Infected by Spam Virus?

This is a technical article. (This is a friendly warning to people who don’t like to see technical articles on this blog. :-))

Spam

I was notified by my friend in Google that I have some spamware installed on my server http://wangjianshuo.com. This is very astonishing. I checked the directory and found the following files.

filename: /public_html/.htaccess

RewriteEngine On

Options +FollowSymlinks

RewriteCond %{REQUEST_FILENAME} !-f

RewriteRule ^[/]*([^/]+)\.phtml$ ./search.php?q=$1 [L]

AddType application/x-httpd-php .php

and then found out files like search.php, proxy.php, feed_data/ folder and many other files.

I delete these files. But does anyone know why this happens?

Wang Yang Lee (ICBC) May be Fraund

Warning: If you happen to be ready to contact the person, or give them any of your personal information, please STOP now! It seems to be a serious fraud

Look at these report of losing money on my website:

Fardous

Mudduraj

Melad Youssef

Mr. Muhammad Tirta Chariti

They reported that someone called Wang Yang Lee announced to be a manager from ICBC and collected ID and bank account information from victims. People searched in Google and arrived my website. What a mistake to trust someone in this common fraud case! (Another mistake is to take my personal website as ICBC official website).

Typically, the following signiture is included in the scam email:

Mr. Wang Yang Lee

Telex manager

Icbc Bank

Telephone: + 86 20 3365 5054

Fax + 86-20-38664428

Fax + 86-20-85648258

Web site: www.icbc.com.cn

Email: info@icbcbank.zzn.com

E-mail: icbcbonline@asia.com

ifuleuiycfi – I Really Admire You, Spammers

Recently, the admin tool of this site is very slow. I didn’t pay enough attention until it takes about several minutes to load a page in MovableType admin. I found out it was because of the comment spams.

The log shows I am almost 1000 junk comments every day. In the peak time (6:00 – 8:00 AM), there are more than 10 comment requests in every single minute.

MovableType have great anti-spam features. It blocked all of them, but it requires a lot of resources to handle that. The result is, the server is slower and slower. Lunarpages, the hosting company ever emailed me complaining my MT installation sometimes consumes about 40% of one CPU, out of 4 CPU they have for the server.

It seems to be a serious issue.

Changed the Script Name

I guess the spammers may try to post to the default installation of all the MT based blogs: /cgi-bin/mt/mt.cgi. I decided to change the default script name from mt-comments.cgi to something new. I choose the name of the script to a random name.

mt-comments-ifuleuiycfi.cgi

Then changed the configuration so it is now the new comment script. The name ifuleuiycfi of the scripts reads:

I Fu Le U If You Can Find It.

Fu Le means admire in Chinese

Spams Comes After Me

To be honest with you, I don’t think they will check the page for comment scripts before posting spams.

I was wrong, deadly wrong. Within one minute, a new comment spam appeared, using the new comment script. I did a rename, so the previous comment script does not exist already.

screen-ifuleuiycgi.png

New spams keep coming. I’d like to say: “I really admire you guys, spammers”.

Since many of the URL ends with .ru, I guess it comes from Russia.

Changed to Javascript Code

The rule I set for anti-spam is, I don’t add additional work to people who comments. Quickly, I wrote a piece of code like this:

<form method=”post” action=”http://home.wangjianshuo.com/cgi-bin/mt/mt-comments.cgi”

name=”comments_form”

onsubmit=”if (this.bakecookie.checked) rememberMe(this); s1=’http://home.wangjia’; s2=’nshuo.com/cgi-bin/mt/mt-‘; s3=’comments-ifuleuiycfi.cgi’; this.action = s1+s2+s3;”>

The form still direct the robots to mt-comments.cgi, which does not exist.

This time, the comment spams went away. I got only one spam in the last few days – obviously, this honest guy posted manually.

From the server log, mt-comments.cgi is really busy. A file not found error does not add as much burden to the server as a real comment.

So way to go, cheers, and jia you, those spam robots!

The City and Its Moral Boundary

I start to wonder where the moral boundary is, or the ethics deadline people have in today’s Shanghai, the bigger and bigger city.

Farmer Selling?

There is a way called farmer selling. It is basically to hire enough very low educated people (many of them are only children under 18) and pay them to distribute those name-card-size advertisement cards on the street. It is annoying. In People’s Square or Xujiahui, there are many and you have to hide from them, escape from them, and sometimes fight with them to go to your direction. I hate those guys.

There are some common tactics they use.

They will stand just in front of you, on the narrow street, in the middle of your way. You have to change your route to avoid run into those guy. That is the only way they bring your attention to them.

They will hand out to you with the card on hand. People have been educated not to take any cards they gave, but they will throw the card to you, put it into your pocket (sometimes they do) and try every way to stick it to your bag in case your bag is not closed. The worst experience was, someone even run to me, and opens my laptop case and throw the card into it. It seems they can easily take my laptop away. However, to take away something is robbery, but to put something in is not, right? It is just annoying.

Farmer Selling + Metro?

In the morning, I see those guys in the cart of the Metro. In Long Yang station, there were not many people yet. Three boys formed a line and went from one end of the metro carts to the other, and put their cards into people’s body. Since everyone was sitting there, and they delivered their card just like a teacher in kindergarten distribute apples to children. Very soon, there are about 4 cards on my legs, on my laptop bag and on my coat.

It is insulting, I’d say.

A lot of people was angry and throw the cards back to the face of the boys. They just don’t care and continue to move, and distribute. Within 30 seconds, the whole cart was full of garbage cards already.

This situation is not new. It lasted for one month. I believe they must found the result is good, and more and more companies are doing so.

I called the Metro service center at 021-64370000 immediately and reported the spam – yes. real world spam. They said they will inform the security of the next station.

I just wonder what is the boundary of ethics in this city? If several phone calls are so important that they can throw thousands of cards onto metro and rape all the passengers by sending some dirty card onto their body, what else they cannot do for a “successful” business?

Internet Ethics

On the Internet, it is even worse. Almost all downloads from big sites contain adware, and website became popular by creating virus to spread everyday. They hijack the homepage of browser, the address bar, or the icons on the desktop, and pops up advertisement every minute. This is almost the worst of the time. Bigger portals are not doing the right thing too. The porn related SMS and IVR are big portion, if not the major portion, of their revenue reported to NASDAQ. Who cares?

The Magic Water Saver

After I get off board the Metro and head to the Raffles City, a group of people are selling their Magic Water Saver equipment at the tunnel of the Metro. It is just a magnetic coin that stick to the Water Meter. Since the magnetic is so powerful that the pointers of the meter will stop to run, and the water continues to run out of the meter. They claim that with their equipment, you don’t have to pay a penny to the water company while you can enjoy as much water as you want. One woman immediately gave him 10 RMB to get one. This is called shameless stealing, right? Beside it, many people are selling fake goods.

shanghai-water.meter.jpg

Taken at gate 2 of Metro People’s Square Station with my Nokia 6670

Any Solution

I don’t know how long these activities will last, and I am disappointed that all these are there that everyone, including me, can see it but those in charge of the security didn’t see it. What can I do? I called the police after that, but it is obvious that they didn’t got any report before. What’s wrong with the city?

Disclaimer: I don’t think it is only one city’s problem. It is part of the nature – there are good guys and bad guys, sometimes even the definition of good or bad varies from people to people. In the winter of 2004, when I was in the park near the Statue of Liberty in New York, I saw many people selling LV bags at about 20 USD or DVD at 5 USD. I don’t know whether they were offering big discount on LV or DVD or what. I saw the same scene in metro stations (42 street, for example). I was shocked to see all this happen in the States. I didn’t dare to take photos becaues I heard they may have gun. (Poor me) The reason I was shocked was, to conduct some not-so-ethical thing in public, at most crowded area but there are still not many people regulate the market. What is the problem?

Closed Trackback

I removed the trackback script from the system which means there is no way to post track back to this site. I also removed the trackback information from the page.

The Death of Trackback on My Site

Three years, trackback brought a lot of fun to me, when not many people blog and not many people know about blog. That was really exciting expertiment.

Recently, many people know blogging, especially many “smart” spammers. They turn to use Trackback in a more efficient way than normal bloggers. They send thousands of trackbacks to my site.

After putting about 3400 different patterns and IP addresses into my MT-Blacklist, there are just increasing number of spammers join the Trackback Spam Club. I bet it will be a problem in Chinese blog sphere some time, but so far, so good.

In the last year, I deleted about 10 thousands trackback spams, and my blacklist is blocking several about 200 trackback pings everyday.

The Death of Innovation?

I regret to shutdown my trackback, and I believe many people will do the same after spammers get more and more smart. I hope I can reopen the system after I upgrade to MovableType 3.0 or higher, and get protected by better spam prevention tools. But for now, sorry.

Faithful for the Truth Instead of Dream

Trackback is a good idea, but periodically, before better anti-spam tools/standard is aviable, I am more concerned with the success of the content and reader experience, instead of insisting on a technology.

Just as DDOS attack educated that the Internet is built on a weak infrustructure, trackback proposes very high risk when someone what a DDOS to a site – how about try to enter 10G of data into the disk of a blogging system – if the system has 10G or more to fill?

I Hope I can Turn it On Some Time

Just like Push technology Channel failed in IE 4, RSS changed to a new way to do the same thing after several years, I hope we have better ways to leverage the idea of trackback after 3 years. I hope I can turn trackback again in Oct of the year 2008.

Hit by Caribe.sis Virus via Bluetooth

So exciting. One week after I switched to Symbian phone Nokia 6670, I was hit by a virus distributed via bluetooth.

Yesterady, when I had coffee at Starbucks, my phone ringed and displayed “die*_*lucky is sending you a file via bluetooth”. I accepted, and it promoted me to install an application. I realized something wrong happened. So I interrupted the installation and turn to Google for the name of the application:

Caribe.sis

Cabir replicates over bluetooth connections and arrives to phone messaging inbox as caribe.sis file what contains the worm. When user clicks the caribe.sis and chooses to install the Caribe.sis file the worm activates and starts looking for new devices to infect over bluetooth.

