Please add your findings to this list to help admins combat this latest influx of spam
Last edited by PalePhoenix; 01-27-2007 at 03:37 AM.. Reason: inclusion
Some more to watch out for, some old some new.
*@faza.ru # masterhost.ru
Last edited by PalePhoenix; 02-18-2007 at 05:12 AM..
Last edited by PalePhoenix; 01-27-2007 at 03:31 AM..
Specifically targeting YaBB boards with pr0n, as reported at the YaBB Support Forum:
Last edited by PalePhoenix; 02-23-2007 at 07:19 AM..
This was on a YaBB board, and the software didn't pick up the IP.
Anyone seen spammers from this address:
(Yes, I know it's an info address, but not all info are spammers, one of my email addresses is an info one).
We've had two join within 24 hours and I'm pretty sure it's spam but can't find any evidence.
He didn't post on our forum, but a google search shows his first post to be:
Yes, it's spam.
A google search of 'babyfons.com' brings up several pages of the website appearing in profiles. A name which keeps appearing is 'vpromtek' - they don't post but have a wide taste in forums, registering on many, all around 18th Feb.
All typical spammy behaviour.
vpromtek also uses '@avrilka.net' as an email in one 'silent spam' profile - and a google search of that brings up some spam post in vpromtek's name.
I won't repeat it here - just google 'vpromtek' or '@avrilka.net' if you want to see it for yourself.
Just for information, babyfons traces back to:
Last edited by PalePhoenix; 02-23-2007 at 07:18 AM..
Mine's fairly comprehensive, but one occaisonally still gets in and it seems they're always using a Yahoo or Hotmail address.
The last one is present because I get a ton of the cell phone spammers and for some reason, about 1/3 of them have the word phone in their email address. I figure adding it wouldn't hurt too much given that not one of my real members has phone in their email address.
Last edited by PalePhoenix; 01-27-2007 at 03:34 AM..
Well this might as well be my first post
No need to welcome me, it's understood, and if you knew me, you wouldn't
Found this forum while looking EXACTLY for this kind of list, thanks.
I had an inclination to do just what PalePhoenix says, especially with all .info e-addresses.
Another clue we are noticing is that the birthday of January 1, 1980 are all non-legit regs.
AND here are a few more to the list (I'm sure there is at least one already listed, but I'm too lazy to check again
again, much thanks for the list.
I didn't see this one listed so I'll add
I recently had one register with a link and email address with xkje.com. So I googled xkje.com and I got tons of links to profiles on other message boards that all had xkje.com links as their website, no posts and "real" sounding names. The website link always has different words after the xkje.com, that are joined by hyphens. Some of the additional words seem fairly innocuous but others are obvious spam.
I had one get through today and post about 12 spam threads, fortunately one of my mods was on and rapidly deleted the threads. I banned the iqsearch.org domain after this.
Email: sixthnhorion at iqsearch.org
I had another iqsearch.org spammer join at the same time but they did not post yet, so I deleted them.
I've also had the atlas one mentioned above. I've banned the email domains he uses.
I had no email bans when I took over as admin a couple months ago, I know have about 2 dozen and add more everyday
Okay, add this guy to your bans. I googled his username and he's making the rounds on numerous boards within the past couple days.
dralex AT andgarden.org
he's promoting a "news" site and I noticed it comes up #1 on a search for his user name.
I have had a rash of names joining in the past few days that are similar. None of them have links in their profile which I find odd, and none have posted anything yet. They all have email domains that look like they would be spammer email domains. I have done some google searches on the usernames and I get no hits on the names. Most of my spammers seem to show up on dozens of MB profiles when I google the user names, but not these guys.
My theory is that either they are waiting and plan to spam the forums at some point or they are testing my email domain bans since I have banned numerous spammer domains. I did delete one of these names that contained the words "teen" and the nickname for Richard, I knew it couldn't possible be good. My gut says delete them all but I was curious to see if anyone here has seen these names or emails. Note they all follow a similar pattern and some contain the same words.
Basan @ youremailsoftware.org
Terhatedder32 @ superemailfree.org
Tedtardup91 @ dotfreeemail.org
Teentardtedan5 @ emailmandirect.org
Mosterteenup3 @ greatemailaccount.org
Tardanup56 @ emailmandirect.org
Basanteen59 @ totalemaildirect.org
We just got hit by a new wave of .ru spammers tonight and @web.de. The second one included someone who managed to post porm spam.
