So we started seeing referrer spam for somee.com subdomains and it looked like the usual stuff, i.e. spammer uses free subdomain service. But wait, somee.com is a regular hosting service. Oh, and they also have a free hosting plan where you get a 3rd-level domain (aka subdomain).
The interesting bit here is the requirements imposed by somee.com for this free plan:
Web site must generate at least 0.2% click through on our advertising banners.
Web site must be visited at least 10 times a month.
Is it just me or isn't this almost encouraging customers to spam?
The first spamvertized site there was supposedly about "baby gifts". Inspecting it with Lynx only revealed a lot of gibberish, though, with the words "horse lover gift" all over the place. I don't think I want to explore that any further ...
Shortly afterwards, more "gift" spam started coming in, including some for a subdomain at siteburg.com, which is a subdomain provider. And they don't have an anti-spam clause in their Terms Of Service ...
The spam is all coming from 72.21.43.138, which belongs to Layered Technologies, Inc. in Dallas, Texas. They seem to be a hosting company, not an ISP, so our friend here is spamming from his server (and you get a cPanel default screen when you call up that IP address in a browser).
The actual payload of those spamvertized sites, though, is to redirect to "search engine" pages and profit from that via an affiliate program. In this case, it's searchmeup.com (aid=40122) and searchadv.com (aid=43048).
All this looks very much like what the Airline Ticket Spammer is doing, only that it's using free services instead of real domains. Without a whois, I can't check for similarities, but I somehow doubt it's the same person. He's also using different affiliate IDs.
Subdomains used so far:
As you can see from this list, there is now more to this than only "gift" spam - the pills and DVD stuff came in while I was still writing this post. I haven't checked out all of those sites, but the ones I saw all followed the same scheme: Gibberish and false links to innocent sites for the search engine bots, a JavaScript redirect with an affiliate id for the human visitors.
This has only started today. I couldn't find any earlier referrals from somee.com for the past two months. For siteburg.com, I found two older (unrelated) hacking attempts by what appears to be a Brazilian script kiddie - and someone actually running a Geeklog site on that service, so I can't just block that domain completely ...
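The pattern in this post (one client IP sending referrers for many different subdomains of free hosting providers, while a legitimate site lives on the same provider) can be looked for in access logs without blocking a whole domain. This is an added example, not code from the original post; the log lines, the allowlisted hostname and the function names are constructed for illustration, and Combined Log Format is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

PROVIDERS = ("somee.com", "siteburg.com")  # free-subdomain providers named in the post
# Hypothetical allowlist entry standing in for the legitimate Geeklog site.
ALLOWLIST = {"geeklog-user.siteburg.com"}

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def provider_subdomain(referer):
    """Return the referrer host if it is a non-allowlisted subdomain of a provider."""
    host = (urlsplit(referer).hostname or "").rstrip(".")
    for provider in PROVIDERS:
        # The leading dot keeps look-alikes such as notsomee.com from matching.
        if host.endswith("." + provider) and host not in ALLOWLIST:
            return host
    return None

def spam_sources(lines, min_hosts=2):
    """Map client IP -> sorted referrer hosts for IPs cycling >= min_hosts subdomains."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a Combined Log Format line
        host = provider_subdomain(m.group(2))
        if host:
            seen[m.group(1)].add(host)
    return {ip: sorted(hosts) for ip, hosts in seen.items() if len(hosts) >= min_hosts}

# Constructed sample log lines (documentation IP ranges, made-up subdomains).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "http://gifts-example.somee.com/" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Jan/2006:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "http://pills-example.siteburg.com/page.html" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Jan/2006:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "http://DVD-example.Somee.com/" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Jan/2006:10:01:00 +0000] "GET /a HTTP/1.1" 200 900 "http://geeklog-user.siteburg.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2006:10:01:30 +0000] "GET /b HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2006:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "http://notsomee.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hosts in spam_sources(SAMPLE_LOG).items():
        print(ip, ", ".join(hosts))
```

Raising `min_hosts` reduces false positives from a single visitor who legitimately follows a link from one hosted site.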