So Interneting Physical Replicated Virus

This is very intersting – I know someone around me – within 10 meters – carried a phone that was infected by the virus. How fun…

Friends Nearby?

I got very excited. Not the virus, but the fact that someone very similiar with me are within 10 meters away from me:

  • We use the same Symbian Nokia Series 6 phone.
  • We all enabled Bluetooth
  • We are in the same city, same district, and in the same Starbucks Cofee. There are just less than 50 people there.

If I were not in a business conversation, I would be really interested to stand up and look for the virus spreader… I thought of the application of Jambo.net by Jim and Charles. They install the application on laptop and detect other people with Jambo nearby via Wifi. It is the concept of Internet technology in a very specific area.

P.S. Shang Jin sent me this. Pure geek happiness again.

MTBlackList is Better than IP Banning

As my old anti-spam method, I used IP Banning in MovableType to fight against comment spam. This prevented some nice reader to post since they are banned due to being in the same IP range as the spammers.

I have tried MT-BlackList before, but my last attempt failed. Today, after reviewing the 150 spammers (within 10 minutes) for ringtone and 160 ping spam for some sex sites, I decided to try it again.

As luck would have it, it worked. I have successfully identified and deleted all those spam and added protection to future spam. More than 1800 entries are in my ban list, which is URL and keyword based. It should work perfectly in the future.

So, from today, I am deleting all the IP banning entries from my MovableType. So none one should be banned simply because they are in the same IP range as others. For back up proposes, I am publishing the IP range I have banned before. As you can see, I was using stupid method to ban the whole IP with mask of 255.255.0.0. That is, if there is any IP in a range posting spam, the whole 65025 IP addresses will be banned. I tried to be more specific, but the spammer seems to be smart enough to roam within a 255.255.0.0 IP space. I am happy MTBlackList finally worked, so the IP banning will be a history of my blog.

Since MTBlackList only works on MT 2.6 but not on MT 3.0D, I start to hesitate to upgrade. My server is stable enough and there is no explicit reason for me to upgrade.

Previous Banned IP Address

Database homewang_blog – Table mt_ipbanlist running on localhost

# phpMyAdmin MySQL-Dump

# version 2.4.0

# http://www.phpmyadmin.net/ (download page)

#

# Host: localhost

# Generation Time: Jul 27, 2004 at 08:00 AM

# Server version: 4.0.16

# PHP Version: 4.3.4

# Database : `homewang_blog`

# ——————————————————–

#

# Table structure for table `mt_ipbanlist`

#

CREATE TABLE mt_ipbanlist (

ipbanlist_id int(11) NOT NULL auto_increment,

ipbanlist_blog_id int(11) NOT NULL default ‘0’,

ipbanlist_ip varchar(15) NOT NULL default ”,

ipbanlist_created_on datetime NOT NULL default ‘0000-00-00 00:00:00’,

ipbanlist_modified_on timestamp(14) NOT NULL,

ipbanlist_created_by int(11) default NULL,

ipbanlist_modified_by int(11) default NULL,

PRIMARY KEY (ipbanlist_id),

KEY ipbanlist_blog_id (ipbanlist_blog_id),

KEY ipbanlist_ip (ipbanlist_ip)

) TYPE=MyISAM;

#

# Dumping data for table `mt_ipbanlist`

#

INSERT INTO mt_ipbanlist VALUES (1, 1, ‘212.219.’, ‘2004-04-07 10:48:35’, 20040407104835, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (2, 1, ‘212.219.’, ‘2004-04-07 10:52:01’, 20040407105201, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (3, 1, ‘221.15.71.’, ‘2004-04-07 10:53:32’, 20040407105332, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (4, 1, ‘61.11.26’, ‘2004-04-07 10:54:11’, 20040407105411, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (5, 1, ‘66.58.’, ‘2004-04-07 10:54:15’, 20040407105415, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (6, 1, ‘212.179.’, ‘2004-04-07 10:54:18’, 20040407105418, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (7, 1, ‘4.8.2.’, ‘2004-04-07 10:54:23’, 20040407105423, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (8, 1, ‘200.242.’, ‘2004-04-08 19:58:00’, 20040408195800, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (9, 1, ‘168.143.’, ‘2004-04-08 19:59:36’, 20040408195936, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (10, 1, ‘202.28.’, ‘2004-04-08 20:00:35’, 20040408200035, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (11, 1, ‘213.91.217’, ‘2004-04-10 21:05:27’, 20040410210527, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (12, 1, ‘213.91.217.’, ‘2004-04-10 21:05:41’, 20040410210541, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (13, 1, ‘65.36.113’, ‘2004-04-12 09:58:10’, 20040412095810, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (14, 1, ‘83.31.79.’, ‘2004-04-13 10:07:05’, 20040413100705, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (15, 1, ‘212.255.’, ‘2004-04-15 09:01:44’, 20040415090144, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (16, 1, ‘80.58.’, ‘2004-04-15 09:01:50’, 20040415090150, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (17, 1, ‘219.147.’, ‘2004-04-15 09:01:56’, 20040415090156, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (18, 1, ‘61.120.’, ‘2004-04-15 09:02:01’, 20040415090201, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (19, 1, ‘61.55’, ‘2004-04-15 09:02:08’, 20040415090208, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (20, 1, ‘62.95.’, ‘2004-04-15 09:02:13’, 20040415090213, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (21, 1, ‘212.135.’, ‘2004-04-15 09:02:34’, 20040415090234, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (22, 1, ‘207.75.’, ‘2004-04-15 12:41:34’, 20040415124134, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (23, 1, ‘200.171’, ‘2004-04-15 12:42:13’, 20040415124213, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (24, 1, ‘168.37.’, ‘2004-04-15 12:42:40’, 20040415124240, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (25, 1, ‘216.228.’, ‘2004-04-15 12:43:17’, 20040415124317, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (26, 1, ‘207.75.’, ‘2004-04-15 12:43:33’, 20040415124333, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (27, 1, ‘192.114’, ‘2004-04-21 10:05:07’, 20040421100507, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (28, 1, ‘157.158.’, ‘2004-04-21 10:31:07’, 20040421103107, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (29, 1, ‘213.249.’, ‘2004-04-23 18:57:53’, 20040423185753, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (30, 1, ‘82.77.’, ‘2004-05-10 13:44:05’, 20040510134405, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (31, 1, ‘216.219.’, ‘2004-05-10 13:44:19’, 20040510134419, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (32, 1, ‘213.91.’, ‘2004-05-10 13:44:32’, 20040510134432, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (33, 1, ‘213.91.’, ‘2004-05-10 13:44:43’, 20040510134443, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (34, 1, ‘80.72.’, ‘2004-05-10 13:44:54’, 20040510134454, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (35, 1, ‘213.91.’, ‘2004-05-10 13:45:03’, 20040510134503, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (36, 1, ‘200.158.’, ‘2004-05-11 09:51:25’, 20040511095125, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (37, 1, ‘80.53.42’, ‘2004-05-20 09:28:43’, 20040520092843, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (38, 1, ‘218.66.219’, ‘2004-05-20 09:28:48’, 20040520092848, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (39, 1, ‘170.224.224’, ‘2004-05-20 09:29:13’, 20040520092913, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (40, 1, ‘62.87.’, ‘2004-05-20 09:29:27’, 20040520092927, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (106, 1, ‘66.154.’, ‘2004-07-20 21:40:30’, 20040720214030, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (42, 1, ‘216.148.’, ‘2004-05-20 09:29:52’, 20040520092952, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (43, 1, ‘213.91.’, ‘2004-05-20 09:30:23’, 20040520093023, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (44, 1, ‘213.91.’, ‘2004-05-20 09:30:34’, 20040520093034, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (45, 1, ‘213.91.’, ‘2004-05-20 09:30:43’, 20040520093043, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (46, 1, ‘213.91.’, ‘2004-05-20 09:30:44’, 20040520093044, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (47, 1, ‘62.148.’, ‘2004-05-20 09:30:54’, 20040520093054, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (48, 1, ‘62.148.’, ‘2004-05-20 09:31:03’, 20040520093103, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (49, 1, ‘216.148.’, ‘2004-05-20 09:32:05’, 20040520093205, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (50, 1, ‘83.31.’, ‘2004-05-25 12:02:44’, 20040525120244, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (105, 1, ‘212.235.’, ‘2004-07-20 19:03:30’, 20040720190330, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (104, 1, ‘170.224’, ‘2004-07-18 09:18:59’, 20040718091859, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (55, 1, ‘200.105’, ‘2004-05-26 08:51:18’, 20040526085118, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (56, 1, ‘61.149.’, ‘2004-05-28 22:47:36’, 20040528224736, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (57, 1, ‘198.54.’, ‘2004-05-30 09:21:01’, 20040530092101, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (58, 1, ‘24.70.’, ‘2004-06-04 09:09:56’, 20040604090956, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (59, 1, ‘66.119.’, ‘2004-06-04 09:10:07’, 20040604091007, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (60, 1, ‘83.31.’, ‘2004-06-04 09:10:18’, 20040604091018, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (61, 1, ‘82.81.’, ‘2004-06-07 11:19:58’, 20040607111958, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (62, 1, ‘141.48.’, ‘2004-06-07 19:11:05’, 20040607191105, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (63, 1, ‘212.16.’, ‘2004-06-07 19:11:30’, 20040607191130, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (64, 1, ‘81.31.’, ‘2004-06-22 09:09:20’, 20040622090920, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (65, 1, ‘213.42.’, ‘2004-06-22 09:10:42’, 20040622091042, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (107, 1, ‘66.154.’, ‘2004-07-20 21:40:49’, 20040720214049, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (67, 1, ‘210.55.’, ‘2004-06-24 14:43:03’, 20040624144303, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (68, 1, ‘141.153.’, ‘2004-06-24 14:43:24’, 20040624144324, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (69, 1, ‘66.98.’, ‘2004-06-24 14:43:36’, 20040624144336, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (70, 1, ‘217.110.’, ‘2004-06-24 23:25:53’, 20040624232553, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (71, 1, ‘24.112.’, ‘2004-06-28 00:24:17’, 20040628002417, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (72, 1, ‘81.152.’, ‘2004-06-28 00:24:36’, 20040628002436, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (73, 1, ‘216.37.’, ‘2004-06-28 00:25:16’, 20040628002516, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (74, 1, ‘24.112.’, ‘2004-06-28 00:27:59’, 20040628002759, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (75, 1, ‘24.112.’, ‘2004-06-28 00:28:01’, 20040628002801, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (76, 1, ‘62.81.’, ‘2004-06-28 10:00:29’, 20040628100029, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (77, 1, ‘156.110.’, ‘2004-06-28 10:31:18’, 20040628103118, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (78, 1, ‘156.110.’, ‘2004-06-28 10:31:19’, 20040628103119, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (79, 1, ‘24.112.’, ‘2004-06-28 10:32:38’, 20040628103238, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (80, 1, ‘207.81’, ‘2004-07-03 22:56:00’, 20040703225600, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (81, 1, ‘207.88.’, ‘2004-07-03 22:56:29’, 20040703225629, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (82, 1, ‘198.26.’, ‘2004-07-03 23:03:57’, 20040703230357, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (83, 1, ‘212.21.’, ‘2004-07-03 23:04:11’, 20040703230411, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (84, 1, ‘193.255.’, ‘2004-07-03 23:04:25’, 20040703230425, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (85, 1, ‘66.231’, ‘2004-07-03 23:04:36’, 20040703230436, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (86, 1, ‘199.71’, ‘2004-07-03 23:04:42’, 20040703230442, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (87, 1, ‘198.26’, ‘2004-07-03 23:04:47’, 20040703230447, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (88, 1, ‘202.9’, ‘2004-07-03 23:04:53’, 20040703230453, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (89, 1, ‘213.131’, ‘2004-07-03 23:05:02’, 20040703230502, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (90, 1, ‘213.13’, ‘2004-07-03 23:05:10’, 20040703230510, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (91, 1, ‘213.77’, ‘2004-07-03 23:05:15’, 20040703230515, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (92, 1, ‘163.28’, ‘2004-07-03 23:05:48’, 20040703230548, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (93, 1, ‘148.245’, ‘2004-07-03 23:05:54’, 20040703230554, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (94, 1, ‘212.138’, ‘2004-07-03 23:06:10’, 20040703230610, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (95, 1, ‘195.166’, ‘2004-07-06 17:52:58’, 20040706175258, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (96, 1, ‘217.132’, ‘2004-07-07 13:10:03’, 20040707131003, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (97, 1, ‘212.179.’, ‘2004-07-07 13:11:46’, 20040707131146, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (98, 1, ‘195.77.’, ‘2004-07-08 23:22:35’, 20040708232235, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (99, 1, ‘208.195’, ‘2004-07-09 09:08:37’, 20040709090837, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (100, 1, ‘200.125.’, ‘2004-07-11 19:53:22’, 20040711195322, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (101, 1, ‘213.215.’, ‘2004-07-11 19:54:06’, 20040711195406, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (103, 1, ‘62.255.’, ‘2004-07-18 09:18:25’, 20040718091825, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (108, 1, ‘221.2.’, ‘2004-07-20 21:42:03’, 20040720214203, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (109, 1, ‘24.31.’, ‘2004-07-21 09:17:46’, 20040721091746, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (110, 1, ‘216.46.’, ‘2004-07-24 10:57:04’, 20040724105704, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (111, 1, ‘218.68.215.’, ‘2004-07-25 11:58:04’, 20040725115804, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (112, 1, ‘212.253.’, ‘2004-07-25 11:58:11’, 20040725115811, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (113, 1, ‘151.37.’, ‘2004-07-25 11:59:40’, 20040725115940, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (114, 1, ‘151.37.’, ‘2004-07-25 12:00:45’, 20040725120045, NULL, NULL);

