Spam chongqing

Manni just discovered a pretty upsetting case. There is spam appearing on wikis with a hostname from a .gov address. The spam is for 1stop-cash-advance-payday-loans . com and 1stop-directv-dish-network-satellite-tv . com.

Obviously Manni and I don't think its right to be spamming in the first place, but using government resources to do it is very troubling.

Update 7/28: The spammer in question has apparently stopped and has admitted to spamming to the higher ups. Its nice to see someone taking responsability for their actions. Supposedly this spammer's idea to spam came from Philipp's Nigritude Ultramarine SandBox spamming article. Isn't it nice to see more bad effects comming from that "wonderful" article.

Google is doing something to fight spam, the fake add click kind. Here is the ZDNet story, Google's fraud squad battles phantom clicks. It doesn't say how exactly, but that is good so the spammers have a harder time working around it.

I posted about this problem way back at the begining of this blog as my 5th post, Slashdot: India's Secret Army Of Online Ad 'Clickers'.

It's nice to see Google is doing something about any kind of spam. With their IPO comming up they really had no choice since advertising is their main source of revenue.

Can a fix for wiki spam from Google be near? I don't think so. That spam isn't actually hurting Google's cash flow so its unlikely we will see any major work to fix spamdexing through vandalizing wikis. Its going to be up to the wiki software designers to implement features to solve wiki spam.

Is this really the end of the Casino Spammer?

Stay tuned for more information.

Update 7/19: The poster was from the right IP address range. I just hope they meant they will stop spamming all together (including wikis and guestbooks) rather than just stop spamming blogs because "it is not optimized to work with those forms." Let us know if you are still seeing new spam for Casino-Online-On-Line.

I found TC Advertising's client list at tcads . net/clients.html:

BeTheDealer Casino

btdcasino . com

Casino On Net

888 . com

US Green Card Lottery

usagc . org

Miss Bingo

missbingo . com

Diet Watch

dietwatch . com

Babylon etc

babylon . com

The contact information for TC Advertising is:

Agias Zonis 58
Limassol, Cyprus
elad@tcads . net

Then I discovered this at tcads . net/services.html:

Affiliations - we have strategic affiliations with websites and companies over the globe and in a day to day contact with hundreds of affiliates that we serve through our affiliate program & tracking system - www.DirectedMarket . com

Seems like there was a connection between my email and all the hits and comment bombing.

I wonder if its why we all the sudden got all those hits from the Casino spammer and friends. I got this reply to my spam complaint to DirectedMarketing dot com about one of their affiliates.

From: "Directed Market"
To: "Joe Chongq"
Message-Id: <200407121046.i6CAklQ21644@www02.intervision.co.il>
Subject: RE: When you were offline (via LivePerson)
Date: Mon, 12 Jul 2004 14:48:41 +0300

Hello,

We will try to find those people.
Please let me know the URLs of your websites.

Regards,
Directed Market team

If they are as connected as our suspisions make us think they are they already found my site.

Not very likely. Manni caught on to that fact before I did. Sorry Hakdata. This was the Casino Online spammer trying to disguise his revenge.

This poster's IP address is:
80.230.158.139

He has been spamming all day with:
80.230.158.117

Hakdata (actually it was the Casino Spammer in disguise) has gone on a comment bombing spree on my blog so I have had to disable comments. He also defaced a picture of Manni and posted it and submitted links as a spam submission at chongqed.org.

In other retarded spammer news, the Casino spammer read most of chongqed.org today (from IP 80.230.158.117). And then continued spamming.

Update: Turns out it wasn't really Hakdata, it was the Casino spammer in disguise.

MT BlackList is getting hurt by spammers spamming for good domains for the purpose of making the blacklist unusable. Major news sites like washingtonpost.com and cnn.com were being blocked. Article: Blacklisted Comment Spammers Attack Legitimate Domain

Burningbird has a really good post about the MT Blacklist problem, some advice on removing existing comment spam, and preventing future spam. Post: MT Comment Help

From Burningbird's article this link sounds very useful, its a MoveableType plugin that disables commenting on posts more than a set number of days. Since most spam is on pages listed in Google this should really help: Closing comments on old entries.

