More Amsterdam Spam? from 212.95.54.38
November 17th, 2008
I just got spam in my WordPress blog. Nothing odd about that. But what is odd, is that I recently wrote a post about getting spam from Amsterdam from IP addresses like 94.102.60.152. I added the IP address to my blacklist and the spam is now getting caught by Akismet. But then tonight a strange thing happened…
I got spam from 212.95.54.38 and it looked a lot like the other spam. It had a fake looking author, a fake looking email, and a very short comment that said:
Hello. It is test.
So I looked up the Whois provided by WordPress:
http://ws.arin.net/cgi-bin/whois.pl?queryinput=212.95.54.38
Take a look by clicking on the link.
Now look at this one from the other spam:
http://ws.arin.net/whois/?queryinput=94.102.60.152
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
So what is this, an Amsterdam based spam organization? Anyone have any clue? I’m totally confused.
UPDATE:
The IP address is from Germany. But when I get an email from WordPress, it has this Whois info, and typically I click on it and it shows me the IP organization name - usually it matches the nameserver. It’s a bit confusing.
UPDATE:
So upon further investigation, I suppose clicking on the “Whois” link in the email that WordPress generates will lead you down the wrong path. I should have used what I always use to check Whois: http://whois.domaintools.com/, but I usually use that to check domain names, not IP addresses. So it’s not from Amsterdam, but from Germany. This tool is better for looking up IP addresses: http://whatismyipaddress.com. Sorry Amsterdam, my apologies.
--------------
J. Olkoski
Aldebaran Web Design, Seattle
Jill Olkoski has a BS in Engineering, a BS in Computer Science and an MA in Clinical Psychology. She delights in using her advanced technical and psychological skills to help small business owners develop cost-effective and successful websites.

November 17th, 2008 at 7:48 pm
Ahh, but RIPE is an internet registry: http://en.wikipedia.org/wiki/RIPE_NCC
What anti-spam programs are you running?
November 17th, 2008 at 7:51 pm
Hi Ari,
I’m not running any anti-spam programs at all on my computer. Just Akismet in the blog.
November 18th, 2008 at 1:01 am
If you google for RIPE Network Coordination Centre and spam, you can see results going back a few years.
The problem is RIPE is an internet registry and serves several countries. So, it can’t be blocked.
I saw a new RIPE-hosted IP address add spam comment: 195.149.90.86
November 18th, 2008 at 2:45 am
Hi Jill.
I got one of these this morning, exactly the same. I also got the earlier ones last week in a big splurge, 94.102.60.150-3 I think they were (they’re gone now).
A simple search always seems to pop up the Netherlands connection, as you’ve found, but if you use different whois tools from different places, you get a fuller picture, I’ve discovered. And yes, nearly everything seems to end up in St Petersburg or XIN NET! Or both!!
http://whois.domaintools.com/ give a nice big picture of things, and don’t forget spamtracker and Castlecops as two big resources.
I had a purge of my htaccess file recently following this lot as they’d by-passed Akismet & htaccess. I reckon that Akismet et al do such a good job with their database collection of spammers that blocking individual IP addresses is self-defeating in personal time and the actual performance hit on the website. So I whipped all the IP blocks out but left the rest of the stuff of course.
The link you provided to the WordPress documentation says it all really, in that you have to keep on the ball at all times and change your defences as the spammers/crackers are always morphing and developing. There’s no one solution for everything.
For me, SABRE works well for registration spam in addition to Akismet for normal comments. The French guy that wrote it is here
http://didier.lorphelin.free.fr/blog/index.php/wordpress/sabre/
BTW. You’re not Taurus are you?
Rees
November 18th, 2008 at 11:20 am
You’re using RIPE wrongly then .. it’s a database for European IP addresses, just like I have to use ARIN or LACNIC etc to find IP addresses from other countries. It doesn’t mean that there’s an Amsterdam based spam operation going on .. visit RIPE.NET and input the IP address and it’ll give you :-
inetnum: 212.95.54.0 - 212.95.54.255
netname: V3SERVERS-NET-967806
descr: v3Servers.net
country: BY
admin-c: SA4597-RIPE
tech-c: SR614-RIPE
status: ASSIGNED PA
mnt-by: NETDIRECT-MNT
mnt-lower: NETDIRECT-MNT
mnt-routes: NETDIRECT-MNT
source: RIPE # Filtered
person: Sogreev Anton
address: 12 Knez Mihailova
address: apt. 18
address: Belgrade
address: 11000
address: Serbia
phone: +1 619 684 2664
abuse-mailbox: [email protected]
nic-hdl: SA4597-RIPE
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered
route: 212.95.32.0/19
descr: ORG-nA8-RIPE
origin: AS28753
org: ORG-nA8-RIPE
mnt-lower: NETDIRECT-MNT
mnt-routes: NETDIRECT-MNT
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered
organisation: ORG-nA8-RIPE
org-name: netdirect
org-type: LIR
address: netdirekt e. K.
Kleyer Strasse 79 / Tor 14
60326 Frankfurt
Germany
phone: +49 69 90556880
fax-no: +49 69 905568822
admin-c: SR614-RIPE
admin-c: WW200-RIPE
mnt-ref: NETDIRECT-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
.. meaning that the spam operation is from an IP address in Belgrade - Serbia which uses an IP range hosted from a German server ..
There are several IP databases available to trace things ..:-
ripe.net - Europe
arin.net - N.America
lacnic.net - Latin America
AfriNIC.net - Africa
APNIC.net - Asia Pacific
Hope that helps .. cos you’ve gotten mighty confused LOL ;oP
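The comment above makes the practical point of the whole thread: the ARIN link in the WordPress notification only shows which regional registry holds the block (RIPE NCC, Amsterdam), while the RIPE database itself holds the inetnum, route, person and organisation objects that say who actually uses the range. The script below is an added example, not code from the post or from any of the commenters; it parses the RIPE "key: value" object format offline from a constructed excerpt modelled on the record quoted above, finds the inetnum covering a given address, and follows the admin-c and org handles to the contact and organisation objects. The sample text, the function names and the returned field names are all assumptions of this example.

```python
"""Parse RIPE-style whois output and locate the record covering an IP.

Added example (not from the original post). SAMPLE_WHOIS is a constructed,
abbreviated excerpt modelled on the RIPE reply quoted in the comment
above; a real reply would be fetched from whois.ripe.net.
"""
import ipaddress

# Constructed sample: RIPE objects are "key: value" lines separated by
# blank lines; lines starting with '%' are server comments.
SAMPLE_WHOIS = """\
% Information related to '212.95.54.0 - 212.95.54.255'
inetnum:        212.95.54.0 - 212.95.54.255
netname:        V3SERVERS-NET-967806
descr:          v3Servers.net
country:        BY
admin-c:        SA4597-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

person:         Sogreev Anton
address:        12 Knez Mihailova
address:        Belgrade
address:        Serbia
nic-hdl:        SA4597-RIPE
source:         RIPE # Filtered

route:          212.95.32.0/19
origin:         AS28753
org:            ORG-nA8-RIPE
source:         RIPE # Filtered

organisation:   ORG-nA8-RIPE
org-name:       netdirect
org-type:       LIR
address:        60326 Frankfurt
address:        Germany
source:         RIPE # Filtered
"""


def parse_whois(text):
    """Split whois text into objects: a list of dicts mapping key -> [values].

    A blank line ends the current object; '%' and '#' lines are skipped.
    Repeated keys (e.g. several address: lines) are kept in order."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # continuation or malformed line; ignored here
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def covering_inetnum(objects, ip):
    """Return the narrowest inetnum object whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    best, best_size = None, None
    for obj in objects:
        if "inetnum" not in obj:
            continue
        lo, _, hi = obj["inetnum"][0].partition("-")
        lo_a, hi_a = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
        if lo_a <= addr <= hi_a:
            size = int(hi_a) - int(lo_a)
            if best is None or size < best_size:
                best, best_size = obj, size
    return best


def summarize(text, ip):
    """Resolve the inetnum, its admin contact, the covering route and the
    LIR organisation for ip. Returns None if no inetnum covers the address."""
    objects = parse_whois(text)
    net = covering_inetnum(objects, ip)
    if net is None:
        return None
    addr = ipaddress.ip_address(ip)
    by_handle = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    by_org = {o["organisation"][0]: o for o in objects if "organisation" in o}
    route = next((o for o in objects if "route" in o
                  and addr in ipaddress.ip_network(o["route"][0], strict=False)), None)
    contact = by_handle.get(net.get("admin-c", [""])[0], {})
    org = by_org.get(route["org"][0], {}) if route and "org" in route else {}
    first = lambda o, k: o.get(k, [""])[0]
    return {
        "netname": first(net, "netname"),
        "country": first(net, "country"),          # country code on the inetnum itself
        "contact": first(contact, "person"),
        "contact_address": ", ".join(contact.get("address", [])),
        "org_name": first(org, "org-name"),
        "org_address": ", ".join(org.get("address", [])),
        "origin_as": first(route, "origin") if route else "",
    }


if __name__ == "__main__":
    for field, value in summarize(SAMPLE_WHOIS, "212.95.54.38").items():
        print(f"{field:16} {value}")
```

The three addresses the summary returns (the inetnum's country code, the admin contact's postal address and the LIR's address) are separate objects maintained by different parties, which is why one lookup can plausibly point at three places at once; the registry's own address, which is what the ARIN link showed, is not in any of them.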
November 18th, 2008 at 8:51 pm
Dear Tseug,
At least in this comment you didn’t violate the Discussion Rules like you did in previous comment you left on my blog. I appreciate your trying to help and suggest you tone down the hostility a bit. I believe this post was all about trying to understand something, and getting beaten over the head after you’ve already said you’re confused, doesn’t help.
November 18th, 2008 at 8:55 pm
Hi Strangely Perfect,
Whew, thanks for the nice comment. After that rant it’s nice to hear from someone friendly. Thank you for the additional resources. Yes, I’m a Taurus.
November 19th, 2008 at 1:49 am
Doh!
I’ve just checked your “about” page where you’ve explained everything perfectly.
We sort of adopted two almost feral kittens in Provence. We called them Capella & Aldebaran because of my astronomical bent! Space considerations forced us to leave Aldebaran and we took just Capella with us for a few months in our van on our French travels before we had to return to the UK. Because of UK quarantine regs, we had to leave the (now big) cat because of the cost. So we found Brigitte Bardot’s place in the north of France and tearfully left it there.
I don’t know why I’ve told this little tale here. It’s not connected apart from the name of the cat.
Tseug is a bit gruff and curt. But the info is right. Sometimes doing a whois isn’t straightforward as there’s no obligation for each organisation to pass any extra domain info to the rest. All they are required to do is serve names….I think! Because of this, the bad guys have registrations within registrations within registrations like a (somewhat appropriately) Russian Doll!
In a recent post on my site, I describe how I used “The Complainerator” to speed up this process. If you do this, make sure that you use an old spammers email address, not your good one - I detail what happened afterwards in a follow up. What happened was that I got bombarded by XIN NET who are obviously the lowest of the low and make no pretence about following the normal abuse channels that almost everyone else in the world adheres to.
Alternatively, it’s likely that there’s an already extant automation tool that will burrow down through the whois’s for you to speed up the manual searching, like The Complainerator but without the emailing. I haven’t looked for one yet.
Rees
November 19th, 2008 at 11:02 am
Hi Strangely Perfect,
That’s a shame about your cats. Great names though!
The Russian Doll analogy is really interesting - I was unaware that you could somehow layer registrations, other than perhaps buying from a reseller. Please feel free to add a link to your “The Complainerator” link on your site, I’d like to read it and so might others.
November 19th, 2008 at 1:28 pm
Hi Jill.
My original post is here: http://strangelyperfect.tv/1576/more-info-on-eurosoftware-eurosoftmarket-dot-con/ and there’s a follow up too. I’ve had several investigations like this over the last few months. By the continuing hits on these posts, people are obviously peeved by the continuing dross.
Like you, I’ve been trying to make some (personal) sense out of the deluge of drivel etc and to hope that it’ll give me a clearer understanding of how it all works.
The Complainerator is here: http://www.complainterator.com/download.html Follow through on the simple menu system for more usage links etc and to learn about the dark world of the international spammer…
You need to get a good grasp of what it’s doing before you use it. When I ran it, it took about five minutes to complete all the lookups and make mail messages - so it’s not frozen!
Keep well!
Rees