Archive for the 'Comment spam' Category

Spammer Bruce Shaw

Monday, August 14th, 2006

I don’t often proclaim someone to be a spammer right out. But this is either a spammer, or he’s been revenge spammed.

Bruce C. Shaw
3765 W 4600 S
Roy, Utah 84067
US
801-731-7648

Why? I just got referrer spam for his website yourbesttrafficsource.com. You know, one of those cleverly worded websites that promises traffic to your website, and doesn’t say a word about what you ACTUALLY have to do to get that traffic. I just have to assume spamming comes into it somewhere, since he has to resort to spamvertizing his site to get that traffic, right?

IP: 65.100.197.196
User agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
- now that is most likely a fake user agent!

Heh, even the IP is from Utah, on Qwest!

And since I was nosing around, I found comment spam from the end of July.

You’ve been a very bad boy, Bruce! Let’s see how Qwest likes having a spammer for a customer.

Disclaimer: Of course, it’s possible Bruce’s neighbor got irritated and referrer spammed his site, but that’s a whole lot of maybes, so let’s see if Qwest agrees it’s him.

Trustrank by Yahoo

Saturday, August 12th, 2006

Yahoo has announced something they hope will counter webspam:

Yahoo!’s Trustrank Approach To The Spam Problem

How about some of you smart guys poke some holes in it?

I’ve got one: Expired domains. There’s already a rush on them, and with this, it might get even worse.

The upload spammer

Sunday, August 6th, 2006

Webspam is constantly evolving. A while ago a spammer told us spammers had long since moved on from what we anti-spammers were writing about. That webspam had moved on from comment spamming blogs. And I was sure he was right. What I’m seeing now is the newbies spamming my blog. The spammers who don’t yet know what they’re doing, for the most part, with a few comment spammers who rely on inventive wording thrown in.

Today I’ve been on the trail of a spammer who’s constantly trying new things. He’s been at this for a long time. Eugene Blagodarny (some of you are no doubt tired of my talking about him). Lately he’s been using upload scripts to place spammy pages on otherwise clean sites. Not links to spammy pages, but regular throwaways that redirect to his money sites or his affiliate links. There might be other spammers doing the same thing, I just haven’t found their trails yet.

And this guy is using any upload script he can find. He’s not just searching for specific types of scripts. In one case I confirmed that he misused a custom written script that was used on ONE website.

In addition to any upload script he can get to accept his HTML pages (usually with .htm extension), he’ll leave comments or user profiles anywhere his javascript redirects will work. Some of his favorites are HyperNews (comments), Twiki (user profiles) and SnipSnap (user profiles with uploads). He’s also (I assume) signed up for user accounts at CompuServe in Germany.

He then comment spams other websites with links to his upload pages and redirect enabled comments, in order to get them into search engines. They’re often hidden on the websites he’s uploaded them to, so he needs to get them linked by other means.

What does all this mean?

If you’ve got a website that has an upload script that accepts HTML files, you need to be alert. Either recode it so it doesn’t accept HTML files and check a good admin interface for new uploads every day, or remove the script altogether. Another possible option, if you haven’t been targeted yet, is to add a robots.txt file that bans search engine indexing of the directories your uploaded files are deposited in.

If you’ve got an interactive script on your website, make sure it doesn’t allow javascript redirects. That includes old scripts for guestbooks, forums etc.

If you’ve got a free website service, such as free homepages, free blogs, free groups, free forums, you need to recode those services so javascript redirects won’t work. Disabling iframes and frames pointing to somewhere else would also be proactive. I know of at least one free webhost who runs scripts every night, looking for certain keywords that spammers tend to use, and then disabling pages en masse. Identifying obfuscated redirects would also help you remove other sites with those redirects on them.

Nuke redirect code

Saturday, August 5th, 2006

While looking at HyperNews misuse, I started thinking. How would an owner of a HyperNews site nuke all the comments with redirects?

A script that looks for common redirect code would get a lot of those comments, providing the template doesn’t contain that type of code. On the other hand, HyperNews is dead. It’s too hard to keep up these days. Spammers will just pump out the comments without checking for admins who clean their installations. So the only logical step is to remove the software altogether.

But, owners of free blogs and free websites, should definitely scan for redirect code. And remember that the moment you remove sites containing one type of code, the spammers will try and outwit you. So it’s an arms race, all the way.
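A scanner for the two checks the upload advice above and this post call for: refusing HTML uploads, and finding common (including escaped) redirect code in pages or comments. This is an added example, not the blog’s own code; the patterns, the wiki.example.org host name and the sample pages are constructed for illustration.

```python
import os
import re
from urllib.parse import unquote, urlparse

# Redirect tricks planted in comments and uploaded .htm files; off-site frames are checked separately.
REDIRECT_PATTERNS = {
    "meta-refresh": re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I),
    "js-location": re.compile(r'\b(window|document|top|self)\.location\b'
                              r'|\blocation\.(href|replace|assign)\b', re.I),
    "js-obfuscation": re.compile(r'\b(unescape|eval|String\.fromCharCode)\s*\(', re.I),
}
FRAME_SRC = re.compile(r'<i?frame\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
HTML_EXTENSIONS = {".htm", ".html", ".shtml", ".xhtml"}

def is_html_upload(filename: str, head: bytes) -> bool:
    # Refuse by extension, and also by content: a renamed file may still be served as a page.
    if os.path.splitext(filename.lower())[1] in HTML_EXTENSIONS:
        return True
    sample = head[:1024].lstrip().lower()
    return sample.startswith((b"<!doctype", b"<html", b"<script", b"<meta")) or b"<script" in sample

def deobfuscate(text: str) -> str:
    # Undo the cheapest hiding tricks (%xx, \xNN, \uNNNN) so a redirect wrapped in
    # document.write(unescape(...)) is matched by the same patterns.
    text = unquote(text)
    text = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r'\\u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), text)

def find_redirects(text: str, own_host: str) -> list[str]:
    # Return the sorted names of every redirect technique found in one page or comment.
    decoded = deobfuscate(text)
    found = {name for name, pat in REDIRECT_PATTERNS.items()
             if pat.search(text) or pat.search(decoded)}
    for url in FRAME_SRC.findall(text) + FRAME_SRC.findall(decoded):
        host = urlparse(url).hostname or ""
        if host != own_host and not host.endswith("." + own_host):
            found.add("frame-to:" + host)
    return sorted(found)

# Constructed samples: one legitimate user page and three planted redirects.
SAMPLES = {
    "clean.htm": "<html><body><h1>My page</h1><p>See the location map.</p></body></html>",
    "refresh.htm": '<meta http-equiv="refresh" content="0;url=http://example.invalid/pills">',
    "escaped.htm": "<script>document.write(unescape('%3Cscript%3Ewindow.location%3D"
                   "%22http://example.invalid%22%3C/script%3E'))</script>",
    "frame.htm": '<iframe src="http://example.invalid/offers" width="1" height="1"></iframe>',
}
def scan_samples(own_host: str = "wiki.example.org") -> dict[str, list[str]]:
    return {name: find_redirects(html, own_host) for name, html in SAMPLES.items()}
```

Run it nightly over the upload directory and the comment store; anything with a non-empty finding list is what the post suggests deleting.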

And if you’ve got a website with any kind of interaction: The spammers will find a way to use your scripts against you. So you need to stay vigilant and monitor everything. Don’t want to monitor anything? Remove all the interactive stuff, and stick to clean HTML. OK, CSS might work, but php and cgi is out. While you’re at it, you should move to a dedicated box… ;-)

Seriously, the cutting edge is way beyond guestbook spam by now. It’s high time we rethink our old methods for combating webspam. They just don’t work.

Update: Check out Google Groups spamvertizing of HyperNews spam. Don’t know what the point is, unless Googlebot spiders links in their groups. But there it is anyway.

Uploading scripts need to be removed

Saturday, August 5th, 2006

Eugene Blagodarny has started using uploading scripts as means of turning regular clean websites into spammy websites.

Here’s an example (that will hopefully be removed soon) of his handiwork:

m4l.berlios.de/pub/Main/MarkusMerk/

He likes using the username MarkusMerk.

But the problem goes deeper. Any file upload facility needs to be turned off unless you’re able to monitor daily (wikis that aren’t too busy might be able to keep it a little longer. Mediawiki also seems immune - doesn’t like html files). Upload facilities are often part of wikis, forums and content management systems that support communities. The SnipSnap blog software is especially vulnerable.

And HyperNews needs to be removed altogether. It’s a forum-like script, with articles that can be commented on. It allows javascript redirects, and Eugene has been turning any installations into spam heaven for a while now. I notified the creator of the script of the problem a few weeks ago. So far no response.

Russian girls

Friday, August 4th, 2006

Lately there’s been an influx of comment spam from Russian girls seeking to date men from other countries. They often complain of not having a credit card, and thus not being able to use a dating site.
I often receive several copies of the same spam, and there are new variations daily. Normally there’s no link, just an e-mail address. And lately that e-mail address has even been munged to avoid being harvested by spambots.
Although there are lots of Russian girls seeking to meet foreign men, you’re more likely to get scammed if you get involved with one of these.

You see, there’s a subculture where men (yes, men) pretend to be Russian women seeking men. They chat up anyone who responds, and after a while announce that they want to visit the man. Problem is, they don’t have enough money for the ticket. So if the man could please send them enough money for the ticket? Or part of the cost.

It’s a scam. Pure and simple. The same type of scam even hit the front pages of Norwegian tabloids, when a Danish magazine investigated a Norwegian scammer who took Danish men for a ride - the exact same scam. The same picture, with different names and locations, had been placed on a dating service, and the respondents were men. Yup, it happens.

I first saw this scam in operation when I saw spam addressed to a defunct address coming through my mail server at work. A girl who said she’d noticed this gentleman online, and was bold enough to e-mail him. I realized this had to be fake. That it HAD to be spam, and checked to see what the scam might be. The news is, that now the scammers are moving from e-mail to blogspam. And this is not traditional webspam. It’s aimed at the owners of the blogs, and the visitors of the blog.

So guys, PLEASE delete those messages from your blog, and please don’t fall for the scam!

I was looking for links explaining the scam. Not that easy to find. These seemed relatively clean: Delphi FAQs: Dating Scams, Russian Women Black List. Update: Found this link: Russian Tea Room (thanks Dave, for the link)

And now for the technical stuff. I’ll tackle some of the many spams I’ve received, and see what I can glean from the technical end.

The first spams I received were the work of a Russian speaking hacker gang. The same gang who offered mail lists they stole from dating sites. And they’ve offered their services for spamming forums etc. It’s their MO, and it was so unique in the beginning, there was just no doubt it was them. I’m guessing they spam for themselves as well as customers. And who knows if the dating spam is for them or customers. No way to know right now.

Back then, and even today, the comments always have the same user agent, and it’s a bot - not a person browsing:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

The IP addresses are from all over. Italy, France, USA, Ukraine, Russia.

The first few messages related to this scam, were a few comments with women saying they were photo models (around June 17), with links to websites. I’m guessing that didn’t bring the desired results, so the next permutation was an invitation to a Russian dating site (June 23). Same site, different subdomain (free website service, both pages are now gone). The first message directly from an alleged Russian woman that I noticed, was July 11.
Their favorite posting place is this post (by my estimate, currently the most spammed post on my site):

I deleted my guestbook today

Inventive spams

Friday, August 4th, 2006

Comment spammers are getting more and more inventive. The “quality” of the spams has gone up recently. And now it’s so common, the value of warning bloggers overrides the risk of educating spammers:

Any time you receive a comment that seems on topic, or seems personal, you need to check the link included. If it’s spammy or commercial in nature, chances are, it’s spam. Don’t approve it.

Some of the really clued in bloggers have stopped including their link if they write a controversial comment, to avoid being dubbed as spammers (I assume). Especially if commenting on a blog where they’re not regulars.

So guys, be careful out there.

I’ve received questions about my opinion of the events in the Middle East. I’ve also received an offer of moderating my forum. Never mind the “forum” is actually a blog. I’ve received compliments on my blog. On the color scheme, on the navigation. I’ve received complaints about the same thing.

It’s all spam…

Glen McCausland turns to webspam?

Friday, July 28th, 2006

Glen McCausland is on ROKSO. Well known mail spammer, in other words.

He just comment spammed my blog.
Or, that’s what a comment spammer wants me to believe. 34 times from the same IP number. Blank referrer and user agent.
Here’s the spam:

Author : search engine ranking (IP: 65.98.40.122 , bucky.hdllc.net)
E-mail : rogertide@somtow.org
URI : searchenginepro.biz
Comment:
Hi My Friend,

This site is very nice. I am new to computers and blogs and am just
looking what is out there, to get ideas for my own site someday.
search engine ranking

Best Regards,
jean

Here’s the whois info:

Domain Name: SEARCHENGINEMASTER.BIZ
Registrant Name: Glen McCausland
Registrant Address1: 8591 S Rock Pt
Registrant City: Floral City
Registrant State/Province: FL
Registrant Postal Code: 34436
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.3526971849
Registrant Email: pre111@earthlink.net

The phone number is legit, BTW.

I wonder, did he move over to webspam or branch out to webspam? Or is this one red herring? Enquiring minds want to know. And I’m sure the good people at the webhost will want to know how to get the spamming script off their server!

Brian McWilliams at Spam Kings tracked down some stuff Glen did years ago, and he noted that Glen tended to like using pre111 e-mail accounts. Hmmm, so, the whois info might be legit? Also, on this ROKSO page, this exact e-mail address is mentioned. So it does appear like Glen is in control of the domain spamvertized.

Also, the forum connected to the spamvertized site has a username: bigmac2000. Site admin. Now that sounds an awful lot like a username Glen would like, eh? And from one post where he explains this, the program he’s hawking is a webspam program. It’s that simple. Look for yourself:

backlinkmaster.14.forumer.com/viewtopic.php?t=8

I’m starting to entertain the thought our mailspammer has found a new racket?
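Triage logic for the patterns described in this post (34 comments from one IP with blank referrer and user agent) and in the Russian girls post (the same text arriving from scattered IPs, and a fixed bot user agent). This is an added example, not the blog’s own code; the thresholds and the batch of comments, built on documentation IP ranges, are constructed for illustration.

```python
import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Comment:
    ip: str
    user_agent: str
    referrer: str
    author: str
    body: str

FLOOD_THRESHOLD = 10   # this many comments from one IP in a batch is a script, not a reader
DUP_IPS = 3            # identical text from this many distinct IPs is a distributed bot
KNOWN_BOT_UAS = {"PussyCat 1.0, Murzillo compatible"}   # user agent seen in this blog's logs

def fingerprint(body: str) -> str:
    # Normalise case and whitespace so trivially edited copies still collide.
    return hashlib.sha1(" ".join(body.lower().split()).encode()).hexdigest()

def triage(comments: list[Comment]) -> dict[int, list[str]]:
    # Map the index of every suspicious comment to the list of reasons it was flagged.
    per_ip = Counter(c.ip for c in comments)
    ips_per_body = defaultdict(set)
    for c in comments:
        ips_per_body[fingerprint(c.body)].add(c.ip)
    flagged: dict[int, list[str]] = {}
    for i, c in enumerate(comments):
        reasons = []
        if per_ip[c.ip] >= FLOOD_THRESHOLD:
            reasons.append(f"ip-flood:{c.ip}")
        if not c.user_agent and not c.referrer:
            reasons.append("blank-ua-and-referrer")
        if c.user_agent in KNOWN_BOT_UAS:
            reasons.append("known-bot-ua")
        if len(ips_per_body[fingerprint(c.body)]) >= DUP_IPS:
            reasons.append("same-text-from-many-ips")
        if reasons:
            flagged[i] = reasons
    return flagged

# Constructed batch (documentation IPs): one real reader, a single-IP flood, a spread-out run.
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
SAMPLE = [Comment("203.0.113.5", "Mozilla/5.0 (X11; Linux)", "http://blog.example/post", "Dave", "Thanks for the link!")]
SAMPLE += [Comment("192.0.2.7", "", "", "search engine ranking", "This site is very nice.") for _ in range(12)]
SAMPLE += [Comment(f"198.51.100.{n}", IE6_UA, "", "Natasha", "I have no credit card, write me at my e-mail.")
           for n in range(1, 5)]
SAMPLE.append(Comment("203.0.113.9", "PussyCat 1.0, Murzillo compatible", "", "mp3", "Free MP3s here."))
```

The single-IP flood is caught by volume and blank headers, the scattered run only by its repeated body, which is why one rule alone is not enough.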

PussyCat 1.0, Murzillo compatible

Thursday, July 20th, 2006

Yeah, that’s the user agent that submitted to a mailform, webspam style.

Apparently some spammers don’t really check if a form has mail or web output. Just spray and pray.

And that same user agent was in my logs at spamhuntress as well.

The spammer is into both MP3’s and porn, and (apparently) tends to use his own domains in such a way they seem like throwaway subdomains.

whois:

Domain ID:D125776928-LRMS
Domain Name:HOTTTY.ORG
Created On:12-Jul-2006 11:33:59 UTC
Last Updated On:13-Jul-2006 12:16:09 UTC
Expiration Date:12-Jul-2007 11:33:59 UTC
Sponsoring Registrar:Direct Information PVT Ltd. (R27-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:DI_3491768
Registrant Name:Danny Havard
Registrant Organization:none
Registrant Street1:St. Joseph St. 57 9
Registrant Street2:
Registrant Street3:
Registrant City:PHILADELPHIA
Registrant State/Province:PA
Registrant Postal Code:19144
Registrant Country:US
Registrant Phone:+1.2157422573
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: admin@xlists.org

Update:

Now THAT was quick? Just hours after I post this, I get a post to the same script, same MO, but different user agent? Hmmm, spammer reads my blog?

From mailspam to webspam?

Wednesday, July 19th, 2006

A NewsFactor story claims that more and more spammers are abandoning mail spam in favor of webspam, social networking and IM spam.

We were asking exactly this question at the EU Spam Symposium. Would a webspammer graduate to mail spamming? Would a former mail spammer shift his focus to web spamming?

My gut feeling was that it’s more likely a mail spammer will move on to web spamming than the other way around. I’ve so far been unable to show a concrete example of a webspammer becoming a mail spammer. I have seen plenty of examples of earlier reported spam from a guy I’ve identified as a web spammer, though. Often rather sophomoric mail spam, actually.