INSERT INTO mt_ipbanlist VALUES (115, 1, ‘66.63.’, ‘2004-07-25 17:52:52’, 20040725175252, NULL, NULL);

Database homewang_blog – Table mt_ipbanlist running on localhost

“1”;”1″;”212.219.”;”2004-04-07 10:48:35″;”20040407104835″;NULL;NULL

“2”;”1″;”212.219.”;”2004-04-07 10:52:01″;”20040407105201″;NULL;NULL

“3”;”1″;”221.15.71.”;”2004-04-07 10:53:32″;”20040407105332″;NULL;NULL

“4”;”1″;”61.11.26″;”2004-04-07 10:54:11″;”20040407105411″;NULL;NULL

“5”;”1″;”66.58.”;”2004-04-07 10:54:15″;”20040407105415″;NULL;NULL

“6”;”1″;”212.179.”;”2004-04-07 10:54:18″;”20040407105418″;NULL;NULL

“7”;”1″;”4.8.2.”;”2004-04-07 10:54:23″;”20040407105423″;NULL;NULL

“8”;”1″;”200.242.”;”2004-04-08 19:58:00″;”20040408195800″;NULL;NULL

“9”;”1″;”168.143.”;”2004-04-08 19:59:36″;”20040408195936″;NULL;NULL

“10”;”1″;”202.28.”;”2004-04-08 20:00:35″;”20040408200035″;NULL;NULL

“11”;”1″;”213.91.217″;”2004-04-10 21:05:27″;”20040410210527″;NULL;NULL

“12”;”1″;”213.91.217.”;”2004-04-10 21:05:41″;”20040410210541″;NULL;NULL

“13”;”1″;”65.36.113″;”2004-04-12 09:58:10″;”20040412095810″;NULL;NULL

“14”;”1″;”83.31.79.”;”2004-04-13 10:07:05″;”20040413100705″;NULL;NULL

“15”;”1″;”212.255.”;”2004-04-15 09:01:44″;”20040415090144″;NULL;NULL

“16”;”1″;”80.58.”;”2004-04-15 09:01:50″;”20040415090150″;NULL;NULL

“17”;”1″;”219.147.”;”2004-04-15 09:01:56″;”20040415090156″;NULL;NULL

“18”;”1″;”61.120.”;”2004-04-15 09:02:01″;”20040415090201″;NULL;NULL

“19”;”1″;”61.55″;”2004-04-15 09:02:08″;”20040415090208″;NULL;NULL

“20”;”1″;”62.95.”;”2004-04-15 09:02:13″;”20040415090213″;NULL;NULL

“21”;”1″;”212.135.”;”2004-04-15 09:02:34″;”20040415090234″;NULL;NULL

“22”;”1″;”207.75.”;”2004-04-15 12:41:34″;”20040415124134″;NULL;NULL

“23”;”1″;”200.171″;”2004-04-15 12:42:13″;”20040415124213″;NULL;NULL

“24”;”1″;”168.37.”;”2004-04-15 12:42:40″;”20040415124240″;NULL;NULL

“25”;”1″;”216.228.”;”2004-04-15 12:43:17″;”20040415124317″;NULL;NULL

“26”;”1″;”207.75.”;”2004-04-15 12:43:33″;”20040415124333″;NULL;NULL

“27”;”1″;”192.114″;”2004-04-21 10:05:07″;”20040421100507″;NULL;NULL

“28”;”1″;”157.158.”;”2004-04-21 10:31:07″;”20040421103107″;NULL;NULL

“29”;”1″;”213.249.”;”2004-04-23 18:57:53″;”20040423185753″;NULL;NULL

“30”;”1″;”82.77.”;”2004-05-10 13:44:05″;”20040510134405″;NULL;NULL

“31”;”1″;”216.219.”;”2004-05-10 13:44:19″;”20040510134419″;NULL;NULL

“32”;”1″;”213.91.”;”2004-05-10 13:44:32″;”20040510134432″;NULL;NULL

“33”;”1″;”213.91.”;”2004-05-10 13:44:43″;”20040510134443″;NULL;NULL

“34”;”1″;”80.72.”;”2004-05-10 13:44:54″;”20040510134454″;NULL;NULL

“35”;”1″;”213.91.”;”2004-05-10 13:45:03″;”20040510134503″;NULL;NULL

“36”;”1″;”200.158.”;”2004-05-11 09:51:25″;”20040511095125″;NULL;NULL

“37”;”1″;”80.53.42″;”2004-05-20 09:28:43″;”20040520092843″;NULL;NULL

“38”;”1″;”218.66.219″;”2004-05-20 09:28:48″;”20040520092848″;NULL;NULL

“39”;”1″;”170.224.224″;”2004-05-20 09:29:13″;”20040520092913″;NULL;NULL

“40”;”1″;”62.87.”;”2004-05-20 09:29:27″;”20040520092927″;NULL;NULL

“106”;”1″;”66.154.”;”2004-07-20 21:40:30″;”20040720214030″;NULL;NULL

“42”;”1″;”216.148.”;”2004-05-20 09:29:52″;”20040520092952″;NULL;NULL

“43”;”1″;”213.91.”;”2004-05-20 09:30:23″;”20040520093023″;NULL;NULL

“44”;”1″;”213.91.”;”2004-05-20 09:30:34″;”20040520093034″;NULL;NULL

“45”;”1″;”213.91.”;”2004-05-20 09:30:43″;”20040520093043″;NULL;NULL

“46”;”1″;”213.91.”;”2004-05-20 09:30:44″;”20040520093044″;NULL;NULL

“47”;”1″;”62.148.”;”2004-05-20 09:30:54″;”20040520093054″;NULL;NULL

“48”;”1″;”62.148.”;”2004-05-20 09:31:03″;”20040520093103″;NULL;NULL

“49”;”1″;”216.148.”;”2004-05-20 09:32:05″;”20040520093205″;NULL;NULL

“50”;”1″;”83.31.”;”2004-05-25 12:02:44″;”20040525120244″;NULL;NULL

“105”;”1″;”212.235.”;”2004-07-20 19:03:30″;”20040720190330″;NULL;NULL

“104”;”1″;”170.224″;”2004-07-18 09:18:59″;”20040718091859″;NULL;NULL

“55”;”1″;”200.105″;”2004-05-26 08:51:18″;”20040526085118″;NULL;NULL

“56”;”1″;”61.149.”;”2004-05-28 22:47:36″;”20040528224736″;NULL;NULL

“57”;”1″;”198.54.”;”2004-05-30 09:21:01″;”20040530092101″;NULL;NULL

“58”;”1″;”24.70.”;”2004-06-04 09:09:56″;”20040604090956″;NULL;NULL

“59”;”1″;”66.119.”;”2004-06-04 09:10:07″;”20040604091007″;NULL;NULL

“60”;”1″;”83.31.”;”2004-06-04 09:10:18″;”20040604091018″;NULL;NULL

“61”;”1″;”82.81.”;”2004-06-07 11:19:58″;”20040607111958″;NULL;NULL

“62”;”1″;”141.48.”;”2004-06-07 19:11:05″;”20040607191105″;NULL;NULL

“63”;”1″;”212.16.”;”2004-06-07 19:11:30″;”20040607191130″;NULL;NULL

“64”;”1″;”81.31.”;”2004-06-22 09:09:20″;”20040622090920″;NULL;NULL

“65”;”1″;”213.42.”;”2004-06-22 09:10:42″;”20040622091042″;NULL;NULL

“107”;”1″;”66.154.”;”2004-07-20 21:40:49″;”20040720214049″;NULL;NULL

“67”;”1″;”210.55.”;”2004-06-24 14:43:03″;”20040624144303″;NULL;NULL

“68”;”1″;”141.153.”;”2004-06-24 14:43:24″;”20040624144324″;NULL;NULL

“69”;”1″;”66.98.”;”2004-06-24 14:43:36″;”20040624144336″;NULL;NULL

“70”;”1″;”217.110.”;”2004-06-24 23:25:53″;”20040624232553″;NULL;NULL

“71”;”1″;”24.112.”;”2004-06-28 00:24:17″;”20040628002417″;NULL;NULL

“72”;”1″;”81.152.”;”2004-06-28 00:24:36″;”20040628002436″;NULL;NULL

“73”;”1″;”216.37.”;”2004-06-28 00:25:16″;”20040628002516″;NULL;NULL

“74”;”1″;”24.112.”;”2004-06-28 00:27:59″;”20040628002759″;NULL;NULL

“75”;”1″;”24.112.”;”2004-06-28 00:28:01″;”20040628002801″;NULL;NULL

“76”;”1″;”62.81.”;”2004-06-28 10:00:29″;”20040628100029″;NULL;NULL

“77”;”1″;”156.110.”;”2004-06-28 10:31:18″;”20040628103118″;NULL;NULL

“78”;”1″;”156.110.”;”2004-06-28 10:31:19″;”20040628103119″;NULL;NULL

“79”;”1″;”24.112.”;”2004-06-28 10:32:38″;”20040628103238″;NULL;NULL

“80”;”1″;”207.81″;”2004-07-03 22:56:00″;”20040703225600″;NULL;NULL

“81”;”1″;”207.88.”;”2004-07-03 22:56:29″;”20040703225629″;NULL;NULL

“82”;”1″;”198.26.”;”2004-07-03 23:03:57″;”20040703230357″;NULL;NULL

“83”;”1″;”212.21.”;”2004-07-03 23:04:11″;”20040703230411″;NULL;NULL

“84”;”1″;”193.255.”;”2004-07-03 23:04:25″;”20040703230425″;NULL;NULL

“85”;”1″;”66.231″;”2004-07-03 23:04:36″;”20040703230436″;NULL;NULL

“86”;”1″;”199.71″;”2004-07-03 23:04:42″;”20040703230442″;NULL;NULL

