Another trackback spam storm overnight….

All of the the swarms of trackback spam seemed to last an hour give or take a few minutes, so it does look kind of like “rent-a-bot” activity, lots of different IP addresses, trackback spam sites seem to have a common theme – the last batch was insurance type sites…. a sampling of about three or four found that they were all cloaked redirects for the same site/page …. ALL are registered with and all the insurance related domains being spammed (that I checked) redirect to the site above which is registered to a “Bill Bilton” whose email is given as bill at ….

Interestingly…,, and
which were some of the names used (with subdomains a plenty), had either or email addresses as tecnical contacts… looking up THOSE domains led to, (from and finally had emails as the contact information. seems to be the “lowest common denominator” that all roads lead to… Curtis Joe curtis_joe at
Mancill Rd
Phone: +1.8993488105

The address does not seem legit (at least running it through google), but… it does turn up other stories of the same type swarm..

And that’s just looking at one of the three trackback spam swarms over the last 24 hours. If I have time I may look into the casino spam if I still have some samples…. I forget what the first batch was now.


Just after I posted, I thought I’d better go ahead and look before the casino spam got pushed off the list and into oblivion….

So, it looks like the casino spam subdomains aren’t necessarily cloaked redirects, but slightly different look for each “doorway” subdomain. I just sampled two, so I don’t know about ALL of it… anyway… here’s one domain, that was registered with surprise – moniker what a small world. Anyway, the administrative/technical contacts list team-support-24× (hmm… someone really likes -support- domains…) Well WHAT a coincidence…. team-support-24× lists as it’s administrative contact and email address at now this is just too much…. Checking out which is another of the spammed domains… low and behold their contact emails are at as well. (Which if I recall has for it’s contact information.) Seems like all roads lead to Now their web site announces that it has been registered at and is “coming soon”.

I just can’t wait to see wait useful and interesting products and services they’ll have. Judging by this google search for spam, I don’t think I’m the only one to have discovered their “services”.

While looking through the google results, I found a couple interesting “war against spam posts. Also, there’s this outing spammers post which helps put a name to the bulgarian twin spammers responsible. (You just can’t make this stuff up….) Iavor Zahariev and and Todor Zahariev. Spamhuntress has some evasive techniques… apparently they’ve used open proxies. Here’s a page with LOTS of history on the duo…

And as I check the logs I see I’m in the midst of another swarm… They still seem to be on the insurance kick and spam filtering still seems to be working quite well. Here are a couple of log entries covering about a minutes worth of the swarm… - - [18/May/2006:09:57:47 -0600] "POST /2005/07/25/daylight-savings-changes-in-the-works/trackback HTTP/1.1" 200 90 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.5.0RC1)" - - [18/May/2006:09:58:32 -0600] "POST /2005/08/22/the-passing-of-dr-bob-moog/trackback HTTP/1.0" 200 78 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)" - - [18/May/2006:09:58:53 -0600] "POST /2005/08/24/more-on-wireless-networking-security/trackback HTTP/1.0" 200 78 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)" - - [18/May/2006:09:58:54 -0600] "POST /2005/07/25/trademark-issue-over-microsoft-vista/trackback HTTP/1.1" 200 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)" - - [18/May/2006:09:58:54 -0600] "POST /2005/08/15/dhsus-certnist-launches-nvd/trackback HTTP/1.0" 200 79 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iRider 2.21.1108; FDM)"

A sampling of IP addresses brings us to (from bottom to top) Pakistan, Kuala Lumpur, Thailand, and another Thailand entry…. interesting a southeast asian sampling this time. The last sampling of IP’s I took were mostly US/European/ entries, with one Asian country of origin that I don’t recall. One ip couldn’t be traced at and I really am not energetic enough to follow.

Well…. have fun storming the castle and all…. I’m moving on to other topics.

Can’t help coming back again – this has been a longer sustained storm – “the 2PM eastern hour today brought to you by phentermine….” it seems that is really heavily promoting in the trackback spam right now. They’re the last 98 or so entries in akismet’s filter and picked up right where the insurance sites left off.

Looks like I may have tagged the wrong spammers… Zahariev spam not done by Zahariev – interesting twist and it will be interesting to see what further info may come out.

BTW, I’m now up to something like 1200 on this site and another 100 or so on another two domains. Akismet has acted like a champ with just 1% getting through. I wish there were a way to tag a trackback as spam and report to akismet. I don’t see a way to do that (without moderating ALL trackbacks… which I may have to look into if this keeps up.) This storm seems to have subsided, the last 10 minutes being quiet – about 3 hours and a few minutes *(15 minutes at the most). The fact that’s it’s relatively closely time to last x hours makes it look quite bot-ish.

If you’re having trouble with trackback spam, I’d highly suggest akismet, it’s free and the API key to use it is free as well. I signed up for a site at and have put maybe 1 post there. At some point in time, if I ever make more than $500 a month from my sites, I’ll be glad to pay them for the service. It’s acted like a true champion…. 1% of the trackback spam has slipped through and I suspect if I can find a way to slip the trackbacks into the moderation queue I should be able to tag that pretty easily.

   Send article as PDF   

Similar Posts