
Stopping the guestbook spammer – part 3

March 21st, 2006

If you’re looking for the Michael Pollitt who left a spam message in your guestbook (or in other response forms), it wasn’t me.

He’s back! Spamming guestbooks using my name and e-mail address [this link may not last] and the other names mentioned here. I’ve picked up this activity from alerts and guestbook acknowledgement e-mails. As soon as I know what IP he’s using for the spam runs, I’ll do my best to get the plug pulled. The main site being spammed is search-pharmacy-online.com (hosted by EV1) via redirects from the other sites listed in the spam messages. I’m going to try and get that pulled too.

Checking the EV1 AUP, I found this:

…anyone hosting websites or services on their server that support spammers or cause any of our IP space to be listed in any of the various Spam Databases will have their server immediately removed from our network…

Seems clear enough, doesn’t it? I also found another site on the same IP as the spammed site. It’s klikvipsearch.com. Looking at the IP more thoroughly, there’s a connection to Moldavia. The more abuse I see involving my name, the more I’ll investigate and report. Hint to spammer: stop using my details and I’ll leave you in peace.

Update: EV1 is now on your tail:

We appreciate you bringing this to our attention. This issue is currently being investigated. Due to privacy policies we will most likely not be able to provide you with information regarding the outcome of our investigation.

Update 22 March: More spam evidence in today so more details from me. The plug has not yet been pulled on search-pharmacy-online.com (ev1s-67-15-237-49.ev1servers.net) so I have reminded EV1. The netblock owner is remsys.org (67.15.237.0-67.15.237.255) and there are other pharmacy sites in this block such as the one at 67.15.237.67 (pharmacy-online-search.com (note the name reversal!) – ev1s-67-15-237-67.ev1servers.net). I’ll leave you to do the full whois on remsys.org but it comes up as Chisinau in Moldova (country code MD). Joe (see his comment on this post) reports that his name is being used by the spammer.

Update same day: More evidence to hand, so more to blog. The guestbook spamming run is coming from 69.31.41.89 (colo-69-31-41-89.pilosoft.com). I have just found a guestbook entry in Ann Elisabeth’s name left using that IP and there are links (via redirects) back to search-pharmacy-online.com at EV1. Pilosoft is also the place where 1-800-pills.com is currently sitting (though there’s no content at the moment) along with various porn sites. EV1 has still not taken down the spammer’s site. 69.31.41.89 has been very busy – there are 2,774 results in MSN for that IP involving guestbook spam (612 results in my name). I’ve just reported this to Pilosoft.

Update 23 March: I just had to share this gem from EV1.

Dear Sir or Madam,

In order to accurately track the origin of the email, we need the full header and message. If you need help please visit the following site: http://www.haltabuse.org/help/headers/. This site will give you instructions on how to get headers from any email program.

Please keep in mind that we can only investigate Spam complaints that are no more than 3 days old.

Once you provide us with the full message and header we will then investigate this issue. Thanks in advance.

What the …..! I’ve told EV1, again, what this is all about. And it isn’t e-mail spam. The only e-mails I’m getting are the ones from the spammed guestbooks. No response from Pilosoft so far.

Update same day: I’ve had enough. The spamming is continuing unabated judging by increasing search engine results. I therefore followed up this “Copyright 2006 KlikVIP.com” on the bottom of the search-pharmacy-online.com page and complained to klikvip.com. In their FAQ, they say:

CAN I SPAM? Absolutely not. Your account will be closed and you’ll not get paid.

We’ll see what happens next. No response from Pilosoft and nothing further from EV1. Oh, guess what. klikvip.com is hosted at EV1 (ev1s-67-15-237-78.ev1servers.net).

Update 24 March: E-mails reporting the abuse have been repeated to EV1 and Pilosoft (Alex Pilosov).

Update 27 March: The spamming in my name has continued over the weekend. So more information to blog as promised. Had the spammer stopped, I would have stopped blogging. The more I dig, the more evidence is pointing at EV1 in terms of hosted sites for this spammer. Why doesn’t EV1 do anything about it?
If you look here, you’ll see a list of spamvertised sites with my details. I’ve checked each site.

http://garry.za.pl/valium74.html (REDIRECTS TO) search-pharmacy-online.com
http://republika.pl/jjedai/alprazolam69.html (REDIRECTS TO) search-pharmacy-online.com
http://pharm.inknoise.com/001/2006/03/17/0004 (REDIRECTS TO) search-pharmacy-online.com
http://pharm.inknoise.com/001/2006/03/17/0002 (REDIRECTS TO) search-pharmacy-online.com
http://www.comunalia.com/xanaxvalium – NO REDIRECT
http://c.1asphost.com/shnur/lorazepam.html NOT FOUND
http://www.zorpia.com/tamiflu (REDIRECTS TO) search-pharmacy-online.com
http://republika.pl/varvarv/phentermine9 (REDIRECTS TO) search-pharmacy-online.com
http://c.1asphost.com/coolkelly/carisoprodol.html NOT FOUND
http://republika.pl/jjedai/alprazolam9.html (REDIRECTS TO) search-pharmacy-online.com
http://www.zorpia.com/vaniqa (REDIRECTS TO) search-pharmacy-online.com
http://c.1asphost.com/varvarv/levitra.html NOT FOUND
http://1800adipex.proboards55.com (REDIRECTS TO) search-pharmacy-online.com
http://c.1asphost.com/varvarv/metformin.html NOT FOUND
http://www.comunalia.com/valiumvsxanax – NO REDIRECT
http://phentermine.cba.pl/phentermine-fda.html NOT FOUND http://www.cba.pl/
http://c.1asphost.com/shnur/lortab.html NOT FOUND
http://republika.pl/varvarv/phentermine2.html (REDIRECTS TO) search-pharmacy-online.com
http://republika.pl/ratatyi/HYDROCODONE-POLISTIREX.html NO REDIRECT
http://www.pharmacy.bitdom.pl/phentermine-tablets.html (REDIRECTS TO) search-pharmacy-online.com

The above links give you an idea of the extent of this spamming operation. The search-pharmacy-online.com site is hosted at EV1 (ev1s-67-15-237-49.ev1servers.net). Guestbook/form spamming from 69.31.41.89 (Pilosoft) (colo-69-31-41-89.pilosoft.com) is continuing.
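The check run on each link in the list above, as an added example that is not part of the original post: a small Python redirect-chain walker that records where each spamvertised URL finally lands, with a loop guard and a hop limit, then groups the URLs by landing host. The fetch function is injected, so the run below uses a constructed offline response table with made-up hosts (example-a.test and friends); search-pharmacy-online.com is the landing site named on the page.

```python
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


def follow_redirects(url, fetch, max_hops=10):
    """Walk a redirect chain one hop at a time.

    `fetch(url)` must return (status_code, location_header_or_None) WITHOUT
    following redirects itself. Returns (outcome, final_url), where outcome is
    one of "REDIRECTS TO", "NO REDIRECT", "NOT FOUND", "LOOP", "TOO MANY HOPS".
    """
    seen = [url]
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status == 404:
            return ("NOT FOUND", current)
        if status in REDIRECT_CODES and location:
            nxt = urljoin(current, location)  # Location may be relative
            if nxt in seen:                   # A -> B -> A style loop
                return ("LOOP", nxt)
            seen.append(nxt)
            current = nxt
            continue
        # Non-redirect response: either we never moved, or this is the landing page.
        return ("NO REDIRECT", current) if current == url else ("REDIRECTS TO", current)
    return ("TOO MANY HOPS", current)


def landing_domains(urls, fetch):
    """Group spamvertised URLs by the host they finally land on (or by outcome)."""
    groups = {}
    for u in urls:
        outcome, final = follow_redirects(u, fetch)
        key = urlparse(final).hostname if outcome == "REDIRECTS TO" else outcome
        groups.setdefault(key, []).append(u)
    return groups


# Constructed offline stand-in for HTTP HEAD responses (not real captures);
# hosts ending in .test are placeholders, the landing site is the one named in the post.
FAKE_RESPONSES = {
    "http://example-a.test/valium74.html": (302, "http://redir.example.test/go?x=1"),
    "http://redir.example.test/go?x=1": (301, "http://search-pharmacy-online.com/"),
    "http://search-pharmacy-online.com/": (200, None),
    "http://example-b.test/xanaxvalium": (200, None),
    "http://example-c.test/lorazepam.html": (404, None),
    "http://loop.test/a": (302, "/b"),
    "http://loop.test/b": (302, "/a"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))
```

A live fetcher would issue a HEAD request with automatic redirect handling disabled and return the status code and raw Location header, so the walker, not the HTTP library, decides when to stop.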

There are TWO search-pharmacy-online.com sites at EV1 that look almost identical.
www.search-pharmacy-online.com = ev1s-67-15-237-49.ev1servers.net
search-pharmacy-online.com = ev1s-67-15-237-67.ev1servers.net.

And then there’s this: pharmacy-online-search.com = ev1s-67-15-237-67.ev1servers.net, which has the same registration details as search-pharmacy-online.com.
Whois for search-pharmacy-online.com

Name: Nelroy Ltd.
Company: Nelroy Ltd.
Address:

State House Avenue
Victoria House, Suite 206

City: Victoria
State:
Country: SC
Zip: 101-04
Tel No: 7 9103377737
Fax No:
Email:

(edited: the administrative and technical contact details are the same as the registrant)
Nameserver Details
NameServer: ns1.klikdomains.com
NameServer: ns2.klikdomains.com
NameServer: ns3.klikdomains.com
NameServer: ns4.klikdomains.com

Record Details

Creation Date: Jan 15 2006
Expiration Date: Jan 15 2007

klikdomains.com whois

Domain Name: KLIKDOMAINS.COM

Registrant:
MK Digital Media LLC.
Maxim Korolevich (support@mk-digital.com)
1620 Dia Del Sol Way
Las Vegas
NV,89128
US
Tel. +1.7022173612

Creation Date: 14-Apr-2005
Expiration Date: 14-Apr-2006

Domain servers in listed order:
ns4.klikdomains.com
ns3.klikdomains.com
ns2.klikdomains.com
ns1.klikdomains.com

(edited: the administrative, technical and billing contact details are the same as the registrant)

Where are the name servers?

klikdomains.com 67.15.237.85 PTR record: ev1s-67-15-237-85.ev1servers.net – EV1 again….

ns1.klikdomains.com 66.135.40.144 PTR record: mercury.orderbox-dns.com
ns1.klikdomains.com 66.249.5.10 PTR record: venus.orderbox-dns.com.
ns1.klikdomains.com 67.15.47.188 PTR record: 67-15-47-188.opticaljungle.com.
ns1.klikdomains.com 66.249.5.25 PTR record: mars.orderbox-dns.com.

Whois for klikvip.com (mentioned on search-pharmacy-online.com)

Domain Name: KLIKVIP.COM 67.15.237.78 PTR record: ev1s-67-15-237-78.ev1servers.net (EV1 again!!)

Registrant:
Nelroy Ltd.
Nelroy Ltd. (contact@nelroyltd.com)
State House Avenue
Victoria House, Suite 206
Victoria
null,Victoria
SC
Tel. +7.9103377737

Creation Date: 19-Nov-2005
Expiration Date: 19-Nov-2006

Domain servers in listed order:
managedns1.estboxes.com
managedns2.estboxes.com
managedns3.estboxes.com
managedns4.estboxes.com

(edited: the administrative, technical and billing contact details are the same as the registrant)

27 March end of day: I’m currently seeing more e-mails from guestbooks provided by a US-based specialist hosting company. They thought they’d fixed the vulnerability but the spammer has found a way around it. Last time I had 350 e-mails from this source.

This post has now got a bit long! So I’ll be starting part 4 of stopping the guestbook spammer soon.

  1. March 22nd, 2006 at 02:27

    Looks like now he is using Joe too. I thought originally I had been spared. Whoever it is is clearly a regular reader of Ann’s blog or went back and read a lot of posts’ comments. Halz is not a frequent poster there and lately I hadn’t posted much either until last week.
