Blog Spam
Hate to do this, but comments are off. I've been getting blog spammed pretty heavily, and I don't have the time to purge the comments. Until the site is upgraded, comments will have to stay off.
Comments are off for a few days while I'm away.
In one of our little blog spam pest's visits to my blog, a new set of domains was tried. These were combinations of the target sites, prepended to domains like 8m [dot] com, 4t [dot] com, etc. I traced these to a division of Juno called Netsky. I sent their abuse line an e-mail describing what the owner of these domains was up to. I received this response in a short period of time:
Hello Rich,
Notice that these sites are not active sites, we caught this guy during signup.
Mega Web Services Customer Service
Bravo!
As mentioned in the comments to a previous post (http://dotnetjunkies.com/WebLog/richard.dudley/archive/2005/01/09/42948.aspx), Verio could use another nudge.
I was paid another visit by our pal, Thomas Reece. Today, he is using Verio as his host. All of his domains are registered with Moniker.com. Interestingly, the WHOIS record seems to have some inaccurate information in it, which is against their terms of service. If you've been blog spammed, pick one of the domains listed, check the WHOIS, and alert Moniker if there is inaccurate information in it. The WHOIS record from today is below. The contact phone number does not correspond to the address listed, and the registrant's address simply does not exist. Make sure to ping the URL, and alert the host du jour what that account is being used for.
One of the (munged) domains in the spam is: personal-loan [dot] ca [dot] fidelityfunding [dot] net
If you just visit fidelityfunding [dot] net, you get a 404. But if you ping personal-loan [dot] ca, that seems to be a live site. I'll bet anyone a nickel there's a redirect script hiding at fidelityfunding [dot] net.
All of the URLs in the spam have the same structure, and they all point back to the same IP at Verio, and all are registered by Moniker. And, it seems we're not the only ones harassed by Thomas Reece. More love here: http://thepete.com/index.php?p=1493
Checking server [whois.crsnic.net]
Checking server [whois.moniker.com]
Results:
Moniker.com Whois Server Version 2.0
The Data in Moniker.com's WHOIS database
is provided for information purposes only, and is
designed to assist persons in obtaining information
related to domain name registration records.
Moniker.com does not guarantee its accuracy.
By submitting a WHOIS query, you agree that you
will use this Data only for lawful purposes and
that, under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the
transmission of mass unsolicited, commercial
advertising or solicitations via e-mail (spam); or
(2) enable high volume, automated, electronic
processes that apply to Moniker.com (or its
systems). Moniker.com reserves the right
to modify these terms at any time. By submitting
this query, you agree to abide by this policy.
Domain Name: FIDELITYFUNDING.NET
Registrant:
Jane Phill
61 Street
NYC
NY
US
10048
Administrative Contact:
Reece, Thomas (NIC-21871) contact100@team-support-24x7.net
Thomas Reece
249 W 89 Street
NYC
NY, US
10024
Phone: 2128732251
Billing Contact:
Reece, Thomas (NIC-21871) contact100@team-support-24x7.net
Thomas Reece
249 W 89 Street
NYC
NY, US
10024
Phone: 2128732251
Technical Contact:
Reece, Thomas (NIC-21871) contact100@team-support-24x7.net
Thomas Reece
249 W 89 Street
NYC
NY, US
10024
Phone: 2128732251
Domain servers in listed order:
NS0.DNS-1995.NET
NS1.DNS-1995.NET
Record created on 1999-08-09 20:29:00.0
Database last updated on 2004-12-31 07:50:51.233
Domain Expires on 2006-08-09 20:29:00.0
www [dot] adminshop [dot] com
Product: Reffy (emphasis mine)
Reffy is a Windows-based mass referrer spammer, which means that it will make a connection to a buttload of sites of your choosing with any referrer URL and User-Agent that you specify. This accomplishes several things. Firstly, it generates webmaster traffic from webmasters checking their referral statistics. Secondly, it boosts your link popularity and thereby your Google PR, because a lot of sites have public referral stats with linked entries. Reffy operates on textfiles with URL-lists, and a textfile of 3047 active blog websites which you can use to start getting free traffic and PR right away is included!
I'm starting to see a lot of referrals to various blog posts from theloanmecca [dot] com/linkexchange/############. Following the link takes you to an empty page. Anyone know what's up with this?
It looks like at least one 'referral' for every post. A couple posts have 2, all starting around 6:50 pm today. Weird. No comments posted that I can trace back. Just weird.
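One way to spot this pattern in a web server log, as an added example that is not from the original post: flag any outside referrer host that gets credited on several different posts within a few minutes. The combined log format, the sample lines, the host names and the thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Combined log format: ip - - [time] "GET path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<ref>[^"]*)"')

def referrer_bursts(lines, own_host, min_paths=3, window=timedelta(minutes=10)):
    """Return {referrer host: distinct pages} for hosts that were credited
    as referrer on >= min_paths different pages inside one time window."""
    seen = defaultdict(list)                      # host -> [(time, path)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host = (urlsplit(m["ref"]).hostname or "").lower()
        if not host or host == own_host:          # "-" or internal navigation
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[host].append((ts, m["path"]))
    flagged = {}
    for host, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            paths = {p for t, p in hits[i:] if t - start <= window}
            if len(paths) >= min_paths:
                flagged[host] = len(paths)
                break
    return flagged

# Constructed sample log (placeholder hosts, addresses and date).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2005:18:50:02 +0000] "GET /archive/1.aspx HTTP/1.1" 200 5120 "http://linkfarm.example/linkexchange/111" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Jan/2005:18:50:03 +0000] "GET /archive/2.aspx HTTP/1.1" 200 4811 "http://linkfarm.example/linkexchange/222" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Jan/2005:18:50:05 +0000] "GET /archive/3.aspx HTTP/1.1" 200 6002 "http://linkfarm.example/linkexchange/333" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Jan/2005:18:51:40 +0000] "GET /archive/2.aspx HTTP/1.1" 200 4811 "http://search.example/?q=captcha" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2005:18:52:10 +0000] "GET /archive/3.aspx HTTP/1.1" 200 6002 "http://blog.example/archive/2.aspx" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(referrer_bursts(SAMPLE_LOG, own_host="blog.example"))
```

Hosts flagged this way are candidates for exclusion from any public referral list, since that list is what the tool's description says it is after.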
Our little blog spam pest (OLBSP) has been busy. OLBSP comes to us from the CHINANET Guangdong province network. Both IPs used in the last visits map to this ISP. Go figure...Chinese spam.
6/11/2004 9:47AM
Sender: ??
Url: www [dot] 18show [dot] cn
IP Address: 219.131.242.240
=====================================
re: Those (not so) random comments
Come on,give me answer,don't be foooool.
6/11/2004 9:48AM
Sender: ??
Url: www [dot] 18show [dot] cn
IP Address: 219.131.242.240
=====================================
re: Return of the Blog Spam Pest
I don't know why you said those foolish words
I be here read your article about .NET,Please don't scare...
6/11/2004 9:50AM
Sender: ??
Url: www [dot] 18show [dot] cn
IP Address: 219.131.242.240
=====================================
re: Return of the Blog Spam Pest
Your page rank is so low,why do you afraid?
6/11/2004 9:53AM
Sender: ??
Url: www [dot] 18show [dot] cn
IP Address: 219.131.242.240
=====================================
re: Return of the Blog Spam Pest
<edited attempt to cut and paste code>
6/12/2004 2:32AM
Sender: ??
Url: www [dot] 18show [dot] cn
IP Address: 218.13.193.105
=====================================
re: Another blog spam reducing suggestion
Your page rank is 0000000000000,OK??Ridiculous bloggggger,please spend more your time on your significative work!
6/12/2004 2:33AM
Sender: ??
Url: www [dot] 18show [dot] cn
IP Address: 218.13.193.105
=====================================
re: Another blog spam reducing suggestion
Why do u delete my comment?
Cann't I post comment in your blog?
6/12/2004 2:26AM
Sender: ??
Url: www [dot] 18show [dot] cn
IP Address: 218.13.193.105
=====================================
re: Return of the Blog Spam Pest
Ridiculous Richard Dudley
This came to me after another visit from our little blog spam pest (LBSP). The main point of much of LBSP's efforts seems to be a link building campaign to boost SE rankings. Critical in this is the contents of the URL field. I think a good feature might be a URL blacklist table, where bloggers could report a comment on one of their own posts as spam, and have the URL added to the blacklist table.
Then, whenever a comment is posted to any blog, the URL is compared to the blacklist table. If they match, the comment is either not entered, or stashed in some reference table only admins can access (CYA). Additionally, the feature would also scan the subject or comments section for the offending URL and treat accordingly.
Combine this with some sort of CAPTCHA or human identification test, and it will make LBSPs work much harder to be the vermin they are.
Maintaining the blacklist table doesn't necessarily have to fall on the site admin's shoulders. Donny's busy enough. Maybe a dozen or so other bloggers would volunteer on a rotating basis to keep on top of the blacklist. I'm game.
It would also be nice if we could communicate the black list to Google, and they could drop the offending URLs from their index. That would make the whole exercise fruitless (but increase the importance of someone watching the black list).
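A sketch of the blacklist check proposed above, as an added example that is not code from the blog engine or the original post. It compares the URL field and any host found in the subject or body against the blacklist, and matches subdomains of a listed domain so that names prepended to one registered domain, as in the Verio/Moniker post, are caught too. The function names, the comment dictionary layout and the placeholder domains are assumptions.

```python
import re
from urllib.parse import urlsplit

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
# Host-like tokens in free text: optional scheme, then dotted labels.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def host_of(url):
    """Lower-cased host of the comment's URL field; scheme may be missing."""
    url = url.strip()
    if not SCHEME_RE.match(url):
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:          # malformed input such as "http://[abc"
        return ""

def is_blacklisted(host, blacklist):
    """True if host is a blacklisted domain or any subdomain of one.
    Compares whole labels, so notbadlender.example != badlender.example."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))

def screen_comment(comment, blacklist):
    """Check URL field, subject and body; return (decision, matched hosts)."""
    candidates = {host_of(comment.get("url", ""))}
    for field in ("subject", "body"):
        text = comment.get(field, "")
        candidates.update(h.lower() for h in HOST_RE.findall(text))
    hits = sorted(h for h in candidates if h and is_blacklisted(h, blacklist))
    # "quarantine" = hold in an admin-only table rather than silently drop.
    return ("quarantine" if hits else "accept"), hits

if __name__ == "__main__":
    # Constructed data: placeholder domains, not taken from the post.
    blacklist = {"badlender.example"}
    comments = [
        {"url": "www.badlender.example", "subject": "re: post", "body": "none"},
        {"url": "", "subject": "re: post",
         "body": "see http://Personal-Loan.CA.BadLender.example/apply"},
        {"url": "http://blog.example/", "subject": "nice", "body": "I like ASP.NET"},
    ]
    for c in comments:
        print(screen_comment(c, blacklist))
```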
Comment: re: Those (not so) random comments (via Richard Dudley)
Sender: ??
Url: www [dot] 18show [dot] cn
IP Address: 219.131.242.240
=====================================
re: Those (not so) random comments
What's wrong with u,men?
Oh look, two more posts by our little blog spam pest. The little twerp even put one on my CAPTCHA post! Characters in question marks are some sort of oriental character.
Sender: ??
Url: www [dot] 18show [dot] cn
IP Address: 218.13.194.11
=====================================
re: Those (not so) random comments
????
Sender: ??
Url: www [dot] 18show [dot] cn
IP Address: 218.13.194.11
=====================================
re: CAPTCHA Images for your website
it can use for avoiding robot registers
I've been getting some of those stupid little comments, like “intertesting” and “none”, to some of my posts. Only, I don't think these are so random. Some of the URLs point to sites selling things like HGH, etc. I think these random comments are part of a guerilla SEO campaign. Leaving dumb little comments on popular blog sites to try and fool the SEs into ranking the sites higher. Since .TEXT turns the Sender into a link, it's pretty clever (albeit slimy).
I say we start keeping track, using munged URLs. I'll start. Today's was from humangrowthhormone [dot] com, with the sender 'hgh'. The culprit comes to us by way of 66.235.202.61.
Pitch in, maybe we can track the buggers down.
<edit>
Talk about coming late to the party!
Spammers Clog Up The Blogs (Nov 6, 2003)
Summer Project: Destroy Blog Spam (Scott Watermasysk, May 22, 2004)
May I suggest a CAPTCHA image?
In the meantime, delete.
<edit>
Here's another one:
Sender= (two asian characters)
Message = doom and ID Software
IP = 61.145.232.36
URL = www [dot] 18show [dot] cn