“87”;”1″;”198.26″;”2004-07-03 23:04:47″;”20040703230447″;NULL;NULL

“88”;”1″;”202.9″;”2004-07-03 23:04:53″;”20040703230453″;NULL;NULL

“89”;”1″;”213.131″;”2004-07-03 23:05:02″;”20040703230502″;NULL;NULL

“90”;”1″;”213.13″;”2004-07-03 23:05:10″;”20040703230510″;NULL;NULL

“91”;”1″;”213.77″;”2004-07-03 23:05:15″;”20040703230515″;NULL;NULL

“92”;”1″;”163.28″;”2004-07-03 23:05:48″;”20040703230548″;NULL;NULL

“93”;”1″;”148.245″;”2004-07-03 23:05:54″;”20040703230554″;NULL;NULL

“94”;”1″;”212.138″;”2004-07-03 23:06:10″;”20040703230610″;NULL;NULL

“95”;”1″;”195.166″;”2004-07-06 17:52:58″;”20040706175258″;NULL;NULL

“96”;”1″;”217.132″;”2004-07-07 13:10:03″;”20040707131003″;NULL;NULL

“97”;”1″;”212.179.”;”2004-07-07 13:11:46″;”20040707131146″;NULL;NULL

“98”;”1″;”195.77.”;”2004-07-08 23:22:35″;”20040708232235″;NULL;NULL

“99”;”1″;”208.195″;”2004-07-09 09:08:37″;”20040709090837″;NULL;NULL

“100”;”1″;”200.125.”;”2004-07-11 19:53:22″;”20040711195322″;NULL;NULL

“101”;”1″;”213.215.”;”2004-07-11 19:54:06″;”20040711195406″;NULL;NULL

“103”;”1″;”62.255.”;”2004-07-18 09:18:25″;”20040718091825″;NULL;NULL

“108”;”1″;”221.2.”;”2004-07-20 21:42:03″;”20040720214203″;NULL;NULL

“109”;”1″;”24.31.”;”2004-07-21 09:17:46″;”20040721091746″;NULL;NULL

“110”;”1″;”216.46.”;”2004-07-24 10:57:04″;”20040724105704″;NULL;NULL

“111”;”1″;”218.68.215.”;”2004-07-25 11:58:04″;”20040725115804″;NULL;NULL

“112”;”1″;”212.253.”;”2004-07-25 11:58:11″;”20040725115811″;NULL;NULL

“113”;”1″;”151.37.”;”2004-07-25 11:59:40″;”20040725115940″;NULL;NULL

“114”;”1″;”151.37.”;”2004-07-25 12:00:45″;”20040725120045″;NULL;NULL

“115”;”1″;”66.63.”;”2004-07-25 17:52:52″;”20040725175252″;NULL;NULL

Appologize from Baliforyou

Today, I got email from the web manager of Baliforyou.com, which I claimed to be Comment Spam.

Dear Jian Shuo

hi

my name is Zack and Im the Web manager of Baliforyou.com, we are in partnership with kecak.com. My staff member indicated to me today your website with your comment about us as being spammers. I am sorry i did not know that my staff was signing guests book when they were suppose to be finding links and link exchanging instead of spamming on guests book.

Please accept my appology on behalf of baliforyou.com. I have given a warning letter to my link masters and threatened them in loosing their jobs,

Once again, please accept our appologies, I too agree with you that spamming is not a healthy business. I also get 3000 spams on my forum and emails and believe me I dont enjoy this either.

Thank you for you indicating this

kind regards

Zack Olsson

Web Manager

baliforyou.com

Well. Good. I’d like to thank Zack for his/her quick response. I withdraw my claimation and decide to call baliforyou.com a good net citizen now. :-D

EndAds.com Caught by FTC

Breaking News! EndAds.com finally caught by FTC

FTC disables pop-up ad firm

By Bob Sullivan

MSNBC

Nov. 6 ?The Federal Trade Commission on Thursday accused a California advertising company of digital-age extortion. D Squared Solutions allegedly hijacked Internet users?computers by bombarding them with Windows Messenger pop-up ads ?as frequently as every 10 minutes. The ads hawked $30 software that promised only to stop future pop-ups from the company….

…D Squared operated a handful of Web sites devoted to advertising their software, including Blockmessenger.com, Endads.com, SaveYourPrivacy.com. and Fightmessenger.com

D Squared did not immediately return e-mails sent to its San Diego office. The telephone number listed on the domain registration information for the company’s Web site wasn’t operational.

FULL STORY>>

FTC Slams Pop-Up Spammer

By Dennis Callaghan

eWeek.com

November 6, 2003

The Federal Trade Commission Thursday took action against a company that it alleges was exploiting a security hole in Microsoft’s Messenger Service utility to send full-screen pop-up ads to consumers advertising software that would block the very same pop-up ads.

At the FTC’s request, the U.S. District Court for the Northern District of Maryland issued a temporary restraining order against D Squared Solutions LLC, and its officers, Anish Dhingra and Jeffrey Davis, blocking them from continuing their business practices. The FTC plans to seek further legal action against the defendants, including recovering any revenue the company earned from selling its software.

FULL STORY>>

Great News!

I believe I am among the most excited people in the world after I hear about the news. EndAds.com should be caught and sued months ago. Starting from Sept 23, 2003, I begin to fight with NET SEND SPAM by writing articles and provide instructions to turn off Messenger Service. Along the way, I started by fight back with bestyan’s spam, then Golarger.com (I am curious about whether this company is caught or not) and Endads.com (with other names like blockmessenger.com…)

The reason I worked so hard to fight with them is, I believe there should be some force to stand against these annoying stuff. You can see people are really annoyed by EndAds.com and its kind.

Check this entry on my site: Shutdown DefeatMessenger And FightPopups Spam, it has 38 comments.

The check this entry: EndAds.com and BlockMessenger.com, it has 296 comments.

Look at how many people are affected. In Oct 2003 along, my site received 2600+ hits from search engine with keyword of Endads.com alone. I believe the craziest period of EndAds.com is not this Oct…

Turn the Down

Great job, FTC. It seems many visitors of this site has sent complain to abuse@level1.com and FCC, but no one mentioned FTC yet. It seems the FTC is the right organization to send complaint to. I cheered about the big success of Shutdown Endads.com. However, it didn’t seem to be the end until government agencies like FTC take legal actions against them.

The Bad Guy

It turned out that the bad guys are named

  • Anish Dhingra
  • Jeffrey Davis

in San Diego, California:

Their company D Squared Solutions, LLC will be infamous very soon.

