Damn Spam!

"Gift" spam and more ...

   

So we started seeing referrer spam for somee.com subdomains and it looked like the usual stuff, i.e. spammer uses free subdomain service. But wait, somee.com is a regular hosting service. Oh, and they also have a free hosting plan where you get a 3rd-level domain (aka subdomain).

The interesting bit here is the set of requirements imposed by somee.com for this free plan:

  • Web site must generate at least 0.2% click through on our advertising banners.
  • Web site must be visited at least 10 times a month.

Is it just me or isn't this almost encouraging customers to spam?

The first spamvertized site there was supposedly about "baby gifts". Inspecting it with Lynx only revealed a lot of gibberish, though, with the words "horse lover gift" all over the place. I don't think I want to explore that any further ...

Shortly afterwards, more "gift" spam started coming in, including some for a subdomain at siteburg.com, which is a subdomain provider. And they don't have an anti-spam clause in their Terms Of Service ...

The spam is all coming from 72.21.43.138, which belongs to Layered Technologies, Inc. in Dallas, Texas. They seem to be a hosting company, not an ISP, so our friend here is spamming from his server (and you get a cPanel default screen when you call up that IP address in a browser).

The actual payload of those spamvertized sites, though, is to redirect to "search engine" pages and profit from that via an affiliate program. In this case, it's searchmeup.com (aid=40122) and searchadv.com (aid=43048).

All this looks very much like what the Airline Ticket Spammer is doing, only that it's using free services instead of real domains. Without a whois, I can't check for similarities, but I somehow doubt it's the same person. He's also using different affiliate IDs.

Subdomains used so far:

  • On somee.com:
    • atkins-diet
    • baby-gift
    • corporate-gift
    • diet-pill
    • dvd-decrypter
    • dvd-shrink
    • flowers-on-line
    • gift-certificate
    • mariah-carey-dvd
    • south-beach-diet
  • On siteburg.com:
    • momdaygift

As you can see from this list, there is now more to this than only "gift" spam - the pills and DVD stuff came in while I was still writing this post. I haven't checked out all of those sites, but the ones I saw all followed the same scheme: Gibberish and false links to innocent sites for the search engine bots, a JavaScript redirect with an affiliate id for the human visitors.

This has only started today. I couldn't find any earlier referrals from somee.com for the past two months. For siteburg.com, I found two older (unrelated) hacking attempts by what appears to be a Brazilian script kiddie - and someone actually running a Geeklog site on that service, so I can't just block that domain completely ...
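The pattern described above (one client IP sending referrers for many different subdomains of free hosting providers) can be picked out of an access log, which gives a list of exact hostnames to block without blocking a whole provider. The following is an added example, not code from this site: it assumes Apache Combined Log Format, a hypothetical threshold of three hostnames, and constructed log lines with documentation-range IPs and a made-up legitimate hostname (`example-geeklog`).

```python
import re
from collections import defaultdict

# Combined Log Format: client IP is the first field, the referrer is the
# second-to-last quoted field.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')
HOST_RE = re.compile(r'^https?://([^/:?#]+)', re.I)

def referrer_hosts_by_ip(lines):
    """Map each client IP to the set of referrer hostnames it sent."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or truncated entry
        ip, referrer = m.groups()
        host = HOST_RE.match(referrer)
        if host:  # skips "-" and other non-URL referrers
            seen[ip].add(host.group(1).lower().rstrip('.'))
    return seen

def suspect_referrers(lines, providers, min_hosts=3):
    """Flag IPs whose referrers span >= min_hosts distinct subdomains of
    the given free-hosting providers; return {ip: sorted hostnames}."""
    flagged = {}
    for ip, hosts in referrer_hosts_by_ip(lines).items():
        subs = sorted(h for h in hosts
                      if any(h.endswith('.' + p) for p in providers))
        if len(subs) >= min_hosts:
            flagged[ip] = subs
    return flagged

def _entry(ip, referrer):
    # Builds one constructed log line (sample data, not real traffic).
    return (f'{ip} - - [14/Sep/2005:10:00:00 +0200] "GET / HTTP/1.1" '
            f'200 5120 "{referrer}" "Mozilla/4.0"')

# Constructed sample: one client cycling through spamvertized subdomains,
# one ordinary visitor arriving from a legitimate site on the same provider.
SAMPLE_LOG = [
    _entry('192.0.2.10', 'http://baby-gift.somee.com/'),
    _entry('192.0.2.10', 'http://diet-pill.somee.com/'),
    _entry('192.0.2.10', 'http://dvd-shrink.somee.com/index.html'),
    _entry('192.0.2.10', 'http://momdaygift.siteburg.com/'),
    _entry('198.51.100.7', 'http://example-geeklog.siteburg.com/article'),
    _entry('198.51.100.7', '-'),
]
```

Calling `suspect_referrers(SAMPLE_LOG, ['somee.com', 'siteburg.com'])` flags only the first client, and its list includes the siteburg.com subdomain it advertised while leaving the unrelated siteburg.com site alone.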

"Gift" spam and more ...

somee.com referrers are still blocked so I only noticed this by accident: Lots of referrer spam for nextel-phone.somee.com, all coming from 70.85.116.52 (The Planet). It's still the same person, obviously, as the spamvertized site features links to searchadv.com with the same affiliate id as before (aid=43048).

Calling up the above IP address in a browser, you end up at a login screen at coconia.net which appears to be a product name or subsidiary of 100WebSpace.com, who offer free web hosting.

So again, our "friend" here is hiding behind all those free services and, without a domain name involved, that makes it harder for him to be tracked down.

Authored by: Dirk on Wednesday, September 14 2005 @ 13:06 CEST
