Archive for January, 2005

12.163.72.13/Fetch API

Friday, January 28th, 2005

Several of us got lines in our logs, with that IP number as the referrer. No website, just that IP number dressed up as a site address.

It’s similar to the Bulgarian spammer machine, and uses proxies.

So I did some googling, and this one has posted comments a few months ago. With that referrer.

I couldn’t understand what the point was, because there was no site to be accessed.

But then I remembered the nonsense trackbacks prior to Alexander’s massive trackback spam run.

What if this is a test to see how many blogs are still blocking 12.163.72.13? And I’m not talking about blocking it from the referrer log, but blocking someone posting with that referrer.

————-

While researching the above issue, I came on Will’s post about 12.163.72.13. He included a section on the theory set forth by Candy that the user agent Fetch API Request was used to harvest comment link URLs.

So I grepped my files for that, and found that one person has been pulling ONE post over and over, with that string appended to the usual UA. Occasionally he’ll ask for the whole blog. This might well be one to be banned from access altogether.

I looked at the post being pulled, and my guess is that the reason for that one being chosen, is because it’s linked from the Movable Type blog.

So far I haven’t been able to figure out exactly what this thing is. If you know, please comment.

Some shouldn’t have to spam

Thursday, January 27th, 2005

I just got a spammer like this one in my logs.

static-151-204-254-238.bos.east.verizon.net

UA: Mozilla/3.0 (compatible)

More background info on the Norwegian spammer

Thursday, January 27th, 2005

I did some checking way beyond the search engines on the person I believe is identical to Odin on Adminshop.

He’s born 1984. About 20 years, in other words. I wonder if his father knows about this?

Pretty depraved 20 year old, I’d say, considering he wrote an article about how to make money on porn sites. Do a google search for adminshop and Odin, and you shall find.

UPDATE:
Oh, and I found an earlier version of the whois info for one of his domains on Rojisan

The phone number looks like a legitimate Norwegian cell phone number. And the rest of the address info still looks misleading but relevant to the guy I’ve been talking about.

SECOND UPDATE: Proof the guy speaks Norwegian. Here’s a post made by M0nkey

I find that M0nkey and Odin are appearing on the same forums at the same time. I don’t know if it’s one and the same using sock puppets, or if they are partners. M0nkey writes Norwegian. So far I haven’t seen Odin do that. I saw a link from a post by Odin going to a pornographic site. I killed it before it fully loaded. Don’t want an eyeful of that stuff.

Although M0nkey is definitely Norwegian, Odin does use Australian type language (mate, for instance). So it’s possible there are two guys here.

An old article about spyware

Thursday, January 27th, 2005

I think this one bears repeating:

The spyware that loved me

Firewall box with proxy open to the internet

Wednesday, January 26th, 2005

I talked to an admin today. I’d never heard of the operating system of his server before, so he told me it was essentially a firewall. And yet, that box was serving as an open proxy.

I caught a spammer using it on my blog.

So whatever type of operating system you’re using, there might be a way to turn it against you. Please ensure that whatever you’re using is secure!

Update on the Verio server

Wednesday, January 26th, 2005

Remember the spamming box on Verio?

161.58.59.8

I had a list of 8 domains I verified were on that box on January 21

Today all of those except one have been moved to the Chinese box.

Oiline is still left.

Hey Reid, have you gotten any feedback from them yet? I noticed the domains you’d posted in a comment here are all off the server too?

Contributor at Spamfo

Wednesday, January 26th, 2005

I’ve become a contributor at Spamfo.

The stuff I write there will probably be mostly stuff I’ve come up with here, but more structured and more geared towards a wider audience. Stuff that’s helpful rather than exciting.

My first article can be found here.

Some antispam sites of interest

Tuesday, January 25th, 2005

http://www.unspam.com/
http://www.projecthoneypot.org/
http://www.optoutbydomain.com/
http://www.sueaspammer.com/

UPDATE:
One mail from optoutbydomain didn’t make it. It’s possible one of my webhosts is blocking their mail. Hmmm…

Another site of interest:
http://www.spamfo.co.uk/

Southwestbell customer up to no good

Tuesday, January 25th, 2005

Got some accesses in my blog.

Nothing to really mark them as dubious.

Accessing a number of posts with numbers around 183-190, which by now is not completely new. No referrers at all.

70.249.11.86
adsl-70-249-11-86.dsl.rcsntx.swbell.net

So, why am I saying this one is up to no good?

Check out the UA:
Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)

Amateur coding project gone terribly wrong, mwuhaha…
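The three log patterns discussed in these posts (a bare IP number as referrer and the Fetch API Request string in the UA in the 12.163.72.13 post, and the plus-signs-for-spaces UA in this one) can all be picked out of an Apache combined log with one scan. The script below is an added example written for this archive, not code from the original posts; the log lines in SAMPLE_LOG are constructed for the example (client addresses from the 192.0.2.0/24 documentation range), and the flag names are my own.

```python
"""Flag the suspicious log patterns discussed in these posts.

Added example, not code from the original posts. Parses Apache
"combined" log lines and flags three things:
  1. a referrer that is a bare IP number dressed up as a URL
  2. a user agent with the string "Fetch API Request" in it
  3. a user agent where every space has become a '+', i.e. a
     URL-encoded UA sent raw (Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98))
The sample log lines at the bottom are constructed for this example.
"""
import re
from collections import defaultdict

# Apache combined log format: ip ident user [time] "request" status size "referrer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# http(s)://1.2.3.4, optional port, optional path, and no hostname at all.
BARE_IP_REF_RE = re.compile(
    r'^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/.*)?$'
)
# A UA containing '+' and not a single real space.
PLUS_UA_RE = re.compile(r'^[^ ]*\+[^ ]*$')

FETCH_API_MARKER = 'Fetch API Request'


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flags_for(entry):
    """List the reasons (flag names, my own) a parsed entry looks suspicious."""
    reasons = []
    ref, ua = entry['referrer'], entry['ua']
    if BARE_IP_REF_RE.match(ref):
        reasons.append('bare-ip-referrer')
    if FETCH_API_MARKER in ua:
        reasons.append('fetch-api-ua')
    if '+' in ua and PLUS_UA_RE.match(ua):
        reasons.append('plus-encoded-ua')
    return reasons


def scan(lines):
    """Map each client IP to the sorted list of flags its requests triggered.

    IPs with no flagged requests are left out, so the result is a short
    candidate list for a deny rule rather than a full traffic summary.
    """
    hits = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:          # skip lines that aren't combined format
            continue
        for reason in flags_for(entry):
            hits[entry['ip']].add(reason)
    return {ip: sorted(reasons) for ip, reasons in hits.items()}


# Constructed sample log; only the referrer and UA strings come from the posts.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jan/2005:10:12:01 +0100] "GET /archives/000183.html HTTP/1.1" '
    '200 4821 "http://12.163.72.13/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.11 - - [28/Jan/2005:10:13:45 +0100] "GET /archives/000190.html HTTP/1.0" '
    '200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Fetch API Request"',
    '192.0.2.12 - - [25/Jan/2005:09:01:12 +0100] "GET /archives/000185.html HTTP/1.1" '
    '200 4900 "-" "Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)"',
    '192.0.2.13 - - [25/Jan/2005:09:02:00 +0100] "GET /index.rdf HTTP/1.1" '
    '200 2048 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)"',
]

if __name__ == '__main__':
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, ', '.join(reasons))
```

The plus-encoded check deliberately requires that the UA has no real spaces at all: a UA that has been URL-encoded and pasted straight into the header has none, whereas a genuine browser UA always does, so the two are hard to confuse. Pipe a real access_log through scan() and the per-IP result is the list to consider for a deny rule; the fourth sample line (a normal browser UA and a hostname referrer) comes out with no flags.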

A German referrer spammer

Tuesday, January 25th, 2005

I got a new referrer spammer in my logs today.

This one asked for some posts, not the newest. The css file, but not the background image. And an rdf file (feed).
The UA is:
Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
And IP number:
217.231.232.126
Hm, German dialin ISP. I’ve had guestbook spam from that one since forever.

The domain spammed has whois info that lists an e-mail address at inseosite dot com, which lists phone number and address on the front page, then nothing. Must be a mail drop type site? No evidence of spam on Google for that site.

The spammed site seems to contain hundreds of spammy porn links. Again, nothing in Google. Hmmm, maybe this is a newbie spammer?

Another oddity. The address for the site is in New York. A very swanky address, that bears the Google signs of a maildrop. The server is in Germany:
florenz142.server4free.de (mail)
or
ip-104-255-75-62.inaddr.intergenia.de (dns)

And the phone number is in Seattle, and the fax number (update) is also in Seattle. I know of a fax forwarder service in Seattle that a friend used years ago. Hmmm…

Someone calling himself Rogger has been lightly spamming a site before, giving an inseosite dot net e-mail address. The spammed site no longer works.