More News Coverage

I’d like to thank Bianchi who posted comment to notify me about the news. It was really breaking news.

FTC Obtains Order Barring Pop-up Spam Scam, Urges Consumers to Take Steps to Protect Themselves

Google’s News Coverage on FTC and SPAM.

Physical Location of this NET SEND SPAMMER

Reader Josh commented

If I ever meet someone who works for endads, or even talks about it like a good marketing thing… I will beat the crap out of them…. and not feel bad.

It is very true. The address of these hidden bad guys is the secret everyone really wanted to know. Now they are exposed on the net. According to FTC’s complaint, the address of D Square is

11286 Corte Belleza, San Diego, CA, 92130

Then Yahoo!Map draw the location of their evil headcourter:

map-d.square-endads.com.gif

With the help of TerraServer-USA.com, we finally find out (how?) the picture of this spammer.

screen-endads.headquarter-terraimage.jpg

Image courtesy of the U.S. Geological Survey and TerraServer-USA

We can Visit our Old Friend Now

Good. Good. They were caught red-handed. Any people interested to drive by and say hello to these two guys if they are not in prison?

Kecak.com – (No Longer a) Comment Spammer

Update October 24, 2006

Waking up this morning, I saw Yunata’s comment about the changes in Kecak.com. I applause for the change in management, and Yunata’s commitment to create a good company.

As you may noticed, this entry was posted 3 years ago, when Kecak.com sent comment spam to this blog (and many others). 3 years later, it seems to me that Kecak.com turned to be a good company. I felt it from Yunata’s comment.

I believe nothing can be a better evidence of a good company than showing people that they are correcting mistakes, and committed to make changes.

My fellow readers, if you are search for Kecak.com in Google and reached this page, AND if you have the time to read through what happened three years ago and today, I believe you will feel more confidence in dealing with this company, because they made progress!

I didn’t remove this entry (as stated in my reply), since this can make positive impact on Kecak.com.

Good luck to Kecak.com. We have some shared experience three years ago, and I will be more than happy to see a great company there.

Jian Shuo

End of update

My site is attacked by the Comment Spam – the advertisement posted on my blog entry.

Here are examples:

Good Job …Well done

Please also visit my Bali site at http://www.kecak.com

Posted by: Elizabet-Bali Resorts and Bali Resort on October 20, 2003 10:09 PM

Source: http://home.wangjianshuo.com/archives/20030302_guestbook.htm#1009

The Next Version of Email Spam and Net Send Spam

Actually, it is the next wave of spam after Email spam and Net send spam. Becaues of the wide adoption of the same system – the MovableType or other simliar system, and the anonymous nature of these system, it is very easy for the bad guys to send the spam to millions of blogs in serveral hours.

Not only links

The comment spam not only bring more visitors to their website. More importantly, it add much value for its Google PageRank. From Google, we can see that there are 1560 pages/sites link to this site, so their PageRank is already PR6. It is a good number that help them list high in Google search result. Just a simple test: Type Bali in Google and you will find out it is listed as the 7th website.

Google judges the importance of a website by the link pointing to them. A link to a site stands as a vote to that website. Actually, the spammer has stealed the vote right from my website. It is bad.

The Trick Behind

The spam happens two weeks ago. It seems that the spammer thought of the idea in one night. Just after I wake up one morning, I found a lots of entries with the same name and content on many of my pages. It was really a hard job to delete them one by one and put their IP address into the block list.

Regarding this Spammer from Bali, they are creating very bad reputation for the beautiful island of Bali. I receive serveral spam from this guy every day. I know the name of this guy – John or William. It is for sure that they are fake names. Look at the two comments below (originally posted here)

Great site !!!

Please also visit my Bali site at http://www.baliforyou.com/bali/

Posted by: John- Bali Hotels Travel on October 20, 2003 10:15 PM

Good Job …Well done

Please also visit my Bali site at http://www.kecak.com

Posted by: Elizabet-Bali Resorts and Bali Resort on October 20, 2003 10:17 PM

It seems that the two comments are pointing to two different website. They seem to compete with each other. However, they are exactly the same site. Here are the details of the post.

Entry: Emails and Privacy Policies

IP Address 202.146.236.4

Author: Elizabet-Bali Resorts and Bali Resort

Email Address: william@kecak.com

Comment

Good Job …Well done

Please also visit my Bali site at http://www.kecak.com

Entry: Emails and Privacy Policies

IP Address 202.146.236.4

Author: John- Bali Hotels Travel

Email Address: john@baliforyou.com

Comment

Great site !!!

Please also visit my Bali site at http://www.baliforyou.com/bali/

You see, these two comments came in with only two minutes in interval and came from the same IP address.

Moreover, by using the Google search, you clearly discover that this spammer has successfully spamed 653 pages using the term Great site !!! Please also visit my Bali site at and 286 pages with the pattern of “Good Job …Well done Please also visit my Bali site at” by 12:37 AM 10/21/2003

Please note that the number is only the pages indexed by Google at the time of last crawl. My victim page is not on the list yet. So the pages infected by this spammer should be at least serveral thousand.

Moreover, http://www.putritour.com are also a alias for this big spammer.

Disaster for Bali Island Website

If this company continue to conduct this kind of criminal on the web, the websites of Bali Island will face big problem. I am seeking for blacklist for MovableType spam and found MT-Blacklist (via MovableType.org). Websites containing the term of Bali has already been listed in the 400 spammer list by default. I believe more and more website will implement this kind of blacklist. At least I am going to filter all comments with the term Bali in content.

The Solution

Just as we have worked together to shut down EndAds.com before, we will finally find out the way to stop them from doing this. Before the spammers stop by themself, I am going to implement the anti-spam MT plugin in the next few days.

Good luck, the spammers.

Appendix

Automatic Email Response from their Contact Page.

===========================

Dear Jianshuo Wang,

We received your message today. We would like to offer our sincere thanks to

you for for Inquirying

Our staff responds to Inquiries during regular business hours, although we

also attempt to answer Inquiries in the evenings and weekends whenever possible!

Inquiries are normally answered within 4-8 hours on week days and 8-10 on

weekends. You should be receiving a personal response by e-mail from one of our staff

shortly.

Best Regards,

Ngurah Narendra

========================

PT.Kecak DotCom

Jl.Raya Kuta 88R

Kuta – 80361 – Bali – Indonesia

Ph:+62 361 766880/766881/66882

Fax:+62 361 766810

Email:reservation@kecak.com

Website:www.kecak.com

See, they still dare to publish their phone nubmer while Net Send Spammer EndAds.com did dare to do it.

Update Baliforyou.com Appologized Oct 11, 2003

Here is the story.

Shutdown DefeatMessenger And FightPopups Spam

Before you complain and leave any bad words with my comment system, read this disclaim first:

This page provides simple steps to stop the EndAds.com, DefeatMessenger.com and FightPopups.com spam. It also call for action to shutdown the servers of these spammers together. Read before post…

I hope with the disclaimer at the very beginning, I will not sufer that much as on my entry of EndAds and BlockMessenger where people thought it was this site sending out the net send spam and just throw out all the dirty words they can think of. I hope…

Let me repeat the steps again in case people didn’t see my previous entry:

Simple steps to turn it off

The easist way to stop receiving this kind of message is to turn off Windows Messenger service. If you are running Windows XP or Windows 2000, following these steps:

  • Click Start button on your Windows taskbar.
  • Click Run…
  • Enter “Services.msc” (without quotation marks) and click OK.
  • Browse the list till you find “Messenger” in Name column.
  • Double click it. The Messenger Properties (Local Computer) dialog box comes out.
  • Choose “Disable” in “Startup type” drop down box.
  • Click OK.

It will definitely work. If you don’t believe that so simple steps can stop the annoying pop-ups, see the comments of about 100 people on this page.

Note: These steps will NOT affect your usage of MSN Messenger, AIM, Yahoo! Messenger or ICQ.

Huge Success to Shutdown EndAds.com

On July 30, 2003, Chris Mikeson suggested to not only shutdown the Messenger Services on our own computer, but to send out complain to the ISP hosting the service.

Later, many people including Joseph, AP, Cory, Jennifer, aaron, Don, Tom, Scott Hawkins, KS, Krozar and machinetodd (not a complete list) send complain email either to abuse@level3.net or FCC.

Yesterday, Aug 21, 2003, Chris, who initialized the Complain Campaign, noticed us that EndAds.com is no longer accessable. It was also confirmed by Jeremy.

So, let’s keep this going people. Let us know the new domain name they come up with and we will get that thing shut down quicker than a skittish jackrabbit can lick a carrot stick.

Bravo people! Well done! Power to the Internet community fighting these SCUM! Let’s keep this going…

– chris m.

If it is really because the ISP shutdown the service (not the technical difficulties of this spammer), it is really good news. People felt the power to fight back, instead of just pay for the so called Anti-spam software from these spammers.

Call For Actions: Shutdown other Spammer Website TOGETHER

DefeatMessenger.com and FightPopups.com are owned by the same person as EndAds.com. Here is the detailed information that may be useful to file a complain. IMPORTANT: The information comes from the WHOIS database on the Internet and may NOT be accurate.

Contact:

Administrative Contact:

SpamSlammers

Admin

PO BOX 927142

San Diego, CA 92129-7142

US

800-453-3422

msgaway2003@yahoo.com

IP address: 216.251.43.11. Here is the information for the hosting company:

OrgName: InternetNamesForBusiness.com

OrgID: INFB

Address: 500 East Broward Boulevard

Address: Suite 1700

City: Fort Lauderdale

StateProv: FL

PostalCode: 33394

Country: US

NetRange: 216.251.32.0 – 216.251.47.255

CIDR: 216.251.32.0/20

NetName: MEGA-1

NetHandle: NET-216-251-32-0-1

Parent: NET-216-0-0-0-0

NetType: Direct Allocation

NameServer: NS1.MEGANAMESERVERS.COM

NameServer: NS2.MEGANAMESERVERS.COM

NameServer: NS3.MEGANAMESERVERS.COM

Comment:

RegDate:

Updated: 2001-04-09

TechHandle: ZI51-ARIN

TechName: InternetNamesForBusiness.com

TechPhone: +1-954-463-3080

TechEmail: admin@internetnamesforbusiness.com

OrgTechHandle: ZI51-ARIN

OrgTechName: InternetNamesForBusiness.com

OrgTechPhone: +1-954-463-3080

OrgTechEmail: admin@internetnamesforbusiness.com

Update Augest 23, 2003

Chris suggested to send complain to abuse@peer1.net and abuse@sbcglobal.net. Please read his comment blow to for the method to find out this email alias from any domain name.

