All of the swarms of trackback spam seemed to last an hour give or take a few minutes, so it does look kind of like “rent-a-bot” activity, lots of different IP addresses, trackback spam sites seem to have a common theme – the last batch was insurance type sites…. a sampling of about three or four found that they were all cloaked redirects for the same site/page …. http://www.finance-portal-online.com/insurance.php ALL are registered with moniker.com and all the insurance related domains being spammed (that I checked) redirect to the finance-portal-online.com site above which is registered to a “Bill Bilton” whose email is given as bill at top-support.net ….
Interestingly… Rated-insurance.com, 1time-insurance.com, and Insurance-related.com which were some of the names used (with subdomains aplenty), had either support-4u.net or marketing-support.info email addresses as technical contacts… looking up THOSE domains led to support-2000.net, support-4u.net (from marketing-support.info) and finally support-2000.net had top-support.net emails as the contact information.
Top-support.net seems to be the “lowest common denominator” that all roads lead to… Curtis Joe curtis_joe at top-support.net
The address does not seem legit (at least running it through google), but… it does turn up other stories of the same type swarm..
And that’s just looking at one of the three trackback spam swarms over the last 24 hours. If I have time I may look into the casino spam if I still have some samples…. I forget what the first batch was now.
Just after I posted, I thought I’d better go ahead and look before the casino spam got pushed off the list and into oblivion….
So, it looks like the casino spam subdomains aren’t necessarily cloaked redirects, but slightly different look for each “doorway” subdomain. I just sampled two, so I don’t know about ALL of it… anyway… here’s one domain Secured-casino.com, that was registered with surprise – moniker what a small world. Anyway, the administrative/technical contacts list team-support-24x7.net (hmm… someone really likes -support- domains…) Well WHAT a coincidence…. team-support-24x7.net lists as its administrative contact an email address at support-2000.net now this is just too much…. Checking out casino-2u.com which is another of the spammed domains… lo and behold their contact emails are at support-2000.net as well. (Which if I recall has top-support.net for its contact information.) Seems like all roads lead to top-support.net Now their web site announces that it has been registered at moniker.com and is “coming soon”.
I just can’t wait to see what useful and interesting products and services they’ll have. Judging by this google search for top-support.net spam, I don’t think I’m the only one to have discovered their “services”.
While looking through the google results, I found a couple interesting “war against spam” posts. Also, there’s this outing spammers post which helps put a name to the Bulgarian twin spammers responsible. (You just can’t make this stuff up….) Iavor Zahariev and Todor Zahariev. Spamhuntress has some evasive techniques… apparently they’ve used open proxies. Here’s a page with LOTS of history on the duo…
And as I check the logs I see I’m in the midst of another swarm… They still seem to be on the insurance kick and spam filtering still seems to be working quite well. Here are a couple of log entries covering about a minute’s worth of the swarm…
22.214.171.124 - - [18/May/2006:09:57:47 -0600] "POST /2005/07/25/daylight-savings-changes-in-the-works/trackback HTTP/1.1" 200 90 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.5.0RC1)"
126.96.36.199 - - [18/May/2006:09:58:32 -0600] "POST /2005/08/22/the-passing-of-dr-bob-moog/trackback HTTP/1.0" 200 78 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)"
188.8.131.52 - - [18/May/2006:09:58:53 -0600] "POST /2005/08/24/more-on-wireless-networking-security/trackback HTTP/1.0" 200 78 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
184.108.40.206 - - [18/May/2006:09:58:54 -0600] "POST /2005/07/25/trademark-issue-over-microsoft-vista/trackback HTTP/1.1" 200 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)"
220.127.116.11 - - [18/May/2006:09:58:54 -0600] "POST /2005/08/15/dhsus-certnist-launches-nvd/trackback HTTP/1.0" 200 79 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iRider 2.21.1108; FDM)"
A sampling of IP addresses brings us to (from bottom to top) Pakistan, Kuala Lumpur, Thailand, and another Thailand entry…. interesting, a Southeast Asian sampling this time. The last sampling of IPs I took were mostly US/European entries, with one Asian country of origin that I don’t recall. One IP couldn’t be traced at samspade.org and I really am not energetic enough to follow.
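An added example, not part of the original post: a small Python detector that groups trackback POSTs from an Apache combined-format log into bursts and flags the bursts spread across many distinct IP addresses, which is the swarm pattern described above. The quiet-gap, hit-count and IP-ratio thresholds are assumptions, and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format, as in the excerpt above.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                     r'(?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def trackback_posts(lines):
    """Yield (time, ip, path, user_agent) for each POST to a .../trackback URL."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path.endswith("/trackback"):
            yield (datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                   m["ip"], path, m["ua"])

def find_swarms(lines, gap=timedelta(minutes=10), min_hits=5, min_ip_ratio=0.8):
    """Split trackback POSTs into bursts separated by more than `gap` of quiet,
    and report bursts whose hits come from many distinct IPs (thresholds assumed)."""
    bursts = []
    for ev in sorted(trackback_posts(lines)):
        if bursts and ev[0] - bursts[-1][-1][0] <= gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    swarms = []
    for b in bursts:
        ips = {ip for _, ip, _, _ in b}
        if len(b) >= min_hits and len(ips) / len(b) >= min_ip_ratio:
            swarms.append({"start": b[0][0], "duration": b[-1][0] - b[0][0],
                           "hits": len(b), "distinct_ips": len(ips),
                           "distinct_agents": len({ua for *_, ua in b})})
    return swarms

# Constructed sample lines (documentation IP ranges), not the page's own log data.
def _line(ip, hms, method, path, ua):
    return (f'{ip} - - [18/May/2006:{hms} -0600] "{method} {path} HTTP/1.0" '
            f'200 78 "-" "Mozilla/4.0 (compatible; {ua})"')

SAMPLE = [_line("198.51.100.7", "03:10:00", "POST", "/2005/a/trackback", "MSIE 6.0")]
SAMPLE += [_line(f"203.0.113.{i}", f"09:5{i}:10", "POST",
                 f"/2005/post-{i}/trackback", f"MSIE {i}.0") for i in range(1, 7)]
SAMPLE.append(_line("192.0.2.9", "09:55:00", "GET", "/2005/post-1/", "MSIE 6.0"))

if __name__ == "__main__":
    for s in find_swarms(SAMPLE):
        print(s)
```

The lone early-morning trackback and the GET request are ignored; only the six-hit burst from six different addresses is reported.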
Well…. have fun storming the castle and all…. I’m moving on to other topics.
Can’t help coming back again – this has been a longer sustained storm – “the 2PM eastern hour today brought to you by phentermine….” it seems that http://phenterminehclhere.blogspot.com/ is really heavily promoting in the trackback spam right now. They’re the last 98 or so entries in akismet’s filter and picked up right where the insurance sites left off.
Looks like I may have tagged the wrong spammers… Zahariev spam not done by Zahariev – interesting twist and it will be interesting to see what further info may come out.
BTW, I’m now up to something like 1200 on this site and another 100 or so on another two domains. Akismet has acted like a champ with just 1% getting through. I wish there were a way to tag a trackback as spam and report to akismet. I don’t see a way to do that (without moderating ALL trackbacks… which I may have to look into if this keeps up.) This storm seems to have subsided, the last 10 minutes being quiet – about 3 hours and a few minutes (15 minutes at the most). The fact that it’s relatively closely timed to last x hours makes it look quite bot-ish.
If you’re having trouble with trackback spam, I’d highly suggest akismet, it’s free and the API key to use it is free as well. I signed up for a site at wordpress.com and have put maybe 1 post there. At some point in time, if I ever make more than $500 a month from my sites, I’ll be glad to pay them for the service. It’s acted like a true champion…. 1% of the trackback spam has slipped through and I suspect if I can find a way to slip the trackbacks into the moderation queue I should be able to tag that pretty easily.