Thursday, August 24, 2006

Inhoster Spammer Hits My Unprotected Contact Form

To allow visitors to let me know that my bot blocker MIGHT be making a mistake, which has happened now and then as it evolved, I had to leave one email contact form unprotected and wide open to potential bot abuse.

This was not a problem for a long time, but suddenly some jerk hosted on Inhoster started fucking with me, which has actually been quite interesting.

85.255.117.253 [85.255.117.253-xbox.dedi.inhoster.com]
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Of course my page requires a POST method and isn't abused by the simple GETs, and for my own reasons I didn't think a CAPTCHA was appropriate on this page as I wanted feedback without making it too hard for people.

I was breaking my own anti-spam rules on this page just because I didn't want to reject any legit posts by accident as I was trying to collect all the information I could, but now I'm implementing a few of the filters.

The first thing I did after the spambot started messing with the form was to simply start rejecting all posts with specific HTML tags. To further filter the spam, I'm rejecting any post that is nothing more than a pile of links, as they were dumping a bunch of links per post, but still allowing people to send me a link or two as long as it falls within my framework of what legit content looks like.

This seems to be bouncing them at the moment and I'm not sure what the purpose would be for them to continue to spam my form if I don't allow them to dump links, but we'll see what happens.

One added benefit discovered when I was testing was it even bounced a couple of those spammy "link request" emails because they have too many links in them.

Sweet.
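
The two filters described in this post, as an added example that is not the blog author's code: reject posts carrying certain HTML tags, then reject posts that are little more than links while still letting a link or two through. The tag list, `MAX_LINKS`, `MIN_WORDS_PER_LINK` and the sample posts are assumptions made for the illustration.

```javascript
// Added example, not the blog author's filter. Tag list and thresholds are assumptions.
const MAX_LINKS = 2;           // "a link or two" is still allowed
const MIN_WORDS_PER_LINK = 5;  // assumed: less prose than this per link is a "pile of links"

// Assumed set of "specific HTML tags" that feedback from a person never needs.
const TAG_RE = /<\s*\/?\s*(a|img|script|iframe|font|div|span|h[1-6])\b[^>]*>/i;
const URL_RE = /\b(?:https?:\/\/|www\.)[^\s<>"']+/gi;

// Returns { ok, reason } for the message body of a contact-form POST.
function screenPost(body) {
  const text = String(body);
  if (TAG_RE.test(text)) return { ok: false, reason: "html-tag" };

  const links = text.match(URL_RE) || [];
  if (links.length > MAX_LINKS) return { ok: false, reason: "too-many-links" };

  // Count real words once the URLs are taken out of the text.
  const words = text.replace(URL_RE, " ").split(/\s+/).filter((w) => /[A-Za-z0-9]/.test(w));
  if (links.length > 0 && words.length < links.length * MIN_WORDS_PER_LINK) {
    return { ok: false, reason: "mostly-links" };
  }
  return { ok: true, reason: "clean" };
}

// Constructed sample posts (not taken from the blog's logs).
const SAMPLES = [
  "Your blocker locked me out at work while I was just reading, details at http://example.com/error.png",
  '<a href="http://pills.example/">cheap pills</a> <a href="http://casino.example/">casino</a>',
  "http://a.example/1 http://a.example/2 http://a.example/3 http://a.example/4",
  "visit www.a.example/x http://b.example/y",
];

function screenAll() {
  return SAMPLES.map((s) => screenPost(s).reason);
}

console.log(screenAll());
```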

Try the javascript trick...

A really cute trick to play on spammers is to make the form submit activate javascript that includes additional data fields that wouldn't be submitted unless they run the javascript as another way to verify human vs. bot without using a CAPTCHA.

The only drawback to this trick, which is inconsequential IMO, is that the Google and Yahoo translation proxies bust this all to hell as they replace all of your links with links back to their translation proxy, which of course doesn't send the data through the proxy properly.
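
The server side of that trick, as an added example that is not the blog author's code: the form page carries a signed `seed`, the submit handler in the browser adds an extra field computed from it, and the server rejects any POST that lacks the field or has the wrong value. The field names `seed` and `js_proof`, the secret, the 30-minute lifetime and the checksum in `jsAnswer` are all assumptions.

```javascript
// Added example, not the blog author's code. Field names, secret and lifetime are assumptions.
const crypto = require("crypto");

const SECRET = "constructed-demo-secret";  // assumed per-site secret, kept server-side
const MAX_AGE_MS = 30 * 60 * 1000;         // assumed lifetime of a rendered form

function sign(value) {
  return crypto.createHmac("sha256", SECRET).update(value).digest("hex");
}

function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Called when the form is rendered; the page embeds the returned seed.
function issueSeed(nowMs) {
  const ts = String(nowMs);
  return ts + "." + sign(ts);
}

// What the browser's submit handler computes and adds as the extra "js_proof" field.
// It is not a secret; it only shows that the page's script actually ran.
function jsAnswer(seed) {
  let h = 0;
  for (const ch of seed) h = (h * 31 + ch.charCodeAt(0)) >>> 0;
  return h.toString(16);
}

// Verdict for a POST body already parsed into an object of fields.
function checkPost(fields, nowMs) {
  const seed = String(fields.seed || "");
  const [ts, mac] = seed.split(".");
  if (!ts || !mac || !safeEqual(mac, sign(ts))) return "reject: bad seed";
  if (nowMs - Number(ts) > MAX_AGE_MS) return "reject: expired";
  if (fields.js_proof === undefined) return "reject: no script-added field";
  if (!safeEqual(fields.js_proof, jsAnswer(seed))) return "reject: wrong proof";
  return "accept";
}
```

A client that posts the form fields without running the page's script gets `reject: no script-added field`, and so does a visitor coming through a proxy that drops the added field, which is the translation-proxy drawback noted above.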

SCRAPER BUSTED #3 - UPDATE Cloaker Surfaces on Netfirms

The same cloaking bullshit artist I wrote about before has surfaced on a Netfirms server.

Details:

IP Address: 80.77.80.103
User Agent: "" [blank]
Where scraping content and redirect appear:
rbmusicartist.netfirms.com/artistic-family-portrait.html
Which redirects to some Ukrainian or Russian bullshit artist's site:
Domain Name: DEVAMATRI.COM

Registrant:
Oleg Povaljaev
Oleg Povaljaev (anandasat@narod.ru)
Tereshkovoj
Odessa
null,65072
UA
Tel. +380.482648166
Guess what?

They host it on ThePlanet.com, you could knock me over with a feather, I'm so surprised.

DEVAMATRI.COM (70.87.136.118)
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
NetRange: 70.84.0.0 - 70.87.255.255
Guess we should drop Netfirms in our blocked list too just to be safe:

rbmusicartist.netfirms.com (64.34.66.18)
Netfirms Inc PEER1-NETFIRMS-02 (NET-64-34-66-0-1)
64.34.66.0 - 64.34.66.255
Well, it's not much, but a little blocking each day will keep the scrapers away.

Now, here comes the real fun...

I was curious what else was on the server with DEVAMATRI.COM (70.87.136.118) and found a shitload of cloaking spam sites.
Note: The sites are indexed in both Yahoo and MSN but they aren't in Google.

Probably not the last of the sites from this slimeball, most likely the tip of the iceberg, but it's definitely a start to unearthing his network of crap.

SCRAPER BUSTED #11 - Inhoster Scraper Indexed by Yahoo

A couple of weeks back I posted about blocking Inhoster, which was oozing with spambots with one scraper in their midst, and that scraper has finally surfaced.

The scraper's ID is:

IP Address: 85.255.116.178
User Agent: Snoopy v1.2
Which showed up on a page buried on this domain:
index-se.com (85.255.116.182)
What a concept, 2 IPs in Inhoster for one scraper.

Now let's dig for some dirt!

A reverse-IP lookup reveals the scraping IP address 85.255.116.178 is also the IP for FINDALLBEST.COM which looks just like index-se.com.

85.255.116.178: FINDALLBEST.COM
Domain Name: FINDALLBEST.COM
Registrant:
N/A
Nekto (nekto@utopia.com)
Jamaica 17
Cuba
null,12476
CU
Tel. +543.56576767
The info for index-se.com claims to be from the US:
Domain Name: INDEX-SE.COM
Registrant:
Index SE
Index SE (admin@index-se.com)
67 Mt. Auburn St.
Cambridge
,02138
US
Tel. +617.4959659
85.255.116.182: SEARCHADULTSEX.COM:
Domain Name: SEARCHADULTSEX.COM
Registrant:
N/A
Nekto (nekto@utopia.com)
Jamaica 17
Cuba
null,12476
CU
Tel. +543.56576767
So I got curious what else was between 85.255.116.178 - 182 and it was all the same crap:

85.255.116.179: right-pharmacy.com

Different registrant but domain redirects to buy-soma-online.findallbest.com, there's a shock:
Registrant:
N/A
Alexei Aniskevich (alex@coolsearch.biz)
Sopruse pst 15
Tallinn
Harjumsa,50707
EE
Tel. +372.715713
85.255.116.180: wagemax.com

This one is just a Plesk domain placeholder page at this time and another registrant.
Domain Name: WAGEMAX.COM
Registrant:
N/A
Alexei Aniskevich (alex@coolsearch.biz)
Sopruse pst 15
Tallinn
Harjumsa,50707
EE
Tel. +372.715713
85.255.116.180: search-paga.com

Yes, same registrant and site looks like all the rest of the crap.
Domain Name: SEARCH-PAGA.COM
Registrant:
N/A
Alexei Aniskevich (alex@coolsearch.biz)
Sopruse pst 15
Tallinn
Harjumsa,50707
EE
Tel. +372.715713
85.255.116.181: coolsearch.biz

Pay dirt! We found the domain linked to the other domains on 85.255.116.180
Domain Name: COOLSEARCH.BIZ
Domain ID: D6614592-BIZ
Sponsoring Registrar: ESTDOMAINS INC
Sponsoring Registrar IANA ID: 832
Domain Status: ok
Registrant ID: DI_2271261
Registrant Name: Alexei Aniskevich
Registrant Organization: N/A
Registrant Address1: Moisavahe 64-1
Registrant City: Tartu
Registrant State/Province: Tartumsa
Registrant Postal Code: 50707
Registrant Country: Estonia
Registrant Country Code: EE
Registrant Phone Number: +372.715713
Registrant Email: alex@coolsearch.biz
When you go to coolsearch.biz it automatically takes you to: www.gigasearch.biz
Domain Name: GIGASEARCH.BIZ
Domain ID: D7182275-BIZ
Sponsoring Registrar: ESTDOMAINS INC
Sponsoring Registrar IANA ID: 832
Domain Status: clientTransferProhibited
Registrant ID: DI_2191316
Registrant Name: Alexei Aniskevich
Registrant Organization: N/A
Registrant Address1: Sopruse pst 15
Registrant City: Tallinn
Registrant State/Province: Harjumsa
Registrant Postal Code: 50707
Registrant Country: Estonia
Registrant Country Code: EE
Registrant Phone Number: +372.715713
Registrant Email: alex@coolsearch.biz
85.255.116.181: your-searcher.com
Domain Name: YOUR-SEARCHER.COM

Registrant:
N/A
Alexei Aniskevich (alex@coolsearch.biz)
Sopruse pst 15
Tallinn
Harjumsa,50707
EE
Tel. +372.715713
Let us continue with more of this puzzle...

Let's explore gigasearch.biz a bit more:

69.50.163.9: gigasearch.biz

We did find some similar scraping in this range:
69.50.190.242 "Snoopy v1.2"
Actually, the range 69.50.*.* has a ton of scraping, so seeing a link to this scraper and the Snoopy user agent yet again was no surprise.

GigaSearch.biz is hosted by our old friends InterCage, which hosted Scraper #4 and Scraper #6. I think they may all be the same scraper, as everything just keeps linking them together from host to host: some similar IP ranges and the same user agent. Nothing concrete, but the circumstantial evidence is overwhelming that they may be somehow related.

Most amusing is all the links on gigasearch.biz redirect to find.fm, and this relationship could be interesting but I'm getting sick of chasing this scraper / spammer at this point.

The host of our busted scraping pals #4, #6 and #11:
OrgName: InterCage, Inc.
OrgID: INTER-359
Address: 1955 Monument Blvd.
Address: #236
City: Concord
StateProv: CA
PostalCode: 94520
Country: US
NetRange: 69.50.160.0 - 69.50.191.255
Let's see what else is on the Gigasearch.biz server:

69.50.163.9: blanksearch.biz

This domain is NSFW with raw porn all over it.
Domain Name: BLANKSEARCH.BIZ
Domain ID: D6761115-BIZ
Sponsoring Registrar: ESTDOMAINS INC
Sponsoring Registrar IANA ID: 832
Domain Status: ok
Registrant ID: DI_3009123
Registrant Name: Ivars Kaupers
Registrant Organization: No
Registrant Address1: Skirgailos 15
Registrant City: Kaunas
Registrant Postal Code: 75128
Registrant Country: Lithuania
Registrant Country Code: LT
Registrant Phone Number: +370.571689
Registrant Email: ivars@blanksearch.biz

69.50.163.9: tgp-porno.net

This site brings up another of the same old porn links again.
Domain Name: TGP-PORNO.NET
Registrant:
N/A
Alexei Aniskevich (alex@coolsearch.biz)
Moisavahe 64-1
Tartu
Tartumsa,50707
EE
Tel. +372.715713
Last but not least, the server with find.fm hosts a few other garbage domains with the same links about pills and porn on them all, with "find.fm" on the bottom of the page which was a big shocker as well:

Domains on 64.111.196.119 (Find.fm)

adultwebfind.com
carwebsearch.com
cashwebsearch.com
dmns4sale.com
gamblingwebsearch.com
pharmacywebsearch.com
travelwebsearch.com
your-needs.info

Well, that's all for now.

Needless to say, they can't hide for long as they leave a slimy trail that can be followed.

Scrape me again, assholes, let's unravel the rest of your bullshit sites.

Wednesday, August 23, 2006

Slow Blog Week

Sorry if you aren't getting your daily dose of bad bots and the usual run-on ranting sentences packed full of expletives but I've been busy the last few days catching up on some accounting and doing some work on software and websites.

If you really need your 'fix' you can catch up on the latest of the Nutchies that are still harassing the shit out of me from a link from Doug Cutting's site.

As you can tell from the final comment posted, and a few previous comments, I'm losing patience with this bunch of crawling-the-web-is-our-right cultists.