abgood

So, he's working his way through the alphabet. He's currently at 'm' and 'n' (haven't seen any abgoodn.info spam here on the site yet, but Google already returns a few hits). He seems to have skipped the 'l', though, for whatever reason.

So far, all the sites are hosted at the same IP address, 209.67.215.82, which seems to belong to a company named Savvis (and if I'm reading the whois info correctly, that's actually in an address range sublet to Layered Technologies).

We're up to 'p' now and hits for "abgoodq" and "abgoodr" can already be found on Google.

Since the subdomains he's using seemed to consist of arbitrary words (such as "la-vie-boheme-lyrics-rent.abgoodp.info") I thought that maybe it would simply take anything and redirect me to those "search engines". So I tried fuck-off.abgoodp.info.

Turns out that doesn't work as expected. Instead, it presents me a list of all the subdomains that are actually configured. And on the top of that page, it reads:

This page is cathegory map. You can see list of all pages, placed in this cathegory:

Yes, it says cathegory, not category.

On closer inspection, that list doesn't seem to be complete, though. For example, I spotted "jeri-ryan-divorce.abgoodp.info" in one of the spam notifications but it's not included in the above list. So whatever the use of that "cathegory" map is, it's not vital and was most likely created manually.

Looking through last night's spam notifications (we're up to abgoodo.info now), I also noticed a completely different domain name used in the same sort of spam: zaagood.cn. It does the same thing (redirects you to questionable search results) and is hosted on the same server (209.67.215.82). So this is the same guy.

And guess what? zabgood.cn, zacgood.cn, etc. also resolve to the same IP address. Add them to your spam filter already.

... and here they are: Spam for zabgood.cn and zacgood.cn started hitting the site last night. Isn't it nice to have such a predictable spammer?

A few hours ago, he also started spamming (in the same manner) for ctaill.com which, at this time, still doesn't resolve ...

He's also still using the other two domain name schemes, currently zafgood.cn and abgoodu.com.

Spam for btaill.info just started hitting this site. This one resolves (to 72.232.57.192, see below) and works (in the usual manner). So looks like ctaill.com was some kind of accident ...

Here's another new domain from our "good" friend: ayhajri.info. This one works but is located on a new server: 72.232.57.192, belonging to Layered Technologies.

Love this entry from the whois for ayhajri.info, btw:

Registrant Name:Jon Michel
Registrant Organization:Cheap Drugs
Registrant Street1:Fagust ave. 32/23
Registrant City:New York
Registrant State/Province:3554
Registrant Postal Code:516541
Registrant Country:US
Registrant Phone:+565.54654564
Registrant Email:jonem@gmail.com

"Organization: Cheap Drugs" - 'nuff said ...

Apparently, the pattern with this name is to change the first letter: Spam for cyhajri.info just started coming in.

* sigh * Just when I thought he had finally given up (hadn't seen anything from this spammer in over a week) - he's back with a new domain: qwnewaw.info. Nice name, I hope it was cheap ...

Same as before: Mostly random collection of words as subdomains, redirecting to dubious "search engine" pages.