Damn Spam!

Fake Firefox Trackback spam attempts

   

We're seeing a slew of Trackback spam attempts all using the user agent string:

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1

The attempts are coming via proxies all over the place and since Bad Behavior is blocking them, I can't tell what they're trying to spam for. Since nobody would seriously use such an old Firefox version any more, it should be safe to block that user agent if you don't have any other protection against these trackbacks.

Fake Firefox Trackback spam attempts
Here's another bit of info for you ... pitching in to help the cause.

There's a server in Herndon, VA with IPs registered to Beyond the Network which I have tracked to this mess of information:
IP Location: Russian Federation - Sankt-peterburg - St. Petersburg - Beyond The Network America Inc.
Reverse DNS: ah1-p4id-56.advancedhosters.com
Tech Contact: Kim, Joon

I believe this source of spam is related to the Captain Crunch Team out of the Ukraine that previously hacked sites with a c99.php shell script, possibly using hacked machines like the one in Virginia. These new spams only started after I caught the hack on my own site and cleaned it out. They're about the only ones getting through anymore and gratefully trip the speedlimit after the first post. They can get around just about any fix/plugin and I have to ban the IPs by hand and, even then, it doesn't always stop the spam from posting.

They all contain the header you mention in your post.

I'll check back for replies.
TechnoHippie
Authored by: Anonymous on Tuesday, September 12 2006 @ 21:01 CEST
Fake Firefox Trackback spam attempts

Hmm, so this doesn't quite tie in with what I was seeing (see post below).

However, "Beyond the Network America" does ring a bell. They were the source of a recent mass signup of users on various Geeklog sites. In essence, a bot created a new account, waited for the password email to arrive, logged in with that info and went right on to post spam. And all that came out of IP ranges owned by Beyond the Network America. I've sent them an abuse report, but haven't heard back and the signup attempts didn't stop either. Consequently, their IP ranges are now blocked.

Authored by: Dirk on Tuesday, September 12 2006 @ 21:40 CEST
What they were spamming for ...

Okay, so I did find out eventually what that trackback spam was for. Turned out to be quite interesting, actually.

The actual spam post contained only gibberish (none of the usual keywords, not even any interesting words, just nonsense). They all pointed to some .info domain which, when called up, redirected you to my2ch.info. That domain and all the others (e.g. saxto.info) are registered to a certain Vyacheslav Berezkin from Moscow, Russia.

The most interesting aspect, though, was that this was the first time that some spammer managed to circumvent our backlink check for trackbacks. I.e. the sites did actually contain a link back to the site they were spamming - but only for a short time. Other than that, the sites didn't contain any useful content, but only a JavaScript redirect to my2ch.info.

Authored by: Dirk on Tuesday, September 12 2006 @ 21:30 CEST
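
The checks discussed in this thread, as an added Python example that is not from the original post, Geeklog or Bad Behavior: it rejects the user agent quoted in the post and extends the backlink check so that a source page which links back but otherwise only carries a script redirect is still refused. The function and class names, the reason labels, the 20-word threshold and the sample pages are assumptions made up for illustration.

```python
import re
from html.parser import HTMLParser

# User agent string quoted in the post.
STALE_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7) "
            "Gecko/20040626 Firefox/0.9.1")
# Heuristic for script-driven redirects (assumption: not exhaustive).
JS_REDIRECT = re.compile(r"location(\.href)?\s*=[^=]|location\.(replace|assign)\s*\(", re.I)

class PageScan(HTMLParser):
    """Collect link targets, script bodies and visible text from a page."""
    def __init__(self):
        super().__init__()
        self.links, self.script, self.text = [], [], []
        self.in_script = self.meta_refresh = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script":
            self.in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.script if self.in_script else self.text).append(data)

def check_trackback(user_agent, source_html, our_url, min_words=20):
    """Return (accept, reasons) for one trackback ping and its source page."""
    reasons = []
    if user_agent.strip() == STALE_UA:
        reasons.append("stale-user-agent")
    scan = PageScan()
    scan.feed(source_html)
    scan.close()
    if not any(h.rstrip("/") == our_url.rstrip("/") for h in scan.links):
        reasons.append("no-backlink")            # the classic backlink check
    if scan.meta_refresh or JS_REDIRECT.search("".join(scan.script)):
        reasons.append("client-side-redirect")   # page only forwards visitors
    if len(" ".join(scan.text).split()) < min_words:
        reasons.append("thin-content")           # nothing to read besides the link
    return (not reasons, reasons)

# Constructed sample pages (not captured from the incident).
OUR_URL = "http://blog.example/post/1"
SPAM_PAGE = ('<html><body><a href="http://blog.example/post/1">x</a>'
             '<script>window.location="http://redirect.example/";</script></body></html>')
LEGIT_PAGE = ('<html><body><p>I read a good write-up about trackback spam today and wanted to add my own '
              'notes on how our blog handles the same problem.</p>'
              '<a href="http://blog.example/post/1">the original post</a></body></html>')
```

Because the link back was only present for a short time, running the same check again some time after the ping also catches source pages that drop the link later.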

Copyright © 2008 Damn Spam! Powered By Geeklog