hmmm.. I just looked at the instructions.

for spam placed on forums.. there is no email header.

we have the ip number of the spammer.. but this can be faked.

so is the text of the post with the spam urls enough?

perhaps I should put "forum spam", so they know it is not email spam?

@Ikati:
yes, that would work.

In the first/top box, enter something like:

Forum Spam:
http://domain-that-was-spammed.com/to-include-the-full-link-used.html

That should be enough to "get the jist of it"

You should _avoid_ inputting the link to your forum/website in those boxes Or it'll roll your site into the SIRT queue...hehehe.


I know KnujOn is interested in Forum Spam too....
I think their reporting address is "forumjunk@coldrain.net" - but you may want to confirm that with their site - knujon.com

I don't know exactly what they do with the data though...probably more interested in the "forensics" of it.

I don't know if they need the "poster/user" IP address or not...(highly unlikely, since they don't seem to even need/want spam headers)

Something else that "might" help, consider installing a "honeypot" on your website...to try and trap these spammers.

There's a great site dedicated to this at projecthoneypot.org - they keep statistics, etc. of the bots that crawl into honey pots to harvest e-mails, and "spam" the faked addresses (which are unreadable by normal users).

And well, I've heard (from some blogs.....pfft, I read it on the Internet, lol....it must be true! haha) that some bots will actually "avoid" pages that are honeypot-ed...though, like I said, I only read it on the Internet

There was a similar rumor with the old "spampoison.com" tag/links/images Some spam bots would "avoid" crawling pages that contained those links, I guess in fear of collecting bad addresses? Who knows....

Again, I only read it on the Internet lol.


@Pat:
Check your PMs in like 2 minutes.

see also:
http://www.stopforumspam.com/

(via)

thank you everyone for your suggestions. I really appreciate it.

spamislame.. here is one spam post from a spammer that frequents alternative health forums. Because his posts look like they have some information about alternative health products.. some forums let the posts sit there. but.. this guy is a spammer.. actually, it might be a bot (never responds to any replies to his posts.. posts a slew of posts in the early morning.. etc.)

http://www.herbs4usa.com

I'm getting error 400 from that URL now....hmm.

I wonder if the host is working on disabling it...?

But yea, ONLINENIC, INC. is a "new" abused registrar around here lately, based in the U.S. (i think...) - and they seem to take a weird stance on spam reports from what I've seen.

Since ICANN allows spam, and doesn't care about site content, neither do they.

Well...little do they know, they are supporting Criminals. And, as an American registrar, I'm thinking eventually they will have to cave in and suspend them since the U.S. has anti-spam laws.

The registrars who don't suspend spam are clinging to the idea that if they refuse to suspend any site based on content, they won't have to deal with The Church Lady telling them they need to suspend all the porn and gambling sites, won't have to deal with political groups complaining about what their adversaries are saying, won't have to deal with people complaining about comments on forums and blogs, etc.

Legally, they can take the position that they will only suspend for false whois, as is their agreement with ICANN. We all know that spammers always use fake registrations, so there should be no spammed domain over six weeks old. The fact that they aren't even doing that much really does make them culpable.

Hello at last.

Re: herbs4usa.com:

[That's not a typo, that's what they put for their website in the whois record.]

There's that 35.com again. The XIN NET is dead. Long live 35.com. :/

While we're at it: another site featuring the BBB logo. Stay far, far away.

Which raises another stupid thing about this operation: they haven't set up their domains properly at all.

If you try to visit herbs4usa.com, you get a "bad hostname" error. Only "www.herbs4usa.com" will load.

That site links to "http://www.nutripay.com/", which also fails. Only "http://nutripay.com/" will load. That's a very amateur mistake.

But anyway...

They actually have a valid secure connection including valid certificates.

They do not accept fake orders, so order baiting is out.

A Google search for nutripay turns up other sites, as well as herbs4usa.com:

herbmark.com
eastherb.com

The forum spamming is done largely to promote the site (obviously) but also to poison the page ranking in google. This explains why these sites show up so easily when searching for "nutripay" but would probably also work for something more generic like "herbal remedies".

Nutripay sets cookies for the tracking of shopping cart data.

The only unique identifier I noticed:

CartID: 510384

No affiliate id. None is set on herbs4usa either.

So:

- US-hosted payment processor, with whois contact located in US as well.
- Herbs4usa hosted by ThePlanet, out of Houston, TX [ip address: 74.53.118.100. you can complain to abuse@theplanet.com and provide proof of the forum spamming.]
- Nutripay.com is hosted on 74.53.55.76, also handled by ThePlanet

I can't find anything referring to an affiliate program anywhere. It's very telling that if you search for "herbal remedy affiliate program" the pages that come up feature both Nutripay and GenBucks. (aka: SanCash.)

It's not a complete solution but it gives you a place to begin reporting the forum spam in the hopes of having their hosting pulled, since they're promoting the sites while directly abusing your (and other people's) forum.

SiL

If there were a page on this operation on the spamwiki, and if everyone whose forum was hit obfuscated the URL in the post and then edited it so that text string had html tags linking it to the wiki page, would that make all their SEO attempts send traffic to the spamwiki instead of their sites? EG:

if it were http://www.example.com

and you changed it to <a href="http://spamtrackers.eu/wiki/index.php?title=herbs4usa">http:[i ]//[/i]www.example.com</a> (except without the extra space)
would they be sending search engine traffice to the spamwiki page explaining what a fraud they are?

the administrant: ABSOLUTEE CORP. LTD.

seems to have a very shady side.. here is a google:

ABSOLUTEE CORP. LTD.
http://www.google.com/search?q=%22ABSOLUTEE+CORP.+LTD.%22

help i have placed an order with herbs4usa.com last week, and have emailed them 4 times and got no response. they have taken my money at time of order but have not done anything else!
eggstinguish@yahoo.com

they have the same fax number as herbmd.com, which check this out http://www.casewatch.org/fdawarning/prod/2005/herbsmd.shtml
apparently his name is Mushtaq Jafry.
he contributes to the republican party:
http://www.newsmeat.com/fec/bystate_detail.php?zip=90503&last=JAFRY&first=SYED-MUSHTAQ

2854 EL DOADA ST
TORRANCE, CA 90503
is his address apparently from:

http://images.nictusa.com/cgi-bin/fecimg/?27020381045