrant Postal Code:10475
Registrant Country:US
Registrant Phone:+1.7183205492
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: red12@neotwin.com

I poked around some, and that script gives a different result if you come in from a search engine. The abusecentral page is supposed to throw anti-spammers off his scent. The trail seems to end at pharmasearch.name (also on 207.226.162.126).
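To see this kind of Referer-dependent redirect for yourself, here is a small Python probe. It is an added example, not code from the original post or from the spammer's site: it runs a local stand-in for the cloaking script (the paths /redir.php, /landing and /decoy are invented for the demo), then fetches the same URL hop by hop once with no Referer and once with a Google Referer and reports where each chain ends. Point follow_chain() at a real URL and it walks the redirect chain without letting the HTTP library follow anything automatically, so every hop is visible.

```python
import http.client
import http.server
import threading
from urllib.parse import urljoin, urlparse

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SEARCH_ENGINE_HOSTS = ("google.", "yahoo.", "msn.", "live.")


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the redirect script on the spammer's host
    (hypothetical paths /redir.php, /landing, /decoy). A visitor whose
    Referer is a search engine is sent on to the affiliate landing page;
    anyone else, such as an investigator following the link by hand, is
    bounced to the decoy (the fake spamcop page in the post)."""

    def do_GET(self):
        path = self.path.split("?", 1)[0]
        referer = self.headers.get("Referer", "")
        if path == "/redir.php":
            from_search = any(h in referer for h in SEARCH_ENGINE_HOSTS)
            self.send_response(302)
            self.send_header("Location", "/landing" if from_search else "/decoy")
            self.end_headers()
            return
        body = f"page: {path}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Serve CloakingHandler on an ephemeral localhost port in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def fetch_once(url, headers):
    """One HTTP GET with no automatic redirect following, so every hop is visible."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    try:
        target = u.path or "/"
        if u.query:
            target += "?" + u.query
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow_chain(url, referer=None, user_agent=UA, max_hops=10):
    """Walk a redirect chain hop by hop; returns [(url, status), ...] ending
    with the final non-redirect response. Refuses loops and over-long chains."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    chain = []
    for _ in range(max_hops):
        status, location = fetch_once(url, headers)
        chain.append((url, status))
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return chain
    raise RuntimeError(f"more than {max_hops} hops from {url}: loop or redirect ping-pong")


def probe_cloaking(url):
    """Fetch the same URL directly and with a search-engine Referer. If the
    chains end at different places, the script is cloaking on the Referer."""
    chains = {
        "direct": follow_chain(url),
        "from_google": follow_chain(url, referer="http://www.google.com/search?q=pharmacy"),
    }
    finals = {name: chain[-1][0] for name, chain in chains.items()}
    return len(set(finals.values())) > 1, finals


if __name__ == "__main__":
    server, base = start_server()
    try:
        cloaked, finals = probe_cloaking(base + "/redir.php")
        print("cloaked:", cloaked)
        for name, final in finals.items():
            print(f"  {name:11} -> {final}")
    finally:
        server.shutdown()
        server.server_close()
```

Walking the chain one hop at a time matters: a browser, or a library that follows redirects silently, shows you only the last page, and a script like this hands the decoy to anyone not arriving from a search engine, which is exactly the situation an investigator clicking the link is in. Vary the User-Agent the same way if the script also keys on crawler strings.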

Whois:

Registrant Organization: Aivar
Registrant Name: Aivars Iltans
Registrant Address: Invu 9
Registrant City: Mexico
Registrant Country: MEXICO
Registrant Postal Code: 23258
Admin ID: 1753557CONTACT-NAME
Admin Organization: Aivar
Admin Name: Aivars Iltans
Admin Address: Invu 9
Admin City: Mexico
Admin Country: MEXICO
Admin Postal Code: 23258
Admin Phone Number: +2.888375498

Registered at EstDomains, and the e-mail address is on a domain that has no DNS.
The affiliate scheme is klik.php at 64.111.210.10

You can see the size of this operation by downloading the logs off a subdirectory on 207.226.162.126.

—————

The spambot in this case was 85.255.117.253, which has posted other spams since August 22. The User-Agent was: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

The two most recent spams had this at the end of the body of the comment:

End ^) See you test

That’s curious, since it was also something I found in the files of a spambot (on a hacked site) that did a few revenge spams - on my site, impersonating Michael Pollitt. That time, it had this form:

End ^) See you

Spams with the first variation go back to August 23, while the second variation goes back to the beginning of August. And yes, it’s the same spam script, but a different MO. The payload URLs are different. Could be a different spam campaign, or two spammers.

———

Another whois variation implicated is:

TraffMan
Andris Maupalis (traffman@gmail.com)
Elgavas - 18/25
Riga
,LV2019
LV
Tel. +371.52477618

I found his sites in various ways. Both on 207.226.162.126 and on 69.31.41.84.

There’s a LOT of evidence in those logs, wow!

There’s a tentative link to something I wrote about on Hinter Inc. 207.226.162.126-207.226.162.138 contains dynamic IP subdomains, with affiliate-looking redirects to dynamicscripting.com. That overlaps this spammer by one IP address. What’s interesting is that there are some regular domains on some of the IP numbers, and those do not have affiliate-looking links/redirects. Just regular search links. Each redirect also has a different number, so it’s possible it’s a “fake affiliate scheme”.

———-

Spambots:

85.255.117.253 (Inhoster has one of his sites on it, when accessing the IP number)
82.137.209.12
202.155.100.96
210.17.38.206
125.60.204.68

Several of these are in RBL lists for mail spamming.
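The RBL check itself is just a DNS lookup: reverse the octets of the address, append the list's zone, and see whether the name resolves to something in 127.0.0.x. Below is an added example in Python, not part of the original post. It uses a made-up zone (dnsbl.example) and a fake resolver with invented answers for RFC 5737 test addresses so it runs offline; the verdict strings are this example's own. Pass the default resolver and a real zone such as zen.spamhaus.org for a live query.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/24")             # normal DNSBL "listed" answers
SPAMHAUS_ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")  # Spamhaus "query rejected" codes


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone, e.g. 85.255.117.253 under
    zen.spamhaus.org becomes 253.117.255.85.zen.spamhaus.org.
    Raises ValueError for anything that is not a plain IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Look one address up in one DNSBL zone.

    Returns (verdict, answer) where verdict is:
      'listed'      - answer in 127.0.0.0/24 (what the x in 127.0.0.x means is zone-specific)
      'not_listed'  - NXDOMAIN
      'query_error' - Spamhaus-style 127.255.255.x (query via a public resolver,
                      over the free-use limit, ...); this is not a listing
      'unexpected'  - any other answer (wildcard or dead zone; never trust it)
    'resolve' is injectable so the logic can be exercised without live DNS."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return "not_listed", None
    a = ipaddress.IPv4Address(answer)
    if a in LISTED_RANGE:
        return "listed", answer
    if a in SPAMHAUS_ERROR_RANGE:
        return "query_error", answer
    return "unexpected", answer


def check_many(ips, zone, resolve=socket.gethostbyname):
    """Verdict per address for a batch, flagging malformed entries instead of dying."""
    out = {}
    for ip in ips:
        try:
            out[ip] = check_dnsbl(ip, zone, resolve)
        except ValueError:
            out[ip] = ("invalid", None)
    return out


# Constructed answers standing in for a live DNSBL so the example runs offline.
# The addresses are RFC 5737 documentation ranges; nothing here reflects a real listing.
FAKE_ZONE = "dnsbl.example"
FAKE_ANSWERS = {
    "1.2.0.192.dnsbl.example": "127.0.0.2",          # 192.0.2.1    -> listed
    "7.100.51.198.dnsbl.example": "127.255.255.254",  # 198.51.100.7 -> query rejected
    "9.113.0.203.dnsbl.example": "10.0.0.1",          # 203.0.113.9  -> garbage from a dead zone
}


def fake_resolve(name):
    try:
        return FAKE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN")  # what a real resolver raises for an unlisted address


if __name__ == "__main__":
    sample = ["192.0.2.1", "192.0.2.2", "198.51.100.7", "203.0.113.9", "not-an-ip"]
    for ip, (verdict, answer) in check_many(sample, FAKE_ZONE, fake_resolve).items():
        print(f"{ip:16} {verdict:12} {answer or ''}")
    # Live check of the spambots above: check_many(bots, "zen.spamhaus.org")
```

Two caveats a quick one-liner with host or dig tends to miss: a 127.255.255.x answer from Spamhaus means your query was refused (typically because it went through a public resolver), not that the address is listed, and a retired zone can wildcard every name to some address, which would make everything look listed if you only test for "resolved at all".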

A site on 85.255.117.253 had this whois:
Hiromax ltd
Hiromax ltd (tech@hiramax.com)
Suite 2, Portland House, Glacis Road
Suite 2
,00000
GI
Tel. +1.3023380662
Fax. +1.3023380662

One of the scripts I found on the spammer’s site had the name Hiromax as the owner of the (redirect) script.

3 Responses to “Redirect to spamcop”

  1. Brian Says:

    fat-women-porn.shacknet.nu was terminated for abuse as of 2005-11-21….

  2. IncrediBILL Says:

    Inhost is just filthy with spammers, spambots, and all sorts of garbage that I just blocked them a few weeks back, you’ll sleep better.

    As a matter of fact, I posted a bit of stuff I traced from Inhoster just today under “SCRAPER BUSTED #11- Inhoster Scraper Indexed by Yahoo”, way too much to repost here, that I think you’ll find enlightening.

  3. Spamhuntress » Blog Archive » Yet another fake spamcop site Says:

    […] This uses the same redirect script we found at Redirect to Spamcop. […]
