Archive for February, 2007

Catch all great for spamhunters

Wednesday, February 28th, 2007

I get one piece of advice over and over:

Make up a new e-mail address every time you have to register at a new service, or even post on someone else’s blog. Then you can just turn off that e-mail address if it ever gets harvested by a spammer.

That’s bad advice for regular people for one very good reason: To make it work, you’ll need to configure your domain as catch all. No matter what you put in front of the @, it’ll end up in your inbox, until the day you “turn that particular address off”. One day you’ll wake up to in excess of (wildly estimated) five thousand mails in your inbox, because a spammer decided to misuse your domain as the from address, or decided to do a dictionary attack - sending mail to thousands of made up addresses on your domain while trying to find valid ones. Also, turning off an address may not be all that easy unless you know a thing or two about the mail setup you’re using.

But it’s a very good idea if you’re a spamhunter, and live for tracking down people who sell their e-mail lists, or whose databases get hacked or whatever.

Pascal Van Hecke found out that Performancing.com’s database somehow ended up in the hands of a spammer. His findings were confirmed by another user.
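The per-service address trick and the catch-all downside described above can both be read off the same mail log. The following is an added example, not code from the original post: the alias registry, the domains and the sample traffic are all constructed, and the threshold is an assumption.

```python
from collections import Counter, defaultdict

# Constructed registry: local part handed out -> domain of the only service given it.
ALIASES = {
    "blogtool": "blogtool.example",
    "shop": "shop.example",
}

# Constructed sample traffic on a catch-all domain: (envelope recipient, sender domain).
SAMPLE = [
    ("blogtool@mydomain.example", "blogtool.example"),
    ("blogtool@mydomain.example", "cheap-pills.example"),
    ("blogtool@mydomain.example", "win-lottery.example"),
    ("shop@mydomain.example", "mail.shop.example"),
    ("aaron@mydomain.example", "bulk.example"),
    ("abby@mydomain.example", "bulk.example"),
    ("adam@mydomain.example", "bulk.example"),
    ("admin@mydomain.example", "bulk.example"),
]


def same_org(sender_domain, service_domain):
    """True if the sender is the service's domain or one of its subdomains."""
    sender_domain = sender_domain.lower().rstrip(".")
    return sender_domain == service_domain or sender_domain.endswith("." + service_domain)


def triage(messages, aliases, guess_threshold=3):
    """Split catch-all traffic into expected mail, leaked aliases and guessed addresses."""
    leaks = defaultdict(Counter)   # alias -> third-party sender domains seen
    guessed = set()                # local parts that were never handed out
    expected = 0
    for rcpt, sender_domain in messages:
        local = rcpt.rsplit("@", 1)[0].lower()
        service = aliases.get(local)
        if service is None:
            guessed.add(local)     # only reaches the inbox because of catch-all
        elif same_org(sender_domain, service):
            expected += 1
        else:
            leaks[local][sender_domain.lower()] += 1
    return {
        "expected": expected,
        "leaked_aliases": {a: dict(c) for a, c in leaks.items()},
        "guessed_local_parts": sorted(guessed),
        "dictionary_attack_suspected": len(guessed) >= guess_threshold,
    }


if __name__ == "__main__":
    print(triage(SAMPLE, ALIASES))
```

Sender domains are trivially forged, so a "leaked" alias only shows that the address escaped from the one service that had it, not who is sending to it now.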

You have won

Monday, February 26th, 2007

Yeah, right….

Just wanted to underscore how you should never trust spam. I received this e-mail to my two functioning e-mail addresses on a domain. Yep, there are two in existence, and both received the same e-mail. What are the chances of that, if this were indeed true? Very close to none!

We are happy to inform you that you have emerged a winner
under the First Category,BankGiro International
Promotion. The draws were officially announced this day
24th of February,2007.Participants were selected through
acomputer ballot system drawn from 2,500,000 email
addresses of individuals world wide.You have therefore
been approved for a lump sum pay out of €1,000,000.00 (One
Million Euros ).

Newest trend in wiki spam

Wednesday, February 21st, 2007

I’ve found the newest trend in wiki spam seems to be to go after pages that don’t usually have content on them. Like category pages and talk pages connected to categories. Talk pages in general are popular, and I’ve also had quite a bit of spam coming to Talk:W/w/index.php

In the beginning I would just delete the pages, but the spammers would just come back. So I’ve taken to protecting those pages, THEN removing the comments by editing. At least then they’ll have to find other pages to vandalize.

500 gift card from Macy’s

Monday, February 12th, 2007

Yep, that appears to be the latest scam.

I got a bulletin from a “friend” on MySpace today. I’ve sent him an e-mail to check if he sent it or not. I’m guessing not. No idea how this one works.

But the link you’re supposed to claim the giftcard at is

preesly.com

It redirects (in HTML) to an affiliate ID at directtrack, which (for me in Norway) eventually leads to a page where it says the offer isn’t available in my area (geotracking). That page has a poker affiliate ID redirect on it. But for those in the US, it eventually ends up on ConsumerResearchBureau.com

According to McAfee SiteAdvisor, they got mucho spam after registering on that site.

So, this is about spam, however it’s done.

Would you get a gift card from Macy’s after registering? I don’t know, and I’m not going to try and find out. I’ve got enough spam as it is.

I’ll leave out the whois for now, until I know for sure how that bulletin got sent.

Update: Just got a second bulletin from the same guy. This time he’s gushing about a Louis Vuitton bag. Yeah, right, I don’t think so. This is a GUY, not a girl. I doubt he’d willingly be seen with that thing!

Domain name this time: vdaybags.com

Wildfire comments on MySpace

Monday, February 12th, 2007

It seems every day it’s something else. I find them on profiles for famous singers or other people who get a lot of comments, have lots of friends and don’t moderate heavily.

Here’s one example of a profile spammed with that kind of comment, where HTML wasn’t disabled. Look for comments today from Chad and Wendy Lyn:

Jenny’s profile
Today’s catch is:

kerryissoverry.info/startnow.php
whoswaldo.info/getitnow.php
wswirl.info/dlnow.php

Do NOT go there! It throws up a 302 redirect to profilewatcher_setup.exe.

That site actually advertises that software. Except, I can’t for the life of me figure out how an exe file can do any profile watching on MySpace, unless the program is instructing YOUR computer to do the watching, and maybe who knows what else…

Either way, it appears they’re doing some spamming. Those comments are (unsuccessfully on the profile I was watching) formatted to have a random MySpace graphic with that link under it. Stealth promoting, in other words. Anyone who clicks on the image, gets the program.

Whois info:

Created On:24-Jan-2007 05:16:32 UTC
Registrant Name:Janice Robb
Registrant Organization:ZeroPoint Search Solutions
Registrant Street1:1555 Sky Valley Dr.
Registrant Street2:#A101
Registrant Street3:
Registrant City:Reno
Registrant State/Province:Nevada
Registrant Postal Code:89523
Registrant Country:US
Registrant Phone:+1.7756241422
Registrant Email: janice@zpsearch.com
Name Server:NS1.GEODNS.NET
Name Server:NS2.GEODNS.NET

IP: 66.135.40.95

zpsearch.com is deemed unsafe by McAfee SiteAdvisor. They said the profilewatcher software was safe, but frankly, I don’t care. Zpsearch are spammers, and I don’t trust spammers! I’m fairly sure that software is doing a bit more than McAfee thought - at least today!
Paretologic is a bit more skeptical than McAfee - they point out you have to enter private credentials…

I highly doubt these people entered these comments of their own free will, which leaves the software as the likely culprit.

Gullible on MySpace

Sunday, February 4th, 2007

I thought I’d check out the specifics of the tracker scam on MySpace. I’ve seen some comments sections crammed full of those comments, typically saying in large font:

See who is spying on your MySpace page! Click here to start tracking your profile lurkers!

downloadthefox.net
trackyourspace.net
hellaadds.com

Update:
I’ve seen redirects from these to stalkertrack recently.
11021986.info
beeasy.info

What’s interesting, is that all of these are owned by the same person and are hosted on 64.131.64.86. The owner tends to use trainreqhost.com as the DNS servers, and also posted about selling hellaadds on a forum, under the name TrainReq. Another name I’ve seen associated with that domain, is Josh919 as a moderator on a forum.
Most of the addresses redirect directly to stalkertrack.com

All domains have whois protection on them.

Other domains associated with trainreqhost.com

essentialproxy.com - used to be on the same server as trainreqhost.
nightstarproductions.com - has the dns servers. The PHP info on essentialproxy.com references josh.nightstarproductions.com as well as webmaster@trainreghost.com. And Trainreq posted on Sla.ckers and used the nightstarproductions as an example of where he’d put MySpace cookie stealing code, only he couldn’t get it to work at first. And I found a working cookie stealer javascript on that domain as well. Oh, and there’s even a forum for support for the tracker customers. This you’ve got to see: h*tp://profileviewz.nightstarproductions.com/index.php?act=idx

So this guy actually DID sell a tracker in the past. But there’s been quite a bit of press about stalkertrack, and what’s been said is that in order to sign up, you need to hand the keys to the kingdom to the site - in other words, they spam ALL your friends on MySpace with their ad copy for the tracker. AND, you still don’t get the tracker - yet.

Can anyone help figure out who TrainReq is?

The MySpace bait and switch

Sunday, February 4th, 2007

MySpace has a huge bull’s eye on it. With that many users, the potential for income is huge, if you figure out how to spam the system. We’ve seen many do that. The services that promise you can spy on who’s looking at your page, sometimes spam your friends, if you sign up for the service. And they sued Scott Richter… But there’s a twist I haven’t seen before.

Make a fan profile for a hugely popular band, then after it’s become very popular, change the name and launch it as your own profile.

(edited name out) did just that.

What used to be his tribute page for Petra (hugely popular Christian rock band), at http://www.myspace.com/petra is now his own page - the old URL is invalid, but all the people who added Petra as their friends, now have his profile in that spot instead. With all the comments entered for Petra still intact…

Tim says in his blog post (now removed) on what used to be Petra’s profile that he wouldn’t have done that, except MySpace blocked his own profile from sending comments. Hmmm, I just have to ask the question: Did he send LOTS of comments? It’s a valid question, but not one I know the answer for.

Anyway, rationalize it any way you want, it’s still dishonest!

Update, March 8th 2007:

This guy got in touch with me. At first he thought I’d slandered him and tried the usual legal bluff most people fall for. When that didn’t work, he asked me nicely to remove his name. The guy possibly DID send way too many comments, and got punished for it by MySpace. He argued that his own profile had had way more friends than the Petra profile, and that Petra isn’t his target audience. When it was time to promote his new album, he was locked out of doing it the way he wanted to, so he did (what to me is dishonest, even though I understand his reasoning - the end justifies the means) what he could to get the word out - he butchered his fan tribute site and put his own site there instead.

I guess the main two lessons from this story are these:

* Don’t send out way too many comments (or bulletins, messages or friend requests). With the current level of spamming happening on MySpace, you might be labeled a spammer and might lose the right to send comments or bulletins, maybe even messages.

* Don’t do the bait and switch, the backlash could cost you a lot - especially if someone like me gets her toes stepped on.

I did find a current profile for two members of Petra, that I put on my friends list. The artist who did the bait and switch is not my cup of tea, and long gone from my friend list.