Comments on: KattyBlackyard IP: 89.28.14.35 in massive blog spam attack

By: Internet Threat

Internet Threat — Mon, 24 Aug 2009 09:28:32 +0000

Possibly a professional spammer showing a potential client what we can do?

By: Shady

Shady — Tue, 07 Jul 2009 23:27:59 +0000

Hey Guys,

I actually had spam from this IP but under a different name (KonstantinMiller). Perhaps he/she knows that we’re on to them lol!

It’s good to know that i’m not the only one…

By: Don

Don — Mon, 06 Jul 2009 19:25:35 +0000

I have a very small blog, so already I’m intrigued whenever I am notified that a comment has been submitted. I never have comments automatically published without prior approval – a plus for removing any “instant gratification” that might arise from a perceived score. This new spam wave is cunning in it’s generic and realistic comments. Sometimes even the email address looks credible. The number one thing to always look at is the IP. Do a simple whois and find out which country it came from. If you’re like me, chances are, your target audience is for non-repressive, English speaking regions/countries. So, this would exclude China, Russia, Moldova, etc etc. Not an automatic indicator, but a very good one if you have a small blog with only a handful of blog posts. Naturally, a red flag would be the altering of the referrer, and more specifically, the lack of the customary URL parameters normally appended to a true Google search query. This means, “http://www.google.com/” is not from a relevant search. Although, it is worth noting that some bots have been known to generate fake Google search URL’s as their referrer using keywords found on the target site itself – very cunning.

By: Jaca

Jaca — Mon, 06 Jul 2009 18:47:26 +0000

This is what I got on my blog. I did not aloow it thnx to u.

KonstantinMiller
google.com
konstantine@info1a.cn
89.28.14.35
Submitted on 2009/07/06 at 7:36pm
Hello. I think the article is really interesting. I am even interested in reading more. How soon will you update your blog?

By: Leonidas Georgiou

Leonidas Georgiou — Mon, 06 Jul 2009 17:43:06 +0000

QWO9NI I think its good decision what he did.,

By: Principles

Principles — Fri, 19 Jun 2009 03:26:00 +0000

I was also confused by those comments initially. i approved a few and then started getting more and more. Super annoying. Won’t make that mistake again.

By: Anonymous

Anonymous — Wed, 17 Jun 2009 03:56:37 +0000

I just saw the IP Whois. Thinking an idea its to block entire range of 89.28.14.0 – 89.28.15.255. Not like The Republic of Moldova is high on my visitor stats anyway…

By: Anonymous

Anonymous — Wed, 17 Jun 2009 03:52:53 +0000

I own a blog and had a bout 8 or so comments when I noticed all from same ip 89.28.14.35, which led me here. I also found it strange that Google was listed as website and the same username. I have since used IP deny from all accounts on my server. No body does something this big without a reason. My guess would be mass spam, OR if blogs and forums are accepting the spam, it could show potential security issues with other ‘careless’ settings to send out mass spam via nobody or an unsecured folder of something. IP deny 89.28.14.35 seems to have worked so far. No more of this user on my blogs.

By: Dr. Mike Wendell

Dr. Mike Wendell — Tue, 16 Jun 2009 18:55:41 +0000

Got it as well although we have our routers block off the IP address after getting a few of them from the same IP address within a certain amount of time. Typepad Antispam caught it fine as well.

The google link is probably a default for whatever software they’re using and they forgot to change it. Wouldn’t be the first time.

By: Madhav Tripathi

Madhav Tripathi — Tue, 16 Jun 2009 12:38:09 +0000

Hi thanks for writing about this amtter, I am also getting few of nice comments without any link only commenters website which is google and with the same Ip and same email address with different names, so what should I mean of this.