It is appreciated if you can point out a better way to shutdown these sites or correct me if I was wrong at any point. I believe when the voice of people surfering from these spam heard, the Internet will become peace again. Good luck!

Updated EndAds.com Spammers Caught Nov 06, 2003

Good news! The EndAds.com, actually D Square LLC was caught by FTC and was sued. I believe it is the final ending of this nightmare. Read more: EndAds.com Caught by FTC

Secret Wealth Spam

X-Apparently-To: myemail@yahoo.com via 216.136.172.58; Fri, 15 Aug 2003 21:23:16 -0700

Return-Path:

Received: from 216.136.130.41 (HELO web10005.mail.yahoo.com) (216.136.130.41) by mta235.mail.scd.yahoo.com with SMTP; Fri, 15 Aug 2003 21:23:16 -0700

Message-ID: <20030816042316.60576.qmail@web10005.mail.yahoo.com>

Received: from [213.136.96.105] by web10005.mail.yahoo.com via HTTP; Fri, 15 Aug 2003 21:23:16 PDT

Date: Fri, 15 Aug 2003 21:23:16 -0700 (PDT)

From: “KONE IBRAHIM”

Subject: from kone to you

To: myemail@yahoo.com

MIME-Version: 1.0

Content-Type: text/plain; charset=iso-8859-1

Content-Transfer-Encoding: 8bit

Content-Length: 1517

FROM : Master Kone Ibrahim

REFEGUE CAMP

PLATEAUX ABIDJAN

Dearest one,

With regard to your reputation and co-worshipper of

God who will not disappoint me nor deny me in faith, I

am directing this letter of assistance to you. I am

Master Kone Ibrahim the son of Mr Bamba Ibrahim from

Republic of Zimbabwe really in dear need to get

somebody who will safe guard the interest of me and my

treasure. Briefly, my father Mr Bamba Ibrahim was a

Gold and Cocoa merchant who based in Abidjan Côte

d’Ivoire and had a branch office in Accra Ghana.

My father was a wealthy Gold/Cocoa merchant who has

business in many countries in Europe, America and

Asian countries. According to my father, my own mother

died when I was about six years of age which means

that I did not even know my mother very well.

The story is that my father Mr Bamba was poisoned to

death by his business associates about some months

ago, and he died in a private hospital here in

Abidjan. But when he was about to die, he called me

beside his sick bed and told me that he deposited the

sum of Ten Million seven hundred thousand United State

Dollars (USD10.7M) in a confidence account as bond in

a bank here in Abidjan Côte d’Ivoire, this money was

kept for me his only son. Right now I am here in

Abidjan, the commercial city of Cote d’Ivoire in West

Africa.

My problem now is that since my father has been

poisoned to death by his business associates, I don’t

even trust any other person here again and to this

effect, I do contact you. Right now, I want you to

help me in the following ways:

1) I want you to help me extract this money from the

bank here and then provide a bank account where this

amount here (USD10.7M) can be transferred.

2) You are going to be the manager of this fund and

also my personal guardian until I finished my studies

as I’m just 24 years old.

3) You are going to procure admission for me to

continue my studies in one of the known university in

your country.

4) That you must prepare immediately to make a working

visit to Abidjan here so that me and you can see each

other and we can then do the transfer of the fund to

your account at the same time and I will go back with

you to your country for the fund investment.

5) You are going to receive 20% of the total sum for

your assitance to me.

I appreciate if you consider my condition and help me,

and I am willing to proceed with you as soon as I have

your response. Please try to contact me through my

email address

THIS BUSINESS IS HIGHLY CONFIDENTIAL BECAUSE NONE OF

MY LATE FATHER’S BROTHERS AND SISTERS KNOWS ABOUT THIS

TRANSACTION.

Waiting for your immediate response.

Thanks for your understanding

Master Kone Ibrahim

Anyone received email like this? I got this kind of email from different persons every week. I am not sure what they are going to do?

EndAds and BlockMessenger

hlb felt very painful when he was hit by the EndAds spam.

I keep getting pop ups from endads.com telling me how to get rid of pop ups. But I only get pop ups from them so I’m certainly not paying them to get rid of themselves!! Mr Norton is supposed to do this for me. But he’s failed miserably.

Spam is a good business, isn’t it?

It is obviously a good business to spam others and ask others to pay to get rid of the spam. EndAds.com did it and BlockMessenger.com is doing it too. This is what I call: ROBERY.

Simple steps to turn it off

The easist way to stop receiving this kind of message is to turn off Windows Messenger service. If you are running Windows XP or Windows 2000, following these steps:

  • Click Start button on your Windows taskbar.
  • Click Run…
  • Enter “Services.msc” (without quotation marks) and click OK.
  • Browse the list till you find “Messenger” in Name column.
  • Double click it. The Messenger Properties (Local Computer) dialog box comes out.
  • Choose “Disable” in “Startup type” drop down box.
  • Click OK.

It will definitely work. If you don’t believe that so simple steps can stop the annoying pop-ups, see the comments of about 100 people on this page.

Note: These steps will NOT affect your usage of MSN Messenger, AIM, Yahoo! Messenger or ICQ.

I have also put the instructions here and there on this site. I hope EndAds.com cannot get a single penny if people spread the easy cure on the Internet.

Updated: Shutdown EndAds.com Together July 31, 2003

It is a shame that the spammer EndAds.com is still accessiable on Internet and is still collecting money by its “day-light robery” spam. My reader Chris Mikeson have given us very good suggestion to shutdown EndAds.com together by complain to their hosting company at abuse@level3.net.

Everyone who has been abused by endads.com should email abuse@level3.net. If they get enough of them they will shut them down and ban them from returning. It will only take about 5 customers complaining. I can usually do this alone but it adds credibility of others of you also send email to abuse@level3.net.

By Chris Mikeson

Please paste your complain to abuse@level3.net and their response on this page as comment and we can clearly see the progress.

Updated EndAds.com Spammers Caught Nov 06, 2003

Good news! The EndAds.com, actually D Square LLC was caught by FTC and was sued. I believe it is the final ending of this nightmare. Read more: EndAds.com Caught by FTC

About this site

Wangjianshuo’s blog is a personal weblog written by Jian Shuo Wang. It is updated daily with events that affects people’s life from Shanghai, China.

MSN Messenger Spam

I hate NET SEND SPAM, and I have been fighting with it for a long time by helping people to disable the Messenger services or install firewalls. I have clearly stated that the Messenger Service NET SEND SPAM used is NOT the MSN Messenger or Windows Messenger.

However, there comes the new type of spam – MSN Messenger Spam.

MSN Mesenger Spam is more annoying and dangerous than NET SEND SPAM

Here is the screen shot of the forth messenge I got in the last four hours.

screen-msn.messenger.spam-christina.PNG

It is more annoying and dangrous because:

  1. I can turn off the Messenger Service to prevent NET SEND SPAM from appearing, since the messenger service is seldom used. But MSN Messenger is the tool I use everyday to communicate with my friends
  2. Firewall and other techniques may be not easy to block this kind of spam since the connection with the server is always kept alive. The content flow within this connection is seldom checked. (I may be wrong on this. Correct me if I made the wrong statement.)
  3. NET SEND SPAM only deliver messenges and the user has too retype it in browser to visit the spammer’s website. But MSN Messenger’s message can display URL and the page is just one click a way. What if the page contains virus code? People seldom take the download-file-warning seriously.

How this happend?

Actually, it is very annoying to me since till now, I didn’t find out the reason why it appeared. The common sense for MSN Messenger is, if some one is not on my contact list, he cannot send messenges to me. In other words, I need to either add them to my contact list by myself, or accept their add request before we can talk. But this person ugly_tcharlesz@hotmail.com is not on my contact list!

I will investigate this and post my answers

Stay tuned. I will find out how they send these spam and post solution to disable it in the next few days. If you know the answer and solution, please let me know too.

Update: Reasons and solutions found April 14, 2003

After investigating this for some time and also got help from people like Jonathan Kay [MVP] in the newsgroup, I finally find out how the spammer did it and the solution to fix this problem.

It seems the new version of .NET Meseengers enables anyone to send you a message WITHOUT being on your contact list.

How to do this? (I am using the Windows Messenger that comes with Windows XP as example here)

  1. Open the Messenger Main window, click Send an Instant Message… on Action menu. The Send an Instant Message dialog box appeared.
  2. Click on the Other tab. Enter any Passport e-mail address into “Enter e-mail address:” input box and send a message to them, without being on their contact list.

    screen-msn.messenger-send.an.instant.message.other.PNG

Looks dangerous, isn’t it?

Solution

The solution is simple.

  1. Open MSN Messenger main window.
  2. Click Options… on Tools window.
  3. Switch to Privacy tab.
  4. Select “All Other Users” in the My Allow List and click “Block>>” button. The “All Other Users” groups will appear in the My Block List list box.
  5. Click OK to save your settings.

Now, only those who are on your contact list can send message to you and you are free of such spam now.

Update Works in Trillian also May 18, 2003

Thanks Kynan for letting us know that the following steps works in Trillian also.

  1. Go To Preferences (Right click tray icon, Options, Preferences)
  2. Scroll down to “Chatting Services” and MSN. Under the MSN option select Privacy
  3. Hidden amongst your contacts is the “All other users” contact in your “My Allow List”, select it and click on the “Block>>” button
  4. Hit OK and voila, no more spam.

Physical Location of GOLarger.com

yolei81 posted the WHOIS data for golarger.com – which has been under our investigation for a long time.

