Andrew Kartashov is a fat gambling addict with a small, limp penis
This is the only conclusion I can come to. I don't know Andrew Kartashov, but he seems pretty intent on helping others fill their needs in these areas; I can only guess he's motivated by his overriding need to help people like himself.
Andrew Kartashov runs a site called adsoft-development.com, which has been performing link-spam operations for several years. Yesterday and today they hit here, and here's the Analrapy.
UPDATE: I forgot I wanted to give props to the SpamHuntress for the cool Wiki-ized writeup. I don't think I could deal with this noise every day, since it seems so pointless and fruitless to fight it. Good work.
I allow anonymous posting here. I'd thought I had implemented CAPTCHAs, but probably didn't really test it, since no one comes here anyway. In any case, they're there now, so we'll see if they work. I'm not willing to block anonymous comments, simply because there is no user base and no incentive for people to sign up for an account here. I don't pretend to give people a reason to either. If you want to, great, the more the merrier: join, start a blog, make comments, whatever. If you want to post an anonymous one-off comment, great, appreciate it. That's kind of how it needs to be.
So yesterday morning, there was a relatively small number of new comments full of spam links to sites which will infect your machine with bots, trick you into sending your credit card info over the web in the clear (no encryption) to a site in Russia to buy drugs that probably don't exist. Drugs, Casinos, Insurance Quotes, that kind of thing. All meant to steal your personal info in one way or other.
I noticed then that 15 minutes before the relatively short "Test Run" (which was about 20 minutes long all told), my site had been thoroughly crawled by 74.86.176.75. This IP belongs to rr.com (Road Runner cable internet). If you do an nslookup on this IP, it has a reverse DNS mapping of tiger.adsoft-deveopment.com. That domain has no forward resolution (no A record). I assumed that this meant this is a Road Runner Business Internet connection: the only real reason to need a valid reverse entry is if you're sending mail. Most mailservers don't care whether your reverse entry matches a forward lookup, but they want that reverse entry to be there. It also means that's a static IP address, since rr.com wouldn't want to update their DNS every time some user's cable modem restarts.
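The reverse-then-forward check described above (PTR record present, but the name it points at has no A record back to the address) is easy to script so it can be run over every IP pulled out of a log. This is an added example, not tooling from the original post. It uses the standard library resolver for real lookups, but the lookup functions are injectable so the constructed sample data below (documentation-range addresses and made-up hostnames, not real records) runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) classification for an IP address.

Added example; not from the original post. Real lookups go through the
system resolver; the demo uses constructed, injected lookup tables.
"""
import socket
from typing import Callable, Dict, List, Optional

PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]


def system_ptr(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup via the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a(name: str) -> List[str]:
    """Forward (A) lookup via the system resolver; empty list when the name does not resolve."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def classify_ip(ip: str, ptr: PtrLookup = system_ptr, a: ALookup = system_a) -> Dict[str, object]:
    """Return the PTR name, its forward records and one of four statuses:
       fcrdns          PTR exists and its A records include the IP (well-behaved mail host)
       ptr-no-forward  PTR exists but the name has no A record (the case in the post)
       ptr-mismatch    PTR exists, the name resolves, but to other addresses
       no-ptr          no reverse entry at all (typical dynamic consumer address)
    """
    name = ptr(ip)
    if name is None:
        return {"ip": ip, "ptr": None, "forward": [], "status": "no-ptr"}
    forward = a(name)
    if not forward:
        status = "ptr-no-forward"
    elif ip in forward:
        status = "fcrdns"
    else:
        status = "ptr-mismatch"
    return {"ip": ip, "ptr": name, "forward": forward, "status": status}


# Constructed offline resolver data: placeholder addresses (RFC 5737 ranges)
# and invented hostnames, not real DNS records.
FAKE_PTR = {
    "203.0.113.10": "tiger.crawler.example",  # reverse entry, no forward record
    "203.0.113.20": "mail.good.example",      # proper FCrDNS
    "203.0.113.30": "host.other.example",     # name resolves to a different address
}
FAKE_A = {
    "mail.good.example": ["203.0.113.20"],
    "host.other.example": ["198.51.100.7"],
}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])


def demo() -> Dict[str, str]:
    """Classify the constructed sample addresses using the offline tables."""
    sample = ["203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"]
    return {ip: str(classify_ip(ip, fake_ptr, fake_a)["status"]) for ip in sample}


if __name__ == "__main__":
    for ip, status in demo().items():
        print(ip, status)
```

For real use, call `classify_ip(ip)` with the default resolvers. A `ptr-no-forward` result on its own proves nothing, but combined with a burst of crawling it is the kind of static, business-grade address the post is describing, and the PTR name is a useful pivot when writing to the ISP.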
So I mailed them and sent them some logs.
I was digging around a little. Their site doesn't really do much. It gives you a flash splash page which doesn't seem to do anything beyond redirect you to www.dewia.com (more about that in a minute), so you can't really navigate beyond that page. But Google has. Googling for site:www.adsoft-development.com gives you entry into their site, which has the appearance of being a very small time, very cheap, crappy web development company. No mention of "SEO" or "Ad Placement" or anything like that. Except that when you get to their "Get a Free Quote" page, they've left a link for "phentermine" in the corner. This page is a template for their drug-scam sites.
Dewia.com is pretty much the same. I'm pretty sure "Dmitiri Forener" probably has much the same medical condition as Andrew Kartashov. I notice that Mr. Forener is receiving email at sslpayments.com. The administrative contact there is John Varshavski and the address goes from Beautiful Sunnyvale, California, to Chilly (but no less beautiful) Moscow, Russia. There are several more layers of domain recursion here, but you get the point.
The domains used in the link spam were in the many many dozens at least. I haven't really analyzed anything yet, and it's unlikely I ever will. I'll probably just throw away all this data.
What's the worst that can happen? I trace this back to some dickhead Russians, with ISPs in Russia hosting them. Why would those ISPs listen to me? What they're doing isn't even illegal there. At the very least, Road Runner and the other US ISPs they're either hosting with or have service through might pull their service. Big deal. Losing one business cable internet connection is pretty meaningless to these guys, but I just got annoyed enough for 10 minutes to bust off the mails.
So as of 10:30 this morning, anonymous commenting was disabled on my site until I could troubleshoot the CAPTCHA issue, which I've just done. That did not stop the requests though. Dozens of thousands of POSTs coming from zombie infected machines. Those are the ones I wish I could wake up. I wish people would quit clicking on shit. I wish they'd stop letting themselves be infected by software that is then used to make them attack other people. Just think twice. NO, in fact, Just Think ONCE.
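The pattern in the post (one address crawling the whole site, then a burst of comment POSTs from many other addresses a little later) can be pulled out of an Apache combined-format access log mechanically rather than by eyeballing it. This is an added example, not the post's own tooling; the log lines are constructed with documentation-range addresses, and the comment handler path `/comment/reply` is an assumption about the blog software. It flags addresses whose POST rate to that path exceeds a threshold inside a sliding window, then looks back from the start of the run for any address that fetched many distinct pages just before it.

```python
"""Find a comment-spam run in an Apache access log: POST flooders, plus the
crawler that swept the site shortly before the run started.

Added example, not from the original post. Sample log lines are constructed;
the comment endpoint path is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
COMMENT_PATH = "/comment/reply"  # assumed comment-handler path


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"), "path": m.group("path")}


def post_flood(lines: List[str], threshold: int = 3,
               window: timedelta = timedelta(minutes=20)) -> Dict[str, int]:
    """IPs that sent >= threshold comment POSTs inside any window; value is the peak count."""
    posts = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r and r["method"] == "POST" and r["path"].startswith(COMMENT_PATH):
            posts[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):          # sliding window over sorted timestamps
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def crawl_before_run(lines: List[str], flooders: Dict[str, int], min_pages: int = 5,
                     lead: timedelta = timedelta(minutes=30)) -> Dict[str, int]:
    """IPs that fetched >= min_pages distinct paths in the lead time before the flood began."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    run_posts = [r["ts"] for r in recs
                 if r["ip"] in flooders and r["method"] == "POST"
                 and r["path"].startswith(COMMENT_PATH)]
    if not run_posts:
        return {}
    run_start = min(run_posts)
    pages = defaultdict(set)
    for r in recs:
        if r["method"] == "GET" and run_start - lead <= r["ts"] < run_start:
            pages[r["ip"]].add(r["path"])
    return {ip: len(p) for ip, p in pages.items() if len(p) >= min_pages}


def analyze(log_text: str) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (flooders, crawlers) for a block of log text."""
    lines = log_text.splitlines()
    flooders = post_flood(lines)
    return flooders, crawl_before_run(lines, flooders)


# Constructed sample log: a crawl from one address at 08:00, a normal reader at
# 08:10, then a POST burst from two other addresses at 08:15, plus one junk line.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2000:08:00:01 -0500] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [01/Jan/2000:08:00:02 -0500] "GET /node/1 HTTP/1.1" 200 4096
203.0.113.10 - - [01/Jan/2000:08:00:03 -0500] "GET /node/2 HTTP/1.1" 200 4096
203.0.113.10 - - [01/Jan/2000:08:00:04 -0500] "GET /node/3 HTTP/1.1" 200 4096
203.0.113.10 - - [01/Jan/2000:08:00:05 -0500] "GET /node/4 HTTP/1.1" 200 4096
203.0.113.10 - - [01/Jan/2000:08:00:06 -0500] "GET /node/5 HTTP/1.1" 200 4096
192.0.2.5 - - [01/Jan/2000:08:10:00 -0500] "GET /node/2 HTTP/1.1" 200 4096
192.0.2.5 - - [01/Jan/2000:08:12:30 -0500] "POST /comment/reply/2 HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2000:08:15:00 -0500] "POST /comment/reply/1 HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2000:08:15:02 -0500] "POST /comment/reply/3 HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2000:08:15:05 -0500] "POST /comment/reply/4 HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2000:08:15:09 -0500] "POST /comment/reply/5 HTTP/1.1" 302 0
198.51.100.8 - - [01/Jan/2000:08:16:00 -0500] "POST /comment/reply/1 HTTP/1.1" 302 0
198.51.100.8 - - [01/Jan/2000:08:16:04 -0500] "POST /comment/reply/2 HTTP/1.1" 302 0
198.51.100.8 - - [01/Jan/2000:08:16:07 -0500] "POST /comment/reply/3 HTTP/1.1" 302 0
this line is deliberately malformed and is skipped
"""

if __name__ == "__main__":
    flooders, crawlers = analyze(SAMPLE_LOG)
    print("POST flooders:", flooders)
    print("crawled the site just before the run:", crawlers)
```

The single-comment reader at 192.0.2.5 is not flagged by either rule, which is the point of using a rate window rather than "any POST": the output is a short list of addresses worth feeding to a reverse-DNS check and an abuse mail, not the whole visitor list.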
I grabbed their bot installer off one of the gambling sites, and I'll be infecting a VM this weekend probably, maybe, if I give a shit. That should give me whichever (IRC) server they're connecting to for command/control, and show me if they're running a webserver so they too can participate in the Wacky World of Fast Flux DNS Web-Hosting Provider. So once again, I side with the bad guys. I don't have anything against the Russian Mafia, even if they can't get it up. I have a problem with the regular people running webservers unnoticed on their XP machines over their cable modems. They're the ones actually running the sites and fooling other suckers out of their credit card info.
One thing I noticed is that not much of my traffic came from these people. A whole lot of it appears to be coming from infected Linux machines running Apache (Yeah, I just looked and made sure my machine wasn't doing the same thing). The people running those machines are getting these:
----
Hi,
Friendly note, your webserver at $ip_address is attacking my website. It's trying to post link spam for adsoft-development.com drug scam, gambling and insurance scam sites. I'm actually very interested in the attack vector here, since it's not just some home XP server running bot software. Feel free to email me if you figure out what it is and how it got there. If you need help figuring that stuff out, let me know that too and I may be able to help.
I've got a bit of write-up here: http://www.xrayspx.com/$blog_post
Thanks,
Chris
----
Anyway, "rant off". I could go on, I could dig deeper, but I really don't care. This stuff will keep happening, people will keep entering their damn credit card info, because people are morons who want something for nothing. The Russian scammers want free money, the US morons who click the link in the spam or on sites like mine who don't notice the link spam want cheap drugs or free gambling.
Never ends. In the meantime though:
"Overdose on Phentermine and die Andrew, John and Dmitry".