Spamhuntress

I’ve gotten loads of spamvertized porn subdomains on the domain allbestsmovies.org.

So I decided to check it out. Does it belong to the spammers, or is it a free service?

First test, the whois, looks fake to me. Looking up addresses and phone numbers in Israel (it’s Iceland, and utterly fake):

Created On:22-Jun-2006 14:24:06 UTC
Last Updated On:26-Sep-2006 15:35:24 UTC
Expiration Date:22-Jun-2007 14:24:06 UTC
Registrant Organization:Shpil
Registrant Street1:Enlike str. 387
Registrant State/Province:0
Registrant Postal Code:g89614
Registrant Country:IS
Registrant Phone:+2.95528646
Registrant FAX Ext.:
Registrant Email: gavr@poshlina.com

Nex test, the home page. This one has the usual sign up for free website. Problem is, you can’t sign up, because the register link goes to a nonexistent page! Every page connected to the free service goes to nonexistent pages.

In fact, some of the text has been scraped from Free Web Hosting, with a few words changed (search box on the right instead of left). Even the favicon has been lifted from that site!

But there are lots of links on the right, labeled either Help Pages or Friend. All of them are porn pages.

So to me this looks like a spammer run fake free webhost!

———–

Update:

This spammer likes preceding his spam with this phrase: PReved krosavcheg!
I searched for it, and found an explanation for the phrase on a livejournal:

“PREVED is a sacred word, used by ancient Russian warriors when meeting the enemy face-to-face. The worst cussword ever in ancient Russia was KROSAVCHEG. Thus, if smb says “PREVED, KROSAVCHEG” you’re likely to get your head beat.”

Judging from the fits of laughter from the Russian spammers, the phrase means something else… Jenny (from Moldovia) has an explanation, if you look in the comments below.
So I searched for more spam with that wording, and found another probably fake free webhost: keymit.org

203.174.83.55
created On:14-Jul-2006 12:13:10 UTC
Last Updated On:26-Sep-2006 15:32:59 UTC
Expiration Date:14-Jul-2007 12:13:10 UTC
Sponsoring Registrar:Direct Information PVT Ltd dba PublicDomainRegistry.com (R27-LROR)
Status:OK
Registrant ID:DI_3355421
Registrant Name:Maxxx
Registrant Organization:Home
Registrant Street1:Panin str.58
Registrant Street2:
Registrant Street3:
Registrant City:Gavay
Registrant State/Province:
Registrant Postal Code:5h4f8s
Registrant Country:BS
Registrant Phone:+5.65534883
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: maxxx@ampid.org
Name Server:NS1.UVILO.COM
Name Server:NS2.UVILO.COM

And this time I noticed something in the source code (and I’ve munged it slightly):

LINK REL=”SHORTCUT ICON” xhref= http://www.free-webhosts.com/favicon.ico

This time the links on the right are for various pills.

The redirect script (separate script named redirect.js) redirects to a complicated URL on trafficout.net. Thing is, even if you bungle that URL (which I did on purpose), you still get the same 302, as long as you hit the redirect script with the number right behind the ?. And it redirects to
topsearch10.com ID: 55038

In other words, trafficout.net belongs to the spammer:

Registration Service Provided By: REGNAME.BIZ
IP:72.232.223.195
Shokolad
Alexandr (apitok@mail.ru)
Bayman str/ 2
Moskoy
null,605105
RU
Tel. +7.0957856234

Creation Date: 04-May-2005
Expiration Date: 04-May-2007

Domain servers in listed order:
ns2.allveryeasy.com
ns1.allveryeasy.com

Don’t expect this whois to be any more accurate. I include it just for documentation purposes.

So I went back further, and found yet another:

otday.org
203.174.83.55

Last Updated On:26-Sep-2006 13:39:26 UTC
Expiration Date:25-Sep-2007 21:02:49 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:DI_4020257
Registrant Name:Huani
Registrant Organization:Dokinzo
Registrant Street1:Sekanifa
Registrant Street2:
Registrant Street3:
Registrant City:Haynan
Registrant State/Province:
Registrant Postal Code:4g5h65d
Registrant Country:CN
Registrant Phone:+23.5464431831
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: huani@dokinzo.com
Name Server:NS1.UVILO.COM
Name Server:NS2.UVILO.COM

This time it’s lolita type porn, and the redirect goes the same route, except different number, and eventually goes to todaysfreevideo.com, ID: 1029

Additionally, I checked the domains on 72.232.223.195, and they all have different fake whois, but with one common factor, random postal code, like we’ve seen on other domains in this case. There’s some movement of domains between 72.232.223.195 and 203.174.83.55.

————

2nd update:

I just got the first spam comment for a few new domains. Same IP, same setup.

googleshoppingcenters.org - food spam
dogonyay.info - insurance spam.
gemballagt.com - car spam
outsidereal.com - cosmetics spam
freetissot.info - finance, loans spam
kandelyabr.info - education spam
doublevisit.info - porn spam
rapagt.info - kitchen spam

This entry was posted on Saturday, October 7th, 2006 at 4:45 am and is filed under Comment spam. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.