MainDoctor WhoMusicSoftware
Main Page

Alden Bates' Weblog

Spam Archives

Page 1 of 4

June 3, 2012

Spammer's gotta spam

Unsurprisingly this blog still attracts a sort of background noise of spam. Most of them are along the lines of "This blog is so great. I am totally subscribing naked casino chips party" but I got one in late May that was kinda blunt:

The next time I read a blog, I hope that it doesn't disappoint me just as much as this particular one. I mean, Yes, it was my choice to read, however I truly thought you would have something helpful to talk about. All I hear is a bunch of whining about something that you could fix if you were not too busy looking for attention.

Wow! That's pretty harsh for someone trying to advertise doors. The spam link included on the comment suggested to me that the spammer in question might not speak English, so...

Posted at 10:39 AM | Comments (1)

April 20, 2010

Save who from Berlusconi?

Here's a strange thing - web sites are showing up in google with the query string "Save Us from Berlusconi" appended to the end of their URL, like http://somedomain.com/?q=Save+Us+from+Berlusconi. Witness: Google results. There's even a long thread about it on Google Support. I happened to notice it when a Google Blog search came up with the errant query string added onto the Transformers Wiki and Seibertron.com URLs.

I suspect the way that they may be getting in there is by someone adding the URL with query string to Google Reader. Why someone would do this is a question in itself. What are they hoping to achieve? It's clearly a political statement, but delivered in a distinctly odd manner.

Posted at 10:02 PM | Comments (3)

May 2, 2009

Wacky comment spammers

Seems for a long time I wasn't getting any comment spam. Probably the long gaps between updates were taking this blog off their radar. Anyway, I've gotten a few really curly ones in the last week or so from one guy who appears to be trying to spam domains similar to search engines. The spam comments generally look like:

Hi, I found your site using [domain close to search engine domain], does your site support [web browser]?

A day or so later, I got another one trying to give the impression it was a real person:

Hi, It's the second time i'm posting you without a reply. I found your site using [domain], does your site support [web browser]?

Gee, that's really annoying. They've also posted it to the NZDWFC forums a couple of times, but I've temporarily added "does your site support" to the spam filter - hopefully it won't crop up in any legitimate posts.

So far I can only only see google results for "does your site support firefox", none for Google Chrome (which they posted a comment about overnight), Opera, or Safari.

Meanwhile there's another spammer who's been posting comments with random strings of characters, but including no URL at all. Them spammers are crazy.

Posted at 10:26 AM | Comments (0)

April 30, 2008

Where's the comment spam gone?

It occurred to me that I'm not seeing much comment spam here recently. In fact, they don't even appear to be trying any more. The last spam which SpamLookup caught was on the 25th of March. Maybe they got discouraged by my security measures. Maybe I'm not writing about stuff which spammers typically look for. Maybe I'm not posting enough.

Or maybe spammers are moving on to hacking sites and inserting links that way. Most of the bad hits I've been getting lately are from people trying to hack my site using PHP exploits. Of course, I don't use any PHP applications here, so they get a nice error in response. Judging by the URLs they hit, they found this site by searching for sites which mention PHP. On the bright side, so long as they're making futile attempts to hack my site, they have less bandwidth to use on trying to hack less secure sites.

So is comment spam on the decrease, or am I just lucky? It'll be interesting to see if blogging about it causes an increase in attempts...

Posted at 10:32 PM | Comments (1)

April 16, 2008

Overcomplicating Hacks

Wow, it's the middle of the month already! Where does the time go?

A week or so ago I noticed an odd hit in my server logs. The referrer url looked like this:
http://buxhotel.com/?page=<script> eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72
[whole bunch more encoded characters cut out]
%72%61%6d%65%3e%22%29%3b'))</script>&t=2

Java script in the referrer? I guess the idea was that it would end up in the referrer logs which I don't publish on my web site, and then any unsuspecting people who visited said logs would execute the javascript. Or possibly would follow the link to the buxhotel page, which would give them back the javascript. Anyway the pile of encoded characters translated to more javascript, which looked like this:
document.write("<iframe src='[URL REDACTED]' height='2' width='2'> </iframe>");

The iframe loaded a URL containing yet more javascript which started document.write(unescape('%3c%68%74%6d%6c%3e etc etc etc. I didn't bother to extract all of it, but what I did translate made it obvious that the page was loaded with nasty spyware and viruses.

So to recap, this method depends on the target site publishing its logs publicly in some manner that people will either execute the long chain of javascript by visiting the logs or by following the link. Either way, it seems just a bit desperate to me...

Posted at 1:42 AM | Comments (1)

December 9, 2007

Newsflash: SORBS still sucks!

Some 95% of my email comes from a good friend of mine. Unfortunately, cowboy spam fighters SORBS (who still suck badly) keep banning the SMTP servers of the ISP he uses, Clear.

They're not banning him personally, but because someone on Clear sent spam, he now can't email me, because my web host uses SORBS to filter its incoming email. This is the third time in recent months, and I'm getting pretty tired of it, but since Clear apparently can't stop spammers using their SMTP servers...

