Archive for January, 2005

Mac servers vulnerable to proxying?

Tuesday, January 25th, 2005

I’ve been talking to an admin for a small server. He says the server is from Apple, and that the head honcho at the local Apple store initially insisted their machine wasn’t hackable.

But that IP number was still spamming me as late as [25/Jan/2005:04:45:58 -0600]. And the local admin could see the activity as well. He’s been frantic to get it shut off.

Apple helped them shut off all services that weren’t immediately needed, but they don’t know yet if the server is secure.

Not knowing much about Apple, I couldn’t help him except by giving him tips on monitoring software - which should be in any admin’s toolkit. With that you can figure out what ports they’re hitting, and that way narrow down the list of services exploited.

So, guys, now we have a tentative confirmation: Apple machines have also been misused by spammers…

Update on the Norwegian spammer

Tuesday, January 25th, 2005

I talked to his ISP. They’d just resolved a complaint against him. I don’t know what they decided, because the abuse rep wouldn’t say.

He was very interested in hearing if there were any new instances of spamming.

So, any logs from today on showing Reffy activity that can be traced back to the so-called “William Indre” or adminshop related domains, please let me know here.

I’m in Norway, which makes going after this one a whole lot easier…

———-

Although I’m not on the hit list of this spammer, my other site is. In December I got a whopping number of hits!

85 xopy, 13 adminshop referrers, to be exact!

Managed Solutions Group is hosting adminshop. They’ve had complaints and have ignored them.

Another comment spam trick

Tuesday, January 25th, 2005

Guys, I want a script that dumps whatever Reffy or any other script tries to pump into my comment script or formmail, and then either mails it to me or puts it on a hidden page.

No prettifying, nothing. Whatever gets pumped by the script is what ends up in the output, in addition to a time stamp, UA and IP address. Oh, and that little thing that gives me the real IP number if it was entered via a proxy. Of course, that won’t work for all, but for some.

Do we have anyone here able to make a script like that?

I’ll most likely redirect some spammers to this script, even though they themselves will think they’re accessing my comment script…
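As an added example (not the blog author’s script, and not something a reader posted), here is a minimal WSGI stand-in for a comment script that does what the post asks: it keeps the raw POST body untouched and adds a timestamp, the client IP, the UA and the X-Forwarded-For header (assumed to be the “little thing” that reveals the origin behind a proxy). `LOG_PATH`, `build_record` and the other names are my own choices.

```python
import json
import time

# Constructed example, not the blog's script: log whatever a spam tool
# POSTs, unchanged, together with time, IP, UA and X-Forwarded-For.
LOG_PATH = "/tmp/comment-honeypot.log"  # assumed location, change as needed

def wsgi_headers(environ):
    """Turn WSGI's HTTP_USER_AGENT style keys back into 'User-Agent' style."""
    return {k[5:].replace("_", "-").title(): v
            for k, v in environ.items() if k.startswith("HTTP_")}

def build_record(remote_addr, headers, body, now=None):
    """Record exactly what was sent: no parsing, no prettifying."""
    if now is None:
        now = time.time()
    return {
        # same timestamp layout as the Apache access log quoted in the post
        "time": time.strftime("%d/%b/%Y:%H:%M:%S +0000", time.gmtime(now)),
        "ip": remote_addr,
        # X-Forwarded-For is added by a proxy *or* sent by the client itself,
        # so it is a hint about the real origin, not proof
        "forwarded_for": headers.get("X-Forwarded-For", ""),
        "ua": headers.get("User-Agent", ""),
        "raw": body.decode("latin-1"),  # byte-for-byte, never fails
    }

def append_record(record, path):
    """One JSON object per line; easy to grep or mail out later."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, ensure_ascii=False) + "\n")

def application(environ, start_response):
    """WSGI entry point: swallow the POST, log it, answer like a comment form."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length) if length > 0 else b""
    record = build_record(environ.get("REMOTE_ADDR", ""), wsgi_headers(environ), body)
    append_record(record, LOG_PATH)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Thanks for your comment.\n"]

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, application).serve_forever()
```

Point the redirected spammers at this endpoint instead of the real comment script and the log file collects their payloads as-is.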

A Norwegian spammer

Monday, January 24th, 2005

There’s a Norwegian spammer out and about, I’m ashamed to say (I’m Norwegian).

Let’s see. I’ve found three domains through Google:
adminshop dot com
acyon dot com
blogincome dot com

Thanks to Alfons, who gave me the IP number and UA:
80.202.225.70
Mozilla/4.0 (compatible; MSIE 6.0; AmigaOS)

The IP is from NextGentel, a popular Norwegian DSL provider. Fast, cheap lines. Wish I could get NG here, actually.

There have also been some accesses to my blog from this IP number. I can’t be sure if it’s the same person. But if it is, he’s also got a machine running Windows XP and the Opera browser. Looked at my blog yesterday, actually.

E-mail spamming is illegal in Norway. And a spam law will go into effect February 1. The previous law only protected private citizens, but the updated one also protects companies.

Anyway, the whois info is bogus:

William Indre (acyon at acyon dot com)
+1.5555555555
Fax: +1.5555555555
Austrevaagen 40
Bergen, ST 5244
NO

The whois records of some of the older domains are protected with whoisguard. That includes adminshop.

———-

There’s no Austrevaagen 40 in Bergen

I’ll call the ISP tomorrow.

UPDATE: Well, well, looks like he wasn’t so hard to track down after all. This is what’s called misdirection. Those familiar with the area would have no trouble getting mail to the correct person, but foreigners wouldn’t have a chance at finding the right person.

Hmmm, plotting schemes.

This is why I couldn’t sleep….

———-

More about the spammer.

What he’s peddling is Reffy, a little app to referrer spam websites. It’s got a whole lot of different UAs, so that weird Amiga UA I found was probably fake. Which probably means the other Amiga UA I found spamming the hentai domain earlier today was probably another user of Reffy. I guess you could say the occasional weird UA is a pretty reliable marker of Reffy.
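As an added example (not the blog’s own code), this scans Apache combined-format access log lines for the two markers this post and the earlier request for logs describe: referrers on the domains named here (adminshop, acyon, blogincome) and the odd AmigaOS user agents. The sample lines are constructed; the hentai referrer is a placeholder since the post does not name that domain.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: ip - - [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Referrer domains named in the post
SPAM_REFERRER_DOMAINS = {"adminshop.com", "acyon.com", "blogincome.com"}
# UA substrings the post treats as a likely Reffy marker
UA_MARKERS = ("AmigaOS",)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def referrer_host(ref):
    """Hostname of the referrer URL, lower-cased, without a leading 'www.'."""
    host = (urlsplit(ref).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def classify(entry):
    """List the reasons a log entry looks like referrer spam (empty if clean)."""
    reasons = []
    host = referrer_host(entry["ref"])
    if host in SPAM_REFERRER_DOMAINS or any(host.endswith("." + d) for d in SPAM_REFERRER_DOMAINS):
        reasons.append("referrer:" + host)
    if any(marker in entry["ua"] for marker in UA_MARKERS):
        reasons.append("ua-marker")
    return reasons

def scan(lines):
    """Yield (ip, time, reasons) for every suspicious line, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # rotated/garbled line, skip rather than guess
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["time"], reasons))
    return hits

# Constructed sample log: the IPs and UAs are the ones quoted in the posts
SAMPLE_LOG = [
    '80.202.225.70 - - [24/Jan/2005:10:12:01 -0600] "GET / HTTP/1.1" 200 5123 '
    '"http://www.adminshop.com/" "Mozilla/4.0 (compatible; MSIE 6.0; AmigaOS)"',
    '69.228.154.198 - - [24/Jan/2005:11:03:44 -0600] "GET /blog/ HTTP/1.0" 200 8700 '
    '"http://example.invalid/hentai/" "Mozilla/4.0 (compatible; AWEB 3.4 SE; AmigaOS)"',
    '192.0.2.10 - - [24/Jan/2005:11:10:00 -0600] "GET /blog/ HTTP/1.1" 200 8700 '
    '"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Opera 7.54"',
]
```

Running `scan(SAMPLE_LOG)` flags the first two lines and leaves the Opera visitor alone; a host that only matches on UA is worth a second look before reporting, since the marker is a heuristic.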

New Sanity version out today

Monday, January 24th, 2005

According to the Head Guru at one of my webhosts, there’s a new version of Sanity (Remember NeverEverNoSanity webworm, also called Santy.A ?) out today, and they’re running around like headless chickens trying to fix things.

Here’s the HG’s link about it:
Sanity thread on phpBB

I’m off to notify some friends using phpBB…

The tzahariev error messages for posterity

Monday, January 24th, 2005

I should probably put up a screenshot of the tzahariev error messages on Google, just in case they disappear soon.

The Google screenshot of the tzahariev MySQL errors

More about the Bulgarians

A more forceful way of reporting to the webhosts

Monday, January 24th, 2005

Jim Elve had a post about comment spamming, and got a response from Doug Alder about the most effective way to write abuse complaints to the webhosts hosting spammy domains.

I know I will probably write the notices to the hosts a bit differently now.

The articles (remember to read the comments as well):

http://www.blogscanada.ca/blog/CommentView.aspx?guid=2a322574-eb8d-4002-9dd0-788dcefc59c7
http://www.blogscanada.ca/blog/CommentView.aspx?guid=f84b569b-652e-4311-bfd3-f6ae4ef30735
http://www.thealders.net/blogs/2005/01/20/fighting-the-c-spammers/

Another blog spammer

Monday, January 24th, 2005

I found another blog spammer in my log today. A referrer spammer, using this UA:

Mozilla/4.0 (compatible; AWEB 3.4 SE; AmigaOS)

And the spam was for some hentai stuff. The IP number was 69.228.154.198, which may be a home machine.

Huh, I wasn’t aware Amiga was still in use?

UPDATE: The UA is probably fake, and a possible marker of the little app Reffy, which I’ve written about in a later post.

More on the twin spammers

Monday, January 24th, 2005

I did some digging on the Bulgarian twin spammers.

They’ve been running a lighting shop since around 2000. An e-shop most of the time. By now they’ve shifted that part of the business over to another domain:
wins dot bg
But it used to be housed on the main site, which is now used for software sales. You can find contact info for the shop on the website. Just click on the English flag to understand what’s on there…

Their main site at one time stated they provided internet access as well as webdesign.

I rummaged through archive.org’s cache, and found a page last modified 18-Apr-2003. It contained one spammy link as well as the link to the lighting site and some others. Actually, the list is identical for the client page today, except for the spammy link - which has been removed.

That spammy domain was registered to:
Saban Mihailovic

But the admin e-mail address was for one-cialis. That domain is registered to Saban along with Peter Kovach. But that domain name is still linked to from the twins’ main site. On all pages as I surfed the site.

One of the sites, balkanbg dot com, which is in Bulgarian and still operational, lists Yavor as the owner. And it also lists a nameserver named: NEW dot TWINS dot BG. It pings 66.235.194.90 which is ds194-90.ipowerweb.com.

UPDATE:
www dot twins hyphen bg dot com/pharmacy
is hosted on their site. The source code contains javascript that replaces the URL in the browser with:
drypills dot com/viagra dot html
Registered to Peter Kovach.

The pages are actually on different IP numbers, and they’re not 100% identical. But the fact still remains, there’s a spammy site on the twins’ domain.

I rest my case…

———-

UPDATE:

A few more examples for good measure:

A wiki spammed, now visible only in Google’s cache. partnersmanager is spammed along with the other trash here. That domain is also in plenty of blacklists published here and there.

An article about a spam incident on a wiki. Partnersmanager was also included here. They even give the spammy domains their own pages.

More about the Bulgarians

Usenet info on open proxy

Monday, January 24th, 2005

I checked usenet in regards to open proxies, because that’s arguably the largest open forum on the internet, and frequented by a lot of admins. I may post on a group, once I’ve identified the best group to post to.

But so far, I’m concentrating on what’s been done relating to open proxies before.

Paul McCue did a study on LART’ing (sending mail detailing the problem to the abuse address) open proxies. The machines were probably open mail relays rather than open proxies, but I guess some may have been both.

Dan Oetting theorizes on how to make admins aware there’s a problem with their machine, the brutal way.

During this search, I found a list of proxies and exploits, run by Spamhaus. I tested one of the Bahrain proxies, and it wasn’t in the list.

It appears that a lot of mail spammers use open proxies when sending mail through another open relay. The IP addresses of the open proxies used this way will end up in lists like that one.