Archive for the 'Trackback spam' Category

Comment spam run from Genaholincorporated

Friday, July 8th, 2005

I suspect Genaholincorporated/Tigerspice of being behind the current comment spam run, which was followed by a massive trackback run. The MO is very similar, but we can’t be sure, of course. What I do know is that genaholincorporated.com was re-spammed a little over a week ago, so he’s active.

Sites are on these IP numbers:
216.32.82.51
216.32.82.52
72.36.161.180

The spam itself was sent through proxies.

Server error

Saturday, July 2nd, 2005

Just got a trackback spam on annelisabeth.

This one’s interesting, in that it appears to be a blog. It looked valid on the face of it.

When you open the page, you get a Server Error message.

But since I opened it in a text browser, I saw a bunch of table junk beneath it and got suspicious enough to scroll to the bottom. Turns out there are lots of porn links…

I’m still unsure who this spammer is, but keep an eye out for trackbacks that lead to pages with a server error. That could be cleverly concealed spam!

I also noticed that the IP number the spam was entered from is that of the server hosting the site. Even the front page of the site shows a Server Error message. And although the page insists there’s a 500 error, the HTTP status code is actually 200…

Embedded proxy

Monday, June 27th, 2005

I got some trackback spam on annelisabeth.com. I’ll write up the spammer later. But one thing caught my attention.

The IP number the spam came from appears to be running an embedded webserver. That’s a chip!

So it’s either an open proxy or a webserver under the control of the spammer.

Have fun testing it!
66.208.198.22

Webtouch.info

Tuesday, June 21st, 2005

I tracked a spammer I hadn’t noticed before today. The identifying pattern is that the domains have name servers from webtouch.info.

Webtouch

High paying Adsense

Friday, June 17th, 2005

Got a trackback on annelisabeth.com today.

It advertised many subdomains on
purichee.info

And when I checked earlier trackbacks, I found some more from June 15:
tellskin.info

And the same spammer spamvertized a number of other domains on other sites.

I did some digging:

He’s been at this at least since June 1, 2005.

The point is to present a dead end to surfers, so they’re redirected to a page that just displays the name of the site (including subdomain).

However, spiders will see a directory with links. Googlebot is specifically instructed to not index the page, but is expected to follow the links.

The next layer of pages is also protected with JavaScript to throw off human visitors, who get the same purple page.

The next layer is the final layer, and has Adsense on it:
pub-9219922125396009

It also contains what must be random filler text; in one case, information about Mars.
One part of the text was scarfed from an encyclopedia article, another from Biology Daily, and a third section from Biography.

And the final section is scraped search engine results. Many of the links are dead.

I checked a page for another topic altogether. That one also had an astronomical article as the middle content.

Conclusion: This is a scheme to get pages to rank for high paying Adwords. There’s no other point to the pages. In other words, it’s both search engine spam and Adsense spam.
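Both concealment tricks on this page, the fake Server Error page from the post above and the noindex,follow directory that bounces humans away with JavaScript described here, can be caught with one small check on a fetched trackback target. This is an added example, not the blog’s own tooling; the HTML samples, the MIN_LINKS threshold and the .invalid hostnames are all constructed for it.

```python
"""Classify the page behind a trackback link (an added example, not the blog's
own tooling).  Flags two concealment tricks: a body that claims a server error
while the HTTP status is 200 and a pile of links sits under it, and a directory
that tells spiders noindex,follow but redirects humans away with JavaScript.
All HTML samples below are constructed for this example."""
import re

LINK_RE = re.compile(r'<a\s[^>]*href=["\']?(https?://[^"\'\s>]+)', re.I)
# Assumes name= precedes content= in the meta tag, as it usually does.
META_ROBOTS_RE = re.compile(
    r'<meta\s[^>]*name=["\']?(?:googlebot|robots)["\']?[^>]*content=["\']([^"\']+)', re.I)
JS_REDIRECT_RE = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=|location\.replace\(')
MIN_LINKS = 10  # threshold chosen for the example; tune it to your own pages

def analyze_target(status: int, html: str) -> dict:
    """Return findings for one fetched trackback target (status code + body)."""
    text = re.sub(r'<[^>]+>', ' ', html).lower()
    links = LINK_RE.findall(html)
    robots = [r.lower() for r in META_ROBOTS_RE.findall(html)]
    claims_error = re.search(r'\b(server error|500 internal)\b', text) is not None
    # "noindex,follow" without nofollow: don't index me, but do crawl my links
    noindex_follow = any('noindex' in r and 'follow' in r and 'nofollow' not in r for r in robots)
    findings = {
        'status': status,
        'link_count': len(links),
        # page says 500, server says 200, and the "error page" is full of links
        'fake_server_error': claims_error and status == 200 and len(links) >= MIN_LINKS,
        # spiders get a link farm, humans get redirected before they see it
        'spider_only_links': (noindex_follow and JS_REDIRECT_RE.search(html) is not None
                              and len(links) >= MIN_LINKS),
    }
    findings['suspicious'] = findings['fake_server_error'] or findings['spider_only_links']
    return findings

# Constructed samples: a fake error page, a cloaked directory, and a real post.
FAKE_ERROR_PAGE = ('<html><body><h1>Server Error</h1><p>500 Internal Server Error</p><table>'
                   + ''.join(f'<tr><td><a href="http://site{i}.example.invalid/">x</a></td></tr>'
                             for i in range(12)) + '</table></body></html>')
CLOAKED_DIRECTORY = ('<html><head><meta name="googlebot" content="noindex,follow">'
                     '<script>window.location = "/deadend.html";</script></head><body>'
                     + ''.join(f'<a href="http://sub{i}.example.invalid/">topic</a>' for i in range(15))
                     + '</body></html>')
REAL_BLOG_POST = '<html><body><p>A post.</p><a href="http://example.invalid/about">about</a></body></html>'

if __name__ == '__main__':
    for name, page in [('fake error', FAKE_ERROR_PAGE), ('cloaked', CLOAKED_DIRECTORY), ('real', REAL_BLOG_POST)]:
        print(name, analyze_target(200, page))
```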

Whois:

Domain Name:PURICHEE.INFO
Created On:14-Jun-2005 00:26:06 UTC
Last Updated On:15-Jun-2005 23:45:52 UTC
Expiration Date:14-Jun-2006 00:26:06 UTC
Sponsoring Registrar:R171-LRMS
Registrant Name:Freddy Dirkson
Registrant Street1:PO Box 3411 345 Nesville Ave
Registrant City:Toronto
Registrant State/Province:Ontario
Registrant Postal Code:M3L 3K9
Registrant Country:CA
Registrant Phone:+1.4164542655
Registrant Email: afflink@hotmail.com

The phone number is from Toronto, Rogers Cantel wireless. Might be legit.

New trackback run

Thursday, May 26th, 2005

There was a new trackback run tonight. Lots of 403s in my log, and two managed to punch through. I’ll delete them tonight.

Anyway, the specifics:

Rolling user agents and proxies.

URL:
illcom.com

pings:
193.124.133.138

Registered at Namecheap by:

NA NA (denise.yeager@gmail.com)
NA
Fax:
NA
null
New York, NY 10002
US

Name Servers:
ns1.the-dns.net
ns2.the-dns.net

I’m unsure what the payoff is. Can anyone help me figure that out?

Trackbacks from 3fn.net

Thursday, May 12th, 2005

I just got a trackback to annelisabeth.

No apparent spam message, but the IP that left the trackback is:

209.66.120.12
sys17.3fn.net
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.0

3fn is NOT benign! It’s a webhost that hosts many spammers. Among them Alexander Morozov/Dyakon.

The post it was attached to is from February, which means it’s unlikely to be legit no matter what.

Invisible trackbacks still count

Monday, May 9th, 2005

I’ve noticed that some older versions of Movable Type often have links to a trackback page for each post. They’re fashioned like this:

mt-tb.cgi?__mode=view&entry_id=821

The problem with these is that there could be loads of trackbacks on that page which aren’t visible on the blog post page. And if the owner is lax with security and moderation, he may have no idea that those pages are indexed by search engines and spammed to death.

I’ve got quite a few feeds under observation for exactly that problem. And yes, as one of the spammers taught us, MT makes feeds of everything:

mt-tb.cgi/821?__mode=rss
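The run described under New trackback run above (lots of 403s, a couple of pings that punched through, rolling user agents) and requests for the mt-tb.cgi listing pages from this post both show up in an ordinary Apache combined access log. The following is an added example, not tooling from the blog; the log lines, the TEST-NET addresses and the /mt/ install path are constructed for it.

```python
"""Summarise trackback pings per source IP from an Apache combined access log
(an added example, not the blog's own tooling).  It makes a run visible in the
log: the 403s, the few pings that got through, hosts rotating user agents, and
hosts that also pulled the mt-tb.cgi listing page.  Log lines are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TRACKBACK_PATH_RE = re.compile(r'/mt-tb\.cgi(?:/|\?|$)')  # Movable Type's trackback CGI

SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2005:22:01:10 +0200] "POST /mt/mt-tb.cgi/821 HTTP/1.0" 403 211 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [26/May/2005:22:01:12 +0200] "POST /mt/mt-tb.cgi/822 HTTP/1.0" 403 211 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.0"
198.51.100.7 - - [26/May/2005:22:01:15 +0200] "POST /mt/mt-tb.cgi/823 HTTP/1.0" 200 97 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [26/May/2005:22:01:40 +0200] "GET /mt/mt-tb.cgi?__mode=view&entry_id=823 HTTP/1.0" 200 4120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [26/May/2005:22:02:03 +0200] "POST /mt/mt-tb.cgi/821 HTTP/1.0" 200 97 "-" "Opera/7.54 (Windows NT 5.1; U)"
203.0.113.9 - - [26/May/2005:22:03:03 +0200] "GET /2005/02/some-post.html HTTP/1.0" 200 9000 "-" "Opera/7.54 (Windows NT 5.1; U)"
"""

def summarize_trackback_pings(log_text: str) -> dict:
    """Group requests to mt-tb.cgi by IP: ping counts by outcome, distinct
    user agents, and whether the host also viewed the trackback listing."""
    report = defaultdict(lambda: {'pings': 0, 'accepted': 0, 'rejected': 0,
                                  'user_agents': set(), 'viewed_listing': False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not TRACKBACK_PATH_RE.search(m['path']):
            continue  # unparseable line, or not a trackback request at all
        entry = report[m['ip']]
        if m['method'] == 'POST':  # a trackback ping
            entry['pings'] += 1
            entry['user_agents'].add(m['ua'])
            if m['status'] == '200':
                entry['accepted'] += 1
            elif m['status'] == '403':
                entry['rejected'] += 1
        elif '__mode=view' in m['path']:  # someone reading the listing page
            entry['viewed_listing'] = True
    return dict(report)

def punched_through(report: dict) -> list:
    """IPs with at least one accepted ping: those trackbacks need deleting."""
    return sorted(ip for ip, e in report.items() if e['accepted'])

def rotating_user_agents(report: dict) -> list:
    """IPs that changed user agent between pings, a hallmark of these runs."""
    return sorted(ip for ip, e in report.items() if len(e['user_agents']) > 1)
```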

List of domains to block

Tuesday, May 3rd, 2005

There’s one spammer that’s very hard to block. He goes by several different names, including Kirk Douglas and Andy Hoffman. The closest to a real name is probably Ded Moroz. But so far we don’t know who he is. He does perfect his technique almost on the fly, and is very aggressive. He cycles the blogs he spams, so chances are you’ll be hit eventually, for a while. I wrote about this one last week, while I was being spammed by him.

Please help us keep a list of domains he’s spamvertizing. We’ve put this list on a Wiki, so anyone can update:

Genaholincorporated spammer
(Check the blogroll for this link when you need it later on)

A good way to check if your spam is from this spammer is to compare with whois info he’s used before. He shakes things up a bit now and then, but you can usually see a pattern. One such pattern is the use of a gmail address, often encoded with the domain name. He uses Enom registrar, and uses custom name servers.

I’ll ask Joe (the maintainer of the Wiki) to put a paragraph near the top where we can put new domains we find in our logs, so others can put those in their blocks soon.

For WP there’s a place you can ban domains. And for other blogs there are plugins that let you block domain names.

Is there a way to subscribe to an RSS of that page, Joe?

Careful spammer

Monday, May 2nd, 2005

Not much to write about lately. I pounce on just about any spam I get…

Anyway, I got visited by a very careful spammer on annelisabeth.com.

This is the sort of spammer that is so careful, he should sail by all filters.

I’ve gotten 4 trackback spams total (didn’t see the last two until today). Two on April 22, and two on April 29. In between those two dates, someone was probing my blog, including trying to get access to a directory he couldn’t pull up an index of.

Spamming from:
82.80.40.210
bzq-80-40-210.red.bezeqint.net
81.218.218.118
bzq-218-218-118.red.bezeqint.net

User agent:
Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Probing from:
67.113.225.66
adsl-67-113-225-66.dsl.snfc21.pacbell.net

Now this probing could be someone else. This is a very bad bot; Google turns up lots of recorded stats on it. It basically tries to get into every directory, whether it’s welcome or not. It may be a bot looking for secret stuff. A report from 2003 had that IP address looking for video feeds, although that’s a bit long for an IP number to stay assigned to the same outfit. Who knows.

As for what the spammer is peddling, I’ve written him up before:
Casino spammer

His newest domain name:
mcr8.com
Whois protected, of course.