It was announced today that Richter and his high-volume E-mail deploying operation, OptInRealBig, have settled a lawsuit brought against them by Microsoft for the sum of $7million. While Richter continues to deny any wrongdoing, we all know that a settlement is essentially an admission of guilt. Were Richter’s data and equipment subpoenaed maybe they would have shown evidence of unsolicited and fraudulent spamming, potentially opening the doors for even more lawsuits and criminal charges. Better to just take the hit and hope the Microsoft legal squad backs off. It’s interesting to note that the settlement is contingent on Richter also dropping his bankruptcy proceedings, which could have allowed him to skip out on the bill.

This settlement comes on the heels of Richter being de-listed from ROKSO a few weeks back, having sworn some months before that he had gone legit and now deploys his high-volume E-mail only to confirmed opt-in recipients. After passing the requisite period with no new reports, Spamhaus guru Steve Linford announced the event to NANAE to a chorus of wary cheers and well-founded suspicions.

I’m not going to congratulate Scott Richter for slightly altering his shady and offensive business model in the face of fines, jailtime, and seething hatred from every computer owner on the globe. The man has done significant damage to the Internet and deserves to suffer a million indignities with a red-hot Garden Weasel. But on the whole it seems “Snotty Scotty” has indeed stopped spamming. See kids, death threats do work.

RewriteCond %{HTTP_REFERER} ^http://(www\.)?adminshop.*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*(-|.)poker(-|.).*$
RewriteRule .* - [F,L]

In the example, the first condition blocks traffic from a specific domain, while the second blocks any domain containing the keyword “poker”. Any hit that meets either of those conditions will get a 403 Forbidden error. I’ve got a pretty robust list but since the domains never seem to stay active for long I can regularly retire older rules. And, because comment spambots often bring along a forged referrer, this method effectively blocks both types of spam. The downside is that you can’t make the expressions too broad for fear of blocking legitimate links — e.g. it would be a very bad idea to blacklist referrers with the string “goo*”.

But this new dirty trick isn’t easily blockable because they’re legitimate blogs, not spam sites, and a random selection of them to boot. The IPs are always different (spoofed or open proxies no doubt) and the “browser” used seems to always be IE6 on Windows XP, so that rules out blocking the user-agent string. So I’m pretty much left to suffer the annoyance until it goes away.

What I don’t get is WHY??? What good can this possibly do? How does the spammer benefit from this in any way? I don’t post referrers publicly so they’re not getting traffic or googlejuice. I caught onto the trick after the second bogus link I saw in my logs, so I’m not even visiting the referring sites myself. I’ve only come up with two feasable theories:

1. The bot drops comment spam on someone else’s blog, then comes to my site passing along the previously comment-spammed URL in hopes that I’ll visit the referrer and see the spam comments. Tough luck, spammy, I’m not that dim.
2. The spammer has caught wise to the fact that blocking their spam referrers also blocks their comment spam, so they’re using this new approach to get their comment spambots through. And indeed I have had a sudden surge in comment spam, roughly coinciding with the referrer spam.

Hopefully it’ll die down soon when the spammer either tires of it or gets caught by a lynchmob who will string him up by the testicles and funnel sulfuric acid up his nose. With any luck he won’t get off that lightly.

Aloha,

I googled for “Guerra Communications” and found your article about that site being a huge scam.

Well, i did some more poking around, and got this big huge list of websites that are also hosted on that ip address.

You can view that list here: [link]

Have a good day, thanks for the info.

The ads have been increasing in frequency, and so has the search traffic to my post about them. Back then I had asked if there was an easy way to find out what domains direct to a particular server. Well now we know, thanks Mike.

Perusing the list of 1228 domains that share hosting at that IP, a pattern emerges… lots of domains referencing prescription medications, home business opportunities, debt consolidation, online degrees from DeVry and the University of Phoenix… gosh that sure looks spammy. Whois’ing the domains no longer returns Sam Guerra’s contact information as it did a few months ago, now it simply shows that they are almost all registered anonymously by AMNTV.com.

A traceroute reveals that the IP falls into a block controled by Global Crossing, considered to be a spam supporter for refusing to remove spammers from their network. Picking half a dozen random domains from the list and searching the NANAE archives didn’t turn up anything, but the whole thing is dirty enough to leave a bad taste in my mouth. Yet I just can’t resist the urge to dig deeper…

So first let’s see who this AMNTV entity is… sure enough, they’re a company that does “Pay Per Call” advertising on television, wherein the advertiser only pays a cut of the proceeds rather than paying for the airtime up front. They’re calling themselves REVShare now, and they’re the ones responsible for this lame commercial. Turns out they actually produced the ad on behalf of Guerra Communications/Prospect Performance and they even have a case study on their site (which I won’t be linking to, take that, Googlebot) about the campaign’s success. They’re claiming to have brought in 389,337 leads since the ads started running a year ago. 389,337 poor suckers who handed their information over to a network of scammers and spammers.

A little more digging and Googling uncovered the guy who designed the website, REVShare’s creative director, David Schooley. His portfolio lists a bunch of other “as seen on tv”-type sites he’s done, as well as numerous email campaigns. Jack Lalanne’s juicer, AbSwing, Pasta Pot Express, fire fighter coins… you guessed it, the man makes spam.

Some of the other links in Mr. Schooley’s personal porfolio point to jdrmedia.com. JDR Media is listed in the Spamhaus Register of Known Spam Operations (ROKSO). To qualify for a ROKSO listing, a spammer must have been kicked off three or more networks for email abuse. It’s a tenuous connection at best, but it certainly seems that AMN/REVShare has been dealing with spammers, if not spamming themselves.

Spammers are advertising on television.

Of course this isn’t really a deep revelation, but the detective work is fun in that sick-satisfying scab-picking way.

I’m a loyal user and supporter of Spamcop, a free spam blocklist and reporting service. When I get spam I run the source through Spamcop’s parser, which deciphers the headers and scrapes the body for spamvertised urls, and then allows me to send complaints to the ISP where the email originated as well as the webhosts of the sites linked to. In addition to sending these LARTs to the networks responsible, the servers get added to the Spamcop Blocklist to help other list users avoid getting spam from the same source.

Now, we all know that one should never ever respond directly to spam in any way, since that merely validates your email address as a target for more spam. But when forwarding spam to ISPs as part of a complaint, you can still be exposing your address to more spam. Some clueless ISPs merely pass complaints along to the spammers for list washing. Spamcop automatically munges reports for my protection, stripping my address from the headers and sending the report from an anonymous spamcop.net address. Should an ISP want to respond to one of these reports, mail sent to that anonymous address is safely forwarded to my actual address on file with Spamcop.

Evidently some clueless ISP I complained to merely passed that complaint on to the clueless spammer who in turn added a shiny new email address to his spamlist. So now I get email hawking a “Revollutionaary and new peenjs enlaargment devjce!” (actual subject line) forwarded to me via Spamcop.

I’m tempted to report this spam through Spamcop to see if I can start an infinite loop, but I’m afraid that might make the universe implode.

I’ve kept my address very private. I think less than a dozen people know it and it’s never appeared anywhere online. My guess is that this is a fairly massive dictionary attack against gmail. All the spams I’ve received have been sent to slight variations on my actual username, which gmail then forwards to me in a desperate flailing attempt to route seemingly misdirected mail. Luckily gmail seems to be catching it all and dumping it into my spambox rather than my inbox, but it’s still infuriating.

The honeymoon is over.