Archive for the 'Guestbook issues' Category

Picking on guestbook spammers

Sunday, December 18th, 2005

Guestbook spam was usually less sophisticated than blogspam. But lately they’ve caught up. I get a torrent of spam these days, and blocking IP numbers just won’t work. They’ve started using proxies there too.

So I thought I’d pick on one of them today.

I don’t know his name for sure, but I’ll include some whois info that may or may not be his.

First of all, his user agent is a mistake. It’s entered in my logs exactly like this:
“Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1”
He forgot the trailing ) in other words.

He first does a lookup of the add guestbook page, then comes back with ANOTHER IP number when it’s time to POST his comment.
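The two fingerprints described above (a User-Agent missing its closing parenthesis, and a POST to the guestbook form arriving from an IP address that never fetched the form) can be checked mechanically. The script below is an added illustration, not code from the original post: it parses web-server access log lines in the Apache "combined" format and flags both patterns. The log format, the form path `/guestbook/add.php` and the sample log lines are all assumptions constructed for this example.

```python
import re

# Apache/nginx "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not taken from any real server).
# Lines 1-2: broken-tool User-Agent, form fetched from one IP and POSTed from another.
# Lines 3-4: a normal visitor fetching and submitting the form from the same IP.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Dec/2005:10:01:02 +0100] "GET /guestbook/add.php HTTP/1.1" 200 2310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
198.51.100.7 - - [18/Dec/2005:10:01:05 +0100] "POST /guestbook/add.php HTTP/1.1" 302 0 "http://example.test/guestbook/add.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
203.0.113.5 - - [18/Dec/2005:10:03:40 +0100] "GET /guestbook/add.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
203.0.113.5 - - [18/Dec/2005:10:04:12 +0100] "POST /guestbook/add.php HTTP/1.1" 302 0 "http://example.test/guestbook/add.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
"""

FORM_PATH = "/guestbook/add.php"  # assumed location of the "add entry" page


def parse_log(text):
    """Parse combined-format log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def unbalanced_ua(ua):
    """True when the User-Agent has more '(' than ')': the broken-tool fingerprint."""
    return ua.count("(") > ua.count(")")


def find_suspicious(entries, form_path=FORM_PATH):
    """Flag requests with an unbalanced User-Agent, and POSTs to the form from an IP
    that never issued a GET for the form earlier in the log."""
    fetched_from = set()  # IPs that have fetched the form so far
    findings = []
    for e in entries:
        reasons = []
        if unbalanced_ua(e["ua"]):
            reasons.append("unbalanced User-Agent")
        if e["path"] == form_path:
            if e["method"] == "GET":
                fetched_from.add(e["ip"])
            elif e["method"] == "POST" and e["ip"] not in fetched_from:
                reasons.append("POST from IP that never fetched the form")
        if reasons:
            findings.append({"ip": e["ip"], "method": e["method"], "reasons": reasons})
    return findings


def main():
    findings = find_suspicious(parse_log(SAMPLE_LOG))
    for f in findings:
        print(f"{f['ip']:15} {f['method']:4} {'; '.join(f['reasons'])}")
    return findings


if __name__ == "__main__":
    main()
```

On the constructed sample the first two lines are flagged and the legitimate visitor is not. The IP check is a heuristic: visitors behind rotating proxies will also trip it, so it is better used to prioritise entries for moderation than to block outright.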

I can’t say for sure if this is one spammer or several, using the same broken tool. Let’s treat them as several spammers for now, and see if we can find evidence later that they’re one and the same.

They use throwaway sites, or lookalike throwaway sites (sometimes hard to tell).

The spammers use different techniques for javascript redirection and avoiding detection.

—————

One of them uses throwaway sites, then redirects to sites he owns that have the affiliate ID links:
malacity.com
kofit.com
both ping
212.48.153.193
and whois info gives:

Contact Name: Mihail N Suhorukov
Contact Street1: Isakovskogo st., 29
Contact City: Moscow
Contact State: Moscow
Contact Postal Code: 123181
Contact Country: RU
Contact Phone: +7 095 7266000
Contact E-mail: admin@nisku.ru

Affiliate IDs:

usapills-rx ID: 417
naturomeds ID: marvelent
searchadv ID: 44581

————

One of the “throwaways” is interesting in its own right. wgaga.com is figuring in LOTS of subdomains spamvertized on guestbooks and whatnot. And the root site has a 302 to searchmeup.com.

But what’s really interesting is that I can’t find any spam pages owned by another spammer. I’m forced to wonder if the domain belongs to the spammer, and that he’s trying to emulate throwaway sites.

Whois:

Resourse Team
Vladimir (guron-fm@yandex.ru)
Vali Macsimova 5 flat 8
Biysk
null,659303
RU
Tel. +7.3854249022

Vladimir has apparently been in the domain biz for a while. He tried selling one in January 2005.

This particular spammer mainly uses this affiliate ID:
topsearch10 ID: 45492

————

One uses “throwaway” subdomains on two .be domains:
vacuums.be
looxe.be
they ping similar IPs:
64.111.199.185
64.111.199.188

Both are registered December 10, 2005, by a webhost/registrar:

Last Name: Hostmasters
Company Name: Nucleus bvba
Language: N
Street: Noorderlaan 133/8
Location: 2030 Antwerpen
Country: Belgium
Phone: +32.32750160
Fax: +32.32750169
Email: info@nucleus.be

I suspect it’s a whois privacy thing, and that the spammer owns the domains.

Affiliate IDs:
find.fm ID: 1524

Clueless comment spammer

Monday, November 28th, 2005

I got a comment today that seemed unusually clueless. I’m sure many bloggers would think it WAS a clueless comment, and approved it. I waited for the other shoe to drop. And it did. From another IP number, and with another link in the URL field, another clueless comment was left on the same post. And what do you know, the websites ping the same IP number…

So, here are the clueless comments:

1) Hi! I can not load the image on server in any way.
2) Help, I can not understand with the coding…
3) Hi Do not prompt how to adjust a font of the messages?
4) Hi
I can not find coordinates for a feedback.

Spambot IP numbers (most likely proxies):
147.202.65.178
204.50.14.17
72.9.236.50
69.72.139.138

And website IP:
72.9.234.170
66.246.252.141
66.96.212.210

But I’m unsure of that IP address. It could be a proxying server. I’ll leave that to others to investigate.

Whois info:

Admin Name……….. Ilya Burkaltsev
Admin Address…….. Vasilyevsky Ostrov 11-linia dom 20 kv.3
Admin Address……..
Admin Address…….. St. Petersburg
Admin Address…….. 14413
Admin Address…….. NY
Admin Address…….. RUSSIAN FEDERATION
Admin Email………. ilya@artpromcompany.ru
Admin Phone………. +1.79119146267
Name Server………. ns73.dnsprotect.com
Name Server………. ns74.dnsprotect.com

A 26-year-old guy who said his website was artpromcompany.ru is named Anton and has ICQ number 230087306. He also claimed to have another site, also owned by ilya. He even has a blog on Livejournal. But since I don’t read Russian that well, I won’t be studying it in depth.

ilya Burkaltsev ilya@artprom.ru
Burkaltsev, ilya
Pushkarskaya 3
Petersburg, — 198000
RU
Phone: +7 812 233 92 62
Fax: +7 812 233 92 62

Turns out the spammer has been at it for a little while. He’s been pestering guestbooks with sentence number 2 for at least a week.

Update: Another whois info for a new domain spamvertized this way:

Admin Name……….. Ivar Tenter
Admin Address…….. Keguma str. 45-2
Admin Address……..
Admin Address…….. Riga
Admin Address…….. Lv-1084
Admin Address…….. Riga
Admin Address…….. LATVIA
Admin Email………. ivarix@ivarix.ee
Admin Phone………. +371.999999999
Admin Fax………… +371.999999999

Adsoft-Development and Andrew Kartashov

Sunday, October 30th, 2005

It’s been a while since I’ve busted a spamming operation. I’ve had limited time, and busting takes time. I processed some spam today, and came upon an operation a little bigger in scale than some.

Adsoft Development is a webdesign company headed by Andrew Kartashov from Russia.

This company designed the pages, and e-mail addresses from a domain they own are used in the whois info of most of these domains. It looks to me like fake whois info apart from the e-mail addresses, but I haven’t checked.

I’ve seen forum posts from Andrew more or less admitting to linkspam, so chances are good he’s the spammer.

Revenge spam from Eugene Blagodarny

Thursday, August 18th, 2005

Eugene Blagodarny has been spamming guestbooks as me at least since August 4th.

I first got a few angry guestbook entries, but couldn’t figure it out. I knew I hadn’t spammed anyone, and I couldn’t find anything in Google to indicate someone had spamvertized my site (revenge spam).

Turns out it’s worse. I finally found a sample, and used the wording to find other samples.

The wording is like this:

AnnElisabeth

Great site! Keep it alive!

And then there are some really vile URLs entered in the website field. Disgusting deviant porn.

He’s targeted xtremguestbook in particular, and he’s really been laying it on thick. There are LOTS of entries in the spammed guestbooks. All of them have an e-mail address from my domain under the e-mail button. That e-mail address doesn’t work. The spammed webmasters probably think I’m the spammer, and since the e-mail address doesn’t work, they sign my guestbook instead.

I should probably enable the address for a while, to catch any e-mail regarding this.

Any ideas on what I should do? This is obviously hurting my reputation…

Updates:

I traced one of the dyndns sites to one of his domains. The whois is very sketchy (by design, of course), but the e-mail address is his. It’s one he’s used many times.

Admin Organization: NA
Admin Name: NA
Admin Address: NA
Admin City: NA
Admin Country: AFGHANISTAN
Admin Postal Code: 11111
Admin Phone Number: +91.226370256
Admin Email: domains@gals4all.com

He’s doing his usual PHPnuke spam runs as well, under his usual “optimized” names. The guestbook spam run is in addition to his usual spamming.

Blaster blog site

Friday, August 5th, 2005

While tracking the blaster networks, I came across a specific player that turned out to be a bit more interesting than most.

Meet Rohit Kumar Seth aka Rohit Seth.

He’s a guestbook spammer, but before he started spamming guestbooks, he was the owner of a free scripts site. He’s been plugged into the ad blaster networks for some time too. But looking at a recent list of commissioned scripts will give you an idea of what he’s currently into. I’ll quote a few of the more interesting script descriptions:
Guest book autoposter (July 4)
wordpress blog auto submit script (June 30)

The guestbook spamming was done around July 8-11, for this site: getfreeblogs.com

I found the spam while checking a blog that had a suspicious number of typical blaster comments.

What I eventually found was a list of all the users. Note in the middle of the page, there are a lot of names with no info on them. And the names are listed almost alphabetically. Lots of variations of similar names. Those are, I believe, fake blogs, designed to blend in with the real users. The fake blogs are there to receive blaster ads… Right now most of them have ONE blog post (a welcome post entered by the system), and 191 comments.

So, although the site does have legitimate users, the INTENT of the whole site and service is to have lots of fake blogs with blaster comments. In other words, the whole site was conceived to hold search engine spam. And it was spammed from the get go.

Very interesting how the blaster people are more and more doing spam now to cut through the noise…

Roy Giles takes up guestbook spamming

Friday, July 29th, 2005

I guess the big boys have shot him down one too many times for mail spamming, so now he’s into guestbook spamming. And he goes for sites that are naturally positive towards preachers - other Christian sites.

He’s currently got one of his sites hosted on what I assume is his broadband net connection:
67.166.241.132
Update, August 1, 2005: It’s off that IP address. Currently on Netfirms - 64.34.66.18.

Search for roygiles.org on Google, and you’ll find lots of guestbooks he’s posted on.

I’ve come across some people before who say they’re in the ministry and have the ethics of alleycats. This guy is a good number two on my list of top unethical people in the Christian ministry. Shame on you, Roy!

For more back story on Roy Giles
Before you read this, let me tell you the story about him and the spamhuntress server. He had his site on the same server, and before the webhost could figure out he was a spammer, the IP number got blacklisted at Spamhaus. It got sorted quickly when he was booted by the webhost and Spamhaus released the block.
Iknowwhatimdoing
Spam Kings
Spam Kings 2
419eater

Airline ticket spammer again

Monday, July 25th, 2005

I’ve been working on an update of the Airline ticket spammer page today.

As usual, you can find trails going in more directions than we first saw. My update is at the bottom of the page.

Musician and spammer

Friday, June 24th, 2005

Here’s a guy who does a lot of linkspam, and releases an album under the same name.

As if it wouldn’t come back to haunt him some day?

Pete Bragansa

Or, Pete Brag, as he’s known as a musician.

How do I know they’re one and the same? Same e-mail address as on the whois info…

Webtouch.info

Tuesday, June 21st, 2005

I tracked a spammer I hadn’t noticed before today. The identifying pattern is that the domains have name servers from webtouch.info.

Webtouch

Implied consent

Thursday, June 16th, 2005

A spammer once upon a time hit mainly forums. Maybe some forum owners subjected him to their wrath? So he decided to try some honey. Here’s the message he put at the top of his spams, lightly munged:

If you don’t need these messages at your guestbook, email us to abuse@mungedxxxxx.com.
Include your guestbook’s url and all your mirrors urls in the letter. Your website will be taken off our list in 48 hours.

His brand of spam is incest and bestiality, along with straight porn. So it should be common sense that most people wouldn’t want his “ads”.

I found some of his ads on a forum that had been long abandoned. Absolutely filled with porn and other spam. Including a redirect in the subject field of one of the spam posts.

Do me a favor. If you find a forum of that sort, send off an e-mail to someone in a position to remove the forum. The scripts are often Matt’s wwwboard or variants of it. That stuff should be banned! A forum for today is phpBB or Simple Machines (free ones), or Invision Power Board or vBulletin (paid ones).