This spammer who seems to go by the name of Sid Wongvorakul has many domains and is using a fake forum to cause innocent visitors to spam guestbooks for his domains using an exploit in IE. He uses many spammy techniques and has lots of near identical sites all pointing to his main site (baikalguide.com) which appears to be banned already.
Ann and I have been blogging about him:
http://spamhuntress.com/2005/04/27/googlepray/
http://chongq.blogspot.com/2005/04/googlepray-tricks.html
http://spamhuntress.com/2005/04/29/googlepray-spammer-hits-back/
http://chongq.blogspot.com/2005/04/googlepray-unhappy.html
http://spamhuntress.com/2005/04/29/googlepray-injoke/
He has replied on her comments and has been stealing her text and others' to spam with.
These are other domains he owns; most are used for running the exploit or are being spammed for.
Question to Joe or Ann (or both of you). I found hits in my logs coming from the host freeyaho.com. Here's an example:
freeyaho.com - - [04/May/2005:12:08:11 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
freeyaho.com - - [04/May/2005:09:55:37 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
freeyaho.com - - [04/May/2005:09:39:54 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
freeyaho.com - - [04/May/2005:09:13:56 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
freeyaho.com - - [04/May/2005:09:13:41 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
What is this? It's obviously not referrer spam. These are GET requests so these aren't spamming attempts either. Any idea what is going on?
– Manni
I don't have a clue what he could be trying, but this spammer is obviously really weird. Were those the only pages he was requesting? Could be he is just hitting the site for no reason but to annoy us. – Joe - 2005-05-05 08:23 UTC
How many times did he try and hit that page? – Joe - 2005-05-05 11:39 UTC
That spammer is just weird. He'll do anything to annoy. - Ann
Yep, The Preacher got 26 identical posts consisting of his own URL. – Joe - 2005-05-05 12:59 UTC
These entries:
freeyaho.com - - [04/May/2005:09:13:41 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
He downloads your page and copy-pastes your text into his page - it then appears as short text in Google search results, making users think that your page and his page are similar → "Look it's the same page - let's click"
– Lemat
He recently started to do that a lot now to us and several other sites that let people know he is a spammer. I don't think he really expects people to believe him, he is just doing things to try and annoy us. He has reportedly hit one place with a Denial of Service attack. From various sites he hits our wiki very frequently too for no apparent reason. See the forum announcement on him. – Joe - 2005-05-17 21:40 UTC
I have now denied access to his hosts that do the downloading. He already got some 50 403's in the last 45 minutes. – Manni - 2005-05-18 00:15
Any clue what he was doing? It doesn't seem to be a denial of service if it's that slow. – Joe - 2005-05-17 22:22 UTC
No clue. Just what Lemat said. Or what Ann said. All he did recently was download this page. – Manni - 2005-05-18 00:24
He is also visiting the wiki frequently though. I see three of his servers in the Recent Visitors list frequently. – Joe - 2005-05-17 22:30 UTC
He seems to use a different user-agent to visit the wiki. The .htaccess block I have in place will get him another 403 Denied, though. – Could he be aiming at Google with his copy-cat posts? Not increasing his page rank, but trying to decrease ours by posting copies? – Manni - 2005-05-18 00:44
He is obviously retarded if he is trying to do that. We already do that to ourselves because we list so many dirt bags like him. – Joe - 2005-05-17 23:17 UTC
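
Added example, not part of the original thread: a log summary for the pattern discussed above, where one host keeps re-downloading the same page with a library user-agent and no referrer, and later collects 403s once blocked. The first five sample lines are the entries quoted in the thread; the browser visit, the two 403 lines, the SCRIPTED list and the function name are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# First five lines are the entries quoted in the thread; the last three are
# constructed for this example (a browser visit and two post-block 403s).
SAMPLE_LOG = '''\
freeyaho.com - - [04/May/2005:12:08:11 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
freeyaho.com - - [04/May/2005:09:55:37 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
freeyaho.com - - [04/May/2005:09:39:54 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
freeyaho.com - - [04/May/2005:09:13:56 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
freeyaho.com - - [04/May/2005:09:13:41 +0200] "GET /baikal HTTP/1.0" 200 3436 "-" "lwp-trivial/1.41"
visitor.example.net - - [04/May/2005:10:02:10 +0200] "GET /baikal HTTP/1.1" 200 3436 "http://www.example.org/" "Mozilla/4.0 (compatible; MSIE 6.0)"
freeyaho.com - - [18/May/2005:00:01:12 +0200] "GET /baikal HTTP/1.0" 403 210 "-" "lwp-trivial/1.41"
freeyaho.com - - [18/May/2005:00:09:47 +0200] "GET /baikal HTTP/1.0" 403 210 "-" "lwp-trivial/1.41"
'''

LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
# Default user-agent prefixes of common HTTP libraries and CLI fetchers.
SCRIPTED = ("lwp-trivial", "libwww-perl", "wget", "curl", "python-urllib")

def find_repeat_fetchers(log_text, min_hits=3):
    """Group by (host, agent, path); report scripted clients that re-fetch a page."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # unparsable line or not a page download
        if not m["agent"].lower().startswith(SCRIPTED):
            continue  # looks like a browser; not the pattern in the thread
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        groups[(m["host"], m["agent"], m["path"])].append((ts, int(m["status"])))
    report = []
    for (host, agent, path), hits in sorted(groups.items()):
        if len(hits) < min_hits:
            continue
        hits.sort()  # chronological, so first/last are the observation window
        report.append({"host": host, "agent": agent, "path": path,
                       "served": sum(1 for _, s in hits if s == 200),
                       "denied": sum(1 for _, s in hits if s == 403),
                       "first": hits[0][0], "last": hits[-1][0]})
    return report

if __name__ == "__main__":
    for row in find_repeat_fetchers(SAMPLE_LOG):
        print(row)
```

The served/denied split shows how many copies of the page went out before the block took effect and confirms the client is still retrying afterwards.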