The German Spam Ring
Over the past few months I’ve been getting comments on this blog from Germans. Now, that’s great, especially since a lot of them are regarding sIFR. Something smells fishy, however. The sites behind these comments aren’t the typical sites you would expect from web developers, they are quite ugly and don’t seem to serve a real purpose. After seeing yet another weird comment today, I decided to dive into this a bit further.
We are dealing with the following domains and originating IP addresses (intentionally not linked):
- info-aerzte.de, from 212.23.126.1
- a-katalog.de, from 217.238.100.199
- 0am.de, from 212.23.126.6
- softsensive.de, from 84.139.122.75
- katulago.de, from 84.139.93.56
- restposten-zentrum.de, from 89.50.175.104, 89.50.175.82
- online-reisefuehrer.com, from 84.154.108.236
- afrika-start.de, from 62.159.35.170
- erfolgs-werkstatt.de, from 84.142.155.180
- themenrelevanz.de, from 84.178.2.131
IP addresses nicely listed:
- 62.159.35.170
- 84.139.122.75
- 84.139.93.56
- 84.142.155.180
- 84.154.108.236
- 84.178.2.131
- 89.50.175.104
- 89.50.175.82
- 212.23.126.1
- 212.23.126.6
- 217.238.100.199
Here are some sample comments:
Wow, never thought that it was so easy, fortunately we don´t have to work with this version….
Great job! Runs absolut fine with Firefox 1.5.0.7 xp sp2 german version.
The IE7 will display a few of my websites also in a different way than the new FF, but who cares….
Did you try to get the FF20? I tried to download it but the server was busy all the time. I am curious if there are new challenges for the web designer…
regards, Sandra
Most notably there are a number of comments with just one or two sentences, ending in a lot of periods. The level of English is lacking, too. (For the real German readers, I mean no offense!) Some commenters even post follow-ups. Considering how the comments fit the context, they are definitely typed by humans.
Looking through the WHOIS information for above domains gives some surprising results. Domains for which a guy named …… is the administrative contact:
- info-aertze.de
- 0am.de
- restposten-zentrum.de
The administrative contact for the domains above contacted me on December 28, informing me his sites were being spammed without his knowledge. I’ve redacted his name at his request.
Domains for which Werner Kaltofen of Neue Medien Muennich is the technical contact:
- 0am.de
- restposten-zentrum.de
- online-reisefuehrer.com
- erfolgs-werkstatt.de
Domains with kasserver.com as name server:
- a-katalog.de
- 0am.de
- restposten-zentrum.de
- online-reisefuehrer.com
- erfolgs-werkstatt.de
Softsensive.de does not appear to be registered, although it still works. The name servers for the other domains reveal nothing interesting, nor does there appear to be a connection the domains I just mentioned and the katulago.de, afrika-start.de and themenrelevanz.de.
There clearly is a connection in the WHOIS data between six of the ten suspected domains. The other domains appear to be connected through the style of the comments linking to them and the type of website found. It is, however, possible that I’m seeing ghosts. In any case, the links from the suspected comments have been removed, and I’m adding the following to my commenting guideline:
Non-contributing comments run the risk of being removed. Especially if the website seem “fishy”. Spammers, beware.
This is a huge reason why I don’t have comments on my site. They’re getting too clever for most automatic detection systems. A lot of comments might seem legit if only for their slight ambiguity.
Take a look at Ben Rockwood’s blog. This specific entry is an introduction to Solaris, yet the comments are generic spambot messages. If the article itself weren’t so specific I might think they weren’t spam at all.
Jared | 12 November 2006, 01:22 | link
“they are quite ugly and don’t seem to serve a real purpose” … now you got a real comment, from a real german webdev ;-)
christian becher | 19 December 2006, 22:30 | link
Christian, cool.
It’s crazy, really. I cleaned up some more I left behind when I discovered what was going on. Actually got a referrer from a search for sites linking to one of the spammers. The German version of the One Million Dollar home page left a spam comment as well.
Good thing sites with a German or Polish domain end in the moderation queue now… ;-)
And nothing against Germans! Heck, I live like 10 km from the border.
Mark Wubben | 19 December 2006, 23:17 | link
@ Mark Wubben
I don’t distinguish between real poster and spammer if the comment lacks enlightening contribution to other readers concerning the post or at least provides a question intresting to others. Mere “compliments” may come via eMail if someone feels the need to make a compliment about my work.
Threatening spammer with a bill for another stupid comment in one blog resulted in a question in another blog and clearly it smelled like spam, yet the contribution to the blog conservation in general was given, thus I decided to leave it.
It is annoying that these idiots (from any and all places on earth) share the same space in the universe yet there is little one can do.
As for robots. They are still pretty stupid. Simple text questions requiring a little human creativity to answer still do the trick nicely to prevent bot from filling online forms.
Silke Schümann | 21 December 2006, 19:22 | link
Hopefully the German spammers will start posting intelligent posts, then you will recognize the posts because they are much better than all the others ;)
Sorry bout the fact that I’m not really contributing to this post, I’m not a spammer I’m just another happyclogger.
Justin Halsall | 10 January 2007, 20:15 | link
@ Mark Wubben
I wonder if you contacted the hosting companies to let them know about the activities of some of their customers?
Neue Medien Muennich ist - as far as I know - a reasonable webhoster (as are Schlund and 1&1, which are hosting two of the above mentioned domains). NMM are hosting some of my domains as well as several of my clients’.
I sent an email today to NMM (as a concerned customer) to ask how they are dealing with
spam originating from domains hosted by them
their customers’ domains “being spammed without their knowledge”
Thanks for sharing the details!
Astrid | 11 January 2007, 09:43 | link
Hi Astrid, no I haven’t. The administrative contact who I described above did tell me the sites were being spammed without his knowledge or consent, I expect the same thing has happened to the other sites. I’ve ask him to tell his “promoter” to stop spamming me. The message above the comment form helped stop the remainder of the spam.
If it stays like this I’ll remove some of my measures (so your post doesn’t have to be moderated ;-)
Mark Wubben | 11 January 2007, 10:03 | link
I´m the webmaster of one of the sites you listed above and surprised that you think that my site belongs to the hardcore spammers of germany. If I leave comments ,and that happened not so often, they refer to the post. Trying to find out which german provider host the most spam sites makes no sense, because there is no certain spamhoster . One thing about ugly websites. The site you listed was one of my first sites that I made and the coding is really bad, but tastes are diffrent ;-))).
Thorsten | 6 January 2008, 13:03 | link
Hi Thorsten, thanks for dropping by. Suffice to say that at the time I wrote this post, I had gotten somewhat paranoid :)
Mark Wubben | 6 January 2008, 15:56 | link