Archive for August, 2006

Big push for Leo Kuvayev spam

Saturday, August 5th, 2006

I received spam associated with Leo Kuvayev to two new addresses today. One is a spam trap, and one is a primary address. So one was harvested somewhere (I’ve put it several places on the web), possibly months ago, and the other was harvested from some discussion list, either directly from the server or list, or an archive site.

In other words, Leo and/or his people seem to have added a lot of addresses to their spam lists today. Which means a lot of new people will be inconvenienced with a steady stream of pills spam.

Leo’s spam is instantly recognizable. Its form is variations on a theme. Several names of pills, with the wrong spelling, in several lines. One pill per line, or even one pill broken into several lines. And then some random text at the bottom.

What was unusual this time (I’ve seen a LOT of his spam) is that the link I load (which is the root of the site, with www in front) contains a frame set with an affiliate link. But the frame with this affiliate link loads a subdirectory on the same domain, and there’s nothing on the payment pages that suggests this is actually an affiliate. So I’m wondering if the affiliate link is a scheme. If you land outside of the rather oddly named subdirectory, you end up with a page asking if you want to have your e-mail removed.

BTW, the copyright line at the bottom now reads:

ED Med Choice Online

But the guys at NANAS seem sure it’s Leo, and the method certainly speaks to that as well.

Russian girls

Friday, August 4th, 2006

Lately there’s been an influx of comment spam from Russian girls seeking to date men from other countries. They often complain of not having a credit card, and thus not being able to use a dating site.
I often receive several copies of the same spam, and there are new variations daily. Normally there’s no link, just an e-mail address. And lately that e-mail address has even been munged to avoid being harvested by spambots.
Although there are lots of Russian girls seeking to meet foreign men, you’re more likely to get scammed if you get involved with one of these.

You see, there’s a subculture where men (yes, men) pretend to be Russian women seeking men. They chat up anyone who responds, and after a while announce that they want to visit the man. Problem is, they don’t have enough money for the ticket. So if the man could please send them enough money for the ticket? Or part of the cost.

It’s a scam. Pure and simple. The same type of scam even hit the front pages of Norwegian tabloids, when a Danish magazine investigated a Norwegian scammer who took Danish men for a ride - the exact same scam. The same picture, with different names and locations, had been placed on a dating service, and the respondents were men. Yup, it happens.

I first saw this scam in operation when I saw spam addressed to a defunct address coming through my mail server at work. A girl who said she’d noticed this gentleman online, and was bold enough to e-mail him. I realized this had to be fake. That it HAD to be spam, and checked to see what the scam might be. The news is that now the scammers are moving from e-mail to blogspam. And this is not traditional webspam. It’s aimed at the owners of the blogs, and the visitors of the blog.

So guys, PLEASE delete those messages from your blog, and please don’t fall for the scam!

I was looking for links explaining the scam. Not that easy to find. These seemed relatively clean: Delphi FAQs: Dating Scams, Russian Women Black List. Update: Found this link: Russian Tea Room (thanks Dave, for the link)
And now for the technical stuff. I’ll tackle some of the many spams I’ve received, and see what I can glean from the technical end.

The first spams I received were the work of a Russian-speaking hacker gang. The same gang who offered mail lists they stole from dating sites. And they’ve offered their services for spamming forums etc. It’s their MO, and it was so unique in the beginning, there was just no doubt it was them. I’m guessing they spam for themselves as well as customers. And who knows if the dating spam is for them or customers. No way to know right now.

Back then, and even today, the comments always have the same user agent, and it’s a bot - not a person browsing:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

The IP addresses are from all over. Italy, France, USA, Ukraine, Russia.

The first few messages related to this scam were a few comments with women saying they were photo models (around June 17), with links to websites. I’m guessing that didn’t bring the desired results, so the next permutation was an invitation to a Russian dating site (June 23). Same site, different subdomain (free website service, both pages are now gone). The first message directly from an alleged Russian woman that I noticed was July 11.
Their favorite posting place is this post (it’s currently the estimated most spammed post on my site):

I deleted my guestbook today
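
The signals described in this post (one fixed user agent arriving from many unrelated IPs, an e-mail address instead of a link, sometimes munged, and several copies of the same text) can be combined into a moderation check. The sketch below is an added example, not code from the original post; the function names, thresholds and sample comments are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# User agent quoted in the post. IE 6 on Windows 2000 sends the same string,
# so it counts as one signal and is never sufficient alone.
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
LINK_RE = re.compile(r"https?://|www\.", re.I)
# Plain or munged address: a@b.com, "a at b dot com", "a [at] b [dot] com".
EMAIL_RE = re.compile(
    r"[\w.+-]+\s*(?:@|\(at\)|\[at\]|\bat\b)\s*[\w-]+"
    r"(?:(?:\.|\s*(?:\(dot\)|\[dot\]|\bdot\b)\s*)[\w-]+)+", re.I)

def text_key(body):
    """Body with the address removed and case/punctuation collapsed."""
    return " ".join(re.findall(r"[a-z]+", EMAIL_RE.sub("", body).lower()))

def flag_comments(comments, min_ips=3, min_signals=2):
    """Return {id: [signals]} for comments showing at least min_signals."""
    ua_ips, copies = defaultdict(set), defaultdict(int)
    for c in comments:
        ua_ips[c["ua"]].add(c["ip"])
        copies[text_key(c["body"])] += 1
    flagged = {}
    for c in comments:
        signals = []
        if c["ua"] == BOT_UA and len(ua_ips[BOT_UA]) >= min_ips:
            signals.append("bot_ua_many_ips")
        if EMAIL_RE.search(c["body"]) and not LINK_RE.search(c["body"]):
            signals.append("email_no_link")
        if copies[text_key(c["body"])] > 1:
            signals.append("duplicate_text")
        if len(signals) >= min_signals:
            flagged[c["id"]] = signals
    return flagged

# Constructed sample queue; IPs come from the documentation ranges.
OTHER_UA = "Mozilla/5.0 (constructed non-bot user agent)"
SPAM = "Hello, my name is Olga. I have no credit card for dating site. Write me: "
SAMPLE = [
    {"id": 1, "ip": "192.0.2.10", "ua": BOT_UA, "body": SPAM + "olga77 at example dot com"},
    {"id": 2, "ip": "198.51.100.7", "ua": BOT_UA, "body": SPAM.upper() + "olga78 at example dot com"},
    {"id": 3, "ip": "203.0.113.99", "ua": BOT_UA, "body": "I am Natasha, I want to meet a man abroad. Mail natasha [at] example [dot] org"},
    {"id": 4, "ip": "192.0.2.200", "ua": BOT_UA, "body": "Nice write-up, I saw the same thing on my blog last week."},
    {"id": 5, "ip": "198.51.100.50", "ua": OTHER_UA, "body": "Mail me at bob@example.net if you want the logs."},
]

if __name__ == "__main__":
    for cid, signals in flag_comments(SAMPLE).items():
        print(cid, signals)
```

Comment 4 shares the user agent but nothing else, and comment 5 carries an address but comes from a different client, so neither is flagged; only comments that stack two or more signals are held for moderation.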

Inventive spams

Friday, August 4th, 2006

Comment spammers are getting more and more inventive. The “quality” of the spams has gone up recently. And now it’s so common, the value of warning bloggers overrides the risk of educating spammers:

Any time you receive a comment that seems on topic, or seems personal, you need to check the link included. If it’s spammy or commercial in nature, chances are, it’s spam. Don’t approve it.

Some of the really clued in bloggers have stopped including their link if they write a controversial comment, to avoid being dubbed as spammers (I assume). Especially if commenting on a blog where they’re not regulars.

So guys, be careful out there.

I’ve received questions about my opinion of the events in the Middle East. I’ve also received an offer of moderating my forum. Never mind the “forum” is actually a blog. I’ve received compliments on my blog. On the color scheme, on the navigation. I’ve received complaints about the same thing.

It’s all spam…

Dirty subdomains on popular sites

Wednesday, August 2nd, 2006

Just a week ago, I received a tip about a site that had lots of spammy pages. The root site was a business site that at least in the past had seemed solid. But the spammy pages seemed unrelated, and had also been spamvertized.

While we were looking, the pages disappeared from the site and from Google. I never found out if the site had been hacked or if the spammy pages were there on purpose.

And here’s a related story from May 2006. Syndic8 got “tricked” into accepting and promoting spammy subdomains, with the resulting fallout.

Jeff from Syndic8 wrote a blog post about his stupidity.

I thought it was a good tale, and hopefully will make another webmaster think twice about going down that path.

The ugly truth about Adsense

Wednesday, August 2nd, 2006

Have a look at the first post in this thread on WebProWorld. A lot of good points there.

Living off Adsense will make a webmaster go down a slippery slope pretty quickly!