Link Exchange Spammers Are Back Again!

Well, the link spammers never really went away, did they? Has anyone noticed a huge increase in the number of “link exchange” emails or is it that I’ve been added to a particularly busy spammer’s list? I just noticed that a few recent ones contained the text “emailsnomore(dot)com” so I’m going to add a Gmail filter to delete any emails containing that domain. You probably should too.

Hi,

My name is Daisy Gibson, Web Marketing Consultant. Ive greatly enjoyed looking through your site ocaoimh.ie and I was wondering if you’d be interested in exchanging links with my website, which has a related subject. I can offer you a home page link back from my related websites all in google cache and backlinks which are:

shawntierney(dot)com PR4
collectiveunconsciousltd(dot)com PR3

If you are interested, please send me the following details of your site:

TITLE:
URL:

I’ll add your link as soon as possible, in the next 24 hours. As soon as it’s ready, I’ll send you a confirmation email along with the information (TITLE and URL) regarding my site to be placed at yours.

I hope you have a nice day and thank you for your time.

Kindest regards,

PLEASE NOTE THAT THIS IS NOT A SPAM OR AUTOMATED EMAIL, IT’S ONLY A REQUEST FOR A LINK EXCHANGE. YOUR EMAIL ADDRESS HAS NOT BEEN ADDED TO ANY LISTS, AND YOU WILL NOT BE CONTACTED AGAIN. IF YOU’D LIKE TO MAKE SURE WE DON’T CONTACT YOU AGAIN, PLEASE FILL IN THE FOLLOWING FORM: emailsnomore(dot)com ; PLEASE ACCEPT OUR APOLOGIES FOR CONTACTING YOU.

The worst targeted spam ever!

I honestly thought that spammers had gotten smarter about making sure their emails were taken seriously. Even the most geeky and anti-marketing of developers will realise that big red and bold text, center justified, looks like something out of the last century. I hope for the sake of their business that they put more effort into their backup service.

This email, which I received twice in the last week, is just a joke. I would have immediately marked it as spam and forgotten about it but it mentioned WordPress and obviously my email address is on their list of WordPress bloggers. I wonder if they read my blog?

At least they didn’t CC everyone like an Irish guy did a few years back.

If you want me to look at your new service, write me a nice friendly email, address me by name, email me from your own email address, talk to me about something you’ve gleaned from my blog or my twitter stream so I at least think you’re a friendly individual and I may even check out your site.

Bah! Frapz spammed me!

I received a friend request from an oddly named character on Xbox Live the other day. Looked something like wwwwfrapzcouk with some odd characters thrown in here and there. They then spammed me. Grrr.

Rather embarrassingly for them, their website isn’t even set up correctly:

Friend removed, and complaint lodged. I don’t like unsolicited commercial messages. Especially on a social network.

Phishing in Irish

Well, this is a surprise. One of my .ie email addresses got a very targeted phishing email. It was so specific that it was actually written in Irish! It wasn’t directed at me, but at a list owner address at linux.ie.
I wonder if the spammers know how many Irish people could actually read their email easily? It’d certainly be easier for most people to read in English.

Aire

Tá mé an tUasal Patrick KW Chan an Stiúrthóir Feidhmiúcháin agus Príomh-Oifigeach airgeadais Hang Seng Bank Ltd, Hong Cong.
Tá mé togra gnó brabúsaí leasa choitinn a roinnt le leat;
Baineann sé leis an aistriú suim mhór airgid.
Fuair mé do tagairt i mo cuardach a dhéanamh ar dhuine a oireann mo chaidreamh gnó molta.
Má tá suim agat i obair liom teagmháil a dhéanamh liom mo trí r-phost príobháideach (mrpatkwchan52@yahoo.com.hk) le haghaidh tuilleadh sonraí

Dearbhófar do fhreagra túisce chun an litir seo a mhór.

An tUasal Patrick Chan
E-mail: mrpatkwchan52@yahoo.com.hk

I suppose it was bound to happen now that Google translates text into Irish. Well done to Gmail for marking it as spam!

Gooochi talks to /bc/123kah.php

This is weird: a huge number of POST requests started to hit the Shite Drivers website a few days ago. The requests came from lots of IP addresses and all requests went to the non-existent /bc/123kah.php.

The payload was an array that looked like this:

Array
(
    [showed] =>
    [clicked] =>
    [version] => 2.6.2.4
    [id] => c3b342beb6ad7adf39499e7a38f93c09f681611d
    [tm] => 1266855758
    [aff_id] => gooochi
    [net_id] => gooochi
    [safe] => 1
    [exceed] => 2505,2507,2582,2597,2602
)

So I presume it’s the Gooochi malware referenced in this search for that word. Strange that the infected PCs hit my server though.

The traffic was never overwhelming but I decided to put a stop to it with a simple deny from all in a .htaccess file. Much better than having WordPress serve up a 404 page.

I mentioned the 123kah.php file on Twitter and I’m not the only one to see these odd requests. I guess even malware has bugs! (which is all the more reason to keep your anti-virus software up to date if you use Windows)
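
One way to spot this kind of stray traffic in an access log, as an added example that is not from the original post. It assumes Apache combined log format; the log lines, IP addresses and three-host threshold are constructed for illustration. It flags any path that answers 404 or 403 (the status after a deny rule) yet receives POSTs from several distinct hosts.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines using documentation-range IPs, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Feb/2010:16:22:38 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
203.0.113.9 - - [22/Feb/2010:16:22:41 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
192.0.2.44 - - [22/Feb/2010:16:23:02 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
192.0.2.44 - - [22/Feb/2010:16:29:02 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [22/Feb/2010:16:23:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
198.51.100.23 - - [22/Feb/2010:16:24:10 +0000] "GET /old-page/ HTTP/1.1" 404 512 "-" "-"
203.0.113.80 - - [22/Feb/2010:16:25:00 +0000] "POST /xmlrpc-typo.php HTTP/1.1" 404 512 "-" "-"
"""

def stray_post_targets(lines, min_ips=3):
    """Return {path: (hits, distinct_ips)} for POSTs to missing or denied paths
    that arrive from at least min_ips different hosts."""
    hits = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ip, method, target, status = m.groups()
        if method != "POST" or status not in ("403", "404"):
            continue
        path = target.split("?", 1)[0]  # group by path, ignoring any query string
        hits[path] += 1
        ips[path].add(ip)
    return {p: (hits[p], len(ips[p])) for p in hits if len(ips[p]) >= min_ips}

if __name__ == "__main__":
    for path, (n, hosts) in stray_post_targets(SAMPLE_LOG.splitlines()).items():
        print(f"{path}: {n} POSTs from {hosts} hosts")
```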

Win a trip to Disneyland

I’ve got good news, and I’ve got great news! The good news is for spammers. The great news is for you.

The good news is that in 3 simple steps you too could win a trip to Disneyland:

  • Visit one of those sites that lists this blog as a dofollow blog (BTW – it doesn’t dofollow anymore)
  • Click on a link to my blog.
  • Have a great time in Disneyland!

The great news is that you can send those spammers to Disneyland too! Just take a look at the code in disney.txt and copy it into your wp-config.php (Put it right at the top of the file!) or into an auto_prepend file.

The $bad_referrers array is a simple list of offending sites that send you the most spammers. Add them in and when the spammer comes visiting they’ll be whisked off to Disneyland for a magical tour of the castle. (Hopefully they’ll meet an ogre who’ll take a fancy to them and lock them in the tower or something!)

I use my Comment Referrers WordPress plugin to tell me where comment authors come from but sometimes if they’ve browsed around my site (and the referrer is gone then), I search my logs for their IP address.

Yes, the above could be done with .htaccess mod_rewrite rules but this is more portable and I redirect to a Pretty Link shortcut so I can easily count the hits. No matter what I did I couldn’t get it to exclude the hit to the shortcut and it would redirect continuously.

Update! I added rewrite rules to send the spammers off. I’m sure these rules can be improved so leave a comment if you have any tips.

# Redirect visitors whose referrer matches one of the dofollow-list sites.
# Dots and question marks are escaped so they match literally; an unescaped "?" makes the preceding character optional, so the showthread URLs would never match.
RewriteCond %{HTTP_REFERER} theseomizer\.com [NC,OR]
RewriteCond %{HTTP_REFERER} seomizeme\.com [NC,OR]
RewriteCond %{HTTP_REFERER} revolutioners\.com [NC,OR]
RewriteCond %{HTTP_REFERER} rishabhsood\.net [NC,OR]
RewriteCond %{HTTP_REFERER} 011831068587400451950 [NC,OR]
RewriteCond %{HTTP_REFERER} backlinkmagic\.com [NC,OR]
RewriteCond %{HTTP_REFERER} www\.online-utility\.org/webmaster/backlink_domain_analyzer\.jsp [NC,OR]
RewriteCond %{HTTP_REFERER} forums\.digitalpoint\.com/showthread\.php\?t=1011238 [NC,OR]
RewriteCond %{HTTP_REFERER} courtneytuttle\.com/blogs-that-follow/ [NC,OR]
RewriteCond %{HTTP_REFERER} forums\.digitalpoint\.com/showthread\.php\?t=1006727 [NC,OR]
RewriteCond %{HTTP_REFERER} forums\.digitalpoint\.com/showthread\.php\?t=1003675 [NC,OR]
RewriteCond %{HTTP_REFERER} rasimcoskun\.com [NC,OR]
RewriteCond %{HTTP_REFERER} smartpagerank\.com [NC]
RewriteRule ^(.*) http://disney.com/ [R,L]

And in other news, Stephen Cronin created the comment warning plugin to warn visitors who come from predefined URLs like the dofollow lists above. Nice!

Why you should limit login attempts

Some idiot at 213.155.4.184 hit all my websites over the last few days trying to log in to my blogs. He fired off hundreds of automated requests probing and searching and testing my admin login. Each request had a different password. I use difficult to guess passwords but seeing the attempts was disconcerting.

I went searching and found the Limit Login Attempts plugin. After installing, a new page appears under Settings with a wealth of options:

I’m glad I did install it, it caught the same guy when he hit this blog a few hours later! You should probably install it too.
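
The lockout idea behind limiting login attempts, as an added example that is neither the Limit Login Attempts plugin's code nor the original post's. The class, the thresholds (4 failures within 5 minutes, 20-minute lockout) and the event list are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-IP lockout after too many failed logins inside a sliding window."""

    def __init__(self, max_failures=4, window=300, lockout=1200):
        self.max_failures = max_failures   # failures tolerated per window
        self.window = window               # seconds a failure stays counted
        self.lockout = lockout             # seconds the IP is refused
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def is_locked(self, ip, now):
        return self._locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Count one failed login; return True if it triggers a lockout."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()               # forget failures older than the window
        if len(recent) < self.max_failures:
            return False
        self._locked_until[ip] = now + self.lockout
        recent.clear()
        return True

    def record_success(self, ip):
        self._failures.pop(ip, None)       # a good login resets the count

def replay(events, throttle):
    """Replay (timestamp, ip, ok) login events; return refused attempts per IP."""
    refused = defaultdict(int)
    for ts, ip, ok in events:
        if throttle.is_locked(ip, ts):
            refused[ip] += 1               # rejected before the password is checked
        elif ok:
            throttle.record_success(ip)
        else:
            throttle.record_failure(ip, ts)
    return dict(refused)

# Constructed events: one host guessing every 2 s, one user with a single typo.
ATTACKER = [(1000 + 2 * i, "203.0.113.5", False) for i in range(200)]
USER = [(1010, "198.51.100.8", False), (1030, "198.51.100.8", True)]
EVENTS = sorted(ATTACKER + USER)

if __name__ == "__main__":
    print(replay(EVENTS, LoginThrottle()))
```

A per-IP counter like this does nothing against guesses spread over many addresses, and behind a reverse proxy the address seen may be the proxy's rather than the client's.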

PS. Matt asked me to explain how I recorded those requests. There is a WordPress plugin that sends an email when a POST request is made but I threw this code into a file and load it with the “auto_prepend_file” directive in my php.ini (saves adding it to every installation of WordPress on my server).

<?php
// Mails every POST except cron, comments and trackbacks; the mail includes submitted passwords and cookies. Reads php://input because $HTTP_RAW_POST_DATA was removed in PHP 7.
$raw_post_data = (string) file_get_contents( 'php://input' );
if ( ( $raw_post_data !== '' || !empty( $_POST ) ) && $_SERVER[ 'REQUEST_URI' ] != '/wp-cron.php?doing_wp_cron' && $_SERVER[ 'SCRIPT_NAME' ] != '/wp-comments-post.php' && substr( $_SERVER[ 'REQUEST_URI' ], -10 ) != '/trackback' && substr( $_SERVER[ 'REQUEST_URI' ], -11 ) != '/trackback/' ) {
    mail( "MYEMAIL@gmail.com", $_SERVER[ 'HTTP_HOST' ] . " POST request: " . $_SERVER[ 'REMOTE_ADDR' ], "URL: {$_SERVER[ 'REQUEST_URI' ]}\nPOST: " . print_r( $_POST, 1 ) . "\nCOOKIES: " . print_r( $_COOKIE, 1 ) . "\nHTTP_RAW_POST_DATA: $raw_post_data" );
}

Please help the World Health Organisation

I received a nice polite email from a man asking for my help last week. He was a bit cryptic but he replied this morning saying he works with the World Health Organisation.

Help the World Heath Organisation

Hi Donncha O Caiomh,
there is something to talk about , i want your assistance coz i work with W.H.O ( world health organisation ) and i bought some goods in state and i am in finland here for official purpose.
Will you kindly send me your address so i can send the goods to you and also maybe when am through with my official assignment i will come down there and collect the goods bought.
Pls kindly reply me so as to know what to do.
THANKS
JUNIOR BENRICHARD.

Oh the poor guy! He’s stuck in Finland and needs goods delivered? As I was about to reply with my full address, I remembered getting another email from him. He had contacted me about a post I wrote. That was last week when I was on holiday and I still haven’t got around to clearing out my inbox. I went searching and here it is:

electric car info

hi
yea i drive an electric car. i work with the car construction company. if you wanna know, kindly send me 3000usd via western union and i will get back to you as possible.
you can call me on +2348029479959. am junior by name.

Oh what a talented guy! He works for W.H.O. and for a car company! I don’t know if I want to know about electric cars that much. I mean, $3000? That’s a lot of money!

Oh, and Ben, since you’re subscribed to my blog, please get in touch again. The Irish Police want a word with you.

Edit (10/08/09) Ben has been in touch again:

Hi donncha, how r you nd everything, am off state and i some1 wanna send some money to my credit-card so as to collect and use it to pay my childs school fee. pls send me you details so as to send you the money nd you will only help me to western it to my child coz she is totally inneed of it.
am looking forward to see your reply
JUNIOR BENRICHARD.