Archive for the ‘spamhuntress’ Category

The Bulgarians must still be on walkabout

Tuesday, February 15th, 2005

Still nothing from the Bulgarians. Hmmm…

This isn’t normal. Something must have happened that made them reevaluate their strategies. Of all the spammers, they’re the most adaptive bunch out there.

UPDATE:
Check out Cindy’s fun little poll on what could have happened to them:
spammers are MIA

More about the Bulgarians

Bulgarian linkrot

Tuesday, February 15th, 2005

I’ve started noticing big-time linkrot today. The Bulgarians for sure, but also some other spammers.

In the past we assumed the gb.com belonged to the spammer. Well, that ain’t so. It’s a UK-based sort of top level domain. So any of those we thought were subdomains were actually bought by the Bulgarians as regular domains. And at least one of them no longer responds.

Heh, and when I did a whois lookup on one of their domains, I noticed a link to this:

blacklist.

What this means is that the server has been added to the SPEWS, SORBS and possibly other spam blacklists.

Turns out the Bulgarians are in the same netblock as a couple of other spammers. Heh, that’s what you get for using a spamhost…


The Bulgarians earn money from affiliate schemes

Monday, February 14th, 2005

I hadn’t bothered looking at the sites the Bulgarians spamvertized until now. But now I did, aiming to find out what the scheme was.

At least for the gambling sites, the scheme is affiliate marketing.

So the way to hit them where it hurts is to complain to the affiliate programs, trying to get their IDs suspended.

Some of the links were pretty hard to figure out. We’ll need someone who’s really good at decoding javascript to figure it out.

But others have the affiliate ID in the link, so that’s easy.

What I don’t know is if the affiliate programs care at all? Have any of you ever tried this? Any results?


Spam news

Monday, February 14th, 2005

I found this collection (not in chronological order) of spam news:

http://spam.abuse.net/

No comment spam and no trackback spam for a while

Monday, February 14th, 2005

So, what’s up?

Apart from the unrelenting referrer spam, I haven’t had a comment spam attempt from the Bulgarians in a long time. Latest trackback run was February 12.

How about you guys?

Rojisan outs another blogspammer

Monday, February 14th, 2005

Blogspammer Mike Reed

Actually, Rojisan has a few more outings. He’s been at it for a while. Just check his archives. Go, go!!
Rojisan’s spam section

Blog-City quick to drop spammy blogs

Monday, February 14th, 2005

I reported a spam blog to Blog-City today. Got a reply from one of the top guys. Checked the blog a few hours later, and it was already gone.

This was for SURE a spamblog, because it even redirected to an affiliate site with javascript.

That’s how it’s done, webhosts… Get a tip, check it out, and get the axe out!

Build a script that warns of open proxies

Sunday, February 13th, 2005

I was reading Cindy’s post about using SORBS to check for open proxies.

And my mind started freewheeling.

How about someone built a script that uses SORBS or any other suitable list of proxies. And then used it against ALL human hits to the site.

If there’s a match between a visitor and the database, up pops an annoying notice or banner, saying the visitor is coming through an open proxy, and to please notify the admin and ask him/her to secure it.

That would be more humane than just 403’ing all open proxies. Though that could of course also be done, if you place the htaccess in a blog directory, and the 403 page and some links leading to places not blocked with explanations and resources.

There could be links to resources, so the visitor could get help in understanding what’s happening.

This might consume some resources, so may not be for the busiest sites, but I’d LOVE to see this come to fruition!!!

Any takers?

Oh, and it could also be possible to make human intervention checks. IE, if you’ve got a large site, you could ask the visitors to visit a special link, where there’s a test.

Hmmm, sounds like a plan too.

You can find your IP address here on What’s My IP

But you can also go straight here and see if it’s an open proxy (they maintain a list). Use the rightmost button:
Blitzed

I checked some IP numbers there. And I found IP numbers not in their list. Even some I know are proxies, which they’d tested and thought weren’t. So the list isn’t foolproof. But it’s a start.
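A sketch of the script proposed in this post, added here as an example and not part of the original post: it looks a visitor's address up in a DNS-based proxy list and returns a notice for listed visitors only. The zone name, the meaning of the 127.0.0.x answers and every function name are assumptions; the sample zone data is constructed so the code runs offline.

```python
import ipaddress
import socket
from functools import lru_cache

# Assumptions: the zone name and the meaning of each 127.0.0.x answer are
# placeholders; take the real ones from the proxy list you choose to query.
ZONE = "dnsbl.example.org"
PROXY_CODES = {"127.0.0.2": "open HTTP proxy", "127.0.0.3": "open SOCKS proxy"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def query_name(ip, zone=ZONE):
    """DNSBL lookup name (reversed octets + zone), or None if not queryable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None                      # malformed REMOTE_ADDR: never query
    if addr.version != 4 or any(addr in net for net in LOCAL_NETS):
        return None                      # IPv6 and local ranges are skipped
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dns_a_records(name):
    """Live resolver: a listed address returns A records, unlisted fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

@lru_cache(maxsize=4096)                 # one lookup per visitor, not per hit
def proxy_listing(ip, resolve=dns_a_records):
    name = query_name(ip)
    if name is None:
        return None
    return next((PROXY_CODES[r] for r in resolve(name) if r in PROXY_CODES), None)

def banner_for(ip, resolve=dns_a_records):
    """HTML notice for a listed visitor, empty string for everyone else."""
    kind = proxy_listing(ip, resolve)
    if kind is None:
        return ""
    return ('<div class="proxy-notice">You appear to be visiting through an '
            + kind + '. Please ask its administrator to secure it.</div>')

# Constructed sample data standing in for the DNS zone, so this runs offline.
SAMPLE_ZONE = {"7.113.0.203.dnsbl.example.org": ["127.0.0.3"]}

def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for visitor in ("203.0.113.7", "203.0.113.8", "192.168.1.5"):
        print(visitor, "->", banner_for(visitor, sample_resolve) or "no notice")
```

The cache keeps the DNS cost to one lookup per address, which addresses the resource concern raised above, but it never expires entries by age, so a proxy that gets secured stays flagged until the process restarts.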

Domain not active or registered, yet manages to ping?

Sunday, February 13th, 2005

MAJOR UPDATE:
Tom Koch has suspended the first domain by this spammer (one not mentioned in this post). Let’s just hope the rest gets suspended after an e-mail from me and maybe from some of you?

———-

I got lemonrider.com in my referrer log. Yet it isn’t registered according to whois. But it still pings - an empty site.

Ah, that’s interesting.

The pinged IP number resolves to
lucy2.trkhosting.com

I had a little talk with the admin earlier this week - Tom Koch.

He’s got another spammer on his hosting service. That site is still operational. Hopefully he’s given the owner a warning.

Heh, grep my logs to find there are two more:
lemonrider01.com
lemonrider02.com

And they’re all on different servers, and none of them are registered. The thing of it is, that even if they are registered, and the whois info hasn’t propagated, the spamming would have started BEFORE they were registered no matter what. Because it doesn’t take several days for it to propagate, as far as I know. Pages cached by Google February 11 had the lemonrider.com referrer in them.

Ah, the others do have a site configured. And it’s made with the same template as the other domain I notified Tom of.

The text on these pages has been stolen from somewhere else.

That’s a sure sign of spam.

————

UPDATE: I just checked another domain I remembered for having the same template. It’s also hosted at trkhosting. And Tom Koch is in the whois data as the owner of the domain. Which may or may not be a way of anonymizing the whois data.

UPDATE 2: I did some more checking. They do adult hosting, and their TOS contains double standards when it comes to spam. I think we need more than me complaining to trkhosting. So if you get stuff in your logs with domains hosted by them, complain to admin at trkhosting.com. If no sites go offline after a while, I think it’s time to complain upstream.

UPDATE 3: According to Enom, the domain name isn’t available. So it is registered (Enom has been used by the same spammer before, through the hosting company).

UPDATE 4 (February 20): I was optimistic when I noticed that Tom had yanked one of the spamvertized domains hosted at his company. I hoped that meant he wasn’t the spammer. Now I’m not so sure.

You know why? exitq dot com has been banned by Google! That’s the spamvertized domain I found that he’s suspended hosting for! If he’s not the spammer, he’s helping the spammer by providing hosting. Can anyone suggest somewhere we could complain about this company?

Anyone up for notifying proxies?

Sunday, February 13th, 2005

I’m not sure I’ll have time to continue notifying proxies. Maybe now and then, but not on an ongoing basis. They just keep coming.

So if anyone has any ideas on continuing that work, let us know.

Automated systems, possibly? That’s not really my area anyway. I’m a better sleuth than programmer, to put it mildly.

Next step for me is to write about the issue, and try to get some attention going.