Archive for October, 2007

Curious mailbomb

Thursday, October 25th, 2007

I got a few hundred e-mails today in the space of a few minutes. The e-mails were identical, except they came from a few different sources. The spammer misused a feedback form, or so it seemed.

The mails came from e-mail addresses that included Free_Porn@ and some random domain names, but the return-path was usually from a working domain name - same as the server the hacker sent the e-mails through. The ones coming from a different server had the nonsense domains as return-path too (reminds me, that server - not mine - needs to be locked down a bit more).

The domain spamvertized in all those e-mails appears to be an innocent bystander - constantpated.blogspot.com. I found spam for that same site in other places (including gmane.linux.debian.devel.bugs.general a few days ago).

I wonder what the heck the bad guy is looking to accomplish?

Spam at Youtube

Sunday, October 7th, 2007

I’ve seen the first instance of spam at Youtube. I have an account there, with comments pre-moderated. I got an e-mail that someone had commented on a video and checked it out.

It was from krystalt355, who’d registered her account the day before, and was trying to promote something:

Rate girls online at collegeboobies dot com

The site is hosted in Boca Raton in Florida, the spam capital of the US. Note that the spam is not geared towards Google. This is an attempt at reaching the people who view the videos on Youtube, not to get a search engine boost. And the site itself appears to have been online since 2004.
Whois:

OMI
OM I (omitraffic@gmail.com)
6628015828
Fax: none
POBox224
Oxford, MS 38655
US

ns1.sirbooty.com
ns2.sirbooty.com

Creation date: 20 Apr 2004 14:55:39
Expiration date: 20 Apr 2008 14:55:39

I also noticed that Youtube has a button you can press in order to mark something as spam. And it’s possible for me as a logged in user to mark someone else’s comment as spam. But it appears as though the spam still persists, it’s just hidden for me as a user. If I check the same page in a browser that isn’t logged in, the spam is still there.

I found the same spam on metacafe.com (multiple comments on the same video), as well as some other spam with a similar MO.

Forum spam dilemma

Tuesday, October 2nd, 2007

A blog reader e-mailed me and asked for advice. She’d just opened a phpBB forum on her site, and had discovered too late that spammers had started posting porn spam posts full of smutty pictures. The spammers then posted the links to those posts on other forums.

She’s now worried her domain name is tarnished because it appears in Google searches along with porn content. So she’s contemplating abandoning her domain name, even though she’s invested a lot of work into it, since it’s also her moniker.

So, apart from abandoning her domain name, what are her options? Some of the posts pointing to her site are on porn forums, so I doubt she could get those posts deleted.

Would it be possible for Google to drop all posts with links to her forum, if she sent Google a list of the specific URLs that appear in their index? Any Google Guy around to answer that one?

Another alternative: Find out how they’re generating the tiny font, then make a filter that removes all phpBB pages that contain that particular code in a particular location! BTW, I identified the code, and it’s (I’ve removed the tags, or Wordpress goes nutso): span style font size 1px and line height normal. Could someone give some feedback on where inside a phpBB post that code would be used legitimately?
And since I’m addressing this ball of wax, I’ll also do a short analysis on the spam.

First of all, they include loads of pictures. They’re loading from this site: trafflow.com

If you load that site, you get a message that there’s nothing to see there, and to go on to freerhost.com, which is a free hosting site. Both sites are owned by the same person - previewtgp.com. That e-mail address is on a list of owners of malware domains. One of his domains is tagged for distributing Zlob.

Below the pictures, there’s a long porn text, and under that is a list of links in tiny font (not human readable) that points to other forum posts where they’ve posted porn.

Under that, there’s a list of links that point to keyword-rich URLs promising different types of video related software. Anything from keygen to porn. Same tiny font.

I’ve checked the domains in these links, and so far they all belong to the same IP subnet (except one), and they’re all connected by whois identity, dns servers or subnet:

207.176.39.228
207.176.39.230
207.176.39.232
207.176.39.235
207.176.39.238
68.178.232.99

Normally I’d need to add a disclaimer saying that the spammer and the owner of the domains may not be one and the same. The same is true here, but I’d like to add one more fact: The non-porn spam links at the bottom of the posts point to pages where I’ve found links to trafflow.com.
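As a worked version of the filter idea from earlier in this post (finding the tiny-font link lists), here is an added example in Python that is not the blog author’s code: it parses a post’s HTML and reports any links sitting inside a span styled with an unreadably small font-size. The 2px threshold, the three-link cutoff and the sample posts are constructed assumptions.

```python
# Added example (not from the original post): flag forum post HTML that hides
# a list of links inside a tiny-font span, the pattern described above
# (a span with a 1px font-size and normal line-height around a run of <a> tags).
# Threshold, cutoff and sample posts below are constructed for illustration.
import re
from html.parser import HTMLParser

TINY_FONT_PX = 2  # assumption: text at or below this size is not readable
_FONT_SIZE = re.compile(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*px", re.I)

class TinyFontLinkFinder(HTMLParser):
    """Collect hrefs of <a> tags nested anywhere inside a tiny-font span."""
    def __init__(self):
        super().__init__()
        self._span_stack = []   # one bool per open span: is it tiny?
        self._tiny_depth = 0    # number of currently open tiny spans
        self.hidden_links = []  # hrefs found while a tiny span is open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "span":
            m = _FONT_SIZE.search(a.get("style") or "")
            tiny = bool(m) and float(m.group(1)) <= TINY_FONT_PX
            self._span_stack.append(tiny)
            self._tiny_depth += tiny
        elif tag == "a" and self._tiny_depth and a.get("href"):
            self.hidden_links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "span" and self._span_stack:
            self._tiny_depth -= self._span_stack.pop()

def hidden_link_urls(post_html):
    """Return the hrefs of links a reader of the post cannot actually see."""
    p = TinyFontLinkFinder()
    p.feed(post_html)
    p.close()
    return p.hidden_links

def is_hidden_link_spam(post_html, min_links=3):
    """Several invisible links in one post is the spam signature; a lone
    tiny span may still be legitimate formatting, hence the cutoff."""
    return len(hidden_link_urls(post_html)) >= min_links

# Constructed sample posts with placeholder domains, not real spam.
SPAM_POST = ('<p>some text</p><span style="font-size:1px;line-height:normal">'
             '<a href="http://example.invalid/a">x</a> '
             '<a href="http://example.invalid/b">y</a> '
             '<a href="http://example.invalid/c">z</a></span>')
CLEAN_POST = '<p>See <a href="http://example.invalid/faq">the FAQ</a>.</p>'
```

In a pre-moderation queue this would run on the rendered post body before approval, so flagged posts never reach a page that Google can index.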

Old Invision forums hacked again

Monday, October 1st, 2007

I’ve got an old Invision forum. The latest free version. And yes, I know, it’s a bad idea. But it’s been the only solution for having a decently featured pre-moderated forum for a while, unless you want to pay for the software.

So, it’s gotten hacked a few times. And this last time it was embarrassing:

They posted AS ME!

The topic title was “please help”, and the content was one link:

blueice77.com/server.exe

I haven’t checked out the program. I’ll leave that to the security geeks. My forum wasn’t the only one that got hacked like that. They always post as one of the admins, and there’s nothing more than the link in the post.

IP used: 195.22.229.24

It’s an open proxy, so that doesn’t help much. And the user agent is the latest English language Firefox version.

The website with the exe file on it appears to have been hacked. The file existed on the server when I tested it, though I don’t know what it contains. Since it’s been hacked, I won’t post the whois here, and I’ll contact the owner.
And on the topic of pre-moderation (I only checked PHP software): vBulletin and Invision have pre-moderation. But they’re both commercial software (except for the old version of Invision, which has more security holes than a sieve), so not an option for all. Simple Machines and phpBB have promised pre-moderation in the next major version. phpBB has a release candidate with pre-moderation currently available. miniBB has pre-moderation currently, but the new posts will show - you just can’t see the content until approved.