Damn Spam!

Unwelcome new users

   

Just got a bunch of new users on one of my sites. They all used email addresses from porn-related sites and usernames like messiah8055, hough9150, credential8403, etc.

The domain names used for the email addresses are all hosted on the same server: 195.225.176.115, which belongs to NetcatHosting in the Ukraine. In other words: Nothing good will be coming from there.

Domain names used so far (all .com domains): realitypornhouse, topasianporn, webcam-home, orgy-reality.

More tomorrow, as I only get the logfiles for that site once per day. I'm interested in seeing if this was a bot or manual registrations.

Unwelcome new users from Beyond The Network America

Turns out the unwelcome new users all came from some old "friends" of ours, Beyond The Network America.

These particular spammers have been hitting Geeklog sites for several months now. Their bot registers a new user, parses the registration email that is being sent out and logs back into the site with that information a minute later, then immediately starts spamming.

However, none of those new users managed to log in - probably because the email sent out from the site in question is in German.

For the record, here are the IP address ranges owned by Beyond The Network America. We have seen these bots coming from all of those address ranges, so we'd suggest blocking them:

205.252.*
206.161.*
209.8.*
209.9.*

In the instance here, the bots came from 7 different IP addresses within the 209.8.* range. Now I only have to find out why my .htaccess rule to block them does not seem to work on that particular site ...

Authored by: Dirk on Friday, December 01 2006 @ 09:51 CET
Unwelcome new users, the sequel

Okay, so fixing my .htaccess blocked any new user registration attempts from the IP addresses in question.

However, last night I got yet another new user with a realitypornhouse.com email address. And this time, he managed to log in and post a spam comment. How did that happen?

210.210.81.250 - - [03/Dec/2006:02:25:44 +0100] "GET /article.php?story=20021109062701984 HTTP/1.0" 200 11077 "http://209.8.22.250/tools/proxer/proxy.txt" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"

Sneaky. Note the 209.8.22.250 IP in the referrer. That's in Beyond The Network America's address range, so it's the same bunch of spammers, only now they're using proxies.

Authored by: Dirk on Sunday, December 03 2006 @ 09:30 CET
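
The log line in the comment above gets past an IP-based deny rule because the client address is a proxy and only the Referer points back into the blocked range. As an added example (not part of the original comments and not Geeklog code), this Python check flags access-log lines whose client address or Referer host falls in the listed ranges; writing each `a.b.*` range as a /16 network is an assumption, and the second and third sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges listed in the comments, written as /16 networks (assumption: 209.8.* == 209.8.0.0/16).
BLOCKED = [ipaddress.ip_network(n) for n in
           ("205.252.0.0/16", "206.161.0.0/16", "209.8.0.0/16", "209.9.0.0/16")]

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def in_blocked(host):
    """True if host is an IP literal inside one of the blocked networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:              # hostname, "-" or empty string: not an IP literal
        return False
    return any(addr in net for net in BLOCKED)

def classify(line):
    """Return 'direct', 'referer' or None for one access-log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                 # not in combined format, nothing to judge
    if in_blocked(m["client"]):
        return "direct"             # an IP deny rule already covers this case
    try:
        ref_host = urlsplit(m["referer"]).hostname or ""
    except ValueError:              # malformed Referer value
        ref_host = ""
    return "referer" if in_blocked(ref_host) else None

# First line is the one quoted in the comment; the other two are constructed samples.
SAMPLE = [
    '210.210.81.250 - - [03/Dec/2006:02:25:44 +0100] "GET /article.php?story=20021109062701984 HTTP/1.0" '
    '200 11077 "http://209.8.22.250/tools/proxer/proxy.txt" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"',
    '209.8.0.1 - - [03/Dec/2006:02:30:00 +0100] "GET /index.php HTTP/1.0" 403 210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Dec/2006:02:31:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line.split()[0])
```

A Referer is supplied by the client and is trivially omitted or forged, so a `referer` hit is a reason to review the account, not a dependable block.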
More stuff to block

Two more domain names used for account creation: onlygaybutts.com, interracial-porn.biz

I've also noticed that a human went through the signup process (coming from the same network and using one of the domains mentioned here). So someone is monitoring this and noticed my countermeasures. Good to know ...

And IronMax has a list of IP address ranges worth blocking that also includes a few more address ranges belonging to Beyond the Network America that I wasn't aware of.

Authored by: Dirk on Monday, December 04 2006 @ 23:14 CET
