Archive for the 'Comment spam' Category

Gadi on the decline of spam

Saturday, December 8th, 2007

Gadi Evron wrote about the decline of certain types of spam, and the reasons for this.

He told me about those neighbors of his a long time ago, but would never say who they were. I’ve always wondered if they were the same ones who used the pinapple proxy software, whom I mistook for the Bulgarian twins for a long time.

Here’s his article:

Taking down spammers: Successful spam fighting via legalization, regulation and economics

I’ve noticed lately that there’s more spam dealing with subjects we never saw before. Spam is branching out. It’s like Jason D said a long time ago: He’d hate for spam to be used to sell cat food. I’m afraid we’re about there now.

Spam at Youtube

Sunday, October 7th, 2007

I’ve seen the first instance of spam at Youtube. I have an account there, with comments pre-moderated. I got an e-mail that someone had commented on a video and checked it out.

It was from krystalt355, who’d registered her account the day before, and was trying to promote something:

Rate girls online at collegeboobies dot com

The site is hosted in Boca Raton in Florida, spam capital in the US. Note that the spam is not geared towards Google. This is an attempt at reaching the people who view the videos on Youtube, not to get a search engine boost. And the site itself appears to have been online since 2004.

Whois:

OMI
OM I (omitraffic@gmail.com)
6628015828
Fax: none
POBox224
Oxford, MS 38655
US

ns1.sirbooty.com
ns2.sirbooty.com

Creation date: 20 Apr 2004 14:55:39
Expiration date: 20 Apr 2008 14:55:39

I also noticed that Youtube has a button you can press in order to mark something as spam. And it’s possible for me as a logged-in user to mark someone else’s comment as spam. But it appears as though the spam still persists; it’s just hidden for me as a user. If I check the same page in a browser that isn’t logged in, the spam is still there.

I found the same spam on metacafe.com (multiple comments on the same video), as well as some other spam with a similar MO.

Elegant fake comment

Tuesday, August 7th, 2007

I got one of the most elegant fake comments I’ve seen so far:

I couldn’t understand some parts of this article Coping with joe jobs, but
I guess I just need to check some more resources regarding this, because
it sounds interesting.

The comment is just a set text, with a variable for the title of the post. So they’re scraping that and inserting it into the text of the comment. Presumably they only send one comment per blog.

The domain they’re pushing is this:

vacation.myadventuretraveltours.com

When I loaded that address, I got an ad covering the whole page. Ads by adspopup. Looks like a deal where it’s covering the page, but there’s a close ad X there. But the page itself is typical spam content anyway.
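A moderation-side check for this kind of comment, as an added example that is not code from this blog: swap the post title for a placeholder and see whether the remaining text repeats across different posts. The record layout and the queue are assumptions; ids 2 and 3 are constructed, and since each blog may only see one copy, the queue is assumed to be pooled across posts or blogs.

```python
import re
from collections import defaultdict

def skeleton(comment, post_title):
    """Comment text with the post title swapped for {title}; "" if the title is absent."""
    words = post_title.split()
    if not words:
        return ""
    text = re.sub(r"\s+", " ", comment).strip().lower()
    # Match the title case-insensitively and across line wraps.
    title_re = r"\s+".join(re.escape(w.lower()) for w in words)
    text, hits = re.subn(title_re, "{title}", text)
    return text if hits else ""

def find_templates(comments, min_posts=2):
    """Map each skeleton seen on >= min_posts distinct posts to its comment ids."""
    groups = defaultdict(list)
    for c in comments:
        sk = skeleton(c["text"], c["post_title"])
        if sk:
            groups[sk].append(c)
    return {
        sk: [c["id"] for c in grp]
        for sk, grp in groups.items()
        if len({c["post_title"].lower() for c in grp}) >= min_posts
    }

# Constructed queue: id 1 is the comment quoted above; ids 2-3 are made up.
SPAM = ("I couldn't understand some parts of this article {}, but\n"
        "I guess I just need to check some more resources regarding this, because\n"
        "it sounds interesting.")
QUEUE = [
    {"id": 1, "post_title": "Coping with joe jobs",
     "text": SPAM.format("Coping with joe jobs")},
    {"id": 2, "post_title": "Coping with joe jobs",
     "text": "Coping with joe jobs is hard when the bounces hit your own inbox."},
    {"id": 3, "post_title": "Blogspam way worse",
     "text": SPAM.format("Blogspam way worse")},
]

if __name__ == "__main__":
    for sk, ids in find_templates(QUEUE).items():
        print(ids, sk)
```

Comment 2 also mentions the title but has its own skeleton, so only the repeated set text is reported.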

Project Honey Pot tracking comment spammers

Tuesday, April 24th, 2007

I just got an e-mail from Matthew Prince, the guy spearheading Project Honey Pot. They’ve just started tracking comment spammers. Here’s the announcement:

Project Honey Pot Begins Tracking Comment Spammers 

Looks like they’ve got more up their sleeve. I’ll be checking back tomorrow!

Compila’s client is major spammer

Saturday, January 20th, 2007

How is it possible for a webhost to NOT know one of their clients is spamming? Up to or even over 500 spam comments on my blog, per domain (4 domains).

That’s how it looks for Compila in the UK right now.

These are the domains:

revengemonkey.com
capuk.org
ukaiim.org
london-student.net

Blogspam way worse

Wednesday, November 29th, 2006

I’m still working on another project, so I haven’t had much time to keep up on approving posts. And then while that’s going on, comment spam is going through the roof. It’s more than doubled since I started that project.

Is it just here, or is this going on all over the place?

Pretty soon I’ll have to install some anti-spam software here. Handling it manually just isn’t an option anymore, even though I’ve got pretty extensive bad word filters.

Comments without links from spammers

Tuesday, November 14th, 2006

I’ve been getting a certain number of comments to one of my most spammed posts, and one other. They look like off-topic questions without any links whatsoever. But they bear the marks of a Russian spamming crew. The e-mail address is their signature.

Can anyone shed light on their motive?

I suppose it could be a test. It could be comment spam poison. But is it something less obvious? Like trying to get a few approved comments, in order to sail through the approval later on?

Anatomy of a manual spam

Saturday, October 21st, 2006

I got a comment to an old post that seemed fairly well on topic, but it had a “commercial” link, so I dug deeper. It’s a manual spam, meaning it was done with a browser, not a script.

He first came in from a Google search October 6, and left after checking out the post.
Query syntax:
Name (required) + Website + comments + blogs + office machinery

He came back October 21 after a Google search, and posted.
Query syntax:
Name (required) + Website + comments + blogs + fax machines

The text in the spam comment was this one:

One that has no comment spam (now) had 700+ comment spam entries before the plugin.

That sentence is lifted from an existing comment on that page and then used for the spam comment.

And the site was: shredderwarehouse.com

It’s kind of unusual for business sites to have whois protection, but this one does.

It’s on 68.178.184.239, which is ip-68-178-184-239.ip.secureserver.net. It appears that the IP has changed hands very recently. All the sites listed for it are on another IP by now.

It’s been spamvertized at least since August 30th. And it’s been spamvertized together with evision.com.pk, which is owned by someone in Pakistan. The spam I received also came from an IP in Pakistan. They’ve also spammed for flowergirldressforless.com, which wants people to think they’re based in California. There’s a mailbox rental company at that address, so they’re not really at the address listed in the whois. Their phone numbers are local to that area, though.

If I were to guess, I’d say it’s quite possible eVISION is a Black Hat SEO company that’s spamming for themselves as well as customers.

Massive spam campaign

Saturday, October 14th, 2006

I’ve received hundreds of spam comments from one outfit. They’re relatively easy to recognize:

* They send several hundred spam comments to the same blog
* Lots of nonsense domains with subdomains
* Just a few IP addresses used, all on Layeredtech
* The domains usually have DNS servers with the same domain name
* The whois info has Yahoo e-mail addresses and addresses in African-sounding countries
* They use open proxies for posting

There are some more characteristics that you can find for yourself. Basically, for now, the spam can be blocked, if you look at the logs or the database. But of course, the moment they figure it out, they’ll try and correct those, so let’s keep it quiet for now.

Once you get hit by this spammer, the best bet is to try and block them rather than cleaning your database later. Spam Karma probably zaps them, but if you’re using some other software, beware - do some .htaccess blocking sooner rather than later!

Another interesting factoid: I see several other types of spam comments with the same features. Not sure if we’re talking about the same software or the same spammer doing stuff for various parties or various spam sets.
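The listed traits can be checked against a held-comment queue before anything reaches the database. This is an added example, not the blog's own tooling: it assumes each held comment has already been annotated with the linked host, the IP that host resolves to, and one of its name servers, and it uses only three of the traits above. All records are constructed and use reserved example names and addresses.

```python
from collections import defaultdict

def registered_domain(host):
    # Assumption: naive "last two labels" rule; real use needs a public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def campaign_clusters(comments, min_comments=3, min_domains=3):
    """Group held comments by the IP hosting the linked site and return
    {site_ip: sorted registered domains} for groups that fit the pattern:
    many domains on one IP, links to subdomains, name servers under the
    same domain. Thresholds are sized for the small sample below."""
    by_ip = defaultdict(list)
    for c in comments:
        by_ip[c["site_ip"]].append(c)
    clusters = {}
    for ip, group in by_ip.items():
        domains = {registered_domain(c["link_host"]) for c in group}
        with_sub = [c for c in group if c["link_host"].count(".") >= 2]
        own_ns = [c for c in group
                  if registered_domain(c["ns"]) == registered_domain(c["link_host"])]
        if (len(group) >= min_comments and len(domains) >= min_domains
                and len(with_sub) * 2 > len(group)
                and len(own_ns) * 2 > len(group)):
            clusters[ip] = sorted(domains)
    return clusters

# Constructed sample: four campaign-style links on one hosting IP, one ordinary link.
HELD = [
    {"link_host": "pills.qxzvb.example", "site_ip": "192.0.2.10", "ns": "ns1.qxzvb.example"},
    {"link_host": "loans.wkrtp.example", "site_ip": "192.0.2.10", "ns": "ns1.wkrtp.example"},
    {"link_host": "casino.zzhjm.example", "site_ip": "192.0.2.10", "ns": "ns2.zzhjm.example"},
    {"link_host": "cheap.qxzvb.example", "site_ip": "192.0.2.10", "ns": "ns1.qxzvb.example"},
    {"link_host": "www.gardenblog.example", "site_ip": "198.51.100.7", "ns": "ns1.hostingco.example"},
]

if __name__ == "__main__":
    for ip, domains in campaign_clusters(HELD).items():
        print(ip, domains)
```

The hosting IPs it returns are the ones worth checking before writing block rules, since the posting IPs are open proxies and keep changing.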

Hard to spot spam

Tuesday, October 10th, 2006

I got this comment today. The content seemed fine, but I noticed a spammy-looking domain. Even when looking at the site, I had to view several pages to figure out there had to be a con somewhere. It was a cell phone site, and it looked as though it was built around a news feed of some sort.

K, let’s look at the comment:

Hi!
I have a TC1000 compaq pc tablet. I have had it for maybe a month now and
about a week ago i switched it on and the screen went blank and in the top
left hand corner it said ‘operating system not found’ and will not
proceed. I have tried everything i can think of and searched high and low
and cant fix it. Can anyone help, i really need to to work. Thanks and
have a good day!!!

Looks fine, right? Except if it’s a spam comment, you’ll find the exact same text somewhere else. So I looked, and found the original post - it was written in 2004!

And it was posted manually.
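Both this post and "Anatomy of a manual spam" come down to the same test: does the new comment reuse older text word for word? The following is an added example, not code from this blog, that checks a new comment against a corpus of earlier text (the same page's comments, or any archive of older posts you keep). The corpus layout and ids are assumptions, and the text around the lifted sentence is constructed.

```python
import re

def normalise(text):
    """Lower-case and collapse everything that is not a letter or digit to one space."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def long_sentences(text, min_words=6):
    """Normalised sentences of at least min_words words (short ones match too easily)."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [n for n in map(normalise, parts) if len(n.split()) >= min_words]

def lifted_from(new_comment, corpus, min_words=6):
    """Ids of corpus entries that contain a sentence of new_comment word for word."""
    wanted = long_sentences(new_comment, min_words)
    hits = []
    for entry in corpus:
        # Pad with spaces so a match cannot start or end in the middle of a word.
        body = f" {normalise(entry['text'])} "
        if any(f" {s} " in body for s in wanted):
            hits.append(entry["id"])
    return hits

# Constructed corpus: c12 embeds the sentence quoted in "Anatomy of a manual spam".
EARLIER = [
    {"id": "c12", "text": "I run three blogs. One that has no comment spam (now) "
                          "had 700+ comment spam entries before the plugin. Worth installing."},
    {"id": "c13", "text": "Thanks for the write-up, I will try the plugin this weekend."},
]
LIFTED = "One that has no comment spam (now) had 700+ comment spam entries before the plugin."
FRESH = "Does the plugin also handle trackback spam on older posts?"

if __name__ == "__main__":
    print(lifted_from(LIFTED, EARLIER))
    print(lifted_from(FRESH, EARLIER))
```

A reply that quotes an earlier comment will also match, so a hit is a reason to hold the comment and look at its link, not to delete it outright.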