Typepad's official post about comment spam Fighting Comment/Trackback Spam

A Referrer Log Spamming story at komar.org

And then here is our friend IrishEyes where I discovered the above links:

Comment spam round 6
Comment spam round 5
Comment spam round 4

http://www.downloadseries.com/owners/16.html

BeTheDealer
Netherlands Antilles
http://www.bethedealer . com
support@BeTheDealer . com

Someone else upset about the casino on-line spam has done a little research of his own.

Here is some more interesting information from BTDCasino.

I have done a bunch more casino chongqing today. Be The Dealer Casino appears to be the main site of a casino affiliate program now run from DirectedMarket dot com and/or privatelabelcasino dot com. For more information about BeTheDealer see this article:
Be the Dealer Unvails Its New Private Label Casino Program.

I just wrote this to DirectedMarket and BTDCasino support addresses:

One of your affiliates is spamming and defacing many websites daily.

The spamming site is:
http://casino-online-on-line . com/
Their DirectedMarket account appears to be:
dm151860

See this Gogole search http://www.google.com/search?hl=en&lr=&ie=UTF-8&c2coff=1&q=%22casino-online-on-line.%2Bcom%22 to see how bad their website spamming is. They deface wikis and add garbage to blogs and message boards completely unrelated to gaming. Attempts to clean up the damage does no good because they spam the same sites again ever day.

Please do something about them.

If I get a response, you know I will post it right away. :-)

Well, the casino moron struck POPFile again. That got Manni agitated enough to do some heavy chongqing research to go along with what I have already done in part 1, part 2, and more on this topic.

I am not 100% certain they are connected, but if you click many of the links on the casino-online-on-line site it takes you to an identical looking site at btdcasino.com. And at the top of the page of both sites it says Be The Dealer Casino. There is little useful whois info on either except they were both registered through GoDaddy which could be more than coincidence. Manni did get some possible clues out of the info though.

I suspect casino online on-line a cover for their spamming. Their real domain looks totally legitimate and non-spammy so if their spam url's host gets complaints they can't be directly connected to the real site. Hopefully we can find a way to prove it.

For more evidence I did a diff between the main pages at casino-online-on-line dot com and btdcasino dot com. Its obvious they are trying to cover their tracks. On casino on-line they removed the note about who wrote the javascript, but they used a lot of identical javascript and HTML code between pages.

Both sites have a link to the same install program on the same server from Netherlands Antilles hidden in some javascript:

http://209.58.23.130/dl/did2090/installBTDcasino.exe
http://209.58.23.130/dl/did1549/installBTDcasino.exe

btdcasino dot com : 193.109.194.162

looking up that IP gives gns.customer.areti.co.uk which has a few links including
the-best-casino-online dot us which looks very familiar.

casino-online-on-line dot com : 63.241.136.201

looking this IP up gives linhost101.mesa1.secureserver.net, sadly there was no website setup for that hostname to compare.

This is btdcasino's HTTP header:

HTTP/1.1 200 OK
Connection: keep-alive
Date: Thu, 08 Jul 2004 19:52:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 19855
Content-Type: text/html
Expires: Wed, 07 Jul 2004 10:32:38 GMT
Set-Cookie: aff=affiliation%5Fcode=1429&language%5Fid=1; expires=Fri, 08-Jul-2005 19:52:38 GMT; path=/
Set-Cookie: ASPSESSIONIDSQRBQCCS=PDKPPHMCBGLNIALIEMMMDHJI; path=/
Cache-control: private

Here is casino-online-on-line's:

HTTP/1.1 200 OK
Date: Thu, 08 Jul 2004 17:55:38 GMT
Server: Apache/1.3.29 (Unix) FrontPage/5.0.2.2634
Last-Modified: Tue, 06 Jul 2004 16:59:26 GMT
ETag: "2cba4ac-6f3f-40eada6e"
Accept-Ranges: bytes
Content-Length: 28479
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

Also take a look at:

casino-online-on-line dot com/online-casino-online-news.html
That looks very spammy to me. All 3000 something pages were edited on the same time and day and all I looked at had the same content. That obvious spamdexing for Google PageRank.

