Archive for February, 2005

The Bulgarians are back

Thursday, February 17th, 2005

And this time they’re flogging nutzu dot com.

Which probably means the trackback attack yesterday was from them too.

I first heard about nutzu from two other bloggers yesterday, but they got to me after a while as well.

Yesterday the domain didn’t ping anything, but today it’s got one of those account suspended notices. And this one looks a lot more legit. But considering their prior tricks, I don’t believe it.

Especially since the contact form on there leads to a nonexistent address at Gandi. The top level domain doesn’t look right. The site itself is hosted on the spamhost in China.

This is actually one of the most massive referrer spam runs I’ve ever seen. Only one domain, no subdomains, and many different pages on that domain.

More about the Bulgarians

My search query stats

Thursday, February 17th, 2005

I noticed yesterday that Alexander Morozov topped my search queries in Awstats. I checked again today, and the situation’s changed:

w3crobot 51 2.7 %
alexander morozov 31 1.6 %
rugged cell phone 23 1.2 %
pusur 22 1.1 %
reffy 15 0.8 %
how to build a cat tree 15 0.8 %
sony trv65 14 0.7 %
guestbook spamming 14 0.7 %
pinappleproxy 14 0.7 %
parabol 14 0.7 %

w3crobot has gotten a lot of action there!

New trackback spam run - don’t know who

Wednesday, February 16th, 2005

There was a new trackback spam run two hours ago. My blocks caught them, but I don’t know why. Don’t know for sure who these were. If any of you managed to snag one of these, I’d like to see a sample.

At least some were open proxies, and different user agents. That points to the Bulgarians, or someone using similar programs.

No more referrer spam, though, so it’s hard to say.

AND, I’ve got quite a few Google queries for people looking for mt-tb.cgi. I’ve got a top ten Google placement for that query. So it might be a new one. Will have to look into that.

A test to see if I’m paying attention

Wednesday, February 16th, 2005

I got this in my log today:

83.108.174.176 - - [15/Feb/2005:18:42:21 -0600] "GET /blog/ HTTP/1.1" 200 137477 "From a land far, far away - or not." "Ann Elisabeth's Secret Fan ;-) (V 0.1 alpha)"

This must be a test to see if I’m paying attention.

This one also accessed post number 298, thus implicating that it’s a spammer.

Hmmm, just asked the one I thought it was. He doesn’t admit to it.

Well, I’m officially stumped. I thought it was a prank by someone I know.

UPDATE: Lots of interesting people at kuro5hin. Here’s another user agent from there:
SiteHackerPro 2005

That’s a regular browser, looks like. But the one with the personalized user agent and referrer, is not. That’s some other kind of program or request. Very obvious, since it never requested any images or css files. And for some other reasons…
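An added example, not from the original blog: the two log tells described in these posts, the referrer run from one domain with many different pages and the client that never requested images or CSS, written as checks over an Apache combined-format log. The sample lines, the `.example` hosts and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                  r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
ASSET = re.compile(r'\.(?:css|js|png|gif|jpe?g|ico)(?:\?|$)', re.I)

# Constructed sample log: documentation IP ranges and .example hosts only.
T = '[15/Feb/2005:18:42:21 -0600]'
SAMPLE = [
    f'192.0.2.10 - - {T} "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"',
    f'192.0.2.10 - - {T} "GET /blog/style.css HTTP/1.1" 200 900 "http://blog.example/blog/" "Mozilla/5.0 (constructed)"',
    f'192.0.2.10 - - {T} "GET /blog/logo.gif HTTP/1.1" 200 700 "http://blog.example/blog/" "Mozilla/5.0 (constructed)"',
    f'198.51.100.7 - - {T} "GET /blog/ HTTP/1.1" 200 5120 "A land far away" "Secret Fan (constructed)"',
    f'203.0.113.1 - - {T} "GET /blog/ HTTP/1.1" 200 5120 "http://spam.example/a.html" "Agent A (constructed)"',
    f'203.0.113.2 - - {T} "GET /blog/ HTTP/1.1" 200 5120 "http://spam.example/b.html" "Agent B (constructed)"',
    f'203.0.113.3 - - {T} "GET /blog/ HTTP/1.1" 200 5120 "http://spam.example/c.html" "Agent C (constructed)"',
    'not a log line',
]

def parse(lines):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, lines) if m]

def pages_without_assets(entries, min_pages=1):
    """IPs that fetched pages but never an image, CSS or JS file."""
    pages, assets = defaultdict(int), defaultdict(int)
    for e in entries:
        (assets if ASSET.search(e["path"]) else pages)[e["ip"]] += 1
    return sorted(ip for ip, n in pages.items() if n >= min_pages and assets[ip] == 0)

def referrer_runs(entries, own_host, min_pages=3):
    """Foreign referrer hosts seen with at least min_pages different referring pages."""
    seen = defaultdict(set)
    for e in entries:
        ref = urlsplit(e["referer"])
        if ref.scheme in ("http", "https") and ref.hostname not in (None, own_host):
            seen[ref.hostname].add(ref.path)
    return {host: len(paths) for host, paths in seen.items() if len(paths) >= min_pages}

if __name__ == "__main__":
    entries = parse(SAMPLE)
    print("no assets fetched:", pages_without_assets(entries))
    print("referrer runs:", referrer_runs(entries, "blog.example"))
```

A single asset-free page view can also come from a feed reader or a browser with a warm cache, so raise `min_pages` on real logs and treat the result as a list to review rather than a blocklist.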

Proxy software for the .htaccess

Wednesday, February 16th, 2005

I got an entry in my log today with the telling user agent: SBP

AKA Simple Browser Proxy

In this instance, it’s running on a hostdime server.

I can’t imagine what the point is. I’m guessing the browser came in through the kuro5hin link, though.

But using a proxy just to check out a stranger’s blog? Not sitting well with me. So up in the .htaccess it goes…

Spammers, read this!

Wednesday, February 16th, 2005

I don’t advocate violence. And I feel it’s much better to beat them some other way. But I had to snicker at this discussion:
Cold Fury
Quite a lot of anger! And considering we DO track them down given enough time, I guess they should feel very lucky they’re not close by some of the bloggers.

Alexander learns from the Bulgarians?

Wednesday, February 16th, 2005

Alexander is in the middle of a new trackback spam run.

I deleted one of my blocks on purpose, to see what he was peddling next time.

And found out that all the sites he was peddling had a 404 error.

But now I’m starting to wonder. I mean, he JUST started, and I doubt the free hosts would manage to get him yanked THAT fast, unless he just didn’t get to my blog until day two of his campaign?

No, I’m starting to think he hasn’t even registered the accounts yet, or he’s just registered but hasn’t started building yet. I think he’s counting on us thinking the sites have been yanked already. And notice how he’s using Spanish and Polish language sites, so it would be hard for us to communicate with the site owners, and hard to figure out what the pages actually say? Can be done, though.

I’ll keep the trackbacks safe for a few days, then check them out and then report him to the free hosts.

Now I’m off to clean my trackbacks.

How about a plugin or MT update so I can moderate those trackbacks?

UPDATE: Yes, Alexander is using a variation of the account terminated technique. I dug in my mailbox, and found a conversation I’d had with one of the other bloggers about one of Alexander’s trackbacks. I said it looked like the portal had already managed to yank Alexander’s site. That’s how it looked at the time. But I rechecked it today, and it’s being served today. So, he was doing this already back in the beginning of February. In other words, expect the URLs spammed today to start working in a while.

Check your site

Tuesday, February 15th, 2005

I found this nifty tool, to see how your site is doing. Just one word of caution. It says my site isn’t even indexed in MSN, but that’s not true. Probably some query problem.

Uptimebot

And here’s a quick check for Google pagerank:

Pagerank

Useful if you don’t want to install the toolbar.

BTW, this blog is only a 4. You’d think the bloggers would leave it alone, eh? The site itself is 5, and another site I have is 6 (index pages).

Hehe, reffy? A big fat 0!!!!

The Bulgarians must still be on walkabout

Tuesday, February 15th, 2005

Still nothing from the Bulgarians. Hmmm…

This isn’t normal. Something must have happened that made them reevaluate their strategies. Of all the spammers, they’re the most adaptive bunch out there.

UPDATE:
Check out Cindy’s fun little poll on what could have happened to them:
spammers are MIA

More about the Bulgarians

Bulgarian linkrot

Tuesday, February 15th, 2005

I’ve started noticing bigtime linkrot today. The Bulgarians for sure, but also some other spammers.

In the past we assumed the gb.com belonged to the spammer. Well, that ain’t so. It’s a UK based sort of top level domain. So any of those we thought were subdomains, were actually bought by the Bulgarians as regular domains. And at least one of them no longer responds.

Heh, and when I did a whois lookup on one of their domains, I notice a link to this:

blacklist.

What this means, is that the server has been added into the SPEWS, SORBS and possibly other spam blacklists.

Turns out the Bulgarians are in the same netblock as a couple of other spammers. Heh, that’s what you get for using a spamhost…

More about the Bulgarians