Alexander Morozov back at it

Remember we talked about Alexander Morozov a long time ago? He was responsible for a lot of grief after targeting, among others, Movable Type blogs. He sent trackbacks full of bestiality and other porn links. When that got enough attention that the trackbacks were deleted on site, he moved on to putting those links in Geocities pages instead, and trackbacked with those addresses.

Now he’s back, trackbacking Typepad users. The trackbacks have already been removed by Typepad, but I got a few samples from A Welsh View and had a look at the URL in them.

The URL in the trackbacks looks to me to be a free site at a Polish portal. On that page, there are oodles of really bad links. The link that attracted my attention first was the fake blogspot link that Alexander has been associated with before. Check out Phil Ringnalda’s post about that.

Off to find an abuse address for that portal.

I’ve seen a few innocent accesses from Alexander lately, so I was wondering if he was plotting something. I’ve been half expecting another trackback attack on MT.

BTW, Alexander is using compromised Windows computers. Trojaned boxes. The other spammers I’ve come across so far have used open proxies. Servers.

UPDATE: I’m pleased to see that the spamvertized freebie site is down. I was one of the people who sent the portal an abuse message. I’m sure I wasn’t the only one…

3 Responses to “Alexander Morozov back at it”

  1. orangeguru Says:

    Thanks for the good work!

  2. MsCantBWrong Says:

    Hi Ann Elisabeth.

    Really great work that you are doing to help others combat spam.

    I think I have implemented everything you have posted to keep these guys off my site and out of my referral logs and gmail trash. Since I have done so, I have seen none of the usual referrers and NO COMMENT SPAM that has been sent to moderation!

    I have two questions for you.
    1. Today I found a UA in my referral log as follows:
    Agent: Mozilla/5.0 (compatible; Konqueror/3.1; i686 Linux; 20021015)
    From the research I have done, this looks highly suspect. Do you have any information?

    2. I have added the code to ban the Bulgarians from my site as well as CandyGenius’s spampop (http://www.candygenius.com/spampop), but there is one referrer that seems to be making it through my filters. I even have it listed on my partial URL block (found here: http://cavlec.yarinareth.net/archives/category/spam/)

    The UA is as follows:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322) and the name flagged in the partial URL block is learntoplay. Why is he still able to access my site?

    Help?

    TIA

  3. alfons Says:

    I’ve been using Konqueror pretty much over the past 5 years. The UA is definitely wrong; the current version of Konqueror identifies itself with:

    Mozilla/5.0 (compatible; Konqueror/3.3; Linux) KHTML/3.3.2 (like Gecko)

    It should have a “KHTML” and a “like Gecko” string in the UA string.