Okay, so I can be slow sometimes but I've only noticed today that the spam that I've been getting since last December and the spam trying to infect a visitor's PC with trojans has quite a few similarities.
First of all, the form and the destination: Most of that spam comes in as a submission for this site's Links section. It's using "Good site", "Thank you", "Great work", and similar phrases as the title for the link target and then crams the link description full with more links. Okay, so the spambot in question has no idea that Links submissions are working differently from, say, comments here.
Other similarities: The spambot always uses "uk" in the HTTP Accept-Language header. Since this is a language header, the "uk" is for the Ukraine, not for the United Kingdom. Which may give us an indication for the source of at least the spambot (not necessarily the spam itself).
The other constant is the User-Agent header: It's always
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
I'm trying to figure out if all that stuff is coming from just one spammer or if it's several spammers who all happen to use the same spambot. It's hard to say. I'm seeing two sorts of spam posts: One that uses only subdomain links, like the "abgood" spammer did. And one that uses much longer URLs, often located on other sites (e.g. Mr. Obama's).
The "abgood" spammer started spamming for links that redirected to fake search engine result pages. I don't see that any more. Instead, most of the subdomain links seem to go to porn sites now. The links from the other sort of spam are either directly telling you that you need to download a "codec" or they're redirecting you to a page that does that. But I've also seen some of the subdomain links do that, plus a few that redirect to fake antivirus scans (e.g. ending up at scan.powerantivirus2009.com/?aff=1068).
So my guess is that if this is more than one spammer, then they are working together. I haven't even looked at the source of the spam (i.e. the IP addresses that are sending the actual spam) or the registration info for the domains involved (e.g. yahoo-host.com, which is not owned by Yahoo) yet.