Silent noise - about spam, trojans and other nasty stuff

Used the form twice. Using the emailaddress house(x)gmail.com
Spamvertized domain is orderfreeviagra..com (subdomains).
orderfreeviagra is hosted at 92.241.169.197, shitty place according to Spamhaus:
92.241.160.0/19 is listed on the Spamhaus Block List (SBL), Webalta.ru spam/cybercrime hosting

Came in from 195.56.55.71 (GTS-DataNet Telecommunication Co. Ltd. - Hungary) and 80.99.238.131 (UPC/chello.hu).

I don't ever bother to mention the problematic "affiliate did it" argument.

This guy is not directly spamming the domain in question, cheapest-drug.org.
He has instead registered as a user on several forums/communities, giving a link to a domain (or several) in his userprofile and spamvertizes his userprofile via comments.

The latest from today came in via 207.38.4.12 which appears to be a free open proxy on "M9 Systems" in Canada. Tries to leave a comment on the posting about can-spam mailers.

"User": Paeal (including a link to a wikidot.com site, I reckon they will nuke it).

First of all, the usual warning:
Do not visit any external links below with an ordinary browser with javascript, ActiveX and other nastinesses turned on, unless stated that they are safe.

And another warning:
Don't take this as an "expert analysis", I am as far from an expert as you can be.

Lets go

I wrote about referrer spam from 18sex18.info in January this year.

Today I found this in the log from one of my other domains:

Well, hello from Norway, "zxevil163" (zxevil163@gmail.com).

But that was not a friendly "Hi" from you. Your comment in this blog was classified as spam by Spam Karma 2, who scored your comment spam attempt and tells me that you have a "Karma" of -43,67. Bad karma, zxevil.

But it would not have been so bad if the comment had gone through.
Spam Karma tells me this:

Comment has no URL in content (but one author URL)

Curious as I am, I had to check that one too, and the link was to

http://groups.google.com/group/animated-screensave

This one was found in news.admin.net-abuse.misc:

Millionaire Dave Dubbs is Closing my Sales?
See how you can earn thousands per day without ever picking up a
phone. This opportunity is exploding right now. Work 1 on 1 with top
earner. Get the details here your site goes here:

www.FiveHourWeek.com

I get a bit suspicious when I see a from line like this:

From: rm1p9dav <syo3z4xqhoj4raah@gmail.com>

First the usual warning: It is very wise to avoid visiting the sites mentioned below, unless stated it is safe.

The referrer spam site sviolett.com now ends up at pvgadget.com and automatically downloads "setup.exe" which ClamAV recognises as Trojan.Dropper-2529

The journey today goes from sviolett.com to topmovzonline.com to bestdailyvids.com (two hops there) and finally ends up at pvgadget.com. The cookies with references to an "affiliate" number are now gone, the only reference is now "php?id=1309" through all the hops.