Archive for December, 2007

PhpBB folder compromised

Thursday, December 27th, 2007

I received an e-mail that attempted (in Spanish) to get me to log in somewhere. The link was fake, and pointed somewhere other than where it appeared to.

It pointed to an exe file (I haven’t tested the exe file) in a folder that turned out to be the docs folder in a phpBB installation, a 2.0.x version. That folder had obviously been compromised, and a lot of scripts had been placed there. The forum appears to have been installed in September 2006, but the phpBB files were last modified a year later. Some of the files have dates before that, but were probably uploaded in such a way that the original file date was preserved?

I’ve notified the site admin, so let’s see if he responds and tells us what happened. I assume this is a vulnerability that’s been fixed in newer versions of phpBB?

sms.ac turns into fanbox

Saturday, December 15th, 2007

When I got the second e-mail from someone I didn’t immediately recognize, inviting me to answer a question at fanbox, I thought it was one of those irritating invitations from some application I haven’t installed at Facebook.

But when I got the second identical e-mail, I got irritated enough to check it out.

Turns out it’s from fanbox.com, which is a new incarnation of sms.ac, which I’ve blogged about before:

sms.ac abuse

sms.ac continues to send invitations

By now it’s not visibly centered around text messages (which to me looked like a scam that would quickly result in huge cell phone bills if you were unlucky), but rather a desktop application.

But I kinda doubt this person I got the e-mail from actually tried to send me a question. I might find out, because I’ve figured out the e-mail address (which isn’t in the e-mail from fanbox).

I think the same caution goes now that it did before: Do NOT give them the password to your webmail account, if you decide to join. Because they’ll spam your friends to death, and they’ll get angry with YOU for it!

Come to think of it, they’ll most likely get your webmail password no matter what, because this is a desktop application! The point is storing important documents, mail and passwords (presumably, I haven’t actually tried it, but it’s what I’d want to use a desktop app for, if I found one I trusted). Geez, I would NOT trust them enough to use them as a desktop app, based on their history!

Wait, I forgot to include the actual letter I received:

xxxxxsomeoneyoumayormaynotknowxxxx asked you a question. View the question and answer it.

FanBox.com is the web-based desktop that instantly turns every computer into your computer. It includes over 10,000 web applications and games to choose from, including the Question It application.

This email was sent by xxxxxsomeoneyoumayormaynotknowxxxx while using the Question It application on FanBox. Go here to learn more or stop receiving emails from friends using Question It. FanBox: 255 G Street #723, San Diego, CA 92101, USA

Update: I heard back from the person who supposedly sent those messages. She said she’d gotten them starting yesterday too, and didn’t know why. But I also found I’d gotten another message, supposedly from her, and this time to a Yahoo Groups listowner address. She’s on AOL, and I’m guessing she has a setting that automatically adds all senders of e-mails she receives to her address book.

Bad Behavior blockout

Wednesday, December 12th, 2007

Got blocked from your blog, or other Bad Behavior equipped software? Update it. I got word that my wiki didn’t work, and went looking for an explanation when I couldn’t even log in myself. Here’s the writeup from the creator of Bad Behavior:

Upgrade to 2.0.11

Gadi on the decline of spam

Saturday, December 8th, 2007

Gadi Evron wrote about the decline of certain types of spam, and the reasons for this.

He told me about those neighbors of his a long time ago, but would never say who they were. I’ve always wondered if they were the same who used the pinapple proxy software, who I mistook for the Bulgarian twins for a long time.

Here’s his article:

Taking down spammers: Successful spam fighting via legalization, regulation and economics

I’ve noticed lately that there’s more spam dealing with subjects we never saw before. Spam is branching out. It’s like Jason D said a long time ago: he’d hate for spam to be used to sell cat food. I’m afraid we’re about there now.

Fake myspace video comment

Tuesday, December 4th, 2007

I got a comment for approval on my Myspace profile. It was posted today.

The video looked like it might contain porn. I wouldn’t approve that, but I thought, what if I’m wrong? I mean, few of the visitors to my profile would be stupid enough to post a porn video to it, and certainly not the gentleman who posted it.

So I clicked on it. It loaded normally at first, and then I noticed the page got dark, and up popped a message from Myspace Firefox saying it’s a “Suspected Web Forgery”.

Screen capture

Looking at it more closely, it’s pretty obvious. The URL contains Myspace in it - misspelled, and a few more letters, and it’s asking me to log in - a page that looks completely like a real Myspace page.

Clicking on “Get me out of here!” took me to Google.

But the guy who sent me that comment obviously got hacked, so somehow, the bad guys got past his defenses.

The whois and hosting is in China.
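Both phishing lures on this page share two tells: in the Spanish mail the link text showed one address while the href went somewhere else (to an .exe in a forum's docs folder), and in the MySpace comment the login page sat on a hostname that merely contained a misspelled "myspace". The following Python is an added example written for this page, not code from the blog or from Firefox's forgery filter. It checks anchors for both tells plus a direct executable download. The sample mail and comment, the hostnames in them (example-forum.net, banco-example.es, myspacce-profiles.cn), the BRAND_DOMAINS table and the one-typo threshold are all my constructions and assumptions.

```python
"""Flag deceptive links in an HTML e-mail or comment.

Two checks drawn from the posts above:
  1. the anchor's visible text looks like a URL, but the href goes to a
     different registrable domain (the Spanish phishing mail);
  2. a hostname contains, or is one typo away from, a brand name while not
     being on that brand's own domain (the misspelled MySpace login page).
Plus one more: hrefs that hand you an executable straight away.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand table for this example; a real deployment keeps its own list.
BRAND_DOMAINS = {
    "myspace": {"myspace.com"},
    "phpbb": {"phpbb.com"},
}

def registrable_domain(host):
    """Last two labels of the host. Crude (wrong for co.uk and friends);
    use the public suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def levenshtein(a, b):
    """Edit distance, used to catch one-letter misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host):
    """Brand whose name is embedded in, or one typo away from, a label of
    host that is not on the brand's own domain; None if nothing suspicious."""
    host = host.lower()
    reg = registrable_domain(host)
    for brand, domains in BRAND_DOMAINS.items():
        if reg in domains:
            continue
        for label in host.replace("-", ".").split("."):
            if brand in label or (len(label) >= 5 and levenshtein(label, brand) <= 1):
                return brand
    return None

def host_of(s):
    """Hostname of a URL; also accepts bare 'www.host.tld/path' link text."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def check_link(href, text):
    """Reasons this anchor looks deceptive; an empty list means it looks fine."""
    reasons = []
    h = host_of(href)
    if not h:
        return ["href has no host"]
    if "." in text and " " not in text:            # visible text is itself a URL
        t = host_of(text)
        if t and "." in t and registrable_domain(t) != registrable_domain(h):
            reasons.append(f"text shows {t} but href goes to {h}")
    brand = lookalike_brand(h)
    if brand:
        reasons.append(f"'{brand}' lookalike in hostname {h}")
    path = urlparse(href if "://" in href else "http://" + href).path.lower()
    if path.endswith((".exe", ".scr", ".pif")):
        reasons.append(f"link downloads an executable: {path}")
    return reasons

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scan_html(html):
    """[(href, text, reasons)] for every anchor in the document."""
    p = LinkCollector()
    p.feed(html)
    return [(href, text, check_link(href, text)) for href, text in p.links]

# Constructed samples (all names made up): a lure like the Spanish mail, whose
# displayed URL differs from the real target and whose target is an .exe in a
# forum's docs folder, and a comment like the MySpace one, pointing at a
# misspelled lookalike next to a genuine myspace.com link.
SAMPLE_MAIL = ('<p>Estimado cliente, ingrese aqui: <a href="http://www.example-forum.net'
               '/forum/docs/login.exe">www.banco-example.es/ingreso</a></p>')
SAMPLE_COMMENT = ('<a href="http://www.myspacce-profiles.cn/login.php">Check out this video!</a> '
                  '<a href="http://www.myspace.com/profile">my real profile</a>')

if __name__ == "__main__":
    for doc in (SAMPLE_MAIL, SAMPLE_COMMENT):
        for href, text, reasons in scan_html(doc):
            print(href, "|", text, "|", reasons or "ok")
```

The substring test catches "myspace" padded with extra letters; the edit-distance test catches the single-letter misspelling, which is the variant the comment used. Both only fire when the registrable domain is not the brand's own, so real myspace.com links pass.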

216.195.58.20

Saturday, December 1st, 2007

A referrer spamming bot that was active through most of November, and had its last recorded hit December 1st, is:

216.195.58.20

It resolves to dns237.3fn.net, which is a known entity around here. We’ve had a lot of porn coming from customers on there. Check a Google search for it on my site to see details. But the IP block belongs to APS Telecom in Portland. However, the abuse section is from 3fn, and it’s a pretty big IP block.

This outfit has been referrer spamming for some digg stories that have been removed by now.

There’s some spam to a University forum post that’s been hijacked by a method I’ve never seen before. The spammy site is placed within a cell in a table! The site is top7.biz, which is also registered with ESTdomains, and has DNS at f3n.net. The next hop is findroll.com, which is registered at Register Services, which has a calling code belonging to Estonia. The DNS servers are again from 3fn. The next hop goes through 216.195.44.106, which is also at 3fn. The link is encrypted, and goes through lightask.com or goclick.com and affiliatetracking.com

The latest spam is for sites ending in .ua, and is in Russian, so I gave that a miss.

USERAGENT

Saturday, December 1st, 2007

Sometimes you just have to laugh.

I got visits from this joker November 15-27:

195.225.177.190 - - [27/Nov/2007:10:50:35 -0600] "POST /2005/04/07/trackback-run-expected/trackback/ HTTP/1.1" 403 246 "" "USERAGENT"
195.225.176.177 - - [27/Nov/2007:11:00:40 -0600] "POST /2005/04/08/mathematics-trackbacks/trackback/ HTTP/1.1" 403 246 "" "USERAGENT"

You should not feel bad for firewalling all of Netcathost. I see a lot of bad there, and so far no good. If you don’t agree, comment below.

195.225.176.0 - 195.225.179.255

James Friesen reports on the same bot in October.

It’s possible the bots are no longer on those IP numbers, since I can’t find any newer spam from them.
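To turn the log lines above into something a log filter can act on, here is an added Python example (mine, not the blog's or any tool's): it parses Apache combined-log lines, flags trackback POSTs with an empty referrer and a placeholder User-Agent, checks the client against the 195.225.176.0 - 195.225.179.255 range quoted above, and emits the iptables rule for firewalling it. The first two sample lines mirror the two in the post; the other two, with RFC 5737 documentation addresses and made-up agents, are constructed to show a crawler and a genuine trackback passing through untouched.

```python
"""Pick the trackback-spam bot out of Apache combined-log lines and produce the
firewall rule for its network.

Signals, all taken from the log lines in the post: a POST to a */trackback/
URL with an empty referrer, a placeholder User-Agent (the literal string
"USERAGENT"), and a source address inside 195.225.176.0 - 195.225.179.255.
"""
import ipaddress
import re

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The range quoted in the post, collapsed to CIDR blocks (here exactly one /22).
NETCATHOST = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("195.225.176.0"), ipaddress.ip_address("195.225.179.255")))

# Agents that are obviously a placeholder rather than a real client.
BOGUS_UAS = {"", "-", "useragent"}

def in_blocklist(ip):
    """True if ip falls inside any of the NETCATHOST blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETCATHOST)

def classify(line):
    """(ip, [reasons]) for a parsable line, None for one that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    reasons = []
    if (f["method"] == "POST" and f["path"].rstrip("/").endswith("/trackback")
            and f["referer"] in ("", "-")):
        reasons.append("trackback POST with no referrer")
    if f["ua"].strip().lower() in BOGUS_UAS:
        reasons.append(f"placeholder user-agent {f['ua']!r}")
    if in_blocklist(f["ip"]):
        reasons.append("source inside Netcathost 195.225.176.0/22")
    return f["ip"], reasons

def scan(log_text):
    """Lines with at least one signal, as (ip, reasons)."""
    hits = []
    for line in log_text.splitlines():
        r = classify(line)
        if r and r[1]:
            hits.append(r)
    return hits

def firewall_rules():
    """iptables DROP rules, one per Netcathost block."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in NETCATHOST]

# Sample log (constructed): the first two lines mirror the ones in the post;
# the last two use RFC 5737 documentation addresses and made-up agents.
SAMPLE_LOG = """\
195.225.177.190 - - [27/Nov/2007:10:50:35 -0600] "POST /2005/04/07/trackback-run-expected/trackback/ HTTP/1.1" 403 246 "" "USERAGENT"
195.225.176.177 - - [27/Nov/2007:11:00:40 -0600] "POST /2005/04/08/mathematics-trackbacks/trackback/ HTTP/1.1" 403 246 "" "USERAGENT"
203.0.113.5 - - [27/Nov/2007:11:02:11 -0600] "GET /2005/04/08/mathematics-trackbacks/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.7 - - [27/Nov/2007:11:05:00 -0600] "POST /2005/04/07/trackback-run-expected/trackback/ HTTP/1.1" 200 120 "http://blog.example.org/2007/11/a-reply/" "WordPress/2.3; http://blog.example.org"
"""

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
    print("\n".join(firewall_rules()))
```

Each of the three signals is weak on its own (a real blog's trackback ping carries a referrer and a WordPress agent, as the fourth sample line shows), but the two bot lines trip all three, which is the combination worth blocking on rather than any single one.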

If you search for one of those IP’s, you get spam with this whois, which appears fake:

Ferdinand
Ferdinad Stalevsk        (ferdinand@hotfunspace.com)
8 Trinity Terrace
Weymouth
Maryland,54442
US
Tel. +1.567456765

The root of the site is a failed WordPress install, so I’m wondering if the site really does belong to the fake whois, and that it’s not a “free subdomain”. Also, it’s registered with ESTdomains… But the same bot also spamvertized some sites on freewebs.com, and a random check found a subdomain that was yanked for abuse.

The payoff on hotfunspace is Google Adsense: pub-1388391656005128