Well, I'm off to ask my web host to whitelist his address so I can get his emails again

Edit: my webhost have now whitelisted it! I love my web host. :)

Posted at 6:15 PM | Comments (4)

November 6, 2007

Complaining about Google

Regarding my post a couple of weeks back on Microsoft's sneaky bot, today I spotted an example of Google using the same tactic! Shortly after a request from Googlebot for yesterday's fireworks post, there was a second hit from a Google-owned IP address with a Firefox user agent and the referrer "http://www.google.com/search?q=abc". This second hit loaded only the page and none of the associated style or graphic files, and I don't appear in a google search for "abc" so I'm reasonably sure it was a cloaked bot. Since it didn't load any stylesheets, I'm not sure what abuses it's looking for (perhaps it's merely checking for server redirects?).

However, that's not what I'm complaining about. A while ago I noticed that some of the URLs in the spam comments I was getting (which never appeared on the site because my defences are well set up) were for Google Groups. Sure enough these were groups which had been set up by spammers to promote their crap. As every post in a Google Group (assuming it's not a Usenet mirror) has a report abuse link on the bottom, I reported some of the posts. Google sent me an automated email thanking me for reporting the abuse, however weeks later the spammy Google Groups are still there.

Case in point: http://groups.google.com/group/callas1178/

Now, considering how strict Google is on sites which allow this sort of thing, I'm somewhat surprised that they haven't acted more decisively in this case.

Posted at 8:08 PM | Comments (0)

July 3, 2007

Yet Another Bloody Spammer

It took a while for the spammers to catch up, but as of the 28th, one of them started hitting a decoy comment script on here. The comments weren't very interesting - just collections of links to his spammy sites which were all .info sites. Sample domains:

noleggio-auto-ita.info
german-musikvideo.info
fr-musique.info
pc-france.info
1-minijob-de.info
1oferta-trabajo.info
software-para-abogado.info
1achat-logiciel.info
1crm-software-de.info
it-musica-italiana.info
infojobs-net-es.info

They're all registered to one Dan Georgius, with the address str.10 building 1, Victoria, Mahe, the Seychelles and an organisation of MBM Ltd. The sites themselves are physically hosted in China. Dan appears to have been at it a while - here's a Wiki item from over a year ago with a different address.

Mr Georgius, I am very cranky.

Posted at 10:27 PM | Comments (0)

May 24, 2007

wealthdoctors.net = comment spammers

I was trying to find out why Googlebot and Slurp kept hitting a URL on here which was incomplete (they were trying to load http://www.aldenbates.com/ archives/.../09/spam_and_movable_type_comments.html) and stumbled on this page:

http://www.wealthdoctors.net/prosubmitter/log1.html

No link love for them. It's a log of attempts to post comment spam to various blogs. It looks like they tried to hit a couple of my entries (and were stopped by some rules in my .htaccess file), but successfully posted to a bunch of other blogs. I checked a few of the blog links they had there, and none of them had the spam comment that the log says they posted, so evidently they picked poorly when looking for blogs to spam. If they're using that page as an example of their leet spamming skills, it's not very impressive.

Their spambot appears to operate off their web site, so blocking hits 66.98.218.84 in your .htaccess file should stop them.

Posted at 7:59 PM | Comments (0)

April 24, 2007

Y HALO THAR SPAMMER!

Heh, one of the many spammers I've reported on dropped by and left a comment. Unfortunately he did it from a blacklisted IP address, so it ended up in the spam bin. Basically it was:

:) Hello from scrimak

You can read more about him on Spamhuntress' Scrim page.

I haven't actually had much spam recently, due to the fact that most of the spam scripts are still hitting abates.tetrap.com and ignoring the redirect*, and also because of some decoy comment forms I have on my pages. So far I've had a grand total of one spam even reach SpamLookup.

* Speaking of which, how do I tell aggregators like Google Feedfetcher and Tailrank to stop hitting the old URL? Apparently a permanent redirect status is not enough.

Posted at 8:07 PM | Comments (1)

February 10, 2007

Aggressive Spammer Scripts

I have one spammer who has a comment spamming script which regularly pounds on my site. This script hits from four IP addresses sending up to 40 requests per second and despite only getting 403 access denied responses, has not given up. The IP addresses are:

  • 195.226.230.58 - owned by the Hard Rock Cafe in Kuwait.
  • 82.114.68.194 - owned by the Kujtesa Network in Kosova.
  • 62.150.35.230 - owned by "Lebanese Besources for Car Spare parts Co.", part of QualityNet Kuwait.
  • 62.150.40.142 - Same ownership as 62.150.35.230

I attempted to communicate with the owners of the IP addresses to try to get this sorted:

  • The cafe in Kuwait: They don't have a web page, and their email address on the Hard Rock Cafe web site bounces with a "not a valid mailbox" error. I got another email address from the HRC site's customer care team... which bounced with "mailbox unavailable".
  • Kujtesa Network: No response yet.
  • QualityNet Kuwait: The email address on the RIPE whois bounced with the error "Over quota". I forwarded it to their support email address from their site. No response yet.

