Archive for the 'Uncategorized' Category

Problem with the webserver

Saturday, March 29th, 2008

Hi guys.

There’s a problem with the webserver this site is on. I don’t know exactly what happened, because they didn’t tell me. My website is intact, but it looks like they haven’t put in mod_rewrite yet, which my website relies on to produce pretty URLs.

I don’t know how long it’ll be before mod_rewrite gets put in. But until that happens, only the first page will work. You can find my e-mail address if you go to the “About Me” link further down the right pane.

authenticated user

Tuesday, March 11th, 2008

I’ve seen countless examples lately of mail sent from legitimate accounts via Squirrelmail. Do a search for “authenticated user” on news.admin.net-abuse.sightings and sort by date. You’ll see it’s become quite common.

I don’t know exactly what’s happening here, but I assume spammers have stolen passwords for legitimate accounts somehow.

I know of one case where the spammer changed the password of the account a while after the spamrun was complete.

If your established password stops working, do some due diligence after you get a new one issued.

The spammy mails were still in the Sent box in one account!

OT: We’re sorry, this video is no longer available

Sunday, February 3rd, 2008

I came across this Youtube problem a few days ago. Videos embedded in a Norwegian online newspaper didn’t work. Although the preview photo was still there, when I clicked on the video to start it, I got the message:

We’re sorry, this video is no longer available

But when I clicked on “menu”, I got the URL for the Youtube page for that video, and when I went there, the video worked.

And today, the embedded video works again - in that same online page!

A video I found today on a Myspace profile didn’t work, yet when I found the link on the Youtube page for pages linking to the video, I found that it DID work when embedded - on Facebook!

This problem has been reported at least since late December. And some have correctly noted that there are Youtube users who elect to not allow embedding of their videos, or that a video may be set to private. But none of these videos had those settings enabled.

So something’s wrong over at Youtube. And since I haven’t found any explanation for it, I’m opening up the floor for suggestions, speculation and maybe downright solving this?

OT: Disappearing e-mails

Tuesday, October 3rd, 2006

Apparently, disappearing e-mails are the new rage in some (business) situations.

Just a little rant here: If I receive such an e-mail, I’ll go get my cameraphone and snap a picture of the screen. The best cameraphones today are totally capable of snapping readable images of the screen. And they’re fast, so you should be able to get several images if it’s a long message. And yes, I’ve tested it, works with my cameraphone!

Heck, some of those services may even be susceptible to a screen capture!

A cameraphone and a screen grab was even part of the plot of the recent movie Firewall…

Another trend is ReadNotify. Don’t trust that either. Some friends tested that out on me a few years ago (I was told they tested it). Doesn’t work if you’ve got an e-mail program that’s severed from the internet when you read messages, unless you purposely allow interaction with the internet. At least, they never got it to work when they sent messages to me…

So, the moral is: This sort of thing works some of the time, but you shouldn’t rely on it. If you send it to someone like me (and there are many like me on the net), expect it to bite you down the line. If it’s imperative nobody can prove you sent an e-mail, don’t send it. And failure to get a result with ReadNotify doesn’t mean the e-mail was never read.

Fake affiliate links on root site

Thursday, September 7th, 2006

A comment spam contained a redirect URL that eventually led to a page on the search-4-pills.com site.

I accessed the root site, and found this meta code:

[image: affredirect.gif]

That looked suspicious, so I checked around some.

The side panels also include links with that affiliate code in them. But those only go back to the same site. However, the payoff links are to klik.php on 64.111.210.10.

So, I guess the game is deniability. When someone complains about their spamming, they’ll tell their webhost that no, they don’t spam. It was one of their affiliates who spammed!

Problem is, I believe this is a ploy. The real affiliate links are the klik.php ones, and the typical affiliate links on the site are put there to throw off anti-spammers and the webhost.

So complain away, if you get spam that ends up on one of their sites.

Here’s whois and IP:

09/07/06 14:33:41 whois search-4-pills.com
208.66.194.130
Registrant Contact:
izaak Inc
tanney stern enos@search-4-pills.com
1000910598 fax: 1000496838
Suite 653
Fort Wayne Fort Wayne 1360
GB

DNS:
ns3.cnmsn.com
ns4.cnmsn.com

Created: 2006-06-05
Expires: 2007-06-05

That IP also contains two other sites:

09/07/06 14:39:21 whois YOURBESTPILLS.COM

Registrant Contact:
waverley Inc
talbert vaughn nicholas@yourbestpills.com
1000443914 fax: 1000107590
Suite 496
Portland Portland 4319
GB

Created: 2006-05-17
Expires: 2007-05-17

09/07/06 14:40:56 whois CHOSENMEDS.COM

Registrant Contact:
olav Inc
tom emmit wheeler@chosenmeds.com
1000566354 fax: 1000144511
Suite 986
Kurgan Kurgan 4383
GB

Created: 2006-05-17
Expires: 2007-05-17

And a third used to be on there. It currently doesn’t resolve:

09/07/06 14:41:51 whois REDIRFEED.COM

Registrant Contact:
darnell Inc
lyle emmanuel xenos@redirfeed.com
1000125582 fax: 1000094719
Suite 150
Libreville Libreville 1544
GB

DNS:
ns3.cnmsn.com
ns4.cnmsn.com

Created: 2006-03-22
Expires: 2007-03-22

That site had the same code, according to the Google cache. The affiliate number was different, but otherwise, it’s the same type of site.

And they have an image at the bottom with this text:
Copyright 2006
Online Pharmacy Catalog
All rights reserved

Anyboard forums susceptible to redirects

Saturday, September 2nd, 2006

I found some spam for uploads on a forum powered by the anyboard forum software. Here’s an example of a working redirect (will probably be removed by tomorrow):
strongisland.com/anyboard9/si-anyboard/uploads/cheap-fioricet.html

The developers have been notified.

It should be possible to ban search engine spiders from the uploads directory via robots.txt. The forum would still be indexed. If you own a forum like that, please consider doing that, even if the developers make a fix available.

More trojans on Inhoster

Thursday, August 31st, 2006

My previous post was only scratching the surface.

By checking for domains on IP numbers and then googling them, I found legions of subdomains (almost all of them visibly spamvertized) on all domains on these IP numbers that had the banner URL that led to the Web Attacker code mentioned in my previous post:

216.255.185.9
216.255.185.10
216.255.185.11
216.255.185.12
216.255.185.13
216.255.185.14
216.255.185.15
216.255.185.16
216.255.185.17
216.255.185.18
216.255.185.19
216.255.185.20
216.255.185.21
216.255.185.22
216.255.185.23
216.255.185.24
216.255.185.25
216.255.185.26

And probably a lot more.

And I found a Norwegian pay-per-click search engine that had a Norwegian-language page from one of the domains. Considering the spammers have possibly paid money for that placement, it’s a big vote AGAINST that SE: hent.no

More whois info:

uniq-soft.com (one of the cutouts) on 81.177.26.26

09/01/06 11:53:20 whois uniq-soft.com

Registrar Onlinenic

Registrant:
Fedorchenko-mladshiy fedir@ep.ua +7.4954950099
Fedorchenko-mladshiy
Lubyanka
Moscow,Moscow,RUSSIAN FEDERATION 100998

Domain Name:uniq-soft.com
Record last updated at 2006-08-09 19:46:23
Record created on 2006/8/9
Record expired on 2007/8/9

Domain servers in listed order:
ns1.game4all.biz
ns2.game4all.biz

09/01/06 11:55:02 whois gruhit.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
WorlLTD
Orly        (orly65@bk.ru)
Olimpiskay 20-65
Himki
Cy,654287
RU
Tel. +634.564342748

Creation Date: 21-Feb-2006
Expiration Date: 21-Feb-2007

Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

09/01/06 11:56:40 whois FREEFOK.COM

Registrant:
MainGlac
Lenin Ilich        (estdomains@mail.ru)
krzsnay plochad - 1
Moskwa
Moskovskaya oblast,654198
RU
Tel. +095.65178922

Creation Date: 21-Feb-2006
Expiration Date: 21-Feb-2007

Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

Basically, they use different whois details for every other IP number, so this could go on forever.

phpBB redirect code

Monday, August 7th, 2006

And the litany of vulnerable apps continues:

I got spammed with a link to a free forum site. A link to the front page of said user-created forum. I got curious, and found that the user somehow got a redirect into the code.

Turns out the code was in the subheading of the post, the only post on that forum.

[image: phpbb code]

Anyone with a free service handing out phpBB forums to those who sign up had better make sure that hole is plugged. I haven’t had time to check regular phpBB forums. Hopefully it is plugged :-(

Update: It was interesting to see how that particular free provider had solved the problem. They substituted <, " and > with their HTML entity equivalents, which display the characters correctly but mean the META refresh no longer works. With this substitution, HTML or JavaScript wouldn’t work either, but BB code would. The META refresh code the spammer inserted is now clearly visible in the subtitle, but there is no redirection.
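The fix the provider applied (escape the subtitle, then apply BB code) is easy to get wrong if the two steps run in the other order. Here is an added example of that approach, not the provider’s or phpBB’s own code: the subtitle is HTML-escaped first, and only a small whitelist of BB code tags is turned into markup afterwards, so a planted META refresh is displayed as text rather than acted on. The sample subtitle and the example.invalid URL are constructed for the demonstration.

```python
import html
import re

# Constructed sample: the sort of META refresh a spammer could plant in a
# subtitle (hypothetical payload, not taken from the original post).
SPAMMY_SUBTITLE = '<meta http-equiv="refresh" content="0;url=http://example.invalid/">'

# The only BB code accepted in subtitles; everything else stays literal text.
_BBCODE = [
    (re.compile(r"\[b\](.*?)\[/b\]", re.S), r"<b>\1</b>"),
    (re.compile(r"\[i\](.*?)\[/i\]", re.S), r"<i>\1</i>"),
]


def render_subtitle(raw: str) -> str:
    """Escape first, then apply BB code, so only our own tags become HTML.

    html.escape turns < > & " ' into entities; the browser shows them as
    characters but never parses them as markup, which is exactly the
    behaviour the post describes (visible META refresh, no redirect).
    """
    escaped = html.escape(raw, quote=True)
    for pattern, replacement in _BBCODE:
        escaped = pattern.sub(replacement, escaped)
    return escaped


def contains_active_html(rendered: str) -> bool:
    """True if the rendered output still holds a raw tag a browser would act on."""
    return re.search(r"<(meta|script|iframe|img|a)\b", rendered, re.I) is not None


if __name__ == "__main__":
    out = render_subtitle(SPAMMY_SUBTITLE)
    print(out)
    print("active HTML left:", contains_active_html(out))
    print(render_subtitle("[b]Cheap stuff[/b] <b>not bold</b>"))
```

The order matters: escaping after the BB code substitution would also neutralise the <b> and <i> tags the site itself generated, while substituting BB code before escaping is fine only because the whitelist never copies attacker-controlled text into an attribute.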

Fake referrer spambot

Sunday, July 9th, 2006

I first noticed this IP when I was wondering about referrers that just didn’t add up. They were for ordinary blogs that didn’t have links to my site. I was starting to wonder about a software glitch somewhere, when I noticed that all the referrers were from the same IP number.

220.163.31.141

But there’s a point to the madness:

This is a spambot in service for a spammer in China (as far as I can tell). The spam has gibberish on it, and the domain spamvertized is cnn4.cn. There are redirects to various permutations of cnnxx.cn. I haven’t done much snooping, because of the situation in China (domain registrations are often in the name of the registrar).

But referrers and user agents are blank, except for some accesses with the fake referrer (blank user agent even then). And the bot accesses the same posts over and over.

Update: When that IP is blocked, the same spam comes from these IPs:

220.163.33.27
218.242.74.174 (new July 22)
72.232.9.234 (new August 6, does google.com and disney.com spam. Probably another entity)
61.141.145.251 (new August 14)
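The pattern described above (blank user agent, referrers pointing at blogs that never linked here, the same posts fetched over and over from one IP) is easy to pick out of an access log automatically. The following is an added example, not code from this site: it parses Apache combined-format lines and flags an IP when at least two of those three signals line up. The log lines, IP addresses and hostnames are constructed for the demonstration; the thresholds are assumptions you would tune to your own traffic.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one bot-like client and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jul/2006:10:00:01 +0200] "GET /2006/07/post-a/ HTTP/1.1" 200 5120 "http://blog-one.example/" ""
203.0.113.7 - - [09/Jul/2006:10:00:05 +0200] "GET /2006/07/post-a/ HTTP/1.1" 200 5120 "http://blog-two.example/entry" ""
203.0.113.7 - - [09/Jul/2006:10:00:09 +0200] "GET /2006/07/post-b/ HTTP/1.1" 200 4711 "" ""
203.0.113.7 - - [09/Jul/2006:10:00:13 +0200] "GET /2006/07/post-a/ HTTP/1.1" 200 5120 "http://blog-three.example/" ""
198.51.100.4 - - [09/Jul/2006:10:01:00 +0200] "GET /2006/07/post-a/ HTTP/1.1" 200 5120 "http://www.google.com/search?q=x" "Mozilla/5.0 (X11; Linux)"
198.51.100.4 - - [09/Jul/2006:10:02:00 +0200] "GET /about/ HTTP/1.1" 200 2048 "http://example.org/2006/07/post-a/" "Mozilla/5.0 (X11; Linux)"
"""


def parse_log(text):
    """Return one dict per parseable combined-format line."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def flag_referrer_bots(rows, min_hits=3, min_ref_domains=2, min_repeat=3):
    """Return {ip: [reasons]} for IPs matching the fake-referrer spambot pattern.

    Signals (assumed thresholds): blank User-Agent on every hit, referrers
    from several unrelated domains, and the same path fetched repeatedly.
    An IP is flagged when at least two signals fire.
    """
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)

    flagged = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_hits:
            continue
        reasons = []
        if all(h["ua"] == "" for h in hits):
            reasons.append("blank user-agent on all requests")
        ref_domains = {urlsplit(h["ref"]).hostname for h in hits if h["ref"]}
        if len(ref_domains) >= min_ref_domains:
            reasons.append(f"{len(ref_domains)} distinct referrer domains")
        paths = Counter(h["req"].split(" ")[1] for h in hits if h["req"])
        top_path, top_n = paths.most_common(1)[0]
        if top_n >= min_repeat:
            reasons.append(f"{top_path} fetched {top_n} times")
        if len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, why in flag_referrer_bots(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(why))
```

Blocking by IP alone is a losing game, as the list above shows; the flagged output is more useful as input to a rule that also drops requests with an empty User-Agent and a referrer host that has never actually linked to the site.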

The move is almost complete

Saturday, July 8th, 2006

I’ve moved this site to a new server. The DNS hasn’t quite propagated all over, but most visitors will see this new site.

There are some gremlins with weird characters in the imported databases, but apart from that I haven’t seen any problems. Could you guys notify me if you see anything wrong? Either comment on this post, or e-mail me. You’ll find an e-mail address on the About Me page.