MainDoctor WhoMusicSoftware
Main Page

Alden Bates' Weblog

Spam Archives

Page 2 of 4

November 19, 2006

Yet another event to base a scam on

Dear Friend,
I am Mrs. SUHA ARAFAT, the wife of YASSER ARAFAT, the Palestinian leader who died in Paris. Since his death and even prior to the announcement, I have been thrown into a state of antagonism,confusion,humiliation, frustration and hopelessness by the present leadership of the Palestinian Liberation Organization and the new Prime Minister. I have even been subjected to physical and psychological torture. As a widow that is so traumatized, I have lost confidence with everybody in the country at the moment You must have heard over the media reports and the Internet on the discovery of some fund in my husband secret bank account and ompanies and the allegations of some huge sums of money deposited by my husband in my name of which I have refuses to disclose or give up to the corrupt Palestine Government. In fact the total sum allegedly discovered by the Government so far is in the tune of about $6.5 Billion Dollars. And they are not relenting on their effort to make me poor for life. As you know, the Moslem community has no regards for woman, hence my desire for a foreign assistance. You can visit the BBC news broadcast below for better understanding of what I am talking about.

Snip the usual spiel about helping her transfer $6 million out of the country. You'll notice from these two news reports that the authorities are already investigating the whole issue, so actually getting involved at this point would be very silly. Also, although the initial email came from, the email later says to reply via

At the very bottom there's a sig that start out "Mrs Suha Arafat has sent you a link to a page on, the site about nonfiction narrative." and contains a link to a page on that site, indicating whoever send this used the "email this review" feature they have there.

Site owners, please make sure that if you have a feature which allows people to send emails, that it can't be misused!

Posted at 9:37 PM | Comments (3)

September 25, 2006

Spamming through search forms

I've had a few occasions where people have used the MT search.cgi form to search for URLs. Since they've been the only hit I've gotten from that URL (no graphics or style sheets) I suspect it's the work of a spammer. Why though? Are there sites which are publishing the searches made through their search form (other than AOL that is...)? If so, the URLs are unlikely to be published linked.

Domain #1: COMLIVE.BIZ, which is registered to "Mesalina Poling", however the email address attached to that is an admin address for a domain registered to Maximilian Berkovich.

Domain #2: WANTISPYWARE.INFO, registered to "Alexey Andreychenko", Moskva, Tverskaya str., Russia. A search on the email address ( gave me a forum where he's been spamming and the alias "Rukhmanov Sergey".

Also there was a case where someone searched for a <script> tag, presumably trying to inject javascript into my pages. The <script> tag called a javascript file on another domain which redirected the user to google, but could easily have redirected the user to any number of nasties.

Posted at 11:18 PM | Comments (3)

August 29, 2006

"No, really, I DO have used rail..."

Someone googling for railway line buyers found my post back in July and apparently decided that I was, in fact, an interested buyer. I guess the word "scam" in the title was too subtle to tip them off.

... right.

Posted at 8:20 PM | Comments (2)

August 13, 2006

SORBS vs reporting spam

I like reporting spammers. It's fun knocking out their web sites when they spam me.

I tried doing that just now when I got one on the NZDWFC message board, and got this response back:
Diagnostic-Code: smtp; 554 5.7.1 Rejected found in

Looks like Xtra's mail server has been added to SORBS. I'm sending the spam report again via gmail, along with a suggestion they might want to switch to a better system for blocking spams.

[Previously: SORBS strikes back]

Posted at 5:21 PM | Comments (0)

July 20, 2006

The Bank of Africa's money problems

You may recall a while back I got two emails from Amos Zongo, one about some gold he had, and another claiming he was the Auditor General of the Bank of Africa looking for some foreigner to offload $16 million with.

I just got another email from Amos, who is now a doctor and the bill and exchange manager, and has $25 million lying around. Sadly for Dr Zongo, two important pieces of information in his email suggest he's already too late:

"...In an account that belongs to one of our foreign customer who died along with his entire family in November 2000 in a plane crash."
"The Banking law and guideline here stipulates that if such money remained unclaimed after FIVE years, the money will be transferred into the Bank treasury as unclaimed fund."

Missed by 8 months! How sad!

Oddly enough, I got an email a while back from one Dada Oman, who also claimed to be the bill and exchange manager at the Bank of Africa, and has some $20 million handy...

Posted at 11:09 PM | Comments (2)

July 14, 2006

Used Railway Line scam?!

