Archive for the 'Wiki spam' Category

libwww-perl and exploits

Friday, November 9th, 2007

I’ve noticed some URLs that are left in my logs: a path to my wiki, and then through some (working or not) redirect to somewhere else, always ending in a ?. I see many of those links in Google, so it’s possible the point is to get the URLs into statistics summary pages.
Here’s an image with the code I found when accessing one of those pages. Usually they end in a 404, as the owners of the servers realize what is going on (I assume), but sometimes I see the code. I’m wondering what this code does to someone who browses to that page?

Questionable code image

The user agent is always some permutation of libwww-perl, and the page where the code is located often has the extension .txt, making it seem harmless. After having seen several of these pages, the code seems slightly different each time.

I originally meant to only provide one example of code, but I’ve seen some that went even further, and I’ll try and give examples of those too.

Here’s one that seems extremely fishy. Although it’s a text file, be careful when opening it! I noticed that the file was last changed November 4. What’s interesting about this particular domain name is that a hacker left a message on another site with an e-mail address on that domain. And e-mail addresses from that domain have also been used for spam (not sure which type, since I can’t read the language of the site that collected those addresses).

Some other domains are on Yahoo’s servers (old Geocities, sometimes), and some of the sites appear to have been hacked. But the registration data seems whacked enough that I’m not sure. Here’s an example. That address doesn’t exist, and the phone number is from elsewhere in the US:

Domain Name………. baguscrew.net
Creation Date…….. 2007-10-24
Registration Date…. 2007-10-24
Expiry Date………. 2008-10-24
Organisation Name…. aris asmoro
Organisation Address. 565 ne norton ave
Organisation Address.
Organisation Address. bend
Organisation Address. 97701
Organisation Address. CO
Organisation Address. UNITED STATES

Here’s another code snippet.

Loads of new wiki users

Friday, November 9th, 2007

I’ve noticed that my wikis had way too many users, and guessed most of them belonged to spammers. But what I didn’t know was that most of them are recent. One wiki had around 440 users, and around the 26th of September what appears to be one particular spammer started creating users en masse. The wiki had 150 users up until then. The other blog had over 1500 users before I started deleting.
I recently had to close edits to anyone but logged in users, to try to stem the tide, in addition to using Bad Behavior. And if I have loads of already created users just waiting to be used by a spammer, I have a problem!

So check your database, and look at the users. I bet you’ll find lots of users you can safely delete!
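One way to do that check, as an added example that is not part of this post or of MediaWiki: the script below is mine and works on rows modelled on MediaWiki’s user table (user_name, user_registration, user_editcount), which is an assumption about how you export them. It finds days with a burst of registrations compared to the wiki’s normal rate and lists the accounts from those days that have never edited, which is the set I would review before deleting. The rows are constructed sample data.

```python
from collections import defaultdict
from statistics import median

# Constructed sample rows (not a real wiki's data), modelled on MediaWiki's user table:
# (user_name, user_registration, user_editcount). MediaWiki stores user_registration
# as a 14-digit YYYYMMDDHHMMSS string, which is what the slicing below assumes.
SAMPLE_USERS = [
    ("Alice", "20070110093000", 42),
    ("Bob", "20070315120000", 7),
    ("Carol", "20070801080000", 3),
    ("Dan", "20070920150000", 0),    # registered on a quiet day, never edited: not flagged
    ("Erin", "20070926020000", 2),   # real user who registered during the burst but has edits
] + [
    # a batch of throwaway accounts created within hours of each other on two days
    (f"Xq{n:02d}zk", f"20070926{n:02d}0000", 0) for n in range(1, 13)
] + [
    (f"Wv{n:02d}pj", f"20070927{n:02d}3000", 0) for n in range(1, 11)
]


def reg_day(timestamp):
    """YYYYMMDD part of a MediaWiki timestamp."""
    return timestamp[:8]


def registrations_per_day(users):
    counts = defaultdict(int)
    for _name, ts, _edits in users:
        counts[reg_day(ts)] += 1
    return dict(counts)


def burst_days(users, factor=5, minimum=5):
    """Days whose registration count is at least `minimum` and more than
    `factor` times the median daily count, i.e. clearly above the wiki's normal rate."""
    per_day = registrations_per_day(users)
    baseline = median(per_day.values())
    return sorted(day for day, n in per_day.items() if n >= minimum and n > factor * baseline)


def deletion_candidates(users, factor=5, minimum=5):
    """Accounts registered on a burst day that have never edited. Accounts with
    edits are kept for manual review rather than bulk deletion."""
    days = set(burst_days(users, factor, minimum))
    return [name for name, ts, edits in users if reg_day(ts) in days and edits == 0]


if __name__ == "__main__":
    per_day = registrations_per_day(SAMPLE_USERS)
    for day in burst_days(SAMPLE_USERS):
        print(day, per_day[day], "registrations")
    print(len(deletion_candidates(SAMPLE_USERS)), "accounts to review for deletion")
```

The median is used as the baseline rather than the mean so that the burst days themselves do not drag the "normal" rate up; on the sample data it flags the 26th and 27th and leaves the lurker who registered on a quiet day alone.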

Spam on mac.com

Friday, September 28th, 2007

This is weird…

I was checking my logs for weird patterns, and found that spammers search my wiki. A lot. And since search doesn’t work, it’s weird. I find that they search for spam. One pattern is to search for phentermine and similar, and another is to search for specific URLs that spammers have tried to insert as spam - I assume.

One such URL led to mac.com:

idisk.mac.com/mysharon/Public/narutoporn.html

I harvested the page, removed the redirect javascript, and loaded it. The page looks like a Blogger blog post. The “About me” page is greyed out, as is any other typical blogger system link - or removed altogether.

So, how did a spampage get on a Mac site? I don’t find ANY reference to idisk.mac.com except with the directory mysharon.

Could someone who knows how to get Apple’s attention please notify them?

Incidentally, the spammer that searches for lots of URLs tends to use this malformed user agent:

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Might be the same bunch (or someone using the same software) that are churning out comment spam from this IP on Inhoster: 85.255.117.226
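As an added example (my code, not the blog’s), the script below pulls the three signals from these two posts out of a web server access log: a libwww-perl user agent, a request path that ends in a bare ?, and a user agent whose parentheses don’t balance, like the nested Mozilla/4.0 string above. It assumes the Apache/nginx combined log format; the log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (an assumption about the log being read):
# host ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic) imitating the patterns the posts describe.
SAMPLE_LOG = """\
10.0.0.1 - - [09/Nov/2007:10:00:01 +0100] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
10.0.0.2 - - [09/Nov/2007:10:00:02 +0100] "GET /wiki/index.php/Talk:Main_Page?http://redirect.example/go?u=http://landing.example/x.txt? HTTP/1.0" 404 312 "-" "libwww-perl/5.805"
10.0.0.3 - - [09/Nov/2007:10:00:03 +0100] "GET /wiki/index.php?search=phentermine HTTP/1.1" 200 4001 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.4 - - [09/Nov/2007:10:00:04 +0100] "GET /wiki/index.php/Some_Page? HTTP/1.1" 200 2000 "-" "LibWWW-Perl/5.79"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_libwww_perl(agent):
    # The user agent in these hits is "some permutation of libwww-perl"; match case-insensitively.
    return "libwww-perl" in agent.lower()


def has_trailing_query(path):
    # The redirect chains described above always end in a bare "?".
    return path.endswith("?")


def is_malformed_agent(agent):
    # A genuine browser UA has balanced parentheses; the nested
    # "Mozilla/4.0 (compatible; ... Mozilla/4.0 (compatible; ...)" string does not.
    return agent.count("(") != agent.count(")")


def scan_log(text):
    """List (ip, path, reasons) for every parsable line that trips at least one signal."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if is_libwww_perl(rec["agent"]):
            reasons.append("libwww-perl agent")
        if has_trailing_query(rec["path"]):
            reasons.append("path ends in ?")
        if is_malformed_agent(rec["agent"]):
            reasons.append("unbalanced parentheses in agent")
        if reasons:
            findings.append((rec["ip"], rec["path"], reasons))
    return findings


def hits_per_ip(findings):
    """Count suspicious requests per source IP, to decide what to block or report."""
    return Counter(ip for ip, _path, _reasons in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, reasons in found:
        print(ip, path, ", ".join(reasons))
    print(hits_per_ip(found))
```

Feeding a real access log in via `scan_log(open(path).read())` gives the per-IP counts that make it easy to see which addresses to block or to report to their provider.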

A domain on that server seen in spam is this one: willywonka.co.in

Whois: Registrant Name:Nick Priest
Registrant Organization:IQ inc.
Registrant Street1:Pr. Pobedy 102
Registrant City:Kiev
Registrant Postal Code:05033
Registrant Country:UA
Registrant Phone:+93.456474776
Registrant Email:lustiq@p5com.com

I found 20 more domains on there (.com and .org, probably more domains with other TLDs), and they were very similar. Spot checks revealed they all belong to the same person, though he sometimes uses a Buenos Aires address. I’ve mentioned this guy before.

Insistent wiki spam

Wednesday, September 26th, 2007

For a while now, I’ve seen very insistent wiki spam on both wikis I maintain, and no doubt on many other wikis I haven’t checked.

The spammer is the same in most cases. He uses a never-ending stream of new IP addresses (most likely proxies) and keeps overwriting his own edits. The end result is that you can’t use the rollback feature on MediaWiki unless you keep diligent watch all day long.

The most effective way I’ve seen of reverting the edits is to find, in diff mode, the last unaffected edit before he started spamming, click on that revision, then click edit and save.

I’ve locked (protected) most of the talk pages, adding a piece of text asking people to edit a universal talk page. That won’t work for very busy wikis, which hopefully have other spam filtering in place. I’ve never seen spam on wikibooks, for instance.

The latest wave of spam is typical genre porn. Affiliate links are hidden deep in the pages. The latest links have been on .cn pages. Few wikis would have any interest in .cn links, so the whole TLD might be worth adding to the blacklist.

Most of today’s spam is on this IP: 203.116.63.123. It’s from Starhubinternet in Singapore. One of the domains is registered through Estdomains:

N/A
Henry Verinton (support@gay-pornclub.com)
Manfred Av. 34
Huntsville
Alabama,35801
US
Tel. +001.8003867409

Another (Chinese) domain has this info:

Registrant name: OpobaUjojo
E-mail: o_ujojo@yahoo.com

Update: The barrage of wiki spam became too much work. I’ve set the wiki to only accept edits from logged in users. New: Only to discover that wasn’t enough. The MediaWiki setting I used only hides the edit tab for unregistered users, unless you go to for instance diff pages (the edit tab is visible there), and it probably doesn’t stop unregistered users from “guessing” the edit URL.

Addiction wiki spammer

Tuesday, May 22nd, 2007

Someone added a new page to my wiki today. The name of the page was “Alcohol Intervention”. The content of the page seemed perfectly reasonable. If it had been on topic, it would have passed superficial inspection. But the link to the page was added first, and it was added many line breaks below the content on another page. So… the method was suspect from the get-go.

So, here’s someone who made an effort to write a perfectly reasonable page on alcohol addiction, with some credible links at the bottom, mainly to edu and authority sites. Yes, and the spammer’s own domain at the beginning of the article.

But here are some domains associated with this spammer - he’s got links to several at the bottom of the website he spamvertized on my wiki:

druginterventions.net - 205.234.132.159
drugrehabprogram.net - 72.34.32.176
heroin.org - 205.234.146.222
addictiontreatmentcenter.com - 205.234.140.184
floridadrugrehab.com - 205.234.253.132
helpaddicts.com - 75.126.44.60
drugrehabcenter.com - 66.113.130.222
dual-diagnosis.net - 75.126.44.69
addictionsearch.com - 66.225.219.7
detox-center.com - 75.126.44.71

All of these appear to have an 800 number as a payoff. I couldn’t figure out how that worked, until I found evidence that they have a treatment center. I suppose if you called for a free consultation, you might get a hard sell for coming to the treatment center.

This one appears to be owned by someone else, and has a different payoff, but has links to the same network of websites. Incidentally, the website is owned by someone with the same last name as a therapist employed by the same center as the other websites, and a press release about said therapist is pointing to this site:
enhancedhealing.com - 72.41.61.196

But the main bulk of websites either have whois protection, or the whois tends to point to this guy:

(Whois of two domains removed. The owner of the domains says he got scammed by someone he paid to submit to article directories. He now says this post comes up as the number one result on Google when searching for his name. If you’re curious, his full name is associated with many of these domains anyway, but let’s just assume he’s learned his lesson, and there’s no need to permanently embarrass him.)
Another domain associated with Gerald is kgolf.net. It’s been extensively spamvertized, including one January 2006 sighting, here.
It’s a scraper site with Adsense as payoff. The site is currently owned by Gerald, though I can’t say how long he’s owned it without looking at whois history (anyone?).

And the fact that this is probably a real person, is underscored by this press release:

Drug Rehab Launches New Drug and Alcohol Addiction Talk Show

So, who did the spamming? I don’t know. The IP address is from the Philippines: 61.9.75.136. Also associated with this spam: 61.9.75.189 and the username Shamra.

Wiki-spam attack from diving-deep

Saturday, April 28th, 2007

I woke up today to a quite massive attack on my wiki. Large edits to lots of pages. The links spamvertized are all to free forums, misused forums belonging to other people and various other non-hacker exploits.

So far the exploited pages all redirect to one domain:

diving-deep.net
216.255.179.196

That’s in Intercage space - they’ve been notified.

The whois is interesting: it points to Norway. The person is allegedly:

Billy Fulkerson (geojon@care2.com)

And the address and phone number point to the Neptun hotel in Haugesund, Norway. Yep, the address and phone number are legit, but I doubt they have anything to do with the spammer. The registrar is KLIK MEDIA GMBH. Remember them?

The IP numbers used for the spam run are all proxies.

The spammer is affiliate number 35vm5c with evoplus.

—————

Update:

Intercage nullrouted them, and they immediately switched to 85.255.115.213 at inhoster. Intercage is upstream, and immediately nullrouted them again, and now they’re on 212.176.41.8 which I believe is on equant.ru. Unfortunately that website is entirely in Russian, and I have trouble figuring out who to contact. Some help would be appreciated? I sent an e-mail to the contact for the IP numbers. And then I contacted the DNS provider as well. Awaiting reply.

Update May 4:

No response from either the current webhost or the DNS provider. And the spamming has started up again - two new wiki diffs on a wiki I own today.

Category spam

Monday, April 16th, 2007

The latest spam attempt (who knows if it’s serious or a test) is an attempt to use the category syntax in MediaWiki. The syntax looks similar to a category, except there’s a spammy link before the regular syntax. Once you look at the actual page, that link will not appear inside the categories box, but the link will work. Here’s the example I found:
Wiki diff
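As an added example (my code, not MediaWiki’s or this blog’s) that serves both the .cn blacklist idea from the “Insistent wiki spam” post and the category trick described here: the scanner below takes the wikitext of an edit and reports external links on a blacklisted TLD and external links that sit on the same line as a [[Category:...]] tag. The wikitext is a constructed sample. MediaWiki’s own $wgSpamRegex setting takes a PCRE pattern, so the TLD check could be expressed there too; the helpers here are a Python equivalent, not MediaWiki code.

```python
import re
from urllib.parse import urlsplit

# Any external link in wikitext, bare or inside [ ... ] brackets.
EXT_LINK_RE = re.compile(r'https?://[^\s\[\]<>"|]+', re.IGNORECASE)

# An external link (bare or bracketed) followed on the same line by a category tag.
# The link renders and works, but does not show up in the page's categories box.
LINK_BEFORE_CATEGORY_RE = re.compile(
    r'(\[?https?://[^\s\[\]]+(?:\s[^\]]*)?\]?)\s*\[\[\s*Category\s*:', re.IGNORECASE
)

# TLDs the wiki has no legitimate use for (the post suggests .cn for its wikis).
BLACKLISTED_TLDS = {"cn"}

# Constructed sample edit, not a real diff.
SAMPLE_EDIT = """\
== Dive sites ==
Some notes about the reef. See http://reef.example.org/map for the map.

[http://cheap-pills.example.cn/buy cheap pills][[Category:Dive sites]]
http://more.example.cn/go
[[Category:Norway]]
"""


def external_links(wikitext):
    return EXT_LINK_RE.findall(wikitext)


def host_tld(url):
    """Last label of the URL's host, lower-cased; '' if the host has no dot."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def blacklisted_links(wikitext, tlds=BLACKLISTED_TLDS):
    return [u for u in external_links(wikitext) if host_tld(u) in tlds]


def links_hidden_in_categories(wikitext):
    """External links that share a line with a category tag, in the order found.
    This is a heuristic: a legitimate link on the same line as a category is flagged too."""
    hits = []
    for line in wikitext.splitlines():
        m = LINK_BEFORE_CATEGORY_RE.search(line)
        if m:
            hits.append(m.group(1))
    return hits


def scan_wikitext(wikitext, tlds=BLACKLISTED_TLDS):
    """Reasons to hold or reject an edit; empty lists mean nothing was found."""
    return {
        "blacklisted_tld": blacklisted_links(wikitext, tlds),
        "link_before_category": links_hidden_in_categories(wikitext),
    }


if __name__ == "__main__":
    for reason, links in scan_wikitext(SAMPLE_EDIT).items():
        print(reason, links)
```

Run over the text of each incoming edit (or over a dump of recent revisions), this lists the links that a quick glance at the rendered page would miss, which is exactly the weakness the category trick relies on.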

Nuisance wiki changes

Friday, April 13th, 2007

I discovered someone making small changes to my wiki pages. Some changes were malicious. Others were just removing the + in front of international phone numbers. Hard to figure out, until you take into account changes made by the same IP numbers on other sites. Sometimes rolling back previous changes, or partial earlier changes.

Here are the IP numbers associated with this behavior:

200.238.102.170
200.238.102.162

200.26.140.154
61.144.122.45

Several of these are on “free proxy” lists.

Any idea who’s behind this and what the point is?

Newest trend in wiki spam

Wednesday, February 21st, 2007

I’ve found the newest trend in wiki spam seems to be to go after pages that don’t usually have content on them. Like category pages and talk pages connected to categories. Talk pages in general are popular, and I’ve also had quite a bit of spam coming to Talk:W/w/index.php

In the beginning I would just delete the pages, but the spammers would just come back. So I’ve taken to protecting those pages, THEN removing the comments by editing. At least then they’ll have to find other pages to vandalize.

The upload spammer

Sunday, August 6th, 2006

Webspam is constantly evolving. A while ago a spammer told us spammers had long since moved on from what we anti-spammers were writing about: that webspam had moved on from comment spamming blogs. And I was sure he was right. What I’m seeing now is the newbies spamming my blog. The spammers who don’t yet know what they’re doing, for the most part, with a few comment spammers who rely on inventive wording thrown in.

Today I’ve been on the trail of a spammer who’s constantly trying new things. He’s been at this for a long time. Eugene Blagodarny (some of you are no doubt tired of my talking about him). Lately he’s been using upload scripts to place spammy pages on otherwise clean sites. Not links to spammy pages, but regular throwaways that redirect to his money sites or his affiliate links. There might be other spammers doing the same thing, I just haven’t found their trails yet.

And this guy is using any upload script he can find. He’s not just searching for specific types of scripts. In one case I confirmed that he misused a custom written script that was used on ONE website.

In addition to any upload script he can get to accept his HTML pages (usually with .htm extension), he’ll leave comments or user profiles anywhere his javascript redirects will work. Some of his favorites are HyperNews (comments), TWiki (user profiles) and SnipSnap (user profiles with uploads). He’s also (I assume) signed up for user accounts at CompuServe in Germany.

He then comment spams other websites with links to his upload pages and redirect enabled comments, in order to get them into search engines. They’re often hidden on the websites he’s uploaded them to, so he needs to get them linked by other means.

What does all this mean?

If you’ve got a website that has an upload script that accepts HTML files, you need to be alert. Either recode it to not accept HTML files, or have a good admin interface and check it for uploads every day, or remove the script altogether. Another possible option, if you haven’t been targeted yet, is to add a robots.txt file that bans search engine indexing of the directories your uploaded files are deposited in.

If you’ve got an interactive script on your website, make sure it doesn’t allow javascript redirects. That includes old scripts for guestbooks, forums etc.

If you’ve got a free website service, such as free homepages, free blogs, free groups, free forums, you need to recode those services so javascript redirects won’t work. Disabling iframes and frames pointing to somewhere else would also be proactive. I know of at least one free webhost who runs scripts every night, looking for certain keywords that spammers tend to use, and then disabling pages en masse. Identifying obfuscated redirects would also help you remove other sites with those redirects on them.
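As an added example (mine, not any of the scripts or hosts mentioned above), the scanner below does the nightly check this post recommends over a set of uploaded files: it flags HTML uploads, HTML hidden behind another extension, javascript and meta-refresh redirects, frames and iframes pointing off the host, and one layer of obfuscation (a percent-encoded or entity-encoded script passed through unescape()/document.write()). The files are constructed samples held in a dict, and the host name upload.example.com is an assumption.

```python
import html
import re
from urllib.parse import unquote, urlsplit

HTML_MARKERS = re.compile(r'<\s*(?:!doctype\s+html|html|head|body|script|iframe|meta)\b', re.IGNORECASE)
JS_REDIRECT_RE = re.compile(r'\blocation(?:\.href|\.replace|\.assign)?\s*(?:=|\()', re.IGNORECASE)
META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.IGNORECASE)
FRAME_RE = re.compile(r'<(?:iframe|frame)\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)
OBFUSCATION_RE = re.compile(r'\b(?:unescape|eval|document\.write|String\.fromCharCode)\s*\(', re.IGNORECASE)

# Constructed sample uploads (file name -> content); none of these are real files.
SAMPLE_UPLOADS = {
    "vacation.txt": b"Nothing to see here, just a plain text note.\n",
    "offer.htm": b'<html><body><script>window.location.href="http://money.example.net/aff?id=x";</script></body></html>',
    "readme.txt": b'<html><head><meta http-equiv="refresh" content="0;url=http://landing.example.net/"></head></html>',
    "page.html": b'<html><body><iframe src="http://other.example.org/frame" width=1 height=1></iframe></body></html>',
    "hidden.html": b'<script>document.write(unescape("%3Cscript%3Etop.location%3D%22http%3A%2F%2Fmoney.example.net%2F%22%3C%2Fscript%3E"))</script>',
    "about.html": b'<html><body><p>My homepage on this host.</p><a href="http://upload.example.com/me">me</a></body></html>',
}


def decode_one_layer(text):
    """Undo percent-encoding and HTML entities once, so an unescape()'d redirect becomes visible."""
    return html.unescape(unquote(text))


def external_frames(text, own_host):
    """Frame/iframe sources whose host is not our own."""
    return [u for u in FRAME_RE.findall(text) if (urlsplit(u).hostname or "").lower() != own_host.lower()]


def check_upload(name, data, own_host):
    """Reasons this file deserves a look; an empty list means nothing suspicious."""
    text = data.decode("utf-8", "replace")
    decoded = decode_one_layer(text)
    reasons = []
    if name.lower().endswith((".htm", ".html")):
        reasons.append("html upload")
    elif HTML_MARKERS.search(text):
        reasons.append("html content behind non-html extension")
    if JS_REDIRECT_RE.search(text) or JS_REDIRECT_RE.search(decoded):
        reasons.append("javascript redirect")
    if META_REFRESH_RE.search(text) or META_REFRESH_RE.search(decoded):
        reasons.append("meta refresh redirect")
    if external_frames(text, own_host) or external_frames(decoded, own_host):
        reasons.append("frame/iframe to external host")
    if OBFUSCATION_RE.search(text):
        reasons.append("obfuscated script")
    return reasons


def scan_uploads(uploads, own_host):
    """Map each file name to its reasons, keeping only files that tripped something."""
    report = {}
    for name, data in uploads.items():
        reasons = check_upload(name, data, own_host)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in scan_uploads(SAMPLE_UPLOADS, "upload.example.com").items():
        print(name, ", ".join(reasons))
```

To run it against a real upload directory, build the dict from `os.listdir` and `open(path, "rb").read()`; the single decode layer is deliberate, since one round of unescape() is the common trick and anything nested deeper is itself a reason to pull the file for manual review.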