
#1 2008-01-04 9:41 am

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Fighting Userlist spam

In scouring the spam accounts out of my userlist, I'm finding some pattern, which, unfortunately, I can't add to the database(lacking IP addresses, and, as I delete them, usernames).  Still, in the log I'm building I've found some patterns:

I was getting a fair number of spam hits from these domains:

zotth.cn
and
zimnicki.cn

The email addresses all followed the pattern "l"(that's a lowercase "L") or "k", followed by a number(generally between 1 and 20)

I just found a third domain which follows the same pattern(except the leading letter is "f"): zenxengine.cn

I pinged the three domains and found they all report back from the same IP:

217.11.233.183

(Edit: pasted in the wrong domain for the third address)

Last edited by Captain Red (2008-01-04 9:43 am)


#2 2008-01-04 12:48 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

Another pattern... not that I think there's much to be done with it:

So far, I've found four spam accounts using emails from three different domains(email.com, e-mail.net, and gmail.org) whose email addresses start with some common name followed by the word "dark"

And another:

A subset of the accounts claiming yahoo.fr addresses seem to be using a "name(dot)name" pattern.


#3 2008-01-04 1:10 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

Captain Red wrote:

I was getting a fair number of spam hits from these domains:

zotth.cn
and
zimnicki.cn

The email addresses all followed the pattern "l"(that's a lowercase "L") or "k", followed by a number(generally between 1 and 20)

I just found a third domain which follows the same pattern(except the leading letter is "f"): zenxengine.cn

I pinged the three domains and found they all report back from the same IP:

217.11.233.183

So much for my brilliant plan to ban that IP... didn't work.  There's another one:

zinsco.cn

"w" is the leading letter on this one.  Same IP address.  Whois info on each of them is the same too(but for the registration time, which you can follow minute by minute).

I think I'm just going to put .cn next to .ru in the banlist....

[Edit]just pinged another domain or two I've banned... whoever actually owns them owns a lot of them.  It's like I've stuck my head underwater, and I cannot see the end of the iceberg[/Edit]

Last edited by Captain Red (2008-01-04 1:17 pm)


#4 2008-01-04 3:31 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

.cn blocked, and the spammers continue to trickle in linking back there.

The most recent one used the address "alexpetrov@mymail.com", and the username "ninesversis" but I've seen a lot of others.

They all fill out four of the profile fields the same way:

Website: one sub-domain or another on zowada.cn

Location: "World"

Occupation: "porn"

Interests: "sex"


#5 2008-01-04 5:07 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

Since I'm posting an inordinate amount compared to the rest of the forum, I'll condense anything else I find before I sign off into this post:

• "milestts" begins three email addresses I've run into thus far.(one at hotmail.com, one at email.net, and one at email.org)

• I am nearly positive that 66.249.66.200 is associated with username "Barrytikers" and email address "angeljnr@gmail.net", but I have enough doubt not to post it to the database.(the latter two are definitely associated, though)


#6 2008-01-05 8:06 am

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

Another collection post:

• Found the username "liaipalarrobe" for a second time.(didn't mark what email address it was attached to the first time, but this time it was attached to mikesavelievskiy@gmail.com, and as this is the second time I've run into that address, I'm guessing they're attached)

• The "name(dot)name" pattern seems to be spread across other yahoos besides .fr.  Currently, I've also found hits on this from yahoo.it, yahoo.es, and yahoo.de.  A fair number of them seem to authenticate, but few, if any, have posted.

• Three hits so far on email addresses led by "(name)yandex".  (one mymail.com, two hotmail.com.)

• Six hits so far on email addresses of the form "(name)tex" across four domains(hotmail.com, gmail.com, gmail.net, and mymail.com)

• More to add to the associated .cn sites: zukav.cn, zelmira.cn

• In addition to the three hits on "milestts" addresses, I've found five more addresses with a "(name)tts" pattern.(names are brad, gregor, maxim, anne, and veles)(the former two were @e-mail.com, and the latter three @email.com)

• I just started noting it, but I'm noticing a good number of the spam accounts started with gmail.com addresses end up authenticating(even if they don't post).

• Top offenders: In the past 637 entries I've logged, over 14% of them are from *.cn, 8.7% from *.ru, 7% from gmail.com, and 6.7% from mymail-in.net.

[edit]tossing a bit more on this post below[/edit]

• Found a fair number of spammers who include "online" in their usernames... of course, I am cleaning out a userlist that hasn't been weeded in several years, so that may just be a long accumulation.

• In additions more current: One authenticated spammer in the last batch of deletions:

email: pornotos@intwayz.net
username: enveginedub

(I'm almost positive I've run across that username at least once before)

*checks database*  oh.  Well, the address is already in there, but there's another name attached.(not that I have an IP to go with it)  Pretty sure he isn't at the address in the database though, as I have everything in the last octet blocked.

Last edited by Captain Red (2008-01-05 4:34 pm)


#7 2008-01-06 4:24 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

Yet another, collection post:

• poshta.us seems to be Ukrainian... oddly enough.  They also seem to be using/connected to mymail-in.net (found through a google translation of their TOS... although looking at their frontpage, I could have just looked at the copyright line... or the "powered by mymail-in.net" icon in the lower left.  Goodness but I'm observant)  Mymail-in.net, which is(as might be guessed) also Ukrainian, shielded most of their frontpage from auto-translation, putting nearly all the text in images.(I've already blocked addresses directly from there, but I was hoping for the longshot that they might list some other partners there)

• Pattern noticed in the database:

rdsdroh-(word)@yahoo.co.uk

A spammer using email addresses that follow that pattern has been on a tear since the 19th of December.  The IP varies quite a bit, but the email address always starts with "rdsdroh-" and always ends in "@yahoo.co.uk".  He's used several usernames, but hasn't been entered as using anything other than "GeorgSimenon" since the 28th.

• Spammer who is from, or prefers to use, really dislikes mail.com: "replica" is the core of the name, and I've seen five different variants(four have hit me, plus one in the database).  None of my four authenticated, but all of the email address he's/it's used have claimed to be from mail.com.  (usernames not in the database: "replicaexact", "replicacenter", "replicaright" and "replicasy".  Add "@mail.com" to the end, and you've got the associated email addresses)

• Borg moment: The Spammer that went by "(various)2k@gmx.com" has adapted.  New form is "(various)3k@gmx.com".  Creative, huh?

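The address patterns and the four-field profile fingerprint collected in posts #1 through #7 can be turned into a registration screen that a moderator runs before an account is accepted. The following is an added example written for this thread, not code from the forum, its author, or any board software: the `Registration` record, the rule names and the sample registrations are constructed, the regexes are my transcription of the patterns described above, and the split between "block" and "review" (for patterns the thread says sometimes authenticate) is an assumption.

```python
import re
from dataclasses import dataclass, field

# Added example: rules transcribed from the thread's observations.
BANNED_TLDS = {"cn", "ru"}                        # posts #3, #4 and #12
BANNED_DOMAINS = {"mymail-in.net", "poshta.us"}   # post #7

# (regex, action, note). "block" rejects the registration; "review" only flags it,
# which is what the thread's data supports for patterns that sometimes authenticate.
EMAIL_RULES = [
    (r"^[lkfw]\d{1,2}@(zotth|zimnicki|zenxengine|zinsco)\.cn$", "block",
     "letter+number address at the .cn cluster (posts #1, #3)"),
    (r"^rdsdroh-\w+@yahoo\.co\.uk$", "block", "rdsdroh- prefix at yahoo.co.uk (post #7)"),
    (r"^replica\w*@mail\.com$", "block", "replica* at mail.com (post #7)"),
    (r"^\w+[23]k@gmx\.com$", "block", "(various)2k/3k at gmx.com (post #7)"),
    (r"^\w+dark@(email\.com|e-mail\.net|gmail\.org)$", "review", "(name)dark pattern (post #2)"),
    (r"^[a-z]+\.[a-z]+@yahoo\.(fr|it|es|de)$", "review",
     "name.name at yahoo country domains (posts #2, #6)"),
]
COMPILED_RULES = [(re.compile(p, re.IGNORECASE), act, note) for p, act, note in EMAIL_RULES]

# Profile fingerprint from post #4: three fixed field values plus a zowada.cn website.
PROFILE_FIELDS = {"location": "world", "occupation": "porn", "interests": "sex"}
PROFILE_WEBSITE_SUFFIX = "zowada.cn"


@dataclass
class Registration:            # hypothetical record shape, not the board's own
    username: str
    email: str
    profile: dict = field(default_factory=dict)


def website_host(url):
    """Hostname of a profile URL with scheme and path stripped."""
    return url.lower().split("://", 1)[-1].split("/", 1)[0]


def profile_hits(profile):
    """How many of the four post-#4 fields match the fingerprint (0..4)."""
    hits = sum(1 for k, v in PROFILE_FIELDS.items()
               if str(profile.get(k, "")).strip().lower() == v)
    host = website_host(str(profile.get("website", "")))
    if host == PROFILE_WEBSITE_SUFFIX or host.endswith("." + PROFILE_WEBSITE_SUFFIX):
        hits += 1
    return hits


def screen(reg):
    """Return (action, reasons) for one registration; action is 'block', 'review' or 'allow'."""
    reasons, actions = [], set()
    email = reg.email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "." not in domain:
        return "block", ["malformed address"]
    tld = domain.rsplit(".", 1)[-1]
    if tld in BANNED_TLDS:
        reasons.append(f"banned TLD .{tld}")
        actions.add("block")
    if domain in BANNED_DOMAINS:
        reasons.append(f"banned domain {domain}")
        actions.add("block")
    for rx, act, note in COMPILED_RULES:
        if rx.match(email):
            reasons.append(note)
            actions.add(act)
    hits = profile_hits(reg.profile)
    if hits == 4:
        reasons.append("profile matches the post-#4 fingerprint on all four fields")
        actions.add("block")
    elif hits >= 2:
        reasons.append(f"profile matches the post-#4 fingerprint on {hits} fields")
        actions.add("review")
    if "block" in actions:
        return "block", reasons
    if "review" in actions:
        return "review", reasons
    return "allow", reasons


def screen_all(regs):
    """Map username -> action for a batch of registrations."""
    return {r.username: screen(r)[0] for r in regs}


# Constructed sample registrations (not real accounts from the thread's log).
SAMPLE = [
    Registration("k12", "k12@zimnicki.cn"),
    Registration("GeorgSimenon", "rdsdroh-books@yahoo.co.uk"),
    Registration("replicacenter", "replicacenter@mail.com"),
    Registration("ninesversis", "alexpetrov@mymail.com",
                 {"website": "http://shop.zowada.cn/", "location": "World",
                  "occupation": "porn", "interests": "sex"}),
    Registration("jean", "jean.dupont@yahoo.fr"),
    Registration("alice", "alice@example.org", {"location": "Phoenix"}),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.username, r.email, *screen(r))
```

The profile check is deliberately scored rather than all-or-nothing: a full four-field match is what post #4 describes and is blocked, while a partial match only sends the account to the moderation queue, so a legitimate user who happens to write "World" as a location is not locked out.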

#8 2008-01-07 1:22 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

Another, much longer collection post:

• mobyportal.com: three hits in the database, all from the Ukraine... which is where the site is owned and operated.  And for .ru fans, the registrant has a .ru email address.

• Are there any legitimate users with gmail addresses who enter their email address as "@googlemail.com"?

• Repeat offender:

Email:        mikesalytinos@gmail.com
username:    tubaudibraTal
IP:            unknown

I've seen this username come up twice, both times associated with the same email address.  Didn't authenticate either time.

I think it might be related to a couple of hits I got on another email address: "mikesaqvelievskiy@gmail.com".  Unfortunately, I didn't record the usernames.

• Spam as a form of extortion: I found the following while searching on a spammer's domain:

From:    Anikrichard on - 05.09.2007
EMail:    anlikivanna.80@mail.ru
Comment:    hello , my name is Richard and I know you get a lot of spammy comments ,
I can help you with this problem . I know a lot of spammers and I will ask them not to post on your site. It will reduce the volume of spam by 30-50% .In return Id like to ask you to put a link to my site on the index page of your site. The link will be small and your visitors will hardly notice it , its just done for higher rankings in search engines. Contact me icq 454528835 or write me tedirectory(at)yahoo.com , i will give you my site url and you will give me yours if you are interested. thank you

I, uh...  Geeze.  I know there are people that fall for this.  The insidiousness of this disgusts me.

• Spam domain: freeserverweb.com.  I've gotten four hits from this domain so far, and at least three of them authenticated(the fourth one might have too, but it might have come before I started logging that).  In particular, a google search turned up a bunch of guestbook and forum hits on the first page(mostly for a "terra@freeserverweb.com")  In addition, I have to say that with their site: they aren't even really trying to hide it.(the "abuse" page is the home page but with a google search box on it)  Icing: their whois info is all privacyprotect.org.

• Ziram.org: this place shows up on the first page of hits for a google search on it.  The registrant's email is from wp.pl(quite spammy), and is located in Bulgaria.  email address and usernames seen from ziram.org:

email:        dewomnews@...
username:    theSigsesia

email:        Greaxy@...
username:    theFubduern

(Likely an obvious username pattern... but not very helpful for selective blocking)

• semi-random suspicion: two spam accounts opened in a row with the usernames "Jago" and "Jagger"(email addresses were "cool678sexy@yahoo.com" and "patteryuiuc@mail.com" respectively).  Neither authenticated.  My random suspicion is that the two are related.


#9 2008-01-08 3:03 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

Still another collection post:

• sofochka: I have two hits on spammers with email addresses of the form "sonechka(number)@gmail.com".  The more recent hit actually posted.(I also have a hit on a "sofochka(number)@gmail.com" which I think is associated)

• childrenfurniture: I just got a second hit on an email of the form "(ch.ildrenfurniture144)(/children.furniture144)@googlemail.com"(the period was at the first position for one, and the second for the other).  Both times they authenticated, and the first one(ch.ildren...) posted.

• stavros: two hits on "stavros(number)@gmail.com".  Authenticated both times.

• buincchotourb: two hits on "buincchotourb(ss)@gmail.com".  Both authenticated, "Buincchotourbss"  posted.

• bsuir.net: Belarusian.  Registrant's email is from tut.by.

• flizzer.net: only one hit received(email: "subscriber@flizzer.net" username: "supersusi"), and it didn't authenticate, but the reg info is through "domainsbyproxy.com".

• zeos.net: Ukrainian.  One hit, non-authenticated.  (email: "demonst99@zeos.net" username: "Sorahaphorn")  Plus two hits in the database.


#10 2008-01-09 3:28 am

TeMerc
Member
From: Phx. AZ
Registered: 2007-12-19
Posts: 51

Re: Fighting Userlist spam

The amount of time you're spending chasing these GMail accounts as well as the .cn, .ru ones are the exact reason I banned them all.

Unless you run an international company\business there isn't any reason not to. There is far more abuse coming from those TLDs than is good.

Since banning them, my life got way easier and a heck of a lot less stressful.

Those guys really tick me off when they register even if they can't reply. Just having their links or user names on my site makes me feel scummy.

And of course you also need to know the bulk of these spammers are fully automated bots, just running scripts pulling random names alphabetically. That's why you see so many that appear similar. Dictionary attacks.


#11 2008-01-10 4:51 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

And... a collection post:

• ghklioghklo:    two hits on "ghklioghklo@yahoo.com" both using the same username, "ghklioghklo".  Neither authenticated.  Both have occurred within about a day and a half of each other.

• ahmad*na*ad*@gmail.com: Apparently sent by cable news personalities(laugh? no laugh).  Asterisks are (as most probably know already) wildcards.  The two hits I've seen plus the one different one I found in the database all fall under that pattern.  My two were both authenticators.  (last seen 12/20/07)

• Adobe Acrobat: "ACROBATADOBEPRO" is a new variation on the "cheapadobeacrobat" username that's been plopping around for the past couple weeks.  All hits in the database, as well as the one I just got, were from gmail addresses.(this is the second I've seen.  The first authenticated, the second did not)   The most recent hit in the database along with the two I've seen have had the username in all caps. (seen today)

The two email addresses I've seen are: hmelnovosopola@gmail.com and harlapovasoftru@gmail.com


#12 2008-01-10 4:55 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

TeMerc wrote:

The amount of time you're spending chasing these GMail accounts as well as the .cn, .ru ones are the exact reason I banned them all.

Unless you run an international company\business there isn't any reason not to. There is far more abuse coming from those TLDs than is good.

Since banning them, my life got way easier and a heck of a lot less stressful.

Those guys really tick me off when they register even if they can't reply. Just having their links or user names on my site makes me feel scummy.

And of course you also need to know the bulk of these spammers are fully automated bots, just running scripts pulling random names alphabetically. That's why you see so many that appear similar. Dictionary attacks.

Not quite ready to ban Gmail, but I've had .ru banned for a while, and .cn for probably about a week now.(besides, the email address I use for moderation is a gmail one :¬/ )

A lot of what I'm doing comes from taking over a forum with a userlist that's gone untended for several years(and that's gone with very few efforts to deter the spam for about as long).  To give you an idea: the userlist had more than 12,000 "members" before I started in on it.  Mostly I think I'm spinning my wheels before upgrading to phpbb3.0.

Still, I get some kind of bizarre satisfaction in looking for patterns in the spam.  The actions I've taken based on them have cut the new spam down significantly so far.(.ru/.cn banning being a large contributor to that)


#13 2008-01-11 2:11 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

TeMerc wrote:

The amount of time you're spending chasing these GMail accounts as well as the .cn, .ru ones are the exact reason I banned them all.

Captain Red wrote:

Not quite ready to ban Gmail, but I've had .ru banned for a while, and .cn for probably about a week now.(besides, the email address I use for moderation is a gmail one :¬/ )

aaannnnddd another day and another two spam posts have swayed me.  The amount of Gmail spam is ridiculous. Just looking at my own log, there are more hits for gmail.com than for all but the worst offenders on my banned list.  Looking at the database here, it is second only to mail.ru for spam reports.

Gah!  Frustrating.


#14 2008-01-12 8:29 am

TeMerc
Member
From: Phx. AZ
Registered: 2007-12-19
Posts: 51

Re: Fighting Userlist spam

Yeah, after dealing with these for a long time, like months and months, I gave it up. I'm far too busy to bother chasing these guys. One ban and pow, they're all done.


#15 2008-02-09 6:01 am

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

Haven't posted to this in a while... but I found another pattern:

• ua****.fm/net/biz: 40 hits in the database, plus one or two more that I don't have enough info to post, which all include email addresses from the following domains:

ua.fm
uastar.net
uaclub.net
ua-news.net
ua-net.biz


#16 2008-02-09 5:57 pm

susato
Member
Registered: 2007-12-01
Posts: 18

Re: Fighting Userlist spam

Sheesh, Captain Red, what do you expect from a free mail domain in Ukraine?

Don't even bother reacting, much less getting upset. Life's too short. Eastern European spambots are a fact of life on the 'net.  Unless you're running a board with special appeal for Russian or Ukrainian speakers, just chuckle quietly to yourself and ban their buns.

One spambot from a domain featuring "ua", and the domain goes straight to my banlist.   Lah dee dah.

And as for the company who regularly parse our emails in order to deliver ads?  Who ought to have the world's best technology for detecting spambots based on keywords in mail entering the bots' inboxes? Who could add forum spamming to the list of no-no's on their TOS,  and suspend any email account in which a certain proportion of emails were forum registration messages? Who despite all of this do nothing?   Save your outrage for them.


#17 2008-02-10 4:18 pm

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

susato wrote:

Sheesh, Captain Red, what do you expect from a free mail domain in Ukraine?

Just what I get. :¬)

Don't even bother reacting, much less getting upset. Life's too short. Eastern European spambots are a fact of life on the 'net.  Unless you're running a board with special appeal for Russian or Ukrainian speakers, just chuckle quietly to yourself and ban their buns.

One spambot from a domain featuring "ua", and the domain goes straight to my banlist.   Lah dee dah.

And as for the company who regularly parse our emails in order to deliver ads?  Who ought to have the world's best technology for detecting spambots based on keywords in mail entering the bots' inboxes? Who could add forum spamming to the list of no-no's on their TOS,  and suspend any email account in which a certain proportion of emails were forum registration messages? Who despite all of this do nothing?   Save your outrage for them.

No outrage here.  I'm like a Buddha Fonzie: calm and cool.  Just highlighting a pattern I found.(since it is less obvious than flat-banning *.ua )


#18 2008-02-28 3:34 am

Captain Red
Member
Registered: 2008-01-04
Posts: 59

Re: Fighting Userlist spam

• A cluster of hits from IP addresses in the range 87.99.92.34-87.99.92.37.  Five in the database in the past day, plus two more that I got that I'm adding now(also from today).

Additionally, the email addresses seem to be linked to the IP addresses.(each IP address so far only has one email address attached even if there are multiple reports)

... and a further search reveals that there have been 83 entries for IP addresses which start with "87.99." since the beginning of the year.

Last edited by Captain Red (2008-02-28 3:48 am)

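Post #15's "ua****.fm/net/biz" domain family, post #18's 87.99.92.34-87.99.92.37 cluster and its "starts with 87.99." count, and the per-domain "top offenders" tally from post #6 are all questions a short script over the spam log answers directly. This is an added example, not part of the thread or of any board software; the log layout and every entry in `SAMPLE_LOG` are constructed, the `UA_CLUSTER` regex is my transcription of the post #15 pattern, and the function names are mine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (date, ip, email, username); the layout is my own choice.
SAMPLE_LOG = """\
2008-02-27 87.99.92.34 lexa@ua.fm r3d0wn
2008-02-27 87.99.92.35 v.kravets@uastar.net kravets_v
2008-02-28 87.99.92.36 news@ua-news.net uanews44
2008-02-28 87.99.92.37 zz@ua-net.biz zzz77
2008-02-28 87.99.92.35 v.kravets@uastar.net kravets2
2008-02-28 87.99.10.5 qq@mail.ru qq9
2008-02-28 10.0.0.7 alice@example.org alice
2008-02-28 10.0.0.9 k7@zotth.cn k7
2008-02-28 10.0.0.10 bob@gmail.com bobr
2008-02-28 10.0.0.11 carol@gmail.com carolx
"""

# Post #15's "ua****.fm/net/biz" family as a regex (my transcription, an assumption).
UA_CLUSTER = re.compile(r"^ua[a-z-]*\.(fm|net|biz)$")


def parse_log(text):
    """Split the whitespace-separated log into dicts with domain and TLD pre-computed."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, ip, email, username = line.split()
        domain = email.lower().rpartition("@")[2]
        entries.append({"date": date, "ip": ip, "email": email.lower(), "domain": domain,
                        "tld": domain.rsplit(".", 1)[-1], "username": username})
    return entries


def entries_in_range(entries, first, last):
    """Entries whose IP falls inside an inclusive range such as 87.99.92.34-87.99.92.37."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [e for e in entries if lo <= ipaddress.ip_address(e["ip"]) <= hi]


def range_to_networks(first, last):
    """CIDR blocks covering the range, for a banlist that takes networks rather than ranges."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def prefix_count(entries, prefix):
    """Post #18's 'IP addresses which start with 87.99.' count."""
    return sum(1 for e in entries if e["ip"].startswith(prefix))


def emails_per_ip(entries):
    """IP -> set of addresses, to check post #18's one-address-per-IP observation."""
    seen = {}
    for e in entries:
        seen.setdefault(e["ip"], set()).add(e["email"])
    return seen


def top_offenders(entries, key="tld", n=3):
    """Share of entries per domain or TLD, as in post #6's 'top offenders' tally."""
    counts = Counter(e[key] for e in entries)
    total = len(entries)
    return [(k, round(c / total, 3)) for k, c in counts.most_common(n)]


def ua_cluster_entries(entries):
    """Entries whose mail domain belongs to the post #15 ua* family."""
    return [e for e in entries if UA_CLUSTER.match(e["domain"])]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(range_to_networks("87.99.92.34", "87.99.92.37"))
    print(top_offenders(log, "tld"), top_offenders(log, "domain"))
    print(prefix_count(log, "87.99."), len(ua_cluster_entries(log)))
    print({ip: sorted(mails) for ip, mails in emails_per_ip(log).items()})
```

`range_to_networks` exists because the thread's cluster is a four-address range, which is two /31 blocks rather than one network; a banlist that only accepts CIDR entries needs both, and `summarize_address_range` from the standard library produces exactly that list.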
