Archive for the 'Wiki spam' Category

Nuke on sight

Monday, September 19th, 2005

I was chasing a wiki spammer, and came upon another wiki spammer.

One who does invisible wiki spam.

69.31.82.66
colo-69-31-82-66.pilosoft.com

Pilosoft has been increasingly known for linkspam lately.

The root site on that server is TakeYourBucks.com. It’s a Russian site dedicated to traffic - and they’re not shy about what kind of traffic. It’s a likely owner of a bot. In this case I’m guessing the owner of the site is also operating the spambot.

Whois:

KLS Network Inc.
68-70 North End Road
London, UK W14 9EP
GB
+1.7755998336

Buckley, Joanne support@quickiesx.com
68-70 North End Road
London, UK W14 9EP
GB
+1.7755998336

Record expires on 01-10-2006
Record created on 01-10-2005

NS1.IDEASFORHOST.COM 209.25.147.9
NS2.IDEASFORHOST.COM 69.56.220.74

The nameservers have been implicated in guestbook spamming before.

Dyndns subdomains hosted on:
69.93.145.180

I found the wiki testing bot active on the same wiki, before the 69.31.82.66 bot showed up.
69.31.131.178

The syntax is remarkably similar. I’m guessing it’s either the same outfit or a copycat.
For a good list of edits showing this pattern.

Conclusion:
Block this IP number from wikis now.

Wiki testing

Sunday, September 18th, 2005

I got a tip about a wiki spammer:
69.31.131.178

So far I’ve only seen wiki vandalism. And some is very subtle. I.e., it isn’t visible. But some wiki users have complained that he’s deleted content off pages.

I see lots of instances of experimenting. He’s adding Disney links that turn out to be completely invisible. But they’re easy to find on Google, as you can see. The game may be to see which wiki moderators are sleeping on the job - not checking diffs.

But his changes are certainly excessive. Here’s an example of user contributions to one wiki.

The IP number loads a website belonging to 24-7-solutions.net.

One of the techs is apparently Russian. First name Sergey. Oh, and they have a Russian language version of their site. Just search for the ICQ numbers, and you’ll find it.

One trojan coming up

Saturday, September 3rd, 2005

Someone at 195.24.194.5 created a new page on my wiki. I decided to check that IP number out. It’s got a long and distinguished career at wiki spam, and it’s an open proxy. I believe wiki spammers are creating new orphan pages to spam. That would make more sense than defacing pages that already hold content, right? And it might quietly flit by a busy admin without him or her noticing.

Anyway, I looked for wikispam, and one of the users of said proxy had a very interesting page. At scarletton.teenposes.com/bankers-long-term-care-insurance.html I found an iframe that went to 195.225.177.33. It then 302 redirected to 195.225.177.33/vx/ where I found a trojan waiting to be downloaded.

I don’t have a clue what it does (not coming near my system!), but the name of the file is win32.exe.

The host is netcathost in Ukraine. Ukraine is the home of a LOT of spam, so that’s not surprising.

I went further, trying to figure out who owns this thing…

I found a domain on that server, with this whois info:

Danyelle Christian
Danyelle Christian (mortiis@ukr.net)
Chocho Street 16
Highland Beach
null,96365
US
Tel. +09.6070231

Fake name and address, in other words.

Those domains and that whois info have been implicated in browser hijacking in the past. McAfee christened a trojan associated with one of the domains StartPage-FX.

Chem

Tuesday, August 30th, 2005

Someone from 69.50.165.186 created a new page named Chem on another wiki I maintain. The page had one word: Hello.

I believe it’s a test to see how well maintained wikis are. Remove that page. It may be used to enter spam later on.

The IP address is on Atrivo/Intercage. The mailserver identifies itself as sysguardian.com, which is on that same IP address, and allegedly owned by a Max Tiper.

The domain name was registered at ESThost. I don’t have to tell you guys that the chances this is a spammer are overwhelmingly obvious?

On other wikis, the text has been different, and the poster’s command of English seems poor. Some sentences are in Russian without the Cyrillic alphabet.

On one wiki, I found this text:

Dear site owner! If my pages will be deleted your site will be deleted too. If you have any questions please contact me: no.content.spam@gmail.com Sorry for intrusion.

When searching for that, I find even more instances of this pointless wiki editor, planting Chem pages. I see a similar IP address connected to some edits that Richard’s WikiMinion subsequently cleaned:
69.50.182.10
193.22.84.7 is also connected with that sentence. Black Sea TV Company in the Ukraine…

The Chongqed regulars discussed this one quite a while ago, but this was the first time I’d come across him. The interesting part here is that they’ve named him the HyipInvestment spammer. HYIP is a term occurring on sysguardian. I’d be interested in some info on why he was given that name. Guys?

New wiki spam technique

Sunday, August 21st, 2005

Well, at least to me, this is a new wiki spam technique. I had a spammer (apparently Mike Tison) editing the first section of the Mike Tison page, replacing the contents with his spam.

That’s a first, as far as I can tell.

What’s even weirder is that just moments before, attempts were made to post changes to exactly that first section, with a POST instead of a GET fetching the page. That seemed to have failed, and the next attempt (different IP number) included a GET of the page first.

This particular spammer appears to be using a zombie army, something that’s very unusual.

This was the first attempt to spam the Mike Tison page. He’s been concentrating on *redacted* in the past.

Double wiki spam

Friday, August 12th, 2005

We’ve seen multiple edits of the same wiki page by the same spammer, and have been wondering why on earth. What’s the point of removing your own edits?

Well, turns out there IS a good point.

My wiki runs MediaWiki, and it has a cool feature called rollback. An administrator can roll back edits he/she doesn’t like by clicking one easily accessible link.

By doing double edits on the same file, the spammer makes sure that feature can’t be used reliably, thereby necessitating a more complex operation to remove the spam. An operation any half-assed administrator should be able to do. But as you know, that’s the theory, not the reality. A more complicated operation may be left for another day by an overworked administrator.

Guys, if you run a wiki, keep an eye on it, and learn how to rescue it should spammers get really obsessive. Chances are you’ll experience “obsessive” spammers. They’re just trying to up the chances of their spam sticking…
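As an added illustration (not code from the original post), here is a toy model of the rollback problem described above. It assumes MediaWiki-style semantics: one rollback click reverts every consecutive top revision by the same editor and restores the newest revision by anyone else; the histories, IP numbers and texts are constructed, and the two-identity case mirrors the multiple-IP behaviour noted in the "New wiki spam technique" post.

```python
# Added illustration, not code from the original post. Models MediaWiki-style
# rollback under one assumption: a rollback reverts every consecutive top
# revision by the same editor, restoring the newest revision by anyone else.
from dataclasses import dataclass

ADMIN = "Admin"


@dataclass(frozen=True)
class Revision:
    editor: str   # user name or IP number
    content: str


def rollback(history):
    """One click of the rollback link: append the admin's revert of the top
    editor's consecutive edits. Returns the history unchanged if there is
    nothing to revert (every revision is by the top editor)."""
    top = history[-1].editor
    for rev in reversed(history):
        if rev.editor != top:
            return history + [Revision(ADMIN, rev.content)]
    return history


def restore(history, index):
    """The slower manual operation: open an old revision and save it again."""
    return history + [Revision(ADMIN, history[index].content)]


def current(history):
    return history[-1].content


CLEAN = "Real article text"
SPAM = "buy pills at example.invalid"


def single_spam():
    # Constructed history: one spam edit from one IP number; rollback suffices.
    h = [Revision("Editor1", CLEAN), Revision("203.0.113.5", SPAM)]
    return current(rollback(h))


def double_spam_two_identities():
    # Constructed history: the spam posted twice, each time from a different
    # IP number. One rollback only strips the top identity's edit, a second
    # click reverts the admin's own revert, and only a manual restore works.
    h = [Revision("Editor1", CLEAN),
         Revision("203.0.113.5", SPAM),
         Revision("198.51.100.9", SPAM + " (again)")]
    once = rollback(h)
    twice = rollback(once)
    fixed = restore(h, 0)
    return current(once), current(twice), current(fixed)
```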

Exploit spammer

Tuesday, August 9th, 2005

Svdb’s wiki got spammed, and he started unraveling the trail of the spammer, whom he named

Mike Tison

I joined into the fun, and within a day I got spammed too.

Turns out this guy is well known for sites laden with CWS (start page hijackers) and other not so nice things. He’s offered traffic from dialers (as far as I could tell) on Russian forums…

Israeli broadband spammer

Sunday, July 24th, 2005

I got a comment spam on annelisabeth.com today and started running it down. First of all, there’s no obvious payoff. None at all. So it might be a future bait and switch.

The spam came in from (spambot):
85.250.204.98
217.132.186.33
Both are Netvision broadband IP numbers in Israel.

All pages are currently hosted on
192.117.97.56
which is an Actcom broadband IP number in Israel.

Some pages still point to
212.143.91.115
A Netvision IP address in Israel.
Those pages are not served, so I’m guessing the IP number was lost somehow.

But the really interesting part is that the root domains, every single one of them, point somewhere else. The most recent ones point to various webhost providers, but earlier domains point to IANA reserved IP space, and one even pointed to an IP number in a DoD (Department of Defense) IP block!

All spam from this spammer is preceded by the letters
mn
and then the domain name of the hour, with no space between them. So finding the spam is easy. He spams guestbooks, forums and wikis.
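An added example (not code from the original post) of turning the fingerprint just described, the letters "mn" glued directly onto a domain name, into a scan over guestbook or wiki entries. The sample entries, IP numbers and domains below are constructed.

```python
# Added illustration, not code from the original post: a scan for the
# spammer's fingerprint described above, the letters "mn" glued directly
# onto a domain name. Sample entries are constructed; the domains are not real.
import re

# "mn" at a word boundary, immediately followed by a hostname ending in a TLD.
# Plain words such as "mnemonic" carry no dotted hostname and do not match.
MN_PATTERN = re.compile(r"\bmn((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def find_mn_spam(text):
    """Return the domains hidden behind the 'mn' prefix, in order of appearance."""
    return [m.group(1).lower() for m in MN_PATTERN.finditer(text)]


def flag_entries(entries):
    """Entries are (author_ip, body) pairs, e.g. guestbook posts or wiki diffs.
    Returns a dict of IP number -> domains seen, for bodies carrying the mark."""
    flagged = {}
    for ip, body in entries:
        domains = find_mn_spam(body)
        if domains:
            flagged.setdefault(ip, []).extend(domains)
    return flagged


SAMPLE_ENTRIES = [  # constructed sample, RFC 5737 addresses
    ("198.51.100.1", "nice site! mnspam-domain-one.example cheap stuff"),
    ("203.0.113.7", "A mnemonic device helps you remember lists."),
    ("198.51.100.2", "visit MNspam-domain-two.example and mnsub.spam-three.example now."),
]

if __name__ == "__main__":
    for ip, domains in flag_entries(SAMPLE_ENTRIES).items():
        print(ip, "->", ", ".join(domains))
```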

Whois info is obviously fake, but I’ll include a recent one:

tsahal
24 rashborn ave.
yorkshier, NA 441456
GB

jordan, tomner tomberd@yahoo.com
24 rashborn ave.
yorkshier, NA 441456
GB
+41556623456

Another little wrinkle concerns the name servers. Some are a bit fishy:

This is one of the name servers:
NS.BROWSE-DNS-ONLINE.COM.NS-NOT-IN-SERVICE.COM

I removed this part, because it no longer resolves. But it did earlier today. And it had the IP number: 62.219.224.168. The domain itself has been terminated by the registrar, so it’s weird that it pinged earlier on.

In fact, you can look for NS.FREE-TV-DNS.COM as well. It’s also on bezeqint.net, and is used by this spammer as a name server.

The wiki spammer’s wiki

Thursday, June 23rd, 2005

Yesterday I wrote about Oleg Popov, who spammed my wiki.

Today I did some more digging, and found a wikispam he’d done while logged in as a user (Xx, a user name he often uses). Turns out he’s spamming by hand. While checking the user page, I noticed there was a user named OlegPopov. Heh, he’s been very busy.

He’d written a nice bio, and included a link to his wiki…

His wiki is a good idea and well executed. He’s even attracted very capable users.

The problem is the concept of a wiki spammer owning a directory of wikis…

http://wiki4all.com/

I’m sure you guys can see the possible ramifications of that?

Oleg Popov wiki spammer

Wednesday, June 22nd, 2005

Got some wiki spam here on spamhuntress today. Managed to get the writeup done right away:

Oleg Popov

I did see a Google cache of a page from Evgheni Tariuc (another wiki spammer) where one of Oleg’s domains was present, but that was either an error in Google’s database, or the content had been switched.