Archive for November, 2007

Is Ivan Davidchuk a spammer?

Tuesday, November 20th, 2007

I don’t have the answer to that. He could be the innocent victim of a shady SEO company.

What I can tell you is that I’ve found spam pointing to his domains as early as June this year. I got one spam comment pointing to his domains today, in a guestbook that is rather spam resistant.

The spammer often uses 216.255.183.194 from Intercage to spam from. I haven’t seen any other spam from that IP so far, so I’m considering the possibility it might be used exclusively by this spammer.

Whois:

owner-organization: Tatet
owner-fname: Ivan
owner-lname: Davidchuk
owner-street: a.ja 101
owner-city: kiev
owner-zip: 02099
owner-country: UA
owner-phone: 0675024084
owner-email: istone@mail.ru

person: Ivan Davidchuk
organization: Artmam
email: istone@mail.ru
address: Borispolskaya, 9
city: Kiev
postal-code: n/a
country: UA
phone: +38.0675024084

The earliest mention I’ve found of this person is from 2001, when he offered services to search for art in Russia. That post was submitted by someone who used the same e-mail address and name as used for the whois. He also represented himself as an art supplier in 2001. Note the ICQ number. The profile page sports a picture of Mr. Davidchuk.

The spam I’ve seen, ranging from June until today, generally points to bookmarking services, and the bookmarks all point to domains owned by Mr. Davidchuk.

Examples:

67.15.143.6:
afete.com
atagira.com
bliklist.com
limerex.com
memorexa.com
tatet.com

67.15.181.24:
artmam.com

67.15.181.111:
artnam.com
artvam.com

209.62.77.34:
antalax.com

During the same time period I received the spam comment from this spammer, I also got a slew of porn spam comments. And since this guestbook has been virtually spam free for a long time, I’ve considered the possibility it could be the same spammer with two different campaigns. I did find a spam comment from June that combined the two different methods - spamming bookmarking pages and porn pages. The one porn domain that was spamvertized together with the bookmarking pages had a whois pattern that was similar to the current whois pattern used by the porn spammer who’s currently spamming my guestbook.

The porn spammer spams from these two IP addresses: 85.255.120.58, 216.255.179.34

Intercage has been notified.

Update: I found some accesses to the guestbook that looked like accesses from a spammer - the surfing activities of a spammer, looking to see what happened with my guestbook. On a hunch, I checked the logs on spamhuntress for the same IP numbers. Yup, the same two people had checked out the blog in the same time frame.

87.252.242.16 - from Minsk, Belarus
80.68.6.198 - from Taganrog in Russia

80.68.6.198 did some wiki spamming in 2005. 87.252.242.16 has been seen mailspamming as late as a week ago. I wouldn’t be surprised if one or both are proxies.

Gmail phish

Sunday, November 11th, 2007

I got a Gmail phish today. Short version: They wanted me to fill in my account details, including password, in order to avoid my gmail account being deleted. And then reply with those details.

More details: all images were from the Gmail server. The e-mail appears to have been sent through Gmail’s servers, not from an outside server. Official-looking e-mail address.

So, why do I believe it’s a phish?

First of all, Gmail wouldn’t need me to send them anything to confirm my account is active. I happen to be conversant with e-mail servers. Gmail will at any time know - if they need to find out - when I last logged into the server. That’s part of mailserver architecture. In the past, you could use a tool called “finger” to find out when someone else last logged into their mail account. A very useful tool, that unfortunately became a security risk when the internet took a nosedive into spam, commercialism and crime.

The e-mail had a “To” address that wasn’t my address. That’s inelegant, and wouldn’t be used for an e-mail sent to ALL accounts on a server.

Imagine the amount of e-mails something like this would generate, if it were legit. And to even consider using ONE e-mail address as a recipient for responses? Not feasible on this scale. Gmail would use a secure form on their server. But wait, Gmail already knows my password… No human other than the account holder has any business knowing your password, as long as the server itself can handle you logging in and out, changing your password and retrieving it if you lose it. When you know about server architecture, it’s just so obvious that it’s a phish.

Unfortunately, it probably seems legit to a large enough number of people that some criminal element decided it was worth the expense to do this.

Or, if I put on my tinfoil hat, maybe some criminal element decided on trying to acquire the passwords of particular accounts? So guys, who received this phish?

Gmail phish screencap

libwww-perl and exploits

Friday, November 9th, 2007

I’ve noticed some URLs that are left in my logs: a path to my wiki, and then, through some (working or not) redirect, a URL to somewhere else that always ends in a ?. I see many of those links in Google, so it’s possible the point is to get the URLs into statistics summary pages.
Here’s an image with the code I found when accessing one of those pages. Usually they end in a 404, as the owners of the servers realize what is going on (I assume), but sometimes I see the code. I’m wondering what this code does to someone who browses to that page?

Questionable code image

The user agent is always some permutation of libwww-perl, and the page where the code is located often has the extension .txt, making it seem harmless. After having seen several of these pages, the code seems slightly different each time.

I originally meant to only provide one example of code, but I’ve seen some that went even further, and I’ll try and give examples of those too.

Here’s one that seems extremely fishy. Although it’s a text file, be careful when opening it! I noticed that the file was last changed November 4. What’s interesting about this particular domain name is that a hacker left a message on another site with an e-mail address on that domain. E-mail addresses from that domain have also been used for spam (not sure which type, since I can’t read the language of the site that collected those addresses).

Some other domains are on Yahoo’s servers (old Geocities, sometimes), and some of the sites appear to have been hacked. But the registration data seems wacky enough that I’m not sure. Here’s an example. That address doesn’t exist, and the phone number is from elsewhere in the US:

Domain Name: baguscrew.net
Creation Date: 2007-10-24
Registration Date: 2007-10-24
Expiry Date: 2008-10-24
Organisation Name: aris asmoro
Organisation Address: 565 ne norton ave
Organisation Address: bend
Organisation Address: 97701
Organisation Address: CO
Organisation Address: UNITED STATES

Here’s another code snippet.
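An added example, not code from the original post, that scans web-server log lines for the request shape described in this post: a libwww-perl user agent and a query parameter whose value is an absolute URL, usually to a .txt file, ending in a ?. That shape is what remote file inclusion scanners send to PHP applications: the trailing ? makes whatever the target script appends to the parameter land in the query string of the fetched URL, so the remote .txt is retrieved intact. The log format is assumed to be Apache/nginx "combined", and the log lines are constructed samples, not the author's logs.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Apache/nginx "combined" log format (assumed for the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real log data. Line 1 is a normal visitor,
# lines 2 and 3 carry a remote URL ending in "?" as a parameter value,
# line 4 is libwww-perl fetching an ordinary page.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2007:10:01:02 +0100] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.10 - - [09/Nov/2007:10:03:44 +0100] "GET /wiki/index.php?page=http://example.net/files/id.txt? HTTP/1.0" 404 210 "-" "libwww-perl/5.805"
198.51.100.7 - - [09/Nov/2007:10:05:01 +0100] "GET /wiki/go.php?url=http://example.org/s.txt?? HTTP/1.0" 302 0 "-" "libwww-perl/5.79"
203.0.113.9 - - [09/Nov/2007:10:07:15 +0100] "GET /wiki/index.php?title=Spam HTTP/1.1" 200 900 "-" "libwww-perl/5.805"
"""


def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_url_params(path):
    """Return (name, value) pairs from the query string whose value is an absolute http(s) URL."""
    query = urlparse(path).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(("http://", "https://"))]


def classify(rec):
    """Reasons a request looks like the probes discussed above (empty list = nothing notable)."""
    reasons = []
    if "libwww-perl" in rec["ua"].lower():
        reasons.append("libwww-perl user agent")
    for name, url in remote_url_params(rec["path"]):
        if url.endswith("?"):
            reasons.append(f"parameter {name} is a remote URL ending in '?'")
        elif url.lower().split("?")[0].endswith(".txt"):
            reasons.append(f"parameter {name} is a remote .txt URL")
        else:
            reasons.append(f"parameter {name} is a remote URL")
    return reasons


def scan(log_text):
    """Return one dict per flagged line: ip, path, ua, status and the reasons it was flagged."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "path": rec["path"], "ua": rec["ua"],
                         "status": rec["status"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ip"], h["status"], h["path"])
        for r in h["reasons"]:
            print("   -", r)
```

A libwww-perl user agent on its own is only a weak signal (plenty of legitimate Perl scripts use it); the remote-URL parameter is the strong one, and a 200 or 302 on such a request, rather than a 404, is what deserves a closer look.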

Loads of new wiki users

Friday, November 9th, 2007

I’ve noticed that my wikis had way too many users, and guessed most of them belonged to spammers. But what I didn’t know was that most of them are recent. One wiki had around 440 users, and around the 26th of September what appears to be one particular spammer started creating users en masse. The wiki had 150 users up until then. The other blog had over 1500 users before I started deleting.
I recently had to close edits to anyone but logged-in users, to try to stem the tide, in addition to using Bad Behavior. And if I have loads of already-created users just waiting to be used by a spammer, I have a problem!

So check your database, and look at the users. I bet you’ll find lots of users you can safely delete!
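As an added example, not part of the original post, here is one way to do that check on an export of the user table: find days on which registrations spike far above the wiki’s usual rate, then list the accounts created on those days that have never edited. The user records are constructed sample data, and the function names and the "registrations per day versus the median day" heuristic are this example’s own, not a feature of any wiki engine.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Constructed sample, not a real user table: (username, registration date, edit count).
# A handful of genuine accounts spread over two years, then a burst of
# never-editing accounts created over three days in late September.
USERS = [
    ("admin", date(2005, 3, 1), 4120),
    ("alice", date(2006, 2, 11), 88),
    ("bob", date(2006, 9, 30), 0),        # real lurker: zero edits, but created on a quiet day
    ("carol", date(2007, 4, 2), 12),
    ("dave", date(2007, 9, 27), 3),       # signed up during the burst, but has edited
]
USERS += [(f"zq{i:02d}wiki", date(2007, 9, 26) + timedelta(days=i % 3), 0)
          for i in range(30)]


def registrations_per_day(users):
    """Map each registration date to the number of accounts created that day."""
    return Counter(reg for _, reg, _ in users)


def burst_days(users, factor=5, min_count=5):
    """Days whose registration count is at least min_count and more than factor
    times the median daily count (over days that had any registrations).
    The heuristic is this example's own; tune factor/min_count to the wiki's traffic."""
    per_day = registrations_per_day(users)
    typical = median(per_day.values())
    return sorted(d for d, n in per_day.items() if n >= min_count and n > factor * typical)


def suspect_accounts(users, **kw):
    """Accounts created on a burst day that have never edited: the candidates
    for deletion, once you have eyeballed the list."""
    bursts = set(burst_days(users, **kw))
    return sorted(name for name, reg, edits in users if reg in bursts and edits == 0)


if __name__ == "__main__":
    print("burst days:", [str(d) for d in burst_days(USERS)])
    names = suspect_accounts(USERS)
    print(len(names), "suspect accounts, e.g.", ", ".join(names[:5]))
```

Accounts with zero edits on a quiet day (bob) and accounts that did edit during the burst (dave) are deliberately left alone; the point is to delete what a spammer pre-registered, not every idle user.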

Zywall and Exchange - update firmware

Monday, November 5th, 2007

A customer contacted me, complaining that mail didn’t seem to reach one of their contacts. Mail had started flowing heavily between these two companies, but the mail only reached the recipients if they originated at the contact’s server, not the other way around.

The contact was pretty convinced the problem was on my end, after having done some troubleshooting and finding that the configuration of the server software was sound. I was equally convinced the problem was on their end.

A lot of troubleshooting later, we reached some conclusions:

Although the server at the other end appeared to work fine, it didn’t send the initial server greeting to some servers. This happened across Linux distros and mail server flavors. I couldn’t find a rhyme or reason why some didn’t get the server greeting, but it was consistent: some did, others didn’t. When I telnetted to port 25 from the affected servers, I had to press Enter (I then got the server greeting along with a 500 error) or send EHLO manually in order to get the server greeting.
They had Symantec Mail Security installed, and I tried to find any mention online of it having problems. Found nothing.

Finally I thought, OK, since there’s an Exchange server behind Symantec, maybe I should see if there are any problems there. I found two mentions of identical problems. In both cases they had a Zywall 5 router in front of an Exchange server. One person had updated the firmware on the router, and the problems had vanished. I called the company and asked the IT person point blank: do you by any chance have a Zywall router in front of the mail server? He immediately said yes. After updating the router firmware, the problems vanished right away.
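The greeting check described above, done programmatically, as an added example that is not from the original post: connect to port 25, wait for the 220 banner, and if nothing arrives send a bare line the way pressing Enter in telnet does, then see whether the banner only shows up after that. The two local servers in the block are constructed stand-ins for a healthy MTA and for a server whose greeting is withheld until the client speaks first; they reproduce only the symptom seen on the wire, not the router’s behaviour itself. Host, port and timeout are parameters you supply.

```python
import socket
import threading


def read_line(sock, timeout):
    """Wait up to `timeout` seconds for a CRLF-terminated reply; return its first line or None."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not buf.endswith(b"\r\n"):
            chunk = sock.recv(512)
            if not chunk:          # peer closed the connection
                break
            buf += chunk
    except socket.timeout:
        pass
    text = buf.decode("ascii", "replace").strip()
    return text.split("\r\n")[0] if text else None


def probe_smtp(host, port, timeout=5.0):
    """Classify how an SMTP server greets a fresh connection.

    Returns (verdict, line) where verdict is
      "ok"      - a 220 banner arrived without the client sending anything,
      "delayed" - the banner only appeared after the client sent a bare line
                  (what the post saw when pressing Enter in telnet),
      "silent"  - nothing usable came back either way.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = read_line(s, timeout)
        if banner and banner.startswith("220"):
            return "ok", banner
        s.sendall(b"\r\n")             # same as pressing Enter in a telnet session
        reply = read_line(s, timeout)
        if reply and reply.startswith("220"):
            return "delayed", reply
        return "silent", reply


def start_fake_mta(greets_first):
    """Constructed stand-in listening on 127.0.0.1 (returns its port).
    greets_first=True behaves like a healthy MTA; False withholds the 220 until
    the client has sent a line, then answers with the banner plus a 500, which is
    the symptom described above, not a model of the router."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(10)
            try:
                if greets_first:
                    conn.sendall(b"220 mail.example.test ESMTP\r\n")
                else:
                    conn.recv(64)                        # wait for the client to speak first
                    conn.sendall(b"220 mail.example.test ESMTP\r\n"
                                 b"500 5.5.2 Error: bad syntax\r\n")
                conn.recv(64)                            # linger until the client hangs up
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo(timeout=1.0):
    """Probe both stand-ins; returns {"healthy": verdict, "withheld": verdict}."""
    out = {}
    for label, greets_first in (("healthy", True), ("withheld", False)):
        port = start_fake_mta(greets_first)
        out[label] = probe_smtp("127.0.0.1", port, timeout=timeout)[0]
    return out


if __name__ == "__main__":
    print(demo())
```

Against a real server, run probe_smtp from both an affected and an unaffected sending host; a "delayed" verdict from some hosts and "ok" from others is the pattern that pointed at the device in front of the mail server rather than at the mail software itself.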

Comment spam server lookup

Saturday, November 3rd, 2007

I found a page with a list of servers from Norway caught comment spamming lately:

Norway’s comment spamming servers at Project Honeypot

I found it while searching for the IP of one server I knew was Norwegian. I contacted the owner (a webhost). He told me he knew about it, and it had been an open proxy server that had been used by spammers all over the world. He also told me he’d fixed it a couple of days ago. Problem is, the last entry in my logs from that server was today! Well, hopefully he’ll fix it.

I also tried contacting another company that’s not a webhost. My e-mail bounced.

It looks to me like there are a lot of compromised servers out there. Compromised in various fashions - from a glitch in configuration, to dishonest customers, to insecure scripts.

Those of us who are responsible for servers need to keep an eye on bandwidth usage as well as logs, and also keep an eye on Project Honeypot and similar services.