KattyBlackyard IP: in massive blog spam attack

June 15, 2009

A massive amount of web spam has been hitting the internet over the weekend, all sourced from a single user on an IP originating in Moldova.

Using the name “KattyBlackyard” and posting through the IP, the blog spam attack is one of the most extensive we’ve ever seen, with most if not all of our huge range of honeypots hit by the same comment over the weekend.

More than this, the same user has autoregistered at thousands of internet forums, regardless as to whether they are running vbulletin, phpbb, or IPB.

The IP was first noticed as being a source of spam four weeks ago by Project Honey Pot, and Stop Forum Spam also has a record of the different ID’s and emails associated with spam from the IP.

The weekend’s spam attacks are the most extensive and comprehensive to date.

The following is the original message posted to blogs as a comment over this weekend:

Author : KattyBlackyard (IP: , 89-28-14-35.starnet.md) E-mail : katty@ds4ns1ns2.cn
URL : http://www.google.com
Hi, very nice post. I have been wonder’n bout this issue,so thanks for posting

A new message was released this morning, with the same details and single message “Original post by Dmitri Gromov”.

Perhaps more disturbing is that unlike a lot of blog spam, which attempt to get links on blogs for SEO purposes, the only links so far from this profile are to Google.com.

That fact that the current wave of spam attacks from this IP does not link to a spam site suggests that it may be being used to identify potential future targets - with those blogs and/or forums publishing the spam compiled into a list for unrelenting spam attacks later on.

The surprise is just how extensive these waves have been so far, as if someone is making every effort to sniff out a huge chunk of the web, in order to catalogue every possible opportunity for publishing web spam.

The irony is that most blogs will not autopublish the spam, and any that is published is almost certainly using the nofollow attribute to devaue the links for SEO purposes.


Comments in chronological order (20 comments)

  1. Derek says:

    Had this spam in my blog as a comment, would have been impossible to know it was a spma attack without a small google search to find you. Thx.

    Any explanation on the suggestion is a “pre-attack”?

  2. Jarad says:

    Yeah, I don’t understand it. Why would somebody spam sites and link to Google.com??

    Am I missing something here? Isn’t the point of spamming to gain something from your efforts? What’s the point of all this? I have this stuff showing up on my blogs.

  3. Darren says:

    I just got this too - same IP and username but with “Hi, interest post. I’ll write you later about few questions!” I thought it was a bit unusual that they were linking to Google.com, so did a quick search and came across this article.

  4. amanda says:

    Here’s the WHOIS I get for KattyBlackyard

    IP whois for 89-28-14-35.starnet.md

    % This is the RIPE Whois query server #2.
    % The objects are in RPSL format.
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    % Note: This output has been filtered.
    % To receive output for a database update, use the “-B” flag

    % Information related to ‘ -’

    inetnum: -
    netname: STARNETMD
    descr: SC STARNET SRL
    descr: Chisinau, Moldova
    country: MD
    admin-c: SA4929-RIPE
    tech-c: SA4929-RIPE
    status: ASSIGNED PA
    remarks: INFRA-AW
    mnt-by: MNT-STARNETMD
    source: RIPE # Filtered

    role: StarNet Administrator
    address: SC “StarNet” SRL
    address: 10, Calea Iesilor str.
    address: MD2069 Chisinau
    address: Moldova, Republic of
    phone: +373 (22) 844444
    fax-no: +373 (22) 844445
    remarks: ———————————————-
    remarks: SC StarNet SRL
    remarks: ISP in Republic of Moldova
    remarks: General questions: info@starnet.md
    remarks: Routing and Technical questions: noc@starnet.md
    remarks: Last Update: 15.04.2009
    remarks: ———————————————-
    remarks: +————————————————————-+
    remarks: | ABUSE CONTACT: abuse@starnet.md IN CASE OF HACK ATTACKS, |
    remarks: +————————————————————-+
    abuse-mailbox: abuse@starnet.md
    admin-c: OB1145-RIPE
    tech-c: OB1145-RIPE
    admin-c: DG3460-RIPE
    tech-c: DG3460-RIPE
    admin-c: VF1333-RIPE
    tech-c: VF1333-RIPE
    nic-hdl: SA4929-RIPE
    mnt-by: MNT-STARNETMD
    source: RIPE # Filtered

    % Information related to ‘’

    descr: SC STARNET SRL
    origin: AS31252
    mnt-by: MNT-STARNETMD
    source: RIPE # Filtered

  5. Drew says:

    I’ve been getting the spam on a regularly.