Here's a list:
marix99 @ web.de < -this was the porn spammer
bigbloger @ web.de
fwfxan @ xatqcxox.com
nep1924 @ pochta.ru
rapor1817 @ smtp.ru
opus490 @ pochta.ru
faza1717 @ fromru.com
rapor1819 @ hotbox.ru
opus489 @ mail15.com
rapor1818 @ land.ru
abcand @ inmail24.com
tom @ xxx-search.info
I had a suspicious poster named dara join and post a thread titled: My Las Vegas Vacation!?. The text started out like this:
I had no luck searching the name or domain but when I searched for the text of the post I found the exact same thing all over the place but with different usernames. There were no links in the post so I'm not sure how they are actually spamming, unless the plan was to come back and add links. The email was
ebani AT thatsthegame DOT com
I have also recently had two porn spammers from this domain:
I have blocked all .info and .biz links, in the way you have it written. I don't think it's bad to do because I couldn't find a single legit poster who used those domains. I still get lots of spam, but I at least don't get those ones you all have posted that use info or biz domains.
I don't know if this has been posted but our old spammer friends at gawab.com have started using gawab.comi.
I am also getting a lot of Italian and/or Spanish porn spammers lately. Everything is posted in Italian or Spanish but the links are pretty obvious what they are referring to, apparently "masturbate" is the same word in English and Italian.
here's a recent one;
onefortwotwentytwo AT yahoo.co.uk <-I'm seriously considering banning this domain.
And yet another penis enlargement spammer:
HerbalPeniss penispils AT tlen.pl
Last edited by PalePhoenix; 02-23-2007 at 07:25 AM..
I know that plenty of these have been mentioned but I'll put it up here anyway.
I figure if I add another one today:
iqsearch.org (online casino search)
I can use it as a launch platform to take exception to this
the BURNACOUPLEMORE.COM guy just hit me also with his pump and dump stocks bullcrap
Registration Service Provided By: NameCheap.com
Contact: support @NameCheap.com
Domain name: BURNACOUPLEMORE.COM
George Wells (email@example.com)
3000 Stone Park Blvd
Sioux City, IA 51104
George Wells (firstname.lastname@example.org)
3000 Stone Park Blvd
Sioux City, IA 51104
George Wells (email@example.com)
3000 Stone Park Blvd
Sioux City, IA 51104
Creation date: 23 May 2006 18:08:28
Expiration date: 23 May 2007 18:08:28
Last edited by PalePhoenix; 02-23-2007 at 06:45 AM..
I try to break down my banned email list into seven categories:
1) Free email providers that are unlikely to be used by legitimate forum members, but are frequently used among spammers (mail.ru, cashette.com, gawab.com, etc.)
Yes, I ban Yahoo addresses. If a Yahoo user wasn't a spammer, there were more often than not problems with validation emails ending up in junk mail boxes, full mailboxes, inactive accounts, and other things causing bounces and general mayhem. It was just too much work. Banning Yahoo eliminated Nigerian 419, cell phone/Nokia and private message spam. Most of my users have access to alternative email addresses -- their work or ISP address -- so they have options. Blocking Yahoo didn't hurt membership; the rate of new members remained about the same both pre-ban and post-ban.
Disclaimer: Most gawab.com and mail.ru users are legitimate, but the likelihood of one of those non-spamming registering on an English-language board are probably rare. If you run a Russian language-based forum, you'll probably have a much higher ratio of legitimate users to spammers with the Russian, Belarusian and Ukranian free email providers. Relative to new members, the number of spammers registering from mail.ru may seem small. If you run an Arabic site, blocking gawab.com and its associated addresses may hurt your prospective membership.
If you run a non-English site outside of an English-speaking country and you find that everyone that registers from aol.com is a spammer, it makes sense to ban the address, even though most AOL users that register on US boards will be legitimate.
2) Disposable spamhole-type accounts (dodgeit.com, sneakemail.com, spamgourmet.com, etc.) While these are only occasionally used by spammers, the main reason for banning them is that they are quickly forgotten by those using them for forum registration. If you're trying to contact a user with a spamhole address a year after they registered, they're probably not going to see your mail.
3) Spammer-owned domains that don't provide free email to the general public. This includes sites like burnacouplemore.com, freestuffo1.com, tradedoubling.co.uk, and the like. Addresses like this make up only a very small percentage of the users that register just to spam. The goofy domains like drugs-pills-casinos-wet-asian-teens-mortgage-refinancing-oem-software.biz and the like are usually only used once; I can't add every known domain like this to the list.
