Comment spammers are getting more sophisticated every day. It is a fucking arms race. Now that they know we all have content filters on, they try to make their messages sound innocent. I currently have one jackass posting things like Wow! Excellent post! comments all over the place. He has no link in the comment body, but he includes a German online casino address in the website field. Quite clever… Not clever enough though, because so far every single comment has landed in akismet’s spam-bucket.
The interesting thing about this dude is that he has a static IP address. Most of the other spam messages caught by akismet come from a wide range of IPs. No other address showed up with the same consistency day after day.
All the comments show up as posted from 74.52.68.226. A quick whois query revealed that the IP belongs to a Dallas-based web hosting company:
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
I did shoot them several emails (to abuse, admins and webmaster addresses) about this issue over the last few days. So far no response. I’m posting it here, hoping that public exposure will prompt ThePlanet to investigate this and take appropriate action.
I started poking around, and it turns out that the guy is running Apache with PHP and MySQL. He was even nice enough to print out the phpinfo output for us. Heh…
I’m suspecting that the spammer likely has created an account with ThePlanet and he is using it as a proxy to spam out blogs. The machine I was scanning is likely just a node in their server farm or an SSH login server. Either that, or it is a rooted, hijacked machine on their network. In both cases they should do something about it. I’m sure I’m not the only person being hit by this asshole.
For now, I’m denying that IP in my .htaccess file. Even though he has yet to post a single successful spam on my blog, I don’t want to give him any more chances. Hopefully his software will mark me as dead when it can no longer connect to my site.
Too bad that the AOL dialup swarm that barrages me with “free ringtone” offers does not have a single unifying static IP. :P All their hits are from the 152.163.100.* range, which is owned by AOL. I’m wondering if that’s just one user that gets a new IP when he reconnects, or multiple users all infected with the same spambot. Here are some of their IPs:
I would really like to know what they are using to bypass the captcha. They must have some decent OCR module – I just wish I knew what it was. Consequently I slightly increased the complexity of the image to make their lives slightly more difficult. Let’s see if that does anything…
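An added example, not part of the original post: a small script that separates the two kinds of source described above, a single static IP that shows up day after day and a swarm of short-lived addresses inside one /24, and writes .htaccess deny rules (Apache 2.4 syntax) only for the static ones. The queue entries, dates, thresholds and function names are constructed for illustration; only 74.52.68.226 and the 152.163.100.* range come from the post.

```python
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed spam-queue entries: (day, source IP, link in body?, website field).
SPAM_QUEUE = [
    (date(2007, 1, d), "74.52.68.226", False, "http://casino.example")
    for d in range(1, 6)
] + [
    (date(2007, 1, 2), "152.163.100.11", True, ""),
    (date(2007, 1, 2), "152.163.100.74", True, ""),
    (date(2007, 1, 3), "152.163.100.132", True, ""),
    (date(2007, 1, 4), "152.163.100.201", True, ""),
    (date(2007, 1, 4), "203.0.113.9", True, ""),
]

def classify_sources(queue, min_days=3, min_hosts=3):
    """Return (static_ips, swarm_networks) found in the spam queue."""
    days_by_ip = defaultdict(set)
    for day, ip, _has_link, _site in queue:
        days_by_ip[ip].add(day)
    # Static offender: the same address seen on several distinct days.
    static = sorted(ip for ip, days in days_by_ip.items() if len(days) >= min_days)
    # Swarm: many different short-lived addresses sharing one /24.
    hosts_by_net = defaultdict(set)
    for ip in days_by_ip:
        if ip not in static:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            hosts_by_net[str(net)].add(ip)
    swarms = sorted(n for n, hosts in hosts_by_net.items() if len(hosts) >= min_hosts)
    return static, swarms

def link_only_in_website_field(queue):
    """IPs whose comments have a clean body but a URL in the website field."""
    return sorted({ip for _, ip, has_link, site in queue if not has_link and site})

def htaccess_rules(static_ips):
    """Deny rules for static offenders only; shared ISP ranges are left for
    manual review because blocking them also blocks legitimate visitors."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in static_ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    static, swarms = classify_sources(SPAM_QUEUE)
    print(htaccess_rules(static))
    print("Review before blocking:", ", ".join(swarms))
```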
I am getting this too from that same IP!
But I’m conflicted... as this spam said a really nice comment telling me to cheer up about losing everything in a house fire back in June (albeit over and over), but the link was from a porno site lol. I am denying the IP too.
Yeah, they are getting sneaky these days.
But, since I blacklisted that IP, I didn’t get any more spam of this type. I still get some other weird messages (mostly about ringtones) but they are from dynamic IPs owned by AOL…
Blah. Same thing here also, over and over. Although it is nice that it is the same static IP address over and over again, so it’s quite easy to ignore.