Crawling Across Chaos and Time Without End
May 26, 2008
Combatting WordPress Trackback Comment Spam

Intro

During my little website(‘)s(‘) jiggle over the last two days, I’ve had to turn off various plugins from my WordPress powered setup. Usually, for spam combat, Simple Trackback Validation or TanTanNoodles Simple Spam Filter in combination with Akismet does the business. During this process, I got two trackback spams, both on Saturday 24th May night, about 90 minutes apart. They didn’t manage to appear but they did get to send an admin post. They didn’t actually appear in the comments pending either – they just vaporised – which is nice, but I’ve never had that before…

Breakdown of The Spammer

They both came from IP 195.225.176.177, which is netcathosting.com, a Russian paged outfit. http://netcathosting.com is at http://netcathost.com at easyxhost.com. Easyxhost points back to netcathosting for ownership when a WHOIS is done. A company called Phantographics pops up a lot. Their contact email (hidden on the original page) is at go.com, which is actually registered to The Walt Disney Company! Charles in this post and Dirk with this one have some interesting info on the dodginess of Phantographics.
Both trackbacks were to a single old post about Rome Total War, 132/install-theme-from-rome-total-war/, probably because it had some external links picked up by a feeder or something. Each trackback comment had a single hyperlink, to the same Google Notebook account but with different links, the only thing they had in common being that they were porn links. Accompanying the link was a small piece of random pseudo-sense wordage to make it look like a genuine trackback, but this doesn’t appear on the account page (see further below)…
Trojan Alert!

[Screenshot: link and description for Google Notebooks.] This is what happens if you follow the links from Google Notebooks. You’ll see that my anti-virus NOD32 has detected a trojan in the link. It then terminates it. NOD32 calls it a variant of HTML/TrojanClicker.Agent.Ftrojan, which doesn’t appear in search engines by itself, but the TrojanClicker, Agent and Ftrojan sub-names appear on Sophos and ESET from a couple of years back. Its general operation is to switch off your anti-virus software as a starter…
Trojan Source Breakdown

The page that both links go to is on the domain setdevi.net/. Click the link and you’ll get a 403 Forbidden message, which is kind of ironic given the nature of the postings and the subject matter of the sub pages. setdevi.net is at IP address 194.110.161.229. Its registrar is EST Domains, which looks cheap and nasty and is actually in China. The links actually point to debime.net, which pulls out a blank page. Some cgi script makes the links hop to setdevi.net. Needless to say, debime.net is also hosted at EST Domains. If you do a whois on the EST Domains website, all the contact addresses are actually little png files called up from a backend database so that there are no live email links. The contact is listed as Steven Gogey (the email address is hidden on the original page). This is for the sake of completeness in case anyone wants to talk to him (if he exists). There are actually a shed load of clauses after you do a WHOIS search, forbidding the repetition of this information here except if it’s lawful.
The final part of the “terms” is that by submitting a WHOIS query, I accept the terms – but I can only see the terms after I’ve run the query. See the screendump of the whois screen at left. Even the dumbest lawyer can pull that apart. I don’t think they’ll call.

Conclusion

What we have is a spammer setting up a trojan which will either set up a PC as a zombie host by shutting down the anti-virus and relaying the trojan on, or maybe key logging for passwords, say. The spammer has hidden himself behind a round-robin of contacts based in Panama but with various names in New York, China and elsewhere. He’s probably Russian and, because he feels pretty safe, his real name is probably Vladislav Radchek. The whole charade is built upon the initial email registration address, which is easily obtained from go.com. One from hotmail or yahoo etc. could just as easily have been used, so it’s no slur on good ol’ Walt and his cartoon characters.

Addendum

Doing a google search on the IBC tower and its address or Vladislav Radchek pulled out some fellow spam inquisitors. Their results and opinions are broadly in line with mine. Please read them for extra insights into the grubby world of spam. Here are three:
Also, I’ve just recently hit on this huge list of bad guys: http://www.malwaredomainlist.com/mdl.php Now that’s gotta be a barrel of laughs.
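The post leans on the Simple Trackback Validation plugin, which works by checking that the machine sending a trackback really hosts the page it names and that that page really links back, and the addendum points at a hostname blocklist (malwaredomainlist). The block below is an added example, written for this page and not code from the post, the plugin or any blocklist project, showing those three checks over a trackback of the shape described above (one hyperlink plus filler text). DNS resolution and page fetching are injected as callables so it runs offline; the hostnames, addresses other than the sender IP quoted in the post, and the blocklist entries are constructed for the demo.

```python
"""Trackback validation: sender-IP check, link-back check, hostname blocklist.

Added example for this post, not code from WordPress or from the Simple
Trackback Validation plugin. All hostnames ending in .example, the fake DNS
table, the fake pages and the blocklist are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set
from urllib.parse import urlparse


@dataclass
class Trackback:
    sender_ip: str    # remote address of the HTTP POST that delivered the trackback
    source_url: str   # 'url' field: the page that claims to link to our post
    target_url: str   # our post the trackback was sent to
    excerpt: str      # 'excerpt' field; spammers put the payload link in here


# Constructed blocklist. A real deployment would load a feed such as the
# malwaredomainlist.com list mentioned in the post.
BLOCKLIST: Set[str] = {"spam-links.example"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def normalize(url: str) -> str:
    """Loose URL identity for the link-back test: lower-case host + path, no scheme or trailing slash."""
    p = urlparse(url)
    return f"{(p.hostname or '').lower()}{p.path.rstrip('/')}"


def link_targets(html: str) -> List[str]:
    """All href values in a fragment of HTML (good enough for trackback excerpts)."""
    return HREF_RE.findall(html)


def validate_trackback(tb: Trackback,
                       resolve: Callable[[str], Iterable[str]],
                       fetch: Callable[[str], Optional[str]],
                       blocklist: Set[str] = BLOCKLIST) -> List[str]:
    """Return the list of rejection reasons; an empty list means the trackback is accepted."""
    reasons: List[str] = []
    host = (urlparse(tb.source_url).hostname or "").lower()
    if not host:
        return ["source URL has no hostname"]
    # Check 1: the machine that POSTed the trackback must be one that hosts the source URL.
    if tb.sender_ip not in set(resolve(host)):
        reasons.append(f"sender {tb.sender_ip} is not an address of {host}")
    # Check 2: the source page must really contain a link to our post.
    page = fetch(tb.source_url)
    if page is None:
        reasons.append(f"could not fetch {tb.source_url}")
    elif normalize(tb.target_url) not in {normalize(u) for u in link_targets(page)}:
        reasons.append("source page does not link back to the target post")
    # Check 3: links inside the excerpt must not point at blocklisted hosts.
    bad = {(urlparse(u).hostname or "").lower() for u in link_targets(tb.excerpt)} & blocklist
    if bad:
        reasons.append("excerpt links to blocklisted host(s): " + ", ".join(sorted(bad)))
    return reasons


# Constructed stand-ins for DNS and HTTP so the example runs offline.
FAKE_DNS = {"genuine-blog.example": ["192.0.2.10"], "spam-links.example": ["10.0.0.5"]}
FAKE_PAGES = {
    "http://genuine-blog.example/2008/05/rome-mods/":
        '<p>Great theme, see <a href="http://strangelyperfect.tv/132/install-theme-from-rome-total-war">here</a>.</p>',
    "http://spam-links.example/notebook": "<p>Nothing that links back.</p>",
}
TARGET = "http://strangelyperfect.tv/132/install-theme-from-rome-total-war/"


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str) -> Optional[str]:
    return FAKE_PAGES.get(url)


def sample_trackbacks():
    """One genuine trackback and one shaped like the spam described in the post (sender IP from the post)."""
    genuine = Trackback("192.0.2.10", "http://genuine-blog.example/2008/05/rome-mods/", TARGET,
                        "Great theme, I used it too.")
    spam = Trackback("195.225.176.177", "http://spam-links.example/notebook", TARGET,
                     'random pseudo-sense wordage <a href="http://spam-links.example/x">link</a>')
    return genuine, spam


def run_demo() -> dict:
    genuine, spam = sample_trackbacks()
    return {"genuine": validate_trackback(genuine, fake_resolve, fake_fetch),
            "spam": validate_trackback(spam, fake_resolve, fake_fetch)}


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(name, "accepted" if not reasons else "rejected: " + "; ".join(reasons))
```

The genuine trackback passes all three checks; the constructed spam one fails all three, which is the pattern the post describes: a sender that has nothing to do with the page it names, no real link back, and a payload link to a host worth blocking. In production the resolver and fetcher would be real DNS and HTTP calls with short timeouts, and the fetch should follow no more than a couple of redirects, since the post shows the links hopping through a cgi script to a different domain.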
© 2007-2010 Strangely Perfect All Rights Reserved
Holy crap, now that’s really awesome, he-he…
Merely a couple of years ago,
I would certainly haven’t imagined something like this…
I was actually raised with stuff from Factory Records,
and the earlier records from 4AD as well…
What can someone possibly say on this occasion…
Maybe simply… a “Thank you Martin”,
your work has been a real inspiration for me,
through all these years…
Thanks Dude.
Co-incidentally I had another email spam purge today, tracing some new-ish looking things through and all… They may be old hat now, but it’s the first time I noticed them and then looked in earnest, as usually everything is binned without a second thought.
This spam lark has certain similarities with record label machinations – I’ve just checked out the 4AD history. It’s all wheels within wheels and there’s a LOT of purely criminal activity behind much of it. Some of it is bright, some completely clueless, which is what you get when a load of chancers are after a quick buck.
Rees
hi, Check out the pics of my new emo hair style
on all links removed by Strangely Perfect
[...] Combatting WordPress Trackback Comment Spam Strangely Perfect Posted by root 37 minutes ago (http://strangelyperfect.tv) Comment on shutter reloaded wordpress plugin by erick s i 39 ve had to turn off various plugins from my wordpress powered setup host systems and activities that do exactly that to other people websites and personal computers Discuss | Bury | News | Combatting WordPress Trackback Comment Spam Strangely Perfect [...]
[...] Combatting WordPress Trackback Comment Spam Strangely Perfect Posted by root 20 minutes ago (http://strangelyperfect.tv) Comment on shutter reloaded wordpress plugin by erick s i 39 ve had to turn off various plugins from my wordpress powered setup host systems and activities that do exactly that to other people websites and personal computers Discuss | Bury | News | Combatting WordPress Trackback Comment Spam Strangely Perfect [...]
[...] download Has your PC become slow? Make your PC faster, free download Make your computer fast again Is your computer slow? Make your PC faster, free download var gaJsHost = (("https:" == document.location.protocol) ? [...]
This comment above came from slow-pc-tuneup.webhop.net/langsom-pc.htm, which you’ll find also is the homepage of the Renault Megane…
So the irony is again not lost on me considering the post title is about combatting wordpress comment spam – ha ha!
FYI, the IP address of the spammer is 80.167.115.198 which is in Copenhagen. However, webhop.net is a Manchester USA company – you work it out!
Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.
Ha Ha.
This is another spam comment to this post… It seems that the way to attract comment spam is to talk about it!
The IP address, 89.28.6.33, is logged as a spammer at Project Honeypot here, http://www.projecthoneypot.org/ip_89.28.5.254 which is in Moldova.