Archive for January, 2005

Interview with a blog spammer and more

Monday, January 31st, 2005

The Register in the UK has managed to get an interview with a blog spammer who lives in London.

Notice how he seems to know the other 7-8 main linkspammers.

———-

And here’s a post from an admin who admits to having turned on proxying by accident. By now it’s turned off, in case anyone is getting ideas. But his earlier post before he figured it out was very funny in a train wreck sort of way.

And here’s his pal’s post about it, and some .htaccess rules that he didn’t explain properly.

———

And finally, an article explaining open proxies.

A new batch of proxies

Monday, January 31st, 2005

The Bulgarian spammer has fetched a new batch of proxies. Today I’m seeing many numbers I haven’t seen before. I guess I’ll have to assume my little awareness campaign has resulted in some closed ports…

Many of these proxies are from non-English speaking countries, or countries too far away for me to call them.

More on the Bulgarian spammers

Sunday, January 30th, 2005

I did some searches for Bulgarian spammers. I found some references to Bulgarians connecting from the Bulgarian Telecommunications Company and spamming people. My blog goes back a while, and I caught some accesses that I can verify are from our current spammers:

Sample:
213.91.217.78 - - [17/Sep/2004:12:30:49 -0500] "POST http://www.annelisabeth.com/blog/b2comments.post.php HTTP/1.1" 302 5 "http://www.google.com" "MSIE 5.0"

Second sample:
213.91.217.13 - - [17/Mar/2004:09:02:26 -0600] "GET http://www.annelisabeth.com/blog/b2pingbackspopup.php?p=9&pb=1 HTTP/1.1" 200 762 "http://www.google.com" "MSIE 5.0"

One of the domains spammed (in September) was
HOLD{dash}POK{dot}COM (it’s no longer in service, and registered through Gandi)

And here’s the whois info:

owner-address: John Grisham
owner-address: 9100 S. Dadeland Blvd. Ste. 1702
owner-address: 33176
owner-address: Miami
owner-address: Florida
owner-address: United States of America
owner-phone: +1.8888008457
owner-fax: +1.359888245149
owner-e-mail: yavor79@yahoo.com

It’s Ivor/Yavor Zahariev, alright. BTW, he’s online right now, if you want to talk:
http://profiles.yahoo.com/yavor79

Samples from December 2004:

213.91.217.78 - - [20/Dec/2004:01:48:56 -0600] "GET http://www.annelisabeth.com/blog/b2commentspopup.php?p=56&c=1 HTTP/1.1" 404 245 "http://www.google.com" "MSIE 5.0"

213.91.217.77 - - [17/Dec/2004:04:14:23 -0600] "POST /blog/b2comments.post.php HTTP/1.1" 404 219 "http://www.annelisabeth.com/blog/b2commentspopup.php?p=65&c=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
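As an added example (not the blog author's code), here is a small parser for combined-format log lines like the samples above that flags hits from the 213.91.217.0/24 netblock and comment POSTs arriving with a faked google.com referrer, then groups the raw lines per IP, the kind of extract the abuse notice further down this page asks for. The detection rules and the 198.51.100.7 lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Apache "combined" log format, as used by the samples quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the page's two December lines plus two made-up lines from
# a documentation address (198.51.100.7) standing in for an unrelated visitor.
SAMPLE_LOG = """\
213.91.217.78 - - [20/Dec/2004:01:48:56 -0600] "GET http://www.annelisabeth.com/blog/b2commentspopup.php?p=56&c=1 HTTP/1.1" 404 245 "http://www.google.com" "MSIE 5.0"
213.91.217.77 - - [17/Dec/2004:04:14:23 -0600] "POST /blog/b2comments.post.php HTTP/1.1" 404 219 "http://www.annelisabeth.com/blog/b2commentspopup.php?p=65&c=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [18/Dec/2004:10:00:00 -0600] "GET /blog/index.php HTTP/1.1" 200 5120 "http://example.org/links.html" "Mozilla/5.0"
198.51.100.7 - - [18/Dec/2004:10:00:05 -0600] "POST /blog/b2comments.post.php HTTP/1.1" 302 5 "http://www.google.com" "MSIE 5.0"
"""

SPAMMER_NETS = [ip_network("213.91.217.0/24")]  # prefix seen in the page's samples
COMMENT_SCRIPT = "b2comments.post.php"          # the b2 comment handler being hit

def parse_line(line):
    """Split one combined-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def reasons(entry):
    """Return the spam indicators that fire for one parsed entry (assumed rules)."""
    hits = []
    if any(ip_address(entry["ip"]) in net for net in SPAMMER_NETS):
        hits.append("known-spammer-netblock")
    # A comment POST claiming to come straight from google.com carries a faked
    # referrer: a real commenter arrives from the blog's own comment popup page.
    if (entry["method"] == "POST" and COMMENT_SCRIPT in entry["url"]
            and "google.com" in entry["referer"]):
        hits.append("comment-post-with-faked-referrer")
    return hits

def abuse_extract(log_text):
    """Group flagged raw lines by client IP, ready to paste into an abuse notice."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and reasons(entry):
            by_ip[entry["ip"]].append(line)
    return dict(by_ip)

if __name__ == "__main__":
    for ip, lines in abuse_extract(SAMPLE_LOG).items():
        print(f"{ip}: {len(lines)} suspicious request(s)")
```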

Here’s someone who tried to get them tossed off a while ago: The Media Drop

BTW, our spammer also has a Hollywood career. As gaffer on movies shot in Bulgaria. That could theoretically be another Yavor, but considering Emil Zahariev has that lighting business, I’d be surprised if it was. The chief gaffer is the one in charge of lighting. It’s a prestigious position, with responsibility for (at times) a large crew.

BTW, I checked their IP numbers, and they answer the same way:
Server: micro_httpd
WWW-Authenticate: Basic realm="DSL Router"

The software is: http://www.acme.com/software/micro_httpd/

213.91.216.36
213.91.217.77
213.91.217.78
This one didn’t answer other than ping:
213.91.217.77

I believe they’re still on Bulgarian Telecommunications Company Plc., which means the abuse e-mail address is:
abuse{at}btc{hyphen}net{dot}bg

More about the Bulgarians

What’s in cushions from Ikea?

Sunday, January 30th, 2005

I bought a sofa cushion at Ikea. Put it in the trunk of my car, then took it home. I left it in the entry for a few hours, and the cat came to investigate.

And promptly went nuts.

I don’t know what was in that cushion, but he behaved almost like it had been sprayed with catnip.

So, what was in that thing?

The Reffy spammers - update

Saturday, January 29th, 2005

Just a little update on the spammers.

M0nkey just got himself a new site to sell his little referrer spammer tool, Reffy. Not hard to guess the URL: reffy dot net. The domain is hosted on the hosting service frogee.com. Their reputation regarding spam could go either way. I’m thinking it’s worth complaining to them. S-PAN, you’ll need to e-mail service at frogee dot com. He didn’t spam my log, so I can’t send it - yet. Here’s the Frogee TOS

Since I last talked about them, I’ve found one of their hangouts.

They used to have a site called adultgods, where they sold spam software. But because they advertised the site URL in the user agent field, GoDaddy took their domain away from them (and somebody else owns it now). Since then they’ve changed registrar, and tell others that you’ll be able to keep your domain (I get the feeling no matter what you do) if you’re with the right registrar. I guess that should be put to the test soon, eh? At the time, the team consisted of Odin and Weigan. Weigan now usually goes by M0nkey. Even as early as October 29, there were links to adminshop and xopy, though. Xopy had the link text: Nationalist Network. Sounds faintly nazi…

(UPDATE: I’ve been thinking about Weigan. I think it’s a misspelling of Norwegian. A sort of joke)

Odin says he’s not really involved in the referrer spamming side of the business. That sounds about right, since it’s M0nkey that keeps doing that (NextGentel IP numbers), but Odin is often defending him in public.

They’re into the adult website business, although I think I’ve seen Odin claim he’s not. Or rather, a weak denial - that he doesn’t own any. I don’t believe him, though.

UPDATE: See the post below about blocking spammers. I’m wondering if Cindy’s block works against this software? From what she’s telling me, that’s a possibility. For those of you that are plagued, you could try it out?

More posts on the dynamic duo, also called “The Norwegian spammer”
Post 214
Post 216
Post 225

UPDATE: I checked the law in Norway, and the way I read it, M0nkey, who is a Norwegian citizen, is in breach of the law. He’s not allowed to send ANY kind of electronic advertisements to any physical person, except those he’s already in a business relationship with (ie his customers). In Norwegian law, that includes companies. M0nkey, I’m putting you on notice - I’m Norwegian, and you’ve been spamming me. You’re in breach of Norwegian law!

My sample e-mail to the abuse contact for open proxies

Friday, January 28th, 2005

First notice:

One of the machines in your IP space is being abused by a spammer:
(IP address here)

This spammer generally bounces his spamming off open proxies, which
means this machine should be secured. If you check the logs, you may
find other types of fraud, spamming and misuse.

Check Google for other instances of misuse of this machine. Just
search for the IP number.

Here’s a fragment from my log:

(as many accesses as I have from that IP number in my log here. Real logs, not Latest Visitors. Sometimes sys admins get confused over those)

And the site they tried to spam (I have them blocked from comment
spamming), is:
http://www.annelisabeth.com/

On my site, the blog spam generally comes in two flavors:
1) Referrer spam. Normally, when someone links to me and someone clicks on that link, a reference to the linking site appears in my logs. But when a spammer uses a script to fake that, it’s spam and unethical.
2) Comment spam. When a spammer uses a script to leave comments laden with links to spammy sites in thousands of comments on blogs. It mimics the behavior of bloggers when they discuss things with each other, but is spam and unethical.

BTW, I’d love a zipped up version of the logs from your server, with the legitimate traffic stripped out (grep -v). I analyze these logs whenever I come across them, to learn more about the kinds of abuse happening on these servers. Extended logs are more useful than simple ones (including referrer).

Regards
Ann Elisabeth

———-

If you can think of any way to improve it, please let me know.

A way to keep spammers out of your blog

Friday, January 28th, 2005

UPDATE: Turns out Cindy’s block is the one that works against the Bulgarians

———-

# Other block
# Reject (403 Forbidden) any request that arrived through the proxy software
# identified by this Via header; requests without that header pass through.
RewriteEngine On
RewriteCond %{HTTP:VIA} ^1\.1\ symantec\ web\ security\ (2\.01\.060)
RewriteRule .* - [L,F]

———–

The block below is for another spammer. Cindy hasn’t yet told me which one.

Cindy from Candygenious has figured out a way to block these spammers.

She captured some more data on them, and from that figured out how to block them.

Her solution is to block the particular proxy software they’re using.

See all about it on her blog.

Her solution is more elegant than mine, which has kept my blog spam free but my referrer logs full.

Remember that this will only stop spammers using that particular software. Other spammers will sail past the block.

Name and shame

Friday, January 28th, 2005

We’ve been talking about some sort of blacklist related to blog spamming before.

I propose that we center that list on the name and contact info of the companies instead of the IP numbers. In other words, a list not meant to be used as an automated blacklist. There are a few of those already.

But rather a list meant to attract the attention of companies, so that they will know their network isn’t ship shape.

And I propose one main list:
A list of networks with proxies on them. And those placed on that list must be notified first. If we don’t receive any acknowledgement, and the IP numbers keep spamming, they get placed on that list.

As for a list of hosts harboring spammers, that could be misused, so we may need to work on that a bit more.

What do you think?

Batelco proxy servers

Friday, January 28th, 2005

UPDATE:
After having struck out with all other addresses I tried, I did a search for the admins in the whois info. Hussain seemed the most recent contributor to online discussion lists, so I fired off an e-mail to him. Got a reply today. He’s closing down the proxying. YES!!!

Actually, the e-mail address I ended up using isn’t the one in the whois info. Search for Hussain Makhlooq and you’ll find the one he uses for lists.

——-

Please, can we somehow find someone in a country close to Bahrain to call the people responsible for running these misused open proxies?

Here’s the info:

193.188.105.17
193.188.105.16

I’ll delete duplicate or nonessential info. I believe the numbers outside some of the e-mail addresses are the dates they were added:

inetnum: 193.188.105.0 - 193.188.105.255
netname: AIT
descr: Alnadeem Inforamtion technology
notify: aamutawa at batelco dot com dot bh

descr: Bahrain Telcommunication Company
notify: batelco at batelco dot com dot bh
changed: hussain at batelco dot com dot bh 20040824

person: Moh’d Bubshait
address: P.O.box : 3294
address: Manama - Bahrain
phone: +973 215661
phone: +973 215660
fax-no: +973 213537
e-mail: alnadeem at batelco dot com dot bh

person: Hassan Haider

82.194.62.16
82.194.62.17

inetnum: 82.194.32.0 - 82.194.63.255
descr: Batelco
descr: PROVIDER
org-name: Batelco
org-type: LIR
address: PO Box 14,
address: Manama, Bahrain
phone: +973 883474
fax-no: +973 246221

person: Ali Almutawa
address: Batelco Telegraph House
address: Salmanya
address: PO Box 14 Manama
address: Bahrain
phone: +0973 883474
fax-no: +0973 246221
e-mail: aamutawa at batelco dot com dot bh
nic-hdl: AA935-RIPE
changed: hussain at batelco dot com dot bh 20040928

Probes going round now

Friday, January 28th, 2005

To those of you not using a firewall. Please reconsider.

Here are samples of probed ports in my firewall log TODAY:

4899 - Radmin remote administration worm
15118 - Botnet
139 - Netbios. File and Printer Sharing and windows messenger
135 - Netbios, messenger.
445 - Netbios, used for sharing, messenger
1025 - Worm
2745 - Bagle / Beagle / Tanx backdoor
1023 - Not sure of this one. It’s ordinarily related to a passive FTP connection. Could be scanning for a server.

IP numbers are from Taiwan, Saudi Arabia and the US.