Archive for August, 2006

Comment spam turns to fraud recruitment

Friday, August 25th, 2006

Here’s a comment spam I received today, posted to the post about me deleting my guestbook (a favorite among spammers).

Author: PorellPartners (IP: 193.253.255.51, LNeuilly-152-21-137-51.w193-253.abo.wanadoo.fr)
E-mail: loginsim@cashette.com
URI: http://porellpartnersc.com/contacts/information.php
Whois: http://ws.arin.net/cgi-bin/whois.pl?queryinput=193.253.255.51
Comment:
PorellPartners Company, one of the fastest growing financial group in USA With over six years of specialized experience has openings for courier place. Company was established in 2000 year, currently is based in USA and provides mergers and acquisitions consultation and policy consulting for all clients across the entire range of wealth management and financial services businesses worldwide. We are seeking individuals who are interested in building a profitable and rewarding business with our help and support, while achieving a balanced lifestyle that offers both personal and professional growth. This job, if approached correctly is an opportunity for almost unlimited income potential, and very fast-growing career. And the Job itself is not that hard one may think, on a contrary it as easy as one-two-three, as we already have mentioned our company works with the clients worldwide, many of them deposited their money in our dividends and we are paying them every month, the point is that there are too many clients (more then 45,000) and our managers can not do all job that is why we are hiring the courier as indeed one of the main parts of the company work-chain, and the courier will have responsibility for receiving company funds and dividends and sending them to the company clients and will receive payments from every transfer they did . The PorellPartners is growing and we again need an open-minded people with the ambition to become successful and richer indeed.

Requirements: The ideal candidate has prior experience and familiarity with financial services. You must have excellent organizational as well as customer service skills. Teamwork Skill is a “must”. Bachelor Degree is an advantage.

Best Regards: Chief Manager Jamie Stevens
Web-site: http://porellpartnersc.com/contacts/information.php

Sounds nice, eh?

But if you look just a little bit closer, it all falls apart.

First of all, this sounds a lot like a job ad for being a mule. In the past criminals would have folks in the US receive parcels at their home, then ship them abroad. Problem was, those parcels had been bought with stolen credit cards, or were the result of some other fraud.

I hadn’t heard of the Money Mule, but I’m guessing this is what this scheme is about.

Here’s the whois information. Notice how the domain was registered just a few days ago? That’s a sure sign it’s a fraud. A prestigious company would have had a long established website:

08/25/06 20:18:35 whois porellpartnersc.com

Registrant:
n/a admin@porellpartnersc.com +7.495000000
n/a
n/a
Moscow,RU,RU 112312

Record last updated at 2006-08-17 14:27:53
Record created on 2006/8/17
Record expired on 2007/8/17

Domain servers in listed order:
ns1.viphosting.biz ns2.viphosting.biz

And the IP address is 81.177.37.61, which is on prestige-media.ru. Hardly likely webhosting for a prestigious US company.

A quick search turns up a website that looks like the real website for them. Problem is, that one’s a fake too. It’s down, but the Google cache shows it’s identical to this new one.

08/25/06 20:25:06 whois porellpartnerscompany.com

Administrative Contact:
Petrovitsky, Stepan porellpartners@inbox.ru
Kanatnaya str., 19-31
Krasnoznamensk, Moscow region 142910
Russian Federation
79259988731
Created on: 10-Aug-06
Expires on: 10-Aug-07
Last Updated on: 10-Aug-06

Domain servers in listed order:
NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM

I’ve seen these spammers before too, and their spams are often quite inventive. They often post comment spam that reads as though it was written for e-mail spam: interaction-intensive fraud of different sorts, including Russian girls looking for guys. There’s more, but I won’t get into that just now.

What is search engine spam?

Thursday, August 24th, 2006

There’s a project named Web Spam Test Collections. They’ve got some definitions of what web spam is. Actually, what they’re describing is search engine spam, i.e. spammy directories etc. Useful definitions (of search engine spam), all the same.

To be accurate, web spam is of course much more than what they’re describing here: it also includes the actual spamming of interactive web services such as blogs, forums and guestbooks.

Tricky stuff, these definitions, ey?

Hat tip to Threadwatch for the tip.

Redirect to spamcop

Thursday, August 24th, 2006

I followed a link to a free phpBB forum, from a comment spam I’d received. It had a redirect in the subtitle line, as usual. But this was no ordinary redirect. It was the screwiest type of redirect I’d ever seen.

I managed to deobfuscate it, and saw that it pointed to an IP address: 207.226.162.126 (which answers as fat-women-porn.shacknet.nu, which in turn doesn’t resolve). The document was a php file with some keywords.

Trouble is, that php document spits back a redirect to:

abusecentral.org

It’s a fake spamcop site, on a nearby IP address: 207.226.162.122

Whois:

Domain Name:ABUSECENTRAL.ORG
Created On:18-Apr-2006 03:37:18 UTC
Last Updated On:26-Jul-2006 11:45:40 UTC
Expiration Date:18-Apr-2007 03:37:18 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:DI_2795099
Registrant Name:Dan Bush
Registrant Organization:n/a
Registrant Street1:700 Co Op City Blvd Bronx
Registrant Street2:
Registrant Street3:
Registrant City:New York
Registrant State/Province:New York
Registrant Postal Code:10475
Registrant Country:US
Registrant Phone:+1.7183205492
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: red12@neotwin.com

I poked around some, and that script gives a different result if you come in from a search engine. The abusecentral page is supposed to throw anti-spammers off his scent. The trail seems to end at pharmasearch.name (also on 207.226.162.126).

Whois:

Registrant Organization: Aivar
Registrant Name: Aivars Iltans
Registrant Address: Invu 9
Registrant City: Mexico
Registrant Country: MEXICO
Registrant Postal Code: 23258
Admin ID: 1753557CONTACT-NAME
Admin Organization: Aivar
Admin Name: Aivars Iltans
Admin Address: Invu 9
Admin City: Mexico
Admin Country: MEXICO
Admin Postal Code: 23258
Admin Phone Number: +2.888375498

Registered at EstDomains, and the e-mail address is on a domain that has no DNS.

The affiliate scheme is klik.php at 64.111.210.10.

You can see the size of this operation by downloading the logs off a subdirectory on 207.226.162.126.

—————

The spambot in this case was 85.255.117.253, which has posted other spams since August 22. The user agent was: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

The two most recent spams had this at the end of the body of the comment:

End ^) See you test

That’s curious, since it was also something I found in the files of a spambot (on a hacked site) that did a few revenge spams - on my site, impersonating Michael Pollitt. That time, it had this form:

End ^) See you

Spams with the first variation go back to August 23, while the second variation goes back to the beginning of August. And yes, it’s the same spam script, but a different MO. The payload URLs are different. Could be a different spam campaign, or two spammers.

———

Another whois variation implicated is:

TraffMan
Andris Maupalis (traffman@gmail.com)
Elgavas - 18/25
Riga
,LV2019
LV
Tel. +371.52477618

I found his sites in various ways. Both on 207.226.162.126 and on 69.31.41.84.

There’s a LOT of evidence in those logs, wow!

There’s a tentative link to something I wrote about on Hinter Inc. The range 207.226.162.126-207.226.162.138 contains dynamic-IP subdomains with affiliate-looking redirects to dynamicscripting.com, which overlaps this spammer by one IP address. What’s interesting is that some of the IP numbers also host regular domains, and those do not have affiliate-looking links or redirects, just regular search links. Each redirect also has a different number, so it’s possible it’s a “fake affiliate scheme”.

———-

Spambots:

85.255.117.253 (Inhoster has one of his sites on it, when accessing the IP number)
82.137.209.12
202.155.100.96
210.17.38.206
125.60.204.68

Several of these are in RBL lists for mail spamming.

A site on 85.255.117.253 had this whois:

Hiromax ltd
Hiromax ltd (tech@hiramax.com)
Suite 2, Portland House, Glacis Road
Suite 2
,00000
GI
Tel. +1.3023380662
Fax. +1.3023380662

One of the scripts I found on the spammer’s site had the name Hiromax as the owner of the (redirect) script.

Why free webhosts need to get rid of spammer redirects

Monday, August 21st, 2006

I’ve been talking about the blasted redirects for some time now. They’re not new. This has been going on for a looong time. What was new to me was the use of unauthorized uploads.

But it’s time to focus on free website services and redirects.

Why is that so bad?

Free webservices are generally based on one business idea: Ad revenue.

And that’s not what the spammers are after. They want surfers to see THEIR ads, and nobody else’s. Which breaks the free webservice business model. Which means the services need to break the redirects, and preferably scan their hard drives for websites using those kinds of redirects and boot them off the service.

My latest analysis was alice.it. There’s a javascript file pointed to from xoomer.alice.it/put0/3/, containing convoluted but easy-to-decipher javascript that does the redirect. Not understanding Italian, I couldn’t find a way to notify them. If there are any Italian-speaking people here, could you help? Comment here if you notify alice.it.

Sussing spammers from raw logs

Sunday, August 20th, 2006

Ajay asked me to teach him to figure out spammers based on the logs, like I do.

Well, Ajay, I imagine others want to do that as well, so here’s a post about it.

But I can’t promise you’ll figure it out. It’s got to do with how your brain processes information as well as knowing what to look for.

First of all, you need access to the raw logs. I’m not talking about Latest Visitors, like you’ll find in cpanel. I’m talking about the full raw logs. Preferably going back to the start of the month. And you should save them at the end of each month. Save them to your computer in a zipped or gzipped format (that compresses them to about one tenth of the size).

If you’ve got hosting that allows you ssh (command line interface) access, you can use grep (linux command set) on the raw logs while they’re still on the webhost. If you don’t (most budget webhosting doesn’t allow ssh), then you need to download the logs to your computer.

The best tool I’ve found for dealing with raw logs on a Windows computer is TextHarvest. It’s a free demo app. It’s plenty powerful enough for our purposes, but it also shows how powerful the proprietary paid versions will be for other kinds of tasks.

When I use TextHarvest, I start by unzipping the log file and navigating to it, so it’s my input file. I then make a bookmark for the output file in my browser, and untick the autoview (the app will crash if you autoview several megabytes of log file).

Then, when I receive a comment I suspect to be from a jokester, like that comment from Dima, I find the IP address from the comment and input that in the Keep list. And I’ve found that using \ as the separator instead of / (the default they tell you to use, though any character will work) makes sense, since I often search for user agents as well, and those contain forward slashes.

Press start, and it chugs through the log file.

When I then look at the log output, it contains only the entries made by that IP number, plus possibly entries from others viewing that IP’s user page, if it has made any wiki edits.

What I then look at is whether the pattern is that of a normal user. Does it load any images? Does the browsing history look legit? There are so many things jokesters and spammers do that I won’t detail them here. But YOU need to figure out what a normal browsing history looks like on YOUR website. And if some user deviates from that, what’s the reason? Sometimes normal users don’t have normal browsing patterns either.

When you look at the browsing history, pay attention to the user agents. Spammers sometimes have scripts that change their user agents more or less mid-flight.

Finally, a warning: Don’t be too cocky now that I’ve taught you the basics of checking logs. There’s a LOT more to be learned, and I’ve seen people completely misunderstand the information in front of them. Hopefully I haven’t made too many errors myself. I started reading logs years before I became Spamhuntress, so I had a head start.
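A scripted version of the procedure above, as an added example (it is not the post’s own method or TextHarvest): it filters a Combined Log Format access log down to one IP, the way the Keep list does, and reports the things the post says to look for: whether the visitor ever loaded images, stylesheets or scripts, whether the user agent changed mid-visit, and how many comment POSTs it made. The log lines are constructed and the IPs are documentation addresses; the comment endpoint name is a WordPress convention, not something taken from the post.

```python
import re

# One Combined Log Format line: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A real browser fetches these alongside the page; a posting script usually does not.
ASSET_EXT = (".gif", ".jpg", ".jpeg", ".png", ".ico", ".css", ".js")

# Constructed sample log (not from the post): a browser-like visitor, then a comment spambot.
SAMPLE_LOG = """\
10.0.0.7 - - [20/Aug/2006:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
10.0.0.7 - - [20/Aug/2006:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
10.0.0.7 - - [20/Aug/2006:10:00:02 +0000] "GET /logo.gif HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
10.0.0.7 - - [20/Aug/2006:10:01:30 +0000] "GET /2006/08/guestbook/ HTTP/1.1" 200 7300 "http://example.test/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
192.0.2.99 - - [20/Aug/2006:11:15:00 +0000] "GET /2006/08/guestbook/ HTTP/1.1" 200 7300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.99 - - [20/Aug/2006:11:15:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
192.0.2.99 - - [20/Aug/2006:11:15:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def entries_for_ip(log_text, ip):
    """The parsed equivalent of grep'ing the raw log for one address."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and e["ip"] == ip]

def profile(entries):
    """Summarise one address's visit in the terms the post says to look at."""
    uas = {e["ua"] for e in entries}
    paths = [e["path"].split("?")[0].lower() for e in entries]
    return {
        "hits": len(entries),
        "loads_assets": any(p.endswith(ASSET_EXT) for p in paths),
        "user_agents": len(uas),
        "posts": sum(1 for e in entries if e["method"] == "POST"),
    }

def suspicion_reasons(entries):
    """Plain-language reasons the visit does not look like a person with a browser."""
    p = profile(entries)
    reasons = []
    if p["posts"] and not p["loads_assets"]:
        reasons.append("posted comments but never fetched images/CSS/JS")
    if p["user_agents"] > 1:
        reasons.append("user agent changed between requests from the same IP")
    if p["posts"] > 1:
        reasons.append("several comment POSTs in one visit")
    return reasons

if __name__ == "__main__":
    for ip in ("10.0.0.7", "192.0.2.99"):
        ents = entries_for_ip(SAMPLE_LOG, ip)
        print(ip, profile(ents), suspicion_reasons(ents))
```

As the post says, what counts as normal differs per site, so treat the reasons as prompts to read the full entries, not as a verdict.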

Redirects are all the vogue

Saturday, August 19th, 2006

I’ve been following trails of spammers who’ve been spamvertizing URLs on one of the free forum sites. And while I was doing that, I followed some URLs that didn’t appear to be forums.

What I found was that some (probably more and more) spammers specialize in using redirects. They’ll basically test out any free service to see if they can find a working javascript redirect.

I’ve found four different ways of redirecting from blogspot! And that’s just for starters.

Basically, if you’ve got a free service of any kind, you must disable user-entered javascript. No ifs or buts about it.

And yes, that will probably break some nice designs you’ve got on the service. But it’s either that or getting overrun with spammers. Because they WILL keep changing their scripts to keep ahead of you.

Manila Industries location

Saturday, August 19th, 2006

Manila Industries first came to my attention as a spammer. But later on it’s gotten a lot of folks riled up as an outfit that buys domains people forgot to renew. The domains are then used to earn ad income.

Today, someone left a new edit on the Manila Industries wiki page, adding contact info. I peeked at the logs, and he or she had been thinking about this for close to a week before deciding to add that information.

Here’s the text from the wiki page:

In speaking with someone at Manila Industries named Jill, who thought I was a prospective job candidate for the legal department (with extensive trademark experience, as she requested), I was provided the following contact information.

Jill Johnson
Manila Industries
714-920-9883

60 Palatine 112
Irvine, CA 92612

3845 S Bristol 628
Santa Ana, CA 92704

The Santa Ana address has been seen before in whois info, but the Irvine address is new. I also checked the phone number. It’s (provided the number hasn’t been ported somewhere else) a Nextel phone registered in Anaheim.

I checked satellite images on Google maps and yellow pages listings. The Irvine address is also the location of 24-7 Radiology. There’s a residential area nearby, but I’m not quite sure what the house in question is. Looks a bit scuzzy from orbit ;-) (Eek, that Google thing isn’t completely housebroken. Next time I searched, the arrow was somewhere else. This time it’s inside the nice gated residential area! If I search for the address, it’s the scuzzy area, and if I search for the Radiology place, it’s the nice area). The Santa Ana location has the arrow pointing at a parking lot. But I’m guessing it’s a mall, and there’s a Nextel retailer in the yellow pages with the same address.

SEO hacking cpanel

Monday, August 14th, 2006

There’s a thread on Search Engine Watch puzzling over server side search engine cloaking of an innocent third party’s website (thanks Joe for the tip).

After the conversation had died down, Brian White (who works for Matt Cutts at Google) came around and told them:

“…We’ve discovered that the likely explanation is that a third party gained access to a number of sites and dropped files in these accounts (including a modified .htaccess using rewrite rules) for the purpose of rewriting the home page through a proxy script. The proxy script adds links when Googlebot visits, and in a sinister twist, adds the rel=nofollow link to cap off PageRank bound for any external URL not under control of this third party. As Danny noted, they also add a NOARCHIVE meta tag to disable the cached version in results…”

“…We don’t know how the third party got the files on the webhosts, but cPanel seems to be the common denominator. We’re in touch with some hosts who appear to be affected by this….”

I guess it was bound to happen. Hacking for SEO…
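A check a site owner can run for the symptoms Brian White describes, as an added example (not Google’s or Search Engine Watch’s code): fetch your own home page once as a browser and once claiming to be Googlebot, then report links that only the bot version gets, links that only carry rel=nofollow in the bot version, and a NOARCHIVE robots meta that only the bot version carries. The two HTML documents below are constructed; the `fetch_as` helper is an assumption about how you would obtain real ones, and a proxy script that keys on the visitor’s IP rather than the User-Agent will not be caught by a User-Agent swap alone.

```python
import urllib.request
from html.parser import HTMLParser

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"

class PageFacts(HTMLParser):
    """Collects href -> rel for every <a>, and whether a robots meta says noarchive."""
    def __init__(self):
        super().__init__()
        self.links = {}
        self.noarchive = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and "href" in a:
            self.links[a["href"]] = a.get("rel", "").lower()
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            if "noarchive" in a.get("content", "").lower():
                self.noarchive = True

def page_facts(html):
    p = PageFacts()
    p.feed(html)
    return p

def cloaking_indicators(browser_html, bot_html):
    """Differences that should not exist between what a browser and Googlebot receive."""
    b, g = page_facts(browser_html), page_facts(bot_html)
    return {
        "links_only_for_bot": sorted(set(g.links) - set(b.links)),
        "nofollow_added_for_bot": sorted(
            h for h in b.links
            if "nofollow" in g.links.get(h, "") and "nofollow" not in b.links[h]),
        "noarchive_only_for_bot": g.noarchive and not b.noarchive,
    }

def fetch_as(url, user_agent):
    """Fetch one URL presenting the given User-Agent (needs network; not used by the sample)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")

# Constructed sample: what the owner sees in a browser versus what the proxied page serves Googlebot.
BROWSER_HTML = """<html><head><title>Site</title></head><body>
<a href="/about">About</a> <a href="http://friend.test/">A friend</a></body></html>"""
BOT_HTML = """<html><head><title>Site</title><meta name="robots" content="noarchive"></head><body>
<a href="/about">About</a> <a href="http://friend.test/" rel="nofollow">A friend</a>
<a href="http://spamvertised.test/">injected</a></body></html>"""

if __name__ == "__main__":
    # For a live check: cloaking_indicators(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))
    print(cloaking_indicators(BROWSER_HTML, BOT_HTML))
```

Any non-empty result means the server, not your templates, is altering the page for the crawler, so the next place to look is the account’s .htaccess and any PHP files you did not upload.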

Spammer Bruce Shaw

Monday, August 14th, 2006

I don’t often proclaim someone to be a spammer right out. But this is either a spammer, or he’s been revenge spammed.

Bruce C. Shaw
3765 W 4600 S
Roy, Utah 84067
US
801-731-7648

Why? I just got referrer spam for his website yourbesttrafficsource.com. You know, one of those cleverly worded websites that promises traffic to your website, and doesn’t say a word about what you ACTUALLY have to do to get that traffic. I just have to assume spamming comes into it somewhere, since he has to resort to spamvertizing his site to get that traffic, right?

IP: 65.100.197.196
User agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
- now that is most likely a fake user agent!

Heh, even the IP is from Utah, on Qwest!

And since I was nosing around, I found comment spam from the end of July.

You’ve been a very bad boy, Bruce! Let’s see how Qwest likes having a spammer for a customer.

Disclaimer: Of course, it’s possible Bruce’s neighbor got irritated and referrer spammed his site, but that’s a whole lot of maybes, so let’s see if Qwest agrees it’s him.

Robotcoop ignores copyright

Monday, August 14th, 2006

I just got a referrer from 43people.com. They’re publishing my blog - somewhere else. Yep, I said, my blog. The whole posts. I must have forgotten to bring the copyright infringement notice over from my previous host, because it’s not there. But they obviously haven’t read my copyright notice either (it’s at the top of the right pane on the main page), because it says outright that what they’re doing isn’t allowed.

Some thought went into this, because they have my photo and a short bio as well. It’s like a small website. Now that I don’t like. My website is here, not over there.

So, what to do. I guess I’ll let them grab this post, and then think about blocking.

So, how to block…

Their robot has this user agent:

http://www.robotcoop.com

And the IP number is: 65.61.137.66

And to the one user who’s accessing my site through that service: Sorry, you’ll have to find another aggregator.

Update: So why don’t I like websites syndicating my site, unless I’ve OK’d it in advance? Two reasons: 1) Some of the syndicators are ad driven. I don’t want someone else earning money on my work. 2) You don’t see the comments if you only read the syndicated stuff on another website. This is different from syndication software, that tells you when something’s new, and often gives you a shorter snippet.

Syndication software and websites like bloglines are great, because they enable you to keep up on loads of websites. But I don’t like being syndicated on someone else’s website unless it gives me something valuable in return. Some have gotten my blessing to do it, but those OK’s were usually in place prior to 2006.