All of the swarms of trackback spam seemed to last an hour, give or take a few minutes, so it does look kind of like “rent-a-bot” activity: lots of different IP addresses, and the trackback spam sites seem to have a common theme – the last batch was insurance type sites…. A sampling of about three or four found that they were all cloaked redirects for the same site/page …. http://www.finance-portal-online.com/insurance.php. ALL are registered with moniker.com, and all the insurance related domains being spammed (that I checked) redirect to the finance-portal-online.com site above, which is registered to a “Bill Bilton” whose email is given as bill at top-support.net ….
Interestingly… Rated-insurance.com, 1time-insurance.com, and Insurance-related.com, which were some of the names used (with subdomains aplenty), had either support-4u.net or marketing-support.info email addresses as technical contacts… looking up THOSE domains led to support-2000.net, support-4u.net (from marketing-support.info) and finally support-2000.net had top-support.net emails as the contact information.
Top-support.net seems to be the “lowest common denominator” that all roads lead to… Curtis Joe curtis_joe at top-support.net
The address does not seem legit (at least running it through google), but… it does turn up other stories of the same type swarm..
And that’s just looking at one of the three trackback spam swarms over the last 24 hours. If I have time I may look into the casino spam if I still have some samples…. I forget what the first batch was now.
Just after I posted, I thought I’d better go ahead and look before the casino spam got pushed off the list and into oblivion….
So, it looks like the casino spam subdomains aren’t necessarily cloaked redirects, but have a slightly different look for each “doorway” subdomain. I just sampled two, so I don’t know about ALL of it… anyway… here’s one domain, Secured-casino.com, that was registered with, surprise – moniker, what a small world. Anyway, the administrative/technical contacts list team-support-24x7.net (hmm… someone really likes -support- domains…) Well WHAT a coincidence…. team-support-24x7.net lists as its administrative contact an email address at support-2000.net, now this is just too much…. Checking out casino-2u.com, which is another of the spammed domains… lo and behold, their contact emails are at support-2000.net as well. (Which, if I recall, has top-support.net for its contact information.) Seems like all roads lead to top-support.net. Now their web site announces that it has been registered at moniker.com and is “coming soon”.
I just can’t wait to see what useful and interesting products and services they’ll have. Judging by this google search for top-support.net spam, I don’t think I’m the only one to have discovered their “services”.
While looking through the google results, I found a couple of interesting “war against spam” posts. Also, there’s this outing spammers post which helps put a name to the Bulgarian twin spammers responsible. (You just can’t make this stuff up….) Iavor Zahariev and Todor Zahariev. Spamhuntress has some evasive techniques… apparently they’ve used open proxies. Here’s a page with LOTS of history on the duo…
And as I check the logs I see I’m in the midst of another swarm… They still seem to be on the insurance kick and spam filtering still seems to be working quite well. Here are a couple of log entries covering about a minute’s worth of the swarm…
184.108.40.206 - - [18/May/2006:09:57:47 -0600] "POST /2005/07/25/daylight-savings-changes-in-the-works/trackback HTTP/1.1" 200 90 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.5.0RC1)"
220.127.116.11 - - [18/May/2006:09:58:32 -0600] "POST /2005/08/22/the-passing-of-dr-bob-moog/trackback HTTP/1.0" 200 78 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)"
18.104.22.168 - - [18/May/2006:09:58:53 -0600] "POST /2005/08/24/more-on-wireless-networking-security/trackback HTTP/1.0" 200 78 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
22.214.171.124 - - [18/May/2006:09:58:54 -0600] "POST /2005/07/25/trademark-issue-over-microsoft-vista/trackback HTTP/1.1" 200 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)"
126.96.36.199 - - [18/May/2006:09:58:54 -0600] "POST /2005/08/15/dhsus-certnist-launches-nvd/trackback HTTP/1.0" 200 79 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iRider 2.21.1108; FDM)"
A sampling of IP addresses brings us to (from bottom to top) Pakistan, Kuala Lumpur, Thailand, and another Thailand entry…. interesting, a Southeast Asian sampling this time. The last sampling of IPs I took were mostly US/European entries, with one Asian country of origin that I don’t recall. One IP couldn’t be traced at samspade.org and I really am not energetic enough to follow.
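The log excerpt above shows the swarm's signature: trackback POSTs arriving from many unrelated addresses within about a minute. As an added example (not part of the original post), this Python script groups trackback POSTs from an access log into bursts and reports the ones that came from several distinct IPs; the sample lines, the thresholds and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format; only the fields used below are captured.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} \S+')

def trackback_posts(lines):
    """Yield (time, ip, path) for each POST to a .../trackback URL."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a POST
        if m["path"].rstrip("/").endswith("/trackback"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"], m["path"]

def find_swarms(lines, max_gap=timedelta(minutes=5), min_ips=4):
    """Report bursts of trackback POSTs (gaps <= max_gap) from >= min_ips addresses."""
    bursts, current = [], []
    for event in sorted(trackback_posts(lines)):
        if current and event[0] - current[-1][0] > max_gap:
            bursts.append(current)  # quiet period: close the previous burst
            current = []
        current.append(event)
    if current:
        bursts.append(current)
    report = []
    for burst in bursts:
        ips = {ip for _, ip, _ in burst}
        if len(ips) >= min_ips:  # a lone legitimate trackback never reaches this
            report.append({"start": burst[0][0], "end": burst[-1][0],
                           "posts": len(burst), "distinct_ips": len(ips)})
    return report

# Constructed sample lines (documentation-range addresses, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [18/May/2006:08:00:00 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/May/2006:08:15:12 -0600] "POST /2005/07/01/post-a/trackback HTTP/1.1" 200 90 "-" "WordPress/2.0"
203.0.113.5 - - [18/May/2006:09:57:47 -0600] "POST /2005/07/01/post-a/trackback HTTP/1.1" 200 90 "-" "Mozilla/4.0"
198.51.100.23 - - [18/May/2006:09:58:32 -0600] "POST /2005/08/02/post-b/trackback HTTP/1.0" 200 78 "-" "Mozilla/4.0"
192.0.2.77 - - [18/May/2006:09:58:53 -0600] "POST /2005/08/03/post-c/trackback/ HTTP/1.0" 200 78 "-" "Mozilla/4.0"
203.0.113.140 - - [18/May/2006:09:58:54 -0600] "POST /2005/07/04/post-d/trackback HTTP/1.1" 200 91 "-" "Mozilla/4.0"
198.51.100.200 - - [18/May/2006:09:58:54 -0600] "POST /2005/08/05/post-e/trackback HTTP/1.0" 200 79 "-" "Mozilla/4.0"
203.0.113.5 - - [18/May/2006:09:59:10 -0600] "POST /2005/08/02/post-b/trackback HTTP/1.1" 200 90 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    for s in find_swarms(SAMPLE_LOG):
        print(s["start"], "->", s["end"], s["posts"], "posts from", s["distinct_ips"], "IPs")
```

Run over a full day's log, the start and end of each reported burst give the swarm durations directly, which is what makes the fixed-length, bot-like pattern visible.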
Well…. have fun storming the castle and all…. I’m moving on to other topics.
Can’t help coming back again – this has been a longer sustained storm – “the 2PM eastern hour today brought to you by phentermine….” it seems that http://phenterminehclhere.blogspot.com/ is really heavily promoting in the trackback spam right now. They’re the last 98 or so entries in akismet’s filter and picked up right where the insurance sites left off.
Looks like I may have tagged the wrong spammers… Zahariev spam not done by Zahariev – interesting twist and it will be interesting to see what further info may come out.
BTW, I’m now up to something like 1200 on this site and another 100 or so on another two domains. Akismet has acted like a champ with just 1% getting through. I wish there were a way to tag a trackback as spam and report to akismet. I don’t see a way to do that (without moderating ALL trackbacks… which I may have to look into if this keeps up.) This storm seems to have subsided, the last 10 minutes being quiet – about 3 hours and a few minutes (15 minutes at the most). The fact that it’s relatively closely timed to last x hours makes it look quite bot-ish.
If you’re having trouble with trackback spam, I’d highly suggest akismet, it’s free and the API key to use it is free as well. I signed up for a site at wordpress.com and have put maybe 1 post there. At some point in time, if I ever make more than $500 a month from my sites, I’ll be glad to pay them for the service. It’s acted like a true champion…. 1% of the trackback spam has slipped through and I suspect if I can find a way to slip the trackbacks into the moderation queue I should be able to tag that pretty easily.