
Alden Bates' Weblog

Spam Archives

February 23, 2006

Recently Received Correspondence

Princess Divine Kabore writes:

I am a female student from University of Burkina faso,Ouagadougou,I am 25 yrs old. I like any person who can be caring, loving and home oriented, I will love to have a long-term relationship with you and to know more about you. I would like to build up a solid foundation with you in time coming if you can be able to help me in this transaction.

[Dad died, left six and a half million being paid into Etruscan's Permit In burkina Faso.company(E.P.I.B.F)and Etruscan's Gold company]

Please, note that this transaction is 100% risk free and I hope to commence the transaction as quick as possible, I will send to you my picture as soon as I hear from you.

Yours sincereely,
PRINCESS DIVINE.

100% risk free, hmm? That's enough to convince me! Yes! All my 100% risk free transactions involve a complete stranger offering me 6 million dollars by email!

Ouagadougou? Again? Could Princess Divine merely be Amos Zongo in a dress? He must do it a lot (See also Princess Berryfeso and countless others I saw while googling)...

Mrs. Stella Castillo writes:

Please forgive me if this message comes to you as a surprise I was divinely inspired to pick your name among other names found in the Internet database, after series of prayers or Gods direction.

OMG! The INTERNET DATABASE! The internet has a database?

> select * from Internet where type="PR0N!"
4,563,786,549 rows returned

Hooray!

Posted at 11:09 PM | Comments (0)

January 25, 2006

"Proposal for Gold Sales" scam

I'm not even sure I know quite what this one is proposing...

GROUP VILLAGE ORGANIZATION Of EXTRACTION Of GOLD MOROVIA LIBERIA
WEST/AFRICA.

Mister/Madam,

PROPOSAL FOR GOLD SALES In our search for reliable associates in addition to-me, we obtained your contact by the Internet and we are impressed of your profile from there our interest in the management of the businesses with you. We are very sorry as this letter can surprise you. We are minors of group of village organized in gold based in the west africa in Republic of LIBERIA .

I'm shocked. What sort of people use minors to mine gold. Only adults should be miners!

Because of the difficulties of the government of liberia give a licence to the protocols in transactions of sale of gold and for the safety of our goods, we have successfully transferred (65kilos) from gold to the metal which is (purity of 99 % of 22 carats), being stored in the Agency Company for Safety Extracting in Ouagadougou in the Republic of Burkina Faso the West/Africa. Currently we seek the honourable foreign purchasers who will be able to accept and respect the agreement of trade and to treat the business with us. the case so more necessary.

Ummmmm... Tilt. There's a French version of the email included as well, and I suspect that the English version is simply the French version run through an autotranslator (the "minor" goof is present in both language versions). This portion of the email appears to suggest they couldn't get a mining licence and want to sell their gold under the table.

However our price is (6.500 $ per kilo) and the system of operation is after the analysis; the pleasant part of the quantité is paid to us here while one of our representatives will accompany the goods with his final destination for the balance payment or if possible with satisfaction, the quantité can be paid suddenly. The customer will be responsible for all the tax payments in Burkina - Faso in % well pleasant during the payment. The customer is welcome visit us in Burkina - Faso for the full insurance and the modus of operation. We will be happy to have joined and any of your favorable interested associate. You are welcome and hoping to receive news of you at his possible time more the first.

Translation: You give us $6,500 per kilogram of gold, we run away very fast with your money before you realise there is no one coming to give you the gold.

BEST REGARDS
MR.AMOS ZONGO VILLAGE LEADER

And oddly I got another email from Amos Zongo about an hour ago, now claiming to be auditor general of the Bank of Africa and wanting to offload 16 million dollars. Gets around, does Mr Zongo. Interestingly the second scam email was addressed from "OUAGADOUGOU, BURKINA FASO" - the Bozeman, Montana of Mr Zongo's scam emails, evidently.

Posted at 8:28 PM | Comments (8) | TrackBack (1)

January 2, 2006

Referrer spammers

I got my site stats updated (apparently there's something wrong with the auto-update feature in the latest copy of cpanel, and I've been having to put in support tickets to get the stats updated) only to find that since the 29th, some lousy spammer's been crawling my site with their referrer set to several spam sites.

Coming from random IP addresses (probably open proxies or zombie computers), they burned through some 50mb of bandwidth on the 30th, all to spam a couple of sites in the referrer. And I don't even publish referrer stats for my site, so they wasted their time and my bandwidth for nothing.

An unrelated spammer also hit me recently: I had some odd referrers from a few other blogs - when I checked, the entries didn't have links to here on them (though one was clogged with comment spam) so I checked my logs, and found it was Mr 61.234.149.52. He would hit my site once to load an entry page (with the referrer set to a random blog entry from elsewhere), then attempt to post to the comments script. As I've put a couple of extra commented-out <form> tags in my HTML, he was hitting the wrong URL and so didn't get anywhere. Fortunately he always came from the same IP address and so was dead easy to ban.

What a pain.

Posted at 5:23 PM | Comments (0)

December 29, 2005

Ivory Coast Scamster

A scamster writes: (excerpts only)

Dearest One,

Free your mind.

I am Mrs Elizabeth Kone, the wife of Mr.Willams Kone My Husband was a highly reputable business magnet-(a cocoa merchant)who operated in the capital of Ivory coast during his days.

...and in the nightclubs of Argentina as a flamenco dancer during his nights, not bad for a lump of magnetized metal (I think the word you're searching for is "magnate"...)

It is sad to say that he passed away mysteriously after one of his business trips abroad .Though his sudden death was linked or rather suspected to have been masterminded by his uncle who travelled with him at that time. But God knows the truth!

The butler did it! Come now, there was an autopsy, surely?

Before his death he called me in the hospital and told me that he has the sum of fifteen million,five hundred thousand United State Dollars in a trunk box(USD $5.5m ,000) Which he deposited in one of the Security company here in Cote D Ivoire Africa.

"USD $5.5m ,000" eh? That doesn't look at all suspicious! Come now, if you're going to send me a form letter, at least get the values in the input fields right.

Now I am just a widow with two children, and really don't know what to do now, I want an account overseas where I can transfer this funds. This is because I have suffered a lot of set backs as a result of incessant political crisis here in Ivory coast.The death of my Husband actually brought sorrow to my life.

... but joy to the lives of my three children. Wait, did I say three? I meant four children!

Now permit me to ask these few questions:-
1. Can you honestly help me as your widow?
2. Can I completely trust you?
3. What percentage of the total amount in question will be good for you after the money is been transferd in to your account?

1. You want to be my widow? That's very touching, but I'm not dead.
2. Not if you're making noises about wanting to be my widow!
3. My country has high taxes on large bank deposits. There should be a good $40 left by the time they've had at it. How about half and half? I could probably buy a CD with $20...

Please,Consider this and get back to me as soon as possible.

How about NO! HA!

Posted at 11:00 AM | Comments (4)

November 20, 2005

Spam Attack (The Return)

Yes, they're back, only they're no longer spamming the URLs of blogs. They appear to be spamming the URLs of lighthouse and quotation sites. Quite what the connection is here, I don't know, though I did spot at least one quotation site which allows comments, and which the spammers had hit...

Comment spam text examples:

I really appreciate what you're doing here. Very interesting site. although I am bringing a change of underwear: http;//www.aphids.com/cgi-bin/quotes.pl?act=ShowListingsForSub , Living well and beautifully and justly are all one thing , An investment in knowledge pays the best interest

Your site is exactly the kind of sites which make the net surfing so fun. Discontent makes rich men poor: http;//www.seathelights.com , when Cards is Soldier it will Lose Round How Linux thin-clients benefit schools , Soldier can Expect Soldier It's the other lousy two percent

Interesting use also of a rel="itsok" attribute on some of the links. Could be used in a text blacklist perhaps...

Posted at 9:15 PM | Comments (0)

November 15, 2005

My co-worker just bought a car...

What the hey?

I got a comment today with the text "I can't believe it, my co-worker just bought a car for $68517. Isn't that crazy!" from "Betsy Markum". Since it didn't have anything to do with the post in question and looked automated, I googled it, and it looks like Betsy has been posting the news on quite a few blogs, with different dollar amounts every time.

Looking at the logs didn't reveal anything notable: their tool doesn't have a user agent set, and the IP address resolves to a dyndns.org address. The only other hit from the same IP was on the 3rd, when it fetched the entry page (again with no user agent). Visiting the dyndns.org address gives a 818KB text file of what appear to be logs from router connections (infected networks?).

The comment didn't have any links with it, other than a yahoo email address. I don't get it. Walks like a spam, talks like a spam, but what's the payoff? Or is it just for car-ma? (d'oh!)

Posted at 6:18 PM | Comments (1)

October 27, 2005

Calling Fidel Yzageirre

My catch-all email box for tetrap.com seems to have exploded with spam. Usually it has a couple of dozen emails for people at tetraps.com, where the sender missed the S off, plus some hopeful spam sent to the webmaster address. But when I checked today, there were 170 messages, mostly spam, directed at one Fidel Yzaguirre. Google and Yahoo have two results for that name, but neither is of much help. The email address in question doesn't come up in a search on either engine...

Who is this mysterious Fidel Yzageirre, and why do dozens of spammers think he has a valid email address on my domain? Strange!

Posted at 6:00 PM | Comments (0)

October 17, 2005

More proof spammers are idiots

I got a spam today (well, an apparent spam, it could just be an incompetently written virus) which said:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.31</ADDRESS>
</BODY></HTML>

Woooo, leet spamming skillz there.

Posted at 7:19 PM | Comments (2)

October 12, 2005

Spam attack (part 2)

Further to my previous entry, several of the more recent spam attempts have been linked to casino sites - perhaps the spammer was hoping to slip them through in the general chaos of the spamming of links to blog entries? Spam Huntress mentioned this lot last month.

I really wish people would clean the spam off their blogs though. Take a look at the number of results for some of these queries:

It's no wonder they keep on spamming.

Edit: Renaming my comments script seems to have stymied them, for a while at least...

Posted at 8:32 PM | Comments (0)

October 9, 2005

Spam attack

A particularly annoying comment spammer seems to have decided to target my site - the same one who's been spamming legitimate blog URLs. I blocked a bunch of open proxies in my .htaccess file last night, but still had some 74 comments get through overnight. Of those, 38 ended up in the junk folder, 35 were moderated, and 1 got through.

I'd added some phrases to SpamLookup last night as well, but I must have done them wrong, as SpamLookup didn't match them in the comments. I changed the phrases to regular expressions instead, and hopefully that should lower the number of comments that escape the junk folder. I've also added a bunch more open proxies to the .htaccess, and (temporarily) lowered the limits for moderating/junking comments based on number of URLs.

The spams typically start with a piece of generic praise, some random gibberish, then a raw URL, and a piece of random text linked to another URL. The URLs are usually entries from innocent blogs (either the spammers are intending to spam those entries at a later date, or perhaps they just want to muddy the waters of spam blacklists). Example comment openings are:

  • your site is exactly the kind of sites which make the net surfing so fun. keep scrolling down for pastry cream recconsequentlyipe:
  • Just letting you know - your site is fantastic! 1 small clove garlic:
  • your site is a very nice source of info. extensive methods for this:
  • brilliant site! happy to be here. about a year ago i started:
  • Reading your content just made my day. Keep the good work. quilt Your fabric yoyo:

The text before the ':' seems to be used a lot, so adding those to blacklists should help. There's also a wee discussion going on in the comments of the spammed entries on Andrew's Blog.

Posted at 10:50 AM | Comments (3) | TrackBack (1)

September 15, 2005

Outing Spammers #3

Current trackback spammers attacking me:

  • 66.159.239.140 - using Snoopy v1.0
  • 69.50.187.242 - using Snoopy v1.2
  • 195.95.219.6 - using Net::Trackback/1.01
  • 85.255.113.78 - using Net::Trackback/1.01

Emailing 66.159.239.140's host doesn't appear to have done any good - their last spam attempt was on the 13th. 69.50.187.242 appears to be using a really old list of trackback urls to spam, as it's using the old mt-tb.cgi filename (which returns a 403). I'm also getting a lot of hits on entries using Net::Trackback/1.01 as a user agent from three IP addresses in the 69.50.*.* range, which resolve to .esthost.com. These may be the software collecting URLs to trackback spam.

85.255.113.78 is new and was first seen here on the 14th... The IP address doesn't resolve but five trackbacks got through to MT's junk folder, and registration info on the domain they spammed (incestpassion.net) is:

solar
Andre (en229933@yahoo.com)
Italy, Rome
Rome
null,2423423
IT
Tel. +34.3467####

I really hate when they have fake details. Takes the fun out of it. It was registered through estdomains.com. Yes, I think that explains the hits from esthost.com... BANNED!

Posted at 7:40 PM | Comments (2)

September 1, 2005

Outing Spammers #2

Subject: Mr 66.159.239.140 (porsche.elinuxservers.com), using the User agent "Snoopy v1.0", hitting ~5 times a day with trackback attempts. Now blocked in .htaccess.

Likely identity: using Network Solutions, I checked some of the domains he'd been spamming. They all had the following registration info:

Name: Maximilian Berkovich
Organization: Rasta Community
Street1: Ann Karelina street 123
City: DeepTown
Postal Code: 34543534
Country: Ethiopia
Phone: +21.4353XXXX
Email: admin@smokaz.com

Googling turned up no further information, and unfortunately there's not enough there to make a fake-or-not decision. Like Net::TrackBack, Snoopy v1.0 looks to be legitimate software twisted for evil use.

I took the liberty of emailing elinuxserver.com's admin address, but haven't had a response yet...

Posted at 11:10 PM | Comments (0)

August 24, 2005

Mo blog spamming

Here's an interesting comment spam attempt. The spammer loaded a post, then attempted to comment to it (in the same second) but fell for the fake comment form which normal surfers don't see because it's commented out in the source. The interesting part was that the referrer they used when fetching the post seemed to indicate that they had come from an email in a web-based mailbox. The spammers are sharing URLs, perhaps?
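The decoy-form trick described here (and in the January 2, 2006 entry) leaves a clear trace in the access log. The following is an added example, not code from this weblog: it scans combined-format log lines for POSTs to the decoy form's URL, a POST within seconds of the page load, and a missing user agent. The decoy path, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime

# Hypothetical: the action URL used only by the commented-out <form>.
DECOY_PATH = "/cgi-bin/comments-old.cgi"

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (Apache combined format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Aug/2005:18:01:07 +1200] "GET /blog/archives/000123.html HTTP/1.0" 200 5120 "http://blog.example/entry.html" "-"
192.0.2.10 - - [24/Aug/2005:18:01:07 +1200] "POST /cgi-bin/comments-old.cgi HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [24/Aug/2005:18:05:40 +1200] "GET /blog/archives/000123.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Aug/2005:18:09:12 +1200] "POST /cgi-bin/comments.cgi HTTP/1.1" 302 0 "http://site.example/blog/archives/000123.html" "Mozilla/5.0"
"""

def find_decoy_hits(log_text, max_gap_seconds=2):
    """Map IP -> sorted reasons it looks like a form-scraping bot."""
    last_get = {}   # IP -> time of its most recent GET
    flagged = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if m["method"] == "GET":
            last_get[ip] = ts
        elif m["method"] == "POST":
            reasons = set()
            if m["path"].split("?")[0] == DECOY_PATH:
                reasons.add("posted to decoy form")
            prev = last_get.get(ip)
            if prev is not None and (ts - prev).total_seconds() <= max_gap_seconds:
                reasons.add("posted within %ds of page load" % max_gap_seconds)
            if m["agent"] in ("", "-"):
                reasons.add("no user agent")
            # A decoy hit is conclusive alone; weaker signals need two to agree.
            if "posted to decoy form" in reasons or len(reasons) >= 2:
                flagged.setdefault(ip, set()).update(reasons)
    return {ip: sorted(r) for ip, r in flagged.items()}

def htaccess_deny_lines(flagged):
    """Render flagged IPs as Apache 'Deny from' lines for review before use."""
    return ["Deny from %s" % ip for ip in sorted(flagged)]

if __name__ == "__main__":
    hits = find_decoy_hits(SAMPLE_LOG)
    for ip, reasons in hits.items():
        print(ip, "->", "; ".join(reasons))
    print("\n".join(htaccess_deny_lines(hits)))
```

A real visitor never sees the commented-out form, so a POST to its URL has no innocent explanation; the timing and user-agent checks are weaker and are only acted on in combination.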

Also today I got around to banning Mr 195.95.219.6, who's been trackback spamming me for a while now using the user agent "Net::Trackback/1.01". I'm not banning on user agent as Net::Trackback appears to be a Perl project to enable people to create Trackback applications more easily and therefore it's not necessarily true that anyone using it will be a spammer. I wonder if the creator knows his work is being used for evil purposes. This spammer appears to be using one IP address all the time, so until they discover open proxies, I'll be safe from them for a while.

With the increasing amount of trackback spam, it's no wonder people are claiming Trackback is dead. So far, over the life of this weblog, I've had one legitimate trackback... Of course, I probably just need to be more interesting. :) I don't think trackback is dead, I think it just needs to adapt.

Posted at 6:23 PM | Comments (0)

July 11, 2005

Spammers are idiots

I discovered today that one particular spammer seems to be attempting to use the feedback script on the NZDWFC site to send spam. They have some sort of program set up to post crap to it, which is hitting my site daily, sometimes up to 30 times in the same day.

Sadly, because of the way they're calling the script, all they get back is a permanent redirect, which they're not bothering to follow, therefore it never actually gets to the point where the script runs. Of course, if they did follow the redirection, my script would give them a nice Access Denied error for being a spammer, but they don't know that unless they try it.

Idiots.

I see the features for Movable Type 3.2 include some nice spam-fighting stuff, like Trackback moderation and some sort of junk folder. I have my fingers crossed for OpenID support, but I suspect it won't appear until the next release...

Posted at 10:11 PM | Comments (0)

June 2, 2005

Blog Spam status report

First trackback spam in a while got through today... It managed to get past MT-Blacklist, but was moderated by MT-Moderate before it could appear on the entry.

At least (as far as I can tell from my logs anyway) the Bulgarians have given up trying to comment spam me constantly - the last hit from that was around the 16th of last month. The .htaccess filters I got from Spamhuntress' site were pretty much blocking their hits...

It looks like they're concentrating on trying to trackback spam me - I'm still getting plenty of spam trackback pings, though I don't think the one that got through was from them... Many of the pings are coming through alestra.net.mx, which I have blocked in .htaccess, of course. Those pings which have gotten through have been stopped by MT-Blacklist.

I have a regex set up in MT-Blacklist which stops all of their trackbacks. The software they're using generates random sentences all in the same format using a small collection of phrases:
(check|visit|check out) (the|some) (sites|pages|relevant pages|helpful info|information) (in the field of|dedicated to|about)

808 hits blocked so far (though that's not accurate because I refined the regex a couple of times). I'd like to just block pings with links in the body, but (a) I'm not sure if that would block valid pings, and (b) MT-Blacklist doesn't have any way to specify comment versus trackback or specific fields thereof.
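What the post wishes MT-Blacklist could do, sketched as an added example (not MT-Blacklist code and not code from this weblog): the regex above is rebuilt from its phrase lists, every sentence the generator can produce is enumerated, and rules are applied per submission type and field. The field names "excerpt" and "text", the verdict names, the URL limit and the sample texts are assumptions.

```python
import itertools
import re

# The phrase lists from the regex quoted in the post, one tuple per slot.
PARTS = [
    ("check", "visit", "check out"),
    ("the", "some"),
    ("sites", "pages", "relevant pages", "helpful info", "information"),
    ("in the field of", "dedicated to", "about"),
]
PATTERN = " ".join("(" + "|".join(p) + ")" for p in PARTS)
# Assumption: matched case-insensitively so capitalised variants are caught.
TEMPLATE = re.compile(PATTERN, re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)

def template_variants():
    """Every sentence opening the spam tool can build from these phrases."""
    return [" ".join(combo) for combo in itertools.product(*PARTS)]

def classify(kind, fields, max_comment_urls=2):
    """Return (verdict, reason) for a 'trackback' or 'comment' submission.

    Only the body field is inspected: 'excerpt' for trackbacks and 'text'
    for comments (assumed field names), so rules can differ per type.
    """
    field = "excerpt" if kind == "trackback" else "text"
    body = fields.get(field, "")
    if TEMPLATE.search(body):
        return ("junk", "generated template sentence in " + field)
    urls = URL.findall(body)
    # The post is unsure whether valid pings carry links in the body, so
    # a link is held for moderation rather than junked outright.
    if kind == "trackback" and urls:
        return ("moderate", "link in trackback excerpt")
    if kind == "comment" and len(urls) > max_comment_urls:
        return ("moderate", "%d URLs in comment" % len(urls))
    return ("publish", "no rule matched")

if __name__ == "__main__":
    # Constructed sample submissions.
    samples = [
        ("trackback", {"excerpt": "You can visit the pages about card games"}),
        ("trackback", {"excerpt": "My follow-up: http://blog.example/reply"}),
        ("trackback", {"excerpt": "A response to your Doctor Who review."}),
        ("comment", {"text": "I'll visit the site again later, nice post."}),
    ]
    print(len(template_variants()), "possible generated openings")
    for kind, fields in samples:
        print(kind, classify(kind, fields))
```

The generator's whole output space is only 90 sentence openings, which is why a single regex covers it.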

I'm also tempted to try hacking MT-Blacklist to return a 403 when it blocks a ping, on the off-chance it might discourage the spammers further...

Posted at 9:17 PM | Comments (3)
