A spammer roundup

September 24, 2005

It's time to do a roundup on the status and activities of various of my perennial spammers and spam sources. (Unfortunately I can't literally round them up, nor use something like Roundup (tm) to make them disappear. Spammers are more persistent than weeds.)

Hotmail's spam problem continues unabated, despite any attempts to get Microsoft's attention. This week alone we rejected 330 attempts by Hotmail to get us to accept mail from non-'@hotmail.com' addresses. They involved 266 different email addresses from 86 different domains; the clear 'winner' among the domains was msn.com (222 times), but then there were such domains as 'onlineuklotttery.com', 'betterdaysloto.com', and 'unionbanksite.com'.
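The check and the tally described above can be sketched as follows. This is an added example, not code from this site: the record layout, the relay hostnames and the decision to let the null sender through are assumptions, and the sample records are constructed.

```python
from collections import Counter

# Constructed sample records: (verified relay hostname, SMTP MAIL FROM).
SAMPLE = [
    ("mx1.hotmail.com", "alice@hotmail.com"),       # sender matches the relay
    ("mx1.hotmail.com", "<bob@msn.com>"),           # mismatch
    ("mx2.hotmail.com", "bob@msn.com"),             # mismatch, same address again
    ("mx2.hotmail.com", "Carol@MSN.com"),           # mismatch, mixed case
    ("mx1.hotmail.com", "claims@lottery.example"),  # mismatch
    ("mx1.hotmail.com", "<>"),                      # null sender (bounce)
    ("mail.evilhotmail.com", "x@msn.com"),          # look-alike, not a Hotmail relay
]

def normalize(mail_from):
    """Strip angle brackets and whitespace, lowercase the address."""
    return mail_from.strip().strip("<>").lower()

def sender_domain(mail_from):
    """Domain part of the envelope sender, or '' for the null sender."""
    addr = normalize(mail_from)
    return addr.rpartition("@")[2] if "@" in addr else ""

def relay_in_domain(relay, domain):
    """True only for the domain itself or a real subdomain of it."""
    relay = relay.lower().rstrip(".")
    return relay == domain or relay.endswith("." + domain)

def should_reject(relay, mail_from, relay_domain="hotmail.com"):
    """Reject mail from a relay in relay_domain whose sender is elsewhere."""
    if not relay_in_domain(relay, relay_domain):
        return False  # outside the scope of this rule
    dom = sender_domain(mail_from)
    # Assumption: the null sender is left to other checks, not rejected here.
    return dom != "" and dom != relay_domain

def summarize(records):
    """Return (rejected attempts, distinct addresses, Counter of domains)."""
    rejected = [normalize(m) for r, m in records if should_reject(r, m)]
    domains = Counter(a.rpartition("@")[2] for a in rejected)
    return len(rejected), len(set(rejected)), domains

if __name__ == "__main__":
    attempts, addresses, domains = summarize(SAMPLE)
    print(attempts, "rejections,", addresses, "addresses,", len(domains), "domains")
    print("most common:", domains.most_common(1))
```

The relay hostname is assumed to come from a verified reverse DNS lookup of the connecting IP address, not from the HELO name the client supplies.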

Hotmail's other spam problem is also still happening every so often. Just today we refused a Hotmail email from 82.169.144.3, part of SBL19800, listed as an advance fee fraud source since April 4th.

The referer spammers still hit me once or twice a day, always for the spam category page and always from compromised machines (often listed on the XBL). Mostly it's for online card game gambling sites, although a couple of times it's been for online pharmacies. The web site hosting has moved to the IP address 161.58.59.8, Verio Web Hosting, with a reverse DNS of 'blackjack-123.com'. (Google shows that this IP address has been hosting Referer spam websites for quite a long time.)

They are getting creative in the domain names; I have to enjoy 'www.evilplots.com'. There doesn't seem to be any particular commonality in the domain registration information. All of the ones for the past week use 209.200.14.204, 64.234.220.141, and/or 161.58.59.8 as their nameservers, under various names; 64.234.220.141 is part of SBL17672, a ROKSO listing for Traffix.

The major comment spammers from CommentSpamWritLarge are still trying to post comments; they've made 182 attempts (from 108 different IP addresses) since the early morning of September 18th. 72 attempts were from just one IP address, 208.62.160.29, 'millwood.simplecom.net', part of Bellsouth's IP range. The claimed user agent was 'libwww-perl/5.803', so apparently one of the spammers has a Perl program to do this sort of stuff. (A Google search shows that we are not the only web site getting hit by these people.)

Of the big previous sources, 209.200.11.96/28 (previously the leading source) seems to have disappeared. Still appearing to at least some extent were 80.237.140.233, 168.143.113.0/24, and 207.248.240.119.

As always, neither group appears to care in the least that their attempts are completely fruitless.

Written on 24 September 2005.
Last modified: Sat Sep 24 21:17:27 2005