A spammer roundup
It's time to do a roundup on the status and activities of various of my perennial spammers and spam sources. (Unfortunately I can't literally round them up, nor use something like Roundup (tm) to make them disappear. Spammers are more persistent than weeds.)
Hotmail's spam problem continues unabated, despite any attempts to get Microsoft's attention. This week alone we rejected 330 attempts by Hotmail to get us to accept non '@hotmail.com' addresses from them. They involved 266 different email addresses from 86 different domains; the clear 'winner' in the domain addresses was msn.com (222 times), but then there were such domains as 'onlineuklotttery.com', 'betterdaysloto.com', and 'unionbanksite.com'.
The referer spammers still hit me once or twice a day, always for the spam category page and always from compromised machines (often listed on the XBL). Mostly it's for online card game gambling sites, although a couple of times it's been for online pharmacies. The web site hosting has moved to the IP address 184.108.40.206, Verio Web Hosting, with a reverse DNS of 'blackjack-123.com'. (Google shows that this IP address has been hosting Referer spam websites for quite a long time.)
They are getting creative in the domain names; I have to enjoy 'www.evilplots.com'. There doesn't seem to be any particular commonality in the domain registration information. All of the ones for the past week use 220.127.116.11, 18.104.22.168, and/or 22.214.171.124 as their nameservers, under various names; 126.96.36.199 is part of SBL17672, a ROKSO listing for Traffix.
The major comment spammers from CommentSpamWritLarge are still trying to post comments; they've made 182 attempts (from 108 different IP addresses) since the early morning of September 18th. 72 attempts were from just one IP address, 188.8.131.52, 'millwood.simplecom.net', part of Bellsouth's IP range. The claimed user agent was 'libwww-perl/5.803', so apparently one of the spammers has a Perl program to do this sort of stuff. (A Google search shows that we are not the only web site getting hit by these people.)
Of the big previous sources, 184.108.40.206/28 (previously the leading source) seems to have disappeared. Still appearing to at least some extent were 220.127.116.11, 18.104.22.168/24, and 22.214.171.124.
As always, neither group appears to care in the least that their attempts are completely fruitless.