KattyBlackyard IP: 89.28.14.35 in massive blog spam attack
by Brian Turner
A massive amount of web spam has been hitting the internet over the weekend, all sourced from a single user on an IP originating in Moldova.
Using the name “KattyBlackyard” and posting through the IP 89.28.14.35, the blog spam attack is one of the most extensive we’ve ever seen, with most if not all of our huge range of honeypots hit by the same comment over the weekend.
More than this, the same user has auto-registered at thousands of internet forums, regardless of whether they run vBulletin, phpBB, or IPB.
The IP 89.28.14.35 was first noticed as a source of spam four weeks ago by Project Honey Pot, and Stop Forum Spam also has a record of the different IDs and emails associated with spam from the IP.
The weekend’s spam attacks are the most extensive and comprehensive to date.
The following is the original message posted to blogs as a comment over this weekend:
Author : KattyBlackyard (IP: 89.28.14.35 , 89-28-14-35.starnet.md) E-mail : katty@ds4ns1ns2.cn
URL : http://www.google.com
Comment:
Hi, very nice post. I have been wonder’n bout this issue,so thanks for posting
A new message was released this morning, with the same details and single message “Original post by Dmitri Gromov”.
Perhaps more disturbing is that, unlike a lot of blog spam, which attempts to get links on blogs for SEO purposes, the only links so far from this profile are to Google.com.
The fact that the current wave of spam from this IP does not link to a spam site suggests it may be a reconnaissance pass: the blogs and forums that publish the comment are compiled into a list of targets for unrelenting spam attacks later on.
The surprise is just how extensive these waves have been so far, as if someone is making every effort to sniff out a huge chunk of the web, in order to catalogue every possible opportunity for publishing web spam.
The irony is that most blogs will not auto-publish the spam, and any that is published is almost certainly using the nofollow attribute to devalue the links for SEO purposes.
Comments
18 Responses to “KattyBlackyard IP: 89.28.14.35 in massive blog spam attack”
Had this spam in my blog as a comment, would have been impossible to know it was a spam attack without a small Google search to find you. Thx.
Any explanation of the suggestion that this is a “pre-attack”?
Yeah, I don’t understand it. Why would somebody spam sites and link to Google.com??
Am I missing something here? Isn’t the point of spamming to gain something from your efforts? What’s the point of all this? I have this stuff showing up on my blogs.
I just got this too – same IP and username but with “Hi, interest post. I’ll write you later about few questions!” I thought it was a bit unusual that they were linking to Google.com, so did a quick search and came across this article.
Here’s the WHOIS I get for KattyBlackyard
IP whois for 89-28-14-35.starnet.md
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: This output has been filtered.
% To receive output for a database update, use the “-B” flag
% Information related to ‘89.28.14.0 – 89.28.15.255′
inetnum: 89.28.14.0 – 89.28.15.255
netname: STARNETMD
descr: SC STARNET SRL
descr: Chisinau, Moldova
country: MD
admin-c: SA4929-RIPE
tech-c: SA4929-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
mnt-by: MNT-STARNETMD
source: RIPE # Filtered
role: StarNet Administrator
remarks:
address: SC “StarNet” SRL
address: 10, Calea Iesilor str.
address: MD2069 Chisinau
address: Moldova, Republic of
remarks:
phone: +373 (22) 844444
fax-no: +373 (22) 844445
remarks:
remarks: ———————————————–
remarks: SC StarNet SRL
remarks: ISP in Republic of Moldova
remarks:
remarks: General questions: info@starnet.md
remarks: Routing and Technical questions: noc@starnet.md
remarks: Last Update: 15.04.2009
remarks: ———————————————–
remarks:
remarks: +————————————————————–+
remarks: | ABUSE CONTACT: abuse@starnet.md IN CASE OF HACK ATTACKS, |
remarks: | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC. |
remarks: | !! PLEASE DO NOT CONTACT OTHER PERSONS FOR THESE PROBLEMS !! |
remarks: +————————————————————–+
remarks:
abuse-mailbox: abuse@starnet.md
remarks:
admin-c: OB1145-RIPE
tech-c: OB1145-RIPE
admin-c: DG3460-RIPE
tech-c: DG3460-RIPE
admin-c: VF1333-RIPE
tech-c: VF1333-RIPE
nic-hdl: SA4929-RIPE
mnt-by: MNT-STARNETMD
source: RIPE # Filtered
% Information related to ‘89.28.0.0/17AS31252′
route: 89.28.0.0/17
descr: SC STARNET SRL
origin: AS31252
mnt-by: MNT-STARNETMD
source: RIPE # Filtered
I’ve been getting the spam regularly.
Thanks for the information, I got this comment this morning and wasn’t sure if it was spam or not.
Thanks for the information, I’ve been attacked by this ##### spam. I’m really fed up with those bots or whatever it is..
Nice website, I’m bookmarking your site ;)
Sorry for my poor English, I normally speak French
I started getting this spam 4 weeks ago. The poster asked if he could copy the info from my site to his site and it seemed like a genuine request. I even wrote back and said it was okay to use my content.
The next morning, I see 1500 spam messages all about prescription medicine. I think this is a new trend, where the poster checks to see if his/her comments are accepted and then bombards the website with spam. I still get those initial spam comments, but don’t approve them, so I am under control now.
More here….
http://www.google.com/search?q=89.28.14.35
Hi, thanks for writing about this matter. I am also getting a few nice comments without any link, only the commenter’s website, which is Google, and with the same IP and same email address with different names, so what should I make of this?
Got it as well although we have our routers block off the IP address after getting a few of them from the same IP address within a certain amount of time. Typepad Antispam caught it fine as well.
The google link is probably a default for whatever software they’re using and they forgot to change it. Wouldn’t be the first time.
I own a blog and had about 8 or so comments when I noticed all were from the same IP 89.28.14.35, which led me here. I also found it strange that Google was listed as the website and the same username. I have since used IP deny from all accounts on my server. Nobody does something this big without a reason. My guess would be mass spam, OR if blogs and forums are accepting the spam, it could show potential security issues with other ‘careless’ settings to send out mass spam via nobody or an unsecured folder or something. IP deny 89.28.14.35 seems to have worked so far. No more of this user on my blogs.
I just saw the IP WHOIS. Thinking an idea is to block the entire range of 89.28.14.0 – 89.28.15.255. Not like the Republic of Moldova is high on my visitor stats anyway…
I was also confused by those comments initially. I approved a few and then started getting more and more. Super annoying. Won’t make that mistake again.
QWO9NI I think its good decision what he did.,
This is what I got on my blog. I did not allow it thnx to u.
KonstantinMiller
google.com
konstantine@info1a.cn
89.28.14.35
Submitted on 2009/07/06 at 7:36pm
Hello. I think the article is really interesting. I am even interested in reading more. How soon will you update your blog?
I have a very small blog, so already I’m intrigued whenever I am notified that a comment has been submitted. I never have comments automatically published without prior approval – a plus for removing any “instant gratification” that might arise from a perceived score. This new spam wave is cunning in its generic and realistic comments. Sometimes even the email address looks credible. The number one thing to always look at is the IP. Do a simple whois and find out which country it came from. If you’re like me, chances are your target audience is non-repressive, English-speaking regions/countries. So, this would exclude China, Russia, Moldova, etc. Not an automatic indicator, but a very good one if you have a small blog with only a handful of blog posts. Naturally, a red flag would be the altering of the referrer, and more specifically the lack of the customary URL parameters normally appended to a true Google search query. This means “http://www.google.com/” is not from a relevant search. Although, it is worth noting that some bots have been known to generate fake Google search URLs as their referrer using keywords found on the target site itself – very cunning.
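As an added example (not part of the original post or any commenter's words), here is a small Python scorer that encodes the indicators raised in this thread: the address block from the quoted RIPE WHOIS, a commenter URL that is a bare search-engine front page with no query parameters, and a burst of comments from one IP inside a short window (the router rule one commenter described). The sample comments are constructed from details quoted in the post; the window and burst thresholds are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Address block taken from the RIPE WHOIS quoted above: 89.28.14.0 - 89.28.15.255.
# Treated as a score contribution, not an automatic block.
SUSPECT_NETS = [ipaddress.ip_network("89.28.14.0/23")]

def bare_search_engine_url(url):
    """True when the commenter's URL is a search engine's front page with no
    query string; a genuine search referrer would carry parameters (q=...)."""
    if "://" not in url:          # comment forms often store 'google.com' bare
        url = "http://" + url
    parsed = urlparse(url)
    host = parsed.netloc.lower().split(":")[0]
    return host in ("google.com", "www.google.com") and parsed.query == ""

def ip_in_suspect_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETS)

def score_comment(comment, seen_by_ip, window=timedelta(minutes=10), burst=3):
    """Return (score, reasons). seen_by_ip keeps recent timestamps per IP and is
    pruned to the window on every call; comments must arrive in time order."""
    reasons = []
    if ip_in_suspect_range(comment["ip"]):
        reasons.append("ip in flagged range")
    if bare_search_engine_url(comment["url"]):
        reasons.append("bare search-engine url")
    times = seen_by_ip.setdefault(comment["ip"], [])
    times.append(comment["time"])
    times[:] = [t for t in times if comment["time"] - t <= window]
    if len(times) >= burst:
        reasons.append(f"{len(times)} comments from ip within {window}")
    return len(reasons), reasons

# Constructed sample: three comments matching the post's details and one ordinary one.
SAMPLE_COMMENTS = [
    {"author": "KattyBlackyard", "url": "http://www.google.com",
     "ip": "89.28.14.35", "time": datetime(2009, 7, 6, 19, 36)},
    {"author": "KattyBlackyard", "url": "http://www.google.com",
     "ip": "89.28.14.35", "time": datetime(2009, 7, 6, 19, 38)},
    {"author": "reader", "url": "https://example.com/blog?p=3",   # assumed legit
     "ip": "203.0.113.7", "time": datetime(2009, 7, 6, 19, 40)},
    {"author": "KonstantinMiller", "url": "google.com",
     "ip": "89.28.14.35", "time": datetime(2009, 7, 6, 19, 41)},
]

def run_sample():
    history = {}
    return [score_comment(c, history) for c in SAMPLE_COMMENTS]
```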
Hey Guys,
I actually had spam from this IP but under a different name (KonstantinMiller). Perhaps he/she knows that we’re on to them lol!
It’s good to know that I’m not the only one…
Possibly a professional spammer showing a potential client what we can do?