Another blog-spoofing domain

One more* to add to the list of comment-spamming, blog-host-faking domains, along with wblogs.com and blogstudio.net: bllogspot.com with a double L, as found in Sam Ruby’s comment feed (one of my favorite sources for finding spam domains and blocking them before they find me) with thehomelessguy.bllogspot.com.

* One more belonging to the same person, Alexander Morozov, comment-spammer extraordinaire, that is. I was so used to OnlineNIC’s whois being down I didn’t even think to look.

12 Comments

Comment by Sam Ruby #
2004-02-29 13:23:37

Thanks! I completely missed that.

I visited the website. Checked my apache logs. The comment was vaguely on topic in a ”going off on a tangent” sort of way. I thought I would give this entry the benefit of the doubt.

In retrospect, perhaps the fact that a homeless guy in Nashville Tennessee had posted with an ip address of ”ns.krasnogorsk.ru” should have set off some alarm bells.

Comment by SAM R #
2004-05-07 10:29:07

I got a call from these guys
866 422 4758
I called them it was a fax then I searched.
anyone know what is going on??
http://www.opensrs.org/archives/discuss-list/0312/0047.html

 
 
Comment by Phil Ringnalda #
2004-02-29 13:30:56

I really do need to get more serious about logging things: that IP address seems familiar to me, but I don’t know if it’s from my logs, your spam, or just that odd way that things in languages with lots of consonants look familiar to English-speakers even when they are very different words.

Comment by Jacques Distler #
2004-02-29 14:11:49

Or maybe it’s from this email I sent you:

From: distler@golem.ph.utexas.edu
Subject: Amusing search term
Date: February 22, 2004 1:43:14 PM CST
To: phil@philringnalda.com 
I just got my 8th spam comment in 19 weeks. What's amusing is the search term he came in on:
  ns.krasnogorsk.ru - - [22/Feb/2004:08:47:02 -0600] "GET /~distler/blog/index.shtml
  HTTP/1.1" 200 110326 "http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF
  -8&q=link%3Ahttp%3A%2F%2Fwww%2Ephilringnalda%2Ecom%2F" "Mozilla/4.0 (compatible; MSIE
  6.0; Windows NT 5.1)"
  ...
  ns.krasnogorsk.ru - - [22/Feb/2004:08:48:23 -0600] "POST /cgi-bin/MT-2.5/sxp-comments.pl
  HTTP/1.1" 302 - "http://golem.ph.utexas.edu/cgi-bin/MT-2.5/sxp-comments.pl" "Mozilla/4.0
  (compatible; MSIE 6.0; Windows NT 5.1)"
I guess that being associated with you has a certain cachet in blogspam circles.
Comment by Phil Ringnalda #
2004-02-29 14:18:02

D’oh! I don’t need a log, I need a brain. What a drag it is, getting, um, or never to have had a brain.

 
Comment by Phil Ringnalda #
2004-02-29 14:21:09

Ish. Looks like my lame display skillz for the [PGP] link don’t exactly approve of ending a comment with a block-level element other than a paragraph.

Comment by Michel Valdrighi #
2004-02-29 16:41:03

Maybe you could put that PGP link right after the poster’s name. This way you would never have to worry about blocklevel elements for that link. :)

Comment by Phil Ringnalda #
2004-02-29 17:08:08

That’s absolutely where it belongs. Unfortunately, right now it’s not a separate template tag/variable – it’s just tacked onto the end of the comment body, when the plugin decides that it needs to show the link. If it wasn’t bloody Perl, I’d have it yanked out of there already, and a patch on the way to Srijith. As it is, I’m hoping he’ll beat me to it ;)

 
 
 
Comment by Sam Ruby #
2004-02-29 14:54:11

A few minutes later (accounting for time zone differences) he was leaving spam at my site:

213.171.57.162 - - [22/Feb/2004:09:52:32 -0500] "GET /blog/1661.html HTTP/1.1" 200 5854 "http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=link%3Ahttp%3A%2F%2Fwww%2Ephilringnalda%2Ecom%2F" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

213.171.57.162 - - [22/Feb/2004:09:52:56 -0500] "POST /blog/ HTTP/1.1" 200 6233 "http://www.intertwingly.net/blog/1661.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

 
Comment by Phil Ringnalda #
2004-02-29 15:49:08

Um, yeah, yeah, me too! In fact, he spammed me so much he crashed my server! Yeah, that’s the ticket!

Well, actually, he simply seems to have been a big fan of my ”audacious comment spam hack” entry. And I see that OnlineNIC’s whois is finally back up, so we can see that in fact Alexander Morozov, failed comment-spammer, is in fact the registrant of not just bllogspot.com, but also wblogs.com and blogstudio.net. Which means that he’s also capable of commenting through Sprint and AOL, so one wonders why he switched to using his more memorable and recognizable .ru?

 
 
 
Trackback by Computer Toaster #
2004-03-01 00:01:25

Comment-spamming domains

Phil Ringnalda has a list of comment-spamming, blog-host-faking domains….

 
Trackback by Ann Elisabeth's blog #
2005-01-31 16:12:28

Alexander Morozov back at it

Remember we talked about Alexander Morozov a long time ago? He was responsible for a lot of grief after targeting among others Movable Type blogs. He sent trackbacks full of bestiality and other porn links. When that got enough attention…

 
Name (required)
E-mail (required - never shown publicly)
URI
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <del datetime="" cite=""> <dd> <dl> <dt> <em> <i> <ins datetime="" cite=""> <kbd> <li> <ol> <p> <pre> <q cite=""> <samp> <strong> <sub> <sup> <ul> in your comment.