Fighting spam is a full time job
Wednesday, September 13th, 2006
The quote is from a comment on the Block Snoopy post.
I’ve heard large websites have to spend a considerable amount of time fighting comment spam.
Anyone with war stories to tell?
A long time ago, I got a theoretical lesson in culture clash: how different cultures relate to, and treat, other cultures. One culture in particular was singled out. I’ll leave out the details, as what I was told was confidential.
Men from one culture were often employed under bosses from another culture. They were cheap, but not unskilled, labor. While stealing wasn’t an act of honor within that culture, it was considered honorable when they stole from the westerners. Not directly from their bosses, but little things that wouldn’t get missed immediately. Things that passed under their noses. In that culture, there was, as far as I can tell, a deep-seated animosity against westerners, or rather against what they considered wealthy westerners.
Similar to other cultures meeting, where one has more than the other, or one is oppressing the other.
If you check the recent discussion here between Russian spammers and western anti-spammers, you’ll see the exact same sentiments.
Just like the cheap laborer had no way of knowing if the people they actually stole from were wealthy or not, Russian spammers have no way of knowing, and no interest in finding out, if the victims of their spamming can actually afford the ultimate results of their spamming.
I was reviewing some .htaccess blocks and realized I’d blocked several IP numbers in these two ranges:
195.225.176.
195.225.177.
I’ve currently got one Italian-language (but actually Russian) spammer who keeps switching IP numbers within those ranges.
So, better to just block those two ranges altogether (together they make up 195.225.176.0/23). Since the block belongs to a webhosting company, I don’t see it blocking legitimate surfers. I guess you can live without trackbacks from blogs hosted on Netcathosting, right?
I’ve been seeing a lot of KLIK Media GmbH as registrar (or rather, registration service under PublicDomainRegistry) lately. Always spammy domains. So I thought I’d check if there was a connection between the registrar and the KlikVip PPC program.
Yep, it’s one and the same.
The whois on, for instance, KLIKVIP.com is fake (it says the company is in Victoria, SC). The company is actually in Germany:
KLIK Media GmbH
Alt-Karow 3
13125 Berlin
+49.3094413291
But the owner also speaks Russian.
So, the PPC company is also serving as registrar for its spammers.
Looks like Scrimak knows we’re investigating him. He changed whois on at least two domains since yesterday. Right now he’s sporting this e-mail address: spmhuntress@mail.ru
You can see the whois progression on the Wiki page about Scrimak.
I guess we’ll find out if he’ll stop hacking or not.
I’ve received copies of what appear to be files placed on a website without the owner’s knowledge. Presumably the site was hacked.
The spammer was Asiawood.
The code looks encrypted to me, so I’ll need some help in deciphering what it does.
Any takers?
Update: I’ve confirmed hacking from Scrimak as well. And I have code samples. There’s also a possible third and fourth hacker. Either that or the same spammers, different MO.
Several people have had a look at the code. One described it as quite sloppy. The spammer is using the PHP files to pull in files from his own site. The location of that remote file stays invisible until you figure out the code, which you can only do by looking at the raw source. Since webhosts don’t log outgoing connections, there are no signs in the logs except for the requests made by visitors; you’d catch it by looking at which files were requested.
One site owner compared what he found on the server with the files he had in his backup. He found that even the root index.php had been altered. Some sites have alien files added in several directories, usually pre-existing directories.
I found two sites that looked like a default index page, except that they had spammy links on them (probably added by the owner of the site, since the domain name was spammy). Those sites had also been hacked, serving up files belonging to someone else!
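The backup comparison described above can be done mechanically. The following is an added example, not code from the original post or from any of the sites it mentions: it hashes every file under a clean backup and under the live web root, reports files that were added, modified or removed, and then scans the added or modified PHP files for the constructs typically found in dropper and doorway scripts (eval, base64_decode, gzinflate, and includes or fetches of an http:// URL). The sample trees it builds are constructed here for illustration, and the list of suspicious constructs is my own assumption about what such scripts contain, not something the post documents.

```python
"""Diff a live web root against a clean backup and flag suspicious PHP.

Added example, not code from the original post. The sample trees and the
list of suspicious constructs are assumptions made for illustration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructs commonly seen in injected PHP (assumption, not from the post).
SUSPICIOUS = [
    ("eval", re.compile(rb"\beval\s*\(")),
    ("base64_decode", re.compile(rb"\bbase64_decode\s*\(")),
    ("gzinflate", re.compile(rb"\bgzinflate\s*\(")),
    ("str_rot13", re.compile(rb"\bstr_rot13\s*\(")),
    # include/require/file_get_contents/fopen/curl_init pointed at a remote URL
    ("remote_fetch", re.compile(
        rb"\b(?:file_get_contents|include(?:_once)?|require(?:_once)?|fopen|curl_init)"
        rb"\s*\(?\s*['\"]https?://")),
]

def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(backup, live):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(live) - set(backup))
    removed = sorted(set(backup) - set(live))
    modified = sorted(p for p in set(live) & set(backup) if live[p] != backup[p])
    return added, modified, removed

def suspicious_constructs(data):
    """Names of the suspicious constructs present in a file body, in list order."""
    return [name for name, rx in SUSPICIOUS if rx.search(data)]

def audit(backup_root, live_root):
    """Diff live tree vs backup and scan every added or modified PHP file."""
    added, modified, removed = diff_snapshots(snapshot(backup_root), snapshot(live_root))
    findings = {}
    for rel in added + modified:
        if rel.lower().endswith((".php", ".phtml", ".php5")):
            hits = suspicious_constructs(Path(live_root, rel).read_bytes())
            if hits:
                findings[rel] = hits
    return {"added": added, "modified": modified, "removed": removed, "findings": findings}

def build_demo(base):
    """Construct a tiny backup and live tree (sample data, not real sites)."""
    base = Path(base)
    clean_index = b"<?php\necho 'Welcome';\n"
    tampered_index = b"<?php\necho 'Welcome';\neval(base64_decode('aGVsbG8='));\n"
    dropper = (b"<?php\n// pulls the real payload from the spammer's host\n"
               b"echo file_get_contents('http://example.invalid/feed.php?q='.$_GET['q']);\n")
    trees = {
        "backup": {"index.php": clean_index, "about.html": b"<p>hi</p>"},
        "live": {"index.php": tampered_index, "about.html": b"<p>hi</p>",
                 "contact/read.php": dropper},
    }
    for sub, files in trees.items():
        for rel, data in files.items():
            p = base / sub / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    return base / "backup", base / "live"

def run_demo():
    """Build the sample trees in a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = build_demo(tmp)
        return audit(backup, live)

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Anything listed under `added` that you did not upload yourself is the first thing to pull from the access log: since the host does not log the outgoing connection, the requests for those paths (with the spammer's keywords attached) are the only trace you will find there.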
I’m beginning to wonder if there’s a connection here.
I’ve so far found three sites hosted on Vizaweb that have files on them used by one particular spammer. One I’ve termed Asiawood, and described briefly before.
Two sites with read.php in subdirectories. Modified or uploaded just days ago:
wbpresbyterian.org
coasterdom.com (Update: Confirmed alien code not placed by site admin)
And one with a wp-read.php file:
paulinekilar.com
I’ve been unable to find any other wp-read.php files (so far), and none other spamvertized in Google.
So, what’s going on? Hacking? Deal made with the hosting company? Deal made with their customers?
Vizaweb has been hacked before, as have many other hosting companies. And we’ve had a recent slew of cpanel hackings. They have both cpanel and Fantastico on Vizaweb. If cpanel hasn’t been patched, I guess it’s possible? We’ve had some Turkish hackers spreading their propaganda, but a spammer would be better served with a less noticeable hack?
Just speculating here…
Update: I’ve since found the same spammer on other hosting companies. Two more seemingly hacked sites. One had three files used in spamming. Different file names, same spammer.
Disclaimer: I don’t know for sure that this is cross scripting. Could be done some other way. I’m just guessing, OK?
———
Update: I checked with someone who’s seen a lot of …stuff.
He says one of the cases (probably by another spammer than the one I wrote about in the rest of this post) I showed him had to have been done by using a redirect in .htaccess, and a script.
The URL in question was:
http://www.blogshub.com/help/1/didrex-online-rx.html
That URL is broken, because the spammer’s site no longer contains those files. It was rigged to call
http://www.blogshub.com/help/1/script.php
And no matter what file name you came in with, the script would send you to the corresponding file on ebestdrugs.com.
My source thinks the site owner made a deal with the spammer, while my hypothesis was that the site was hacked. Basically, we can’t tell from the outside.
———
I found a read.php script that appears to have been cross scripted. I tried a random keyword, and it returned the same spam as with the URLs I found in Google (the owner of the site has been notified).
The script returned a redirect on this site: t3search.net
That then sent back a file from this site: search-vip.net
The whois info seems fake, but contains this e-mail address: scrimak@mail.ru
Abates already had a story on that spammer.
I took the time to read the Russian traces the spammer had left behind. Turns out he sells doorway scripts and “spamilki”. In other words, spamming scripts. And his first name is Dimas, according to his ICQ page: 227922772
Payoff links are klik.php at 64.111.210.10
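The two cases above (the .htaccess-plus-script setup that sends any file name on to ebestdrugs.com, and the read.php that bounces through t3search.net to search-vip.net) are both redirect chains, and the useful check is to walk them one hop at a time rather than letting a browser or a client library follow them silently. The following is an added example, not code from the original post: a tracer that takes a fetch function as a parameter so it runs offline here, recognises HTTP 3xx Location headers, `<meta http-equiv="refresh">` and JavaScript `location=` assignments, caps the number of hops, stops on loops, and compares a script's behaviour with and without a keyword attached. The placeholder host `hacked.example`, the `q` parameter name, the paths and the response bodies are constructed for the example; only the t3search.net and search-vip.net host names come from the post.

```python
"""Walk a redirect chain hop by hop without trusting any hop.

Added example, not code from the original post. fetch(url) is injected so the
tracer runs offline; SAMPLE_RESPONSES is constructed data, not captured traffic.
"""
import re
from urllib.parse import urljoin, urlparse

META_REFRESH = re.compile(
    rb"<meta[^>]+http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*content\s*=\s*['\"]\s*\d+\s*;\s*url=([^'\">\s]+)",
    re.I)
# Catches location = '...', window.location.href = '...' etc.
# Does not catch location.replace('...'); extend if you meet that form.
JS_LOCATION = re.compile(
    rb"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)

def next_hop(url, status, headers, body):
    """URL the response sends the client to, or None if it stays put.
    Order: HTTP 3xx Location, then <meta refresh>, then a JS location assignment."""
    if 300 <= status < 400:
        loc = {k.lower(): v for k, v in headers.items()}.get("location")
        if loc:
            return urljoin(url, loc)
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(url, m.group(1).decode("latin-1")) if m else None

def trace(url, fetch, max_hops=10):
    """Follow redirects one hop at a time. fetch(url) -> (status, headers, body).
    Returns the ordered hop list, the final URL, the hosts touched, and why it stopped."""
    chain, seen, reason = [url], {url}, "landed"
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            break
        if nxt in seen:
            reason = "loop"
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    else:
        reason = "max_hops"
    return {"chain": chain, "final": chain[-1], "reason": reason,
            "hosts": [urlparse(u).netloc for u in chain]}

def keyword_triggered(script_url, keyword, fetch, param="q"):
    """True if the script only redirects when a keyword is attached.
    The parameter name is an assumption; the post only says keywords are 'attached'."""
    plain = trace(script_url, fetch)
    keyed = trace(f"{script_url}?{param}={keyword}", fetch)
    return len(plain["chain"]) == 1 and len(keyed["chain"]) > 1, keyed

# Constructed sample traffic. The hacked site answers normally without a
# keyword and bounces to the spammer's hosts with one.
SAMPLE_RESPONSES = {
    "http://hacked.example/read.php":
        (200, {"Content-Type": "text/html"}, b"<html><body>Nothing here</body></html>"),
    "http://hacked.example/read.php?q=didrex":
        (302, {"Location": "http://t3search.net/go.php?q=didrex"}, b""),
    "http://t3search.net/go.php?q=didrex":
        (200, {"Content-Type": "text/html"},
         b'<html><head><meta http-equiv="refresh" content="0;url=http://search-vip.net/?q=didrex">'
         b"</head></html>"),
    "http://search-vip.net/?q=didrex":
        (200, {"Content-Type": "text/html"},
         b"<html><body><script>window.location='http://search-vip.net/land.html'</script></body></html>"),
    "http://search-vip.net/land.html":
        (200, {}, b"<html><body>pills</body></html>"),
    # A two-node loop, to show the tracer giving up instead of spinning.
    "http://loop.example/a": (302, {"Location": "/b"}, b""),
    "http://loop.example/b": (302, {"Location": "/a"}, b""),
}

def sample_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs behave like a 404."""
    return SAMPLE_RESPONSES.get(url, (404, {}, b""))

if __name__ == "__main__":
    hit, result = keyword_triggered("http://hacked.example/read.php", "didrex", sample_fetch)
    print("keyword-gated redirect:", hit)
    for hop in result["chain"]:
        print("  ->", hop)
    print("stopped because:", result["reason"])
```

For live use, swap `sample_fetch` for a client that does not auto-follow redirects (with `urllib.request`, install a `HTTPRedirectHandler` subclass whose `redirect_request` returns `None`, so each 3xx comes back to you as a response) and send a browser-like User-Agent; scripts of this kind often serve the plain page to anything that looks like a crawler, which is exactly why the with-keyword and without-keyword comparison is worth running.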
The website of the Western Boulevard Presbyterian Church in Raleigh, has what appears to be a rogue file on their website
A file that was uploaded September 4, 2006:
http://wbpresbyterian.org/contact/read.php
I’ve received several pieces of comment spam referencing that file and certain keywords. When those keywords are attached, the file serves as a spammy redirect.
There’s no e-mail address available to notify the church, so I called them. Twice. The office administrator hung up on me. Twice. I have no idea what to think, except at the very least, her handling of the situation was very rude. I managed to explain the situation roughly, but didn’t get far enough to tell her what the file was.
I wasn’t planning on making this public, but the behavior I encountered was bizarre enough, I just have to get some answers.
Did she think I was crank calling? Did she know about it already? If so, why’s the file still there?
And did the spammers hack their site?
Here’s what I know about the spammers:
The spammers are using proxies instead of spambots.
The javascript redirect goes through this site:
more777.info
And it redirects to bettingcasinosite.com. Both sites have basically the same whois:
Registrant:
N/A
Michael (info@asiawood.ru)
Lenina, 6
Kurgan
null,640000
RU
Tel. +7.9128351001
Creation Date: 12-Aug-2006
Expiration Date: 12-Aug-2007
Domain servers in listed order:
ns2.bettingcasinosite.com
ns1.bettingcasinosite.com
I found that e-mail address elsewhere on the net. Translated with Babelfish from http://wood.yondi.ru/inner_id_60400_c_firms_page_4.phtm
Export of construction lumber to the countries of Asia. Type of activity: wholesale trade. Price list. Address: 640022, Kurgan region, Kurgan, Polovinskaya ul., 10a. Tel: (3522) 578302, fax: (3522) 578344, e-mail: info@asiawood.ru
The payoff links are go.php on 66.230.172.114
——–
Update: I found several sites with read.php used for spammy redirect. And a mention of a version of Phorum being vulnerable to cross site scripting. That might be what happened to that church - except what was that file doing there in the first place? It didn’t appear to be in use. So how was it found?
A comment spam contained a redirect URL that eventually led to a page on the search-4-pills.com site.
I accessed the root site, and found this meta code:

That looked suspicious, so I checked around some.
The side panels also include links with that affiliate code in them. But those only go back to the same site. However, the payoff links are to klik.php on 64.111.210.10.
So, I guess the game is deniability. When someone complains about their spamming, they’ll tell their webhost that no, they don’t spam. It was one of their affiliates who spammed!
Problem is, I believe this is a ploy. The real affiliate links are the klik.php ones, and the typical affiliate links on the site are put there to throw off anti-spammers and the webhost.
So complain away, if you get spam that ends up on one of their sites.
Here’s whois and IP:
09/07/06 14:33:41 whois search-4-pills.com
208.66.194.130
Registrant Contact:
izaak Inc
tanney stern enos@search-4-pills.com
1000910598 fax: 1000496838
Suite 653
Fort Wayne Fort Wayne 1360
GB
DNS:
ns3.cnmsn.com
ns4.cnmsn.com
Created: 2006-06-05
Expires: 2007-06-05
That IP also contains two other sites:
09/07/06 14:39:21 whois YOURBESTPILLS.COM
Registrant Contact:
waverley Inc
talbert vaughn nicholas@yourbestpills.com
1000443914 fax: 1000107590
Suite 496
Portland Portland 4319
GB
Created: 2006-05-17
Expires: 2007-05-17
09/07/06 14:40:56 whois CHOSENMEDS.COM
Registrant Contact:
olav Inc
tom emmit wheeler@chosenmeds.com
1000566354 fax: 1000144511
Suite 986
Kurgan Kurgan 4383
GB
Created: 2006-05-17
Expires: 2007-05-17
And a third used to be on there. It currently doesn’t resolve:
09/07/06 14:41:51 whois REDIRFEED.COM
Registrant Contact:
darnell Inc
lyle emmanuel xenos@redirfeed.com
1000125582 fax: 1000094719
Suite 150
Libreville Libreville 1544
GB
DNS:
ns3.cnmsn.com
ns4.cnmsn.com
Created: 2006-03-22
Expires: 2007-03-22
That site had the same code, according to the Google cache. The affiliate number was different, but otherwise, it’s the same type of site.
And they have an image at the bottom with this text:
Copyright 2006
Online Pharmacy Catalog
All rights reserved