I swear, these scams are getting more and more bizarre.

From: "babiya traore"
Subject: USED RAILS (R50-R65) FOR SALE
Date: Thu, 13 Jul 2006 10:47:53 +0000

Dear Sir/Madam,


Our company is the direct selling mandates to Burkina Faso Railway Corporation and have in stock up to 1.4 Million Metric Tons of Used Rails (R50-R65) for clearance sale, at very reasonable prices. the available rails are located in five different Rail Yards in the country.

This clearance sale is necessitated by the impending privatization of the Corporation and the need to decongest our rail yards in preparation for the privatization.

Prices are negotiable on FOB, CNF and CIF basis. Site inspection, physical verification and confirmation of product quality and quantity are allowed before signing of contract. Offers are invited from serious end buyers or Agents that has access to serious potential end users/buyers


[Address snipped]

WTF would I want with 1.4 million tons of used rails? Are they simply spamming as many people as they can in the hopes of hitting someone with a pressing need to build a railway?

Posted at 6:31 PM | Comments (15)

July 6, 2006

Forex spam

I've been being hit recently by a spammer using urls of the form and using a botnet to avoid giving away their IP address. Fortunately the spammer's stupid script was thrown by a decoy comment form, thus no comments reached my weblog. The target URLs all redirect to this site which has probably fake details:

forex-broker-list dot com
Alexey Petrov (
Lenina st. 45
Sochi, 567843

Forex is not Australian beer, BTW, but is short for "foreign exchange".

I suspect that this may be related to an event that occurred late last month when someone unleashed a spider on my site. The spider's user-agent (which had HTML in it. Urgh) included the text "Forex Trading Network Organization" and a link to netforex dot org, a site which currently consists of a front page with a non-functional search form and a broken link to a directory. IncrediBILL wrote about the netforex bot at the time of the spidering.

Posted at 9:41 PM

June 4, 2006

oncasinogame spammer

This comment spammer has been hitting my weblog the last couple of days. An attack involves him hitting the same post a dozen times or so and posting a handful of spam comments. The comments all look the same:

Hi, guys. Very nice site! I saw some interesting pages:

(ten links using [url= format)
(ten links using <a href= format)
(ten bare URLs)
Please look it! Thank.

The comments are all signed "Aariz (". Both the and domains he uses are hosted in Dallas, Texas, and have the same whois information:

alex gudsf (
tverskay street 43

Only a google search for turned up anything other than spam, but the pages are all in Russian, which I can't read. Though one included an ICQ number which had little extra information other than the nickname "Scrim", and he's been posting on a Russian forum as "dimvols".

Posted at 11:48 AM | Comments (0)

May 27, 2006

Interesting referrer spam

I had 4 hits on a page all from the same IP address with completely different user agents. Two of the referrers were of the form - visiting them just resulted in an error, so it's hard to see what use they'd be. The other two were Google searches for "freesmscenter" and for a phrase in Russian. Seems sorta odd to me, seeing as most stats software seems to represent hits from Google searches as just the search text itself. Presumably the spam was promoting the sites at the top of the results for those phrases, but it seems a very roundabout way of doing it...

Posted at 1:39 PM | Comments (2)

May 19, 2006

Public Service Announcement

If you installed Blue Security's Blue Frog software, you should uninstall it ASAP. Spammers may be able to get control of it any use it to attack other sites or do other nefarious things.

Posted at 7:26 PM | Comments (0)

May 16, 2006

Message board spam!

I'm shocked! The NZDWFC general message board got a spam post! Usually spammers don't bother because the forums are blocked from search engines. Of course the anti-spam measures in the board software caught it before it could appear on the site.

The URLs spammed included a smattering of, some MSN spaces, a rapidforum, a bravenet guestbook, a Chinese wiki, and a number of subdomains on and Both of these domains are registered to one Jar Duchovni who claims to live on 127 Duane St, New York, but the IP address the spam came from appears to be in Israel (on Don't know any more information on this spammer, other than he seems to be spamming mainly guestbooks and message boards.

Posted at 10:58 PM | Comments (3)

May 1, 2006

Spam post #456345672

I got a spam comment today with the following text in it:

My 20 year old said to me the other day that when he grows up, he's going to be a "real entrepreneur, like you used to be." When I asked him why I was no longer a "real" entrepreneur, he said it was because I wasn't making a lot of money. I guess it's more transparent now -- the cash side of things -- since he saw the rewards of a lot of hard work. But we had a long talk about why I am an entrepreneur and what it is that motivates me -- my love of what I do, the flexibility, mature sex creating something and watching it grow. Maybe too often, people look at bootstrapping or being an entrepreneur or "doing your own thing" as something "cool" without realizing the energy, love, angst and tenacity that it requires to succeed.

