Alden Bates' Weblog: The War Against Spam Part 2

Ads by Project Wonderful! Your ad here, right now: $0

Home : April 2006

« The War Against Spam | Main | ...and your father smells of HYPE »

The War Against Spam Part 2

Filed in: Spam.

My apologies, one of the points in the MO described in the entry for Mike Tison last time is actually the MO of Alexander Morozov. Morozov is the one clusterbombing pages.

Alexander Morozov

Comment spams with porn URLs. He and the Bulgarians are together responsible for most of the spam hits on my site.
Has a script which is easily fooled by my on-page measures, but cluster-bombs and loads entries a lot which uses bandwidth.
As well as the above, the queries he makes to the comment script can be over 11kb in length, including the text twice as a text parameter and a comment parameter. Other parameters used include sk2_time, sk2_my_js_check1, currency_code, business, domains, and item_name. May be a multi-purpose script.
.com domains spammed: novusdelta, legacyart
.org domains spammed: holyroodarchaeology
see also: Spamhuntress Wiki: Dyakon (He's using a (fake?) New York address in domain registrataions now)

Other .com domains spammed:

888pokerguru via comment, registered to "Liron Snir" in Israel.
homeequityloan-zz via trackback, registered to "Javier Navarrete" in Florida (See also: Spamhuntress Wiki: Florida comcast spammer)
northvip via comment, registered to "Somer" (buglee11@yahoo.com) in Minsk, Belarus

The "Liron Snir" spam actually got to the point where it was almost posted! The domain's now in my blacklist of course.

Posted April 6, 2006 8:49 PM

Comments

Hi,

I was looking for info about "sk2_my_js_check1" as for some strange reason I saw that at one page of mine (can't recall anymore which one) the same script was part of the page code. I actuallly was getting troubled as I saw in my visitor stats referrers from Google and MSN results with site description that didn't make sense at all. Well, they did make sense but it was all about warez etc.

Ok, long story short and I hope I don't bother you too much with it, but how did you find about these spammers and did they also spam related SERPS descriptions. And last not least, is this vulnerability fixable as far as you?

Well, thanks for reading this and I totally understand if my questions are a bit too much.

Thanks,

Posted by: Gemme | July 21, 2006 12:35 AM

That sounds to me like someone had hacked into your site and made some modifictions to it. :/

The spammers hit a decoy comment script on my site. They basically posted a dozen or so different parameters, I guess to cover all bases in trying to get their comment posted. The parameters included:

sk2_my_js_check1=mgnppc9x3h
sk2_ip=81.36.114.170
sk2_time=1149457444
sk2_my_js_check2=58fbedfd49ce3748370f8d70b96042be
sk2_payload=b3b1d55ce3501ca2bba088ccbe856182

I suspect that in this case sk2 is a reference to Spam Karma 2, an anti-spam plugin for WordPress...

Posted by: Alden Bates | July 22, 2006 2:33 PM

Alden Bates' Weblog

Feigning normality since 1973

The War Against Spam Part 2

Comments

Post a comment


	Home : April 2006 Alden Bates' Weblog Feigning normality since 1973 « The War Against Spam \| Main \| ...and your father smells of HYPE » The War Against Spam Part 2 Filed in: Spam. My apologies, one of the points in the MO described in the entry for Mike Tison last time is actually the MO of Alexander Morozov. Morozov is the one clusterbombing pages. Alexander Morozov Comment spams with porn URLs. He and the Bulgarians are together responsible for most of the spam hits on my site. Has a script which is easily fooled by my on-page measures, but cluster-bombs and loads entries a lot which uses bandwidth. As well as the above, the queries he makes to the comment script can be over 11kb in length, including the text twice as a text parameter and a comment parameter. Other parameters used include sk2_time, sk2_my_js_check1, currency_code, business, domains, and item_name. May be a multi-purpose script. .com domains spammed: novusdelta, legacyart .org domains spammed: holyroodarchaeology see also: Spamhuntress Wiki: Dyakon (He's using a (fake?) New York address in domain registrataions now) Other .com domains spammed: 888pokerguru via comment, registered to "Liron Snir" in Israel. homeequityloan-zz via trackback, registered to "Javier Navarrete" in Florida (See also: Spamhuntress Wiki: Florida comcast spammer) northvip via comment, registered to "Somer" (buglee11@yahoo.com) in Minsk, Belarus The "Liron Snir" spam actually got to the point where it was almost posted! The domain's now in my blacklist of course. Posted April 6, 2006 8:49 PM Comments Hi, I was looking for info about "sk2_my_js_check1" as for some strange reason I saw that at one page of mine (can't recall anymore which one) the same script was part of the page code. I actuallly was getting troubled as I saw in my visitor stats referrers from Google and MSN results with site description that didn't make sense at all. Well, they did make sense but it was all about warez etc. Ok, long story short and I hope I don't bother you too much with it, but how did you find about these spammers and did they also spam related SERPS descriptions. And last not least, is this vulnerability fixable as far as you? Well, thanks for reading this and I totally understand if my questions are a bit too much. Thanks, G. Posted by: Gemme \| July 21, 2006 12:35 AM That sounds to me like someone had hacked into your site and made some modifictions to it. :/ The spammers hit a decoy comment script on my site. They basically posted a dozen or so different parameters, I guess to cover all bases in trying to get their comment posted. The parameters included: sk2_my_js_check1=mgnppc9x3h sk2_ip=81.36.114.170 sk2_time=1149457444 sk2_my_js_check2=58fbedfd49ce3748370f8d70b96042be sk2_payload=b3b1d55ce3501ca2bba088ccbe856182 I suspect that in this case sk2 is a reference to Spam Karma 2, an anti-spam plugin for WordPress... Posted by: Alden Bates \| July 22, 2006 2:33 PM Post a comment Name: Email Address: URL: Remember personal info? Comments: (you may use HTML tags for style)
Tetrap.com Site Map