  6. Andy says:

    Thanks for the information, I got this comment this morning and wasn’t sure if it was spam or not.

  7. dvn says:

    Thanks for the information, i’ve been attacked by this ##### spam. I’m really fed up with those bots or what ever is that..
    Nice Website, i’m bookmarking your site ;)

    Sorry for my poor english, normally speaking french

  8. aRi says:

    I started getting this spam 4 weeks ago. The poster asked if he could copy the info from my site to his site and it seemed like a genuine request. I even wrote back and said it was okay to use my content.

    The next morning, i see 1500 spam messages all about prescription medicine. I think this is a new trend, where the poster checks to see if his/her comments are accepted and them bombards the website with spam. I still get those initial spam comments, but dont approve them, so i am under control now.

    More here….

  9. Madhav Tripathi says:

    Hi thanks for writing about this amtter, I am also getting few of nice comments without any link only commenters website which is google and with the same Ip and same email address with different names, so what should I mean of this.

  10. Dr. Mike Wendell says:

    Got it as well although we have our routers block off the IP address after getting a few of them from the same IP address within a certain amount of time. Typepad Antispam caught it fine as well.

    The google link is probably a default for whatever software they’re using and they forgot to change it. Wouldn’t be the first time.

  11. Anonymous says:

    I own a blog and had a bout 8 or so comments when I noticed all from same ip, which led me here. I also found it strange that Google was listed as website and the same username. I have since used IP deny from all accounts on my server. No body does something this big without a reason. My guess would be mass spam, OR if blogs and forums are accepting the spam, it could show potential security issues with other ‘careless’ settings to send out mass spam via nobody or an unsecured folder of something. IP deny seems to have worked so far. No more of this user on my blogs.

  12. Anonymous says:

    I just saw the IP Whois. Thinking an idea its to block entire range of - Not like The Republic of Moldova is high on my visitor stats anyway…

  13. Principles says:

    I was also confused by those comments initially. i approved a few and then started getting more and more. Super annoying. Won’t make that mistake again.

  14. Leonidas Georgiou says:

    QWO9NI I think its good decision what he did.,

  15. Jaca says:

    This is what I got on my blog. I did not aloow it thnx to u.

    Submitted on 2009/07/06 at 7:36pm
    Hello. I think the article is really interesting. I am even interested in reading more. How soon will you update your blog?

  16. Don says:

    I have a very small blog, so already I’m intrigued whenever I am notified that a comment has been submitted. I never have comments automatically published without prior approval - a plus for removing any “instant gratification” that might arise from a perceived score. This new spam wave is cunning in it’s generic and realistic comments. Sometimes even the email address looks credible. The number one thing to always look at is the IP. Do a simple whois and find out which country it came from. If you’re like me, chances are, your target audience is for non-repressive, English speaking regions/countries. So, this would exclude China, Russia, Moldova, etc etc. Not an automatic indicator, but a very good one if you have a small blog with only a handful of blog posts. Naturally, a red flag would be the altering of the referrer, and more specifically, the lack of the customary URL parameters normally appended to a true Google search query. This means, “http://www.google.com/” is not from a relevant search. Although, it is worth noting that some bots have been known to generate fake Google search URL’s as their referrer using keywords found on the target site itself - very cunning.

  17. Shady says:

    Hey Guys,

    I actually had spam from this IP but under a different name (KonstantinMiller). Perhaps he/she knows that we’re on to them lol!

    It’s good to know that i’m not the only one…

  18. Internet Threat says:

    Possibly a professional spammer showing a potential client what we can do?

  19. Rune Jensen says:

    I have this IP from the same range today:

    It does the same, only this time it places a link to Yahoo.com

    Since I have numorous security levels, it was blocked on two of them, and thrown to the honeypot, but I am now thinking about blocking the whole range from the start. I consiider it dangerous, much more “intelligent” than other bots I have seen so far.

    I have the suspicion that Starnet itself is involved in the spamming or is “looking the other way”, only I can not prove this yet. But looking for information around the net, it seems like it has been spamming for years now.

  20. Rune Jensen says:

    Well, not the same IPrange, but its done via Starnet also.

    The signature of the spammer is: IE6 as user agent, and the time between GET and POST is atound one second. Also the IP of GET and POST is the same.

    The useragent seems valid, which makes me think if this is only half automated, not a real spambot, but some kind of batch-program to do the spamming. And a real human being pressing the “send” button.

    The spammer could acrually be using his own browser to do it.

Post a comment

Your email address will not be published. Required fields are marked *

Visited 9873 times, 3 so far today