Archive for the 'Bots' Category

Symantec crawling blogs?

Friday, March 4th, 2005

Etanisla is complaining about the bot
65.88.178.10

I’ve got a few sites, and tracked it across several. Only interested in blogs, and occasionally will hit other pages. My guess is they’re linked to from blogs somewhere.

It does HEAD on images.

And the IP number appears to belong to Symantec, if the address in the tracking info is correct.

Why does Symantec crawl blogs? No idea…

Bot listing all posts

Wednesday, March 2nd, 2005

Careless Thoughts uncovered a spammer about to begin.

A spammer tried listing all her posts. The trail eventually led back to Andy Hoffman, the guy behind tigerspice.

The IP number to block is
216.195.44.106

It’s associated with the webhost 3fn.net (try dig and see for yourself), whose DNS servers I’ve seen a few times associated with spammers, including really disgusting stuff.

I haven’t seen this one in my own logs, so block it now and hopefully miss the attack. BTW, notice how the user agent in CT’s logs matches Alexander’s. Don’t know if it’s a coincidence or not.

Update
I found something interesting. Another of Andy Hoffman’s domains is eddiereva.com
Turns out Yukkii owned it before.

Bot changes behavior

Saturday, February 26th, 2005

There’s a bot I’ve seen now and then, that I suspect of being bad. It’s been trying to GET my old B2 comments script on annelisabeth.com.

67.19.91.50
That’s a webserver at ThePlanet. But it’s managed to fool both whois.sc and webhosting.info into believing there’s no website at that address. So what’s it doing? If you access the IP address, there’s a Plesk desk served.

And it used to have the user agent:
Mozilla/3.0 (compatible; Indy Library)

But last night that changed. It started trying HEAD on the same file, but this time with this as the referrer:
http://Dmoz.org

That site is of course totally above reproach. Not owned by someone who’d be into spamming.

But I think the wielder of the bot intends to spam.

The user agent is now:
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
About as common as they get…

Anyway, this one should be blocked by IP number. I’ve found samples online of spam from that IP address going back to July 2004. I did manage to find some recently spammed stuff (February 20th), and the IP address of the site spamvertized is:
209.51.135.146
According to both lookups, that IP address only has one site on it.

But wait, there’s more!

This spammer also utilizes this server for hosting:
66.225.211.190
Once again, the lookups only find one site.

Hmmm, duplicate that a few times, and a picture begins to emerge: Virtual Private Server.
Which might mean you get your own IP address and your own server. Hmmm…
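The behavior change described in this post (same IP, same file, but a new user agent, a switch from GET to HEAD, and a referrer that was not there before) can be picked out of an access log automatically. The following is an added example, not code from the original post; the log lines are constructed, and the path `/old-comments-script.php`, the timestamps and the `192.0.2.44` visitor are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format. The IP address, user agents
# and referrer are the ones quoted in the post; the path, timestamps, status
# codes and the 192.0.2.44 visitor are invented for illustration.
SAMPLE_LOG = '''\
67.19.91.50 - - [25/Feb/2005:14:02:11 -0600] "GET /old-comments-script.php HTTP/1.0" 404 312 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.44 - - [25/Feb/2005:15:20:40 -0600] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; U; Linux i686; rv:1.7.5) Gecko/20041107 Firefox/1.0"
67.19.91.50 - - [25/Feb/2005:23:47:05 -0600] "HEAD /old-comments-script.php HTTP/1.0" 404 0 "http://Dmoz.org" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1"
192.0.2.44 - - [26/Feb/2005:08:01:13 -0600] "GET /index.php HTTP/1.1" 200 9120 "http://example.org/links" "Mozilla/5.0 (X11; U; Linux i686; rv:1.7.5) Gecko/20041107 Firefox/1.0"
'''

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"'
)
FIELDS = ("method", "referrer", "user_agent")

def behavior_changes(log_text):
    """Report clients that request the same path again under a new user agent.

    Returns {ip: [{"path", "seen", "changed": {field: (old, new)}}]}.
    A changed referrer alone is normal browsing and is not reported.
    """
    last = {}                      # (ip, path) -> fields of the previous request
    report = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # not a combined-format line
        key = (m["ip"], m["path"])
        cur = {f: m[f] for f in FIELDS}
        prev = last.get(key)
        if prev and prev["user_agent"] != cur["user_agent"]:
            changed = {f: (prev[f], cur[f]) for f in FIELDS if prev[f] != cur[f]}
            report[m["ip"]].append({"path": m["path"], "seen": m["ts"], "changed": changed})
        last[key] = cur
    return dict(report)

if __name__ == "__main__":
    for ip, events in behavior_changes(SAMPLE_LOG).items():
        for e in events:
            print(ip, e["path"], e["seen"], e["changed"])
```

Several people behind one proxy or NAT address can produce the same pattern, so a hit is a lead to check against the rest of the log rather than proof of a bot.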

The first bots to reach a new blog

Friday, February 25th, 2005

I thought I’d see which bots are checking out a brand new blog. A few pings have gone out to pingomatic, and it’s linked from my old blog, which pings a few services as well.

I see quite a few searching for technoratibot:
That one makes your posts available for bloggers. You can search for keywords and such.

Here’s what I found:

  • 216.52.237.214 with user agent: geourl/2.0b4 - http://geourl.org/bot
  • 198.87.83.123 with user agent: Syndic8/1.0 (http://www.syndic8.com/)
  • 213.239.211.101 with user agent: A2B Location-Based Search Engine (+http://www.a2b.cc)
  • 170.224.8.126 was seen on my old blog February 6th. But on this one it’s accessed with two different user agents: 1) libwww-perl/5.65 (which also checks robots.txt) 2) Java/1.4.2_06 goes straight for the feed, and then individual posts.
  • Alexander Morozov’s bot was one of the first to reach it. Block 69.50.170.122 before you bring a new blog live to hopefully avoid his trackbacks.
  • A human with a Firefox browser leaves the user agent Sage in one of the accesses - the feed.
  • 66.151.189.7 with user agent: Feedster Crawler/1.0; Feedster, Inc. Checks several different feed types
  • A human with Firefox leaves the user agent Straw/0.25.1 when fetching the feed
  • 216.148.212.180 with user agent: Bloglines/2.0 (http://www.bloglines.com). And subscribers clicking on links follow right behind.
  • A human sets up his feed software. User agent: NetNewsWire/2.0b25(Mac OS X; http://ranchero.com/netnewswire/)
  • Googlebot comes sniffing for the root and robots.txt
  • Raggle/0.3.1 (i386-linux; Ruby/1.8.2) comes for the feed. Unsure if this is a bot or a human.
  • My first referrer spam, I believe? 61.210.180.74 http://www.dela-grante.net/ and user agent: Mozilla/4.0 (compatible; MSIE 6.0)
  • 66.250.128.131 with user agent: ping.blo.gs/2.0 and referrer: http://blo.gs/ping.php
  • 64.26.171.196 with empty user agent. Two different feeds. It’s all over my old blog as well
  • 209.237.230.104 with user agent: Technoratibot/0.6
  • 205.147.9.200 with user agent: blogsnowbot (+http://www.blogsnow.com/bot.html)
  • A human comes with a Linux version of Firefox, then sends an aggregator back for the feed: Liferea/0.9.0b (Linux; fr_FR@euro; http://liferea.sf.net/)
  • Ask Jeeves/Teoma have been by

Phew! Quite a few bots and aggregators!

Already got the first master spambot visiting - WOW that was fast!

Thursday, February 24th, 2005

I went through Latest Visitors - couldn’t sleep tonight.

Found a user agent that looked like Alexander Morozov, and checked nslookup, it’s from esthost.

69.50.170.122

Date stamp: Feb 24 19:56:27 (I assume -6 time zone).

There’s a collection of other bots too. Even ones I never saw on annelisabeth.com. Might be because this one pings pingomatic?

UPDATE: I checked that IP number with the tool that finds websites associated with the IP number. None at all. Which is really bad news. It means that server does nothing but botting…