4) Top-level domains where there have been many spam-related registrations, and few no legitimate user registrations. For me, this includes:
The list of banned TLDs may vary from board to board, and country to country. Many ban .cn, .ph and .kr, but my site gets quite a few legitimate users from China, the Philippines and South Korea, with few spammers.
Yes, I know there's a few legitimate .biz and .info users. Still, why put up with the hundreds of spammers that will register from such domains, just to the convenience of the one legitimate user with such an address that may or register five years from now?
5) Email address keywords. These are words you see in an address or domain name that have a high correlation with spammers. The short list includes:
The last two categories are a personal email address blacklist, and a personal domain blacklist; people who aren't spammers, but still don't want around. These lists are fairly small.
Last edited by Cyburbia; 09-17-2006 at 02:46 PM..
The list won't stop most astroturfing/ashleeturfing-type spam ("Hey, check out this kewl band!!!11!!"). Much of that kind of spam comes from the unpaid "street teams" of Fanscape and other guerilla marketing firms. Users posting a certain number of verifiable messages to bulletin boards are rewarded with t-shirts, CDs, and other schwag. The street teamers usually register from their normal email accounts.
For that type of spam, you have to be savvy; look for new users hyping some band, TV show or Web site, but in an almost conversational style.
Last edited by Cyburbia; 09-16-2006 at 10:32 PM..
I've got several users on my board with [something]@[department].rutgers.edu addresses; apparently students and faculty at Rutgers University in New Jersey. As an experiment, I added .ru to the banned email lists, with "Aggressive Email Banning" enabled, and tried to register a new account using "firstname.lastname@example.org address. The registration was blocked.
If you don't expect anyone from Rutgers to register, and you're unlikely to have any legitimate users from Russia, do a straight .ru block. Really, it stretches the bounds of political correctness to tolerate registration from hundreds of spammers, just to make it easy for that very rare Russian user that may or may not register for your board sometime in the next five years.
I catch hell over blocking Nigeria in my .htaccess file -- every IP range in the country, including satellite companies that serve Nigerian customers -- because "99% of all internet users in Nigeria are legitimate." That may be the case, but they're not the ones signing up on my message board; it's just the 419ers, private message spammers and Nokia spammers. I'm not going to deal with cleaning up hundreds of spam messages and banning hundreds of spammers just because someday, in the distant future, my site may see a legitimate user register from Nigeria.
Last edited by Cyburbia; 09-17-2006 at 02:37 PM..
I hope not everyone takes your cue and bans all yahoo accounts. Real people with valuable contributions make up many of OUR users, hell I think I'm registered to this forum with my yahoo account.
Anyway, got a few more with similarities
you all can make your own conclusions about what to ban.
