Archive for the 'Guestbook issues' Category

Guestbook spammer litigation

Monday, August 14th, 2006

IrishVette proposes litigation against some guestbook spammers who’ve made trouble for her business.

Guestbook litigation 

This seems related to the post she’s commented on, so revisit the post and see if you want to compare notes or join in. Comment on the old post, not here.

The impersonating guestbook spammers have been caught

Thursday, May 11th, 2006

Michael Pollitt and The Guardian went looking for a guestbook spammer who misused the names of key anti-spammers (yes, he misused mine too). The kick is that the spammer used Michael’s e-mail address, and later added that of The Guardian as well. The result was a flood of guestbook posting acknowledgements, and some seriously irritated journalists.

The search culminated with the story today:

The Guardian:
On the trail of the spammers

Michael Pollitt’s blog: On the trail of the spammers

My gripe is that without media attention, it’s hard to get anyone to do anything about spammers. How about we target them one by one, and get their accounts with affiliate schemes forfeited?

Guardian on the trail of the guestbook spammer

Tuesday, May 2nd, 2006

The spammer who spammed in Michael Pollitt’s name (and incidentally he also misused my name, as well as those of many other anti-spammers) started misusing an e-mail address belonging to The Guardian. They didn’t like that one bit, and are now pursuing the spammer intensely, with success:

Guardian Unlimited: Technology

The thing is, I have this nagging feeling that the degree of success in having affiliate programs and hosting pull support for a spammer is directly proportionate to how famous you are, and how much public scrutiny you can bring to bear on them.

I think we need some more heavies on the warpath, preferably from having been revenge spammed by some clueless guestbook spammer!

An unwelcome guest of spam

Thursday, April 27th, 2006

Michael Pollitt is venting his frustration about the guestbook spammer who keeps using his name by doing what he does best - writing for newspapers:

Guardian Unlimited Technology | Technology | An unwelcome guest of spam

Block resolve.ru

Saturday, April 15th, 2006

Well, at least one IP from there:

72.232.92.138
138.92.232.72.reversedns.resolve.ru

Bled me for in excess of 72 megabytes, and most of it April 14th.

I saw it on April 7th and 12th, with a normal user agent and one with Snoopy v1.2.3. When Snoopy got blocked, it came back with a normal user agent within seconds, and started downloading.

And get this, he’s primarily interested in the guestbook-spam archive, downloading the same page over and over at one-second intervals. He’s also downloaded the feed for the Roy Giles page over and over, and then the picking on guestbook spammers page.

Hmmm, anything that has guestbook in the URL.

I’m guessing this is a guestbook spammer.

Block!

He occasionally tries Snoopy again.
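
The pattern described in this post (a client that is blocked as Snoopy, comes back within seconds under a browser user agent, and refetches the same page at one-second intervals) can be picked out of an access log automatically. The script below is an added example, not the blog author's code; it assumes Apache combined log format, and the log lines, IP addresses, paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip, timestamp, request, status, size, referrer, user agent.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample log: documentation-range IPs and invented paths, not real traffic.
SAMPLE_LOG = '''\
203.0.113.7 - - [14/Apr/2006:10:00:00 +0000] "GET /guestbook-spam/ HTTP/1.1" 403 311 "-" "Snoopy v1.2.3"
203.0.113.7 - - [14/Apr/2006:10:00:04 +0000] "GET /guestbook-spam/ HTTP/1.1" 200 51200 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [14/Apr/2006:10:00:05 +0000] "GET /guestbook-spam/ HTTP/1.1" 200 51200 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [14/Apr/2006:10:00:06 +0000] "GET /guestbook-spam/ HTTP/1.1" 200 51200 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.20 - - [14/Apr/2006:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Apr/2006:10:03:30 +0000] "GET /guestbook-spam/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
'''

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield e

def suspicious_clients(log, ua_window=30, repeat_gap=2, min_repeats=3):
    """Map each flagged IP to the sorted list of reasons it was flagged."""
    by_ip = defaultdict(list)
    for e in parse(log):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        reasons, run = set(), 1
        for prev, cur in zip(events, events[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            # Blocked (403), then back within seconds under a different user agent.
            if prev["status"] == "403" and cur["ua"] != prev["ua"] and gap <= ua_window:
                reasons.add("ua-switch-after-block")
            # Same URL fetched again and again at roughly one-second intervals.
            run = run + 1 if cur["path"] == prev["path"] and gap <= repeat_gap else 1
            if run >= min_repeats:
                reasons.add("rapid-repeat-fetch")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

A client flagged for both reasons is a better block candidate than one matched on user agent alone, since the user agent is the first thing such a client changes.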

I deleted my guestbook today

Wednesday, March 29th, 2006

That guestbook was moderated, so no spam actually got through. But even so, it was spammed to death. So much so I had no way of figuring out if any legitimate messages had been posted.

So, it’s gone. And good riddance!

Tarred with the same brush

Monday, February 27th, 2006

Update: The spam campaign resulted in a flood of e-mail to Michael Pollitt. The effect was like a mailbomb.

I got tipped about a guestbook spam campaign fraudulently using our names - Halz, Lemat, Michael Pollitt, Ann Elisabeth, Dirk, Paulo and others.

And I followed the trail. The first tip was that someone using the same IP numbers as the spammers had looked up the name Denis Basargin in my blog some time in February. So I kept that in mind as I continued tracking.

The URLs spammed led to blogs that had obfuscated javascripts redirecting to a specific URL on compays.com. If you checked the root domain, you couldn’t get any info. But when I checked the specific URL I got in the script, I was 301 redirected to 1-800-pills.com, which is owned by the spammer I identified as using the name Denis Basargin, a long time ago. Today, the same e-mail address is given for both the spam domain, and Denis’ main domain for his software. So we can be reasonably sure it’s the same person.

And in case you’re wondering, here are the IP numbers to his (no doubt leased) spambots:

85.255.116.178
85.255.116.179
85.255.116.180
85.255.116.181
85.255.116.182

The ethical spammer has something to tell me

Thursday, February 9th, 2006

I got this cute little message from a spammer today on my wiki:

I really think you should get a life . I bet you’re single and frustrated and decided to upset other people with your small insignificant existence . Just a thought from a spammer . Happy Valentine’s !

I love it when I get these little love notes. It shows me what I’m doing has some effect. The more personal the potshots, the more I think I’m on to something.

The IP number (195.175.37.55) was from Turkey, and a proxy. So I checked my logs. The joker didn’t try too hard to hide himself. The real IP address was easy enough to find:
86.120.197.66
That’s from Bucharest, Romania. And it’s been used to spam extensively in the past.

It’s known primarily from November last year, when he earned a lot of bans from wiki admins. He was into “invisible” wiki spam, and also left this cute message:

We leave content intact . We allow you to easily remove the additions
We respect your pages and appologize for the spam .
We are the Ethical Spammers group .
(this is an oximoron - two terms that are put together but are opposed meaning) .

Which means he’s the spammer known as Ethical wiki spammers.

He seemed to disappear shortly after November, so I tried to find more info.

Most of his spam back then was subdomains on rx-seote.com. That site throws up 403s for me at the moment.

But a subdomain on buy-quality-meds.info (also his, but made to look like throwaway domains) had a redirect to findrxdrugs.com that might look like an affiliate link to the uninitiated, which has this whois info:

Andrei, Calugaru design@websign.ro
Str. Cicero Nr 111
Bloc S11 Sc1 Ap 6
Drobeta Turnu Severin, 220022
Romania
+40744366836 Fax —

The e-mail address in the whois info used to be a webdesign business. Now it’s blank, but there are invisible links to drug related pages that redirect to findrxdrugs.com. There’s also webspam with that domain from January 2006.

So chances are that really is his contact info.

So, did he stop spamming? Noooo

Lately he’s been spamming a lot of forums, especially yybbs.cgi. Looks like that’s a type of forum or guestbook that’s primarily in use in Japan. And they’re usually spammed to death. I also see some amount of referrer spam.

And I found a log full of spammer entries, where he’s tried to spam:
86.120.197.66 - - [03/Feb/2006:10:24:56 +0900] "POST /cgi-bin/bbs4/yybbs.cgi HTTP/1.1" 403 311 "-" "Mozilla/5.0"

So, he’s still using his own IP address.

He’s also using a technique where he appends a bookmark with the name of his target keywords. The anchor probably doesn’t exist on the site, since the goal is the redirect from the throwaway site.

Webhost IP numbers I’ve found that may be associated with this spammer:

209.59.132.158
70.85.249.130
70.86.183.34
70.84.123.66

Block iframes

Tuesday, December 27th, 2005

Update: Proof of concept

Since discovering the iframe on Yahoo Groups, I’ve been thinking about the possible ill uses of that technique.

Basically, if you run an interactive service, you need to stop iframes from working.

Iframes can be used to drop parasites, as well as ads, into services that never intended to become a vehicle for such.

So Yahoo Groups, now’s the time to act!

And any software - forums, guestbooks, wikis, classified - anything out there that allows contributions by people whose character you don’t know, make sure iframes can’t be used!
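
One way to make sure iframes can't be used in contributed text is to pass only an explicit allowlist of tags and never copy attributes. This sanitizer is an added example, not code from this post or from any guestbook package; the allowed tag set and the `sanitize` name are assumptions, and it goes beyond iframes to other embedding and script containers.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: the only markup a guestbook entry needs. Attributes are never emitted.
ALLOWED = {"b", "i", "em", "strong", "p", "br"}
# Containers whose contents are discarded along with the tag itself.
DROP_WITH_CONTENT = {"iframe", "object", "script", "style", "frameset", "noframes"}
# Any other tag (embed, frame, marquee, ...) is dropped, but its text content is kept.

class GuestbookSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped container

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED:
            self.out.append("<%s>" % tag)  # attrs deliberately ignored

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is re-escaped, so an entity-encoded "<iframe>" stays inert text.
        if self.skip_depth == 0:
            self.out.append(escape(data))

def sanitize(html_text):
    """Return html_text reduced to allowlisted tags and escaped text."""
    parser = GuestbookSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    # Constructed sample entry.
    entry = 'Nice site! <iframe src="http://example.invalid/x" width="0"></iframe><b>bye</b>'
    print(sanitize(entry))
```

An unclosed `<iframe>` makes the sanitizer discard everything after it, which fails closed instead of letting the remainder through.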

Linkspam up considerably

Saturday, December 24th, 2005

Link spam on my guestbook and blog is up significantly.

The guestbook spam was manageable, but now it’s to the point of at least 10 per day. The guestbook spammers used to be easy to block, but they now use proxies.

Comment spamming on spamhuntress.com is also up significantly.

And as you guys know, I’ve been complaining bitterly about one particularly bothersome referrer spammer, who steals bandwidth. One blog has more than one gigabyte more traffic than normal this month, and chances are, this one spammer is behind it.