Perhaps I should call them fungus since they grow in my logs.
Anyways, a new spam site is making referrer runs this afternoon: highprofitclub dot com, pointing (naturally) to online poker sites. Registered with Moniker (naturally) and pointed at obviously bogus registrant info. Sam Spade's browse tool returns "No such server" and no DNS is returned, so I'm guessing they're spamming before the site is even operational.
First appearance in my logs was 22:02 GMT.
Ann Elisabeth is all over it already.
Ted Rall admits defeat in his moronic "right wing challenge".
He was apparently so rattled by what he found in his mail (when he finally got a clue and got it working) that he posted his admission of defeat three times.
After a couple of days warming up, musicbox1 and isacommie (what is up with that name?) are pounding me today. The script I got from Candy Genius is catching all of them.
My webhost has indicated that he is going to start suspending execution of mt-tb and mt-comments during major spam runs, since they are cpu intensive and during a major run can slow the whole server down to a crawl.
It's really a pity, since this could be solved easily by a soft-nose round through the foreheads of some of these guys.
This has been on my mind lately:
Through early morning fog I see
visions of the things to be
the pains that are withheld for me
I realize and I can see...
that suicide is painless
it brings on many changes
and I can take or leave it if I please.
I try to find a way to make
all our little joys relate
without that ever-present hate
but now I know that it's too late, and...
suicide is painless
it brings on many changes
and I can take or leave it if I please.
The game of life is hard to play
I'm gonna lose it anyway
The losing card I'll someday lay
so this is all I have to say.
Suicide is painless
it brings on many changes
and I can take or leave it if I please.
The only way to win is cheat
And lay it down before I'm beat
and to another give my seat
for that's the only painless feat.
Suicide is painless
it brings on many changes
and I can take or leave it if I please.
The sword of time will pierce our skins
It doesn't hurt when it begins
But as it works its way on in
The pain grows stronger...watch it grin, but...
Suicide is painless
it brings on many changes
and I can take or leave it if I please.
A brave man once requested me
to answer questions that are key
is it to be or not to be
and I replied 'oh why ask me?'
Suicide is painless
it brings on many changes
and I can take or leave it if I please.
'Cause suicide is painless
it brings on many changes
and I can take or leave it if I please.
...and you can do the same thing if you please.
Theme from M.A.S.H., Johnny Mandel, 1970
Hunter S. Thompson, R.I.P.
Heh. I'd guess he's getting more than he bargained for.
Update: site's back up. The shitwad says his challenge remains totally unanswered. I've seen some references on other blogs that the email address he provided bounces. So either he is giving out a bogus email address because he's a big fraud who doesn't want to see the responses to his "challenge", or he's too stupid to configure a popmail setting.
Either one is pretty funny.
Salt Should Be Regulated Food Additive, Group Says
The food nannies are at it again. These are people who live every day in a rage that someone, somewhere, might be enjoying a meal, and by God, they're going to put a stop to it!
CSPI are a bunch of sour-faced busybodies who like nothing better than to mind everyone else's business. In fact, that is when they are happiest, or what passes for happy in the gray, bland, padded wall world they live in.
Screw off, jerks!
Seen on Ann Elisabeth's site:
Spammers Bet on Casino Affiliate Cash at Netaloid.
One of the commenters asks what about the pharma connection? And that's a good point: all the v1agra, c1alis, and ph3ntermine sites out there that spam like crazy are feeding these parasites too.
But I like the idea of letting the casinos know that if they use spammers to advertise, they are obviously not trustworthy enough to handle money.
Update: I emailed one of the casino sites being flogged by nutzu to see what response (if any) I get. Stay tuned.
Spamming from isacommie and musicbox1 is coming in, but it's sporadic, unlike nutzu which hammered my site almost continually for three days.
The server is sort of slow, though, which usually means someone is getting hammered bad. Probably an MT install with open comments.
So goes life in the brave new world.
Update: spoke too soon, naturally. My logs are now full of poker, drugs, and loan offer sites.
Well, it was a short break. musicbox1 and isacommie (what the hell name is that?) are starting spam runs against my site today, in spite of the fact that I don't publish my referrers.
My two-line htaccess rule that I got from Candy Genius (a link is available below) is still giving these pests a 403 error. Guess they aren't very adaptable.
gpshewandotcom » Blog Archive » Google spoofing
The same guy who crawled my site did the same thing to gpshewan's site, with no better results, apparently.
Well, I know it's a spoon, but can anyone tell me what type? I have a wild suspicion what it might be, but it's so wild I don't want to jump right in and be revealed as a fool.
If you know, please email me (link below).
My site has been thoroughly crawled this morning by IP 82.103.65.225, which is probably familiar to anyone who follows referrer spam. Here's the IP-block data:
Now why is my little blog of such interest in Bulgaria? If you're (Bulgarians) reading this, please note that I do not allow comments, I do not allow trackbacks, and I do not publish referrers, so all your efforts just end up in logs that no one but me ever sees. They aren't accessible to Google or any other search engine, so your spam floods don't go anywhere.
So go back to your day job - pimping your daughters.
Assholes.
After a relentless onslaught that has gone on for the last five days, 24 hours a day, nutzu-dot-com has fallen quiet. They also removed the cloaking script from their site and if you browse to nutzu-dot-com, you get their registration page.
I, for one, wish I had never heard of poker.
So, is this the end? Or (more likely) are the Bulgarians tooling up for another client whose spam will start appearing in the next day or so? Video at eleven.
I feel so special. Today I started getting my very first trackback spam (attempts). That must mean I've finally arrived in the blog world (or not, hehe).
In either case, mt-tb points to a honeypot script, not to the original MT script. I will have a file with lots of info on the spammers each time they try to post.
I still suggest that shooting them in the spine is the best idea.
Ann Elisabeth points out that the referrer spammers who are pestering the blog world these days are Bulgarians. I have been to the nutzu dot com page and found the obfuscated javascript that flings you to a bogus "account suspended" page, which puzzled the heck out of me until Ann Elisabeth pointed out that Google would not "see" the javascript redirect and would index the actual referred pages. And there are lots of pages. Lots and lots of pages.
It looks like nutzu wants to be the top ranked page in Google for anything to do with poker. WTF is the big deal with poker? No way I'm trusting these putrescent boils on the ass of the internet with any financial information, which is a given for internet gambling. You may as well send them the title to your house as well.
See this entry at Ann Elisabeth's also, for more analysis like what I was doing below. joatBlog spends a lot more time delving into shetef.com and the twisted connections of the referrer spammer's world.
For myself, I don't publish my referrers, like many (used to) do. It's pointless, now anyway, with all the spam circulating. I also don't have comments, for the same reason. My mt-comments script is actually a honeypot that gathers information on spammers when they try to ping it.
Their screwy dealings have come home to roost big time - they can't get their 10K in to the SEC and NASDAQ has warned them that they will be delisted next week.
Delisting will make what was previously an easily traded, although rapidly declining, stock very difficult to unload when the last clueless longs finally figure out that the sundeck just slipped below the waves and all the lifeboats are gone.
Seth Jayson, at Motley Fool, calls it SCO's Slow Death Spiral, and points out that Admiral Darl McBride, who is plotting this ship's course into the iceberg, was paid "over $1 million for this kind of leadership, including a $750,000 bonus, plus 78,000 restricted shares of stock and 200,000 options." A $750,000 bonus for the biggest bonehead move ever in the IT industry. Obviously the board at SCO is so tightly wound up in their circle-jerk they haven't come up for air in quite a while. It's almost over, guys. The federal judge in your case all but called you liars and criminals for your performance to date, and decided to give you a few more feet of rope so that when the noose snaps tight, there will be no escape. You morons are doomed, and if justice still exists, more than one of you has a cell waiting.
Enjoy the twilight, idiots. It's the last light you will see for quite a while.
(Somebody please cancel McBride's, Sontag's, and Stowell's passports before they skip for the Bahamas, okay?)
Bill Gates is a funny guy. As pointed out by the CTO of Opera Software in this Register article, Gates' statement on interoperability is, well, a joke. The world leader in broken browsers, busted standards, non-compatibility, grabbing free and open standards and making them proprietary, is talking about interoperability. And doing it on a page that lists, at latest count (20:26GMT 14-Feb-2005) 42 errors according to the W3C validator.
And some of the errors are ridiculous, like having multiple <HTML> declarations in the page, stuff you should learn in high-school web page classes.
If you want a laugh, here's the page:
Executive E-Mail: Bill Gates on Interoperability
Bottom line? You can't trust these bastards, don't even think about it.
Okay, what's this?
Sun Feb 13 14:44:29 2005 : Blocked access attempt from 170.224.33.19
Sun Feb 13 14:44:29 2005 : Blocked access attempt from 170.224.33.17
Sun Feb 13 14:44:29 2005 : Blocked access attempt from 170.224.33.18
Sun Feb 13 14:44:28 2005 : Blocked access attempt from 170.224.33.19
Sun Feb 13 14:44:28 2005 : Blocked access attempt from 170.224.33.17
Sun Feb 13 14:44:28 2005 : Blocked access attempt from 170.224.33.18
Sun Feb 13 14:44:27 2005 : Blocked access attempt from 170.224.33.19
Sun Feb 13 14:44:27 2005 : Blocked access attempt from 170.224.33.17
Sun Feb 13 14:44:27 2005 : Blocked access attempt from 170.224.33.18
Sun Feb 13 14:44:26 2005 : Blocked access attempt from 170.224.33.19
Sun Feb 13 14:44:26 2005 : Blocked access attempt from 170.224.33.17
Sun Feb 13 14:44:26 2005 : Blocked access attempt from 170.224.33.18
Sun Feb 13 14:44:25 2005 : Blocked access attempt from 170.224.33.19
Sun Feb 13 14:44:25 2005 : Blocked access attempt from 170.224.33.17
Sun Feb 13 14:44:25 2005 : Blocked access attempt from 170.224.33.18
Sun Feb 13 14:44:24 2005 : Blocked access attempt from 170.224.33.19
Sun Feb 13 14:44:24 2005 : Blocked access attempt from 170.224.33.17
Sun Feb 13 14:44:20 2005 : Blocked access attempt from 170.224.33.18
Sun Feb 13 14:44:20 2005 : Blocked access attempt from 170.224.33.19
Sun Feb 13 14:44:20 2005 : Blocked access attempt from 170.224.33.17
Sun Feb 13 14:44:19 2005 : Blocked access attempt from 170.224.33.19
Sun Feb 13 14:44:19 2005 : Blocked access attempt from 170.224.33.17
Sun Feb 13 14:44:19 2005 : Blocked access attempt from 170.224.33.18
Sun Feb 13 14:44:18 2005 : Blocked access attempt from 170.224.33.19
Sun Feb 13 14:44:18 2005 : Blocked access attempt from 170.224.33.17
Sun Feb 13 14:44:18 2005 : Blocked access attempt from 170.224.33.18
Those are Sequent numbers (IBM).
Hmm.
The most astonishing thing has happened in my ongoing struggle with the referrer spammers. I put a two-line entry in my htaccess file, and now all the referrer spammers are getting "403 - Forbidden" tags.
Admittedly it's not the same as getting them all shot through the spine, but it's something.
If you want to know the secret entry, email me, or visit Candy Genius, where I found it.
I am getting a lot of referrer spam from subdomains of 6q.net, so I thought it might be fun to poke around to see what connections are under the hood.
Picking one at random:
65.165.84.11 - - [11/Feb/2005:13:51:33 -0500] "GET /weblog/archives/000128.html HTTP/1.0" 403 310 "http://party-poker.6q.org/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
Okay, that IP belongs to webshield.sulanet.net. The whois gives you this:
If you browse that IP address, you get:
Error - 400
Requested URL is not valid
So, no help there, although I've seen that identical response enough times to begin to form a hypothesis of what's going on. (Hint: think "open proxies")
Okay, so let's browse the target, party-poker.6q.org. That gets me a brief look at what might be an online poker site before redirecting to www.6q.org, and a page saying:
This statement is permanently in suspension - Due to mis-proper use of the hosting account
ACCOUNT TERMINATED!
So, the authorities have caught up with the bad guys, right? Well, maybe not. The whois for 6q.org is no longer searchable, but was found to be registered by Moniker, a Chinese spam registrar. The IP address for party-poker.6q.org is 219.150.118.16, which is in the Asian (RIPE) block.
On the "Account terminated" page is a form to
"Step up to fight unwanted client practices. Fill the form below so we can take appropriate action."
The action on this form is:
action='http://64.234.220.141/submitAbuse.php'
Now THAT ip address goes to shetef.com, and the whois for shetef.com is:
The IP block belongs to Webstream, Inc., in Fort Lauderdale. If you do a Google search of Webstream, you will find references to referrer spammers and porn sites.
So that's quite a tangled web. A proxy in Honduras (HN = Honduras?) points to a spammer site in China which redirects to a page that wants you to fill out a form that goes to a domain registered in Israel, hosted in Florida.
All I can think to say, is: WTF?????
Update: I tried the ip address 65.165.84.11 in the following format:
http://65.165.84.11/?http://www.yahoo.com/
and what do you know? I got the Yahoo! home page. So then I tried to proxy myself through them, thusly:
http://65.165.84.11/?http://mdwalters.net/
and much to my surprise got a cornerhost screen saying "This account is disabled". Holy cow! I quickly loaded my page normally, and it worked fine, so I'm guessing Michal has banned proxies that use my rather primitive proxy technique right at the gateway.
The server logs at cornerhost do not include the "HTTP_X_FORWARDED_FOR" field, so you can't see the proxies when they come in. I might email Michal and ask if that can be added to the apache log format line, so the logs will reflect proxied requests.
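Added example (not part of the original post, and not the author's htaccess rule or honeypot script): a small Python pass over Apache combined-format log lines like the one quoted above. It counts hits whose Referer falls under the 6q domains and also reads a trailing X-Forwarded-For field. It assumes the LogFormat line has been extended with \"%{X-Forwarded-For}i\"; the function names and every sample line after the first are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# A quoted log field; Apache writes an embedded double quote as \".
Q = r'"(?P<%s>(?:[^"\\]|\\.)*)"'
# Apache "combined" format plus an optional trailing quoted field.
# Assumption: LogFormat was extended with \"%{X-Forwarded-For}i\";
# the stock combined format does not record that header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ' + Q % "request" +
    r' (?P<status>\d{3}) (?P<size>\S+) ' + Q % "referer" + " " + Q % "agent" +
    r'(?: ' + Q % "xff" + r')?\s*$'
)

# Referrer domains named in the post; their subdomains are matched too.
BLOCKED_SUFFIXES = ("6q.org", "6q.net")

# First line is the entry quoted in the post; the rest are constructed samples.
SAMPLE_LOG = [
    '65.165.84.11 - - [11/Feb/2005:13:51:33 -0500] "GET /weblog/archives/000128.html HTTP/1.0" 403 310 "http://party-poker.6q.org/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    '192.0.2.10 - - [11/Feb/2005:13:52:01 -0500] "GET /weblog/ HTTP/1.0" 403 310 "http://constructed-sample.6q.org/" "Mozilla/4.0 (compatible)" "198.51.100.7"',
    '192.0.2.10 - - [11/Feb/2005:13:52:02 -0500] "GET /weblog/index.html HTTP/1.0" 403 310 "http://CONSTRUCTED-SAMPLE.6Q.ORG:80/x" "Mozilla/4.0 (compatible)" "198.51.100.7"',
    '203.0.113.5 - - [11/Feb/2005:13:53:10 -0500] "GET /weblog/ HTTP/1.1" 200 5120 "http://not6q.org/" "Mozilla/5.0" "-"',
    '203.0.113.6 - - [11/Feb/2005:13:54:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def referer_host(referer):
    """Lower-cased host of a Referer value; '' for '-' or a malformed URL."""
    if not referer or referer == "-":
        return ""
    try:
        return (urlsplit(referer).hostname or "").rstrip(".")
    except ValueError:  # the header is client-controlled and may be junk
        return ""

def blocked_suffix(host, suffixes=BLOCKED_SUFFIXES):
    """Return the blocked domain that host equals or is a subdomain of."""
    for s in suffixes:
        # Compare on a label boundary so "not6q.org" does not match "6q.org".
        if host == s or host.endswith("." + s):
            return s
    return None

def summarize(lines, suffixes=BLOCKED_SUFFIXES):
    """Count hits per (connecting IP, forwarded-for value, blocked domain)."""
    hits, unparsed = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        suffix = blocked_suffix(referer_host(rec["referer"]), suffixes)
        if suffix:
            xff = rec["xff"] if rec["xff"] not in (None, "", "-") else None
            hits[(rec["ip"], xff, suffix)] += 1
    return hits, unparsed
```

X-Forwarded-For is supplied by the client or proxy and can be forged, so the forwarded value is a lead for grouping requests, not proof of origin.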
Watched "24" last night. I had successfully avoided the first two (three?) seasons, in order to watch something on another network that was more attractive to me. I could tell that 24 was excellent, but I didn't want to get into the "watch this one, tape that one" fire drill that I sometimes fall into with competing time slots.
But this year I got hooked by 24 early on, and there's not that much opposite that can't be caught up on during rerun season. The Azar family are deliciously evil in their fanatical pursuit to damage the U.S., and as expected, C.A.I.R. came out with their usual complaints.
So it was a nice irony last night when Kiefer Sutherland did his spot on how "the American Muslim community stands with all Americans against terror" given this.
Yeah, shoulder to shoulder. Right.
Update: Little Green Footballs noticed this, too. Ha.
Uh, wow!
Yahoo! News - New 'Supercomputer on a Chip' Makes Debut
Linux. Heh, heh. Take that, SCO.
So Microsoft is going to challenge Google in searchspace? Let me see, "to Google" something is pretty well understood everywhere in cyberspace as meaning to get comprehensive data on a subject through an internet search service. "To Microsoft", if it means anything at all, would probably mean to fuck over your competition and your customers by leveraging a monopoly to squeeze out competition and foist crappy software on your customers.
Google runs on Linux, Microsoft search runs on God knows what, although if they want it to work more than a few hours at a stretch, I'm guessing not Windows. That is a sort of metaphor for the whole situation: free and open source versus Satan.
So, in honor of the launch of Microsoft's new search service, I have edited my robots.txt file to tell msnbot to take a hike.
I am being besieged by referrer spammers at present, but I have written a rule for the htaccess file that flings them to a particularly disgusting porn site.
Something to do with a goat. :)