Tuesday, January 18, 2005

More gay.com spambots

Looking through the referrer logs for my little blog, one of the biggest reasons people come here is some sort of web search on the gay.com spambots. It's surprising how widespread all over the world the visits are from. Everywhere from Mexico to Asia to Eastern Europe. Yet it's interesting how little information there is on the web about the bots.

I've long believed that these bots are run by people outside the USA. There's just something about the poor English that suggests they were written by someone with a poor handle on the language. For example:

  • i need good cock to suck
  • i just wanna some sex
  • hi, i need a good company guys
  • i will swollow your cum!
  • hit me for the chat! [Hit you? Oh, if only...]
  • hey guys, let's have some fun tonight. i'm a horney, smoothe bod, and a hell of a f**k [Because, you know, I'd be so offended if he'd actually spelled out "fuck."]

Lately, all these bots are advertising sites hosted at icamsonline.com. So let's see what lovely person is responsible for that domain:

whois -h whois.enom.com icamsonline.com

Registrant Contact: sss
Frank Lxxxxxxxxx (xxxxxx@hotpop.com)
(973) 822-xxxx
Fax: none
xxxxxxxxxxxxxxx
Morristown, NJ 07960
US

New Jersey. That figures. Interestingly, however, the Google phonebook for Mr. L. is just a wee bit different:

Frank Lxxxxxxxxx - (973) 451-xxxx - xxxxxxxxxxxxxx, Morristown, NJ 07960

Note that the phone number and address number are slightly different.

Now let's take a look at the icamsonline.com domain, which resolves to 81.31.38.5:

whois -h whois.ripe.net 81.31.38.5 ...

inetnum: 81.31.38.0 - 81.31.38.127
netname: EXMASTERS1
descr: Exmasters.com web hosting
country: CZ
(etc...)

The CZ top level domain is for the Czech Republic. So this domain is hosted by exmasters.com, which is an adult hosting company, and has previously hosted this spammer's domains. Some of the previous ones no longer resolve (hornydolls.com, inetmates.com), so it's not clear if this exmasters is spam-friendly or whether they simply drag their feet when cleaning off their spammers' sites.

So, let's take a look at one of the spamvertized webpages in general. For example, http://icamsonline.com/gary Getting past the redirects through obfuscated Javascript, the ultimate payload for this spambot is:

http://clickcash.webpower.com/SetPermanentSignupCookie.cgi?svc=IF&lang=ENGLISH
&type=REVSHARE&mode=1&art=FRIENDS/FRIENDS1.JPG&acct=CHATSTREET
&url=https://orders.webpower.com/iFriends/viewprefmain.htm

Ah, so it's ifriends.com / webpower.com / clickforcash.com, as usual. This site is responsible for pretty much all of the gay.com spam. They seem to be unwilling to do anything about it, so much so, I can't help but wonder if they are part of the abuse themselves. I've noticed that I get a lot of referrer hits for "ifrends scam" as well, so I also wonder if even the hot young things beating off for you on cam that they advertise is a scam or not.

Update (7 August 2005): I'm suspicious that this registration information may be faked, so I removed the identifying information in case this is an innocent bystander. See this post for details.

Update (16 Nov 2007): Mr. L or someone with the same name showed up in the comments claiming not to be affiliated with the site. As I suspected identity theft previously, this doesn't seem implausible, and I've obscured the used for the registration. The domain has since expired and been picked up by a domain name squatter.

6 comments:

Anonymous said...

how can we the ppl stop the bot from the chat room thanks

Narc said...

Wow, this is by far the most viewed page on the blog.

You can't really "stop" the bots in the gay.com chatrooms. Only gay.com can stop them, and that doesn't seem to be a priority for them. What you can do is mitigate the impact they will have on you. The best way I can suggest to do this is to stop using the gay.com Java chat client (ugh) and start using the gayboi.org chat client.

Go to gayboi.org, download, and install his chat client. Under Settings : General, enable BotGuard, and create a BotGuard question. This will stop the bots from sending you private messages.

Anonymous said...

im so sick of adbots on gay.com now there are the auto AI chat bots .how about we get a address of the host or hosts and a base ball bat and remove there ISP from the World Wide Web...
it would not suprise me if the spambots pay or even own gay.com
i see the same ones over and over and report them but they are still there ......

jennifer said...

why does anyone really care what this man is doing. are you getting paid to do this or are you just so life draining that this is what you do. what if i looked into your background? would there be anything there?

Narc said...

This has nothing to do with anyone's background. This has to do with ongoing, rampant, and offensive abuse of someone else's property on a massive scale. We're not talking about one person sending unwanted messages here. We're talking about computer scripts that probably send tens of thousands of messages from thousands of "people."

It is analogous to you receiving a sexually explicit phone call from a telemarketer every ten minutes with nothing you could do to stop it. After a while, and after the phone company refuses to do anything about it for the hundredth time, you'd get bitchy too.

And as for "finding anything in my background" ... well, I was pretty sure I had already take care of all the witnesses. Apparently I was wrong.

Frank said...

I am Frank Lockburner. I never hosted this site, nor did I register this site. Please take me off. If you can prove it, please post the proof. Put my email out there as I would like to know why this is out there.