Friday, April 29, 2005
GooglePray Unhappy
It seems the GooglePray spammer is upset about Spam Huntress labeling him as a spammer. So he left a comment on her blog; he says, "NO ANY LAW WRITE THAT GUESTBOOK IS PRAVATE LIKE SMSM OR EMAIL." That is one of the more well written parts of his comment. As usual he doesn't think he is doing anything wrong even though he is forcing innocent visitors to become spammers for him. I hope Google bans his domains quickly so people can't accidentally run into his trap.
He is now spamming guestbooks with the text of Ann's and a few others' posts about him. Only he replaces the references to his domains with innocent victims. I can only guess that he is trying to make it impossible to find any relevant information about him from the original sources. Most of the ones I have seen are using taylor-arts and blaming its owner Neil Taylor. Neil is not a spammer.
Thursday, April 28, 2005
Firefly: Serenity
I can't think of how to relate this one to spam, but I had to post it anyway. The short-lived sci-fi/western TV series, Firefly, is making a comeback in theaters under the name Serenity. The trailer came out this week and it looks great. It arrives in theaters this fall.
Darth Vader's Blog
What would you write if you were Lord of the Sith? Find out on The Darth Side.
And to pull off relating this post to spam, a joke from wussu.com
Q: You turn the corner and come face to face with Dr Doom, Darth Vader, and a spammer. You only have 2 bullets. What do u do?
A: Shoot the spammer twice.
GooglePray Tricks
Ann and I have been trying to understand the GooglePray guestbook spammer better. He has found a way to force visitors to his "search" to send out his spam.
His code is rather confusing, and it doesn't help that neither of us is a JavaScript expert. But we have learned a lot. He has iframes that load about:blank, but they are named after the forms he is using to spam other sites. There is also some ActiveX (clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A) that appears to be an exploit to allow the script to access your clipboard and to allow cross-frame access. That could be what the empty iframes are for; I wasn't able to figure that part out. There is some other odd JavaScript that seems to be redirecting to different links; maybe it's loading those iframes. That bit of code:
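// Clears the browser status bar text.
function cs() {
  window.status = '';
}

// Empty stub: does nothing.
function ha(a) { }

// Sends the top-level window to the href of the element whose id is a.
function ca(a) {
  top.location.href = document.getElementById(a).href;
}

// Click handler: o is the element the handler is attached to, e is the event.
// The id of the link to follow is o's id without its first character.
function ga(o, e) {
  if (document.getElementById) {
    a = o.id.substring(1);
    p = "";
    r = "";
    g = e.target;
    if (g) {
      // Browsers that provide e.target: collect the ids of the clicked
      // element, its parent and its grandparent.
      t = g.id;
      f = g.parentNode;
      if (f) {
        p = f.id;
        h = f.parentNode;
        if (h) r = h.id;
      }
    }
    else {
      // IE event model: use e.srcElement and its parent instead.
      h = e.srcElement;
      f = h.parentNode;
      if (f) p = f.id;
      t = h.id;
    }
    // The click was on the link itself (or inside it): let it proceed.
    if (t == a || p == a || r == a) return true;
    // Otherwise send the top-level window to the link's href.
    top.location.href = document.getElementById(a).href;
  }
}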
Then he has this script to submit the spam to the forms he has targeted:
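// Called as a plain function, so "this" is the window object;
// obj is therefore expected to be a global that refers to the form to submit.
function dimattic() {
  this.obj.submit();
}
dimattic()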
The spammer's "forum" is:
http://baikalguide.com/guide/UmaxSearch/
You can see one of the posts directly:
http://baikalguide.com/forum/Tue%20Apr%2026%2005:48:07%202005/UmaxPPC
It seems safe to visit those links in Firefox, but don't do it in IE or you will be helping send out his spams.
The Preacher has been trying to get this spammer's ISP to shut him down but with no luck.
Another blogger really pissed off at this spam is boycotting UMAX in hopes they will go after the spammer for using their name.
Don't miss the discussion in the EV1 forums.
Reporting to Google for abuse seems like the best option for now. So I collected and chongqed a few URLs that are spamvertised by his scripts:
Some examples of his many victims can be seen here:
gmcsrinagar.net
sadlerphoto.com
planets.lamost.org
Update May 5, 2005:
I realized that much of that JavaScript code is from Google. It doesn't seem to do what I guessed at all though it does have something to do with links at least. Some of it adds an onMouseOver text on Google Ads that says "go to sitename." I still don't get the ga function, but it also seems Google Ads related.
The dimattic function is the spammer's own though.
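Seen from a targeted guestbook, the forced posts described above arrive from ordinary visitors' browsers, so the useful signal is whether the submission came from the guestbook's own form. The following is an added example, not code from the original post or from any guestbook package; the host guestbook.example, the secret, the session ids and the field name token are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

OWN_HOSTS = {"guestbook.example"}      # assumption: the guestbook's own host
SECRET = b"constructed-demo-secret"    # placeholder; load a real key from config


def form_token(session_id):
    """Token placed in a hidden field when the guestbook serves its own form."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_post(headers, fields, session_id):
    """Return (accepted, reason) for one guestbook POST."""
    # A form auto-submitted from a page on another site still makes the
    # browser report which page the form lived on.
    source = headers.get("Origin") or headers.get("Referer")
    if source:
        host = urlsplit(source).hostname
        if host not in OWN_HOSTS:
            return False, "cross-site submission from %s" % host
    # Those headers can be missing, so the token decides. A foreign page
    # cannot read it out of the guestbook's form unless the browser's
    # same-origin policy is bypassed (the cross-frame access noted above).
    if not session_id:
        return False, "no session: the form was never loaded from this site"
    supplied = fields.get("token", "")
    if not hmac.compare_digest(supplied.encode(), form_token(session_id).encode()):
        return False, "missing or invalid form token"
    return True, "ok"


def demo():
    """Run three constructed requests through the check."""
    sid = "constructed-session-1"
    requests = [
        # Forced post: Referer is the page named in the post, no token.
        ({"Referer": "http://baikalguide.com/guide/UmaxSearch/"},
         {"name": "x", "message": "spam"}, None),
        # Referer stripped in transit, still no token.
        ({}, {"name": "x", "message": "spam"}, sid),
        # Visitor who filled in the guestbook's own form.
        ({"Referer": "http://guestbook.example/sign"},
         {"name": "Ann", "message": "hello", "token": form_token(sid)}, sid),
    ]
    return [check_post(h, f, s) for h, f, s in requests]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```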
chongqing anniversary
One year ago today the emmss.com spammer annoyed Manni and me into starting this chongqing project. On that day I made my first blog post explaining what we were planning. Our project has evolved a lot since that day; we now have our own domain, a wiki, and a blacklist.
Recently we discovered that emmss.com has been banned by Google. We have had a few other big successes. Hakdata is long gone. We upset one spammer into creating chongqed.com to complain about us (now the site just redirects to one of his domains). And we have been hit with a DOS attack. Spammers don't like what we are doing.
Thankfully most wiki and blog software now has some kind of antispam measure built in. Spammers are getting better tools, but luckily they are still as dumb as ever. The only way these idiots will ever stop is when it does them no good to spam. This is a battle we will never win, but it's still worth fighting. We can only hope search engines can come up with better ways to detect sites that are spamming.
Sunday, April 24, 2005
Odd Referrer
I got a really odd referrer on my blog:
http://220.130.144.194/verify_new/level2_list.php
Whatever it is, it requires a login. The home page's title is "Taiwan - GreenInternet." I did a Google search on that link and found it appears on a lot of heavily spammed pages' referrer lists. Even more can be found with a search for that IP address.
The visitor with that referrer also came from that network:
IP Address: 220.130.145.91
Hostname: 220-130-145-91.HINET-IP.hinet.net
Date: 24 Apr, Sun, 22:23:11
UA: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7) Gecko/20040626 Firefox/0.9.1
And a couple days ago I had a different visitor from that network:
IP Address: 220.130.144.200
Hostname: 220-130-144-200.HINET-IP.hinet.net
Date: 22 Apr, Fri, 01:31:00
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
They both read my post on unix-girl.com's Spamming Experiment. This and the other oddness makes me wonder if this is a spammer's meeting place or "SEO" business. Either way, what does it mean that they are interested in this experiment?
Tuesday, April 19, 2005
Slashdot: Google Sues Click Inflators
Slashdot has an article about Google going after AdSense click fraud.
Sunday, April 17, 2005
Cut your wrists
A few weeks ago a couple of LWS losers stopped by to demonstrate their stupidity. Thanks to the more retarded of the two, Poopdick, this post is now the top result for "cut your wrists."
So far I have had three hits for that phrase; I really hope it's not from people actually planning on doing it. If it is I hope they get help. Just remember, your life can't be as bad as Poopdick's.
Tuesday, April 12, 2005
In the beginning there was emmss.com
Now as far as Google shows, there isn't!
A few days ago I noticed that the main domains (emmss.com and emmss.net) of the inspiration for our whole chongqing plan (who we called Mr. Chongqing) appear to have been banned by Google. Search Google by link or site and they aren't listed. Looking up their PageRank gives 0. Sadly the .org version is still around, but that one was not his preferred domain for spam.
Then Manni thought to try inurl:emmss for the term emmss itself. Both return chongqed.org results.
He even seemed to have improved his spamming ways a few months ago. He was still spamming wikis, but he seemed to be at least limiting it to SandBox pages (last I checked) so it was only annoying and unwanted rather than destructive. Maybe he expanded into some other form of spam that got him banned, I don't know. But I am happy Google took notice.
WebSpam doesn't pay!
Monday, April 11, 2005
Slashdot: Microsoft Researchers on Stopping Spam
Slashdot has a post about MS' email antispam research. I haven't read it yet, but it looks interesting.
Saturday, April 09, 2005
Back to the Future II
What does Marty McFly have to do with spamming? Well, not much actually. But there is a really weird spammer going around searching for names of the movie crew when he spams.
A while after he was first reported he happened upon the chongqed wiki. Since then he has hit us daily (usually more frequently) from IP addresses around the world through his zombie army. When first reported he was spamming for URLs at redirect services, not being smart enough to know that wouldn't help his PageRank. He seems to have figured that part out. He still understands little about wikis since his spam is in HTML rather than wiki syntax.
After his first bunch of hits to our wiki over two days he was finally blocked. It wasn't easy since each spam was a new URL posted from a totally unrelated network. Each new URL is being chongqed, but we have had to use other methods to block each new spam.
Now back to the Back to the Future stuff. It took us a long while to understand what was going on, but Manni finally figured out that he was using the names when he spams guestbooks. Then when the spammer started hitting our wiki he was using the names as logins there too. I suppose he does this so his spams look more legitimate. But his repeated spamming gives it away quickly even if someone was dumb enough to believe a single message of his wasn't spam. He certainly is not a graduate of Spammer U.
Much more detail on this weirdo can be found on our wiki.
Here are some of the many spams he has hit the chongqed wiki with in the last few days:
- I need timeshare who is <a href="http://timeshare.mordovia.ru/" target=_blank>timeshare</a> to be the most from now. http://timeshare.mordovia.ru/
- We appreciate luxor hotel but <a href="http://luxor-hotel.vladimir.su/" target=_blank>luxor hotel</a>! http://luxor-hotel.vladimir.su/
- diabetes supplies get some information on <a href="http://diabetes-supplies.spb.su/" target=_blank>diabetes supplies</a> and on. http://diabetes-supplies.spb.su/
- Best offer today is banking software <a href="http://banking-software.nalchik.ru/" target=_blank>banking software</a> and on. http://banking-software.nalchik.ru/
- The air purifier is able to provide <a href="http://air-purifier.bashkiria.ru/" target=_blank>air purifier</a>. http://air-purifier.bashkiria.ru/
- Anyone can do timeshare <a href="http://timeshare.nalchik.ru/" target=_blank>timeshare</a>. http://timeshare.nalchik.ru/
- To begin with air purifier <a href="http://air-purifier.vladimir.su/" target=_blank>air purifier</a>! http://air-purifier.vladimir.su/
- Well, diabetes supplies who is <a href="http://diabetes-supplies.bashkiria.ru/" target=_blank>diabetes supplies</a>! http://diabetes-supplies.bashkiria.ru/
- Well, pennsylvania lawyer takes focus on <a href="http://pennsylvania-lawyer.cbg.ru/" target=_blank>pennsylvania lawyer</a> and on. http://pennsylvania-lawyer.cbg.ru/
- I suppose domain hosting and find details of <a href="http://domain-hosting.ivanovo.su/" target=_blank>domain hosting</a>. http://domain-hosting.ivanovo.su/
- ravens get some information on <a href="http://ravens.vladimir.ru/" target=_blank>ravens</a> and on. http://ravens.vladimir.ru/
- ecommerce and <a href="http://ecommerce.vladimir.ru/" target=_blank>ecommerce</a>. http://ecommerce.vladimir.ru/
- Get some information on domain hosting might want to be informed on <a href="http://domain-hosting.ivanovo.su/" target=_blank>domain hosting</a>. http://domain-hosting.ivanovo.su/
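Since each spam came from an unrelated network with a new URL, the stable thing to match is the shape of the message: a raw HTML anchor whose text is the first label of the host name, followed by the same URL again as bare text. The following is an added example, not code from the chongqed wiki or its blacklist; the function names, the IP addresses and the two legitimate edits are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Raw HTML anchors are already suspicious in a page written in wiki syntax.
ANCHOR = re.compile(
    r'<a\s+href="(?P<href>https?://[^"]+)"[^>]*>(?P<text>[^<]+)</a>',
    re.IGNORECASE,
)


def keyword_links(edit_text):
    """Return (keyword, parent_zone) for every link that fits the pattern.

    Pattern: the anchor text equals the first host label with hyphens read
    as spaces, and the same URL is repeated as bare text after the anchor.
    """
    hits = []
    for m in ANCHOR.finditer(edit_text):
        href = m.group("href")
        host = (urlsplit(href).hostname or "").lower()
        label, _, parent = host.partition(".")
        anchor_text = " ".join(m.group("text").lower().split())
        if label.replace("-", " ") == anchor_text and href in edit_text[m.end():]:
            hits.append((anchor_text, parent))
    return hits


def triage(edits):
    """Take (ip, text) pairs; return flagged IPs and keyword -> parent zones."""
    flagged, campaign = [], defaultdict(set)
    for ip, text in edits:
        hits = keyword_links(text)
        if hits:
            flagged.append(ip)
        for keyword, parent in hits:
            campaign[keyword].add(parent)
    return flagged, {k: sorted(v) for k, v in campaign.items()}


# Spam texts are three of the samples quoted above. The IP addresses
# (documentation ranges) and the two legitimate edits are constructed.
SAMPLE_EDITS = [
    ("192.0.2.10",
     'I need timeshare who is <a href="http://timeshare.mordovia.ru/" '
     'target=_blank>timeshare</a> to be the most from now. '
     'http://timeshare.mordovia.ru/'),
    ("198.51.100.7",
     'We appreciate luxor hotel but <a href="http://luxor-hotel.vladimir.su/" '
     'target=_blank>luxor hotel</a>! http://luxor-hotel.vladimir.su/'),
    ("203.0.113.44",
     'Anyone can do timeshare <a href="http://timeshare.nalchik.ru/" '
     'target=_blank>timeshare</a>. http://timeshare.nalchik.ru/'),
    ("192.0.2.99",
     'See the [http://www.example.org/ project page] for the schedule.'),
    ("198.51.100.23",
     'Pasted from mail: <a href="http://www.example.org/">our home page</a>'),
]

if __name__ == "__main__":
    flagged_ips, by_keyword = triage(SAMPLE_EDITS)
    print("flagged:", flagged_ips)
    for keyword, zones in by_keyword.items():
        print(keyword, "->", ", ".join(zones))
```

Grouping by keyword shows one campaign spread over several parent zones, which is the information a content blacklist needs when blocking by IP address is useless.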
And here are the names we have seen him using so far:
Tuesday, April 05, 2005
Porn hits
It seems that recent post of bunches of chongqed spammer keywords has made it to the search engines. I am getting a few hits a day from people searching for porn (which is more than usual though I was getting some already). It's interesting that some of these hits are from pages deep in the search engine results. Usually searchers don't go past the first couple pages of results. I guess people searching for porn are more desperate. Makes you wonder why porn spammers need to be so aggressive. People are searching for such odd combinations of terms and still visiting sites that are way down in the results anyway.
Well, here are the porn referrers I have had so far this month (5 days):
lesb xxxx free
site lesb play
virgin lolita
sex cum
adult movie actress nude
free yong ladys been bad
lollita american porno
sex women quito ecuador escorts
sucking on penises
photos of big boob girls
teen nude girls free
http://pam-and-tommy-sex-video.video-4-free.com
big japanese boobs
incest blogspot
japanese scat movies
japenese women
Then here is a weird nonporn one:
are ghosts real spam
Have fun Googlebot.
Monday, April 04, 2005
Another Spammer Owned Antispam Site
I just had to remove another antispam link from my sidebar. The wecanstopspam.org site no longer exists for spam fighting purposes. A spamdexer is now benefiting from the PageRank the antispam site was able to build up through links. Spammers shouldn't benefit from this; please remove links to this site if you find them. From c2 I found out it was down in January and whois told me it was bought by the spammer in late February.
I hate that spam fighters let this happen. The WikiBlackList blog did the same thing. I can understand that spam fighters give up; it takes a lot of time and effort and gets few if any visible results. But don't just drop the site so a spammer can grab it. You can park a domain very cheaply now or find some other antispammer you trust to transfer it to.
LWS Losers
A few losers from LWS stopped by recently. They couldn't handle anything negative about LWS so they left stupid comments. The first comment-bombed me with 30 retarded posts. He didn't even bomb the one where I wrote about TheGunOwner's questionable practices. He only attacked the one about Raindog's spamming my blog. I guess it's fitting he is named Poopdick since he is apparently in love with Raindog. A bit later an Anonymous retard posted a few more crap posts. Luckily most of the LWS readers that visited that day weren't so childish. Several in their forums wrote crap there, but I really don't care what these losers write in their own stupid forums.