Foiling the spammers

Yesterday I figured out a way to block my most prolific comment spammer. Hopefully he’ll wonder for a long time what I did. And no, I’m not going to say on here.

And today I got my first trackback spam. It’s one of my old comment spammers who got tired of the constant musical chairs of trying to keep up with me. Comments are moderated, trackbacks are not. Grrr!

So, I’ll be forced to come up with an answer to this too.

And no, I won’t tell how. Just that I hope the spammer goes away rather than trying to foil me. I will NOT give up!

Hehe, this is funny. I watch the trackback spammer going crazy in my log. Trying to get through… Won’t happen, my foe!

Be my guest, grab a few of the spammer’s IP numbers for your blocking pleasure:


66.30.122.247
24.155.107.102
67.23.106.13
24.17.35.216
68.108.173.158
24.59.54.128
24.193.23.58
201.249.28.91
24.211.92.232
67.160.57.221
24.17.35.216
81.82.58.95

I checked some of these. They look pretty normal, like regular dynamic ISP IP addresses. So take care, you may block regular users by blocking these…

More IP numbers:

81.82.58.95
24.17.35.216
69.164.157.126
24.90.184.92
68.229.246.43
24.13.185.46
62.163.180.196
68.36.59.234
24.151.214.31
68.174.137.192
24.30.107.215
24.151.214.31
80.216.83.206

24.13.185.46
80.57.212.220
68.59.144.215
24.17.35.216
68.39.66.137
68.194.120.218
68.102.11.144
68.36.59.234
67.22.46.193
24.21.134.146
83.144.120.137
24.13.185.46

He keeps coming. Sometimes four IP numbers almost the same second, then wait a few minutes for a new batch:

81.164.159.192
68.86.203.30
68.194.120.218
24.90.184.92
24.58.155.130
84.10.59.88
68.0.56.167
24.15.88.195
80.99.45.105
66.25.162.2

Someone who knows more than me said that all these IP numbers probably belong to virus-infected computers being used for spamming. Poor suckers! If you find your IP number here, check your computer!

More:
68.194.120.218
80.198.253.63
82.147.174.96
213.114.64.23
24.151.214.31

I followed one of the URLs that got through before I blocked access for the spammer. That URL led to a maze of stuff that eventually leads to porn affiliate programs. I traced one back to its parent site and did a modified Google search. I found a ripoff report filed by a former employee who talked about how the owner of the site founded it on spam. In other words, there’s no point in complaining to the mother site about the spammer. Bummer! On the other hand, this guy has apparently been charged under the anti-spam laws. Hmm, wonder how I can use that?

The domain name used to spam was allegedly registered by:

Alexander Morozov
Volgogradsky prospekt, 16
Moscow
null,126003
RU
Tel. +1.4156656387

More IPs:

24.218.130.155
68.15.109.5
24.155.107.102
24.17.35.216
24.19.197.127
24.90.111.15
69.200.118.96
68.44.106.218
68.102.11.144
24.13.185.46
68.36.59.234
67.180.216.132
62.57.162.104
24.151.214.31
68.42.252.95
67.160.57.221
24.17.35.216
67.160.36.45
69.240.247.33
81.164.159.192
69.240.247.33
68.59.144.215
68.91.90.45
68.229.246.43
24.48.54.60
67.23.106.13
24.132.133.183
24.231.241.160

Seems like this Alexander is pretty famous for blogspam. He’s pulled some pretty elaborate spam attempts in the past year.

158.75.215.41
24.107.152.203
69.113.79.161
81.82.58.95
69.244.178.34
68.194.120.218
24.61.61.48
81.172.34.117
24.90.111.15
69.244.178.34
69.240.247.33
24.19.197.127
68.229.246.43
82.147.174.96
81.164.159.192
69.113.79.161
24.13.185.46
24.193.23.58
66.30.122.247
24.251.45.133
68.97.7.118
69.200.118.96
68.194.120.218
69.180.136.105
62.163.180.196
68.46.87.143
80.198.253.63
68.96.119.231
68.85.175.142
68.34.238.76
24.250.102.125
81.164.159.192
24.23.115.36
68.229.246.43
24.30.120.71

I sorted all the numbers, and so far some of them have been used up to 4 times while others have not been reused yet. I’ll resolve them and post them soon, I think.
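For anyone who wants to do the same counting and burst-spotting from a web server log instead of by hand, here is a small script. It is an added example, not code from this blog or from Movable Type: it assumes an Apache "combined" access log, assumes the trackback script lives at a path containing mt-tb.cgi (the /cgi-bin/mt/ prefix is an assumption), and runs on a few constructed log lines using RFC 5737 documentation addresses rather than the IPs listed above. It does the two things described in the post: it tallies how many trackback POSTs each address sent, and it flags the "several IPs in almost the same second" bursts that a zombie batch produces. Because the addresses look like ordinary dynamic ISP ranges, the block-list helper only proposes repeat offenders, and the comment says why such blocks should not be permanent.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log layout (assumed; the blog does not say which server it runs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: four different addresses POST to the trackback script
# within one second (a zombie batch), then one of them comes back minutes later.
# Addresses are from the RFC 5737 documentation ranges, not the post's lists.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Dec/2004:10:15:01 +0100] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.1" 200 312
192.0.2.11 - - [02/Dec/2004:10:15:01 +0100] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.1" 200 312
198.51.100.7 - - [02/Dec/2004:10:15:01 +0100] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.1" 200 312
203.0.113.44 - - [02/Dec/2004:10:15:02 +0100] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.1" 200 312
198.51.100.200 - - [02/Dec/2004:10:15:30 +0100] "GET /archives/000123.html HTTP/1.1" 200 8123
192.0.2.10 - - [02/Dec/2004:10:19:45 +0100] "POST /cgi-bin/mt/mt-tb.cgi/12 HTTP/1.1" 200 312
192.0.2.10 - - [02/Dec/2004:10:24:03 +0100] "POST /cgi-bin/mt/mt-tb.cgi/13 HTTP/1.1" 200 312
"""


def parse_trackback_posts(log_text):
    """Return (timestamp, ip) for every POST aimed at mt-tb.cgi, in log order.

    Ordinary page views and anything that is not a POST are ignored, so the
    counts below describe trackback pings only.
    """
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if m.group("method") != "POST" or "mt-tb.cgi" not in m.group("path"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("ip")))
    return events


def count_by_ip(events):
    """How many trackback POSTs each address sent (the 'used up to 4 times' tally)."""
    return Counter(ip for _, ip in events)


def find_bursts(events, window_seconds=2, min_distinct_ips=3):
    """Find batches of distinct source IPs posting within a short window.

    Events are sorted by time; each burst is reported once as (start, [ips]),
    and the scan resumes after the burst so the same batch is not re-reported.
    """
    events = sorted(events)
    bursts = []
    i = 0
    while i < len(events):
        t0 = events[i][0]
        j = i
        ips = set()
        while j < len(events) and (events[j][0] - t0).total_seconds() <= window_seconds:
            ips.add(events[j][1])
            j += 1
        if len(ips) >= min_distinct_ips:
            bursts.append((t0, sorted(ips)))
            i = j
        else:
            i += 1
    return bursts


def blocklist_candidates(counts, min_hits=2):
    """Addresses worth blocking: only repeat offenders, sorted for stable output.

    These look like dynamic ISP addresses, so a blocked address may be handed to
    an innocent subscriber later; treat any block as temporary and revisit it.
    """
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    evts = parse_trackback_posts(SAMPLE_LOG)
    for ip, n in count_by_ip(evts).most_common():
        print(f"{ip:16s} {n} trackback POST(s)")
    for start, ips in find_bursts(evts):
        print(f"burst at {start:%H:%M:%S}: {len(ips)} distinct IPs -> {', '.join(ips)}")
    print("block candidates:", blocklist_candidates(count_by_ip(evts)))
```

Tune `window_seconds` and `min_distinct_ips` to your own log; the defaults match the "four IP numbers almost the same second" pattern described above, and a single address pinging several entries in a row is caught by the per-IP count rather than the burst detector.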

Here:

158.75.215.41
201-249-28-91.genericrev.cantv.net
c-174072d5.020-32-6f72651.cust.bredbandsbolaget.se
pcp04959379pcs.plmthm01.pa.comcast.net
c-24-13-185-46.client.comcast.net
c-24-13-185-46.client.comcast.net
c-24-13-185-46.client.comcast.net
c-24-13-185-46.client.comcast.net
c-24-13-185-46.client.comcast.net
h0050da1d31fd.ne.client2.attbi.com
ip68-96-119-231.lu.dl.cox.net
midsouth-24-151-214-31.westtn.chartertn.net
midsouth-24-151-214-31.westtn.chartertn.net
midsouth-24-151-214-31.westtn.chartertn.net
midsouth-24-151-214-31.westtn.chartertn.net
adsl-68-91-90-45.dsl.snantx.swbell.net
adsl-68-91-90-45.dsl.snantx.swbell.net
24.17.35.216
24.17.35.216
24.17.35.216
24.17.35.216
24.17.35.216
24.17.35.216
24.19.197.127
24.19.197.127
24-193-23-58.nyc.rr.com
24-193-23-58.nyc.rr.com
c-24-21-134-146.client.comcast.net
24.211.92.232
c-24-19-197-127.client.comcast.net
24.23.115.36
24.231.241.160.gha.mi.chartermi.net
c-24-17-35-216.client.comcast.net
ip68-0-56-167.no.no.cox.net
c-24-30-107-215.we.client2.attbi.com
c-24-30-120-71.we.client2.attbi.com
h0050da1d31fd.ne.client2.attbi.com
81-172-34-117.usuarios.retecal.es
syr-24-59-54-128.twcny.rr.com
24.61.61.48
24.90.111.15
24.90.111.15
24.90.184.92
24.90.184.92
syr-24-58-155-130.twcny.rr.com
syr-24-58-155-130.twcny.rr.com
h0050da1d31fd.ne.client2.attbi.com
ip24-250-102-125.dc.dc.cox.net
h0004accb8c93.ne.client2.attbi.com
h0004accb8c93.ne.client2.attbi.com
dhcp-174-96.cable.infonet.ee
c-67-160-57-221.client.comcast.net
c-67-160-57-221.client.comcast.net
d51523A5F.kabel.telenet.be
67.22.46.193
syr-24-59-54-128.twcny.rr.com
syr-24-59-54-128.twcny.rr.com
c-24-17-35-216.client.comcast.net
h0050da1d31fd.ne.client2.attbi.com
h0050da1d31fd.ne.client2.attbi.com
ip68-108-173-158.lv.lv.cox.net
68.15.109.5
c-24-15-88-195.client.comcast.net
24.107.152.203.charter-stl.com
24.107.152.203.charter-stl.com
24.107.152.203.charter-stl.com
24.107.152.203.charter-stl.com
24.107.152.203.charter-stl.com
ip68-229-246-43.ok.ok.cox.net
ip68-229-246-43.ok.ok.cox.net
ip68-229-246-43.ok.ok.cox.net
ip68-229-246-43.ok.ok.cox.net
c-24-30-120-71.we.client2.attbi.com
201-249-28-91.genericrev.cantv.net
201-249-28-91.genericrev.cantv.net
201-249-28-91.genericrev.cantv.net
ip68-97-7-118.ok.ok.cox.net
chello083144120137.chello.pl
h0010b5c2e36b.ne.client2.attbi.com
68.46.87.143
co-ratlsnk-67-23-106-13.clspco.adelphia.net
co-ratlsnk-67-23-106-13.clspco.adelphia.net
pcp04959379pcs.plmthm01.pa.comcast.net
pcp03994983pcs.milfrd01.pa.comcast.net
c-24-19-197-127.client.comcast.net
68.96.119.231
c-67-180-216-132.client.comcast.net
g212220.upc-g.chello.nl
g212220.upc-g.chello.nl
24.231.241.160.gha.mi.chartermi.net
c-24-17-35-216.client.comcast.net
69.200.118.96
69.200.118.96
pcp09038424pcs.waldlk01.mi.comcast.net
pcp09038424pcs.waldlk01.mi.comcast.net
pcp09038424pcs.waldlk01.mi.comcast.net
catv-50632d69.catv.broadband.hu
catv-50632d69.catv.broadband.hu
c-67-160-36-45.client.comcast.net
c-67-160-36-45.client.comcast.net
bgp982045bgs.stclar01.mi.comcast.net
g212220.upc-g.chello.nl
catv-50632d69.catv.broadband.hu
d51A49FC0.kabel.telenet.be
d51A49FC0.kabel.telenet.be
d51A49FC0.kabel.telenet.be
d51A49FC0.kabel.telenet.be
81-172-34-117.usuarios.retecal.es
d51523A5F.kabel.telenet.be
d51523A5F.kabel.telenet.be
d51523A5F.kabel.telenet.be
82.147.174.96
82.147.174.96
chello083144120137.chello.pl
chello084010059088.chello.pl

And the zombies are still at it:

81.82.135.132
67.160.36.45
62.163.180.196
68.194.120.218
24.19.197.127
68.102.11.144
201.248.11.214
82.147.174.96
24.30.120.71
67.160.36.45
68.85.175.142
24.21.98.136
24.17.35.216
66.25.162.2
80.99.45.105
24.30.120.71
81.82.135.132
66.25.162.2
80.99.45.105
69.119.236.38
24.155.107.102
69.92.91.241
68.37.250.88
68.86.203.30
24.48.54.60
69.164.157.126
66.25.162.2
24.3.4.232
68.59.144.215
24.247.37.201
24.155.107.102
24.90.184.92
68.97.7.118
24.13.185.46
66.30.122.247
68.96.119.231
24.251.45.133
24.214.102.122
81.190.71.18
24.3.4.232
24.155.107.102
66.31.89.81
67.160.36.45
24.218.130.155
67.160.57.221
66.30.122.247
213.224.138.94
158.75.215.41
69.113.79.161
24.3.4.232
67.22.46.193
68.59.144.215
69.92.91.241
24.155.107.102
24.30.67.171
24.155.107.102
24.214.102.122
24.250.102.125
24.250.102.125
68.52.72.71
68.96.119.231
217.217.254.213
68.37.250.88
24.151.214.31

Lisa had an interesting observation. She’d noticed some nonsensical trackbacks yesterday. I did too, but didn’t think to mention them. Just a random sequence of letters forming a username, a one-word comment and a URL. She saw it as a test prior to an attack, which it probably was. Same guy that sent his army of zombies after me later on. Lisa’s blog entry. She’s disabled trackbacks for now, so I can’t ping her :-(
----

YAY!!! He’s giving up for now! No more trackback attempts for about an hour!!!!!!

Oh, and maybe I should add something useful for those who come on here desperate to turn him off. If you’ve got a Movable Type blog, just rename mt-tb.cgi for the time being, and nobody will be able to make trackbacks.

Here are some other people reporting the same type of attack:

Street Computing
Ryan Prins’ blog
Photomatt
Sparticis has an interesting idea for the program makers on how to make trackback spam more difficult.

In fact, check Technorati for an abundance of recent postings on the topic!

Also check this forum if you’re using MT:
Discussion on trackbacks

2 Responses to “Foiling the spammers”

  1. Winds of Change.NET Says:

    Winds’ Guide to Fighting Comment Spam

    Six apart has a good guide. Winds adds some general principles of blog defence, talks about our own measures, and concludes by talking about the source of this comment problem and what can be done.

  2. Hanna Says:

    I ended up just turning off trackbacks on our site. Part of the reason was that nobody ever pinged us in the whole first four months (and it’s not likely to ever change) and part of the reason was that it was such an obvious security problem.

    If I ever do turn them back on, it won’t be until Six Apart does something to make them more secure. It’s Six Apart’s problem to deal with because it’s their “innovation” (that they’re now going to be adding to Live Journal which is going to make trackback spamming all that much more enticing) and if all it’s going to do is make them look bad, they need to do something about it.

    Good luck in your efforts.

    Love,

    Hanna