Archive for the 'Preachy' Category

KLIK Media GmbH registrar

Saturday, September 9th, 2006

I’ve been seeing a lot of KLIK Media GmbH as registrar (or rather, registration service under PublicDomainRegistry) lately. Always spammy domains. So I thought I’d check if there was a connection between the registrar and the KlikVip PPC program.

Yep, it’s one and the same.

The whois for, for instance, KLIKVIP.com is fake (it says the company is in Victoria, SC). The company is actually in Germany:

KLIK Media GmbH
Alt-Karow 3
13125 Berlin
+49.3094413291

But the owner also speaks Russian.

So, the PPC company is also serving as registrar for its spammers.

Skimmers comment spam

Wednesday, September 6th, 2006

I had some comment spam in July that proposed to sell credit card skimmers for ATM’s. The kicker is that he’s then proposing to buy the information gathered by the skimmers.

He’s operating with an e-mail address and an ICQ address. That ICQ address is still operational.

I mean, come on, can we have some law enforcement types lay a trap for this guy? Let me know and I’ll send you the ICQ number.

AT&T break-in and phishing

Saturday, September 2nd, 2006

The bad guys get more and more brazen.

Here’s a story about a break-in that culled data on customers who bought stuff on an AT&T website. The bad guys then used that info to collect more info.

Phishing expedition at heart of AT&T hacking

via securityteam

Vnunet thinks this is the wave of the future, when it comes to phishing.

New broom at EV1 - will he sweep out webspam?

Friday, August 25th, 2006

Update: Chris Newcomb has been the head of the EV1 abuse department for years. He’s the new abuse manager for The Planet, after the merger between the two companies. The management he was commenting on was that of The Planet. Unfortunately, this means we can’t expect more from EV1 than we’re accustomed to: EV1 is known for not nuking accounts for webspamming unless they have incontrovertible evidence. In their case, they hardly ever do anything about it.

September 1, 2006: I notified The Planet about comment spam coming from 70.84.176.58 on August 29. It’s still going strong. Typical EV1 incompetence when it comes to webspam, in other words.
—————

Found this in my referrers: EV1/ThePlanet takes action against spammers

I guess we’ll see when he’ll get around to clearing out the webspammers, eh?

Here’s a quote from news.admin.net-abuse.blocklisting:

Bill,
While I would love to speak for the previous administration of the abuse desk, I cannot. I however can speak for the current administration which I am the manager of. It will take me some time to get everything cleaned up, which I will spend more time on focusing on rather than responding here. If you or anyone else for that matter have any ongoing issues, please feel free to contact me at chrisn at ev1servers dot net. Since I have taken over management of the abuse desk my priorities are to get the glaring problems cleaned up first, and then go after the small problems.

Looks promising, provided he’ll get around to our problems, of course.

Update: There are posts by him to NANAB going back to November 2005, when he was “Abuse Team Leader” at EV1. No significant action was happening back then, so unless he’s had a change of direction, I guess we shouldn’t expect too much now, eh?

Here he is, including a photo.

The upload spammer

Sunday, August 6th, 2006

Webspam is constantly evolving. A while ago a spammer told us that spammers had long since moved on from what we anti-spammers were writing about; that webspam had moved on from comment spamming blogs. And I was sure he was right. What I’m seeing now is the newbies spamming my blog: the spammers who don’t yet know what they’re doing, for the most part, with a few comment spammers who rely on inventive wording thrown in.

Today I’ve been on the trail of a spammer who’s constantly trying new things. He’s been at this for a long time. Eugene Blagodarny (some of you are no doubt tired of my talking about him). Lately he’s been using upload scripts to place spammy pages on otherwise clean sites. Not links to spammy pages, but regular throwaways that redirect to his money sites or his affiliate links. There might be other spammers doing the same thing, I just haven’t found their trails yet.

And this guy is using any upload script he can find. He’s not just searching for specific types of scripts. In one case I confirmed that he misused a custom-written script that was used on ONE website.

In addition to any upload script he can get to accept his HTML pages (usually with the .htm extension), he’ll leave comments or user profiles anywhere his javascript redirects will work. Some of his favorites are HyperNews (comments), Twiki (user profiles) and SnipSnap (user profiles with uploads). He’s also (I assume) signed up for user accounts at compuserve in Germany.

He then comment spams other websites with links to his upload pages and redirect enabled comments, in order to get them into search engines. They’re often hidden on the websites he’s uploaded them to, so he needs to get them linked by other means.

What does all this mean?

If you’ve got a website that has an upload script that accepts HTML files, you need to be alert. Either recode it so it doesn’t accept HTML files, have a good admin interface and check it for new uploads every day, or remove the script altogether. Another possible option, if you haven’t been targeted yet, is to add a robots.txt file that bans search engine indexing of the directories your uploaded files are deposited in.

If you’ve got an interactive script on your website, make sure it doesn’t allow javascript redirects. That includes old scripts for guestbooks, forums etc.

If you’ve got a free website service, such as free homepages, free blogs, free groups, free forums, you need to recode those services so javascript redirects won’t work. Disabling iframes and frames pointing to somewhere else would also be proactive. I know of at least one free webhost who runs scripts every night, looking for certain keywords that spammers tend to use, and then disabling pages en masse. Identifying obfuscated redirects would also help you remove other sites with those redirects on them.
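The three recommendations above (refuse HTML uploads, refuse javascript redirects in user-supplied content, keep search engines out of the upload directory) can be checked mechanically. The following is an added example, not code from this blog or from any of the scripts named above: a small Python scanner that rejects uploads by extension allowlist, flags meta-refresh, javascript and frame redirects plus the usual obfuscation wrappers (unescape/eval/fromCharCode) in an HTML page, and writes the robots.txt stop-gap. The sample pages, the host name www.example.org and the directory /uploads are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extension allowlist for an upload script. HTML-ish types (htm, html, shtml,
# xhtml, php, js) are deliberately absent, which is the "recode to not accept
# HTML files" advice.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}

# location assignments / replace() / assign(), optionally prefixed with
# window., document., top., self. or parent. A lone "==" is not a redirect.
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.|self\.|parent\.)?location"
    r"(?:\.href|\.replace|\.assign)?\s*(?:=(?!=)|\()",
    re.IGNORECASE,
)
# Wrappers spammers use to hide the redirect from keyword scans.
OBFUSCATION = re.compile(r"\b(?:unescape|eval|String\.fromCharCode)\s*\(", re.IGNORECASE)


def is_allowed_upload(filename: str) -> bool:
    """Accept only names whose final extension is on the allowlist.
    'pic.jpg.htm' ends in .htm and is refused; a name without an extension is refused."""
    name = filename.rsplit("/", 1)[-1].lower()
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in ALLOWED_EXTENSIONS


class _RedirectScanner(HTMLParser):
    """Collects redirect indicators from one HTML document."""

    def __init__(self, own_host: str):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []
        self._in_script = False

    def _note(self, finding: str):
        if finding not in self.findings:
            self.findings.append(finding)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self._note("meta refresh: " + a.get("content", ""))
        elif tag in ("iframe", "frame"):
            host = urlparse(a.get("src", "")).hostname
            if host and host != self.own_host:
                self._note(f"{tag} to external host {host}")
        elif tag == "script":
            self._in_script = True
        # Inline event handlers, e.g. <body onload="top.location='...'">
        for k, v in a.items():
            if k.startswith("on") and JS_REDIRECT.search(v):
                self._note(f"redirect in {tag} {k} handler")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data unparsed.
        if self._in_script:
            if JS_REDIRECT.search(data):
                self._note("javascript redirect in <script>")
            if OBFUSCATION.search(data):
                self._note("obfuscated script (unescape/eval/fromCharCode)")


def find_redirect_indicators(html: str, own_host: str) -> list:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    scanner = _RedirectScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def robots_txt_for(upload_dirs) -> str:
    """The stop-gap from the post: keep search engines out of the upload directories."""
    lines = ["User-agent: *"]
    lines += ["Disallow: " + d.rstrip("/") + "/" for d in upload_dirs]
    return "\n".join(lines) + "\n"


# Constructed sample pages (not real spam): one throwaway redirect page, one clean page.
SAMPLE_SPAM_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://spam.example/casino">
<script>document.write(unescape('%3Cdiv%3E...%3C/div%3E'));
window.location.href = "http://spam.example/casino";</script>
</head><body onload="top.location='http://spam.example'">
<iframe src="http://spam.example/affil" width="1" height="1"></iframe>
</body></html>"""

SAMPLE_CLEAN_PAGE = """<html><body><p>Holiday photos</p>
<iframe src="http://www.example.org/map"></iframe></body></html>"""

if __name__ == "__main__":
    for f in find_redirect_indicators(SAMPLE_SPAM_PAGE, "www.example.org"):
        print("spam page:", f)
    print("clean page:", find_redirect_indicators(SAMPLE_CLEAN_PAGE, "www.example.org"))
    print(robots_txt_for(["/uploads"]))
```

Run nightly over the upload directory and over new guestbook or profile entries, this is the same kind of keyword sweep the free webhost mentioned above runs; pages that trip it can be disabled for review rather than deleted outright, since frames pointing at your own host and legitimate scripts will occasionally match.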

Hideawhois

Saturday, August 5th, 2006

Whois data is supposed to be the glue that holds the web together. You’re supposed to be able to figure out who owns a website by checking the whois.

Here’s a good site for that: domaintools.

Problem is, lately spammers have turned whois into hideawhois. They use info that’s false, and the registrars let them get away with it.

Figuring out who a spammer really is has been made almost impossible today, since the spammers know we track them. You’d have to track them back through time in order to pin something on them. Some of us have historical records that make it possible in some cases. And my wiki has enabled others to figure out who their spammers are.

But we need to do something about hideawhois!

Any ideas?

The ugly truth about Adsense

Wednesday, August 2nd, 2006

Have a look at the first post in this thread on WebProWorld. A lot of good points there.

Living off Adsense will make a webmaster go down a slippery slope pretty quickly!

DDoS attack winding down

Thursday, July 13th, 2006

It appears as though the Distributed Denial of Service is winding down: only a request every other hour now matches the pattern.

I’m watching the log realtime now, and not much of interest to report.

Article in Wall Street Journal

Friday, June 30th, 2006

I found some inbound links from an article that was for subscribers only. Turns out it’s The Wall Street Journal. A Google News search turns up a small part of the article.

The journalist said something about some Asian magazines etc, but I must have missed that part about the Wall Street Journal ;-)

Anyway, could someone check if it’s in the print edition as well? If so, I’d like to try and get the right issue for my scrapbook. Not even sure of the logistics here, though I know it’s possible to get hold of it in Norway.

I found the article out on the web, without subscription, in the Chinese version of the Wall Street Journal.

Don’t assume they know

Monday, June 12th, 2006

A friend asked me about getting on the internet again. She’d moved, and hadn’t been connected at home for a while.

Not thinking, I’d given her an old modem a while ago (she’d had ISDN at her old place, and just regular phone line at her new place, so I knew she didn’t have a modem that would work).

Now she was talking about broadband connections, and if nothing else worked, she’d use the regular modem.

And I said, wait a minute!

You can’t bring your old computer online now! It’s got 16 MB RAM and a 166 MHz AMD processor; you may be able to download mail with it, but I’m not even sure the latest browser would run on it, and your old browser would only throw up javascript errors on just about every page you’d visit!

So we talked a while, and I was berating Windows 95 compared to newer versions of Windows. And then she said: Oh, but we upgraded it to Windows 2000, so then it’s OK!

I burst out laughing. I know, not cool, but I couldn’t help myself. The thought of Windows 2000 on such an old machine had me in stitches, and her satisfied tone when she told me was a hoot too. She very nearly got offended with me. And I’m sure she would have been, if I hadn’t been genuinely trying to help her.
I guess the moral is: Don’t assume regular users know what they’re doing. They’ll gladly make a mess of their computers, thinking they’re improving them.