Here are just a small sample of the blog comment spam I just found at craigblog:

upskirt-school dot com upskirt school girls fuckingmachines-fucking-machines dot com fucking machines free-inthevip dot com sex vip free realitysexo dot com reality sexo give-u-the-perfect-mortgage dot com give you the perfect mortgage linkspider dot us linkspider links adult-dvd-dot dot com adult dvd jinlong dot co dot uk horse buy news racing bet waldner-msa dot co dot uk order purchase cheapest diet adipex prescription pill phentermine texasholdem-flip-flop dot com texas holdem casino-gambling dot inforceable dot com casino gambling online-casinos dot go dot ro online casinos

1-online-casino-portal dot com casino portal videopoker-online-casino dot com video poker online casino happy-shopping-online dot com order 4gb ipod music players tramadol-ultram dot cjb dot net Buy Tramadol pilldrugs dot com Phentermine buy-generic-viagra-sildenafil-citrate dot com Generic Viagra kontaktanzeigen-bild dot de dot ms Kontaktanzeigen loans dot de dot vu loans buy-discount-cheap-cigarettes-online dot com Discount Cigarettes mms dot gongi dot pl dzwonki polifoniczne nokia waterbeds-dot dot com waterbeds idebtconsolidation dot org debt relief

I got a comment about the casino-online-on-line dot com spammer. Thanks to whoever sent it in. I hadn't Googled him yet and had no clue how big this guy is. So far it appears he is not quite as widespread as Mr. Chongqing, but still really bad. His tactics are worse and dumber. I have seen him spam the top of a RecentChanges page. The main difference is Mr. Chongqing won't continue spamming if spammy links are somehow prevented, this guy just keeps going and going. He is a much bigger spammer in the forum / bulitin board area than Mr. Chongqing though. He has been spamming forums at least since December 10, 2003, that was the earliest I saw quicly.

From the anonymous commenter:

"There are some inconsistent behaviors that make me think it's a human rather than a fully automated script, but I'm not certain. Also, this spammer seems to favor sites running UseModWiki, so he may be using a script that is tailored to that software."

I wouldn't be that supprised. Many other wiki users believe any heavy spamming is done by automated bots, but after experiencing Mr. Chongqing I am 100% certain that is not the case. Any big time spammer would have some sort of automation, but Mr. Chongqing is certainly human driven. I have not done enough researching of how the casino spammer works, but he/she/they may be human using mostly automated software. He is far more consistant in his spams than I usually see. But as with POPFile he does not notice his spams didn't work. Perhapse his spamming program doesn't even display the page after editing so he never knows when the spam is blocked only from displaying. The POPFile wiki will let him post as many links as he wants, but until they are whitelisted (custom addition by the POPFile author AFAIK) they won't display when viewing the Wiki. From what I have seen in Google the wikis he appear to be going after most are UseModWiki sites.

While I doubt either Casino Online On-Online or Mr. Chongqing are going to pull a Hakdata and close up shop, we will continue to do all we can to hurt their PageRank and get our sites above them in Google for their favorite keywords.

Some more of his hostnames:

CBL217-132-88-251.bb.netvision.net.il
CBL217-132-115-90.bb.netvision.net.il
80.179.168.129.forward.012.net.il

I just cleaned spam from an in-quito dot com spammer who hit the Wikipedia's blogspam page. Spamming an antispam wiki page is just about as stupid as you can get! And this isn't the first spammer to spam this page.

Some keywords from in-quito dot com's site:
Quito hotels review
vacation resorts deals
Ecuador Quito embassies

Today after being online for about 3 years Wikipedia reached 300,000 articles. Thanks for the links here and there. :-)

Well, the casino online on-line spammer hit the POPFile Wiki again twice early this morning. Luckily for Manni thats middle of the day so he cleaned the first spam less than an hour after it appeard. Then the spammer noticed his missing spam and respammed the same page which again didn't stay messed up long thanks to Manni. This guy is a real jerk though, not only is he spamming repeatedly he is replacing the entire page with his spam text so its completely unusable. He even leaves www dot casino-online-on-line dot com as the comment of the spam, hoping I guess for a link (which doesn't work).

casino-online-on-line dot com's wikispam text:

Online Casino, games, internet casino, casino online casino, poker, games, internet casino, casino online casino, poker i want to play with sandbox... online casino it"s a very nice keyboard casino online the casino roulette as well Internet Casino sopranos is pretty exciting Casino money jesus christ casino-online with gir online-casino i would google family Google about my alone gambling

casino-online-on-line dot com is just a frontpage for btdcasino dot com which stands for Be the Dealer Casino. Some of their keywords are:

casino, online casino, betting, blackjack, casino game, casinos online, gambling casino, gambling casinos, gambling games, gambling on line, gambling online, internet casino, internet gambling, online blackjack, online casino, online casinos, online poker, poker, slot machines, video poker, virtual casino

