Combatting WordPress Trackback Comment Spam

Intro

During my little website's jiggle over the last two days, I’ve had to turn off various plugins from my WordPress-powered setup. Usually, for spam combat, Simple Trackback Validation or TanTanNoodles Simple Spam Filter in combination with Akismet does the business.

During this process, I got two trackback spams, both on the night of Saturday 24th May, about 90 minutes apart. They didn’t manage to appear, but they did get an admin post sent. They didn’t actually appear in the pending comments either – they just vaporised – which is nice, but I’ve never had that before…

Breakdown of The Spammer

They both came from IP 195.225.176.177, which is netcathosting.com, a Russian-language outfit. http://netcathosting.com is the supposed source, but a WHOIS search reveals that the contact address is at http://netcathost.com, another Russian-language outfit. This gives another contact at easyxhost.com.

Easyxhost points back to netcathosting for ownership when a WHOIS is done. A company called Phantographics pops up a lot. Their contact email is [email protected] – go.com is actually registered to The Walt Disney Company! Charles in this post and Dirk with this one have some interesting info on the dodginess of Phantographics.

All three domains have an address which is IBC Tower Floor 9 on Manuel Espinosa Batista Avenue in Panama. Each domain has a separate PO Box number! (why do they bother?)

PO Box 901-2389, PO Box 901-2484, PO Box 55-2484

The IBC Tower seems to be a mish-mash of legal and not-so-legal concerns. There are shipping and other companies and even the dodgy sounding Bertrand Russell University which provides a picture of the tower, at least!

Both trackbacks were to a single old post about Rome Total War, 132/install-theme-from-rome-total-war/, probably because it had some external links picked up by a feeder or something.

Each trackback comment had a single hyperlink to the same Google Notebook account, but with different links, the common factor being that they were porn links. Accompanying the link was a small piece of random pseudo-sense wordage to make it look like a genuine trackback, but this doesn’t appear on the account page (see further below)…
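To show the kind of checks a trackback validator can apply to a ping like the ones described above (does the sender's IP match the claimed source host, does the source page really link to the pinged post, does the excerpt carry only an off-site link), here is an added example in Python; it is not code from this post, from WordPress or from either plugin mentioned, and the fetch/resolve helpers, hosts, IPs and pages are all constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

LINK_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)

def host_of(url):
    """Lowercase hostname of a URL, or '' if it does not parse."""
    return (urlparse(url).hostname or "").lower()

def validate_trackback(tb, target_post, fetch, resolve):
    """Return reasons to reject a trackback; an empty list means accept.

    tb is the trackback POST as a dict (url, blog_name, excerpt, remote_ip).
    fetch(url) -> page text or None and resolve(host) -> set of IP strings are
    injected so the check runs offline against constructed data.
    """
    reasons = []
    src_host = host_of(tb["url"])
    if not src_host:
        return ["trackback url is not a valid http(s) URL"]
    # 1. The ping must come from the host it claims to come from.
    if tb["remote_ip"] not in resolve(src_host):
        reasons.append("sender IP does not match the trackback source host")
    # 2. The claimed source page must really link to the post being pinged.
    if target_post not in (fetch(tb["url"]) or ""):
        reasons.append("source page does not link to the target post")
    # 3. An excerpt whose link(s) point at a third-party host (here: a hosted
    #    notebook page rather than the pinging blog) is the pattern seen above.
    foreign = {host_of(u) for u in LINK_RE.findall(tb["excerpt"])} - {src_host, ""}
    if foreign:
        reasons.append("excerpt links off-site to: " + ", ".join(sorted(foreign)))
    return reasons

# Constructed sample data; hosts, IPs and pages are invented, not from the post.
TARGET = "http://example.org/132/install-theme-from-rome-total-war/"
PAGES = {
    "http://blog.example.net/rome-mods/": '<p>See <a href="%s">this</a>.</p>' % TARGET,
    "http://spam.example.com/ping/": "<html>nothing here</html>",
}
DNS = {"blog.example.net": {"203.0.113.10"}, "spam.example.com": {"198.51.100.7"}}
GENUINE = {"url": "http://blog.example.net/rome-mods/", "blog_name": "Rome Mods",
           "excerpt": "I wrote about installing this theme too.",
           "remote_ip": "203.0.113.10"}
SPAM = {"url": "http://spam.example.com/ping/", "blog_name": "hot stuff",
        "excerpt": "random wordage http://notebook.example.org/u/123 more words",
        "remote_ip": "192.0.2.55"}

def check(tb):
    """Run the validator over one constructed trackback."""
    return validate_trackback(tb, TARGET, PAGES.get, lambda h: DNS.get(h, set()))
```

A live deployment would replace the two injected helpers with an HTTP fetch of the source URL and a DNS lookup of its host, keeping the rest unchanged.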

Why am I reporting this here?

Well, it’s the first instance I’ve had of this sort of spam and with links pointing back to Google Notebooks which in turn have a link pointing to a porn site. Also, I decided to trace through the spam source – just for fun!

Trojan Alert!

[Screenshot: link and description for Google Notebooks]

[Screenshot: NOD32 Ftrojan detection]

This is what happens if you follow the links from Google Notebooks. You’ll see that my anti-virus NOD32 has detected a trojan in the link. It then terminates it.

NOD32 calls it a variant of HTML/TrojanClicker.Agent.Ftrojan, which doesn’t appear in search engines by itself, but the TrojanClicker, Agent and Ftrojan sub-names appear on Sophos and ESET from a couple of years back. Its general operation is to switch off your anti-virus software as a starter…

The porn spammer and trojan launcher is here on Google Notebooks, i.e. user ID #13497754368789561429. The Google Notebook terms and conditions, section 2, can just about accommodate this “person”‘s activities – apart from the bad code launcher. This, I think, falls foul of the phrases “purposes that are legal, proper” and “any activity that interferes with or disrupts Google services or servers or networks” – but hey! I doubt they care.

Trojan Source Breakdown

The page that both links go to is on the domain setdevi.net/. Click the link and you’ll get a 403 Forbidden message which is kind of ironic given the nature of the postings and the subject matter of the sub pages.

setdevi.net is at IP address 194.110.161.229. Its registrar is EST Domains, which looks cheap and nasty and is actually in China. The links actually point to debime.net, which pulls out a blank page. Some CGI script makes the links hop to setdevi.net. Needless to say, debime.net is also hosted at EST Domains.

If you do a WHOIS on the EST Domains website, all the contact addresses are actually little PNG files called up from a backend database so that there are no live email links. The contact is listed as Steven Gogey and the email address is [email protected] This is for the sake of completeness in case anyone wants to talk to him (if he exists). There are actually a shedload of clauses after you do a WHOIS search, forbidding the repetition of this information here except if it’s lawful.

They say in the WHOIS t&c, that I’m not supposed to load systems – but it’s okay for them to host systems and activities that do exactly that to other people’s websites and personal computers.

[Screenshot: EST Domains WHOIS page]

The final part of the “terms” is that by submitting a WHOIS query, I accept the terms – but I can only see the terms after I’ve run the query. See the screendump of the whois screen at left.

Even the dumbest lawyer can pull that apart.

I don’t think they’ll call.

Conclusion

What we have is a spammer setting up a trojan which will either set up a pc as a zombie host by shutting down the anti-virus and relaying the trojan on or maybe key logging for passwords, say. The spammer has hidden himself behind a round-robin of contacts based in Panama but with various names in New York, China and elsewhere. He’s probably Russian and, because he feels pretty safe, his real name is probably Vladislav Radchek.

The whole charade is built upon the initial email registration address which is easily obtained from go.com. One from hotmail or yahoo etc could just as easily have been used so it’s no slur on good ol’ Walt and his cartoon characters.

Addendum

Doing a Google search on the IBC Tower and its address, or on Vladislav Radchek, pulled out some fellow spam inquisitors. Their results and opinions are broadly in line with mine. Please read them for extra insights into the grubby world of spam. Here are three:

  1. http://jamesfriesen.net/article.php/2007101713400524
  2. http://spamhuntress.com/
  3. http://timbuk3.com/blog/index.php?blog=2&title=test&more=1&c=1&tb=1&pb=1#c1197

Also, I’ve just recently hit on this huge list of bad guys: http://www.malwaredomainlist.com/mdl.php Now that’s gotta be a barrel of laughs.

8 responses

  1. sowhat-x says:

    Holy crap, now that’s really awesome, he-he…
    Merely a couple of years ago,
    I would certainly haven’t imagined something like this…
    I was actually raised with stuff from Factory Records,
    and the earlier records from 4AD as well…

    What can someone possibly say in this occasion…
    Maybe simply…a “Thank you Martin”,
    your work has been a real inspiration for me,
    through all these years…

  2. Strangely says:

    Thanks Dude.

    Co-incidentally I had another email spam purge today, tracing some new-ish looking things through and all.. They may be old hat now, but it’s the first time I noticed them and then looked in earnest as usually everything is binned without a second thought.

    This spam lark has certain similarities with record label machinations – I’ve just checked out the 4AD history. It’s all wheels within wheels and there’s a LOT of purely criminal activity behind much of it. Some of it is bright, some completely clueless, which is what you get when a load of chancers are after a quick buck.

    Rees

  3. emoboy says:

    hi, Check out the pics of my new emo hair style
    on all links removed by Strangely Perfect

  4. sandrar says:

    Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.

  5. sony vaio says:

    Yes, Honestly I think you are right about this. I wish you will let us know more about this in future posting as well. Waiting for that.. Thanks again ;) ;)

    • Strangely says:

      And another spammer. This time from 109.230.245.220
      (I’ve had heaps to this post, just I block nearly all of them or edit the back-link out, as I’ve done here).

© 2007-2017 Strangely Perfect All Rights Reserved