Archive for the 'Referrer spam' Category

Clueless referrer spammer

Monday, May 1st, 2006

I got a slew of referrer spam from an outfit who’s trying to SELL people the secret behind promoting through blogging! I don’t get much referrer spam these days, so running this down was a worthy cause.

Get this, they send loads of referrers quickly, from the same IP address, using loads of different user agents, then switch to another IP address and then back.

The kicker is that one of those IP addresses is inside Google’s net block!

64.233.172.4

Matt, this isn’t good! Are they using the Google Web Accelerator, or Google wifi?

Oh, and this is so good I just have to show you exactly what they’re doing.

The spamvertized site is:
bloglegend.freewebteam.com
If you go to:
freewebteam.com
You’ll see that they think they can sell you the secret to SEO.

Hmmmm…. Wait a minute! This is the same outfit that’s spamming in such a way it’s glaringly obvious and just has to be spotted and banned?

And the Google cache of their site says there are data entry positions available… (dataentry.freewebteam.com)

Matt, get your red pencil out, these guys are too stupid to keep whatever Google mojo they’ve gained!

Whois:
Paragon Innovations Group
Domain Administrator (domains@ParagonIG.com)
638 Camino De Los Mares
Suite: H130A-240
San Clemente
CA,92673
US
Tel. +01.8007537784

If you follow the trail of Googling “Paragon Innovations Group” you’ll find they’re hawking all kinds of promotion stuff, and they’re none too discerning about what they make money on.

PRstorm for sale again

Tuesday, February 21st, 2006

PRstorm is yet again for sale.

Is there anything we can do to get this piece of shit yanked once and for all?

PRstorm on Ebay

Spambot left on autopilot?

Saturday, February 18th, 2006

I’ve noticed referrer spam from jaja-jak-globusy.com now and then the last few months.

Today I checked, and it doesn’t even resolve.

So my question is, have they left the spambot on autopilot and forgotten to turn it off? It’s been spamming from the same place forever now.

The ethical spammer has something to tell me

Thursday, February 9th, 2006

I got this cute little message from a spammer today on my wiki:

I really think you should get a life . I bet you’re single and frustrated and decided to upset other people with your small insignificant existence . Just a thought from a spammer . Happy Valentine’s !

I love it when I get these little love notes. It shows me what I’m doing has some effect. The more personal the potshots, the more I think I’m on to something.

The IP number (195.175.37.55) was from Turkey, and a proxy. So I checked my logs. The joker didn’t try too hard to hide himself. The real IP address was easy enough to find:
86.120.197.66
That’s from Bucharest, Romania. And it’s been used to spam extensively in the past.

It’s known primarily from November last year, when he earned a lot of bans from wiki admins. He was into “invisible” wiki spam, and also left this cute message:

We leave content intact . We allow you to easily remove the additions
We respect your pages and appologize for the spam .
We are the Ethical Spammers group .
(this is an oximoron - two terms that are put together but are opposed meaning) .

Which means he’s the spammer known as

Ethical wiki spammers.

He seemed to disappear shortly after November, so I tried to find more info.

Most of his spam back then was subdomains on rx-seote.com. That site throws up 403s for me at the moment.

But a subdomain on buy-quality-meds.info (also his, but made to look like throwaway domains) had a redirect to findrxdrugs.com that might look like an affiliate link to the uninitiated, which has this whois info:

Andrei, Calugaru design@websign.ro
Str. Cicero Nr 111
Bloc S11 Sc1 Ap 6
Drobeta Turnu Severin, 220022
Romania
+40744366836 Fax —

The e-mail address in the whois info used to be a webdesign business. Now it’s blank, but there are invisible links to drug related pages that redirect to findrxdrugs.com. There’s also webspam with that domain from January 2006.

So chances are that really is his contact info.

So, did he stop spamming? Noooo

Lately he’s been spamming a lot of forums, especially yybbs.cgi. Looks like that’s a type of forum or guestbook that’s primarily in use in Japan. And they’re usually spammed to death. I also see some amount of referrer spam.

And I found a log full of spammer entries, where he’s tried to spam:
86.120.197.66 - - [03/Feb/2006:10:24:56 +0900] "POST /cgi-bin/bbs4/yybbs.cgi HTTP/1.1" 403 311 "-" "Mozilla/5.0"

So, he’s still using his own IP address.

He’s also using a technique where he appends a bookmark with the name of his target keywords. The anchor probably doesn’t exist on the site, since the goal is the redirect from the throwaway site.

Webhost IP numbers I’ve found that may be associated with this spammer:

209.59.132.158
70.85.249.130
70.86.183.34
70.84.123.66

Short URL spam support

Monday, January 30th, 2006

I found this one in my logs:

Short URL

And yes, it was an affiliate URL, spamvertized.

The owner says outright it’s to hide affiliate links.

Well, how good of you to let us know Google should ban that subfolder.

And here’s another domain for good measure: runurl.com

Matt, you listening?

You’d think he’d learn the first time?

Monday, January 23rd, 2006

The owner of massinternetservices.com complained on a forum somewhere that he couldn’t get anywhere without pagerank in his competitive market.

Fast forward a few months.

I get a rush of 20 referrer spams, all delivered to the same file and within about 9 seconds.

So I start checking. Turns out he’s been comment spamming for quite a while. His comment spams would look legit to a casual observer, but if you Google the stuff, you’ll see the same identical wording over and over. That’s what I’d call comment spam, whether or not it looks relatively on topic.

Second check, yep, his root domain is banned in Google. I’m not surprised.

So, he got banned in Google, and he’s coming back for more?

You want 19 more domains banned? Geez…

Linkspam up considerably

Saturday, December 24th, 2005

Link spam on my guestbook and blog is up significantly.

The guestbook spam was manageable, but now it’s to the point of at least 10 per day. The guestbook spammers used to be easy to block, but they now use proxies.

Comment spamming on spamhuntress.com is also up significantly.

And as you guys know, I’ve been complaining bitterly about one particularly bothersome referrer spammer, who steals bandwidth. One blog has more than one gigabyte more traffic than normal this month, and chances are, this one spammer is behind it.

Deny 203.162.27.200 - referrer spammer

Monday, December 19th, 2005

My bandwidth consumption on annelisabeth.com has jumped to new heights. And I believe most of it is due to referrer spammers.

According to Awstats, these IP numbers have consumed a lot of bandwidth so far this month:
203.162.27.201 - 106.62 MB
203.162.27.196 - 40.72 MB
203.162.27.195 - 11.44 MB

In other words, one spammer has stolen in excess of 200 MB of bandwidth from me.

In addition, I’ve found these sucking down a lot:
203.162.27.195
203.162.27.200
203.162.27.197
203.162.27.199

Here’s a sample log line:
203.162.27.200 - - [19/Dec/2005:07:33:41 -0600] "GET /blog/archives/000313.html HTTP/1.1" 200 11248 "h*tp://phentermineadipexionamin.lookscute.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.5) Gecko/20041108 Firefox/1.0"

In addition to that post, they’re pulling down archives quite often.
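The pattern described in these posts (one IP address sending a burst of external referrers under rotating user agents, while eating bandwidth) can be picked out of Apache combined-format lines like the sample above. The Python below is an added example, not code from the original blog; the thresholds, the `own_host` value and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referrer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # not a combined-format line
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    d["ref_host"] = urlsplit(d["ref"]).hostname or ""  # "-" has no hostname
    return d

def suspects(lines, own_host, window=timedelta(seconds=10), min_hits=5, min_agents=3):
    """Return {ip: stats} for IPs that burst external referrers with rotating agents."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["ref_host"] and rec["ref_host"] != own_host:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window so recs[start..end] all fall within `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) >= min_hits and len({r["ua"] for r in burst}) >= min_agents:
                flagged[ip] = {"hits": len(recs),
                               "bytes": sum(r["bytes"] for r in recs),
                               "referrers": sorted({r["ref_host"] for r in recs})}
                break
    return flagged

# Constructed sample: 192.0.2.10 bursts with rotating agents; 198.51.100.7 is a normal visitor.
SAMPLE = [
    f'192.0.2.10 - - [01/May/2006:10:00:0{i} -0600] "GET /blog/post.html HTTP/1.1" '
    f'200 11248 "http://spam{i}.example.net/" "Agent/{i % 4}"' for i in range(6)
] + ['198.51.100.7 - - [01/May/2006:10:00:03 -0600] "GET /blog/post.html HTTP/1.1" '
     '200 11248 "http://www.example.org/links.html" "Mozilla/5.0"']

if __name__ == "__main__":
    print(suspects(SAMPLE, own_host="blog.example.com"))
```

The flagged addresses and referrer hosts can then feed a deny list, and the per-IP byte totals give the same kind of figure as the Awstats numbers quoted earlier.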

One of the URLs spamvertized goes through a frame redirect to
1-800-pills.com
which pings
69.50.176.254

I looked at other domains hosted on that IP address. They all have similar and different whois info. Clearly fake.

More info on the spammer, including whois, can be found here:
Pills referrer.

I’ll gather more info on the spammer, and might update here or make a wiki page. He definitely deserves some tracking time.

Update:
Sites spamvertized by this bunch point to domains that use name servers from
xxlsearcher.com

That domain has whois info that includes an e-mail address that figures in other anti-spam posts:
TMnet spam
Dumb or beginner - who cares

Pills referrer

Tuesday, November 29th, 2005

I got an insistent referrer spammer. And this one was a bit more work to track.

He uses lookscool.com URL redirect addresses. Those are hard to track. Sam Spade won’t cut it. You can load the addresses in your browser, or use a tool which is a bit more invasive: Ethereal.

Bottom line, the addresses redirect to 1-800-pills.com, which then has encrypted links to paysefeed/goclick/enhance.

Domain bought and hosted at ESThost:
69.50.176.254

Whois:
SinteZ Ant Hill
SinteZ (mail@sintez.us)
Ant Hill 1-10
Ant Hill City
,10025
US
Tel. +10.67536487

And the e-mail address isn’t in Google, so I checked the whois on that domain as well:

Registrant Name: Denis Basargin
Registrant Organization: Guard Software, LTD
Registrant Address1: pr. Vernadskogo 17
Registrant City: Moscow
Registrant Postal Code: 326000
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +791.14003377
Registrant Email: densys@onego.ru

Denis is/was interested in Delphi programming, and has released a program for hiding files. He’s 24 years old, and is from Petrozavodsk in Russia. He is or was a CIO for a company.

Considering the whois info for the spamvertized domain is fake, and the trail leads to him, Denis has an explaining problem.

Alexandre Krouglov

Monday, November 21st, 2005

New (for me) referrer spammer today.

Alexandre Krouglov

He’s like a terrier, keeps shaking the same pages. Better block him fast if you have the misfortune of receiving his attention:

216.255.178.130