According to the WHOIS database, the location GOLarger.com’s owner is:

Organization:

Jason Spencer

Bob Lerman

45 Henry St

Brooklyn, NY 11201

US

Phone: 718-654-7898

Email: b_lerman2002@yahoo.com

Here is the maps about this location on MapPoint.msn.com.

newyork-henry.father.brooklyn.map-mappoint.gif

Here is the satellite photo of the area.

newyork-brooklyn.map-terraserver.PNG

Below are more detailed maps and photos.

newyork-henry.brooklyn.map-mappoint.PNG

newyork-henry.brooklyn.map-terraserver.PNG

TerraServer

Note: Please note the phone and location listed in WHOIS may not be the actual owner’s name. So please do not do anything for this phone or location yet, since it may be wrong.

STOP

Pleased do not complain using the telephone number I provided since I just saw Althey’s comment that the number belongs to a 90 year old woman, who is obviously the owner of the spammer’s website. Sorry for the inconvenience it caused.

Fight Back for Golarger Spam

Yesterday, I talked about golarger, which I claim to be both Net Send Spammer and Blog Comment Spammer. Shortly after that, I am very happy to see SImo posted about the effort to fight back for Golarger Spam. Please read this.

In contesy of Simo, I quoted his comment here.

!!! FIGHT BACK FROM NET SEND SPAM !!!

It does pay to advise the ISP that the NET SEND SPAM is coming from….Please see this email I just recived :

Hello,

your report was registered, due disciplinary measures about our customer are on the way.

Meanwhile, please accept our apology for Your trouble.

Best regards.

=================================================

Abuse Staff

Seat Pagine Gialle s.p.a.

http://tin.virgilio.it

Area Internet – abuse@tin.it

Consulta la guida sulla sicurezza alla pagina http://tin.virgilio.it/periniziare/guida/sicurezza.html

==================================================

===== Original Message =====

From: “Simon Frappell”

To:

Sent: Thursday, February 27, 2003 12:52 PM

Subject: Net Send Spam Abuse

> Hi,

>

> I’m getting Net Spam coming from this address : 80.116.221.181. Can

> you please see that this is stopped.

>

>

> Spam details :

> 02/27/03 21:29:42 UPLOAD_SUCCEEDED OK REPORT_INSERTED

> FWIN,2003/02/27,21:29:40 +10:00

> GMT,80.116.221.181:26142,203.45.218.24:137,UDP

>

> Event Type: Information

> Event Source: Application Popup

> Event Category: None

> Event ID: 26

> Date: 27/02/2003

> Time: 9:26:53 PM

> User: N/A

> Computer: PSYCHO

> Description:

> Application popup: Messenger Service : Message from GOLARGER to on

> 2/27/2003 8:45:34 PM

>

>

>

> www.golarger.com

> www.golarger.com

> www.golarger.com

>

>

> We are the #1 MALE ORGAN ENLARGEMENT

> supplement on the web. We guarantee the

> success of our program or we will refund every

> penny. Come find out why more men AND WOMEN

> come to us than any other site.

>

> Enlarge your member 1-3 inches in a matter of days!

>

>

> www.golarger.com

> www.golarger.com

> www.golarger.com

>

> Whois information captured by my Firewall. :

>

>

> inetnum: 80.116.128.0 – 80.116.255.255

> netname: TINIT-ADSL-LITE

> descr: Telecom Italia

> descr: Accesso ADSL BBB

> country: IT

> admin-c: BS104-RIPE

> tech-c: BS104-RIPE

> status: ASSIGNED PA

> remarks: Please send abuse notification to

> abuse-bbb@telecomitalia.it

> notify: ripe-staff@telecomitalia.it

> mnt-by: TIWS-MNT

> changed: net_ti@telecomitalia.it 20020801

> source: RIPE

>

> route: 80.116.0.0/16

> descr: INTERBUSINESS

> origin: AS3269

> notify: network@cgi.interbusiness.it

> mnt-by: INTERB-MNT

> changed: net_ti@telecomitalia.it 20020517

> source: RIPE

>

> person: BBBEASYIP STAFF

> address: Via Val Cannuta, 250

> address: I-00100 Roma

> address: Italy

> phone: +39 06 36881

> e-mail: ripe-staff@telecomitalia.it

> nic-hdl: BS104-RIPE

> notify: ripe-staff@telecomitalia.it

> changed: net_ti@telecomitalia.it 20001019

> source: RIPE

>

> Awaiting your reply,

> Simon Frappell.

>

Beautiful fight back, SImo. I wonder what the “due disciplinary measures” are. I am looking to see if there is any further investigation of this issue. Please keep us updated. Thanks.

Easiest way – turn off Messenger service

The easist way to stop receiving this kind of message is to turn off Windows Messenger service. If you are running Windows XP, following these steps:

  • Click Start button on your toolbar.
  • Click Run…
  • Enter “Services.msc” (without quotation marks) and click OK.
  • Browse the list till you find “Messenger” in Name column
  • Right click and click “Stop” on the pop up menu. That is not all. If you don’t want the service to start the next time you start your computer, continue with the following steps:
  • Double click it. The Messenger Properties (Local Computer) dialog box comes out.
  • Choose “Disable” in “Startup type” drop down box.
  • Click OK.

Related

Golarger.com – NET SEND Spamer and Comment Spammer

When I opened my web server log today, I was surprised that many visitors are visiting my site via Yahoo! or Google just to find out who is golarger or golarger.com. (Yes! I intensionally didn’t hyperlink this URL since I don’t want to contribute more traffic to this spammer’s web site).

Why are people interested in golarger

It is obvious the 221 hits for searching the exactly the same term golarger is not just by chance that people happen to think about this term together. When the sudden increase of a word in my web log, I know something special happened. This is the case of golarger.com.

The truth is, golarger.com sent out Windows Messenger spam to a lot of people, asking them to visit their web site. I don’t know how many yet.

According to Work of Fiction, Brad Nugget received the popup box like this:

Message from GOLARGER on 2/15/2003 11:55:17 PM

www.golarger.com

www.golarger.com

www.golarger.com

We are the #1 MALE ORGAN ENLARGEMENT supplement on the web. We guarantee the success of our program or we will refund every penny. Come find out why more men AND WOMEN come to us than any other site.

Enlarge your member 1-3 inches in a matter of days!

www.golarger.com

www.golarger.com

www.golarger.com

Brad, sorry that I cannot link to the orginal blog entry on the site since the archive link on this site does not work when I visited

Someone even posted the Network Monitor result of the analysis here.

Bad. Very bad!

As always, I hate NET SEND SPAM of any kind. If you are interested, please see my previous blog entries (the pages enjoy the highest hit rate of my whole blog site) on NET SEND SPAM.

Why searching for golarger leads to my page?

I was asking the same question then. This is another bad thing golarger did. Under my page of Stoping Net Send Spam, James left a comment like this:

I mean, honestly… www.golarger.com should be the target of the next “Code Red”…

Posted by: James on February 14, 2003 02:25 AM

I did notice this entry but didn’t pay much attention to this one. Now, the discussion on golarger.com is not popular on Internet, my page became one of the only 4 pages on Internet which contains golarge at the time this entry is created.

James, the bloggerr comment spammer

Again, beside being a “NET SEND SPAMMER”, the lovely James has another title, blogger comment spammer – who sends their advertisement to blogger’s comment system. I used the term from this article.

The battle against Net Send Spam (NSS) just begins

I thought everyone is hating spam, but Mr/Miss/Mrs Marketer told me the opposite thing. He commented in ths comment entry that

So, what do you do when you go to your mail-box outside of your home? Do you beat up the postman when he delivers a piece of junk mail or do you go to court because you received the latest sales flyer from Radio Shack or maybe you call ABC and NBC when your favorite movie is on TV and here comes a commercial. I think not! This whole Spam Issue makes me sick and you should be ashamed of yourself.

Let people advetise…there is nothing wrong with it…it is how you got your website on one of the top search engine pages….OH!, Maybe you forgot that!!!…

I also replied the entry stating

However, net send advertisement directly popup on MY screen no matter what I am doing. It is just like someone jumping into my room and paint their advertisement on MY wall. I don’t care if he/she do it on his wall or on his friends’ wall – as long their friend is OK for that. But I am angry if I see these kind of popups….

Hot debate on net send spam

Many other people joined the debate on the topic of Net Send Spam under my page on Net Send Spam – Yet Another Type of Spam. It is very interesting to see how people think of the same thing diffenetly.

Marketer:

I hope that I was able to maybe shed some light on this subject and enable you to look through the eyes of an Online Marketer who earns just over $3,000 per month Online. This is my small income to support six children of which three are being adopted by my beautiful wife and myself….

Const:

In a word, i think such spamming in the cyber world is not ethical, although one might make a large amount of money from it….

Antimarketer:

Yeah, now this ass marketer is telling us that if he has 3 adopted children and 3 of his own, he has the right to spam. so now if i go an adopt 6 kids, and have six of my own, i guess i can go and kill too, because i will be making a meanie 3000 dollars to feed my kids. what an asshole this guy is, and how stupid can he become ?? …

Marketer

I am asking this board to please use another term

other than SPAM when addressing this form of advertising.

The word SPAM is incorrect, go and see for yourself. Spam relates ONLY to EMAIL…period!…

Reader:

Well, first I have to say that I agree somewhat with marketer.

You pay for cable or satellite to see your movies on tv, then they send you their advertisements that they paid for.

It’s pretty much the same with the internet. You paid for access, and someone else is paying to advertise where you can see it….

iX:

Some boastingly thought this sort of SPAM should continue. I don’t think so. There are certain types of Junk mail it is illegal to send, there are some forms of advertising on the Television that is illegal (subliminal), even though everyone has a TV and is capable to receive subliminal messages, it has been deemed illegal. Net Send messages take processing cycles and comsume memory and network bandwidth, which means I have fewer resources to perform more effective functions. Ditto to Web Popups and Popbacks. These things consume resources and are unsolicited advertising….

