What is unknown.sagonet.net ?


arlens
09-23-2005, 05:27 PM
I recently checked awstats statistics from Cpanel for my website. It showed the host unknown.sagonet.net was using 77MB of bandwidth which is ten times over any other host and over twice the 30MB size of my site. It also showed much more activity on my guestbook page than my homepage. I have been getting lots of spam entries in my guestbook lately so I expect the two are connected.

Does anyone have knowledge of unknown.sagonet.net ?

webado
09-23-2005, 05:46 PM
Indeed. A spambot of sorts. Check this discussion: http://forum.statcounter.com/phpBB2/viewtopic.php?t=6308&highlight=sagonet

jonra01
09-23-2005, 05:47 PM
Sagonet.net is a services provider. The visitor has probably got an account with them. Look at your latest visitor stats in cpanel to see if you are getting regular hits from this or any other address. The spammers who were hitting my site were visiting every 5 seconds. They are still coming to the site, but are getting a 403 Forbidden message and are sent on their way. That doesn't stop them from coming back. At least they aren't eating up any bandwidth now that I've got them blocked. Check the post I have on my web blog about dealing with spammers - http://www.jonra.com/blogs/index.php/b/2005/09/22/p64

Sharron
09-23-2005, 05:48 PM
Arlen, I just typed (not going to post it here) that name in the address bar and added the www. to the front and removed unknown. There is a website at that domain name.

You can go to godaddy.com, type the first part of the name in the search box, choose the .net extension then search; when it comes up taken, then you hit the (more info) link, that will give you more information on them. You can, I believe, check the block of IP's from that domain.

If the hit is within that block of IP's I would send email asking what is going on. Take a screenshot maybe of your stat log, for proof, and send it along with a letter of complaint.

Christina and Jonra know about this for sure.


EDIT:
Actually the godaddy stuff does not show the blocks of IP addresses, you can search for the IP addresses somewhere I think, maybe just do a whois search for the one used in your hit. Then it might come back to the server's blocks?

Brisguy52
09-23-2005, 05:58 PM
Howdy Arlens,
read this thread elsewhere in this forum :-
http://forum.statcounter.com/phpBB2/viewtopic.php?t=6308

JWJ
09-23-2005, 07:18 PM
Arlen,

These are the guys that I have written about here. Forget writing to them as Sharron suggests ... I've tried that and received no response. If you browse their forum you will see they deny allowing 'unscrupulous' sites to be hosted with them, yet they are clearly doing nothing about it. Even permitting known spammers to continue spamming.

I am trying John's .htaccess solution for a day or two. If that doesn't do it I intend to block their entire IP range.

arlens
09-23-2005, 08:51 PM
jonra, I read your excellent blog on spamming and I also added your banned list to my .htaccess file. It's a shame you have to climb in the gutter and use their porno terms to deal with them.

This is the latest entry in my guestbook: (substitute . for dot)
" casino free bonus
e-mail casino@so-simple.org
URL: http://casino-free-bonusdot100galdotnet
Location: Egypt
Fri, September 23, 2005 12:30 Host: YahooBB219022018085.bbtec.net
I added for professional appropriate"

I wonder why they all have such idiotic phrases. Why don't they just say something like " I really enjoyed visiting your site "? Not that it would stop me from deleting the entry but a few might get by.

webado
09-24-2005, 12:01 AM
They use some random text generator. 99% of the time it's senseless. Occasionally it looks almost lucid. I just deleted several of these kind of posts from here, after I caught on to the trick. The spamming bot would use the Quote button to post a reply to the first post from each first thread in each forum category, and simply add something innocuous like "Is that so?"

arlens
09-24-2005, 01:28 AM
jonra, this entry is in your .htaccess file that I copied to my public_html

RewriteCond %{HTTP_REFERER} (casino) [NC,OR]

I wonder why it did not block the spam entry in my guestbook which has
the word "casino" in it. Is there an additional line I could add to prevent this specific spammer from hitting again?

chrisooc, thanks for the clarification, but I wonder why is there a need for the random text generation when they could just have some generic general phrase that might apply most of the time.

JWJ, sorry to see you are experiencing the same problems as I am but just
remember ... we are humans, they are bots...we will prevail!

jonra01
09-24-2005, 02:25 AM
I think you need to have these lines also to catch all instances of casino.

RewriteCond %{HTTP_REFERER} (casino-) [NC,OR]
RewriteCond %{HTTP_REFERER} (-casino) [NC,OR]

robinev
09-24-2005, 02:37 AM
"I wonder why is there a need for the random text generation when they could just have some generic general phrase that might apply most of the time."
The random text is meant to trick some spam-catchers that watch for repeated entries or emails that contain the same text.

jonra01
09-24-2005, 03:04 AM
I took a look into this domain. So far I found that the domain was supposedly owned by a Jhon Whoo (that's the correct spelling) in NY. The nameservers were listed as ns1 and ns2.100gal.net. The IP block is owned by layeredtech.com.

They are a hosting provider located in Dallas, TX. The url posted in your guestbook for 100gal.net redirects to a dynamic page on vg-c.net. This is also on a layeredtech.com server. It is registered to an Elena Gladkaya. Running a whois with layeredtech's whois led me to, get ready for a big surprise, a guy in Russia.

You should write a letter to abuse@layeredtech.com and tell them that the domains vg-c.net and 100gal.net are running spam bots. Also inform them that it looks like both companies are affiliated with DDANILJEV HOSTING of St. Petersburg, Russia. They may or may not take action.

vg-c.net

Registrant:
Elena Gladkaya
KARAGANDINSKAYA STR 3/52
DNEPROPETROVSK, 49127
UA

100gal.net

Registrant:
Jhon Whoo
Great Avenu 10
New York, NY 02345
US

09/23/05 22:02:11 whois 72.36.222@rwhois.layeredtech.com

whois -h rwhois.layeredtech.com 72.36.222 ...
%rwhois V-1.5:003eff:00 nictool.layeredtech.com (by Network Solutions, Inc. V-1.5.7.3)
network:Class-Name:network
network:ID:ORG-LAYER-3-72.36.190.0/19
network:Auth-Area:72.36.190.0/19
network:Org-Name:DDANILJEV HOSTING
network:Network-Name:ORG-LAYER-3-72.36.222.1
network:IP-Network:72.36.222.1/29
network:Organization;I:DDANILJEV HOSTING
network:Street-Address:Rustaveli 48
network:City:Saint Petersburg
network:State:Saint Petersburg
network:Postal-Code:199000
network:Country-Code:RU
network:Phone:N/A
network:Tech-Contact;I:abuse@layeredtech.com
network:Admin-Contact;I:abuse@layeredtech.com
network:Abuse-Contact;I:abuse@layeredtech.com
network:Created:20050831
network:Updated:20050831

arlens
09-24-2005, 04:23 AM
Thanks for the analysis on the domain name jonra. I'll definitely report the spam to layeredtech.com. I also added the lines to catch "casino" to my .htaccess file. Hopefully there will be no more casino entries to the guestbook.

I just got another spam to my guestbook (dot = .)
" http://paris-hilton-naked-2004dotblogspotdotcom/"

They are like cockroaches... you kill one and a hundred take their place.

arlens
09-24-2005, 04:51 AM
Well this is encouraging...they gave me a trouble ticket ID:

Subject: AutoReply: Spam - new -


Greetings,

This message has been automatically generated in response to the
creation of a trouble ticket regarding:

-------------------------------------------------------------------------
"Spam",


There is no need to reply to this message right now. Your ticket has been
assigned an ID of ZGE-62233-878. If this is an emergency abuse issue please
also contact our 'support@layeredtech.com' personnel so the request can be
escalated.

-------------------------------------------------------------------------
Spam - new -
-------------------------------------------------------------------------

in the subject line of all future correspondence about this issue. To do so,
you may reply to this message.

Thank you,
Layered Technologies Abuse Team.

JWJ
09-24-2005, 09:42 AM
"JWJ, sorry to see you are experiencing the same problems as I am"
I am not having the extent of problem you are having. My guestbook is being crawled very regularly by sagonet but, so far, no spam. Whether this is because I have my book set up differently to yours, whether it's because I'm using a different book, or whether it's just that my turn is still to come, I have no idea. Good luck with getting it sorted.

arlens
10-03-2005, 03:34 AM
The bandwidth thieves at "unknown.sagonet.net" have now stolen almost 100 MB from me. I finally used the IP deny from Cpanel to ban 207.150.173.xxx from my site. That seems to be stopping most of the hits but some from another IP address that points to sagonet.net still get by.

I also have five guestbook spam entries since I added Jonra's .htaccess
file. Three of the URL entries were very general but two suggested new words that could be added to jonra's list. The two words from the **** category are "slut" and "freenudes".

arlens
10-03-2005, 03:46 AM
Here are the latest entries from my error log file:

[Sun Oct 2 19:32:28 2005] [error] [client 207.150.173.13] File does not exist: /home/wickham/public_html/403.shtml
[Sun Oct 2 19:32:28 2005] [error] [client 207.150.173.13] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
[Sun Oct 2 19:26:39 2005] [error] [client 207.150.173.26] File does not exist: /home/wickham/public_html/403.shtml
[Sun Oct 2 19:26:39 2005] [error] [client 207.150.173.26] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
[Sun Oct 2 18:20:26 2005] [error] [client 207.150.173.28] File does not exist: /home/wickham/public_html/403.shtml
[Sun Oct 2 18:20:26 2005] [error] [client 207.150.173.28] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
[Sun Oct 2 17:56:28 2005] [error] [client 207.150.173.26] File does not exist: /home/wickham/public_html/403.shtml
[Sun Oct 2 17:56:28 2005] [error] [client 207.150.173.26] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
[Sun Oct 2 16:33:56 2005] [error] [client 207.150.173.20] File does not exist: /home/wickham/public_html/403.shtml
[Sun Oct 2 16:33:56 2005] [error] [client 207.150.173.20] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
[Sun Oct 2 16:22:26 2005] [error] [client 207.150.173.31] File does not exist: /home/wickham/public_html/403.shtml
[Sun Oct 2 16:22:26 2005] [error] [client 207.150.173.31] client denied by server configuration: /home/wickham/public_html/guestbook/index.php

It looks as if they keep trying new IP addresses.
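
An added example, not part of the original posts: a short Python script that tallies the "client denied" entries from the error log above and works out the smallest CIDR block covering the addresses seen. The log lines are copied from the post; the function names are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the six "client denied" lines from the error log posted above,
# plus one of the accompanying 403.shtml lines (which the parser skips).
ERROR_LOG = """\
[Sun Oct 2 19:32:28 2005] [error] [client 207.150.173.13] File does not exist: /home/wickham/public_html/403.shtml
[Sun Oct 2 19:32:28 2005] [error] [client 207.150.173.13] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
[Sun Oct 2 19:26:39 2005] [error] [client 207.150.173.26] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
[Sun Oct 2 18:20:26 2005] [error] [client 207.150.173.28] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
[Sun Oct 2 17:56:28 2005] [error] [client 207.150.173.26] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
[Sun Oct 2 16:33:56 2005] [error] [client 207.150.173.20] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
[Sun Oct 2 16:22:26 2005] [error] [client 207.150.173.31] client denied by server configuration: /home/wickham/public_html/guestbook/index.php
"""

DENIED_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"client denied by server configuration: (?P<path>\S+)$"
)

def denied_clients(log_text):
    """Return a Counter mapping client IP -> number of denied requests."""
    hits = Counter()
    for line in log_text.splitlines():
        match = DENIED_RE.match(line.strip())
        if match:
            hits[ipaddress.ip_address(match.group("ip"))] += 1
    return hits

def covering_network(addresses):
    """Smallest single CIDR block that contains every address seen."""
    addresses = list(addresses)
    net = ipaddress.ip_network(f"{addresses[0]}/32")
    while not all(addr in net for addr in addresses):
        net = net.supernet()  # widen by one prefix bit at a time
    return net

if __name__ == "__main__":
    hits = denied_clients(ERROR_LOG)
    for ip, count in sorted(hits.items()):
        print(f"{ip}  denied {count}x")
    print("observed addresses fit in", covering_network(hits))
```

The covering block only reflects the addresses seen so far; the provider's actual allocation comes from a whois lookup on one of them.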

jonra01
10-03-2005, 04:20 AM
Add this to your .htaccess site after 'RewriteEngine on'. If you are using a copy of the .htaccess file I posted on the forum, add it to the # Misc / Specific Sites section.

Paste it either at the top of the list. The last one in the list should not have the OR flag.

RewriteCond %{HTTP_REFERER} (sagonet\.net) [NC,OR]

This will stop anything from sagonet.net
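
An added example, not code from the thread: a Python model of what the RewriteCond lines quoted in this thread (the casino conditions earlier and the sagonet.net one above) are tested against. %{HTTP_REFERER} is the request's Referer header, matched as an unanchored, case-insensitive regex; the sample requests, their field names and the .example host are constructed for illustration.

```python
import re

# RewriteCond patterns quoted in this thread. Each is applied to
# %{HTTP_REFERER} (the Referer request header); [NC] means ignore case.
REFERER_PATTERNS = [r"(casino)", r"(casino-)", r"(-casino)", r"(sagonet\.net)"]

def referer_conds_match(request):
    """Return the patterns that match this request's Referer header.

    Conditions chained with [OR] fire the rule as soon as one matches,
    so a non-empty list means the request would be caught.
    """
    referer = request.get("referer", "")
    return [p for p in REFERER_PATTERNS if re.search(p, referer, re.IGNORECASE)]

# Constructed requests (hypothetical field names), modelled on the thread.
REQUESTS = {
    "Referer names a casino site": {
        "remote_host": "client.example",
        "referer": "http://casino-free-bonus.example/",
        "body": "",
    },
    "guestbook post, empty Referer": {
        "remote_host": "YahooBB219022018085.bbtec.net",
        "referer": "",
        "body": "casino free bonus",  # the word is in the form data only
    },
    "crawler on a sagonet.net host": {
        "remote_host": "unknown.sagonet.net",  # client host, not the Referer
        "referer": "",
        "body": "",
    },
    "Referer names sagonet.net": {
        "remote_host": "client.example",
        "referer": "http://www.sagonet.net/",
        "body": "",
    },
}

def evaluate(requests):
    """Map each sample request to the list of patterns that caught it."""
    return {name: referer_conds_match(req) for name, req in requests.items()}

if __name__ == "__main__":
    for name, matched in evaluate(REQUESTS).items():
        print(f"{name:32} -> {'caught by ' + ', '.join(matched) if matched else 'not caught'}")
```

Matching on the client itself uses the connecting address or host name (%{REMOTE_ADDR} and %{REMOTE_HOST} in mod_rewrite, or an IP deny such as the cPanel one mentioned earlier in the thread) rather than the Referer header.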

arlens
10-03-2005, 05:15 AM
Thanks jonra!

I added the line to .htaccess and hope this following AwStat entry for October will be the last from these spammers:

unknown.sagonet.net 88 88 849.22 KB 02 Oct 2005 - 17:59