Florida comcast spammer
Thursday, June 30th, 2005
I got some comments on annelisabeth.com, and went after the spammer.
I’m not that much wiser, but at least I got the IP number spammed from, for your blocklists.
Here’s a guy who does a lot of linkspam, and releases an album under the same name.
As if it wouldn’t come back to haunt him some day?
Or, Pete Brag, as he’s known as a musician.
How do I know they’re one and the same? Same e-mail address as on the whois info…
A spammer once upon a time hit mainly forums. Maybe some forum owners subjected him to their wrath? So he decided to try some honey. Here’s the message he put at the top of his spams, lightly munged:
If you don’t need these messages at your guestbook, email us to abuse@mungedxxxxx.com.
Include your guestbook’s url and all your mirrors urls in the letter. Your website will be taken off our list in 48 hours.
His brand of spam is incest and bestiality, along with straight porn. So it should be common sense that most people wouldn’t want his “ads”.
I found some of his ads on a forum that had been long abandoned. Absolutely filled with porn and other spam. Including a redirect in the subject field of one of the spam posts.
Do me a favor. If you find a forum of that sort, send off an e-mail to someone in a position to remove the forum. The scripts are often Matt’s wwwboard or variants of it. That stuff should be banned! A forum for today is phpBB or Simple Machines (free ones), or Invision Power Board or vBulletin (paid ones).
I’ve been getting a lot of e-mails from my formmail script on nativecelebs lately. They look like probes to me. And they’re all from this IP:
62.213.73.92
ALLMP3Z.ru
So I thought I’d do a search for it, and found a guestbook spam:
rx-shop.info/vicodin-online
80.77.80.175
which is on ipipe/hqhost (remember them?)
I’ve also found numerous entries (with the dns name) in a guestbooklog, a few forum profiles with the link
The formmail attempts were all coming through my form page, so they might be manual attempts.
HTTP_ACCEPT=*/*
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Some of the other spammers have other weird headers, like this one:
204.186.159.229 - bess-proxy.csiu.org
HTTP_VIA=1.0 MAILSVRBACKUP
And they often just scan for scripts instead of going for the real (oddly named, and non standard code) script.
Anyway, I’ve got a honeypot script that catches quite a lot of fish. If you’re interested in one of your own, let me know. This one is incapable of sending mail, so the joke is on the spammers! I’ve got a trap on the real formmail script as well, just in case I catch something interesting.
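A sketch of a decoy form handler of the kind described above, added here as an example and not the author's own script: it records the request variables shown in the excerpts, never sends mail, and answers every submission with the same success page. The WSGI interface, the `record_hit`, `make_honeypot` and `sample_request` names, the HTTP_REFERER field and the sample request values are assumptions.

```python
import io
import json
from urllib.parse import parse_qs

# CGI-style request variables worth keeping, as in the excerpts above.
LOGGED_VARS = ("REMOTE_ADDR", "HTTP_ACCEPT", "HTTP_USER_AGENT",
               "HTTP_VIA", "HTTP_REFERER")
MAX_BODY = 16 * 1024  # never read more than this from a client

def record_hit(environ, log):
    """Parse one form submission and append it to log as a JSON line."""
    try:
        length = min(int(environ.get("CONTENT_LENGTH") or 0), MAX_BODY)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length).decode("latin-1") if length > 0 else ""
    entry = {name: environ[name] for name in LOGGED_VARS if name in environ}
    entry["path"] = environ.get("PATH_INFO", "")
    entry["fields"] = {k: v[0] for k, v in parse_qs(body).items()}
    entry["via_proxy"] = "HTTP_VIA" in environ  # request passed through a proxy
    log.append(json.dumps(entry, sort_keys=True))
    return entry

def make_honeypot(log):
    """Return a WSGI app that logs the submission and mails nothing."""
    def app(environ, start_response):
        record_hit(environ, log)
        start_response("200 OK", [("Content-Type", "text/plain")])
        # Same answer for every submission, so a probe learns nothing.
        return [b"Thank you. Your message has been sent.\n"]
    return app

def sample_request():
    """Constructed probe request; address and field values are made up."""
    body = b"recipient=probe%40example.net&subject=test&message=hello"
    return {
        "REQUEST_METHOD": "POST", "PATH_INFO": "/cgi-bin/formmail.pl",
        "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
        "REMOTE_ADDR": "192.0.2.10", "HTTP_ACCEPT": "*/*",
        "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "HTTP_VIA": "1.0 proxy.example",
    }
```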
Kelly McNeill got spammed by the Zaharievs.
He’s running PostNuke, which isn’t too easily cleaned at the moment. Understandably, he got irritated, so he sent (a very polite) e-mail to the support address at Moniker, their registrar.
And was very confused when he received a reply from Doris Young at tqiopi@yahoo.com. Magnetic Ink once sent an e-mail to the whois contact of one of the domains and got a reply from the same Doris Young, at the same Israeli IP address. She offered to have him removed from their list.
What confused Kelly was that the quoted text was from the e-mail sent to the registrar. Although he’d sent one e-mail to the spammer, it was different. We did some investigation, and the message ID of the message she replied to was from an e-mail sent to Moniker.
So what happened? You’ll excuse Kelly for believing the worst just about then. I tend to look for less dramatic possible explanations, and found one… possible:
When you bounce forward a message to a new recipient, the original message ID is preserved (at least my results show that), and the message that’s sent hardly shows any signs of having been received by someone else first. That option isn’t present in all mail programs (I haven’t seen it in Outlook Express), so we probably don’t see much of it these days. But it’s still in use in some programs, and probably by some early adopters (it was an easily accessible feature of Eudora 9 years ago).
So, barring any more …spectacular explanations, Moniker just bounce forwarded the abuse complaint to the spammer instead of even acknowledging having received the mail.
You see, Kelly, smelling a rat, called Moniker and demanded an explanation. And was told they’d never received that e-mail.
Hmmm, something to think about next time you write abuse…
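The check described in this post, matching the message ID a reply points at against the complaints you sent, written out as an added example (not code from the original post). All addresses, message IDs and message texts are constructed, and the `recipients` and `trace_reply` names are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample mail: two complaints that were sent, and the reply received.
SENT = [
"""From: reporter@example.org
To: support@registrar.example
Message-ID: <abuse-001@example.org>
Subject: Spam advertising a domain you registered

Please look into this domain.
""",
"""From: reporter@example.org
To: owner@spammer.example
Message-ID: <direct-002@example.org>
Subject: Stop spamming my site

Remove my site from your list.
""",
]
REPLY = """From: someone@freemail.example
To: reporter@example.org
Message-ID: <reply-777@freemail.example>
In-Reply-To: <abuse-001@example.org>
Subject: Re: Spam advertising a domain you registered

> Please look into this domain.
We will remove you from our list.
"""

def recipients(msg):
    """Lower-cased addresses from the To and Cc headers of a message."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields)}

def trace_reply(reply_text, sent_texts):
    """Find which sent message a reply answers and whether the replier was addressed."""
    reply = message_from_string(reply_text)
    refs = set((reply.get("In-Reply-To", "") + " " + reply.get("References", "")).split())
    replier = getaddresses([reply.get("From", "")])[0][1].lower()
    for text in sent_texts:
        sent = message_from_string(text)
        if sent["Message-ID"] in refs:
            rcpts = recipients(sent)
            return {"answers": sent["Message-ID"], "sent_to": sorted(rcpts),
                    "replier": replier, "replier_was_recipient": replier in rcpts}
    return None  # the reply does not reference anything we sent
```

A result with `replier_was_recipient` set to false means the complaint reached the replier through someone else, which is what a preserved message ID on a redirected message looks like from the sender's side.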
Gpshewan spotted this article on A Crank’s progress
This is a company looking to hire someone to hand spam their URL.
Might work, unless the site is spammy looking, and if the hireling is intelligent. But most aren’t.
I mean, let’s say you have a blog, and you find posts about your own topic. You comment, and include your URL. It isn’t spam, but it’s done ALMOST the same way. It does have a promotional value. Not in increasing link popularity. After all, most blogs have nofollow. But it generates posts about your blog, if your content is good enough.
Do I see that happening with an electronic greeting card company? Not unless it’s a fantastic product that is light-years ahead of everything else. Greeting cards are a dime a dozen. I mean, how many conversations are there about that topic? Not that many. I’d thunk viral marketing would work better by actually sending greeting cards to the hireling’s friends. If it’s good enough, they’ll start using it.
Anyway, I don’t see this kind of marketing working, unless it’s a non-spammy site. Non-spammy product. And having the CEO or a press relations professional doing it would help. Someone who’s recognizable as a public face for the company. Say, someone like Matt Cutts for Google, Tim Mayer for Yahoo. Some faceless hireling? Forget it…