
Alden Bates' Weblog

Spam Archives


December 29, 2005

Ivory Coast Scamster

A scamster writes: (excerpts only)

Dearest One,

Free your mind.

I am Mrs Elizabeth Kone, the wife of Mr.Willams Kone My Husband was a highly reputable business magnet-(a cocoa merchant)who operated in the capital of Ivory coast during his days.

...and in the nightclubs of Argentina as a flamenco dancer during his nights, not bad for a lump of magnetized metal (I think the word you're searching for is "magnate"...)

It is sad to say that he passed away mysteriously after one of his business trips abroad .Though his sudden death was linked or rather suspected to have been masterminded by his uncle who travelled with him at that time. But God knows the truth!

The butler did it! Come now, there was an autopsy, surely?

Before his death he called me in the hospital and told me that he has the sum of fifteen million,five hundred thousand United State Dollars in a trunk box(USD $5.5m ,000) Which he deposited in one of the Security company here in Cote D Ivoire Africa.

"USD $5.5m ,000" eh? That doesn't look at all suspicious! Come now, if you're going to send me a form letter, at least get the values in the input fields right.

Now I am just a widow with two children, and really don't know what to do now, I want an account overseas where I can transfer this funds. This is because I have suffered a lot of set backs as a result of incessant political crisis here in Ivory coast.The death of my Husband actually brought sorrow to my life.

... but joy to the lives of my three children. Wait, did I say three? I meant four children!

Now permit me to ask these few questions:-
1. Can you honestly help me as your widow?
2. Can I completely trust you?
3. What percentage of the total amount in question will be good for you after the money is been transferd in to your account?

1. You want to be my widow? That's very touching, but I'm not dead.
2. Not if you're making noises about wanting to be my widow!
3. My country has high taxes on large bank deposits. There should be a good $40 left by the time they've had at it. How about half and half? I could probably buy a CD with $20...

Please,Consider this and get back to me as soon as possible.

How about NO! HA!

Posted at 11:00 AM | Comments (4)

November 20, 2005

Spam Attack (The Return)

Yes, they're back, only they're no longer spamming the URLs of blogs. They appear to be spamming the URLs of lighthouse and quotation sites. Quite what the connection is here, I don't know, though I did spot at least one quotation site which allows comments, and which the spammers had hit...

Comment spam text examples:

I really appreciate what you're doing here. Very interesting site. although I am bringing a change of underwear: http;//www.aphids.com/cgi-bin/quotes.pl?act=ShowListingsForSub , Living well and beautifully and justly are all one thing , An investment in knowledge pays the best interest

Your site is exactly the kind of sites which make the net surfing so fun. Discontent makes rich men poor: http;//www.seathelights.com , when Cards is Soldier it will Lose Round How Linux thin-clients benefit schools , Soldier can Expect Soldier It's the other lousy two percent

Interesting use also of a rel="itsok" attribute on some of the links. Could be used in a text blacklist perhaps...

Posted at 9:15 PM | Comments (0) | TrackBack (1)

November 15, 2005

My co-worker just bought a car...

What the hey?

I got a comment today with the text "I can't believe it, my co-worker just bought a car for $68517. Isn't that crazy!" from "Betsy Markum". Since it didn't have anything to do with the post in question and looked automated, I googled it, and it looks like Betsy has been posting the news on quite a few blogs, with different dollar amounts every time.

Looking at the logs didn't reveal anything notable: their tool doesn't have a user agent set, and the IP address resolves to a dyndns.org address. The only other hit from the same IP was on the 3rd, when it fetched the entry page (again with no user agent). Visiting the dyndns.org address gives a 818KB text file of what appear to be logs from router connections (infected networks?).

The comment didn't have any links with it, other than a yahoo email address. I don't get it. Walks like a spam, talks like a spam, but what's the payoff? Or is it just for car-ma? (d'oh!)

Posted at 6:18 PM | Comments (1)

October 27, 2005

Calling Fidel Yzageirre

My catch-all email box for tetrap.com seems to have exploded with spam. Usually it has a couple of dozen emails for people at tetraps.com, where the sender missed the S off, plus some hopeful spam sent to the webmaster address. But when I checked today, there were 170 messages, mostly spam, directed at one Fidel Yzaguirre. Google and Yahoo have two results for that name, but neither is of much help. The email address in question doesn't come up in a search on either engine...

Who is this mysterious Fidel Yzageirre, and why do dozens of spammers think he has a valid email address on my domain? Strange!

Posted at 6:00 PM | Comments (0)

October 17, 2005

More proof spammers are idiots

I got a spam today (well, an apparent spam, it could just be an incompetently written virus) which said:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.31</ADDRESS>
</BODY></HTML>

Woooo, leet spamming skillz there.

Posted at 7:19 PM | Comments (2)

October 12, 2005

Spam attack (part 2)

Further to my previous entry, several of the more recent spam attempts have been linked to casino sites - perhaps the spammer was hoping to slip them through in the general chaos of the spamming of links to blog entries? Spam Huntress mentioned this lot last month.

I really wish people would clean the spam off their blogs though. Take a look at the number of results for some of these queries:

It's no wonder they keep on spamming.

Edit: Renaming my comments script seems to have stymied them, for a while at least...

Posted at 8:32 PM | Comments (0) | TrackBack (1)

October 9, 2005

Spam attack

A particularly annoying comment spammer seems to have decided to target my site - the same one who's been spamming legitimate blog URLs. I blocked a bunch of open proxies in my .htaccess file last night, but still had some 74 comments get through overnight. Of those, 38 ended up in the junk folder, 35 were moderated, and 1 got through.

I'd added some phrases to SpamLookup last night as well, but I must have done them wrong, as SpamLookup didn't match them in the comments. I changed the phrases to regular expressions instead, and hopefully that should lower the number of comments that escape the junk folder. I've also added a bunch more open proxies to the .htaccess, and (temporarily) lowered the limits for moderating/junking comments based on number of URLs.

The spams typically start with a piece of generic praise, some random gibberish, then a raw URL, and a piece of random text linked to another URL. The URLs are usually entries from innocent blogs (either the spammers are intending to spam those entries at a later date, or perhaps they just want to muddy the waters of spam blacklists). Example comment openings are:

  • your site is exactly the kind of sites which make the net surfing so fun. keep scrolling down for pastry cream recconsequentlyipe:
  • Just letting you know - your site is fantastic! 1 small clove garlic:
  • your site is a very nice source of info. extensive methods for this:
  • brilliant site! happy to be here. about a year ago i started:
  • Reading your content just made my day. Keep the good work. quilt Your fabric yoyo:

The text before the ':' seems to be used a lot, so adding those to blacklists should help. There's also a wee discussion going on in the comments of the spammed entries on Andrew's Blog.

Posted at 10:50 AM | Comments (3) | TrackBack (1)
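
The filtering described in the post above (phrase regexes for the praise openings, plus limits on the number of URLs), sketched as an added example that is not part of the original post and is not SpamLookup's own code. The two URL limits, the rule that a praise opening plus any URL is junked, and the sample comments are assumptions made for the illustration.

```python
import re

# Openings quoted in the post (the text before the ':'), matched case-insensitively.
PRAISE_OPENINGS = [
    "your site is exactly the kind of sites which make the net surfing so fun",
    "just letting you know - your site is fantastic",
    "your site is a very nice source of info",
    "brilliant site! happy to be here",
    "reading your content just made my day",
]
PRAISE_RE = re.compile("|".join(re.escape(p) for p in PRAISE_OPENINGS), re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Assumed limits; the post only says the URL limits were lowered temporarily.
MODERATE_AT_URLS = 2
JUNK_AT_URLS = 4

# Constructed samples; the hosts are placeholders.
SPAM_COMMENT = (
    "Your site is exactly the kind of sites which make the net surfing so fun. "
    "1 small clove garlic: http://blog.example.invalid/archives/12.html , "
    '<a href="http://casino.example.invalid/">quilt Your fabric yoyo</a>'
)
LEGIT_COMMENT = "The plugin docs are at http://docs.example.invalid/spamlookup if anyone needs them."
PRAISE_ONLY = "Brilliant site! Happy to be here."


def classify_comment(text):
    """Return (verdict, reasons); verdict is 'publish', 'moderate' or 'junk'."""
    url_count = len(URL_RE.findall(text))
    praise = PRAISE_RE.search(text) is not None
    reasons = []
    if praise:
        reasons.append("known praise opening")
    if url_count >= MODERATE_AT_URLS:
        reasons.append(f"{url_count} URLs")
    # A known opening followed by any link is the pattern the post describes.
    if url_count >= JUNK_AT_URLS or (praise and url_count >= 1):
        return "junk", reasons
    if reasons:
        return "moderate", reasons
    return "publish", reasons


if __name__ == "__main__":
    for sample in (SPAM_COMMENT, LEGIT_COMMENT, PRAISE_ONLY):
        print(classify_comment(sample))
```

Praise with no link is only held for moderation, so a genuine compliment is delayed rather than discarded.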

September 15, 2005

Outing Spammers #3

Current trackback spammers attacking me:

  • 66.159.239.140 - using Snoopy v1.0
  • 69.50.187.242 - using Snoopy v1.2
  • 195.95.219.6 - using Net::Trackback/1.01
  • 85.255.113.78 - using Net::Trackback/1.01

Emailing 66.159.239.140's host doesn't appear to have done any good - their last spam attempt was on the 13th. 69.50.187.242 appears to be using a really old list of trackback URLs to spam, as it's using the old mt-tb.cgi filename (which returns a 403). I'm also getting a lot of hits on entries using Net::Trackback/1.01 as a user agent from three IP addresses in the 69.50.*.* range, which resolve to .esthost.com. These may be the software collecting URLs to trackback spam.

85.255.113.78 is new and was first seen here on the 14th... The IP address doesn't resolve but five trackbacks got through to MT's junk folder, and registration info on the domain they spammed (incestpassion.net) is:

solar
Andre (en229933@yahoo.com)
Italy, Rome
Rome
null,2423423
IT
Tel. +34.3467####

I really hate when they have fake details. Takes the fun out of it. It was registered through estdomains.com. Yes, I think that explains the hits from esthost.com... BANNED!

Posted at 7:40 PM | Comments (2)

September 1, 2005

Outing Spammers #2

Subject: Mr 66.159.239.140 (porsche.elinuxservers.com), using the User agent "Snoopy v1.0", hitting ~5 times a day with trackback attempts. Now blocked in .htaccess.

Likely identity: using Network Solutions, I checked some of the domains he'd been spamming. They all had the following registration info:

Name: Maximilian Berkovich
Organization: Rasta Community
Street1: Ann Karelina street 123
City: DeepTown
Postal Code: 34543534
Country: Ethiopia
Phone: +21.4353XXXX
Email: admin@smokaz.com

Googling turned up no further information, and unfortunately there's not enough there to make a fake-or-not decision. Like Net::TrackBack, Snoopy v1.0 looks to be legitimate software twisted for evil use.

I took the liberty of emailing elinuxserver.com's admin address, but haven't had a response yet...

Posted at 11:10 PM | Comments (0) | TrackBack (1)

August 24, 2005

Mo blog spamming

Here's an interesting comment spam attempt. The spammer loaded a post, then attempted to comment to it (in the same second) but fell for the fake comment form which normal surfers don't see because it's commented out in the source. The interesting part was that the referrer they used when fetching the post seemed to indicate that they had come from an email in a web-based mailbox. The spammers are sharing URLs, perhaps?

Also today I got around to banning Mr 195.95.219.6, who's been trackback spamming me for a while now using the user agent "Net::Trackback/1.01". I'm not banning on user agent as Net::Trackback appears to be a Perl project to enable people to create Trackback applications more easily and therefore it's not necessarily true that anyone using it will be a spammer. I wonder if the creator knows his work is being used for evil purposes. This spammer appears to be using one IP address all the time, so until they discover open proxies, I'll be safe from them for a while.

With the increasing amount of trackback spam, it's no wonder people are claiming Trackback is dead. So far, over the life of this weblog, I've had one legitimate trackback... Of course, I probably just need to be more interesting. :) I don't think trackback is dead, I think it just needs to adapt.

Posted at 6:23 PM | Comments (0) | TrackBack (1)
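
The signals mentioned in the post above and in the November 15 entry (a POST to the decoy form, a comment posted in the same second as the page load, a missing user agent) can be pulled out of an access log. This is an added example, not part of the original posts: the two script paths, the two-second threshold and the log lines are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

DECOY_PATH = "/cgi-bin/old-comments.cgi"   # hypothetical target of the commented-out form
COMMENT_PATH = "/cgi-bin/comments.cgi"     # hypothetical real comment script
MIN_READ_SECONDS = 2                       # assumed: nobody reads and types this fast

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Aug/2005:18:01:07 +1200] "GET /blog/archives/000123.html HTTP/1.0" 200 9120 "http://mail.example.invalid/inbox?msg=42" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [24/Aug/2005:18:01:07 +1200] "POST /cgi-bin/old-comments.cgi HTTP/1.0" 200 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [24/Aug/2005:18:05:00 +1200] "GET /blog/archives/000123.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.0.6"
198.51.100.7 - - [24/Aug/2005:18:07:41 +1200] "POST /cgi-bin/comments.cgi HTTP/1.1" 302 0 "http://www.example.invalid/blog/archives/000123.html" "Mozilla/5.0 (X11; Linux) Firefox/1.0.6"
203.0.113.5 - - [24/Aug/2005:18:09:12 +1200] "POST /cgi-bin/comments.cgi HTTP/1.0" 200 310 "-" "-"
"""


def flag_clients(log_text):
    """Return {ip: sorted list of reasons} for clients that behave like comment bots."""
    last_get = {}                 # ip -> time of that client's most recent GET
    flags = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        ip, path = m["ip"], m["path"].split("?")[0]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["agent"] in ("", "-"):
            flags[ip].add("no-user-agent")
        if m["method"] == "GET":
            last_get[ip] = ts
        elif m["method"] == "POST" and path in (DECOY_PATH, COMMENT_PATH):
            if path == DECOY_PATH:
                flags[ip].add("posted-to-decoy-form")
            seen = last_get.get(ip)
            if seen is None:
                flags[ip].add("post-without-page-load")
            elif (ts - seen).total_seconds() < MIN_READ_SECONDS:
                flags[ip].add("posted-within-seconds-of-load")
    return {ip: sorted(reasons) for ip, reasons in flags.items()}


if __name__ == "__main__":
    for ip, reasons in flag_clients(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The visitor who took more than two minutes between loading the entry and posting is not flagged at all.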

July 11, 2005

Spammers are idiots

I discovered today that one particular spammer seems to be attempting to use the feedback script on the NZDWFC site to send spam. They have some sort of program set up to post crap to it, which is hitting my site daily, sometimes up to 30 times in the same day.

Sadly, because of the way they're calling the script, all they get back is a permanent redirect, which they're not bothering to follow, therefore it never actually gets to the point where the script runs. Of course, if they did follow the redirection, my script would give them a nice Access Denied error for being a spammer, but they don't know that unless they try it.

Idiots.

I see the features for Movable Type 3.2 include some nice spam-fighting stuff, like Trackback moderation and some sort of junk folder. I have my fingers crossed for OpenID support, but I suspect it won't appear until the next release...

Posted at 10:11 PM | Comments (0)

June 2, 2005

Blog Spam status report

First trackback spam in a while got through today... It managed to get past MT-Blacklist, but was moderated by MT-Moderate before it could appear on the entry.

At least (as far as I can tell from my logs anyway) the Bulgarians have given up trying to comment spam me constantly - the last hit from that was around the 16th of last month. The .htaccess filters I got from Spamhuntress' site were pretty much blocking their hits...

It looks like they're concentrating on trying to trackback spam me - I'm still getting plenty of spam trackback pings, though I don't think the one that got through was from them... Many of the pings are coming through alestra.net.mx, which I have blocked in .htaccess, of course. Those pings which have gotten through have been stopped by MT-Blacklist.

I have a regex set up in MT-Blacklist which stops all of their trackbacks. The software they're using generates random sentences all in the same format using a small collection of phrases:
(check|visit|check out) (the|some) (sites|pages|relevant pages|helpful info|information) (in the field of|dedicated to|about)

808 hits blocked so far (though that's not accurate because I refined the regex a couple of times). I'd like to just block pings with links in the body, but (a) I'm not sure if that would block valid pings, and (b) MT-Blacklist doesn't have any way to specify comment versus trackback or specific fields thereof.

I'm also tempted to try hacking MT-Blacklist to return a 403 when it blocks a ping, on the off-chance it might discourage the spammers further...

Posted at 9:17 PM | Comments (3)
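
The post above wishes for rules that can be limited to trackbacks or to specific fields, and for a 403 on a blocked ping. The sketch below shows that idea as an added example; it is not part of the original post and is not how MT-Blacklist works. The Rule structure, the link rule, case-insensitive matching and the sample pings are assumptions; the phrase pattern is the one quoted in the post.

```python
import re
from dataclasses import dataclass

# The pattern quoted in the post; case-insensitive matching is an assumption.
PHRASE_RE = re.compile(
    r"(check|visit|check out) (the|some) "
    r"(sites|pages|relevant pages|helpful info|information) "
    r"(in the field of|dedicated to|about)",
    re.IGNORECASE,
)
LINK_RE = re.compile(r"https?://|<a\s", re.IGNORECASE)


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str             # "trackback" or "comment"
    field: str            # which submitted field the pattern is applied to
    pattern: re.Pattern


# Both rules are scoped to the excerpt of a trackback ping only.
RULES = [
    Rule("generated-sentence", "trackback", "excerpt", PHRASE_RE),
    Rule("link-in-excerpt", "trackback", "excerpt", LINK_RE),
]

# Constructed samples using the TrackBack ping fields (url, title, excerpt, blog_name).
SPAM_PING = {
    "url": "http://pills.example.invalid/", "title": "pills", "blog_name": "pills",
    "excerpt": 'You may find it interesting to check out some helpful info about '
               '<a href="http://pills.example.invalid/">pills</a>',
}
LEGIT_PING = {
    "url": "http://reader.example.invalid/2005/06/regex.html", "title": "Regex filters",
    "blog_name": "A reader", "excerpt": "I tried the same regex approach on my own blog.",
}
COMMENT = {"text": "For more, check out some pages about lighthouses at "
                   "http://lights.example.invalid/"}


def check_feedback(kind, fields):
    """Return (http_status, matched_rule_names); 403 when any scoped rule matches."""
    hits = [r.name for r in RULES
            if r.kind == kind and r.pattern.search(fields.get(r.field, ""))]
    return (403 if hits else 200), hits


if __name__ == "__main__":
    print(check_feedback("trackback", SPAM_PING))
    print(check_feedback("trackback", LEGIT_PING))
    print(check_feedback("comment", COMMENT))
```

A valid ping carries its link in the url field, so the excerpt-only link rule leaves it alone, and a comment that happens to contain the phrase is untouched because no rule is scoped to comments.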

May 4, 2005

An email I received today...

X-Originating-IP: [212.216.176.143] (vsmtp3alice.tin.it)
Date: Wed, 4 May 2005 04:37:08 +0200
From: "Cynthia Wood" <cynthia_wood1@*******.it>
Subject: From Cynthia Wood
Reply-to: cynthia123wood@*******.com

Lloyds TSB Group plc
25 Gresham Street
London EC2V 7HN

Attn........

I discovered a dormant account in my office, as Group finance director with Lloyds bank London. It will be in my interest to transfer this fund worth $20,000,000 million dollars in an account offshore. If you can be a collaborator to this please indicate interest immediately for us to proceed. Remember this is absolutely confidential. My husband does not know about this risk taking. My family will be in shambles if it burst out and i will also be in trouble aswell as loose my precious job. Your contact phone numbers and name will be necessary for this effect.

Regards and respect,

Cynthia Wood
Group Finance Director
Lloyds bank London

Dear Cynthia

Firstly, you should really talk to your web site people as, according to the Lloyds TSB site, Helen A. Weir is the Group Finance Director. Much as I am interested in your figure of 20 trillion dollars, I find it difficult to work out (a) why a British institution would have money in dollars instead of pounds, (b) why a British institution would have an account containing some 10 times the GDP of the United Kingdom, and (c) why the Group Finance Director would be emailing random people offering shady under-the-table deals, though I can see why you would therefore be emailing me from Italy.

Incidentally, you should learn how to properly write subjects for emails. "From Cynthia Wood" tells me nothing that the "From" line doesn't already.

Sorry I can't help, however I have this fellow in Nigeria who's trying to get rid of $10 million as well, so perhaps the two of you could get together in a mutually beneficial arrangement.

Love, Alden.

Posted at 9:20 PM | Comments (1)

April 14, 2005

Outing Spammers

I got bored, and looked up the domain information for some of the domains with which the one spammer keeps trying to bombard my site. It said the domains were registered to:

Phill, Jane (NIC-8754) contact61@support-4u.net
Jane Phill
142 W 44 Street
NYC
NY, US
10012
Phone: 2128523####

There's a number of problems with that information of course. For one thing, the phone number has too many digits (I've blanked the last 4 there). For another, the street address is for Osteria al Doge, a restaurant which I'm sure would be appalled that their address is being used to register domains.

Fortunately by googling "Jane Phill" I found Spam Huntress's blog, which has more info: the spammers in question are the Bulgarian twins Iavor and Emil Zahariev. It's nice to put a name to the people who want to pollute my site. :)

Posted at 10:20 PM | Comments (1) | TrackBack (1)

April 4, 2005

MT-Blacklist

I can't say enough good things about Jay Allen's MT-Blacklist. Using Brad Choate's MTSQL plugin and some code from the forums on Jay's site posted by TweezerMan, I've added the current count of blocked spams in the right-hand bar on my weblog's index page. It only updates when I post an entry, but at the moment I can see it's reading 3583 spams blocked. The number will rise once I post this entry, of course, because at the moment some plonker is attempting to trackback spam me and MT-Blacklist is blocking them all. Thanks to Jay's plugin, I'm spending less and less time cleaning up after spammers.

Someday I'm going to invent a plugin which interfaces with MT-Blacklist and, when it receives a spam, causes the spammer's computer to explode, then gives them 15,000 volts to the gonads. Then I shall become very rich with donations from grateful bloggers. Huzzah!

Posted at 10:26 PM | Comments (0)
