Archive for January, 2005
I bought a sofa cushion at Ikea. Put it in the trunk of my car, then took it home. I left it in the entry for a few hours, and the cat came to investigate.
And promptly went nuts.
I don’t know what was in that cushion, but he behaved almost like it had been sprayed with catnip.
So, what was in that thing?
Just a little update on the spammers.
M0nkey just got himself a new site to sell his little referrer spammer tool, Reffy. Not hard to guess the URL: reffy dot net. The domain is hosted on the hosting service frogee.com. Their reputation regarding spam could go either way. I’m thinking it’s worth complaining to them. S-PAN, you’ll need to e-mail service at frogee dot com. He didn’t spam my log, so I can’t send it - yet. Here’s the Frogee TOS
Since I last talked about them, I’ve found one of their hangouts.
They used to have a site called adultgods, where they sold spam software. But because they advertised the site URL in the user agent field, GoDaddy took their domain away from them (and somebody else owns it now). Since then they’ve changed registrar, and tell others that you’ll be able to keep your domain (I get the feeling no matter what you do) if you’re with the right registrar. I guess that should be put to the test soon, eh? At the time, the team consisted of Odin and Weigan. Weigan now usually goes by M0nkey. Even as early as October 29, there were links to adminshop and xopy, though. Xopy had the link text: Nationalist Network. Sounds faintly nazi…
(UPDATE: I’ve been thinking about Weigan. I think it’s a misspelling of Norwegian. A sort of joke)
Odin says he’s not really involved in the referrer spamming side of the business. That sounds about right, since it’s M0nkey that keeps doing that (NextGentel IP numbers), but Odin is often defending him in public.
They’re into the adult website business, although I think I’ve seen Odin claim he’s not. Or rather, a weak denial - that he doesn’t own any. I don’t believe him, though.
UPDATE: See the post below about blocking spammers. I’m wondering if Cindy’s block works against this software? From what she’s telling me, that’s a possibility. For those of you that are plagued, you could try it out?
UPDATE: I checked the law in Norway, and the way I read it, M0nkey, who is a Norwegian citizen, is in breach of the law. He’s not allowed to send ANY kind of electronic advertisements to any physical person, except those he’s already in a business relationship with (ie his customers). In Norwegian law, that includes companies. M0nkey, I’m putting you on notice - I’m Norwegian, and you’ve been spamming me. You’re in breach of Norwegian law!
One of the machines in your IP space is being abused by a spammer:
(IP address here)
This spammer generally uses open proxies to bounce his spamming off
on. Which means this machine should be secured. If you check the
logs, you may find other types of fraud, spamming and misuse.
Check Google for other instances of misuse of this machine. Just
search for the IP number.
Here’s a fragment from my log:
(as many accesses as I have from that IP number in my log here. Real logs, not Latest Visitors. Sometimes sysadmins get confused over those)
And the site they tried to spam (I have them blocked from comment
On my site, the blog spam generally comes in two flavors:
1) Referrer spam. Normally, when someone links to me and someone clicks on that link, a reference to the linking site appears in my logs. But when a spammer uses a script to fake that, it’s spam and unethical.
2) Comment spam. When a spammer uses a script to leave comments laden with links to spammy sites in thousands of comments on blogs. Mimics the behavior of bloggers when they discuss things with each other, but is spam and unethical.
BTW, I’d love a zipped up version of the logs from your server, with the legitimate traffic stripped out (e.g. with grep -v). I analyze these logs whenever I come across them, to learn more about the kinds of abuse happening on these servers. Extended logs are more useful than simple ones (including referrer).
If you can think of any way to improve it, please let me know.
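The three things the report template above asks an admin to do (pull every line for the abusive IP out of the raw access log, tell referrer spam from comment spam, and strip the legitimate traffic before zipping the log up) can be done with a short script over the Apache "combined" log format. What follows is an added example, not code from the original post: the log lines and the IP numbers in it are constructed samples, the comment-script path is an assumption to adjust for your own blog engine, and the only referrer domains on the blocklist are the ones named on this page.

```python
"""Summarise abuse from one IP in an Apache 'combined' access log.

Added example (not code from the original post). Log lines, IP numbers and
the comment-script path below are constructed/assumed; the blocklist holds
the referrer domains named on the page.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Apache 'combined' LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Domains whose appearance in the Referer field is spam on this site
# (names taken from the post; extend the set for your own logs).
BLOCKED_REFERER_DOMAINS = {"xopy.com", "adminshop.com", "reffy.net"}

# Path of the comment-posting script (assumption; adjust for your blog engine).
COMMENT_SCRIPT = "/mt-comments.cgi"

# Constructed sample log (documentation-range IPs, not real spammers).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2005:04:45:58 -0600] "GET / HTTP/1.0" 200 5123 "http://www.xopy.com/" "Mozilla/4.0 (compatible; MSIE 6.0; AmigaOS)"
203.0.113.7 - - [25/Jan/2005:04:46:01 -0600] "GET /archives/2005/01/ HTTP/1.0" 200 8812 "http://adminshop.com/" "Mozilla/4.0 (compatible; MSIE 6.0; AmigaOS)"
203.0.113.7 - - [25/Jan/2005:04:46:05 -0600] "POST /mt-comments.cgi HTTP/1.0" 200 412 "http://example.org/blog/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
198.51.100.20 - - [25/Jan/2005:05:10:11 -0600] "GET /archives/2005/01/ HTTP/1.1" 200 8812 "http://friend.example/links.html" "Opera/7.54 (Windows NT 5.1; U)"
203.0.113.7 - - [25/Jan/2005:04:47:00 -0600] "GET /about/ HTTP/1.0" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; AmigaOS)"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Host part of a Referer URL with a leading 'www.' dropped ('' if none or '-')."""
    if not referer or referer == "-":
        return ""
    host = urlparse(referer).hostname or ""
    return host[4:] if host.startswith("www.") else host


def classify(hit):
    """Return 'referrer-spam', 'comment-spam' or 'ok' for one parsed hit."""
    if referer_host(hit["referer"]) in BLOCKED_REFERER_DOMAINS:
        return "referrer-spam"
    method, _, rest = hit["request"].partition(" ")
    path = rest.split(" ")[0]
    if method == "POST" and path.startswith(COMMENT_SCRIPT):
        return "comment-spam"
    return "ok"


def hits_from(lines, ip):
    """Every parsed line from one IP, in log order (the 'grep <ip>' step)."""
    return [h for h in map(parse_line, lines) if h and h["ip"] == ip]


def summarize(lines, ip):
    """Counts a sysadmin can paste into an abuse report for one IP."""
    hits = hits_from(lines, ip)
    kinds = Counter(classify(h) for h in hits)
    spam_referers = Counter(
        referer_host(h["referer"]) for h in hits if classify(h) == "referrer-spam"
    )
    return {
        "hits": len(hits),
        "kinds": kinds,
        "referers": spam_referers,
        "user_agents": Counter(h["ua"] for h in hits),
    }


def abusive_only(lines):
    """The 'grep -v' step: keep only raw lines classified as spam, drop the rest."""
    return [line for line in lines
            if (h := parse_line(line)) and classify(h) != "ok"]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "203.0.113.7")
    print(f"{report['hits']} hits: {dict(report['kinds'])}")
    print("spam referers:", dict(report["referers"]))
    print("user agents:", dict(report["user_agents"]))
    print("lines for the zipped-up log:")
    for line in abusive_only(SAMPLE_LOG):
        print(" ", line)
```

Run it against a real log with `summarize(open("access_log").read().splitlines(), ip)`; the hits that end up in `abusive_only` are the ones worth sending, and the user-agent counter shows at a glance whether one odd UA string is doing all the spamming.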
I did some checking way beyond the search engines on the person I believe is identical to Odin on Adminshop.
He’s born 1984. About 20 years, in other words. I wonder if his father knows about this?
Pretty depraved 20 year old, I’d say, considering he wrote an article about how to make money on porn sites. Do a google search for adminshop and Odin, and you shall find.
Oh, and I found an earlier version of the whois info for one of his domains on Rojisan
The phone number looks like a legitimate Norwegian cell phone number. And the rest of the address info still looks misleading but relevant to the guy I’ve been talking about.
SECOND UPDATE: Proof the guy speaks Norwegian. Here’s a post made by M0nkey
I find that M0nkey and Odin are appearing on the same forums at the same time. I don’t know if it’s one and the same using sock puppets, or if they are partners. M0nkey writes Norwegian. So far I haven’t seen Odin do that. I saw a link from a post by Odin going to a pornographic site. I killed it before it fully loaded. Don’t want an eyeful of that stuff.
Although M0nkey is definitely Norwegian, Odin does use Australian type language (mate, for instance). So it’s possible there are two guys here.
I’ve been talking to an admin for a small server. He says the server is from Apple, and that the head honcho at the local Apple store initially insisted their machine wasn’t hackable.
But that IP number was still spamming me as late as [25/Jan/2005:04:45:58 -0600]. And the local admin could see the activity as well. He’s been frantic to get it shut off.
Apple helped them shut off all services that weren’t immediately needed, but they don’t know yet if the server is secure.
Not knowing much about Apple, I couldn’t help him except by giving him tips on monitoring software - which should be in any admin’s tool kit. With that you can figure out what ports they’re hitting, and that way narrow down the list of services exploited.
So, guys, now we have a tentative confirmation: Apple machines have also been misused by spammers…
I talked to his ISP. They’d just resolved a complaint against him. I don’t know what they decided, because the abuse rep wouldn’t say.
He was very interested in hearing if there were any new instances of spamming.
So, any logs from today on showing Reffy activity that can be traced back to the so called “William Indre” or adminshop related domains, please let me know here.
I’m in Norway, which makes going after this one a whole lot easier…
Although I’m not on the hit list of this spammer, my other site is. In December I got a whopping number of hits!
85 xopy, 13 adminshop referrers, to be exact!
Managed Solutions Group is hosting adminshop. They’ve had complaints and have ignored them.
There’s a Norwegian spammer out and about, I’m ashamed to say (I’m Norwegian).
Let’s see. I’ve found three domains through Google:
adminshop dot com
acyon dot com
blogincome dot com
Thanks to Alfons, who gave me the IP number and UA:
Mozilla/4.0 (compatible; MSIE 6.0; AmigaOS)
The IP is from NextGentel, a popular Norwegian DSL provider. Fast, cheap lines. Wish I could get NG here, actually.
There have also been some accesses to my blog from this IP number. I can’t be sure if it’s the same person. But if it is, he’s also got a machine running Windows XP and the Opera browser. Looked at my blog yesterday, actually.
E-mail spamming is illegal in Norway. And a spam law will go into effect February 1. The previous law only protected private citizens, but the updated one also protects companies.
Anyway, the whois info is bogus:
William Indre (acyon at acyon dot com)
Bergen, ST 5244
The whois of some of the older domains are protected with whoisguard. That includes adminshop.
There’s no Austrevaagen 40 in Bergen
I’ll call the ISP tomorrow.
UPDATE: Well, well, looks like he wasn’t so hard to track down after all. This is what’s called misdirection. Those familiar with the area would have no trouble getting mail to the correct person, but foreigners wouldn’t have a chance at finding the right person.
Hmmm, plotting schemes.
This is why I couldn’t sleep….
More about the spammer.
What he’s peddling is Reffy, a little app to referrer spam websites. It’s got a whole lot of different UAs, so that weird Amiga UA I found was probably fake. Which probably means the other Amiga UA I found spamming the hentai domain earlier today was probably another user of Reffy. I guess you could say the occasional weird UA is a pretty reliable marker of Reffy.
I did some digging on the Bulgarian twin spammers.
They’ve been running a lighting shop since around 2000. An e-shop most of the time. By now they’ve shifted that part of the business over to another domain:
wins dot bg
But it used to be housed on the main site, which is now used for software sales. You can find contact info for the shop on the website. Just click on the English flag to understand what’s on there…
Their main site at one time stated they provided internet access as well as webdesign.
I rummaged through archive.org’s cache, and found a page last modified 18-Apr-2003. It contained one spammy link as well as the link to the lighting site and some others. Actually, the list is identical for the client page today, except for the spammy link - which has been removed.
That spammy domain was registered to:
But the admin e-mail address was for one-cialis. That domain is registered to Saban along with Peter Kovach. But that domain name is still linked to from the twins’ main site. On all pages as I surfed the site.
One of the sites that is in Bulgarian and still operational, balkanbg dot com, lists Yavor as the owner. It also lists a nameserver named: NEW dot TWINS dot BG. It pings 184.108.40.206 which is ds194-90.ipowerweb.com.
www dot twins hyphen bg dot com/pharmacy
drypills dot com/viagra dot html
Registered to Peter Kovach.
The pages are actually on different IP numbers, and they’re not 100% identical. But the fact still remains, there’s a spammy site on the twins’ domain.
I rest my case…
A few more examples for good measure:
A wiki spammed, now visible only in Google’s cache. partnersmanager is spammed along with the other trash here. That domain is also in plenty of blacklists published here and there.
I think I need to make another post with the short version and some keywords.
As best I can tell, the identity of the comment spammer is a set of twins in Bulgaria.
twins hyphen bg dot com
Last name Zahariev.
They have a Bulgarian and a US website for an affiliate network program, and I suspect they’re behind all comment spam perpetrated with a UA containing: NT 5.2 , and a few UA’s before that.
To recap, they’re behind the fake whois personas:
They’ve been at the comment spamming for a long time.
See one of the posts below for the whole story on how I figured out how the circumstantial evidence points to them.