Livesearcher.com, a known spammers domain has now been suspended due to excessive spam activities. For almost a year now, the owners of the domain were using techniques such as hacking into forum boards around the world to lay the ground work for their advertising. They would either hack the domain server or just upload their content onto open unprotected sites and display their spam messages. These messages in turn would have a hyperlink associated with their spam messages that would either reroute the visitor back to livesearcher.com or thru to another compromised website that would have the links on that site, then linking back to livesearcher.com.

A recent article that was put out by ICANN reads as follows. The article was mirrored here to allow readers to fully digest and get the story. We wish everyone that is interested in it, please send in your comments or Comments on the Initial Report should be sent to fast-flux-initial-report@icann.org. Original artical can be seen at ICANN. Public comments sent to and received by ICANN, can be accessed at http://forum.icann.org/lists/fast-flux-initial-report

Background

Fast flux refers to rapid and repeated changes to A and/or NS resource records in a DNS zone, which
have the effect of rapidly changing the location (IP address) to which the domain name of an Internet host
(A) or name server (NS) resolves. Although some legitimate uses for this technique are known (see
below), it has within the past year become a favorite tool of phishers and other cyber-criminals who use it
to evade detection by anti-crime investigators.

As we enter into a new year of 2009, spammer are still trying to use websites to advertise their junk.  Any where from pharmaceuticals to pornographic materials are the top favorites.   These miscreants have been hacking into websites, to post their links to other websites, that advertise further.  The end website that actually displays the content, is what the spammer want you to see.  

Over the years, spammers have always used websites to convey their message to some degree or another.  This infiltration into the site owners property and hosting environment has by far been the most intrusive that a spammer or hacker can do to someone, and they do it without regard or remorse to whoever it hurts along the way.  Everyone is effected in one way or another, from the internet providers that the end user is browsing the net, to the host provider of the website, then all the way down to the website owner.  All of this ends up costing us all dearly, while the spammer has next to nothing to pay for while they use your equipment and services for free, to peddle their junk.

We are opening this site up to world wide participation in all supported languages.  If you wish to participate, and have difficulties in English, please post in your native language with a note at the bottom what language it is.  This way others can if needed, translate what you wrote.  We will make all attempts to translate your message into the English standard.

Recently I went thru my logs to clean them up as I do each end of month.  Good thing I noticed this spammer hitting my system at that very same time I was reviewing.  After comparing notes with a few other logs, I noticed a pattern emerging.  This dirty spammer was racking up almost 10 thousand page hits a day.  So I decided to actually go deeper into what they were doing, good thing I did.  They were trying to post to the site using various arguments to try and get by either the captchas, SLV, trackback or firewall.  This went on for several days.

So I decided enough was enough.  I looked at a good majority of the IPs involved and it turned out to only be two blocks located over in Belgrade Serbia.  Below are some of the details.

01/02/09 16:23:00 - Error, invalid username: 'Hypephishit' - IP: 92.48.114.82
01/02/09 16:23:30 - Error, invalid username: 'Hypephishit' - IP: 92.48.114.82
01/02/09 16:23:42 - Error, invalid username: 'Hypephishit' - IP: 92.48.114.82
01/02/09 16:23:49 - Error, invalid username: 'Hypephishit' - IP: 92.48.122.34
01/02/09 16:24:10 - Error, invalid username: 'Hypephishit' - IP: 92.48.122.34
01/02/09 16:24:24 - Error, invalid username: 'Hypephishit' - IP: 92.48.122.34

CastleCops terminates it services and shut down on Tuesday 23 December, 2008.  As written by a contributor of Slashdot.org, Fortran writes:

"Volunteer-powered anti-malware site CastleCops appears to have closed shop. As of Tuesday, December 23, the CastleCops home page notes: 'You have arrived at the CastleCops website, which is currently offline. . . . Unfortunately, all things come to an end.' It was reported back in June that Paul Laudanski, founder of CastleCops and its parent Computer Cops LLC, was taking a full-time job with Microsoft and was 'looking for new management' for CastleCops. The site has also long had problems with funding and with [2]hostile action from spammers. The actual shutdown seems to have taken the security community by surprise; as late as Tuesday evening Brian Krebs was still recommending CastleCops on his Security Fix blog."

Have you often wondered where the spam is being generated now, since the shut down of  McColo.com's internet access by their upstream providers?  Here is a great location to look at for a strong possibility.  We've traced a good chunk of it coming out of the Hollywood Interactive network located at  600 W. 7th Street, Ste. 360, Los Angeles, CA 90017.  They have the IP information:

With the downfall a few weeks ago of the major spammer hub on the internet, the spammers have come back with a vengeance.  They have been working relentlessly to fill up as many forum websites with as much spam postings as they can.  This also unfortunately leaves the website operators vulnerable to many different attacks after the spammer/hacker has infiltrated the website.   We have compiled a short lists of domain names that should be shut down.  The host providers should also terminate their accounts for the same reason as hosting a spam site.

1. ipafeed.com
2. ipadirectory.com

There are other domains that are affiliated with this group.  As we find more, they will be posted here as well as on our master list at http://www.spacequad.com/staticpages/index.php/KnownSpammerDomains

Spacequad AntiSpam Services has now introduced keyword search highlighting.  This was done to help users find what they are looking for faster when they do keyword searches.  Over the course of the next year we plan to introduce and roll out more features the community lets us know what they would like to see.

Please continue to offer new ideas to us, so that they may become available for others to use.  As always, we are open to new participation.  There is a forum area that everyone can submit their ideas to and be discussed.  You can find that in Special needs that Spacequad should have.