Archive for the 'Uncategorized' Category

DDOS attack

Tuesday, July 4th, 2006

My blog is under a DDOS attack at the moment. It’s back up right now, but the attack goes on.

Read more about the outfit that’s behind the DDoS attack at ZDNet’s spyware blog.

I’m looking at more DDoS-proof hosting…

Update: This particular trojan is designed in such a way that it’ll most likely keep the denial of service attack up as long as there are still infected machines out there. The only way it’ll stop is if the trojan is removed or updated.

I’ve made some changes to the site that are inconveniences, both to me and visitors. But with these changes, the DDoS attack won’t make my webhost knock me offline.

Don’t let the mice get your computer!

Saturday, June 3rd, 2006

A friend lives in an old farmhouse miles from civilization. Miles from broadband connections.

He had an older computer that had been upgraded until it got way too slow. And when I asked about it last time we met, he said it didn’t work at all anymore.

Mice had gotten into it and chewed through the wiring during the winter, according to his best calculations.

!!!!

I guess there’s a reason for cats being the favorite geek pet?

Spamhaus and one angry spammer

Saturday, June 3rd, 2006

Bill Stanley got very angry with Spamhaus, and registered an old standby in the spammer circuit:

spamhaussucks.com

And then proceeded to webspam an article about it. Including one to my blog, and I’ve also seen it on various forums.

Saying “up yours” to Spamhaus that way is about the dumbest move any spammer could make. Watch Bill Stanley go up in flames, digitally speaking!

Gloating NANAE thread 

Mail spammer branching out?

Wednesday, May 17th, 2006

I’ve been tracking certain comment spams that had …interesting contents.

The first I was aware of advertised e-mail lists for “email marketing”. The payoff in the spam was an e-mail address, but I also found a website address. On that website, spam hosting is especially mentioned. There’s a debate raging on a Russian forum about his services, how long the site will last, etc.

Today I found two messages from the same outfit. This time selling skimmers. Yes, I’m talking about bank card skimmers! This is clearly illegal. He’s also selling dumps and PINs. I’m guessing he’s referring to card numbers with PINs.

As I checked the logs, I found the same IP address and user agent selling those Russian grandmother dolls. The e-mail address used in those spam comments is linked with the e-mail lists through earlier spams I found on the internet. Those are mainly written in Russian.

The name on the registration of the domains involved is:

person: Alexey A Gusarov
phone: +7 906 1373729
e-mail: rassilka2006@yahoo.co.uk

At first I was unsure if this was the person behind the spam (due to the nature of Russian domain registrations), but the e-mail address is also used in the spam runs.

He’s also implicated in ICQ spam:

Domains (if you want to run him to ground…):

modmo.ru
424000.com
interneo.ru

E-mail addresses used in the spams (some of them hidden):

klimenkov-alekse@inbox.ru
kloffert007@yahoo.co.uk
eduard-rozumov@mail.ru
interneoster@gmail.com
admin@megafona.net

ICQ: 194-8-194

He’s spamming forums, with a registered user: Interneohyk007

The Russian sites have Alexey A. Gusarov as the owner, but the non-Russian ones have different whois info, probably fake:

megafona.net

Dougherty, Kevin arnybiz@yahoo.co.uk
616 Richards Lane
Champaign, IL 61820
US
9090909099

424000.com

Haza Int
Arnold Drew
Russia
Yoshka, MR 424000
RU
Phone: 1.75784845
Fax..: none
Email: arnybiz@yahoo.co.uk

Weird e-mail “spam” problem

Monday, August 29th, 2005

Suddenly, my e-mail spam was spiking on one of my domain accounts. I’d been extremely careful with that address. It was NOWHERE to be found on the web. I still got the occasional spam. Probably hand harvested, but probably not sold yet.

So, suddenly I get a lot of “spam”.

I didn’t understand it. Some of them even have my name (which isn’t visible in my e-mail address) and an IP address. It looked as though this company was keeping track of how the address was harvested, and that somebody had subscribed me to something.

So I start trying to trace the number. Couldn’t find anything. Silly me, I should have searched my hard drive, because I would have found it…

Today I got a bounced message I didn’t send. And the content of said message solved the mystery. It was sent out through a service called tafmaster.com. And the contents of the mail were from a sweet old lady I know, who’s been having repeated issues with spam on her machine. She’s quite often had trouble cleaning it. So my first hunch is that she has some kind of malware on it.

Tafmaster is a service that earns money for people who send out stuff to their friends, so it’s possible someone sent out a virus or trojan to mass send mail to contacts of his/her victims.

The mail looked as though it was sent by me, and sent to someone I don’t know, but the X-Sender and Sender headers were typical of the service. The mail contents looked as though they were from the sent mail folder of my friend. It contained enough identifying information that I knew at once who it was. And the IP address noted in the spam I’d received matched as well.

I haven’t heard back from my friend, and in the meantime, the spam keeps pouring in. I suspect most of it is actually mailing lists, but I’ve even had some 411 spam (multiples from the same name even).

So my question here is: assuming this sweet old lady hasn’t misconfigured her computer so it sends out e-mail as me, what could it be that she has on her computer? It could be some old malware, but since this became a problem just a few days ago, it might be a new strain.
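The post solved the mystery by noticing that the Sender and X-Sender headers (and the relay IP) belonged to a third-party service even though From: carried the owner’s address. The following is an added example, not code from the post: it parses a constructed bounce body with Python’s standard email module and reports which injection-revealing headers (Sender, X-Sender, Return-Path) disagree with the From: domain, plus the IP of the first relay from the topmost Received: header. The message text, domains and addresses are all constructed placeholders, not the service named above.

```python
import email
import re
from email.utils import parseaddr

# Constructed bounce content modelled on the situation in the post: a mail that claims to
# come from the blog owner but was injected by a third-party "tell a friend" service.
# Domains, addresses and IPs are placeholders (documentation ranges), not real data.
CONSTRUCTED_MESSAGE = """\
Return-Path: <bounce-8841@tellafriend-service.example>
Received: from mx.tellafriend-service.example (mx.tellafriend-service.example [192.0.2.10])
\tby mail.example.org with ESMTP id k7TAbc123
\tfor <stranger@example.org>; Mon, 29 Aug 2005 10:14:02 +0200
X-Sender: tellafriend@tellafriend-service.example
Sender: tellafriend@tellafriend-service.example
From: "Blog Owner" <owner@example.net>
To: stranger@example.org
Subject: A friend thought you would like this
Message-ID: <20050829081401.8841@tellafriend-service.example>

Check out this page!
"""

# A constructed message the owner really sent from their own mail server, for contrast.
CONSTRUCTED_GENUINE = """\
Return-Path: <owner@example.net>
Received: from mail.example.net (mail.example.net [198.51.100.20])
\tby mx.example.org with ESMTP id k7TXyz456; Mon, 29 Aug 2005 11:00:00 +0200
From: "Blog Owner" <owner@example.net>
To: friend@example.org
Subject: hello

Hi there.
"""

# Matches the "from host (host [ip])" clause at the start of a Received: header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]+)\s+\[([\d.]+)\]\)")

def header_domain(msg, name):
    """Domain part of the address in header `name`, lower-cased, or None if the header is absent."""
    value = msg.get(name)
    if value is None:
        return None
    _, addr = parseaddr(value)
    domain = addr.rpartition("@")[2].lower()
    return domain or None

def first_relay_ip(msg):
    """IP of the host that handed the mail to our side, taken from the topmost Received: header."""
    received = msg.get_all("Received") or []
    for value in received[:1]:
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header first
        if m:
            return m.group(3)
    return None

def envelope_report(raw):
    """Compare the visible From: domain with the headers that reveal who actually injected the mail."""
    msg = email.message_from_string(raw)
    from_domain = header_domain(msg, "From")
    mismatched = []
    for name in ("Sender", "X-Sender", "Return-Path"):
        domain = header_domain(msg, name)
        if domain is not None and domain != from_domain:
            mismatched.append((name, domain))
    return {"from_domain": from_domain,
            "mismatched": mismatched,
            "first_relay_ip": first_relay_ip(msg)}

if __name__ == "__main__":
    for label, raw in (("service-injected", CONSTRUCTED_MESSAGE), ("genuine", CONSTRUCTED_GENUINE)):
        print(label, envelope_report(raw))
```

A non-empty mismatch list does not by itself prove abuse (mailing lists legitimately set Sender), but combined with a relay IP you do not recognise it is exactly the evidence the post used to tie the bounce to the tell-a-friend service rather than to the owner’s own mail server.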

Complications

Wednesday, July 6th, 2005

Got a sort of threat today. Not sure what to make of it. If you guys would help me speculate?

Vinnie’s spammer

Check the first comment there, and my responses.

Alseo spammer

Monday, July 4th, 2005

I found a new spammer on my internet trawls:

Alseo

Has the dubious honor of having a few domains suspended by ESTdomains/Directi!

Gizmo puzzle solved

Friday, June 10th, 2005

Remember a long time ago I griped over some funny referrers I couldn’t figure out? I sent the domain owner of gizmo.org an e-mail, but received no reply.

Now the puzzle is solved, as the bot owner has come forward:

Michel Arboi is using a bot as his personal Netcraft-style crawler. He originally gave it a random referrer, but stopped doing it since it gave the domain owner trouble.

Michel, how about you put a referrer to your own domain in the user agent, leave the referrer empty and explain what you’re doing on your own domain name? Use a free website if needed, as long as you give a good explanation (so it won’t be taken down).

Blacklist for worm infected machines

Thursday, June 9th, 2005

I’m just curious. Is there a blacklist for worm infected machines? Wouldn’t that be helpful?

I’ve seen some probes in my logs, trying to probe these ports in sequence:
5554
1023
9898

Most of the machines I’ve seen lately have been from Asia. China and Hong Kong. Hmm, come to think of it, those might be bad guys looking for infected machines… Maybe I should include their IP addresses?

It would have been interesting to have a blacklist where you could submit based on unsolicited probes. The problem is probably differentiating between bad guys and infected computers?
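To turn the probe pattern the post describes into something a log reader can flag, here is an added example (not code from the post): it parses constructed netfilter-style syslog lines, groups connection attempts by source address, and reports sources that hit the post’s three ports in that order within a time window. It also lists the distinct ports each source touched, which is the kind of per-source view you would need before deciding whether a source looks like an automated probe or something else. The log lines, addresses and the 60-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port order the post reports seeing in its logs; used here as the pattern to match.
PROBE_SEQUENCE = (5554, 1023, 9898)

# Constructed netfilter-style syslog lines (not the blog's real logs); addresses come from
# documentation ranges. One source probes all three ports within seconds, one skips 1023,
# one spreads the three ports over ten minutes, and one only asks for port 80.
SAMPLE_LOG = """\
Jun  9 03:12:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4211 DPT=5554 SYN
Jun  9 03:12:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4212 DPT=1023 SYN
Jun  9 03:12:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4213 DPT=9898 SYN
Jun  9 03:14:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN
Jun  9 03:15:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=3341 DPT=5554 SYN
Jun  9 03:15:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=3342 DPT=9898 SYN
Jun  9 03:20:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=1000 DPT=5554 SYN
Jun  9 03:25:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=1001 DPT=1023 SYN
Jun  9 03:30:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=1002 DPT=9898 SYN
"""

# syslog timestamp, then the SRC= and DPT= fields that netfilter's LOG target writes
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*?\bSRC=(\S+)\b.*?\bDPT=(\d+)\b")

def parse_events(log_text):
    """Return {src_ip: [(timestamp, dst_port), ...]} in log order, skipping lines that do not parse."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group(1).split())               # collapse the day padding in "Jun  9"
        when = datetime.strptime(stamp, "%b %d %H:%M:%S")  # syslog lines carry no year; deltas still work
        events[m.group(2)].append((when, int(m.group(3))))
    return events

def probed_in_sequence(events, sequence, window):
    """True if the ports in `sequence` were hit in that order, all within `window` of the first hit."""
    for i, (t0, p0) in enumerate(events):
        if p0 != sequence[0]:
            continue
        want = 1
        for when, port in events[i + 1:]:
            if when - t0 > window:
                break
            if port == sequence[want]:
                want += 1
                if want == len(sequence):
                    return True
    return False

def find_sequence_probers(log_text, sequence=PROBE_SEQUENCE, window_seconds=60):
    """Sources that ran the full port sequence inside the window, in order of first appearance."""
    window = timedelta(seconds=window_seconds)
    return [src for src, ev in parse_events(log_text).items()
            if probed_in_sequence(ev, sequence, window)]

def ports_by_source(log_text):
    """Distinct destination ports each source touched; shows who hit only part of the pattern."""
    return {src: sorted({port for _, port in ev}) for src, ev in parse_events(log_text).items()}

if __name__ == "__main__":
    for src in find_sequence_probers(SAMPLE_LOG):
        print("full sequence within 60 s:", src)
    for src, ports in sorted(ports_by_source(SAMPLE_LOG).items()):
        print(src, ports)
```

The window is the knob that answers the post’s closing worry: a tight window catches the rapid, scripted sweep, while widening it (900 seconds in the test) also pulls in the slow source, so the choice of window, not the port list alone, decides what you would be willing to submit to a blacklist.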

Conspiracies everywhere

Wednesday, June 8th, 2005

I woke up to referrers from report-abuse.dmoz.org today.

Huh? How come they were accessing the post where I celebrated being included on dmoz?

Then I found who’d probably reported me.

I also posted my take on what happened in my original post. Let’s just say the person who wrote abuse must see conspiracies everywhere…

Update:
They’re talking about this post on the dmoz forums. I’m SOOO curious what they’re saying, but don’t have access.