Archive for September, 2006

Non-spam weekend, sort of

Saturday, September 30th, 2006

Thought I’d round up some less serious stuff and post:

I’ve been getting some linklove this past week or so, and thought I’d return it. These are the high volume links:

http://shoemoney.com/2006/09/29/5-quick-and-easy-ways-to-stop-blog-spam-before-it-hits-your-blog
http://mattcutts.com/blog/review-google-reader
http://blog.outer-court.com/archive/2006-09-25.html#n44
http://seroundtable.com/archives/006222.html

Also check IncrediBILL’s response to Shoemoney’s post

I wrote some posts on my other blog I wanted to show you guys:

Computer use and back problems
WiFi conflicting with wireless AV

Also, we have a Black Hat defection this week. Esrun has announced that he’s quitting Black Hat, and will be doing more White Hat coding and stuff. Welcome to the light side! Maybe we should have a wiki page with names of defected black hats?

Jensense talks about hackers changing the Adsense ID on other people’s pages. Scary…

How legal is webspam today?

Thursday, September 28th, 2006

We’ve had quite a few webspammers come here and say that webspamming is legal, so we should quit calling them spammers. They’re afraid of the stigma of being called spammers, and because they say it’s legal, they feel we as spam hunters should leave them alone.

So, let’s examine exactly how legal webspamming is.

1) There are no laws against webspamming per se. That is, no law anywhere defines webspamming as illegal.

2) There are plenty of laws against e-mail spamming. In some countries those laws define spam narrowly as e-mail, to the exclusion of other types of electronic advertising, which means they do not cover webspam. Correct me if I’m wrong on this.

3) Some countries have laws that cover e-mail spam but do not limit themselves to e-mail. Those laws cover advertising, sometimes specifically electronic advertising, and may therefore cover webspam too. It depends on the wording of each law, and lawyers would haggle over the finer points. It’s a question of case law, and so far there is none.

4) Spam is by definition unsolicited bulk commercial messaging. Any webspam that involves putting messages or profiles on other people’s property (i.e. their websites) falls under that definition, and by engaging in that activity a webspammer is a spammer. Whether or not it’s illegal per se isn’t really relevant: mail spamming isn’t illegal in every country across the globe, but those who send mail spam are still spammers. In other words, it’s quite acceptable to call a webspammer a spammer. It’s not libel.

5) Webspamming also tends to involve other activities that can be illegal in themselves, or at the very least grounds for civil lawsuits. In no particular order:

*Denial of service. Many servers have been brought down by spambots hammering sites with spam comments or trackbacks, and websites have been suspended or thrown out by their hosting companies for that reason.
*Trashing websites. Guestbooks are regularly trashed by spam, and so are other types of sites with built-in interactivity. Some spambots may mess the site up in other ways too. There’s potential for a civil suit there.
*Some topics commonly spammed are illegal in some places, like bestiality in the US, for instance.
*Hacking into other people’s servers in order to run proxies and spambots, or to plant spammy pages and scripts.
*Using proxies that were never meant to be proxies.
*Using compromised Windows computers, i.e. zombies/botnets.

Please help me add to this list.

Harassment and spam hunters

Wednesday, September 27th, 2006

Someone speaking for the spammers said in a comment on Spamtool gets outed that some spam hunters make threats against spammers or their wives and children. I don’t know whether it’s true, but I still have to address the principle.

Do NOT attack spammers in any way! We’re not posting their information so you can contact them and demean them. That’s not the point.

The point is establishing a history, so that when they do something illegal, either by escalating what they’re doing (using zombies, hacking) or when webspamming itself becomes illegal, we have a trail on them.

About harassment and threats

Simply put, if spam hunters attack spammers via threats or violence, then those spam hunters are more miserable beings than the spammers.

It’s illegal, and I’ll show you how:

Most states have harassment laws. They’re often called cyberstalking laws, but in reality they cover a sliding scale starting from single incidents of harassment. A phone call where you call a spammer names is harassment in my opinion, and if you keep calling it’s stalking in many states. If you threaten them, you’ve just sealed the deal. Some states include intent as an element of the offense, meaning that for it to be harassment or stalking there has to be intent. That will not be hard to prove in the case of a spam hunter trying to intimidate a spammer.

So don’t go there. The aim is to get the spammer in jail, eventually. If I see a spam hunter arrested for harassment or worse, I’m outing that spam hunter. Wall of shame, whatever. Do NOT go there!

As a rule I don’t get angry over spamming. But right now I’m feeling the blood boiling. Harassment and stalking are such low tactics. If you feel the need to do something like that, go get help! It’s a sign of either a personality disorder or a very shaky sense of self. It’s like a playground bully who has to demean others to feel good about himself. We’re grown-ups, so act like one!

Fixing hacked sites

Tuesday, September 26th, 2006

There have been a lot of hacked sites lately: sites hacked by or for spammers, who use other people’s websites to serve up their spammy content.

The websites may have been hacked using many different techniques, so I won’t get into ways they could have been hacked here.

However, I’ll cover what you need to do. Maybe others can think of other things you should do as well (comments).

First of all, look over the site. Look for php files that shouldn’t be there. It’s helpful to have a fairly recent backup to compare with. Download and save (via ftp, a control panel or a file explorer) the php files you don’t recognize. I’d love to see samples of the php files too, in order to track the spammers through the code, if you’re OK with that.
Notify your webhost. Ask them whether the hackers may have used a hack that compromised other websites on the same server. Some hacks are “per site”, others are per server.

There are different techniques used by spammers when they hack sites. Some use php files, some use ordinary html files. Download and save any files uploaded by the spammers, then remove them. Also be aware that one site owner reported that the spammers had deleted several thousand images to make room for their spammy files.

Erase ALL files from the website, if possible. If not, remove the files you don’t recognize. Reload the files from a backup. Leave the databases as they are; we haven’t seen any cases of altered databases so far. If you use php scripts on your site, be sure to upgrade to the newest version while restoring the site, since old php scripts may be what got you hacked. Also review any problematic security settings on your host pertaining to your scripts.
Check the .htaccess file for code that shouldn’t be there. Here’s one example for reference.

Change all passwords.

Download the raw logs and store them if possible.
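The first two steps above (compare the live site with a backup, save the intruder’s files before removing anything) are the kind of thing a small script does more reliably than eyeballing an ftp listing. The following is an added example, not a tool from this post or from any hosting company: it walks a known-good backup tree and the live web root, reports files that exist only on the live site, files whose contents changed (such as an edited .htaccess), and files that vanished (as with the deleted images mentioned above), and copies the suspect files aside rather than deleting them. The script extensions it prioritises and the sample trees it builds for the demo are assumptions of the example.

```python
"""Triage a hacked web root by comparing it against a known-good backup.

Added example (not from the original post): report files that exist only
in the live tree (likely uploaded by the intruder), files whose content
changed (possibly injected redirects), and files that disappeared. Nothing
is deleted; suspect files are copied aside so the samples survive cleanup.
"""
import hashlib
import os
import shutil
import tempfile

# Server-side executable extensions; new files with these get looked at
# first. This is an assumed list, not something from the original post.
SCRIPT_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".cgi", ".pl"}


def _digest(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Map relative path -> digest for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = _digest(full)
    return out


def compare_trees(backup_dir, live_dir):
    """Classify every file as added, modified or missing relative to the backup."""
    backup = _walk(backup_dir)
    live = _walk(live_dir)
    added = sorted(p for p in live if p not in backup)
    missing = sorted(p for p in backup if p not in live)
    modified = sorted(p for p in live if p in backup and live[p] != backup[p])
    # .htaccess and any new or changed server-side script go to the top of the list
    suspect = sorted(p for p in added + modified
                     if os.path.splitext(p)[1].lower() in SCRIPT_EXT
                     or os.path.basename(p) == ".htaccess")
    return {"added": added, "modified": modified, "missing": missing, "suspect": suspect}


def quarantine(live_dir, rel_paths, dest_dir):
    """Copy (never move) the suspect files aside, keeping their relative paths."""
    saved = []
    for rel in rel_paths:
        src = os.path.join(live_dir, rel)
        dst = os.path.join(dest_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        saved.append(dst)
    return saved


def run_demo():
    """Build a constructed backup/live pair (sample data, not a real site) and audit it."""
    tmp = tempfile.mkdtemp()
    backup = os.path.join(tmp, "backup")
    live = os.path.join(tmp, "live")
    files = {  # the clean site, identical in backup and live
        "index.php": "<?php echo 'hello'; ?>\n",
        ".htaccess": "Options -Indexes\n",
        "images/logo.gif": "GIF89a",
        "images/banner.gif": "GIF89a",
    }
    for root in (backup, live):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
    # Simulate the intrusion on the live copy only (constructed, placeholder domain).
    with open(os.path.join(live, "images", "x1.php"), "w") as f:
        f.write("<?php header('Location: http://spam.example/'); ?>\n")
    with open(os.path.join(live, ".htaccess"), "a") as f:
        f.write("RewriteEngine On\n")
    os.remove(os.path.join(live, "images", "banner.gif"))
    report = compare_trees(backup, live)
    report["saved"] = quarantine(live, report["suspect"], os.path.join(tmp, "evidence"))
    return report


if __name__ == "__main__":
    r = run_demo()
    for key in ("added", "modified", "missing", "suspect"):
        print(key, r[key])
```

Point compare_trees at your own backup and a fresh download of the live site; the "suspect" list is what to hand over (and keep) before you wipe and restore.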

Spamtool gets outed

Monday, September 25th, 2006

Village-idiot saw a new referrer in her log and followed the link, only to find a trackback spamming tool - spamming as she loaded the page.

She’s hoping to get the website shut down, but the site is on Layeredtech, and so far they’ve been ignoring her pleas, despite her posting on alt.spam and digg and reaching out in various ways.

Now, with the recent wave of hackings you’d think the website had been hacked. But the owner of the spamming site is also the owner of the spamvertised site (lendingtreecenter.com), so you’d most likely be wrong.

The whois for affiology.com, where the script is located, is sort of obfuscated:

syarief, agung netspions@hotmail.com
Somewhere in US
Cali, California 10101
United States
(210) 101-0101 Fax –

But some comment spam from January 2005 carries his name and the domain extra-long.com (no extra points for guessing what it’s about), with this whois:

registrant-firstname: Agung
registrant-lastname: Syarief
registrant-street1: 2700 S Azusa
registrant-street2: Apt 261
registrant-pcode: 91792
registrant-state: CA
registrant-city: West Covina
registrant-ccode: US
registrant-phone: +1.6262894155
registrant-email: asyarief@gmail.com

(That phone number may or may not be his. I found a listing for someone else at that number)

And, interestingly enough, all his websites found so far are at 72.232.76.73.

Agung, you want to explain this?

Cpanel flaw used for malware redirects

Sunday, September 24th, 2006

According to Netcraft, HostGator’s servers were compromised through a 0-day cpanel exploit. Injected iframes redirected visitors to a site serving up VML exploits to unlucky surfers.

Hostgator says they’ve fixed it, and there’s a fix on cpanel’s website. But any webhost that hasn’t patched cpanel and has an account under the control of a bad guy with the exploit is a sitting duck.

Customer reviews targeted

Friday, September 22nd, 2006

Spammers blast their spam at any web form they can find, now including customer reviews.

Example: Barclaymaps

Disgusting…

VML patch out

Friday, September 22nd, 2006

There’s a new vulnerability in Windows that Microsoft isn’t going to patch until October 10. In the meantime, Webattacker is pushing out exploits for it.

The vulnerability is in Internet Explorer. If you’re using Firefox, you’re safe from that particular vulnerability.

But how many of us have friends, co-workers and family who insist on using Internet Explorer because it’s familiar?

ZERT has released a patch for the vulnerability, according to Eweek. It also mentions that Gadi Evron, bothunter extraordinaire, is operations manager for ZERT.

Andrey Kanevsky

Friday, September 22nd, 2006

The hackings have started up again. I’ve found files dated September 18, and spam comments from today.

I’ve followed one trail “home”. It ends up here:

Best Line, Inc.          admin@americaru.com
Kanevsky, Andrey
267 McClean Ave., Side apt.
Staten Island, NY 10305
US
718-521-4842  Fax:

I’ll explain how I got there.

The hacked file I found on a British web services firm had a redirect going to mx-medicl.com. That domain had a whois which included the e-mail address enot_terra@yahoo.com. That address was created in 2001, and it can be found all over the web as the contact for the writer of those typical free articles used for anything under the sun. The author was Kevin Whales.

The domains he says he owns while writing those articles have whois records saying they belong to Andrey Kaminsky. He also writes the same type of articles, even on the same topics. He even has his own website for articles on VoIP.

There’s also a link to Asiawood. That domain was connected to several of the hackings I ascribed to him.

I don’t know if they’re hacking as a team, if one is piggy-backing on the other’s work, or how this actually happens. But what I do know is that mx-medicl.com is getting traffic through illegal means.

hacked .htaccess

Thursday, September 21st, 2006

The owner of a hacked website sent me information on the hacktool (more on that later, maybe) used to turn his website into a spammy one, without his knowledge.

I downloaded his .htaccess file, and found the following code:

htaccess

Basically, it redirects visitors to the bad site if they arrive from any of the listed search engines.

Please check your .htaccess file for foreign code!
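To make that check less of a guessing game, here is an added example (not the .htaccess from this post, which is shown above only as an image) of the pattern to look for and a small scanner for it: a run of RewriteCond lines on %{HTTP_REFERER} naming search engines, followed by a RewriteRule whose target is an absolute URL on another host, plus plain Redirect lines pointing off-site. The sample .htaccess embedded below is constructed, the domains in it are placeholders, and the list of search-engine names is an assumption of the example.

```python
"""Scan an Apache .htaccess for referrer-based redirects to other hosts.

Added example, not the .htaccess from the original post: flags a
RewriteRule that sends visitors off-site when the preceding RewriteConds
match search-engine referrers, and also flat Redirect/RedirectMatch lines
whose target is another host. Sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Search-engine names to look for in the referrer conditions (assumed list).
ENGINES = ("google", "yahoo", "msn", "live", "aol", "ask", "altavista", "alltheweb")

# Constructed sample: the first rule is the spammer's trick, the second is a
# legitimate internal redirect, the third is a flat off-site Redirect.
SAMPLE_HTACCESS = """\
Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.* [NC]
RewriteRule .* http://pills.example/in.php?ref=$1 [R,L]
RewriteCond %{REQUEST_URI} ^/old/
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
Redirect /promo http://bad.example/landing
"""


def _external(target, own_hosts):
    """True if target is an absolute URL whose host is not one of ours."""
    u = urlparse(target)
    return bool(u.scheme) and u.netloc.lower() not in own_hosts


def scan_htaccess(text, own_hosts=()):
    """Return findings as (line_no, reason, line) tuples."""
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # RewriteConds seen since the last RewriteRule (they apply to it)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))  # (TestString, CondPattern)
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            ref_conds = [pat for var, pat in pending if "HTTP_REFERER" in var.upper()]
            engine_hit = any(e in pat.lower() for pat in ref_conds for e in ENGINES)
            if engine_hit and _external(target, own):
                findings.append((no, "search-engine referrer redirected off-site", line))
            elif _external(target, own):
                findings.append((no, "rewrite to external host", line))
            pending = []  # conditions only apply to the next RewriteRule
        elif directive in ("redirect", "redirectmatch", "redirectpermanent") and len(parts) >= 3:
            target = parts[-1]  # Redirect [status] path URL
            if _external(target, own):
                findings.append((no, "%s to external host" % parts[0], line))
    return findings


def demo():
    """Run the scanner over the constructed sample, treating www.victim.example as our host."""
    return scan_htaccess(SAMPLE_HTACCESS, own_hosts=("www.victim.example",))


if __name__ == "__main__":
    for no, reason, line in demo():
        print("line %d: %s: %s" % (no, reason, line))
```

Pass your own hostnames in own_hosts so legitimate redirects to your own site are not flagged; anything it reports that you did not put there yourself is the foreign code the post is warning about.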