# Block Nigeria. Yes, the whole damn country. <limit GET HEAD POST PUT DELETE> order allow,deny # Nigerian/African 419 Scammers IP addresses deny from 220.127.116.11/27 18.104.22.168/20 22.214.171.124/29 126.96.36.199/17 62.56.235. 62.56.236. 188.8.131.52/22 62.56.248. 184.108.40.206/20 220.127.116.11/19 18.104.22.168/19 22.214.171.124 126.96.36.199/19 63.70.178. 63.73.58. 63.100.193. 63.103.138. 188.8.131.52/26 184.108.40.206/22 220.127.116.11/29 18.104.22.168/25 63.122.154. 64.110.30. 64.110.31. 22.214.171.124/28 126.96.36.199/23 64.110.81. 188.8.131.52/28 184.108.40.206/28 64.110.147. 220.127.116.11/24 65.209.91. 65.209.92. 18.104.22.168/19 66.110.31. 22.214.171.124/29 126.96.36.199/28 188.8.131.52/24 66.178.55. 66.178.62. 184.108.40.206/29 220.127.116.11/29 18.104.22.168 66.205.20. 22.214.171.124/19 126.96.36.199/20 80.88.129. 80.88.130. 80.88.131. 188.8.131.52/26 184.108.40.206/27 220.127.116.11/29 18.104.22.168/26 22.214.171.124/27 126.96.36.199/28 188.8.131.52/29 184.108.40.206/25 220.127.116.11/26 18.104.22.168/29 80.88.136. 80.88.137. 22.214.171.124/25 126.96.36.199/26 188.8.131.52/27 184.108.40.206/25 220.127.116.11/26 18.104.22.168/27 22.214.171.124/28 80.88.140. 126.96.36.199/25 188.8.131.52/27 80.88.142. 184.108.40.206/24 220.127.116.11/23 80.88.146. 80.88.147. 80.88.148. 18.104.22.168/25 22.214.171.124/26 126.96.36.199/28 80.88.150. 80.88.151. 80.88.152. 80.88.153. 188.8.131.52/27 184.108.40.206/29 220.127.116.11/29 18.104.22.168/28 22.214.171.124/25 126.96.36.199/27 188.8.131.52/29 deny from 184.108.40.206/24 220.127.116.11/27 18.104.22.168/29 22.214.171.124/17 126.96.36.199/23 188.8.131.52/24 184.108.40.206/24 220.127.116.11/27 18.104.22.168/26 22.214.171.124/25 126.96.36.199/24 188.8.131.52/28 184.108.40.206/29 220.127.116.11/27 18.104.22.168/28 22.214.171.124/24 126.96.36.199/24 188.8.131.52/26 184.108.40.206/28 220.127.116.11/24 18.104.22.168/24 22.214.171.124/20 126.96.36.199/23 188.8.131.52/20 184.108.40.206/20 220.127.116.11/20 18.104.22.168/28 22.214.171.124/29 126.96.36.199/28 188.8.131.52/28 184.108.40.206/28 220.127.116.11/27 18.104.22.168/28 80.255.43. 22.214.171.124/29 126.96.36.199/28 188.8.131.52/29 184.108.40.206 220.127.116.11/24 18.104.22.168/20 22.214.171.124/24 126.96.36.199/24 188.8.131.52/27 184.108.40.206/27 220.127.116.11/25 18.104.22.168/24 22.214.171.124/25 126.96.36.199/29 188.8.131.52/21 184.108.40.206/20 220.127.116.11/20 18.104.22.168/16 22.214.171.124/24 126.96.36.199/24 188.8.131.52/22 184.108.40.206/24 220.127.116.11/23 18.104.22.168/22 81.199.84. 81.199.85. 81.199.86. 81.199.87. 81.199.88. 81.199.89. 22.214.171.124/24 126.96.36.199/23 188.8.131.52/22 184.108.40.206/22 220.127.116.11/21 18.104.22.168/17 22.214.171.124/23 126.96.36.199 188.8.131.52/18 deny from 184.108.40.206/16 220.127.116.11/18 18.104.22.168/18 22.214.171.124/21 126.96.36.199/23 188.8.131.52/18 184.108.40.206/23 193.189.128. 220.127.116.11/18 18.104.22.168/16 22.214.171.124/24 126.96.36.199/26 188.8.131.52/27 184.108.40.206/26 220.127.116.11/27 18.104.22.168/25 22.214.171.124/25 126.96.36.199/26 188.8.131.52/26 184.108.40.206/27 195.8.22. 220.127.116.11/21 18.104.22.168/21 195.137.13. 195.137.14. 22.214.171.124/19 126.96.36.199 195.166. 195.219.176. 188.8.131.52/20 184.108.40.206/22 220.127.116.11/22 18.104.22.168/20 22.214.171.124/23 126.96.36.199/18 188.8.131.52/21 184.108.40.206/22 220.127.116.11/20 18.104.22.168/20 22.214.171.124/20 126.96.36.199/19 188.8.131.52/25 184.108.40.206/24 220.127.116.11/19 18.104.22.168/21 22.214.171.124/20 126.96.36.199/18 188.8.131.52/18 184.108.40.206/24 220.127.116.11/19 18.104.22.168/24 209.88.163. 209.101.84. 209.159.164. 22.214.171.124/24 126.96.36.199/23 188.8.131.52/28 184.108.40.206/29 220.127.116.11/30 18.104.22.168/31 22.214.171.124/27 126.96.36.199/28 188.8.131.52/23 212.96.4. 212.96.28. 212.96.29. 212.96.30. 184.108.40.206/19 220.127.116.11/17 18.104.22.168/27 212.165.135. 