I didn't let it get that far. IP address banned on registration.

The Dutch IP is a data center, a host to a bunch of webservers. As a rule, when a spammer registers and the IP is in a data center like this one is, I block the whole data center. I assume that real people who register at our forum will come from an ISP and not from a data center. In this case in .htaccess it says for this range:
deny 217.23.0.0/20

Sometimes the whois info will tell whether an ip-block solely belongs to a data center, it is not always obvious. When in doubt I google the owner of the ip range. In this case it was easy to determine because I am from the Netherlands too.

I had a registrant at our forum last month from a different IP but from the same data center:
http://www.stopforumspam.com/search?q=217.23.6.233
Other IP's from the same data center as a source of spam reported at stopforumspam:
217.23.14.67
217.23.6.129
217.23.6.233
217.23.3.223
217.23.8.135
217.23.7.95
217.23.6.71
217.23.7.163
217.23.6.66

LadyROOT showed up on my board early this morning .

------------------------------------------------
217.23.14.67    Wed Jan 20, 2010 3:12 am    Attempted spam-bot registration
Username: LadyROOT
E-mail: ilmenit603@antivir-labs.com
Reported successfully
-------------------------------------------------

but she wont be PMing anyone, since my board puts all bots into a member group that has no posting or PM privileges .

I'll take that as a 'No' then... and re-enter the data.

Hi there.

We had that one ourselves not that long ago.  The username sent up a red flag with me instantly.  Lucky for us, the first person to get hit with the PM was on at the same time and sent out a warning to everyone through our shoutbox at the top of the forum.

Hmm, then someone is removing it via the removal page.  I might have to change that page to not remove that IP

edit : Ive just updated the removal script to allow for permanent bans, a guess what the first IP was

http://www.stopforumspam.com/api?ip=188.72.225.209

... now shows 130 hits

I was actually going to blog about 188.72.225.209 earlier, but decided not to.

The reason? This silly little spambot, which FYI, is from a NetDirekt range (surprise surprise), decided it would be fun to register at the Malwarebytes forums, and spam via PM.

I didn't receive a copy of the spam (guess the spammer doesn't like me much ), but one of my friends did, and it contained;

Dear, {USERNAME}!

A virus alert was noticed on your computer. 
We highly recommend you to check your computer and perform online virus check at our site immediately: http://security-tool2010.net/{USERNAME}
----------------------------------------------------
Forum Administration forums.malwarebytes.org.

You've already guessed the "Forum Administration ...." part of their PM is absolute rubbish (pat yourself on the back ....). I followed the URL to see what lovely malicious goodness I'd get, and the path it took was;

1. http://security-tool2010.net/online-scanner/
2. http://security-tool2010.net/online-scanner/pccoin/out.php
3. http://89.248.171.48/hitin.php?&affid=16210
4. http://89.248.171.48/index.php?affid=16210

With the payload being;

http://89.248.171.48/3_334d3f.php?affid=16210

The IP that provides the payload is on a well known Ecatel range (how nice, Ecatel and Netdirekt working together to infect you ....). Just some of the malicious domains this IP is known to have hosted includes;

protectyoursystemnowonline.com
yoursecuritytodayonline.com
createyoursecurityonline.com
commercialssecuritytoolstore.com
infosecuritysite.com
yoursecuritytodayblog.com
bestcommercialssecuritytool.com
mycommercialssecuritytool.com
commercialssecuritytools.com
createwesupport.com
yoursupportnow.com
commercialssecuritytooltoday.com
ursupporttoday.com
infosecuritytoday.com
ursecuritytoday.com
freeyoursecuritytoday.com
theyoursecuritytoday.com
createyoursecuritytoday.com
createyoursafety.com
imageinfosecurity.com
albuminfosecurity.com
censusinfosecurity.com
makeursecurity.com
freecreateyoursecurity.com
adsupporttool.com

Spammer is listed on 3 blacklists thus far;

http://temerc.com/Check_Spammers/?ip=188.72.225.209

Guy's back.

Around 150 guest connections;

I happened to whois this IP; it's the same as the hostname(alone) displays on most of the rest.

http://ip-address-lookup-v4.com/lookup. … .102.63.60
http://www.stopforumspam.com/search.php?q=94.102.63.60

/hosted-by-dot-ecatel-dot-net

all different/bogus userstrings

all looking at/doing different things.

Why does it show this person as from different countries ?  Proxy ?