Fourth fake Spamcop site
I’ve written about a few fake Spamcop sites.
The fourth is abusecenter.org.
It’s on 82.179.172.131, which holds maybe 50 Italian language websites.
I checked one of them, and it had Google websearch results, complete with links to the cache (which has a Google IP). But people won’t see that page, and won’t click on those links (tipping Google off), because human visitors are redirected through a tricky obfuscated JavaScript (not the same script as on the other fake Spamcop sites I’ve seen so far). That JavaScript sends you to
http://js.gbeb.cc/advertizing/?ref=
There’s an even trickier redirect on there, that will spit you out to abusecenter.org if you’re not coming directly from a search engine.
But I’m not going to try coming from a search engine - at least not on this machine. Because I found some Italians talking about a trojan on that IP, and mentioned the site I tried specifically. This was yesterday, and the Babelfish translation isn’t good enough to figure out exactly what they’re complaining about. I did figure out they’re complaining about the search engine spam this group is committing, though.
So, this MIGHT be another spammer, with a similar MO. I haven’t been able to find any throwaways pointing to this version, so I don’t know for sure what’s going on.
Whois:
Domain Name:ABUSECENTER.ORG
Created On:26-Jul-2006 12:28:40 UTC
Last Updated On:26-Jul-2006 12:28:46 UTC
Expiration Date:26-Jul-2007 12:28:40 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Registrant Name:Josef Gehringer
Registrant Organization:none
Registrant Street1:Lexington Avenue 91 47
Registrant City:NEWARK
Registrant State/Province:New Jersey
Registrant Postal Code:07175
Registrant Country:US
Registrant Phone:+1.2012246424
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: admin@abusecenter.org
Name Server:MANAGEDNS1.ESTHOST.COM
Name Server:MANAGEDNS2.ESTHOST.COM
And this one, too, was registered with EstDomains, though the other domains were registered somewhere else. And the IP is from St. Petersburg, Russia.
August 27th, 2006 at 3:37 pm
This operation has to do with some affiliate programmes offering lucrative quotes for infecting vulnerable Italian visitors with diallers. This has been going on for about a year and is one of the reasons a couple of Russians suddenly started registering Italian domains and planted Italian gibberish on their doorway pages.
Anyway, I picked up some Italian domains on this server at random and they all seem to be inactive. Judging by the message, they currently lack a webroot (the reason for the 404 error message), but may become active somewhen in the future as part of a spamrun. The server itself is located in Saint Petersburg and it seems ilca is responsible for the ip connectivity.
Irritating detail: Whois lists Sergey Prasolov as responsible person for this ip range, but a look on his personal page reveals that he stopped working there one year ago. So from that 82.179.160.0/20 looks more than fishy and whether Sergey likes the idea of being bombarded with complaints despite having nothing to do with the administration any more remains to be seen.
Vasily
August 30th, 2006 at 12:37 am
Hey, there has been a lot of discussion at tinkertoys.net about Spamcop’s ShotGun Reporting style and how it picks up innocent URLs from spams that spammers put there on purpose. You think these guys are behind it?
August 30th, 2006 at 3:12 am
Hi Ronnie,
No, I don’t think one has to do with the other. There’s little spill over between webspammers and mailspammers. If anything, there’s a tendency that disenchanted mailspammers make a lateral move to webspamming.
My guess is, what you’re seeing is a purposeful poisoning of spamcop’s RBL. The same has been happening to webspam. Spammers have tried to poison the RBLs we had for that as well.
September 13th, 2006 at 9:37 am
Hi, I wonder if you can help me. I’ve been hearing a lot about the javascript at h*tp://js.gbeb.cc/advertizing. I managed to decode the script, problem is, I just get an IFrame to abusecenter.org and from there it’s a dead end.
You mentioned in your blog that
“There’s an even trickier redirect on there, that will spit you out to abusecenter.org if you’re not coming directly from a search engine.”
How’d you manage to get around it and get the actual javascript code that will lead me to the php exploit?
(Moderator: Unlinked the URL)
September 13th, 2006 at 9:49 am
You’ll need a text browser. Sam Spade (windows program), http://www.wannabrowser.com/ (website), wget (unix/linux command line) are examples of text browsers that don’t present the final results. They show you the code. No matter what, though, PHP will be parsed by the server the code is residing on. But HTML, CSS and javascript don’t get parsed by the server, rather by your browser. So a text browser that displays the source code will show you what’s what.
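Added example (not code from this blog or its commenters): reading a page's source instead of rendering it, as the reply above describes, lets you list what the page would load from other hosts without running any of it. The hostnames and the sample HTML are constructed placeholders, and the list of suspect JavaScript calls is an assumed heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Calls often seen in obfuscated redirect scripts (assumed heuristic list).
SUSPECT_JS = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")

class SourceAudit(HTMLParser):
    """Collect off-site loads and suspicious inline scripts from raw HTML; nothing is executed."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page_host = page_url, urlparse(page_url).hostname
        self.findings, self._inline = [], False

    def _offsite(self, kind, url):
        full = urljoin(self.page_url, url)
        host = urlparse(full).hostname
        if host and host != self.page_host:
            self.findings.append((kind, full))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "frame") and a.get("src"):
            self._offsite(tag, a["src"])
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self._offsite("meta-refresh", m.group(1).strip())
        if tag == "script":
            self._inline = not a.get("src")   # only inline bodies are scanned

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        if self._inline:
            for name in sorted(set(SUSPECT_JS.findall(data))):
                self.findings.append(("inline-js", name))

def audit(page_url, html):
    parser = SourceAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample of a doorway page; every host is a placeholder.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5; url=http://landing.example/">
<script>document.write(unescape('%3Cscript%3E'));</script>
<script src="http://redirector.example/advertizing/?ref="></script>
</head><body><a href="/local.html">risultati</a>
<iframe src="http://landing.example/" width="0" height="0"></iframe></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit("http://doorway.example/index.html", SAMPLE):
        print(kind, detail)
```

This only sees what the server returns to a client that does not execute scripts, so anything the server decides per request (the PHP side mentioned above) stays invisible to it.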
September 14th, 2006 at 4:07 pm
A bunch of spam sites have been trying to hit me that redirect to ABUSECENTRAL.ORG and it’s OFFLINE at the moment.
Wonder if they got shut down?
November 2nd, 2006 at 11:19 am
[…] SpamHuntress reports on fake spamcop sites, which are supposedly sites you can submit complaints about spam to and expect something to be done. Instead, they’re redirecting visitors to other sites, and getting up to various other sorts of no-good. Other articles from her include: […]