Damn Spam!

Massive referrer spam wave

   

And here I was wondering why our site was so slow ... Turns out we have a massive case of referrer spam for, AFAICS, four domains:

  • makesearch4me.com
  • searchweb4me.com
  • hq-pictures.net
  • sexybabes-online.com

The requests seem to be coming in from a lot of different IP addresses, so I'd suggest blocking by referrer. They also seem to use the same user agent string on all requests: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.5) Gecko/20041108 Firefox/1.0

Russia, it seems. Why doesn't that surprise me at all?

The two ...4me domains are supposedly registered to a

    WILLIAM B CANTON        (crow@2hmr.biz)
    2028 OAKMEADOW CT APT 805
    BEDFORD
    null,760214717
    US
    Tel. +508.9102401

while the other two are registered to

    Monster INC.
    Andrey Monst        (webmaster@mega7porn.com)
    Seliva 396
    London
    null,SE9 3TL
    GB
    Tel. +02.077314135

All four of them are hosted on the same server, 69.50.176.251 (InterCage, Inc., CA).

As for the reason for that spam - I have no idea (yet). I've only looked at one of the spamvertized URLs: police-officer-association.hq-pictures.net looks like a blog but the actual articles are only gibberish. On a quick scan, I don't see any redirects, popups, JavaScript, or AdSense ads. All the links seem to lead to other subdomains at hq-pictures.net.

Have to look into this closer at another time - I have to keep a website up and running here ...
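One way to check an access log for this wave before blocking by referrer, as an added example that is not part of the original post: it matches the Referer host against the four domains above (including subdomains such as police-officer-association.hq-pictures.net) and compares the user agent string. The Combined Log Format, the function names and the sample log lines are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Referrer domains and user agent string reported in the post above.
SPAM_DOMAINS = ("makesearch4me.com", "searchweb4me.com",
                "hq-pictures.net", "sexybabes-online.com")
SPAM_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.5) "
           "Gecko/20041108 Firefox/1.0")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$')

def referrer_host(referer):
    """Lower-cased host of a Referer value, '' if absent or malformed."""
    try:
        return (urlsplit(referer).hostname or "").rstrip(".")
    except ValueError:  # e.g. unbalanced IPv6 brackets in a hostile header
        return ""

def is_spam_host(host):
    """Match a listed domain or any subdomain of it, on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in SPAM_DOMAINS)

def classify(line):
    """Return (ip, reasons) for one Combined Log Format line, None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, referer, agent = m.groups()
    reasons = {"referrer"} if is_spam_host(referrer_host(referer)) else set()
    if agent == SPAM_UA:
        reasons.add("user-agent")
    return ip, reasons

def summarize(lines):
    """Count flagged requests per reason and list the distinct flagged client IPs."""
    hits = [c for c in map(classify, lines) if c and c[1]]
    return {"referrer": sum("referrer" in r for _, r in hits),
            "user-agent": sum("user-agent" in r for _, r in hits),
            "ips": sorted({ip for ip, _ in hits})}

# Constructed sample lines: documentation IP ranges, invented timestamps and paths.
FMT = '%s - - [29/Dec/2005:21:00:00 +0100] "GET / HTTP/1.1" 200 5120 "%s" "%s"'
OTHER_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051010 Firefox/1.0.7"
SAMPLE = [
    FMT % ("192.0.2.10", "http://police-officer-association.hq-pictures.net/", SPAM_UA),
    FMT % ("198.51.100.7", "http://www.makesearch4me.com/", SPAM_UA),
    FMT % ("203.0.113.5", "http://nothq-pictures.net/", OTHER_UA),  # look-alike host
    FMT % ("203.0.113.6", "http://search.example/?q=hq-pictures.net", OTHER_UA),
    FMT % ("192.0.2.44", "-", SPAM_UA),  # no referrer, bot user agent only
]
print(summarize(SAMPLE))
```

Matching on the parsed host rather than on a substring keeps look-alike domains and search queries that merely mention a listed domain out of the block list. The user agent match is reported separately because a genuine browser can send the same string.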

Someone didn't do his homework ...

... and that someone was me: Ann Elisabeth has lots of material about InterCage (formerly Atrivo) and their relation to ESThost - all well-known names as far as spam is concerned. Here is just one of her posts.

So if InterCage want to be the nice guys now, here's their chance: Close down those scumbags' sites ASAP!

Edited on Monday, May 06 2013 @ 19:31 CEST by Dirk
Authored by: Dirk on Thursday, December 29 2005 @ 22:45 CET
Massive referrer spam wave

Many of the doorways you name contain backlinks not only pointing to the cross-linked doorway network but also have some links to lookscool.com's redirect hosts, e.g. spammy landing page... And those contain payse.com's advanced feed links. You could even see the exact affiliate id for payse.com (if you want ;) Here is a screenshot:

rathamahata@arise ~/t $ nc xml1.paysefeed.com 80
 /payse.php?c=rJQZnApMFvtCHN5EeSKsWAYf0xP39NgdfmRzeTyhOHuE4yj2aOqSOx%2BeP2Is938sbNpGn11Tb4noM%2ByxU25XLfp8vzqJkZUjyEq4XBB43pGuZkk686WORatpQO5sLlsaEsGlwHeln0dGTwZu6PWDnr7X8aSWGyAa1XqHddqk7CxhMo0OFOplf1FAl5lepXbKqSp8EqEbMpYJnspuAMNqsWkr6x5QyXmtG3ItGXm8riCWmpexYmABXYYdt9ZRCbaL%2Bqo0Ir4KQ8zFBdXfZ%2BAMdY%2BSV8tDi7%2Fv8k7UuzRbLuVt3Miv5rwQCFV%2B%2Bwg%2Bxx%2BEmXjOyWiAdGXkPrRtJnk3R3o98OKOkztbVabwPnveqEuCNz8WO5cNQv83id%2Bk8NBuhivlHZyYnMuIGluE60Tcll4mwU%2B9hmXvfgKAV51VHbM0UeY65v1fFwZKselO4xa7ZwNocGMPeWTIM6fI%2FHUwN%2FT1TKKKic4YZOgG3gO%2BRtCJHnIzgio1MHKceeapO5ldb1xCpe357VhQCSt40GedLLIeFcOQcWXLknOC1NgKBhh9zg9iVt1JtYfCHHy0W9O4yzfE3oZIxq%2BYMl%2FTc9oPKOA0Bn%2Fl%2BIfQ2148PjmGSWCtm52EkClQHLVbzUjSxnCW HTTP/1.1
Host: xml1.paysefeed.com

HTTP/1.1 302 Found
Date: Fri, 30 Dec 2005 14:10:32 GMT
Server: Apache/2.0.52
X-Powered-By: PHP/4.3.9
Location: http://www.paysefeed.com/search.php?aid=445&sub_aff_id=&q=accutane&u=xml1.paysefeed.co%2Fpayse.php%3Fc%3DrJQZnApMFvtCHN5EeSKsWAYf0xP39NgdfmRzeTyhOHuE4yj2aOqSOx%252BeP2Is938sbNpGn11Tb4noM%252ByxU25XLfp8vzqJkZUjyEq4XBB43pGuZkk686WORatpQO5sLlsaEsGlwHeln0dGTwZu6PWDnr7X8aSWGyAa1XqHddqk7CxhMo0OFOplf1FAl5lepXbKqSp8EqEbMpYJnspuAMNqsWkr6x5QyXmtG3ItGXm8riCWmpexYmABXYYdt9ZRCbaL%252Bqo0Ir4KQ8zFBdXfZ%252BAMdY%252BSV8tDi7%252Fv8k7UuzRbLuVt3Miv5rwQCFV%252B%252Bwg%252Bxx%252BEmXjOyWiAdGXkPrRtJnk3R3o98OKOkztbVabwPnveqEuCNz8WO5cNQv83id%252Bk8NBuhivlHZyYnMuIGluE60Tcll4mwU%252B9hmXvfgKAV51VHbM0UeY65v1fFwZKselO4xa7ZwNocGMPeWTIM6fI%252FHUwN%252FT1TKKKic4YZOgG3gO%252BRtCJHnIzgio1MHKceeapO5ldb1xCpe357VhQCSt40GedLLIeFcOQcWXLknOC1NgKBhh9zg9iVt1JtYfCHHy0W9O4yzfE3oZIxq%252BYMl%252FTc9oPKOA0Bn%252Fl%252BIfQ2148PjmGSWCtm52EkClQHLVbzUjSxnCW
Content-Length: 0
Connection: close
Content-Type: text/html

rathamahata@arise ~/t $
Authored by: seo b&w on Friday, December 30 2005 @ 14:44 CET
More domains

Another two domains that have started showing up in our logs and are also spamvertized in the same way (both registered to Andrey Monst):

  • hiddendisires.com
  • slutgames.net

Also forgot to mention that their spambot is sending broken HTTP requests that are caught by Bad Behavior.

Authored by: Dirk on Friday, December 30 2005 @ 15:56 CET
Pills and drugs spam now

Loads of referrer spam for the usual drugs and pills today, all using free hosting / subdomain providers. One that has already been taken down (kudos to peim.net): vicodin.12cent.de.

Why do I know it's the same spammer? He's still using that broken bot with the same user agent string (that Russian version of Mozilla, see above), and the spamvertised domains redirect to 1-800-pills.com, which is hosted with InterCage.

Authored by: Dirk on Monday, January 09 2006 @ 14:05 CET
