Archive for the 'Trackback spam' Category

Careful spammer

Monday, May 2nd, 2005

Not much to write about lately. I pounce on just about any spam I get…

Anyway, I got visited by a very careful spammer on annelisabeth.com.

This is the sort of spammer that is so careful, he should sail by all filters.

I’ve gotten 4 trackback spams total (didn’t see the last two until today). Two on April 22, and two on April 29. In between those two dates, someone was probing my blog, including trying to get access to a directory he couldn’t pull up an index of.

Spamming from:
82.80.40.210
bzq-80-40-210.red.bezeqint.net
81.218.218.118
bzq-218-218-118.red.bezeqint.net

User agent:
Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Probing from:
67.113.225.66
adsl-67-113-225-66.dsl.snfc21.pacbell.net

Now this probing could be someone else. This is a very bad bot. Google has lots of stats recorded. It basically tries to get into every directory, whether it’s welcome or not. It may be a bot looking for secret stuff. A report from 2003 had that IP address looking for video feeds. Although it’s a bit long for an IP number to be assigned to the same outfit - who knows.

As for what the spammer is peddling, I’ve written him up before:
Casino spammer

His newest domain name:
mcr8.com
Whois protected, of course.

kenwoodexcelon.com new spam campaign

Friday, April 29th, 2005

Time to block.

Whois info:

Jess Keer
NA NA (jess.keer@gmail.com)
NA
Fax:
NA
null
New York, NY 01810
US

Name Servers:
ns1.dns2007.net
ns2.dns2007.net

It’s Kirk Douglas / Andy Hoffmann in a new guise.

dawsonanddadrealty new spamrun

Thursday, April 28th, 2005

Kirk Douglas is at it with a new domain name.

Ban dawsonanddadrealty

I remember the ONSLAUGHT last time, so I’m glad I caught the first one early!

Actually, he’s been at it for at least two hours, this was just the first time he slipped through my trackback blocks.

Another trackback run

Tuesday, April 26th, 2005

The spammer from yesterday is at it again. This time it’s trackback, and the domain is shaffelrecords.com

——————

I strongly suggest having a look at my trackback solutions. The WP trackback block contains a line that blocks the majority of his attempts, since he’s still using a list of collected user agents - only a few will slip through. I’ve added one more line that will block a few more. The first two SetEnvIf lines should take care of this spammer for now.

Another approach is blocking direct POST to the trackback script. Works for WP.

————-

whois info for that domain name:

NA
NA NA (shaffelrecords.com@gmail.com)
Str. 6 Bay Pkwy
Brooklyn, NY 11204
US

DNS servers:
Name Server: NS1.SUSPENDED-FOR-ABUSE.COM
Name Server: NS2.SUSPENDED-FOR-ABUSE.COM
ns1.dns2007.net
ns2.dns2007.net

Registrar: Enom/NameCheap

This marks the spammer as the same we’ve seen earlier. The e-mail convention is also the same as we’ve seen this past week. This spammer used Yahoo mail before - only a few different accounts. He seems to be trying to hide his tracks now.

Trackback run stopped by .htaccess block

Monday, April 25th, 2005

Judging by my error log, there’s a pretty huge trackback run currently underway.

I’ve blocked certain untypical user agents, so they’re not getting through. Except for one that circumvented the block.

It’s the spammer below. Accessing wp-trackback.php directly. Looks like the same script as Yukkii used before.

Poker comment spam run

Monday, April 25th, 2005

I’m getting a rash of comment spam to this site. They trip the auto-moderation feature of WP, because of all the links. Update: Trackback run just started as well.
Second update: The comment spam run is still going. They’re pacing it, so it won’t trigger any bans based on frequency. I’ve received 32 comments so far (all moderated), because I can’t figure out how to ban this one! If he doesn’t give it up, I’ll have to install Spam Karma! Uh, looks like he’s hitting every one of my posts, starting a month ago. He’s up to April 14 now, so I expect this to keep going for a while. Grrr…

Random IP addresses and user agents.
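The run above is paced and spread over random IPs and user agents precisely so that a per-IP frequency ban never fires. What does stay constant is the content: every comment links to the same two free-hosting domains and walks the archive post by post. The following is an added example (my own illustration, not code from this blog or from WP) showing a detector keyed on that link signature instead of on IP or rate. The comment data it runs on is constructed, and the IPs, browser strings and post IDs in it are made up.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

@dataclass(frozen=True)
class Comment:
    ts: datetime
    ip: str
    agent: str
    post_id: int
    body: str

URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)

def registered_domain(host: str) -> str:
    """poker7.land.ru -> land.ru. Naive (last two labels), which is enough for the free hosts here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def link_domains(body: str) -> frozenset:
    """Set of registered domains a comment links to: the campaign signature."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return frozenset(registered_domain(h) for h in hosts if h)

def max_comments_per_ip(comments) -> int:
    """What a frequency ban keys on. A paced run with rotating IPs keeps this at 1."""
    return max(Counter(c.ip for c in comments).values(), default=0)

def campaigns(comments, min_size=5):
    """Group comments by link signature regardless of IP or agent and describe each run."""
    groups = defaultdict(list)
    for c in comments:
        sig = link_domains(c.body)
        if sig:
            groups[sig].append(c)
    runs = []
    for sig, cs in groups.items():
        if len(cs) < min_size:
            continue
        cs.sort(key=lambda c: c.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(cs, cs[1:])]
        posts = [c.post_id for c in cs]
        runs.append({
            "domains": sorted(sig),
            "comments": len(cs),
            "ips": len({c.ip for c in cs}),
            "agents": len({c.agent for c in cs}),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else 0.0,
            # A script walking the archive hits posts in order; people don't.
            "sequential_posts": posts == sorted(posts) and len(set(posts)) == len(posts),
        })
    return runs

def constructed_sample():
    """Made-up data: 12 spam comments, one every 7 minutes, each from a fresh IP with a
    rotating browser string, walking post IDs 100..111 and linking to land.ru/newmail.ru
    subdomains, plus three ordinary comments."""
    base = datetime(2005, 4, 25, 9, 0)
    agents = [
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
        "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0",
        "Opera/7.54 (Windows NT 5.1; U)",
    ]
    spam = [
        Comment(
            ts=base + timedelta(minutes=7 * i),
            ip=f"198.51.100.{10 + i}",
            agent=agents[i % 3],
            post_id=100 + i,
            body=f'nice site <a href="http://poker{i}.land.ru/">poker</a> '
                 f'<a href="http://casino{i}.newmail.ru/">casino</a>',
        )
        for i in range(12)
    ]
    legit = [
        Comment(base + timedelta(minutes=3), "192.0.2.10", agents[1], 104, "Thanks, this helped."),
        Comment(base + timedelta(minutes=40), "192.0.2.11", agents[0], 104, "See also http://example.org/notes"),
        Comment(base + timedelta(minutes=65), "192.0.2.12", agents[2], 111, "Agreed."),
    ]
    return spam + legit

if __name__ == "__main__":
    sample = constructed_sample()
    print("max comments from one IP:", max_comments_per_ip(sample))
    for run in campaigns(sample):
        print(run)
```

On the constructed data the per-IP count never exceeds 1, so a rate limit sees nothing, while the signature grouping reports one run of 12 comments from 12 IPs and 3 browser strings, evenly spaced and sweeping posts in order. The domain extraction is deliberately naive (last two labels), which is fine for land.ru and newmail.ru but would lump together unrelated sites under a two-level TLD such as co.uk.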

Sites are on:
land.ru
newmail.ru

I found ONE link on one of those sites, and it belongs to:

Donald, Kirk
NA NA (mamugs.net@gmail.com)
NA
South Brooklyn, 29th str. 34
New York, NY 10002
US

Registered on Enom, with name servers from:
PROJECTX7.COM
The first name server is on the same IP number as the website:
205.234.145.232

That domain name is owned by:
Stilman, Bred bredstilman@yahoo.com
Novodvorska 13
Ljubljana, SI 1000
Slovenia
12301274

All IP numbers are on scnet.net, which is in HostForWeb Inc.’s IP block.

The name Kirk Donald has been used by spammers before. Can’t say for sure that it’s the same spammer. Time will tell, I guess.

Update
It’s the same spammer that Nick from Threadwatch was bitching about a few days ago, according to the whois info patterns.

Casino spammer

Friday, April 22nd, 2005

Got hit by a trackback spammer on annelisabeth today. Just one. And he’s left a few comments before. Not enough to be a nuisance, but enough to establish a pattern.

IP addresses:
first: 81.218.241.143
bzq-218-241-143.red.bezeqint.net
now: 82.80.40.210
bzq-80-40-210.red.bezeqint.net

Those servers are in Israel

He’s using blogspot, and one domain with whoisprotection (GoDaddy). The domain name is not in the zone (ie, not served).

He appears to have yet another website (images hosted on a domain name), web-tfx.com. That site is on a bezeqint server:
82.80.252.53
bzq-80-252-53.dcenter.bezeqint.net

It appears to be for sale. JavaScript reveals the minimum price is over 10.000 dollars. I’d consider that a joke. Or rather, a fake for sale sign.

Another site is on:
62.219.82.1
cust-219-82-1.cust.bezeqint.net

The posts on one of these blogs are entered by Ertha Kitt.

User agents:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
trackback:
Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Header: HTTP_VIA=1.1 DRP-CACHE-7-B (NetCache NetApp/5.6.1D21)

This spammer has many domains. Many of the domains end in this: -tfx.com
Any idea why? I did find one domain on a server that appears to have sites only belonging to the spammer.

Gehl, Chaim support@trafix-ltd.com
Trafix-Computing Services LTD
6th Uri
Tel Aviv 64684
Israel
0544573249 Fax — 035223077

The dialing prefix given on another domain was: +972

Hmm, I guess now I know what tfx stands for…

They’re moonlighting as SEO professionals as well:
http://www.trafix-ltd.com/

I guess prospective customers should be aware that they’re also spammers?

Another Israeli site says about them:
This young company is moving forward in the area of Web Site Marketing, particularly in the area of Online Gambling. The site provides visitors with a clear path for understanding how the whole web site marketing process works.

BTW, here’s another spamrun from them today.

Massive trackback run

Friday, April 22nd, 2005

Nick W. of Threadwatch got a massive trackback spam run that got him lusting for revenge.

If any of you got hit by a spammer spamvertizing ace-decoy-anchors.com and have more tracking data, please comment here or there. I doubt this one’s easy to track down, he’s been at it a bit too long for that. But any break would be appreciated, if only a way to nail him every time he tries (a good block for instance).

I’d also like to compare him to the trackback spammer I got hit by yesterday.

trackback spammed today

Thursday, April 21st, 2005

I got a number of trackback spams today. Later I also found comments from the same spammer.

The spammer posted so many pieces of spam, my mailserver had a bit of trouble. He didn’t keep it going more than a few minutes, but it was pretty intense. I saw samples on another blog earlier today, so he’s probably sending spam to one server at a time until he’s through the list.

These accessed wp-trackback.php directly, which is unusual these days. That’s behavior you wouldn’t see from a real blog, and can be blocked with a WordPress plugin. It can probably be blocked with an .htaccess block specifically targeting that file as well.

He’s also accessing wp-comments-post.php directly. That’s how it usually happens, but most browsers also leave a referrer. Not all, though. Hmm, hard to block without also blocking legitimate comments.
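Both this post and the April 26 one describe the same three tells: a user agent off a collected list (the WinHttp.WinHttpRequest string), a POST aimed straight at wp-trackback.php rather than at the rewritten /…/trackback/ URL a real blog engine would use, and a comment POST with no Referer. Here is an added example (my own, not code from this blog, and not the actual .htaccess rules referred to above) that applies those three rules to Apache access-log lines so you can see after a run what each rule would have caught. The log lines are constructed; the second user-agent pattern and the Apache directives quoted in the comments are my assumed equivalents.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Apache "combined" log line: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Collected user agents of the HTTP libraries the spam scripts use. A real blog engine
# sending a trackback identifies itself (MovableType/2.65 and the like).
# WinHttpRequest is the string seen in the posts; the second pattern is an assumed variant.
BAD_AGENTS = [
    re.compile(r"WinHttp\.WinHttpRequest", re.I),
    re.compile(r"^Mozilla/4\.0 \(compatible; Win32;", re.I),  # assumed
]

# Roughly the same rules as Apache 2.2 directives (assumed equivalent, not the author's file):
#   SetEnvIfNoCase User-Agent "WinHttp\.WinHttpRequest" spambot
#   SetEnvIfNoCase Request_URI "^/wp-trackback\.php" spambot
#   Order Allow,Deny
#   Allow from all
#   Deny from env=spambot
TRACKBACK_DIRECT = re.compile(r"^/wp-trackback\.php(?:[/?]|$)")
COMMENT_POST = re.compile(r"^/wp-comments-post\.php(?:\?|$)")

@dataclass
class Verdict:
    ip: str
    path: str
    action: str   # "deny", "moderate" or "allow"
    reason: str

def classify(line: str) -> Optional[Verdict]:
    """Apply the three rules to one access-log line; None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    agent, path, method = f["agent"], f["path"], f["method"]

    # Rule 1: user agent from the collected list -> deny (the SetEnvIf line).
    for pat in BAD_AGENTS:
        if pat.search(agent):
            return Verdict(f["ip"], path, "deny", "collected user agent")

    # Rule 2: POST straight at wp-trackback.php. With permalinks on, a real blog engine
    # POSTs to the /.../trackback/ URL and never names the script itself.
    if method == "POST" and TRACKBACK_DIRECT.match(path):
        return Verdict(f["ip"], path, "deny", "direct POST to wp-trackback.php")

    # Rule 3: comment POST without a Referer. Most browsers send one, not all do,
    # so this only sends the comment to moderation instead of denying it.
    if method == "POST" and COMMENT_POST.match(path) and f["referer"] in ("", "-"):
        return Verdict(f["ip"], path, "moderate", "comment POST without Referer")

    return Verdict(f["ip"], path, "allow", "")

def summarize(log_text: str) -> dict:
    """Count verdicts over a whole log: what you'd run after a spam run to see what got through."""
    verdicts = [v for v in map(classify, log_text.splitlines()) if v is not None]
    return dict(Counter(v.action for v in verdicts))

# Constructed sample log (not real traffic): two spam trackbacks, one genuine
# MovableType trackback, one referer-less comment POST and one normal comment.
SAMPLE_LOG = """\
82.80.40.210 - - [22/Apr/2005:10:14:02 +0200] "POST /wp-trackback.php?p=143 HTTP/1.1" 200 35 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
203.0.113.7 - - [22/Apr/2005:10:20:31 +0200] "POST /archives/2005/04/22/casino-spammer/trackback/ HTTP/1.1" 200 40 "-" "MovableType/2.65"
198.51.100.9 - - [22/Apr/2005:11:02:55 +0200] "POST /wp-trackback.php/143 HTTP/1.0" 200 35 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.9 - - [22/Apr/2005:11:03:10 +0200] "POST /wp-comments-post.php HTTP/1.0" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.44 - - [22/Apr/2005:11:30:00 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://annelisabeth.com/archives/2005/04/22/casino-spammer/" "Mozilla/5.0 (X11; Linux i686; rv:1.7.7) Gecko/20050414 Firefox/1.0.3"
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        v = classify(line)
        print(f"{v.action:8} {v.ip:15} {v.path}  {v.reason}")
    print(summarize(SAMPLE_LOG))
```

The third rule is the one to be careful with: as noted above, not every browser sends a Referer, which is why it only pushes the comment into moderation. The first two are safe to deny outright, because a trackback arriving with a generic HTTP-library agent string, or addressed to the script by name, is not coming from anyone’s blog software.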

The trackbacks are part nonsense, part real domain names. One of the domains was probably entered by fluke. The first two pages on 1bc.com were last modified in 1999.

free-online-poker-000.biz on the other hand, belongs to the spammer:

Administrative Contact Name: Yukkii
Administrative Contact Organization: e-leave
Administrative Contact Address1: 3 Connell Dr.
Administrative Contact City: Berkeley Heights
Administrative Contact State/Province: NY
Administrative Contact Postal Code: 07922
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.9082342243
Administrative Contact Email: yukkikunikkennen@yahoo.com

Old acquaintance…

The website isn’t served right now, probably just standard MO. It should be up in less than a week.

Here are the proxy servers:

202.224.241.14
218.199.97.152
61.56.158.158
61.195.167.151
68.85.163.73
216.65.116.18
62.37.236.193

All of them with this header:
[CONTENT_TYPE] => application/x-www-form-urlencoded
Which I’ve also found with genuine trackbacks: MovableType/2.65 and more.

Many of them sporting this header:
[HTTP_MAX_FORWARDS] => 10

And some with VIA headers:
205.132.32.10
[HTTP_VIA] => 1.0 webmail

148.244.223.236
[HTTP_VIA] => webshield.daltile.com.mx

217.97.16.1
[HTTP_VIA] => 1.0 szuwarek.tpnet.pl

Eugene Blagodarny - porn spammer

Monday, April 18th, 2005

I’ve been keeping an eye on some porn spammers. Some usually leave trackbacks with sites on dynamic dns servers. This one however used comments.

I followed the trail of one such site (from dyndns site to site it redirects to via JavaScript), and ended up on the same server as Eugene Blagodarny’s advanced-submitter. It’s exactly the kind of software used for spamming the blogs.

So, my question is, do all the sites on that server belong to Eugene Blagodarny, or just the two connected with his submitter software?

Oh yes, he’s got something to do with it. Might even be his. The e-mail address used for registering the porn domains uses an e-mail address from a domain registered by Eugene.

Mark Bosner is often the name associated with the domains, when there’s someone associated with them at all.

But since the e-mail address given for those domain names resolves to Eugene’s own e-mail address (VRFY is disabled on most mail servers, but this one was sloppy…), I think we can bypass Mark Bosner easily:

Yep, unless Eugene is fronting for someone else, he’s a spammer himself.

I trust that wasn’t a big surprise?
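The VRFY trick mentioned above is worth a closer look, since it is what turned a throwaway contact address into the real mailbox behind it. An SMTP server that still honours VRFY answers 250/251 with the expanded mailbox (or 553 with a list of candidates), while a properly configured one answers 252 and tells you nothing. Below is an added example of the exchange, written by me and not taken from this blog or from any tool it mentions. The server transcripts are constructed, and the host names and mailboxes in them are invented; the code itself speaks plain RFC 821 SMTP.

```python
import io
import re
import socket

# SMTP reply line: three-digit code, then "-" for a continuation line or " " for the last line.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
MAILBOX_RE = re.compile(r"<([^<>]+@[^<>]+)>|(\S+@\S+)")

def read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply; return (code, [text of each line])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        m = REPLY_RE.match(raw.decode("ascii", "replace").rstrip("\r\n"))
        if not m:
            raise ValueError(f"malformed SMTP reply: {raw!r}")
        lines.append(m.group(3))
        if m.group(2) == " ":
            return int(m.group(1)), lines

def send(wfile, cmd):
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()

def mailboxes_in(lines):
    """Pull every <user@host> (or bare user@host) out of the reply text."""
    return [m.group(1) or m.group(2) for line in lines for m in MAILBOX_RE.finditer(line)]

def vrfy(rfile, wfile, address, helo="probe.example"):
    """HELO, VRFY, QUIT over an open connection, then classify what the server admitted.

    Returns (status, detail):
      "resolved"  250/251: server expanded the address; detail is the mailboxes it named
      "ambiguous" 553: several candidates; detail is those mailboxes
      "no_user"   550: mailbox does not exist
      "disabled"  252: server will not verify (the hardened default); detail is the reply text
      "refused"   anything else
    """
    code, _ = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"unexpected greeting {code}")
    send(wfile, f"HELO {helo}")
    code, _ = read_reply(rfile)
    if code != 250:
        raise RuntimeError(f"HELO rejected with {code}")
    send(wfile, f"VRFY {address}")
    code, lines = read_reply(rfile)
    send(wfile, "QUIT")
    if code in (250, 251):
        return "resolved", mailboxes_in(lines)
    if code == 553:
        return "ambiguous", mailboxes_in(lines)
    if code == 550:
        return "no_user", lines
    if code == 252:
        return "disabled", lines
    return "refused", lines

def vrfy_over_tcp(host, address, port=25, timeout=10):
    """Live probe. Only point this at a server you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return vrfy(rfile, wfile, address)

def vrfy_against_transcript(server_lines, address):
    """Replay a canned server transcript offline; returns (result, commands the client sent)."""
    rfile = io.BytesIO("".join(l + "\r\n" for l in server_lines).encode("ascii"))
    wfile = io.BytesIO()
    result = vrfy(rfile, wfile, address)
    sent = wfile.getvalue().decode("ascii").split("\r\n")[:-1]
    return result, sent

# Constructed transcripts (not real servers). The sloppy one expands the alias,
# the ambiguous one returns a multi-line 553, the hardened one answers 252.
SLOPPY_SERVER = [
    "220 mail.example.net ESMTP",
    "250 mail.example.net",
    "250 Alias Owner <owner@example.net>",
    "221 mail.example.net closing connection",
]
AMBIGUOUS_SERVER = [
    "220 mail.example.net ESMTP",
    "250 mail.example.net",
    "553-Ambiguous; possibilities are",
    "553-<jsmith@example.net>",
    "553 <jdoe@example.net>",
    "221 Bye",
]
HARDENED_SERVER = [
    "220 mail.example.org ESMTP",
    "250 mail.example.org",
    "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery",
    "221 Bye",
]

if __name__ == "__main__":
    for name, transcript in [("sloppy", SLOPPY_SERVER), ("ambiguous", AMBIGUOUS_SERVER), ("hardened", HARDENED_SERVER)]:
        print(name, vrfy_against_transcript(transcript, "contact@example.net")[0])
```

Expect "disabled" almost everywhere today; that 252 is the correct behaviour, and a server that hands you the alias target is misconfigured. That is exactly why it only works against the sloppy ones, and why you should not run the live variant against anything you do not own or have permission to probe.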

Posts in other blogs about the same topic:
1, 2, 3, 4