22.214.171.124/29 126.96.36.199/26 188.8.131.52/25 184.108.40.206/24 220.127.116.11/26 18.104.22.168/26 22.214.171.124/24 126.96.36.199/24 188.8.131.52/24 deny from 184.108.40.206/24 220.127.116.11/24 18.104.22.168/23 22.214.171.124/23 126.96.36.199/19 188.8.131.52/19 184.108.40.206/21 220.127.116.11/24 213.185.112. 18.104.22.168/26 213.185.124. 213.187.135. 213.187.145. 22.214.171.124/18 126.96.36.199/24 213.232.96. 213.255.193. 188.8.131.52/25 184.108.40.206/27 213.255.198. 213.255.199. 220.127.116.11/21 18.104.22.168/28 216.129.159. 216.133.174. 22.214.171.124/28 126.96.36.199/28 188.8.131.52/28 184.108.40.206/28 220.127.116.11/24 18.104.22.168/26 22.214.171.124/27 126.96.36.199/26 188.8.131.52/24 184.108.40.206/24 220.127.116.11/24 18.104.22.168/24 22.214.171.124/25 126.96.36.199/24 188.8.131.52/26 184.108.40.206/27 220.127.116.11/27 18.104.22.168/26 22.214.171.124/28 126.96.36.199/24 188.8.131.52/24 184.108.40.206/24 220.127.116.11/26 18.104.22.168/27 22.214.171.124/24 126.96.36.199/20 188.8.131.52/25 184.108.40.206/25 220.127.116.11/29 18.104.22.168/29 22.214.171.124/28 126.96.36.199/29 188.8.131.52/29 184.108.40.206/29 220.127.116.11/29 18.104.22.168/29 22.214.171.124/29 126.96.36.199/29 188.8.131.52/24 184.108.40.206/29 220.127.116.11/27 18.104.22.168/20 22.214.171.124/20 126.96.36.199/28 188.8.131.52/28 184.108.40.206/29 220.127.116.11/27 18.104.22.168/26 217.146.5. 22.214.171.124/25 126.96.36.199/27 217.146.7. 188.8.131.52/25 217.146.9. 184.108.40.206/25 220.127.116.11/25 217.146.12. 217.146.13. 18.104.22.168/25 22.214.171.124/25 126.96.36.199/27 188.8.131.52/29 184.108.40.206/22 220.127.116.11/20 18.104.22.168/27 22.214.171.124/28 126.96.36.199/29 # Pan Am Sat: Nigeria deny from 188.8.131.52/19 184.108.40.206/29 # New Skies Satellite Service: UK (provides service to Nigerian cybercafes) deny from 220.127.116.11/17 # Versatel: Netherlands (provides service to Nigerian cybercafes) deny from 18.104.22.168/22 22.214.171.124/21 126.96.36.199/22 82.93. 188.8.131.52/14 # Goldenlines.net.il: Israel (provides service to Nigerian cybercafes) deny from 184.108.40.206/24 # Teleglobe: Canada (reassigned IP blocks to Nigerian cybercafes) deny from 220.127.116.11/24 18.104.22.168/24 # Sky-Vision: Cameroon deny from 22.214.171.124/18 126.96.36.199/20 # Netdish S.p.A.L.: Italy (provides service to Nigerian cybercafes) deny from 188.8.131.52/24 # Net Planet Earth Limited: Cyprus (provides service to Nigerian cybercafes) deny from 184.108.40.206/18 allow from all </limit>
Last edited by Cyburbia; 09-18-2006 at 01:39 PM..
this started hitting pretty badly within the past few weeks on 3.5.4
time to upgrade to the latest vbulletin.
email: frl @vaosoft.com
seems to be a variant of clubcontrol @vaosoft.com
which spams message boards advertising their internet cafe software.
220.127.116.11 (delaware, usa) - guessing it's a zombie pc
Last edited by PalePhoenix; 02-23-2007 at 09:42 AM..
I'm seeing myway.com associated with a lot of Nigerian 419 and Nokia spam elsewhere online. I searched through my user database, and didn't find anyone with a myway.com address. I just added it to my ban list.
|Currently Active Users Viewing this Thread: 1 (0 members and 1 guests)|
|Thread||Thread Starter||Forum||Replies||Last Post|
|.ru email addresses||jcerious||Members & Staff||71||12-20-2006 01:14 PM|
|Damage limitation from forged from: addresses in spam?||Alex Apple||Site Security||7||09-22-2006 08:58 PM|
|Spam email list||rasp||Members & Staff||10||06-01-2006 11:43 AM|
|Re-validating email addresses||cinq||Members & Staff||14||12-30-2004 12:09 AM|