Damn Spam!
Search 

Topics

User Functions






    Lost your password?

OmniExplorer_Bot really spamming this time

    
Saturday, May 28 2005 @ 16:30 CEST
Contributed by: Dirk
Correction, 2005-06-13: The bot is not referrer spamming.

I've previously posted about what looked like referrer spam but was (supposedly) only OmniExplorer_Bot in disguise.

But now we're seeing real referrer spam (for porn sites, mostly), coming from the very same IP addresses and with the same user agent: 

64.71.131.110 - - [28/May/2005:01:07:11 -0400] "GET / HTTP/1.1" 403 26 "http://fotos-voyeur-y-amateur.pnoyny.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
64.71.131.112 - - [28/May/2005:07:22:55 -0400] "GET / HTTP/1.1" 403 26 "http://women-want-huge-cocks-for-sex.9032rd.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
64.71.131.113 - - [28/May/2005:02:53:17 -0400] "GET / HTTP/1.1" 403 26 "http://filmati-gay-gratis.tlkpcw.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
64.71.131.114 - - [28/May/2005:04:12:07 -0400] "GET / HTTP/1.1" 403 26 "http://sex-masturbation-stories.9032rd.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
64.71.131.115 - - [28/May/2005:02:56:48 -0400] "GET / HTTP/1.1" 403 26 "http://drunk-girls-at-mardi-gras-galleries.gfdo43.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
64.71.131.117 - - [28/May/2005:09:18:30 -0400] "GET / HTTP/1.1" 403 26 "http://naked-photos-of-heather-graham.gfdo43.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
65.19.134.3 - - [28/May/2005:09:47:40 -0400] "GET / HTTP/1.1" 200 49316 "http://fitness-pictures-of-women-no-nudity.sfd932.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"

So let me repeat what I said before: Block those IP addresses!

And now for a closer look at the actual spam:

All the spam is for unpronouncable .info domains, which are registered to 2 personalities:

  • 9032rd.info, fd6765.info, gf2243.info, gfdo43.info, rd9532.info, sfd932.info, tr9443.info to a Karl Smith, Beverly Hills (admin@gfd942.info)
  • oarklj.info, pnoyny.info, tlkpcw.info to a Matt Brown, Sevilla, Spain (11@fastnamed.com)

The domains are hosted on 63.208.158.252, 63.208.158.253, and 63.208.158.254. The IP addresses belong to Level 3. gfd942.info, the domain from Mr. Karl Smith's email address, is on .254.

The spamvertised URLs do a JavaScript redirect to other porn sites or porn "search engines". User agents not interpreting JavaScript will be presented with lots of porn links to other subdomains of the above-mentioned domains (with some gobbledegook thrown in, to keep the link / text ratio low - in other words: to fool search engine spiders).

Affiliate spam, probably, although I see some redirects without any obvious affiliate IDs.

Filed under: Referrer Spam
()

View Printable Version

Trackback

Trackback URL for this entry: http://spam.tinyweb.net/trackback.php/omniexplorer-bot-spamming

No trackback comments for this entry.
OmniExplorer_Bot really spamming this time | 3 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
OmniExplorer_Bot really spamming this time

Here's another range of IP addresses that are used by both the OminExplorer_Bot as well as for referrer spam: 65.19.150.2xx (specifically, .207, .210-.213, and .252 so far). I'll have to go through our logfiles to come up with proper lists of IP ranges.

They've also changed the user agent string used in the referrer spam. It's now Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.5)

Authored by: Dirk on Friday, June 10 2005 @ 11:12 CEST
[ Reply to This | # ]
OmniExplorer_Bot really spamming this time
My Omni hits today:
904 65.19.150.233
114 65.19.150.206
4 65.19.150.217
3 65.19.150.213
2 65.19.150.214
Authored by: Anonymous on Friday, June 17 2005 @ 01:26 CEST
[ Reply to This | # ]
OmniExplorer_Bot really spamming this time
Here is a more complete list of the IPs:

1x 65.19.150.218
1x 65.19.150.219
3x 65.19.150.224
1x 65.19.169.250
1x 65.19.150.226
1334x 65.19.150.245
1x 65.19.150.227
2278x 65.19.150.207
2x 65.19.150.221
8x 65.19.150.213
2x 65.19.150.223
1815x 65.19.150.214
1x 65.19.150.215
561x 65.19.169.233
3x 65.19.150.252
8x 64.71.131.113
1x 65.19.150.220
1x 65.19.169.245
Authored by: Anonymous on Tuesday, June 28 2005 @ 14:30 CEST
[ Reply to This | # ]

Copyright © 2008 Damn Spam! Powered By Geeklog