Archive for the 'Guestbook issues' Category

Dreambook gets it right

Saturday, June 11th, 2005

Guestbook spam info

I have a few old guestbooks on Dreambook.

Now and then I’ve received notification that spam comments have been posted. But before I manage to come by and clean them, they’ve been removed.

I can only guess that the Dreambook admins are on top of the spam problem and have a centralized system for removing spam. Blocking and removing, most likely.

The Zaharievs came by a few months ago, but haven’t returned. Probably figured out quickly that it’s a spam-unfriendly environment!

Formmail and guestbook IP

Saturday, June 11th, 2005

Guestbook spam info

I’ve been getting a lot of e-mails from my formmail script on nativecelebs lately. They look like probes to me. And they’re all from this IP:

62.213.73.92
ALLMP3Z.ru

So I thought I’d do a search for it, and found a guestbook spam:
rx-shop.info/vicodin-online
80.77.80.175
which is on ipipe/hqhost (remember them?).

I’ve also found numerous entries (with the DNS name) in a guestbook log, and a few forum profiles carrying the link.

The formmail attempts were all coming through my form page, so they might be manual attempts.

HTTP_ACCEPT=*/*
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Some of the other spammers have other weird headers, like this one:
204.186.159.229 - bess-proxy.csiu.org
HTTP_VIA=1.0 MAILSVRBACKUP

And they often just scan for common script names instead of going for the real (oddly named, non-standard) script.

Anyway, I’ve got a honeypot script that catches quite a lot of fish. If you’re interested in one of your own, let me know. This one is incapable of sending mail, so the joke is on the spammers! I’ve got a trap on the real formmail script as well, just in case I catch something interesting.
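What such a decoy looks like, as an added example (this is not the post’s honeypot script): a small WSGI app that accepts anything posted to a formmail-looking URL, logs the connecting IP, the CGI-style headers quoted above and the submitted fields, and replies with a success page while having no code path that sends mail. The URL path, the JSON log format and the sample request are my assumptions, not anything from the post.

```python
"""Decoy formmail endpoint: records every probe, never sends mail.

Added example, not the script from the original post. It is a plain WSGI
app; the path, the captured header set and the JSON log format are my own
choices, and the sample request used to exercise it is constructed.
"""
import io
import json
import time
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# CGI-style header names, as they appear in the post's probe dumps.
CAPTURED_HEADERS = ("HTTP_USER_AGENT", "HTTP_ACCEPT", "HTTP_VIA",
                    "HTTP_X_FORWARDED_FOR", "HTTP_REFERER")
# Field names an open-relay probe uses to point the mail at a third party.
RELAY_FIELDS = ("recipient", "to", "cc", "bcc")


def make_environ(ip, body=b"", method="POST", path="/cgi-bin/formmail.pl", **headers):
    """Build a minimal WSGI environ so the decoy can be exercised without a server.
    Extra keyword arguments become HTTP_* headers (user_agent -> HTTP_USER_AGENT)."""
    env = {
        "REMOTE_ADDR": ip,
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    for name, value in headers.items():
        env["HTTP_" + name.upper()] = value
    return env


def record_probe(environ, body):
    """One JSON-able record per hit on the decoy.

    REMOTE_ADDR is the only address treated as the client: Via and
    X-Forwarded-For are logged as evidence, but the sender controls them."""
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    flat = {k: v[0] for k, v in fields.items()}
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "ip": environ.get("REMOTE_ADDR", ""),
        "method": environ.get("REQUEST_METHOD", ""),
        "path": environ.get("PATH_INFO", ""),
        "headers": {h: environ[h] for h in CAPTURED_HEADERS if h in environ},
        "fields": flat,
        # A probe that names its own recipient is testing for an open relay.
        "relay_attempt": any(k.lower() in RELAY_FIELDS for k in flat),
    }


def handle_probe(environ):
    """Core of the decoy: build the record, then answer like a working formmail.
    Returns (status, body_bytes, record) so it can be checked without a server."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length) if length > 0 else b""
    record = record_probe(environ, body)
    # The probe "succeeds" from the sender's point of view, yet no mail exists.
    page = b"<html><body>Thank you, your message has been sent.</body></html>"
    return "200 OK", page, record


def honeypot_app(environ, start_response):
    """WSGI entry point; the log line goes to stdout (redirect it as needed)."""
    status, page, record = handle_probe(environ)
    print(json.dumps(record, sort_keys=True))
    start_response(status, [("Content-Type", "text/html")])
    return [page]


if __name__ == "__main__":
    with make_server("", 8080, honeypot_app) as httpd:
        httpd.serve_forever()
```

The one field worth watching in the log is a recipient of the sender’s choosing: that marks an open-relay probe rather than a mere scan for script names, and it is exactly what a decoy with no mail code can safely accept.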

A new EV1 spammer

Tuesday, May 31st, 2005

Guestbook spam info

There’s a new EV1 spammer afoot.

Rojisan did the first report on them.

It’s even bigger than his report indicates, though that one is certainly indicative of a large scope!

Rojisan tracked the IP numbers spammed from. I decided to track the IP numbers pinged by the spamvertized domains:

69.57.150.28
69.57.150.107
69.57.150.120
69.57.150.121
69.57.150.122
69.57.150.123
69.57.150.124
69.57.150.125
69.57.150.126
69.57.150.127
69.57.150.128
69.57.150.129
69.57.150.130
69.57.150.131
69.57.150.133
69.57.150.158
69.57.150.165
69.57.150.196
69.57.150.209
69.57.150.213
69.57.150.214
69.57.150.215
69.57.150.216
69.57.150.218
69.57.150.219
69.57.150.220
69.57.150.221
69.57.150.243
69.57.151.149

They are all on EV1’s IP block. I don’t know if they were rented out by EV1 or by a hosting company. Almost all have DNS pointing to EV1.

Exceptions:

69.57.150.28
ns2.lomejordeinternet.net
This one’s in EV1’s IP block.
It’s likely the DNS is for the former owner of the box. That DNS name doesn’t ping anything.

69.57.150.107
ns2.hc11.net
This one’s in EV1’s IP block.
The hosting company appears to be hostcolor.com, unless they’ve since moved (very likely, since that hostname now pings 69.45.6.164).

The domain names end in:
.pl
.com.pl
.info.pl
.ch

And then he’s using dynamic dns from:
gmina.pl
and one .com domain

I’ll report his domains to Google for banning.

Whois info:

company: Eugeniusz Sawicki
street: Jazowa 15A
city: 43-316 Bielsko-Biala
location: PL
handle: tdc5462363137953
phone: +48.693340370
last modified: 2005.04.27
registrar: AZ.pl SC Albert Jerka, Andrzej Kostrzewa

Eugeniusz Sawicki
Jan Sawicki
Jazowa 15A
PL-43-316 Bielsko-Biala
Poland
janeksaw@gmail.com

The name servers are always custom. And always the same name as the domain name they serve.

I believe he’s rented one or several servers on EV1, and has lots of IP numbers on each server. The game is probably to make it difficult for people to figure out all his domains, if someone were to start tracking one of them.

Most of the domain names were registered around April 27, 2005; the .ch sites were registered around May 18.

So, did he enter the correct whois info? I don’t know. I do know there’s someone with the same name who’s Poland’s ambassador to Brunei. Apart from that it’s hard for me to figure anything out, not knowing Polish.

Legal action against EV1?

Monday, May 30th, 2005

Guestbook spam info

PhantomSteve is commenting on the Googlepray post about the umax search spammer.

Sid/Dmitriy has been spamming my guestbook, all from the same EV1.NET IP.

Contacting abuse@ev1.net, admin@ev1.net, admin2@ev1.net - all bounced back.

I have emailed support@ev1.net - with a list of *26* dates/times that the same IP was used.

I’m even considering ‘phoning them up to talk to them (I’m in the UK, so I need to get a time when I can phone during their opening hours).

However… I’m guessing from the number of references to this b*****d online that they aren’t willing to do anything…

What is the legal situation with regard to Everyone’s Internet hosting a spammer… they have to *know* about him, as they have had a lot of emails to their abuse department….

So, does anyone know how the law in the US can be used against Everyone’s Internet… we all know that if they are shut down then Sid/Dmitriy will move to somewhere else… but if they think the only way not to get shut down is to co-operate with Sid’s address (real, not the TN one), phone number, bank details, etc etc….

My guestbook (which I am re-coding/re-naming/etc) has *two* options which have to be changed (one is a tick box which is on by default but if it is ticked, the entry is automatically flagged as spam; the other is a drop down box which defaults to a “I am a spamming b******d”) - and both of these *are* getting changed. I dunno how a bot can do that, but it must be happening, because none of his entries have *ever* been flagged as spam.

It is (as you might gather) a moderated guestbook… so none of these entries have ever got into the guestbook.

Keep up the good work!

Regards,
Steve

Any comments?

Spammer psyche

Sunday, May 29th, 2005

I found a post where the Blog Herald had outed a spammer. And then the spammer, Amy Cross, posted an answer.

I had a feeling of deja vu when reading it. Do they xerox the spammers or what?

She says she’s not a comment spammer. She doesn’t say she’s not a spammer; a rather interesting distinction, considering…

bigsitecity

Sunday, May 29th, 2005

I’ve found a lot of spam for free sites on bigsitecity.com

So I decided to send them a note, asking them to terminate some of the spammers.

And come to find out, EACH AND EVERY ONE of their e-mail addresses is misconfigured and bounces!

Geez!

———

Update
Through some tracing, we found an e-mail address that worked. But so far I haven’t received any reply. And the specific spam I reported is still being served. Either they haven’t seen my e-mail, or they don’t care.

Omni spam

Saturday, May 28th, 2005

Dirk found that the Omniexplorer bot IP addresses suddenly emanated referrer spam, and investigated.

I thought I’d explore the areas he hadn’t covered yet.

I found more domains on the IP addresses mentioned. One of the domains was used in a December 2004 guestbook spam run. I’m sure I’ll find more with time.

I also found that Google had blocked a significant number of the domains. The spam run now is for domains they’ve spammed before. Maybe they think they’ll be able to force them into Google? Sorry, that’s a lost cause. They’re not going to relax those bans!

The only thing they can hope for is direct clicks and placement in MSN and Yahoo.

The payoff is a porn network, not sure which (probably adultprovide). The affiliate ID is:
promote

GooglePray spammer hits back

Friday, April 29th, 2005

Guestbook spam info

Here’s the comment the GooglePray spammer posted to my first post about him.

# romas Says:
April 29th, 2005 at 1:15 am

HI.
I wrote that I just ADD COMMENTS.
And It not my problem that YOUR stupid script not have protect for add easy message. and it not my problem that YOUR script on taylor-arts.com - SEND TO YOUR Email a letter.

If you so stupid and have no any idea to protect / update YOUR guestbook script - it`s JUST ONLY YOUR problem.

NO ANY LAW WRITE THAT GUESTBOOK IS PRIVATE LIKE SMSM OR EMAIL.

What you’re doing, Romas, is considered spam. Just because the laws are slow in forming, doesn’t make it ethically right.

1) Your INTENT in doing what you do, is to trick search engines.
2) Nobody would WANT to display your links on the grounds that the content is good.

When those two points are true, it IS spam.

You could add a third point that isn’t always true of spam, but often is:
3) Content entered automatically by scripts in hundreds or thousands of blogs, forums or other feedback-gathering pages on the net.

E-mail spam wasn’t legally spam for a long time, it became illegal because of political pressure. Don’t argue with politics, legalese and ethics when you don’t have a clue about the process. You’ll only look immature and criminal.

And as for your comments about my guestbook:

I invite comments on my site that are entered by normal people, not scripts. Personal comments to me and the site. A guestbook was never invented for anything else. Person to person communication. Did you know that this kind of communication on the internet is actually covered by our anti-spam legislation where I come from? Don’t assume you know all the laws all over the world…

I also didn’t like it when you used my text to spam someone’s guestbook. And don’t tell me you had a license to violate my copyright. You didn’t. That was a copyright violation, and THAT is illegal.

OK, readers, you want to talk back to a spammer? Now’s your chance. I’m sure he’s hanging around…

————

The spammer’s real IP address:
82.207.76.138
as-0-10.ar64-4s.kharkov.ukrtel.net
UA: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.6) Gecko/20050223 Firefox/1.0.1

He found the post about him after searching for his e-mail address in the Ukrainian version of Google. He immediately switched to another IP address (a VPN line) after checking out my post, and posted his comment using the VPN line, thinking I wouldn’t figure out his real ISP IP address. Guys, this is a good candidate for losing his internet line. Keep complaining to his ISP if he spams you.

ISP information:
inetnum: 82.207.76.0 - 82.207.76.255
netname: UKRTELNET
descr: Ukrtelecom IP access network in Kharkiv
descr: JSC Ukrtelecom
country: ua
remarks: E-mail for SPAM and abuse postmaster at kharkov.ukrtel.net

And he HAS spammed using that IP address.

————-

You @$£€£ spammer!
He’s replacing the domain names I named in my text with innocent people’s domain names, making it seem like Neil Turner’s taylor-arts.com is a spam domain! See the link to the guestbook where he used my text, to see an example of this. There are many others, coming into Google just about now. Joe felt he was trying to bury my post in Google, so people wouldn’t find it when searching for the source of the article exposing him. He’s done it before to others.

GooglePray

Wednesday, April 27th, 2005

Guestbook spam info

I was chasing a rampant guestbook spammer. In the source of one of his pages, I found a funny meta tag:

This spammer uses baikalguide, and a variant of Umaxsearch as domain names. Looks like he’s already banned in Google.

whois info:

owner: Dmitriy Soldatenko
organization: Sid Wongvorakul
email: sidfeehit@yahoo.com
address: 979 Rutland Dr
city: Memphis
state: TN
postal-code: 78243
country: US
phone: +49 221 88585850

BTW, dialing code 49 is Germany.

Other posts about this spammer:
Bobonit, Buffoons 1, Buffoons 2, Buffoons 3

In one of these posts, one of the commenters mentioned that the pages spammed by this spammer contain code that creates new posts on guestbooks, which will carry the IP address of the person that visits the page. I found that to be very credible. I’ll include one such chunk of code that I found. (Eh, I don’t think it’s wise to display this one in an iframe, considering IE could execute it…)

However, some of the pages display as source in Firefox, so it won’t execute every time.
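The mechanism described above (a spam page that makes the visitor’s browser post to someone else’s guestbook, so the entry carries the visitor’s IP) is defeated on the guestbook side by a token that only the guestbook’s own rendered page carries. The following is an added example, not code from this post or from any guestbook package; the server secret, the cookie and field names (gbsession, gbtoken), the hostname guestbook.example and the sample requests are all constructed.

```python
"""Guestbook-side guard against submissions triggered from another site.

Added example, not code from this post or from any guestbook package. The
secret, the cookie and field names (gbsession, gbtoken), the hostname and
the sample requests used to exercise it are constructed.
"""
import hashlib
import hmac
import secrets
import time

# In a real deployment the secret comes from configuration, not source code.
SERVER_SECRET = b"constructed-secret-rotate-me"
TOKEN_TTL = 3600                # seconds a rendered form stays submittable
OWN_HOST = "guestbook.example"  # constructed hostname of the guestbook site


def new_session_id():
    """Random id stored in the visitor's 'gbsession' cookie when the form is served."""
    return secrets.token_hex(16)


def issue_token(session_id, now=None):
    """Value for the hidden 'gbtoken' field in the rendered form.
    Format: <issued_at>.<HMAC-SHA256(secret, session_id|issued_at)>."""
    issued = int(now if now is not None else time.time())
    mac = hmac.new(SERVER_SECRET, f"{session_id}|{issued}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def verify_token(token, session_id, now=None):
    """True only if the token was minted for this session and has not expired."""
    try:
        issued_s, mac = token.split(".", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False
    current = int(now if now is not None else time.time())
    if not 0 <= current - issued <= TOKEN_TTL:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}|{issued}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def accept_post(form, cookies, referer):
    """Decide whether a guestbook POST originated from our own form.

    Returns (accepted, reason). A foreign page that auto-submits a hidden
    form to this script may well get the visitor's browser to attach our
    session cookie, but it cannot read our rendered page, so it never holds
    a valid token for that session. Referer is weak evidence (often blank),
    so it only rejects when it names a foreign site."""
    session_id = cookies.get("gbsession")
    if not session_id:
        return False, "no session cookie"
    if not verify_token(form.get("gbtoken", ""), session_id):
        return False, "missing or invalid form token"
    if referer and not referer.startswith((f"http://{OWN_HOST}/",
                                           f"https://{OWN_HOST}/")):
        return False, "foreign referer"
    return True, "ok"
```

The token, not the Referer, is the real check: Referer is frequently blank and is only used here to reject an explicitly foreign origin. In current browsers a SameSite attribute on the session cookie adds a second layer, since a cross-site POST then arrives without the cookie and fails at the first check.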

I found one IP address was responsible for all posts and attempted posts to my guestbook:
216.127.68.15
user agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)

This is, however, a web server. A spammy website at that. Site owned by:

romas
romas (a-romas@lycos.com)
Tarasovskaya St. 40
Kiyv
null,54566
UA
Tel. +38.0677412714

Another whois info often used by this spammer:

rex
jet rex (jetrex@gmail.com)
Ukraine, lviv pb 4317
lviv
null,76224756
UA
Tel. +067.7412714

—————

Update
Joe and I had a look at his spamming technique, and he’s attempting to understand the exploit, where the spammer tricks visitors into spamming for him.

Guestbook spammer with blank user agent

Thursday, April 21st, 2005

Guestbook spam info

I’ve got a guestbook spammer hitting me regularly. My guestbook is moderated, so it was only a minor annoyance, until today. Today I found out that somehow my guestbook ate itself. Thousands of pages with junk - virtually nothing on them. I restored an old backup, so it works again. But now I need to keep an eye on that guestbook, and that’s when I noticed the spammer without a user agent.

I’ve got a similar block for trackbacks, so I can use that one:
trackback spam htaccess block

I’m probably going to use it without limiting it to specific files. The guestbook directory has its own .htaccess.
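The blank-User-Agent block, worked through as an added example (this is not the trackback block linked above): the code parses Apache combined log lines to confirm which client is posting to the guestbook script without a User-Agent, and emits the matching mod_rewrite rule for the guestbook directory’s own .htaccess. The log lines and the script name sign.cgi are constructed.

```python
"""Confirm blank-User-Agent posters from an Apache combined log and emit
the .htaccess rule that refuses them.

Added example, not the post's own htaccess block. The log lines below are
constructed and the guestbook script name is an assumption.
"""
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

GUESTBOOK_SCRIPT = "/guestbook/sign.cgi"  # assumed name of the posting script

# Constructed sample: one client posting repeatedly with no UA, one normal
# visitor, and a UA-less crawler fetching robots.txt that must not be flagged.
SAMPLE_LOG = """\
198.51.100.23 - - [21/Apr/2005:10:01:12 +0200] "POST /guestbook/sign.cgi HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [21/Apr/2005:10:02:40 +0200] "GET /guestbook/ HTTP/1.1" 200 8192 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [21/Apr/2005:10:03:01 +0200] "POST /guestbook/sign.cgi HTTP/1.1" 200 512 "http://example.org/guestbook/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [21/Apr/2005:10:05:55 +0200] "POST /guestbook/sign.cgi HTTP/1.0" 200 512 "-" "-"
198.51.100.23 - - [21/Apr/2005:10:09:03 +0200] "POST /guestbook/sign.cgi HTTP/1.0" 200 512 "-" "-"
192.0.2.77 - - [21/Apr/2005:10:11:30 +0200] "GET /robots.txt HTTP/1.0" 200 40 "-" "-"
"""


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def blank_ua_posters(log_text, script=GUESTBOOK_SCRIPT):
    """Count POSTs to the guestbook script whose User-Agent is absent ("-") or empty.

    Only the posting script counts: a blank UA on robots.txt or a static
    page is a crawler or a privacy proxy, not evidence of guestbook spam."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the run
        if rec["method"] == "POST" and rec["path"] == script and rec["ua"] in ("-", ""):
            hits[rec["ip"]] += 1
    return hits


def htaccess_rule(script=GUESTBOOK_SCRIPT):
    """mod_rewrite rule for the guestbook directory's own .htaccess:
    answer 403 to a POST to the script when the User-Agent header is empty
    (an absent header also matches ^$)."""
    name = script.rsplit("/", 1)[-1]
    return "\n".join([
        "RewriteEngine On",
        "RewriteCond %{REQUEST_METHOD} ^POST$",
        "RewriteCond %{HTTP_USER_AGENT} ^$",
        f"RewriteRule ^{re.escape(name)}$ - [F]",
    ])


if __name__ == "__main__":
    for ip, n in blank_ua_posters(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} blank-UA posts")
    print(htaccess_rule())
```

The rule is limited to POSTs to the posting script on purpose: some privacy proxies strip the User-Agent entirely, and those visitors can still read the guestbook, they just cannot sign it without a UA. Dropping the REQUEST_METHOD and filename conditions, as the post contemplates, turns the same two lines into a directory-wide block.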