Graeme:

In response to the pro spam ad post by Marketer, the patronising attitude of telling me to click “that little x” is not appreciated. Having to close the pop up is not the problem here, it’s the intrusive nature of the advertising. What right does anyone have to force a box with their useless little message onto your screen. Not only is it annoying, but it can potentialy destroy someones work….

anon:

Opt-in email advertising is not only ethical but also appropriate for small business owners in today’s internet society.

I could go on for a while – but I think that my point has been made – IF YOU DON’T WANT TO RECEIVE THE MESSAGES – THEN TURN THE OPTION OFF….

SpamBlows:

We don’t like it. If you love spam so much give us all your ip address, and we’ll spam the hell out of you, and we’ll do it using a dynamic IP…how do you like them apples?…

Ryan:

my friends and i have used net send for years at the university we attend. i was shocked to find out that people have began using such a useful tool as a means of mass advertising. i would like to point out to the readers out there that these people CLAIM to pay thousands, and if they are foolish enough they actually may, but in fact anyone with an extra 15 minutes can send these spam messages to every ip in the world for free….

Want to be heard of what you think?

You can view the full text of the discussion under this page:

I also welcome you to join the discussion to be heard – this is the first place every body goes if they search for “NET SEND SPAM” in Google, Yahoo! or MSN, at the time when this blog is written.

Let People Advetise…There is Nothing Wrong with it

Today, I saw a pro-spam comment posted on my entry of “Net Send” – Yet Another Type of Spam. Here is the quote:

So, what do you do when you go to your mail-box outside of your home? Do you beat up the postman when he delivers a piece of junk mail or do you go to court because you received the latest sales flyer from Radio Shack or maybe you call ABC and NBC when your favorite movie is on TV and here comes a commercial. I think not! This whole Spam Issue makes me sick and you should be ashamed of yourself.

Let people advetise…there is nothing wrong with it…it is how you got your website on one of the top search engine pages….OH!, Maybe you forgot that!!!

Click here to see full text of the comment.

Very good comment, isn’t it?

This comment helped me to further realize the diversity of the world. At first, I was astonished to see there are some one like Marketor who thinks highly of NET SEND – let me avoid to quote it as spam for a while. I also see how angry he/she was when I call NET SEND spam. These are two different ways of thinking the same thing.

To be honest, this message is a little bit offensive when he asked Didn’t they teach you in school to CLICK YOUR DELETE Key or that little x that is in the top right hand corner of the pop-up. But I am happy that there are some discussion around this, from another persepective.

PS…How long will you leave this message on your board?” asked Marketer.

Why not keep it? I am not the one who will delete negative comment immediately. I will leave it as long as my site is still there.

But I still think net send advertisement is spam

So, what do you do when you go to your mail-box outside of your home? Do you beat up the postman when he delivers a piece of junk mail or do you go to court because you received the latest sales flyer from Radio Shack or maybe you call ABC and NBC when your favorite movie is on TV and here comes a commercial. I think not! This whole Spam Issue makes me sick and you should be ashamed of yourself.

It is true that I, and most of us, accept commercial on TV. Although nobody turned on TV just for commercial, we can accept it since it is still reasonable for the advertiser to pay for the movie. We see the movie since someone paid. It is the same for junk mail in my mailbox – I mean post-mail box.

Please Remember to bring a SHOT-GUN with you the next time you are driving in a city and you see a sign on a building that is advertising that particular business and then take perfect aim and blow a whole in it. This way you can go to jail for a while and leave hard working people alone.

It is also acceptable since the advertiser paid the building for the advertise. I don’t care unless the ad is too ugly.

However, if the advertisements go furthure, extend outside the boundary they should be kept within, and enter my personal boundary, I will think it as spam. That is, if someone goes into my house and put the flyer on my desk when I am working, when they paint the advertisement on the white wall of my guest room, if someone seize me tightly and force me to listen to him how good the product is, no matter whether I am walking on the street or having my dinner – I believe they are outside the boundary of acceptable advertisement and should be treated as spam.

Why net send advertise steps out side the boundary?

Online advertisement is not that offensive, since it is the reason why we get free resources. Popup advertisement is a little big annoying, but it is ourselves who want to visit a web site and we need to accept it.

However, net send advertisement directly popup on MY screen no matter what I am doing. It is just like someone jumping into my room and paint their advertisement on MY wall. I don’t care if he/she do it on his wall or on his friends’ wall – as long their friend is OK for that. But I am angry if I see these kind of popups.

Please continue to discuss this

Please continue to post comment to express what do you think of this matter.

Flighting back for NET SEND SPAM

I talked about NET SEND SPAM and methods to stop it later. Now it is the time to fight back.

Who sent the spam?

“What is the IP address of the spammer?” You probably eager to know. Well. It is not easy. It is almost impossible to get the IP address of the sender. If you are very technical and want to know more about the details, please read this article first.

Install a firewall

A better way than shutting down the Messenger service is to install a firewall. By install a firewall, you gain the follow benifit.

  1. You eliminate NET SEND SPAM and other kind of attack and virus.
  2. You log the IP address of all attackers so you can take actions to fight back.

There are handful of great personal firewall software available. If you are using Windows XP, you already have a firewall installed. It is called Windows Internet Connection Firewall (a.k.a. ICF). You only need to follow these steps to enabled it.

To enable or disable Internet Connection Firewall

  1. Open Network Connections (Click Start, click Control Panel, and then double–click Network Connections.)
  2. Click the Dial–up, LAN or High–Speed Internet connection that you want to protect, and then, under Network Tasks, click Change settings of this connection.
  3. On the Advanced tab, under Internet Connection Firewall, select one of the following:
    • To enable Internet Connection Firewall (ICF), select

      the Protect my computer and network by limiting or preventing access to

      this computer from the Internet check box.

    • To disable Internet Connection Firewall, clear the Protect my computer and network by limiting or preventing access to this computer from the Internet check box. This disables the firewall, your computer and network are then vulnerable to intrusions.

Source: Use the Internet Connection Firewall to Secure Your Small Network

Enable Firewall logging

This is a good article on how to enable firewall logging. After you enable the logging, you keep the record of all attack to your server.

Analysis the report

On of the easy way is to utilize myNetWatchMan. Follow the steps to register and download an agent. The agent will check the log file on your computer and send the attack information to the server. After aggregating all the report from many agents (about 5000+ currently), it will send abuse compliane to the network owner, thus prevent futher spam.

You can also check for yourselves. Here is an sample from my personal firewall log:

2002-11-08 21:38:25 DROP UDP 195.252.113.35 211.161.107.5 1026 137 78 - - - - - - -

If you find a lot DROP lines from a source while it indicates port is UDP 137, it seems like a spam.

Use this command in Command line (replace the IP address with the IP you saw in your log file

NBTSTAT -a 195.252.113.35

You will get return like this:

Local Area Connection:

Node IpAddress: [157.60.112.235] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status

===========================================

SPAM-01 <00> UNIQUE Registered

SPAM <00> GROUP Registered

SPAM-01 <20> UNIQUE Registered

SPAM <1E> GROUP Registered

MAC Address = 00-10-A4-BB-E2-C3

Note the last line: it is the MAC address of the spammer. MAC address is the serial number of a Network Interface card. It is burnt into the chip and cannot be changed. Unfortunately, there is no reliable way to narrow down to certain geographic location from IP address. But by know the MAC address, it is very solid evidence that the package is sent out from the computer of the MAC address owner.

We need more

The topic of NET SEND SPAM never stops. I will fine tune this article and replace some general concept to some resources and steps. I believe we need to unite to fight back to NET SEND SPAM.

Stop NET SEND spam

Update: Looking for what is golarger? See this entry. Feb 28, 2003

I talked about NET SEND spam in my previous blog. After that, I found this page become the first item in Google for net send spam. Many visitors hit this page via Google. I believe I share the responsibility to publish something that is helpful for the visitors to prevent this kind of spam.

Messenger service is dangerous

If you keep your Messenger service running, anyone can send you a message and it will pop up on your screen. Even the simplest program ever can drive you mad. Create a file named “NetSendSpam.bat” with the following three lines.

:sendspam

net send 127.0.0.1 How are you

goto sendspam

It keeps sending the same message to you again and again. You will face endless message box stating “How are you.” – Please do not try this script to anybody except yourself. To send spam is as easy as picking up a stone and breaking the store window, but everyone in this world should realize their responsibility and don’t abuse others.

Easiest way – turn off Messenger service

The easist way to stop receiving this kind of message is to turn off Windows Messenger service. If you are running Windows XP, following these steps:

  1. Click Start button on your toolbar.
  2. Click Run…
  3. Enter “Services.msc” (without quotation marks) and click OK.
  4. Browse the list till you find “Messenger” in Name column
  5. Right click and click “Stop” on the pop up menu.

    That is not all. If you don’t want the service to start the next time you start your computer, continue with the following steps:

  6. Double click it. The Messenger Properties (Local Computer) dialog box comes out.
  7. Choose “Disable” in “Startup type” drop down box.
  8. Click OK.

Update The equivalant method

Thanks to Docslax for pointing this out. There is another equivalant way to do this in Windows.

  • Start -> Run -> cmd.exe
  • Then type the following “net stop messenger” after which you’ll see “messenger service is stopping”.

To start it again for any reason open the command prompt again (Start -> Run -> cmd.exe) and type “net start messenger”

Now you can be assured that your world will become silent. No one can send you NET SEND SPAM again.

But wait, that is all

Please note: some alert services and system services like printing, rely on this service to function.

However, as I understand, there are two kinds of people using computers ?those in company or those at home. I believe most people surfer from NET SEND SPAM is home users connecting to DSL or Dial-up. For cooperate users, they need printers and file sharing functions, but they are more likely to be protected by corporate firewall. So my suggestion is, anyone who surfers from NET SEND SPAM to turn off the service using the step listed above.

You can also fight back

If you are using Windows XP or you have personal firewall product, it is even better to enable them. But enabling a firewall, you not only eliminate the chance to be attached by spam, you can also get the IP address of the spammer and you can fight back. I will talk more about this in my future blog.

Resources