Web spam summit
Wednesday, February 23rd, 2005
There’s a Web spam summit tomorrow.
Wish I could have been there.
Ann Elisabeth: writes about tech, faith and whatever
Hopefully Moniker’s practices will be curbed… And all the spamhosts.
The abuse e-mail address for the Bulgarian spammers’ ISP is:
abuse at btc-net dot bg
I’m hoping several of you will complain about the spammer, and ask that service be terminated. Don’t forget to mention that the spammer has several IP addresses; we don’t know how many.
Recently seen IP addresses (January and February this year) include:
213.91.217.118
213.91.217.78
I saw the last one in my logs January 31, trying to post to my old B2 comment script. And the first one was of course the spammer looking himself up on Google. Verified with old spamruns from that IP address, including ones spamvertizing one of his most cherished domains - an affiliate network program.
I guess they didn’t want to be my human lab rats anymore?
So dear regular readers, I’m relying on you to keep up a steady flow of news about the Bulgarians!
Please keep me updated on their next developments!
UPDATE: I got a few accesses today from the Bulgarians or copycats. 5 to be accurate. Huh, that’s weird.
MCI is allegedly hosting a site called send-safe dot com. A Russian is selling a program that can be used to turn computers infected by Sobig into spam sending proxies, even using the ISP’s mailserver to send the spam.
MCI has had them on their network for over a year, and now they’re even denying that they’re hosting the site.
I did some digging.
Turns out there are several sites selling spamware on that server, according to whois.sc. I didn’t check ALL the domains, because I don’t have the silver membership. But what I found was enough to let me know something’s wrong here… There was one seemingly innocent site there too, though. A sick joke repository.
The most interesting little item I found was this:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 22 Feb 2005 18:43:24 GMT
X-Powered-By: ASP.NET
Connection: close
Content-type: text/html
X-Powered-By: Electricity
X-Accelerated-By: GeForce4Ti
Those are the headers of the server when accessing send-safe. I’ve NEVER seen headers like that, and neither had Google. Looks like a joke.
In fact, it seems specific to that site, as other sites hosted on the server have more normal headers. Though I was a bit perturbed by the obscenely long-lasting cookie (lasting until 2010) on all sites except send-safe. It’s actually a server-wide setting, since it is also set when the server is accessed by IP number.
I noticed that MCI also offers colocation. Reading between the lines here, I wonder if that’s what’s going on: a spam-friendly outfit has a server there, and MCI are covering for them?
Check out what Spamhaus has to say about this case.
I missed this… until today.
I’ve had two or three Bulgarians in my logs this last month. The first searched Google for:
micro_httpd dsl router
IP address: 213.91.170.2
(no spamming activity according to Google. Relatively normal internet usage)
The second searched Google for
Iavor Zahariev
IP address: 213.91.217.118
The third searched Google for:
ADSL micro_httpd
IP address: 213.91.247.203
(no Google hits at all, so probably innocent bystander)
ISP for all three: btc-net.bg
The one searching for Iavor read a post about Iavor the first day, then came back and read the blog itself the next day. The day after that he tried the archives. No luck (404), so he went back to the blog itself.
The Bulgarian most interested in my site could be anyone, of course. I mean, there’s more than one Iavor out there.
BTW, I found something really funny in his search results:
The spammer is using both Iavor and Zahariev while calling out to Grendal in some spams from November last year
I also noticed the work done by Tao of Dowingba a year ago. There’s a domain there with Iavor as the registrant. The domain is still with Moniker, exactly one year later, but the registrant and other info has been changed.
Anyway, after I discovered I hadn’t received any referral spam from their latest campaign, that’s when I started looking in my logs for anything faintly Bulgarian. And now I’m wondering if this is the explanation. Don’t know, it’s just speculation, of course.
Ah, I did a Google search for the IP number in question, and found it has spammed before. Found preserved examples November 2004 with domains that, although registered by Godaddy, still have DNS servers pointing back to the twins. Most of the samples still preserved are from Wikis or message boards. The IP address normally wouldn’t show up on blogs, of course.
I checked out one of the old domains spamvertized in November, and found cloaking that wasn’t even visible in the served page. The redirect hinges on the referrer: if you found the page on Google, it redirects; if you didn’t, you get the search engine spider fodder. I tricked the server, and here are the headers served up if you’ve got a Google referrer:
HTTP/1.1 302 Found
Date: Tue, 22 Feb 2005 18:06:12 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.1.2
X-Powered-By: PHP/4.1.2
location: http://www.empirepoker.com/indexnp.htm?wm=1708103
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
In case you’re wondering, that’s an affiliate code URL.
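The referrer-dependent cloaking described above can be spotted mechanically by requesting the same URL twice, once with no Referer and once with a search-engine Referer, and comparing the responses. The following is an added example (not code from the original post); the two raw responses are constructed here, modelled on the headers shown, with a placeholder affiliate host and page host instead of the real domains.

```python
"""Flag referrer-dependent cloaking from two raw HTTP responses."""
from urllib.parse import urlsplit


def parse_response(raw: str):
    """Split a raw HTTP/1.x response head into (status_code, headers).
    Header names are lower-cased because servers do not agree on case
    (the cloaking host in the post sends 'location:' in lower case)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_target(status: int, headers: dict):
    """Return the Location of a redirect response, else None."""
    if status in (301, 302, 303, 307, 308):
        return headers.get("location")
    return None


def detect_cloaking(plain_resp: str, referred_resp: str, page_host: str) -> str:
    """Compare the response served without a Referer against the one served
    with a search-engine Referer. A redirect that appears only for referred
    visitors and leaves the page's own host is the cloaking pattern."""
    s1, h1 = parse_response(plain_resp)
    s2, h2 = parse_response(referred_resp)
    t1, t2 = redirect_target(s1, h1), redirect_target(s2, h2)
    if t1 == t2:
        return "consistent"
    if t2 and urlsplit(t2).hostname != page_host:
        return f"cloaked: referred visitors redirected to {urlsplit(t2).hostname}"
    return "differs"


# Constructed sample responses (placeholder hosts, modelled on the post's headers)
NO_REFERER = ("HTTP/1.1 200 OK\r\nServer: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.1.2\r\n"
              "Content-Type: text/html\r\n\r\n<html>keyword-stuffed spider fodder</html>")
GOOGLE_REFERER = ("HTTP/1.1 302 Found\r\nServer: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.1.2\r\n"
                  "location: http://affiliate.example/index.htm?wm=PLACEHOLDER\r\n"
                  "Connection: close\r\n\r\n")

if __name__ == "__main__":
    print(detect_cloaking(NO_REFERER, GOOGLE_REFERER, "spamvertized.example"))
```

In practice the two inputs are the raw responses captured from one request without a Referer header and one with a search-engine Referer, which is exactly the pair of fetches the post describes.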
Wow! And the server is named:
tzahariev.orbitel.bg
——-
UPDATE: I found a wiki version that includes both the IP number and the URL for partnersmanager.com. I’d like to see Iavor Zahariev wiggle out of that one…
I don’t know what to think.
The Bulgarians stopped pushing nutzu. And according to Mike, they’ve started pushing two new domains (and I saw the log lines).
But nothing here, so far.
Also, nutzu.com seems to have been banned by Google.
I’ve seen some of us spam fighters say that you can see that by checking page rank. I don’t agree. It’s not reliable. Search for the domain name instead. For instance, if I were to search for
annelisabeth.com
The results would look like this:
A while ago, (eh, looks like he wants to be anonymous) got referrer spammed, and when he looked up the domain, it wasn’t registered yet!
So he quickly registered it, just to mess with the spammer’s mind, thinking he’d figure out what to do with it later.
And now he’s figured it out, it’s a blog anti-spam reference site!
He is probably right in thinking the spamming of non-registered domains is a ploy to avoid lookups foiling their plans.
Incidentally, I believe the spammer in question is the one behind the sites registered and hosted by trkhosting. They took me off the spamming list after February 13, so I never saw the jagk.com spamrun. But I managed to confirm the sending IP through Google. It matches the trkhosting spammer. Funny eh, the spamming of my site stopped a few days after I talked to Tom Koch (head honcho at trkhosting), but continues in other places on the web…
Got an early warning from Mike, about these two being spammed by the Bulgarians:
isacommie dot com
musicbox1 dot com
So if you rely on blacklists, those should be put in as soon as possible.