
Alden Bates' Weblog

Spam Archives


August 13, 2006

SORBS vs reporting spam

I like reporting spammers. It's fun knocking out their web sites when they spam me.

I tried doing that just now when I got one on the NZDWFC message board, and got this response back:
Diagnostic-Code: smtp; 554 5.7.1 Rejected 210.54.141.245 found in dnsbl.sorbs.net

Looks like Xtra's mail server has been added to SORBS. I'm sending the spam report again via gmail, along with a suggestion they might want to switch to a better system for blocking spams.

[Previously: SORBS strikes back]

Posted at 5:21 PM | Comments (0)

July 20, 2006

The Bank of Africa's money problems

You may recall a while back I got two emails from Amos Zongo, one about some gold he had, and another claiming he was the Auditor General of the Bank of Africa looking for some foreigner to offload $16 million with.

I just got another email from Amos, who is now a doctor and the bill and exchange manager, and has $25 million lying around. Sadly for Dr Zongo, two important pieces of information in his email suggest he's already too late:

"...In an account that belongs to one of our foreign customer who died along with his entire family in November 2000 in a plane crash."
"The Banking law and guideline here stipulates that if such money remained unclaimed after FIVE years, the money will be transferred into the Bank treasury as unclaimed fund."

Missed by 8 months! How sad!

Oddly enough, I got an email a while back from one Dada Oman, who also claimed to be the bill and exchange manager at the Bank of Africa, and has some $20 million handy...

Posted at 11:09 PM | Comments (2)

July 14, 2006

Used Railway Line scam?!

I swear, these scams are getting more and more bizarre.

From: "babiya traore"
Subject: USED RAILS (R50-R65) FOR SALE
Date: Thu, 13 Jul 2006 10:47:53 +0000

Dear Sir/Madam,

RE: USED RAILS (R50-R65) FOR SALE

Our company is the direct selling mandates to Burkina Faso Railway Corporation and have in stock up to 1.4 Million Metric Tons of Used Rails (R50-R65) for clearance sale, at very reasonable prices. the available rails are located in five different Rail Yards in the country.

This clearance sale is necessitated by the impending privatization of the Corporation and the need to decongest our rail yards in preparation for the privatization.

Prices are negotiable on FOB, CNF and CIF basis. Site inspection, physical verification and confirmation of product quality and quantity are allowed before signing of contract. Offers are invited from serious end buyers or Agents that has access to serious potential end users/buyers

Sincerely,

Dr.BABIYA TRAORE
[Address snipped]

WTF would I want with 1.4 million tons of used rails? Are they simply spamming as many people as they can in the hopes of hitting someone with a pressing need to build a railway?

Posted at 6:31 PM | Comments (15)

July 6, 2006

Forex spam

I've been being hit recently by a spammer using urls of the form forex.somefreehostorother.com and using a botnet to avoid giving away their IP address. Fortunately the spammer's stupid script was thrown by a decoy comment form, thus no comments reached my weblog. The target URLs all redirect to this site which has probably fake details:

forex-broker-list dot com
Alexey Petrov (Petrov_Alex@mail.ru)
+7.5734503XXXX
Lenina st. 45
Sochi, 567843
RU

Forex is not Australian beer, BTW, but is short for "foreign exchange".

I suspect that this may be related to an event that occurred late last month when someone unleashed a spider on my site. The spider's user-agent (which had HTML in it. Urgh) included the text "Forex Trading Network Organization" and a link to netforex dot org, a site which currently consists of a front page with a non-functional search form and a broken link to a directory. IncrediBILL wrote about the netforex bot at the time of the spidering.

Posted at 9:41 PM | Comments (0)

June 4, 2006

oncasinogame spammer

This comment spammer has been hitting my weblog the last couple of days. An attack involves him hitting the same post a dozen times or so and posting a handful of spam comments. The comments all look the same:

Hi, guys. Very nice site! I saw some interesting pages:

(ten links using [url= format)
(ten links using <a href= format)
(ten bare URLs)
Please look it! Thank.

The comments are all signed "Aariz (antohach@mail.ru)". Both the oncasinogame.com and cubacigar.org domains he uses are hosted in Dallas, Texas, and have the same whois information:

alex gudsf (scrimak@mail.ru)
tverskay street 43
rostov
RU

Only a google search for scrimak@mail.ru turned up anything other than spam, but the pages are all in Russian, which I can't read. Though one included an ICQ number which had little extra information other than the nickname "Scrim", and he's been posting on a Russian forum as "dimvols".

Posted at 11:48 AM | Comments (0)

May 27, 2006

Interesting referrer spam

I had 4 hits on a page all from the same IP address with completely different user agents. Two of the referrers were of the form http://mail05.abv.bg/app/j/openmessage.jsp - visiting them just resulted in an error, so it's hard to see what use they'd be. The other two were Google searches for "freesmscenter" and for a phrase in Russian. Seems sorta odd to me, seeing as most stats software seems to represent hits from Google searches as just the search text itself. Presumably the spam was promoting the sites at the top of the results for those phrases, but it seems a very roundabout way of doing it...

Posted at 1:39 PM | Comments (2)

May 19, 2006

Public Service Announcement

If you installed Blue Security's Blue Frog software, you should uninstall it ASAP. Spammers may be able to get control of it and use it to attack other sites or do other nefarious things.

Posted at 7:26 PM | Comments (0)

May 16, 2006

Message board spam!

I'm shocked! The NZDWFC general message board got a spam post! Usually spammers don't bother because the forums are blocked from search engines. Of course the anti-spam measures in the board software caught it before it could appear on the site.

The URLs spammed included a smattering of beam.to, some MSN spaces, a rapidforum, a bravenet guestbook, a Chinese wiki, and a number of subdomains on sekob.com and osarex.com. Both of these domains are registered to one Jar Duchovni who claims to live on 127 Duane St, New York, but the IP address the spam came from appears to be in Israel (on bezeqint.net). Don't know any more information on this spammer, other than he seems to be spamming mainly guestbooks and message boards.

Posted at 10:58 PM | Comments (3)

May 1, 2006

Spam post #456345672

I got a spam comment today with the following text in it:

My 20 year old said to me the other day that when he grows up, he's going to be a "real entrepreneur, like you used to be." When I asked him why I was no longer a "real" entrepreneur, he said it was because I wasn't making a lot of money. I guess it's more transparent now -- the cash side of things -- since he saw the rewards of a lot of hard work. But we had a long talk about why I am an entrepreneur and what it is that motivates me -- my love of what I do, the flexibility, mature sex creating something and watching it grow. Maybe too often, http://spammysexdomain.com people look at bootstrapping or being an entrepreneur or "doing your own thing" as something "cool" without realizing the energy, love, angst and tenacity that it requires to succeed.

Which only struck me funny because they're spamming a sex site using text which includes phrases like "watching it grow". Yes, I am 12. Not sure where the text originates from, since searching for bits of it just turns up spammed forum and blog entries.

The spammed domain is owned by someone calling themselves Anry who's provided an address in the Donetsk region of the Ukraine (Any relation?). Looks like they're heavily penalised in Google. So sad.

Posted at 7:43 PM | Comments (0)

April 10, 2006

Today's spam

Today's spam quoted the blurb for Ice Age 2 for no apparent reason:

NEWS MOVIES - The Ice Age is coming to an end, and the animals are delighting in the melting paradise that is their new world. Manny, Sid, and Diego quickly learn that the warming climate has one major drawback: a huge glacial dam is about to break, threatening the entire valley.

and had a humorous typo in the user agent: Mozilla/4.0 (compatible; MSIE 5.01; Widows NT)

I thought for a moment when I checked out the registration info for the portal domain they spammed (which has broken graphics all over it) that I had a fellow NZer trying to spam me, but the address and probably the name turned out to be fake:
  Holdings NZ Ltd
  Patrick Rinsvelt (mak7hou@yahoo.com)
  35 Hobson Street
  Auckland
  Not Applicable,10010
  NF
(The address is that of the Heritage Auckland Hotel, and Auckland is definitely not on Norfolk Island)

The IP address, which I suspect is the spammer's, is allocated to the Latin American and Caribbean IP address Regional Registry in Uruguay. Googling for identical spam only turned up very few relatively recent spams, so there is probably either a new spammer or an old one using a new style...

Posted at 9:44 PM | Comments (0)

April 6, 2006

The War Against Spam Part 2

My apologies, one of the points in the MO described in the entry for Mike Tison last time is actually the MO of Alexander Morozov. Morozov is the one clusterbombing pages.

Alexander Morozov

  • Comment spams with porn URLs. He and the Bulgarians are together responsible for most of the spam hits on my site.
  • Has a script which is easily fooled by my on-page measures, but cluster-bombs and loads entries a lot which uses bandwidth.
  • As well as the above, the queries he makes to the comment script can be over 11kb in length, including the text twice as a text parameter and a comment parameter. Other parameters used include sk2_time, sk2_my_js_check1, currency_code, business, domains, and item_name. May be a multi-purpose script.
  • .com domains spammed: novusdelta, legacyart
  • .org domains spammed: holyroodarchaeology
  • see also: Spamhuntress Wiki: Dyakon (He's using a (fake?) New York address in domain registrations now)

Other .com domains spammed:

  • 888pokerguru via comment, registered to "Liron Snir" in Israel.
  • homeequityloan-zz via trackback, registered to "Javier Navarrete" in Florida (See also: Spamhuntress Wiki: Florida comcast spammer)
  • northvip via comment, registered to "Somer" (buglee11@yahoo.com) in Minsk, Belarus

The "Liron Snir" spam actually got to the point where it was almost posted! The domain's now in my blacklist of course.

Posted at 8:49 PM | Comments (2)

April 4, 2006

The War Against Spam

So, what losers do we currently have trying to spam attack my weblog?

The Bulgarian twins

  • Two attack modes:
    1. Irregularly referrer spams, always to the same URL on my site, mostly poker-related URLs but also some financial/pill sites. Easy to block at the .htaccess level.
    2. They've been hitting mt-tb.cgi fairly constantly, despite getting error 403s (I renamed the script over a year ago).
  • Registration info leads back to top-support.net and support2000.net which both resolve to the same IP as support-4u.net (See previous post on the Bulgarian twins).
  • See also: Chris's Wiki: Those amusing Referer spammers

Kazakhstan spammer Timur Tasbulatov

Russian spammer Mike Tison

  • Comment spams with porn URLs.
  • Has a script which is easily fooled by my on-page measures, but cluster-bombs and loads entries a lot which uses bandwidth.
  • He attempted to spam me using an MSN spaces URL, but the email address used is identical to one I found spamming a health-medical.us subdomain domain. That domain uses name servers belonging to one of the domains on the page linked below.
  • See also : Spamhuntress Wiki: Mike Tison

But, despite all that, I remain spam free.

Posted at 10:45 PM | Comments (0) | TrackBack (1)

February 23, 2006

Recently Received Correspondence

Princess Divine Kabore writes:

I am a female student from University of Burkina faso,Ouagadougou,I am 25 yrs old. I like any person who can be caring, loving and home oriented, I will love to have a long-term relationship with you and to know more about you. I would like to build up a solid foundation with you in time coming if you can be able to help me in this transaction.

[Dad died, left six and a half million being paid into Etruscan's Permit In burkina Faso.company(E.P.I.B.F)and Etruscan's Gold company]

Please, note that this transaction is 100% risk free and I hope to commence the transaction as quick as possible, I will send to you my picture as soon as I hear from you.

Yours sincereely,
PRINCESS DIVINE.

100% risk free, hmm? That's enough to convince me! Yes! All my 100% risk free transactions involve a complete stranger offering me 6 million dollars by email!

Ouagadougou? Again? Could Princess Divine merely be Amos Zongo in a dress? He must do it a lot (See also Princess Berryfeso and countless others I saw while googling)...

Mrs. Stella Castillo writes:

Please forgive me if this message comes to you as a surprise I was divinely inspired to pick your name among other names found in the Internet database, after series of prayers or Gods direction.

OMG! The INTERNET DATABASE! The internet has a database?

> select * from Internet where type="PR0N!"
4,563,786,549 rows returned

Hooray!

Posted at 11:09 PM | Comments (0)

January 25, 2006

"Proposal for Gold Sales" scam

I'm not even sure I know quite what this one is proposing...

GROUP VILLAGE ORGANIZATION Of EXTRACTION Of GOLD MOROVIA LIBERIA
WEST/AFRICA.

Mister/Madam,

PROPOSAL FOR GOLD SALES In our search for reliable associates in addition to-me, we obtained your contact by the Internet and we are impressed of your profile from there our interest in the management of the businesses with you. We are very sorry as this letter can surprise you. We are minors of group of village organized in gold based in the west africa in Republic of LIBERIA .

I'm shocked. What sort of people use minors to mine gold. Only adults should be miners!

Because of the difficulties of the government of liberia give a licence to the protocols in transactions of sale of gold and for the safety of our goods, we have successfully transferred (65kilos) from gold to the metal which is (purity of 99 % of 22 carats), being stored in the Agency Company for Safety Extracting in Ouagadougou in the Republic of Burkina Faso the West/Africa. Currently we seek the honourable foreign purchasers who will be able to accept and respect the agreement of trade and to treat the business with us. the case so more necessary.

Ummmmm... Tilt. There's a French version of the email included as well, and I suspect that the English version is simply the French version run through an autotranslator (the "minor" goof is present in both language versions). This portion of the email appears to suggest they couldn't get a mining licence and want to sell their gold under the table.

However our price is (6.500 $ per kilo) and the system of operation is after the analysis; the pleasant part of the quantité is paid to us here while one of our representatives will accompany the goods with his final destination for the balance payment or if possible with satisfaction, the quantité can be paid suddenly. The customer will be responsible for all the tax payments in Burkina - Faso in % well pleasant during the payment. The customer is welcome visit us in Burkina - Faso for the full insurance and the modus of operation. We will be happy to have joined and any of your favorable interested associate. You are welcome and hoping to receive news of you at his possible time more the first.

Translation: You give us $6,500 per kilogram of gold, we run away very fast with your money before you realise there is no one coming to give you the gold.

BEST REGARDS
MR.AMOS ZONGO VILLAGE LEADER

And oddly I got another email from Amos Zongo about an hour ago, now claiming to be auditor general of the Bank of Africa and wanting to offload 16 million dollars. Gets around, does Mr Zongo. Interestingly the second scam email was addressed from "OUAGADOUGOU, BURKINA FASO" - the Bozeman, Montana of Mr Zongo's scam emails, evidently.

Posted at 8:28 PM | Comments (8) | TrackBack (1)

January 2, 2006

Referrer spammers

I got my site stats updated (apparently there's something wrong with the auto-update feature in the latest copy of cpanel, and I've been having to put in support tickets to get the stats updated) only to find that since the 29th, some lousy spammer's been crawling my site with their referrer set to several spam sites.

Coming from random IP addresses (probably open proxies or zombie computers), they burned through some 50mb of bandwidth on the 30th, all to spam a couple of sites in the referrer. And I don't even publish referrer stats for my site, so they wasted their time and my bandwidth for nothing.

An unrelated spammer also hit me recently: I had some odd referrers from a few other blogs - when I checked, the entries didn't have links to here on them (though one was clogged with comment spam), so I checked my logs and found it was Mr 61.234.149.52. He would hit my site once to load an entry page (with the referrer set to a random blog entry from elsewhere), then attempt to post to the comments script. As I've put a couple of extra commented-out <form> tags in my HTML, he was hitting the wrong URL and so didn't get anywhere. Fortunately he always came from the same IP address and so was dead easy to ban.

What a pain.

Posted at 5:23 PM | Comments (0)
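
The decoy-form trick in the entry above also gives a clean detection signal: nothing but a script scraping the raw HTML will ever POST to the action of a commented-out form. The following is an added example, not code from this weblog; the decoy path, the real comment path and the log lines are constructed for illustration, and the log is assumed to be in Apache "combined" format.

```python
import re
from collections import defaultdict

# Hypothetical path: the action of a commented-out <form>, which no browser
# ever submits; only scripts scraping the raw HTML will find and use it.
DECOY_PATH = "/cgi-bin/old-comments.cgi"

# Apache "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jan/2006:10:00:01 +1300] "GET /weblog/archives/000123.html HTTP/1.1" 200 5120 "http://blog.example/entry-9" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [02/Jan/2006:10:00:02 +1300] "POST /cgi-bin/old-comments.cgi HTTP/1.1" 404 210 "http://blog.example/entry-9" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [02/Jan/2006:10:05:40 +1300] "POST /cgi-bin/old-comments.cgi?x=1 HTTP/1.1" 404 210 "http://blog.example/entry-4" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [02/Jan/2006:10:06:00 +1300] "GET /weblog/archives/000123.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [02/Jan/2006:10:07:12 +1300] "POST /cgi-bin/comments.cgi HTTP/1.1" 200 300 "http://www.example.org/weblog/archives/000123.html" "Mozilla/5.0 (X11; Linux)"
garbage line that does not parse
"""

def decoy_hits(log_text, decoy_path=DECOY_PATH):
    """Return {ip: count} for POSTs to the decoy form action."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        # Ignore any query string when comparing paths.
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path == decoy_path:
            hits[m.group("ip")] += 1
    return dict(hits)

def ban_candidates(log_text, min_hits=1):
    """IPs with at least min_hits decoy POSTs, most active first."""
    hits = decoy_hits(log_text)
    return sorted((ip for ip, n in hits.items() if n >= min_hits),
                  key=lambda ip: (-hits[ip], ip))

if __name__ == "__main__":
    counts = decoy_hits(SAMPLE_LOG)
    for ip in ban_candidates(SAMPLE_LOG):
        print(ip, counts[ip])
```

The legitimate commenter at 198.51.100.7 posts to the real script and is never flagged, so the resulting list can feed a ban list without a false-positive review step.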