Which only struck me funny because they're spamming a sex site using text which includes phrases like "watching it grow". Yes, I am 12. Not sure where the text originates from, since searching for bits of it just turn up spammed forum and blog entries.

The spammed domain is owned by someone calling themselves Anry who's provided an address in the Donetsk region of the Ukraine (Any relation?). Looks like they're heavily penalised in Google. So sad.

Posted at 7:43 PM | Comments (0)

April 10, 2006

Today's spam

Today's spam quoted the blurb for Ice Age 2 for no apparent reason:

NEWS MOVIES - The Ice Age is coming to an end, and the animals are delighting in the melting paradise that is their new world. Manny, Sid, and Diego quickly learn that the warming climate has one major drawback: a huge glacial dam is about to break, threatening the entire valley.

and had a humorous typo in the user agent: Mozilla/4.0 (compatible; MSIE 5.01; Widows NT)

I thought for a moment when I checked out the registration info for the portal domain they spammed (which has broken graphics all over it) that I had a fellow NZer trying to spam me, but the address and probably the name turned out to be fake:
  Holdings NZ Ltd
  Patrick Rinsvelt (
  35 Hobson Street
  Not Applicable,10010
(The address is that of the Heritage Auckland Hotel, and Auckland is definitely not on Norfolk Island)

The IP address, which I suspect is the spammers, is allocated to the Latin American and Caribbean IP address Regional Registry in Uraguay. Googling for identical spam only turned up very few relatively recent spams, so their is probably either a new spammer or an old one using a new style...

Posted at 9:44 PM | Comments (0)

April 6, 2006

The War Against Spam Part 2

My apologies, one of the points in the MO described in the entry for Mike Tison last time is actually the MO of Alexander Morozov. Morozov is the one clusterbombing pages.

Alexander Morozov

  • Comment spams with porn URLs. He and the Bulgarians are together responsible for most of the spam hits on my site.
  • Has a script which is easily fooled by my on-page measures, but cluster-bombs and loads entries a lot which uses bandwidth.
  • As well as the above, the queries he makes to the comment script can be over 11kb in length, including the text twice as a text parameter and a comment parameter. Other parameters used include sk2_time, sk2_my_js_check1, currency_code, business, domains, and item_name. May be a multi-purpose script.
  • .com domains spammed: novusdelta, legacyart
  • .org domains spammed: holyroodarchaeology
  • see also: Spamhuntress Wiki: Dyakon (He's using a (fake?) New York address in domain registrataions now)

Other .com domains spammed:

  • 888pokerguru via comment, registered to "Liron Snir" in Israel.
  • homeequityloan-zz via trackback, registered to "Javier Navarrete" in Florida (See also: Spamhuntress Wiki: Florida comcast spammer)
  • northvip via comment, registered to "Somer" ( in Minsk, Belarus

The "Liron Snir" spam actually got to the point where it was almost posted! The domain's now in my blacklist of course.

Posted at 8:49 PM | Comments (2)

April 4, 2006

The War Against Spam

So, what losers do we currently have trying to spam attack my weblog?

The Bulgarian twins

  • Two attack modes:
    1. Irregularly referrer spams, always to the same URL on my site, mostly poker-related URLs but also some financial/pill sites. Easy to block at the .htaccess level.
    2. They've been hitting mt-tb.cgi fairly constantly, despite getting error 403s (I renamed the script over a year ago).
  • Registration info leads back to and which both resolve to the same IP as (See previous post on the Bulgarian twins).
  • See also: Chris's Wiki: Those amusing Referer spammers

Kazakhstan spammer Timur Tasbulatov

Russian spammer Mike Tison

  • Comment spams with porn URLs.
  • Has a script which is easily fooled by my on-page measures, but cluster-bombs and loads entries a lot which uses bandwidth.
  • He attempted to spam me using an MSN spaces URL, but the email address used is identical to one I found spamming a subdomain domain. That domain uses name servers belonging to one of the domains on the page linked below.
  • See also : Spamhuntress Wiki: Mike Tison

But, despite all that, I remain spam free.

Posted at 10:45 PM | Comments (0)

1 2 3 4

Categories Site Map