Archive for the 'Trackback spam' Category

USERAGENT

Saturday, December 1st, 2007

Sometimes you just have to laugh.

I got visits from this joker November 15-27:

195.225.177.190 - - [27/Nov/2007:10:50:35 -0600] "POST /2005/04/07/trackback-run-expected/trackback/ HTTP/1.1" 403 246 "" "USERAGENT"
195.225.176.177 - - [27/Nov/2007:11:00:40 -0600] "POST /2005/04/08/mathematics-trackbacks/trackback/ HTTP/1.1" 403 246 "" "USERAGENT"
You should not feel bad for firewalling all of Netcathost. I see a lot of bad there, and so far no good. If you don’t agree, comment below.

195.225.176.0 - 195.225.179.255
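As an added illustration (not part of the original post), here is a small log triage script that parses Apache combined-format lines like the two above, flags trackback POSTs that come from the Netcathost range (195.225.176.0 - 195.225.179.255, which is 195.225.176.0/22) or carry the bogus "USERAGENT" string, and emits the single .htaccess line that blocks the whole range. The third sample line, from the documentation range 203.0.113.0/24, is constructed as a benign control.

```python
import ipaddress
import re

# Constructed sample log: the two entries quoted in the post plus one normal GET as a control.
SAMPLE_LOG = """\
195.225.177.190 - - [27/Nov/2007:10:50:35 -0600] "POST /2005/04/07/trackback-run-expected/trackback/ HTTP/1.1" 403 246 "" "USERAGENT"
195.225.176.177 - - [27/Nov/2007:11:00:40 -0600] "POST /2005/04/08/mathematics-trackbacks/trackback/ HTTP/1.1" 403 246 "" "USERAGENT"
203.0.113.7 - - [27/Nov/2007:11:02:11 -0600] "GET /2005/04/08/mathematics-trackbacks/ HTTP/1.1" 200 8123 "http://example.net/" "Mozilla/5.0 (X11; Linux) Gecko/20070914 Firefox/2.0.0.7"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Netcathost range from the post, written as one network.
NETCATHOST = ipaddress.ip_network("195.225.176.0/22")

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def is_trackback_spam(entry, blocked=NETCATHOST, bad_agents=("USERAGENT",)):
    """Flag a POST to a /trackback/ endpoint from the blocked range or with a known bogus UA."""
    if entry["method"] != "POST" or not entry["path"].rstrip("/").endswith("/trackback"):
        return False
    from_blocked = ipaddress.ip_address(entry["ip"]) in blocked
    return from_blocked or entry["ua"] in bad_agents

def spam_sources(log_text):
    """Sorted list of distinct client IPs behind flagged trackback POSTs."""
    ips = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_trackback_spam(entry):
            ips.add(entry["ip"])
    return sorted(ips)

def in_blocked_range(ip, blocked=NETCATHOST):
    """True if a single address falls inside the blocked network."""
    return ipaddress.ip_address(ip) in blocked

def deny_rule(network):
    """Apache 2.2-style .htaccess line covering the whole range in one rule."""
    return f"Deny from {network}"

if __name__ == "__main__":
    print(spam_sources(SAMPLE_LOG))
    print(deny_rule(NETCATHOST))
```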

James Friesen reports on the same bot in October.

It’s possible the bots are no more on those IP numbers, since I can’t find any newer spam from them.

If you search for one of those IP’s, you get spam with this whois, which appears fake:

Ferdinand
Ferdinad Stalevsk        (ferdinand@hotfunspace.com)
8 Trinity Terrace
Weymouth
Maryland,54442
US
Tel. +1.567456765

The root of the site is a failed WordPress install, so I'm wondering whether the site really does belong to the fake whois and isn't a "free subdomain". Also, it's registered with ESTdomains… But the same bot also spamvertized some sites on freewebs.com, and a random check found a subdomain that was yanked for abuse.

The payoff on hotfunspace is Google Adsense: pub-1388391656005128

Spamtool gets outed

Monday, September 25th, 2006

Village-idiot saw a new referrer in her log and followed the link, only to find a trackback spamming tool - spamming as she loaded the page.

She's hoping to get the website shut down, but the site is on Layeredtech, and so far they've been ignoring her pleas, despite her posting on alt.spam and digg and reaching out in various ways.

Now, with the recent wave of hackings you’d think the website was hacked. But the owner of the spamming site is the owner of the spamvertized site (lendingtreecenter.com), so you’d most likely be wrong.

The whois for affiology.com, where the script is located, is sort of obfuscated:

syarief, agung netspions@hotmail.com
Somewhere in US
Cali, California 10101
United States
(210) 101-0101 Fax –

But some comment spam from January 2005 carries his name, and the domain extra-long.com (no extra points for guessing what it’s about) with this whois:

registrant-firstname: Agung
registrant-lastname: Syarief
registrant-street1: 2700 S Azusa
registrant-street2: Apt 261
registrant-pcode: 91792
registrant-state: CA
registrant-city: West Covina
registrant-ccode: US
registrant-phone: +1.6262894155
registrant-email: asyarief@gmail.com

(That phone number may or may not be his. I found a listing for someone else at that number.)

And, interestingly enough, all his websites found so far are at 72.232.76.73.

Agung, you want to explain this?

AOL spammer

Tuesday, July 18th, 2006

I've been getting quite a lot of spam from AOL the last few days. I counted 136 messages - trackbacks. All about ringtones. Links pointing to AOL user homepages. Multiple users with names containing "ringtone".

The pages themselves don’t work in Firefox, because of some junk before the html tag, but the search engines should gobble them up, because the browser receives the whole page, it just doesn’t display it.

I suspect a bait and switch to happen at a later date. Right now I can’t find a payoff.

But anyway, filter by proxy.aol.com, and watch out for real commenters among the catch.

An interesting fact is that the user agent is broken:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Zahariev spam not done by Zahariev

Thursday, May 18th, 2006

Remember a long time ago, when I tracked a longtime blogspammer to Bulgaria? Todor and Iavor Zahariev are spammers, as far as I know.

Trouble is, at some point they seemed to switch gears, and started using Moniker with fake whois data. The rest seemed identical, so I thought it was the Zahariev twins.

Trouble is, I assumed too much. The Moniker whois coupled with support-something e-mail addresses in the whois, and usually US faked names and addresses, is a mark of another spammer. An early trace led to Israel, but I couldn’t make sense of it and discounted it.

Turns out that was the best trace.

shetef.com

Registrant:
Shetef Solutions Ltd.
10 Azmaut Street
Ness-Ziona, ISRAEL 74010
IL

Administrative Contact, Technical Contact:
Dascalu, Yonat ziv@web2000.us
Shetef Solutions Ltd.
21 Tlalim street
Raanana 43568
IL

I received a piece of information recently that I can’t divulge. But it squared completely with this information. For a while I didn’t see any spam from them. I don’t know if they were inactive or just avoided my friends.

But they seem to be back, if the post below is any indication:

Another trackback spam storm overnight…

Yet another blogsubmitter

Monday, September 26th, 2005

And this one is talking about putting ONE ping or comment on other people’s blogs. Hmmmm….

Thus trying to avoid getting penalized by Google.

Sounds vaguely different from Maryann Myer's scheme. Her massive comment bonanzas were easy to spot and devalue.

If he’s indeed talking about posting to blogs that didn’t agree to participate, he’s breaking the ethical code (no law against it yet, unless you want to stretch existing law).

And according to Search Engines Web, who tipped me with a comment on Grab Bag, he received an e-mail with this thing. He didn’t say if it was a spam e-mail, but the sender has been caught e-mail spamming before. Just search for his e-mail address and you’ll find lots of affiliate schemes he’s been trying to hawk. He’s got a few NANAS records dating back to 2000 and 2002!

At any rate, I thought I’d dissect the sample (minus the headers. Remember munged headers next time, SEW).

The URL in the e-mail was
newera2000.net/blogsubmitter/
which has a meta refresh to
hop.clickbank.net/?juareze/satcom&l=2
which does a 302 redirect to
www.spagack.com/flex/cape.php?l=1&hop=juareze&l=2
Which then ends up at
http://www.holygrailofadvertising.com/

What this means is that the guy who sent SEW the e-mail is an affiliate of the program hawker. Both spagack and holygrailofadvertising belong to the same outfit and sit on the same server. And they both have whois protection. Not taking any chances, eh?

IP: 216.171.218.222
It’s on MARKETRENDS PRODUCTIONS at marketrends.net’s IP block.

The affiliate, on the other end, isn’t quite as careful.

The domain is sitting on a DSL line in Mexico!
And it allegedly belongs to this guy:

Trujillo, Alex webmaster@newera2000.com
Marcelino Davalos
No. 72
Col. Algarin. Delegacion Cuauhtemoc
Distrito Federal, 06880
MX
52 55301543

203.116.214.2 spammer

Saturday, September 10th, 2005

I upgraded annelisabeth.com to MT 3.2 yesterday. In the process, I didn’t transfer the .htaccess over, so my blocks have been off for half a day.

I did wonder why I suddenly got so many trackbacks. One of the spammers is someone I hadn’t seen before.

Spambot:
203.116.214.2

This is an IIS server from Singapore. I obviously don’t know if it’s compromised or leased.

User agent:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

IP numbers:
69.50.175.93
69.50.175.94
80.77.82.193
80.77.88.232

I’m in the middle of tracing, so I expect there are more IP numbers.

The whois info on the domains on his servers is fake. He goes by several names. Not sure it’s even worth including. And the sites he has on those domains are seemingly legit. At the bottom he includes some dyndns subdomain sites with filthy names. So the domains are there just to give links to the subdomain pages.

The subdomain pages generally load a javascript named in.js. It redirects to another page that opens popup hell. Porn popups.

The spammer seems experienced on some fronts, and like a noob on others. My guess is it’s a new spammer.

And be careful. There are reports of malware from one of the domains.

Hinter, Dakonis

Sunday, August 14th, 2005

I've been on the trail of some spammers lately, that I've dubbed Hinter Inc.

They've probably got many names. Some CWS hijackers in the mix here too. I got a new batch of trackbacks from them today, so I did some more digging. Nothing earth shattering here. If you've got more, please contribute.

Keeps flogging dead site

Tuesday, July 19th, 2005

There’s a spammer who just keeps sending trackbacks for a dead site:

ceixnoirs.dyndns.org

It was taken out by dyndns.org on Sunday, and I got a fresh batch of trackbacks this morning. This has to be a new guy? I mean, most spammers at least figure out quickly that their dyndns sites are gone!

And he keeps using that same IP number: 203.116.214.2

I notified the owners about the abuse, but nothing’s happened.

I first saw this spammer (that I know of) July 13, when he was pushing an orgfree.com subdomain. They terminated him, and he moved on to dyndns July 16, after having taken a day off spamming.

69.50.170.18

Saturday, July 16th, 2005

I’ve gotten a LOT of trackbacks lately. But with temperatures hovering in the low eighties, I’ve avoided the computer as much as possible. Now, with a rainy day, it’s time to expose some spammers.

One of the latest, who may be a new one, is now spamvertizing dynamic IP subdomains hosted on 69.50.170.18.

Earlier he was pushing an orgfree.com subdomain, but they booted him. Either for spamming or for having adult content - either is against their rules.

The spam is always coming through 203.116.214.2, which is an open proxy.

User agent:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.

Payoff:
searchadv.com ID: 10092

There are no domains associated with this spammer, so I can’t track him further yet. I’ll update if/when I get more.

Got it too

Wednesday, July 13th, 2005

Rojisan is griping about a trackback spam run. I got it too. Irritating buggers.

The domain that forwards to cheapmp3 is also owned by the spammers, as far as I can tell:

u5srv.com
212.158.165.202
“Global Metal”, abuse addresses at caravan.ru

Kruger Store Inc
Michelle Frankson (michellefrankson@gmail.com)
1059 Mineral Wells Ave
Paris
null,38242
US
Tel. +91.7316441070

Domain servers in listed order:
ns1.u5srv.com
ns2.u5srv.com

Registration Service Provided By: ESTDOMAINS