Another spammer (or possibly the same one) is also trying to spam from an IP address from rbnnetwork.com (see also Spacesquad Anti-Spam service). An email to their abuse address I sent on the 1st remains unanswered.

So where does that leave me? At least these spammers are using a small number of consistent IP addresses, so perhaps my last resort is to ask my web host whether I can get them blocked at the firewall level...

Posted at 10:22 PM | Comments (1)

January 30, 2007

Spammer humour

Recently I've been getting spam comments from someone who likes to leave a random humorous story evidently culled from somewhere on the interweb, followed by links to their pages. Here is one of the latest examples:

A Girlfriend Called Lorraine

There was a guy and he had a girlfriend called Lorraine. She was very pretty and he liked her a lot.

One day he went to work to find that a new girl had started working there. Her name was Clearly, and she was absolutely gorgeous.

He began to like her and after a while it became obvious that she was interested in him too. But, he was a loyal man and he wouldn't get involved with Clearly while he was still going out with Lorraine.

He decided that there was nothing for him to do but to break up with Lorraine and date the new girl. He planned several times to tell Lorraine but he couldn't bring himself to do it.

One day as they were walking along the river bank, Lorraine slipped and fell in to the river. The current carried her off and she drowned.

The guy stopped for a moment by the river and then ran off smiling and singing..." I can see Clearly now Lorraine is gone..."

:D:D:D:D

[links snipped]

Naturally I was immediately compelled to report the spammer to their web host. I mean spamming is one thing, but there's no call for that.

Posted at 6:35 PM | Comments (2)

January 23, 2007

Spam post #456345673

Our first contestant this evening posts has been mentioned here

So far he's been posting roughly once a day, leaving comments which start off with phrases like "Pleasse Do not delete this urls , i need money for my child", "Please Do not delete it , I need lots of money urgent.", and "Do not delete it please. I need money urgent". He uses http://google.com/ as a link, probably to trigger whitelisting, but his comments a filled with links to message boards on phpbbx.de (I'm sent an email to their abuse address), myforum.ro. The email addresses he uses are along the lines of corpseh@tut.by, seomail1@tut.by, seomail2@tut.by, etc.

The message board links all redirect to pages on the domain online-deals.org (I've just informed their web host). Whois information is mostly blank, but there is this:

Registrant Name: Alexey Tesliuk
Registrant Organization: BelPromStroy
Registrant Country: BY (Belarus)
Registrant Email: wrestlerr@mail.ru

I have no idea if that's valid info or not. There's a Belpromstroy bank in Minsk...

Contestant number two posts using hotmail addresses like d87s_test994@hotmail.com and d92s_test637@hotmail.com, but all other information is randomised. Comments consist of a random text string followed by four URLs in various formats consisting of links to files on site which allow file uploads. These links redirect to rx-simple.com and rx-simple-pharmacy.com. Both domains have their details protected by WhoisGuard - I've sent them two reports, and also sent abuse reports to the web-hosts the two sites are on.

Posted at 6:49 PM | Comments (0)

January 6, 2007

Spammers using Google Groups beta

I was sifting through the spam comments which my protective measures had stopped, and found to my surprise I was getting spammed with google.com URLs. It looks like there's a security hole in Google Groups beta which allows users to upload files containing Javascript redirects. Observe the following URL:
http://groups-beta.google.com/group/pharmed/

When I tried to report this through the abuse form Google have set up, I got the following error:
The following errors need to be corrected:
• Sorry, we are unable to find the message you specified.

I've sent them a message through the contact form, but had no response, or apparently any action taken so far...

Posted at 9:53 AM | Comments (0)

December 15, 2006

Pukiwiki spammer

So recently one idiot has been attempting to spam my comments here repeatedly. Despite getting 403 errors, he continues to blat the script 150 or so times per go, sometimes 30 or 40 times per second. Most of the hits originated from the RIPE network (Europe, plus bits of Asia and the Middle East), so these are likely compromised computers. Some hits were from IP addresses owned by photobucket.com (I've notified them).

The spam comments were random text from other sites, and random names - the common factor were the links to files on three pukiwiki sites (www.kde.gr.jp, fansub.andrewlb.com, and laszlo.jp). The pages linked to were user uploaded files (webmasters, don't let random people upload files willy nilly! That's just asking for trouble!) containing spammy porn terms and encrypted javascript redirecting users to alien.js on ncfab.org. alien.js fakes an error page and logs the hit if it happens to be coming from a search engine (and probably infects the browser with a nasty virus).

ncfab.org may, at one time, have been owned by the "Nordic Centre For Artists' Books", but the current registration info is fake (the Cyprus address belongs to a real estate agent.) so it's probably either expired or been hijacked.

Bruce Simpson believes that the problem of zombie PCs may ultimately solve itself when terrorists realise they can pay hackers who have networks of compromised PCs to DOS important sites. At this point, the botnet problem would suddenly become very important to the US government. Personally I doubt any terrorist groups would bother...

Posted at 7:33 PM | Comments (5)

<< 1 2 3 4
Search


Categories

Tetrap.com Site Map