So far he has spammed us as:

CBL217-132-115-90.bb.netvision.net.il
CBL217-132-89-133.bb.netvision.net.il
CBL217-132-89-125.bb.netvision.net.il
host84-205.pool80205.interbusiness.it

First we have another fantasy attempt at ending spam, this time by the UN. Its a good fantasy, but it won't work. Computer crimes just aren't delt with seriously enough when someone is caught (which is far too rare if you don't count the RIAA's going after kids and grandmothers). Even a large fine is nothing to a spammer who is making millions off of the small percentage of idiots who buy their crap. Jail time might be a bigger deterant, but for every spammer they catch there will be hundereds to take his place. And compared to drugs and murder cyber crimes aren't taken very seriously because they don't physically hurt people and police forces are often short on manpower and the knowledge to go after cyber crimes.

Well, here is the link I have been babbling about UN takes aim at spam epidemic, and here is the Slashdot coverage.

And now another email spam story, Comcast Port 25 Blocks Result In Less Spam (port 25 is the port outgoing mail is sent on). It is only done when they notice a problem IP address and they try to contact the user first. This is a really good step. I hope they can keep it up, this fix is no fantasy. People are already seeing the results. For lots of discussion about this see Slashdot.

When are people going to wake up and see that email spam is not the only kind of spam? Other than us Wiki and Blog users no one else even knows it exists. And most blogs now prevent comment spamming so its getting less attention now. I wish I had more actual chongqing news to post here, but obviously as connected as Manni and I are to POPFile email spam is of great interest to us too. So thats why you see so much email spam news on our pages.

I should have posted about this guy a week ago, but hadn't found the time yet. Now that he struck again I couldn't put it off any longer. This spammer had struck the POPFile wiki twice already and this morning he hit a bunch of pages. Its obviously an automated spammer since urls are only visible after being whitelisted. If this guy isn't automated he sure is stupid. Even Mr. Chongqing quit bothering us when he realized he couldn't get any links there.

So now its time to talk about online casino gambling on-line and how playing poker and roulette is fun and easy over the internet. As you can probably tell that sentance is just loaded with his keywords. And just in case I haven't used enough of his keywords yet:

• Online Casino
• online games
• online poker
• internet casino
• casino roulette
• casino-online-on-line
• gambling
• blackjack betting
• gambling games
• slot machines
• World Poker Tour
• play slots
• virtual casino

For ways of blocking idiots like this see Meatball Wiki: WikiSpam. For fighting back against them, link to our sites with their keywords and let us know about them if we don't have them on the Spammers pages.

For more info on wikispam visit Wikipedia:Spam and c2.com's WikiSpam page.

Not exactly chongqing, but some related topics:

• A short article on how spam is still increasing even with the "wonderful" CAN-SPAM Act:
  Amount of Spam Still Skyrocketing: CAN-SPAM law hasn't slowed the spread of unwanted e-mail at PC World.


• Some fancy new memorandum that is going to "fix" the worldwide spam problem:
  USA, UK, Australia Sign Anti-Spam Memorandum at Slashdot.
  U.S., U.K., Australia join to fight international spam at Computerworld.


• An example of how blacklists can go really wrong:
  Endangered Countries On The Internet at Slashdot.

I recently started getting a bunch of Delivery Failure and Undeliverable Mail messages for email I am not sending. Some spammer has started spamming with my antispam subdomain at Mailshell. I don't think its retaliation related to having this site, its just coincidence since that address isn't listed here.

I am still trying to figure the best way to deal with it. Mailshell has a way to work around it, but it won't be as convinant to use as before. And it won't do anything to stop the spammer or prevent getting the undeliverable messages, I just wont seem them.

Mailshell definatly makes my life easier. They don't appear to encourage personal users to sign up anymore as the link to sign up is well hidden. Just like other big antispam services are only after the business market now. I am still using only the Free option, which may not exist anymore, when you sign up you are getting a 30 day Premium trial, which I assume turns into the free option afterwards, but I am not sure.