Message Board

Tracking Harvesters/Spammers

Arameda Spider

Author: D.Logan (25 Feb 05 1:12pm)

Arameda is appearently a search engine. Spam bot 67.19.8.122 user agent is "Mozilla/6.0 (compatible; arameda.com Spider)". It has 19 messages associated with it according to its stats page. Does this mean that arameda is a spammer?

Well I asked them this:
A spidering bot (ip 67.19.8.122) has been viewing my site and claims to be from arameda according to the logs. Is this an ip address that your spider uses?

They replied:
Yes, this IP belongs to our spider.

Either arameda is a spammer or someone is posing as arameda. Anyone have any ideas?

Stats page for 67.19.8.122:
http://www.projecthoneypot.org/ip_inspector.php?iph=188b8fe3c484d2c815708b35aa1c1224

Dave

Re: Arameda Spider

Author: M.Prince (25 Feb 05 1:44pm)

Interesting. Thanks for pointing this out.

I dug into the data somewhat. All the messages that resulted from a harvesting by 67.19.8.122 were sent to a single spamtrap address that was harvested on January 29, 2005.

Since that spamtrap address was ONLY provided to 67.19.8.122 on January 29, 2005 there are probably only two possibilities. Either:

1) Arameda, or someone with access to the data, is a spammer, or is providing email addresses found by the spider to at least one spammer, or
2) Arameda's spider does not respect the <meta name="robots" value="nocache"> option, a honey pot page was cached by Arameda, and at least one harvester is harvesting from Arameda cached data.

In either case, from what we've seen, in at least one case, it appears Arameda has helped facilitate at least one spammer. Hopefully this was just a mistake, in which case the listing will expire from our system. But I'll keep an eye out for more info on Arameda.

Re: Arameda Spider

Author: D.Logan (25 Feb 05 4:54pm)

I did some more research on arameda. Their contact info states that they are located in Boston, MA. However, their e-mail message to me came from rnbq.biz (213.183.116.131), which is registered to Anton Bondarchuk in Novosibirsk, Russia. OpenRBL gives this mail server a score of Positive=1, Negative=27.

The Arameda Privacy Policy is interesting:
http://www.arameda.com/privacy/

"Arameda does not rent, sell, or share personal information about you with other people or nonaffiliated companies except to provide products or services you've requested: (w)e [sic] provide the information to trusted partners who work on behalf of or with Arameda under confidentiality agreements. These companies may use your personal information to help Arameda communicate with you about offers from Arameda and our marketing partners. However, these companies do not have any independent right to share this information."

Re: Arameda Spider

Author: C.Dijkgraaf (25 Feb 05 5:01pm)

Also see http://groups-beta.google.com/groups?scoring=d&q=67.19.8.122+group:*abuse*

Post Edited (25 Feb 05 4:05pm)

Re: Arameda Spider

Author: G.Stewartson (26 Feb 05 7:30am)

Interestingly enough I was hit by the same spider on Feb 2nd.

I have an array of spamtraps which include the date they were harvested and the IP address that did the harvesting. Sure enough, the latest surge of spam attempts on these spam traps was about 2000 per day sent via various open proxies to addresses that were slurped by 67.19.8.122 on that day.

The upshoot to this experience is that theplanet.com itself is now firewalled from my network - totally - and that several portions of the 'Net no longer have access to my port 25.

Re: Arameda Spider

Author: C.Dijkgraaf (9 Mar 05 10:57pm)

I've also had a visit form Arameda Spider "Mozilla/6.0 (compatible; arameda.com Spider)"
on but from IP 66.111.59.120 which is registerd to a Slava Perehojev, Tomsk, Russia (hmm, a bit of a Russian theme here?).

It requested the robots.txt file and then requested the default page and proceeded to get each page linked directly from the default page (but not the honeypot page) and then stopped, so in all a reasonably behaved bot in that respect. I haven't got any nocache or other tags to give instructions to bots, so I can't say anything abouts its other behaviours.

Why Arameda would be spidering my site at all I don't know, since my web site certainly isn't business related and Arameda is supposedly a Business Directory, a search on a keyword that appears in my site also didn't return anything at their search site, so either this was somebody else possing as Arameda or it just hasn't processed it into it's engine (yet?).

Re: Arameda Spider

Author: B.Millar (15 Mar 05 3:10pm)

come on.... I'm in the process of setting up a dedicated server, strictly and entirely for corporate use, I'm using theplanet.com as the datacenter, theplanet.com is only a datacenter, they don't actually run the hosting software, they just provide the equipment and the pipe, you guys need to be contacting the host themselves, not the datacenter. This particular datacenter is outright hostile towards spammers and is known for shutting down entire servers just because of even an iota of suspicion that the owner is abusing it....

