
January 10, 2005

Some insights into spambot behavior

The trackback spam I've been getting seems to be from an army of zombie spambots. That means they are regular home computers (or even business computers), most of them on broadband ISP lines. What that means is that those computers will normally not have webservers configured. So any time you come across an IP number in your logs trying to spam you, check if they've got a webserver configured. The easiest way to do it is to enter them into your browser and see if they serve up something. But that can be deceptive, so if you can, use a tool that shows the response headers as well.

One of my regular spammers is spamming my deprecated B2 installation. Yes, after a few months of using MT. Smart, eh?

Anyway, one of the IP numbers I caught appears to be a master spambot:

202.134.0.136
webserver2.telkom.net.id
inetnum: 202.134.0.0 - 202.134.3.255
netname: TELKOMNET
descr: PT Telekomunikasi Indonesia (PT. Telkom)
descr: Indonesia

What looks like a webserver in Indonesia. Traceroute goes by Singapore.

What attracted my attention was these two accesses:
POST /blog/archives/000083.html
POST /blog/archives/000083.html

Very curious. A POST request to some blog entries? Very fishy.

So I pulled the IP number, and found a string of accesses to the blog, ranging over the deprecated B2 comment script to blog entries, to actually posting comment spam. The accesses are sporadic and atypical enough so I don't think this is a zombie. I think it's a master bot of some kind. Probably a probing bot.
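The two checks described so far, pulling every access for an IP out of the log and treating a POST to a blog entry page as a red flag, and probing whether the source even runs a webserver, can be done from a script rather than by hand. The following is an added example, not code from the original post: it parses Apache combined-format log lines (a constructed sample is embedded; the addresses are documentation ranges, not the IPs in the post), reports IPs that POST to entry pages, to a trackback endpoint or to an assumed deprecated B2 comment script path, and includes a HEAD-request probe that returns the Server header, which needs network access and is not exercised by the sample run.

```python
import re
import http.client
from collections import defaultdict
from datetime import datetime

# Apache/NCSA combined log format, as served by the MT/B2 setups of the era.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths a browser would only ever POST to via the comment/trackback forms.
# The B2 script path is an assumption for this example.
SUSPICIOUS_POST = (
    re.compile(r"^/blog/archives/\d+\.html$"),   # MT entry pages: browsers GET these, bots POST to them
    re.compile(r"^/b2/b2comments\.post\.php"),    # assumed deprecated B2 comment script
    re.compile(r"^/blog/mt-tb\.cgi"),            # MT trackback endpoint
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.136 - - [10/Jan/2005:09:15:02 +0000] "GET /b2/b2comments.post.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.136 - - [10/Jan/2005:09:15:09 +0000] "POST /blog/archives/000083.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.136 - - [10/Jan/2005:16:40:11 +0000] "POST /blog/archives/000083.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '198.51.100.20 - - [10/Jan/2005:10:02:33 +0000] "GET /blog/archives/000083.html HTTP/1.1" 200 9311 "http://www.google.com/" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Jan/2005:11:30:00 +0000] "POST /b2/b2comments.post.php HTTP/1.0" 302 0 "-" "-"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_suspicious_post(entry):
    """A POST to a page or script that only the comment/trackback forms should hit."""
    return entry["method"] == "POST" and any(p.match(entry["path"]) for p in SUSPICIOUS_POST)


def find_spam_suspects(lines, min_hits=2):
    """Group suspicious POSTs by source IP.

    Returns {ip: {"posts": count, "paths": sorted paths, "span_hours": first-to-last}}.
    The time span is what separates a sporadic probing bot from a burst of zombie hits.
    """
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious_post(entry):
            by_ip[entry["ip"]].append(entry)
    report = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_hits:
            continue
        times = sorted(h["ts"] for h in hits)
        report[ip] = {
            "posts": len(hits),
            "paths": sorted({h["path"] for h in hits}),
            "span_hours": round((times[-1] - times[0]).total_seconds() / 3600, 1),
        }
    return report


def probe_http_server(ip, timeout=5.0):
    """HEAD / on port 80 and return the Server header ('' if the header is absent).

    Returns None when nothing answers, which is what a home zombie on a broadband
    line normally looks like; a reply means the source is running a webserver.
    Requires network access and is not called by the sample run.
    """
    try:
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("HEAD", "/", headers={"Host": ip})
        return conn.getresponse().getheader("Server", "")
    except (OSError, http.client.HTTPException):
        return None


if __name__ == "__main__":
    for ip, info in find_spam_suspects(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample, only the first address is reported: two POSTs to an entry page spread over about seven hours, preceded by a GET of the comment script, which is the sporadic, probing pattern the post describes. The normal visitor who GETs the same entry page never appears, and the single B2 POST falls under the `min_hits` threshold unless it is lowered.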

It REALLY got interesting when I found that the bot had succeeded in posting a few comment spams before I blocked it.

Get this: aside from fidelityfunding, this bot posted URLs on variations of gb.com, which means one thing: it's related to Alexander Morozov, whether he's a real person or a virtual figurehead. That's the domain spammed with those trackbacks too!

I believe the other spambot I caught the other day is related to him too, and so is this one.

While the trackbacks were vile pornographic URLs, these were the regular gambling, viagra, phentermine, weight loss and mortgage type URLs. Typical Google search term placement.

EDIT: Incidentally, I also found referral spam peddled by this robot. Same main domain as the trackbacks.

You know, this is really weird. Many of the sites in that referral spam are now terminated for misuse of the hosting account. But most of them are coming back to the same server, which has a spammy name:
161.58.59.8

All of those domains are coming back to one
Thomas Reece in New York

While the e-mail address on all of those domain names is coming back to this IP address:
217.70.178.17
support-24x7.biz

The registrar of choice seems to be Moniker.

Unfortunately, the sub domains on gb.com are still operational.

------------

Looks like there are several master bots. What they have in common is that they have less rigid patterns than the zombies, and they all have webservers installed. Could they, in theory, be open proxies?

Here's another one, in Spain:
213.172.36.62
This one's only been used for comment spam so far, and can be linked to the same domains as the spambot I've been talking about above.

---------

I also have a few clueless bots spamming my old B2 installation. Same outfit:
38.119.107.77
38.119.107.76
Those two are working side by side, sometimes at the same times or alternating.
Since today they've added this one:
66.208.216.53

I logged these in December:
193.151.75.22
212.91.171.252 (adding the correct referrer December 5th, nice touch)
213.91.216.36
213.91.217.116
213.91.217.78
207.44.152.100
207.44.188.57
213.91.217.77

Posted by Ann at January 10, 2005 01:38 PM


Comments

Hey, I typed the spanish IP in my browser.
http://213.172.36.62 seems to be the REAL ACADEMIA ESPAÑOLA (main dictionary site for Spanish countries) server!!! I know people working for that site!! Do you want me to do something?

Posted by: josemoya at January 10, 2005 06:48 PM
