
Stopping the guestbook spammer – part 5

While EV1 now seems to have removed the two main spammed sites, search-pharmacy-online.com and online-search-catalog.com, these were only two of the 29 related sites I’d found on EV1 over the last few weeks. The continuing guestbook spamming today prompts me to post fuller details below. If your guestbook or blog (or e-mail) has been spammed by comments that point (redirects are normally used) to any of these EV1-hosted sites, please let me know by e-mail or leave a comment on this post. The ARIN whois details used on the block of EV1 addresses involved may be false.

2 May – update. Some of these sites are now dead or on the move to other hosts. The list below is as it was yesterday, 1 May, annotated with current status (as at 2 May) in brackets.

Update 4 May: As some of you may already know, my story on the guestbook spammer last week upset somebody enough to try the same tactics against the Guardian. Charles Arthur has written a short piece today about that. Our investigations across several countries in eastern Europe are continuing with some success. I have also been tackling some further spamming today – a series of Pivot-powered blogs which are directing numerous comment acknowledgements at me – linking to a new ‘clone’ pharmacy site hosted on Pilosoft (I won’t identify this at the moment).

Just been sent some grepped log extracts from one of the spammed blogs for today (my thanks to the person who e-mailed them) showing that IPs at In-Telecom Ltd (Russia) are still involved – 81.177.15.44, 81.177.15.50, 81.177.14.241, 81.177.14.231, 81.177.15.238, and 81.177.14.237. If you google any of the individual IPs like this you’ll see some spam. And it gets more interesting if you do it like this. The guestbook spammer has been busy. He’s been using a system here too.

This blog is also being hammered by pharmacy comment spam today. Fortunately, none of it has got past Akismet (919 spams killed since 1 April). Update 6 May: 1025 spams now dead!

Sites hosted by EV1 in the range: 67.15.237.1 – 67.15.237.255

http://67.15.237.44 – pharmacytousa.com (dead)
http://67.15.237.45 – klikadult.com (live)
http://67.15.237.48 – nichepass.com (live)
http://67.15.237.49 – klikvipsearch.com (live)
http://67.15.237.50 – klikstyle.com (live)
http://67.15.237.51 – unidentified search site (live)
http://67.15.237.67 – pharmacy-online-search.com (live)
http://67.15.237.69 – another unidentified search site (live)
http://67.15.237.70 – similar to 67.15.237.69 (live)
http://67.15.237.75 – uploading.com (live)
http://67.15.237.78 – klikvip.com (live, moved to http://207.226.176.139/)
http://67.15.237.82 – unidentified search site (live)
http://67.15.237.85 – klikdomains.com (live)
http://67.15.237.240 – uploading.com (live)
search-pharmacy-online.com (previously at 67.15.237.49) – a clone site (bsearches.com) has now appeared on Pilosoft and is being spammed. (Still live 2 May 2006)
online-search-catalog.com – (previously at 67.15.237.49). Dead. May have appeared as a clone elsewhere?

pharmacy-online-search.com (67.15.237.49) (dead)
online-teacher-search.com (67.15.237.67) (dead)
finance-search-online.com (67.15.237.67) (dead)
online-search-pharmacy.com (67.15.237.49) (dead)
online-finance-search.com (67.15.237.49) (dead)
online-search-casino.com (67.15.237.67) (dead)
bestsearchinsurance.com (67.15.237.67) (dead)
online-adult-search.com (67.15.237.49) (dead)
onlinesearchcasino.com (67.15.237.67) (dead)
best-auto-search.com (67.15.237.67) (dead)
travel-best-search.com (67.15.237.67) (dead)
search-best-auto.com (67.15.237.67) (dead)

(2 May… 67.15.237.49 goes to klikvipsearch.com, 67.15.237.67 goes to pharmacy-online-search.com)

Other: azresults.com (207.44.134.217) – note, this is a direct allocation on EV1. Found from a spammed guestbook. (now dead 2 May 2006)

Notes:

1. Many of the above sites include a copyright message for klikvip.com on the index page.

2. According to the ARIN whois, the EV1-owned block of 67.15.237.1 – 67.15.237.255 is currently assigned to:

[details removed - 2 May 2006]

3. Information correct as at 1 May 2006. Updates in brackets 2 May 2006.

  1. May 5th, 2006 at 23:21 | #1

    I have this problem right now. Here is the IP address: 195.255.176.79, which belongs to Netcathost.