My name servers and IP's are of course, using theplanet's assigned ones, but if you do a whois, you'll see they are assigned to my own url. I don't even want to point it here since a simple remark in this forum has blackballed an entire, very, very good datacenter. You guys need to be damn sure of who you are pointing fingers towards, otherwise you are doing nothing but causing grief... I was referenced to this page after doing a spam trace look up through dnsstuff.com and noticed there was ONE red mark on it's listings, after looking into it further, it looks like all it took was someone posting "here" in reference to theplanet.com and nothing more.....

Anyway, I have a mega box, a plan of action to fight spam in a way that's beyond what even you guys are doing and I want to make it very clear, theplanet.com is not compliant with spammers, it doesn't support them nor does it facilitate outside parties from using their servers to work in that capacity.

Re: Arameda Spider

Author: D.Logan (16 Mar 05 9:23pm)

What I know is that harvesting from spam bot 67.19.8.122 has resulted in spam. The exact details such as datacenters, hosting software, and contracted hosts in relation to 67.19.8.122 are unclear to me as of now. If theplanet.com is "outright hostile towards spammers" as you say, then hopefully some good can come out of knowing that 67.19.8.122 has facilitated spam.

Would you please describe your plan of action to fight spam? You mention it is "beyond what we are doing here" and we may all benefit from your insight if you share your ideas. Thanks.

DL

Re: Arameda Spider

Author: J.Withrow (6 May 05 1:29am)

Why is my server - 67.19.187.18 - being blocked by this list?

Re: Arameda Spider

Author: A.Blanchard (8 May 05 3:01pm)

Totally Russian. All paths lead back to Tomsk

from the whois for arameda.com:

Domain Name: ARAMEDA.COM
Administrative Contact:
Mouraviev, Mikhail sales@arameda.com
423 Brookline Avenue, #359
Boston, MA 02215
US
781-791-2413

Googling the address reveals that it's just a maildrop.
Googling the phone number finds it also on the privacy page for trevolta.com
The address for trevolta.com is given as

Trevolta, Ltd.
410 Park Avenue, 15th floor
New York, NY 10022.

But this is just another maildrop, see: http://www.manhattan-office.com/virtual.html

whois for trevolta.com:

Domain Name: TREVOLTA.COM
Administrative Contact:
Prokofiev, Konstantin sales@trevolta.com
37 Kirova St.
Tomsk, Tomsk 634042
RU
7-382-257-3780

The IP address 67.19.8.122 (see first message in this thread) is more interesting.
Arin reveals this is owned by theplanet.com.

IP-Network-Block:67.19.8.120 - 67.19.8.127
rwhois.theplanet.com reveals that it belongs to Steve Gass, Reinholds
PA 17569

Google give us his address and phone number:
Steve Gass, (610) 678-4131, Rr 1, Reinholds, PA 17569

67.19.8.122 resolves, backwards and forwards, to ralph.gass.com
67.19.8.123 resolves, backwards and forwards, to www.gass.com, but there is a blank web page there.

Who wants to call Steve Gass and ask him about Arameda?

Re: Arameda Spider

Author: A.Blanchard (8 May 05 3:07pm)

I may have been too hasty about linking Steve Gass to arameda.com. According to rwhois.theplanet.com, he only aquired the Network-Block:67.19.8.120 - 67.19.8.127
on 19-April-2005, which seems to post-date the harvesting date. Maybe theplanet.com did kick arameda off.

Re: Arameda Spider

Author: D.Logan (10 May 05 9:49pm)

A.Blanchard,

Interesting stuff. I think you're right that Arameda has moved on from theplanet.com. IP block check for aramdea.com reveals:

-----

IP block arameda.com
Trying 64.247.5.1 at ARIN
Trying 64.247.5 at ARIN

OrgName: Net Access Corporation
OrgID: NAC
Address: 1719 STE RT 10E
Address: Suite 111
City: Parsippany, NJ 07054

ReferralServer: rwhois://rwhois.nac.net:43

NetRange: 64.247.0.0 - 64.247.63.255
CIDR: 64.247.0.0/18
NetName: NAC-NETBLK05
NetHandle: NET-64-247-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.NAC.NET
NameServer: NS2.NAC.NET

Re: Arameda Spider

Author: S.Grayban2 (21 Sep 05 11:42am)

Tallking about theplanet here sparks a hate for them. They refuse to use proper RCF protocols for DNS. They will not setup reverse dns for there generic host name's, IE; some-IP.reverse.theplanet.com does not and will never have a reverse.

Even though many IT people I know that have constantly complained either for spam or hacking attempts to The Planet. Most of the IT people have finally null routed them for this me included.

Re: Arameda Spider

Author: S.Gass (10 May 07 7:27pm)

Gee, it sure is nice to discover one's name, address and phone number splattered all over the net like this. Yes, A. Blanchard, you were indeed "too hasty" about linking me to arameda.com, or to anything having to do with spam. I have to trust that you have since learned to do further research *before* posting such libelous statements.