September 18, 2004

Anatomy of comment spam script vendors: Emil Kacperski, Eugene Blagodarny and corporate helpers

One of the curious things about blog comment spam is how asymmetrical it is. When I've had my site spammed, it feels like a desecration. If you have ever had your house broken into, it is a similar feeling. It is as if someone has come into your house while you were out, defecated on the floor, ransacked through all your belongings, and made off with your valuables. I have read some pretty impressive rants from people after they've been hammered, and they seem to have a similar impression. It feels like a personal affront. But it isn't. It's just a script that somebody wrote that connects to a database they have populated. Spammers never see our rants and raves about their activities.

But who does write and sell these scripts? I have always been curious about what kind of scum writes and sells what must be increasingly sophisticated scripts, so when I noticed that my weblog was being hit repeatedly by a strange entry, www.php-soft.com, I wondered what it was and checked out the site. It turns out to be a vendor of comment spamming software. From the sales pitch at http://www.php-soft.com/advanced_blog_guestbook_messages_board_submitter (not using proper hyperlinks for what I hope are obvious reasons):

This is the perfect unique tool that quickly submits your information to any messages board/guestbook/blog or any other web script using the most effective technique and offers you fantastic opportunities for your web site promotion, increasing the link popularity of your web project.

The most effective method of increasing the link popularity of your site is to post to online messages boards, guestbooks and blogs (e.g. LiveJournal). I am very glad that we can introduce our messages boards/blogs/guestbooks submission software to you....

We have the biggest database of discussion boards, guestbooks, blogs with high page rank. Our advanced submitter is a set of php scripts which can easily be installed on your home PC or your hosting server. This software is useful for any kind of data submission.

You can fill the database with information using the following methods: manually one by one, from the list copied into textarea, from the textual file, gathering URLs using Google search engine (enter any script name [e.g. addpost.cgi] into URLs management tool and let our software add all such scripts URLs to your database with one button click), generate URLs list using special rules (regular expressions).

You can use any proxy services to post the data to a set of scripts. You will get more than 750 proxy servers in our software database.

You've a possibility to post unlimited count of data sets to any number of messages boards, guestbooks, blogs or other scripts with different submission form structure!

Our messages boards/guestbooks/blogs for this software has more than 15.000 items! This is the biggest database containing information about guestbooks/messages boards/blogs in the world!

When you click on the link for the Advanced blogs/guestbooks/messages boards submitter, you get taken to another site, www.advanced-submitter.com. That page has some interesting screenshots (available upon request) showing a novel use of the GoogleAPI, and a link to buy the software.

The first thing that I did was follow the money link. The software is being sold for $115 through what I had considered a responsible vendor, Share-It!. Just in case you want to share your opinion with Share-it about them selling what their catalog calls "Advanced blogs/guestbooks/messages boards submitter" software, you can contact them at:

ShareIt! Inc.
9625 West 76th Street, Suite 150
Eden Prairie, MN 55344
USA
Tel.: +1.952.646.5747 or +1.800.903.4152
Fax: +1.952.646.4552

Or use their customer service form, which I did, leaving the following message:

The product you are offering for sale, http://www.shareit.com/product.html?cart=1&productid=206923 (Product ID: 206923, Advanced blogs/guestbooks/messages boards submitter), is designed to send comment spam to weblogs. It is certainly unethical, and given the links to child pornography sent to my site, may well be illegal. It certainly isn't something that I would think your company wants to be associated with. I have posted more information on this product, the fraudulent history of the person who is selling it, and your connection with the product, at http://www.thebishop.net/geodog/. I ask you to remove this product from your catalog immediately.

Share-It is owned by Digital River, a large public corporation, symbol DRIV. Their customer service email form is a lot harder to get to, so if you would like to go straight to the source, you can call their Chief Financial Officer, Carter Hicks, at 952-253-8406, and tell him what you think of a company making money from weblog spam, or you can just send his office an email.

That was as far as I could get on the money trail, unless I wanted to start chasing through the underworld of porn referral fees, which I had no appetite for, so I turned to seeing what I could find out about the person selling the software: A Whois search of the first site name revealed:

Registrant:
PHP PERL
Straight ave.
London, LN 12345
Uganda

Registered through: GoDaddy.com
Domain Name: PHP-SOFT.COM
Created on: 26-Dec-03
Expires on: 26-Dec-04
Last Updated on: 21-Aug-04

Administrative Contact:
Blagodarniy, Evgeniy asm@vinc.ru
Grigorenka 39a, apt. 25
Kiev, Kiev 02140
Ukraine
679070349 Fax --

Domain servers in listed order:
NS5.ESTHOST.COM
NS6.ESTHOST.COM

Doing a reverse IP lookup on the domain shows an IP of 69.50.191.27. Obviously, most of this information is false, but the nameserver and IP address have to be real. Looking up the whois for that IP shows that the comment spamming scum is a little closer to home than Uganda -- right around the corner as a matter of fact.

OrgName: Atrivo
OrgID: ATRIV
Address: 200 Paul Avenue
City: San Francisco
StateProv: CA
PostalCode: 94124
Country: US

NetRange: 69.50.160.0 - 69.50.191.255
CIDR: 69.50.160.0/19
NetName: ATRIVOTECHNOLOGIES
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
Comment:
Comment: ## Comments listed here will appear in ARIN's WHOIS database.
RegDate: 2003-06-04
Updated: 2003-08-21

NOCHandle: EKA4-ARIN
NOCName: Kacperski, Emil
NOCPhone: +1-925-550-3947
NOCEmail: abuse@atrivo.com

OrgAbuseHandle: ABUSE658-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-925-550-3947
OrgAbuseEmail: abuse@atrivo.com

OrgNOCHandle: NETWO601-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-925-550-3947
OrgNOCEmail: abuse@atrivo.com

OrgTechHandle: EKA4-ARIN
OrgTechName: Kacperski, Emil
OrgTechPhone: +1-925-550-3947
OrgTechEmail: abuse@atrivo.com
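The lookup chain above (domain whois, reverse IP, then whois on the IP) is what a site owner repeats every time a new spam source shows up, and the useful bits of an ARIN record are always the same three: does the offending address actually sit inside the listed NetRange/CIDR, how big is that allocation, and which abuse mailbox the complaint should go to. The following script is an added example, not code from the original post, that parses the kind of `Key: value` text shown above into a dictionary and answers those three questions. The sample record is constructed from the fields quoted on this page (abbreviated); the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: an abbreviated copy of the ARIN record quoted in the post.
ARIN_RECORD = """\
OrgName: Atrivo
OrgID: ATRIV
Address: 200 Paul Avenue
City: San Francisco
StateProv: CA
PostalCode: 94124
Country: US

NetRange: 69.50.160.0 - 69.50.191.255
CIDR: 69.50.160.0/19
NetName: ATRIVOTECHNOLOGIES
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
Comment:
Comment: ## Comments listed here will appear in ARIN's WHOIS database.

OrgAbuseHandle: ABUSE658-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-925-550-3947
OrgAbuseEmail: abuse@atrivo.com
OrgTechEmail: abuse@atrivo.com
"""

# One "Key: value" pair per line; keys may contain spaces (e.g. "Registered through").
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 _-]*?)\s*:\s*(.*?)\s*$")


def parse_whois(text):
    """Parse whois text into {key: [values]}; repeated keys (NameServer, Comment) accumulate."""
    record = defaultdict(list)
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines, banners and address continuation lines carry no field
        key, value = m.group(1), m.group(2)
        if value:  # skip empty fields such as a bare "Comment:"
            record[key].append(value)
    return dict(record)


def netblock_contains(record, ip):
    """True if ip lies inside the record's CIDR prefix(es) or, failing that, its NetRange."""
    addr = ipaddress.ip_address(ip)
    for cidr in record.get("CIDR", []):
        for prefix in cidr.split(","):  # some registries list several prefixes in one field
            if addr in ipaddress.ip_network(prefix.strip(), strict=False):
                return True
    for rng in record.get("NetRange", []):
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        if lo <= addr <= hi:
            return True
    return False


def netblock_size(record):
    """Number of addresses the CIDR prefix(es) actually cover."""
    return sum(
        ipaddress.ip_network(p.strip(), strict=False).num_addresses
        for cidr in record.get("CIDR", [])
        for p in cidr.split(",")
    )


def abuse_contacts(record):
    """Distinct mailboxes from every *Email field, abuse contacts first."""
    keys = sorted(record, key=lambda k: (0 if "abuse" in k.lower() else 1, k))
    found = []
    for key in keys:
        if key.lower().endswith("email"):
            for address in record[key]:
                if address not in found:
                    found.append(address)
    return found


if __name__ == "__main__":
    rec = parse_whois(ARIN_RECORD)
    suspect = "69.50.191.27"  # the reverse-lookup result quoted in the post
    print("in allocation:", netblock_contains(rec, suspect))
    print("allocation size:", netblock_size(rec))
    print("report to:", abuse_contacts(rec))
```

Running it against the record above reports that 69.50.191.27 does fall inside 69.50.160.0/19, that the prefix covers 8192 addresses, and that the only mailbox on the record is abuse@atrivo.com. The same parser works on the registrar records further down the page, since they share the `Key: value` layout; only the field names differ.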

A little googling of Emil Kacperski's name and phone number turned up a legion of complaints about spam, including this gem from Security Focus:

Earlier this year an expanse of Internet address space belonging to the County of Los Angeles was put to some uses that had little to do with effective municipal governance. Some county addresses inexplicably began hosting porn websites, while others generated suspicious scanning activity that tripped intrusion detection systems around the net. And then there was the spam, suddenly oozing from the county's cyberspace like sludge moving down the Los Angeles river after a rain -- low-interest mortgages, bargain ink jet cartridges, an abundance of "sizzling teens" in adult situations.

It turns out the official records of the address block had been doctored, and L.A. County no longer owned the space -- at least as far as the rest of the world was concerned. All 65,534 addresses now belonged to one Emil Kacperski, the 20-something owner of a small unincorporated hosting company in Northern California. No one was more surprised than county officials, who'd been using the space on an internal county-wide network since 1995. "We found out when we got a call from some outfit overseas, saying they were being hacked and they investigated the IP address and it was one of ours," says Dennis Shelley, associate CIO for the county. "We followed up on it, and we found out that it had been hijacked."

Clearly, while weblog comment spam may be a new business to Mr. Kacperski, porn spam isn't. Just to confirm it, a reverse IP search on his site found several sites whose names I don't want to post on a family-oriented site, but which I have recently seen in comment spam, and which have the kind of content one would expect.

Next I did a whois search for the site that had the purchase link, advanced-submitter.com:

Registrant:
Eugene Blagodarny
info@php-soft.com
+38.0675555555
PHP/PERL Solutions
Kiev, Perova str. 39a
Kiev,KV,AU 02140

Domain Name:advanced-submitter.com
Record last updated at 2004-07-20 15:21:33
Record created on 2004/3/6
Record expired on 2005/3/6


Domain servers in listed order:
ns1.advancedhosters.com
ns2.advancedhosters.com

Administrator:
Name-- Eugene
EMail-: info@php-soft.com
tel --: +38.0675555555
org: PHP/PERL Solutions
Kiev, Perova str. 39a
Kiev,KV,UKRAINE 02140

Registration Service Provider:
name: Fast Internet Technology Inc.
tel: +380652547163
fax: +380652547163
web: http://www.hqhost.net/

Strangely enough, Eugene Blagodarny from the Ukraine seems to get his mail at the website owned by Evgeniy Blagodarniy in the Ukraine, the server for which just happens to be located in the Bay Area. A little googling shows that Eugene is promoting his wares at a number of sites, all of which lead back to php-soft.com. Could it be the same Eugene offering support for the forms submitter at http://www.php-soft.com/forum/read/7066?

A closer look at Eugene's site reveals the following meta description:

Pimentos company is a professional provider of web and software development, graphic design services as well as e-commerce and multimedia solutions.

A little more googling comes up with Pimentos' website, the information that they are a member of the Silicon Taiga Alliance and the Ukrainian Alliance of Software Developers, and that the going rate for their services is $10 per hour.

So what's the end result? I've had fun with the search, and I've identified what could be an immigrant from the former Soviet Union living in the Bay Area who has a history of running a business hosting pornographers, spammers, and sellers of spam tools, and who looks like he is continuing in his old business. With any luck I have made it a tiny bit harder for him to sell his scumware. I've identified what by the results seems like a good programmer from the Ukraine who is willing to create reasonably sophisticated scripts for $10 an hour that will submit comments and links to blogs. Does he care that the comments will deface people's writing? I haven't asked him, but I doubt it. Maybe he will comment here.

I have been very impressed with the quality of some of the shareware and freeware coming out of Eastern Europe and the states of the former Soviet Union. Keynote is the best 3-pane outliner I've used, and all my computers run nncron for scheduling. But I suspect that Mark is right, as long as there is all this talent available for $10 an hour, and as long as people in the West are willing to pay serious money for pornography and various drugs that supposedly enhance sexual pleasure and performance, we are going to have comment spam.

Posted by tbishop61 at September 18, 2004 03:46 AM | TrackBack
Comments

My apologies, but my web hoster has turned off commenting, due to a flood of obscene spam bringing the server to its knees. I hope to have this weblog transitioned over to Wordpress in the near future, so that I can have commenting up and working again. Until then, please feel free to send me your comments via my email contact form. Please ignore everything below this comment.

I received the following email today:

Dear Tim,
Thank you for making us aware of the situation.
We have contacted the publisher of the software and asked him for a statement and to deactivate this product within 48 hours. Otherwise we will deactivate this product immediately.
Please do not hesitate to contact us for any further question.
Sincerely,
Ekrem Obuz
Your share-it! Team

So hopefully I have made it a little more difficult for someone to make money inflicting misery on others.

Posted by: Geodog on September 20, 2004 11:08 PM

Hello,

Let's just say don't believe everything you read. Mind you that I control over 15K different IP's. Just finishing up the WHOIS server, so that each netblock will show the actual owner of the machine.

Your basic searches as you have done, would basically show any ISP as being the culprit while that is false.

It's like going to www.spamhaus.org and looking at the spam entries for Comcast, is comcast really the one sending the spam? Think not.

Anyway, I do apologize for my customers' actions; if anyone needs to contact me, please do!

Thanks!

Posted by: Emil Kacperski on September 27, 2004 01:53 AM

Emil,
I welcome whatever you would like to post telling your side of the story.

However, I will note that as of today, your customer Eugene is still selling the spamming script from his site on your server.

I have sent follow up mail to Share-it / element 5.

Posted by: Geodog on September 27, 2004 11:42 PM

While doing a search by this joker's aliases and following the money (much like you), I found this thread. What struck me as odd is that I've been here already today (by the way.. love what you are doing with Magpie :) )... anyway... I just pounded out a letter of my own. It seems that persons using this thing have been trying to gain entry into my site... tsk tsk tsk.... I'm sure the friendly customer service people (okay, that just happen to carry firearms) involved with Operation Web Snare are still interested in catching up with Mr. Kacperski, I'm sure they'll also be surprised to find a San Fran address associated with him, but who knows what that means (we are talking about a business that you can do from anywhere). Anyway... Thanks for the info, it was very informative and helpful.

Posted by: 64bitguy on September 29, 2004 04:34 AM

Hello,

What am I missing here? This seems to be a script that PHP-Soft wrote, and I am sure there are a lot of scripts out there like this. The sad part is that some of you have no idea what you're even looking at.
Every ISP on the planet has ARIN info displayed; love it how somehow I was linked to this software or even the domain. I'm probably one of the few people that actually answer abuse e-mails; you try to contact ComCast or ATT regarding an abuse and see how far you get.

Now if you actually know how to read the data from Arin, just "one" netblock I manage is:

NetRange: 69.50.160.0 - 69.50.191.255

Hmmm, considering that the above is 7650 IP's, and I manage a total of over 15K IP addresses, I feel that the occasional complaint that gets dealt with is pretty damn good.

And as far as people like you, "64bitguy", go: someone tries to do the right thing and you make him wonder if it's worth it. The WHOIS info for me is valid and always has been. Sure, it would be easy to fake it, but I actually try to make sure none of my customers abuse..

Posted by: Emil Kacperski on October 3, 2004 06:34 AM

Google search results for ATRIVOTECHNOLOGIES, apparently owned by Mr. Kacperski. This is just a few.

http://www.google.com/search?sourceid=navclient&ie=UTF-8&q=ATRIVOTECHNOLOGIES

http://www.slyck.com/forums/viewtopic.php?t=7142

http://methlabs.org/forums/showthread.php?t=1784

http://www.dslreports.com/forum/remark,9373511~mode=flat

It looks like the servers owned by Atrivo are being used for plenty of evil doings including CoolWebSearch hijacking.

Posted by: suzi on November 14, 2004 12:47 PM