Okay, so I can be slow sometimes, but I've only noticed today that the spam I've been getting since last December and the spam trying to infect a visitor's PC with trojans have quite a few similarities.
First of all, the form and the destination: Most of that spam comes in as a submission for this site's Links section. It uses "Good site", "Thank you", "Great work", and similar phrases as the title for the link target and then crams the link description full of more links. Okay, so the spambot in question has no idea that Links submissions work differently from, say, comments here.
Other similarities: The spambot always sends "uk" in the HTTP Accept-Language header. Since this is a language header, "uk" is the ISO 639-1 code for Ukrainian, not a country code for the United Kingdom. The header is whatever the client chooses to send, so at most it hints at where the spambot was configured, i.e. the source of the spambot (not necessarily of the spam itself).
The other constant is the User-Agent header. It's always "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)". I'm trying to figure out if all that stuff is coming from just one spammer or if it's several spammers who all happen to use the same spambot. It's hard to say. I'm seeing two sorts of spam posts: One that uses only subdomain links, like the "abgood" spammer did. And one that uses much longer URLs, often located on other sites (e.g. Mr. Obama's).
The "abgood" spammer started spamming for links that redirected to fake search engine result pages. I don't see that any more. Instead, most of the subdomain links seem to go to porn sites now. The links from the other sort of spam are either directly telling you that you need to download a "codec" or they're redirecting you to a page that does that. But I've also seen some of the subdomain links do that, plus a few that redirect to fake antivirus scans (e.g. ending up at scan.powerantivirus2009.com/?aff=1068).
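The fingerprint above (stock title, link-stuffed description, Accept-Language "uk", the fixed User-Agent string) is easy to turn into a filter for the Links form. The following is an added example, not this site's code; the submission field names (title, description, headers) and the sample submissions are constructed for the example, and the link classifier (bare subdomain versus longer URL on another site) is my own rough approximation of the two sorts of links described in the text.

```python
"""Score Links-section submissions against the spambot fingerprint.

Added example, not the site's own code. Field names and sample data
below are assumptions constructed for illustration.
"""
import re
from urllib.parse import urlparse

# User-Agent string quoted in the post, used as an exact-match signal.
SPAM_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
# Stock titles the post mentions; compared case-insensitively.
STOCK_TITLES = {"good site", "thank you", "great work"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_links(text):
    """Return every http(s) URL found in a free-text field."""
    return URL_RE.findall(text or "")


def link_kind(url):
    """Rough classifier (assumption, not from the post): a bare hostname with
    three or more labels and no path/query is a 'subdomain' link, anything
    else is a 'long' URL."""
    p = urlparse(url)
    host = p.hostname or ""
    if host.count(".") >= 2 and p.path in ("", "/") and not p.query:
        return "subdomain"
    return "long"


def primary_language(accept_language):
    """First language tag in Accept-Language, stripped of region and q-value,
    so 'uk', 'uk-UA' and 'uk,ru;q=0.8' all yield 'uk'."""
    first = (accept_language or "").split(",")[0].split(";")[0]
    return first.split("-")[0].strip().lower()


def score_submission(sub):
    """Return (score, reasons); each matched fingerprint signal adds one."""
    reasons = []
    headers = {k.lower(): v for k, v in sub.get("headers", {}).items()}
    if primary_language(headers.get("accept-language")) == "uk":
        reasons.append("accept-language uk")
    if headers.get("user-agent") == SPAM_UA:
        reasons.append("known spambot user-agent")
    if sub.get("title", "").strip().lower().rstrip("!.") in STOCK_TITLES:
        reasons.append("stock title")
    links = extract_links(sub.get("description"))
    if len(links) >= 3:
        reasons.append("%d links in description" % len(links))
    return len(reasons), reasons


def is_spam(sub, threshold=3):
    """Flag a submission when at least `threshold` signals match."""
    return score_submission(sub)[0] >= threshold


# Constructed sample submissions: one matching the fingerprint, one benign.
SAMPLE_SUBMISSIONS = [
    {
        "title": "Good site",
        "description": "http://abgood.example.net/ http://xyz.example.org/ "
                       "http://example.com/some/long/path?id=7",
        "headers": {"Accept-Language": "uk", "User-Agent": SPAM_UA},
    },
    {
        "title": "A real link",
        "description": "See http://example.org/article",
        "headers": {"Accept-Language": "en-GB,en;q=0.8",
                    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0"},
    },
]

if __name__ == "__main__":
    for sub in SAMPLE_SUBMISSIONS:
        score, reasons = score_submission(sub)
        kinds = [link_kind(u) for u in extract_links(sub["description"])]
        print(sub["title"], "spam" if is_spam(sub) else "ok", score, reasons, kinds)
```

Requiring three of the four signals keeps a legitimate Ukrainian-speaking visitor who happens to run that old browser from being blocked on headers alone; the link count and stock title are what actually separate the bot's submissions from real ones.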
So my guess is that if this is more than one spammer, then they are working together. I haven't even looked at the source of the spam (i.e. the IP addresses that are sending the actual spam) or the registration info for the domains involved (e.g. yahoo-host.com, which is not owned by Yahoo) yet.