Archive for April, 2007

Wiki-spam attack from diving-deep

Saturday, April 28th, 2007

I woke up today to a quite massive attack on my wiki. Large edits to lots of pages. The links spamvertized are all to free forums, misused forums belonging to other people and various other non-hacker exploits.

So far the exploited pages all redirect to one domain:

diving-deep.net
216.255.179.196

That’s in Intercage space - they’ve been notified.

The whois is interesting, it points to Norway. The person is allegedly:

Billy Fulkerson (geojon@care2.com)

And the address and phone number points to the Neptun hotel in Haugesund, Norway. Yep, the address and phone number is legit, but I doubt it has anything to do with the spammer. The registrar is KLIK MEDIA GMBH. Remember them?

The IP numbers used for the spam run are all proxies.

The spammer is affiliate number 35vm5c with evoplus.

—————

Update:

Intercage nullrouted them, and they immediately switched to 85.255.115.213 at inhoster. Intercage is upstream, and immediately nullrouted them again, and now they’re on 212.176.41.8 which I believe is on equant.ru. Unfortunately that website is entirely in Russian, and I have trouble figuring out who to contact. Some help would be appreciated? I sent an e-mail to the contact for the IP numbers. And then I contacted the DNS provider as well. Awaiting reply.

Update May 4:

No response from either the current webhost or the DNS provider. And the spamming has started up again - two new wiki diffs on a wiki I own today.

Project Honey Pot tracking comment spammers

Tuesday, April 24th, 2007

I just got an e-mail from Matthew Prince, the guy spearheading Project Honey Pot. They’ve just started tracking comment spammers. Here’s the announcement:

Project Honey Pot Begins Tracking Comment Spammers 

Looks like they’ve got more up their sleeve. I’ll be checking back tomorrow!

Clueless reply from Myspace about hacking

Monday, April 23rd, 2007

I contacted Myspace April 13th with this text:

This guy has fake login code on his profile:
(link to the profile I was talking about)

I’ve contacted him multiple times about it, and he doesn’t care.

Today I got this response from Myspace UK:

Thank you for contacting MySpace Customer Support.

The issue seems to be resolved now. If you are still experiencing difficulties please reply to this e-mail.

Sincerely,

MySpace

I then immediately checked the profile in question. No change. Still got fake logins all over it, so I sent this as a reply:

He’s still got rogue code on his profile. Like I said, he doesn’t care.

My beef right now, is with that particular Myspace employee for not even recognizing a profile with fake login code on it.

Hey, maybe *I* should work for them? At least I can recognize bad code when I see it?

BTW, that was his profile I analyzed in the Anatomy of a hacked myspace page post.

Tagged: 5 reasons why I blog

Saturday, April 21st, 2007

I finally got on Bloglines again, and read IncrediBILL’s blog - which I usually do when I remember to read Bloglines. Anyway, I discovered I’d been tagged a few days ago (why didn’t you e-mail me, Bill? I DO read my e-mail, you know.) I should probably enable my referrer script again, so I don’t have to figure this out long after the fact.

So, why do I blog?

1) When I started blogging, I had planned on writing mostly about theology. That’s my education, and I knew I had something to say. Problem is, in order to constantly have something new to say, it takes a LOT of thinking, so I haven’t blogged about that as much as I did in the beginning. But THAT was what got me started blogging on my old website.

2) Then I found I had something to say about several topics, and found that a blog is an easier way to say it than constantly making new pages on my website. I’ll still make pages for especially interesting topics, but a blog is a more personal medium than a page, and I enjoy the form.

3) Then I woke up to a massive spam run, and got irked enough to write something about it. I realized fairly quickly that I had a natural bent towards finding stuff out in that field, and continued.

4) I enjoy being thought of as an authority on this or that topic. It’s not that I take advantage of every opportunity, but without the spamhuntress blog, I wouldn’t have had the chance to go to Holland last year.

5) I like researching and investigating. That’s the driving force behind what I do. I don’t usually get irked about stuff. One person recently took a look at the spamhuntress blog in my presence and immediately told me that I’m vindictive and negative. I looked dumbfounded before I found my voice and told him that isn’t true. I realized then that I probably need to tell people here: I don’t hate spammers, and I don’t do any of this out of a need for revenge. I actually don’t believe in hate or revenge. I believe it’s something that will damage the holder of the feeling more than the recipient, though it’s certainly not a good thing to be hated or the victim of a vengeful act. My ideal in doing what I do on spamhuntress, is to do it objectively, without getting hot under the collar.

Let’s see, who shall I tag?

Richi Jennings - curious about him
Joe - not much from you lately?
Matt Cutts - just because he didn’t do it last time

Can’t think of anyone else right now. I’ll take suggestions for the last two spaces…

Hacked B2evolution

Saturday, April 21st, 2007

I got some spam on a forum that appeared to be for a hacked website. It turned out to be a blog community running a modified B2evolution. The spammers had hacked index.php, and made redirects by using URLs along this pattern: index.php?xanax#3

That particular website has been notified, and has removed the hacked code.

I haven’t found any other websites compromised that same way, but that doesn’t mean there’s nothing like it out there.

Websitewelcome abuse address not working

Saturday, April 21st, 2007

I sent an abuse complaint to websitewelcome.com, about two domains involved in myspace bulletin spam. The domains were:

playdate-fun.com
marketing-dept-v.com

This is what I got in response:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

abuse@websitewelcome.com
retry timeout exceeded

Can’t even send a spam report to Myspace?

Saturday, April 21st, 2007

This has happened way too many times for me to forget about it:

Myspace error

It happens as I submit a spam complaint.

And since I apparently can’t reach myspace, I’ll post it here. It’s user number 181647733. CSS is hiding most of the normal myspace layout, instead displaying a grinning condom promising 3 free packs of condoms if people click on him. Who’d like to trade their e-mail address to the bad guys in order to get three packs of condoms? You realize that’s giving the spammers PERMISSION to send as much spam as they possibly can to you, right?

Danish fedex spam with virus

Thursday, April 19th, 2007

During the night thousands of e-mail addresses connected with people in Denmark have received an e-mail purportedly from fedex.com. It’s written in what appears to me to be perfect Danish, and promises 15 % off if they send in the form attached to the mail. Only the “form” is not a form. It’s an executable with a random numeric name, and containing the virus TR/Spy.Bzub.B.

Some journalists in Denmark originally thought hackers had gotten into fedex and sent out those e-mails. But the e-mails were sent out to random Danish addresses, including inactive ones - both customers and non-customers of Fedex. And I got a sample of the headers, and will paste them in here (the relevant bits). Notice that it doesn’t even come from Denmark:

Received: from 66-195-105-206.static.twtelecom.net [66.195.105.206] by recipientsmailserver2.dk with ESMTP
(SMTPD-8.22) id AA310348; Wed, 18 Apr 2007 22:06:09 +0200
Return-Path:
Received: from 209.205.25.170 (HELO smtp.albert-white.com)
by recipientsmailserver.dk with esmtp (/-26A4FH5 LU6Z)
id 4ESG>0-/FYYK7-OR
for recipient@recipientsmailserver.dk; Wed, 18 Apr 2007 20:06:27 +0600
Message-ID: <01c781f5$0c516520$6c822ecf@gblk>
From: "FedEx"
To:
Subject: Kvittering
Date: Wed, 18 Apr 2007 20:06:27 +0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0007_01C781CB.237B5D20"
X-Priority: 3
X-MSMail-Priority: Normal

Notice how it’s got two Received lines? The MX record for the e-mail address is for recipientsmailserver.dk, while there’s another mail server at the same IP number named recipientsmailserver2.dk (all recipient info munged). So I’m slightly unsure where that mail really came from… The twtelecom address is blocklisted at psbl.surriel.com for another spam run on April 5.
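As an added example (not code from the original post): a small Python script that parses the Received chain from a sample constructed to match the headers quoted above, walks the hops in transit order, and flags the checks a practitioner would run on them: a HELO name the receiving server did not verify, a Date header whose timezone differs from the receiving server’s, and an implausible time gap between the two hops.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
# Constructed sample modelled on the headers quoted above (recipient names munged as on the page).
SAMPLE = (
    "Received: from 66-195-105-206.static.twtelecom.net [66.195.105.206]"
    " by recipientsmailserver2.dk with ESMTP\n"
    " (SMTPD-8.22) id AA310348; Wed, 18 Apr 2007 22:06:09 +0200\n"
    "Received: from 209.205.25.170 (HELO smtp.albert-white.com)\n"
    " by recipientsmailserver.dk with esmtp (/-26A4FH5 LU6Z)\n"
    " id 4ESG>0-/FYYK7-OR\n"
    " for recipient@recipientsmailserver.dk; Wed, 18 Apr 2007 20:06:27 +0600\n"
    'From: "FedEx"\nSubject: Kvittering\nDate: Wed, 18 Apr 2007 20:06:27 +0600\n'
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOP_RE = re.compile(
    r"from\s+(?P<name>\S+)"                    # host or IP as the receiver recorded it
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"     # HELO string, if logged in this style
    r"(?:\s+\[(?P<ip>" + IPV4 + r")\])?"        # bracketed connecting IP
    r".*?\bby\s+(?P<by>\S+)"                    # receiving server
    r".*?;\s*(?P<date>[^;]+)$"                  # timestamp after the final semicolon
)

def parse_hops(raw):
    """Return the Received hops in transit order (earliest first)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))          # unfold the header first
        if m:
            ip = m["ip"] or (m["name"] if re.fullmatch(IPV4, m["name"]) else None)
            hops.append({"ip": ip, "name": m["name"], "helo": m["helo"], "by": m["by"],
                         "time": parsedate_to_datetime(m["date"])})
    return hops

def check(raw, max_gap_hours=1):
    """Three sanity checks over the chain; returns (hops, list of findings)."""
    hops, findings = parse_hops(raw), []
    sent = parsedate_to_datetime(message_from_string(raw)["Date"])
    for h in hops:
        if h["helo"] and h["helo"] != h["name"]:             # HELO is a claim, not reverse DNS
            findings.append(f"HELO {h['helo']} claimed by {h['ip']} is unverified")
    if sent.utcoffset() != hops[-1]["time"].utcoffset():
        findings.append("Date header timezone differs from the receiving server's")
    for a, b in zip(hops, hops[1:]):
        gap = (b["time"] - a["time"]).total_seconds() / 3600
        if abs(gap) > max_gap_hours:
            findings.append(f"{gap:.1f}h gap between {a['by']} and {b['by']}")
    return hops, findings
```

On the sample above the earliest hop is the bare IP 209.205.25.170 with an unverified HELO, the Date header sits in +0600 while the Danish server stamps +0200, and the two hops are six hours apart; none of that proves where the mail originated, but each is a reason to distrust the lower Received line.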

Here’s the text of the e-mail:

Dear customer,

A package has arrived addressed to your name and address.

You will find a receipt of delivery attached to this letter.

Please open the letter and fill in the receipt in order to collect the package at the nearest FedEx branch.

You can find the address of the nearest FedEx branch on the site fedex.com

Prepare a shipment online with FedEx and save time that you can use for something else. You can get information about prices, order pickup and packaging, monitor all your shipments by tracking them from home, etc., at fedex.com.

If you register now, you get a 15% discount on FedEx Express services online for 4 months from the registration date.

Yours faithfully,

Customer Service

FedEx

Update:

Danish Computerworld has an article today about the speculation that a Baltic group is behind the mail, which they call a phishing mail. According to Peter Kruse at CSIS, the virus is designed to spread over instant messengers and web based mail services. It supposedly uses templates (if I translated the Danish word skabeloner right), so I suppose that means it actually sends out messages in people’s names. There was a phishing attempt earlier regarding Tele2, and they feel the method is fairly similar (the use of templates). The command center that the virus phones home to is in Russia, and Danish internet providers have blocked access to it, in order to protect Danish surfers.

Category spam

Monday, April 16th, 2007

The latest spam attempt (who knows if it’s serious or a test) is an attempt to use the categories syntax in MediaWiki. The syntax looks similar to a category, except there’s a spammy link before the regular syntax. Once you look at the actual page, that link will not appear inside the categories box, but the link will work. Here’s the example I found:
Wiki diff
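As an added illustration, not code from the post: a check that flags wikitext lines where an external URL sits in front of a [[Category:...]] tag. That shape is my assumption about the markup described above, since the post links to the diff rather than quoting it.

```python
import re

# Assumed shape of the markup (the post links to the diff rather than quoting it):
# an external URL placed on the same line as, and ahead of, an ordinary [[Category:...]] tag.
CATEGORY_TAG = re.compile(r"\[\[\s*Category\s*:[^\]]*\]\]", re.I)
EXTERNAL_URL = re.compile(r"https?://[^\s\]|]+", re.I)

def suspicious_category_lines(wikitext):
    """Return (line_no, urls) for each line with an external URL in front of a category tag."""
    hits = []
    for no, line in enumerate(wikitext.splitlines(), 1):
        tag = CATEGORY_TAG.search(line)
        if tag:
            urls = EXTERNAL_URL.findall(line[:tag.start()])   # only links ahead of the tag
            if urls:
                hits.append((no, urls))
    return hits

# Constructed sample edit: a clean category line and one with a link smuggled in front of the tag.
SAMPLE_EDIT = """Some article text.
[[Category:Spam fighting]]
[http://spam.example/pills cheap pills] [[Category:Spam fighting]]
"""
```

Run over each added line of a recent-changes diff, it gives a cheap first filter; the category box on the rendered page will not show the link, so the wikitext is the only place to catch it.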

Nuisance wiki changes

Friday, April 13th, 2007

I discovered someone making small changes to my wiki pages. Some changes were malicious. Others were just removing the + in front of international phone numbers. Hard to figure out, until you take into account changes made by the same IP numbers on other sites. Sometimes rolling back previous changes, or partial earlier changes.

Here are the IP numbers associated with this behavior:

200.238.102.170
200.238.102.162
200.26.140.154
61.144.122.45

Several of these are on “free proxy” lists.

Any idea who’s behind this and what the point is?