Damn Spam!
Search 

Topics

User Functions






Lost your password?

Pills and drugs, again

    
Wednesday, October 12 2005 @ 12:22 CEST
Contributed by: Dirk

A massive wave of referrer spam for all those fancy drugs and pills started over night and is still going on as I type this. This one provides yet another reason why it's a good idea to block those well-known open proxies at alestra.net.mx, since that's where most of the spam comes through:

148.244.150.57
148.244.150.58
207.248.240.118
207.248.240.119

He's also using another open proxy at 203.112.194.81, which belongs to BTTB, an ISP in Bangladesh.

The spamvertized URLs are from all sorts of redirecting services (move.to, esp.cc, etc.) and, AFAICS, all redirect to hqfinder.net, hosted at 66.246.178.76 (Net Access Corporation, NJ) and registered to 

    Vistakka
    Jonny Bravo        (jobravo@yandex.ru)
    CO Bogota LA blvd. 230143
    Bogota
    Nariņo,562727
    CO
    Tel. +571.3152296

Of course, the names of all those pills also make nice filter criterions: 

RewriteEngine On

# some generic keywords: pills spam
RewriteCond %{HTTP_REFERER} adipex [NC,OR]
RewriteCond %{HTTP_REFERER} buy-ambien [NC,OR]
RewriteCond %{HTTP_REFERER} buy-soma [NC,OR]
RewriteCond %{HTTP_REFERER} carisoprodol [NC,OR]
RewriteCond %{HTTP_REFERER} cialis [NC,OR]
RewriteCond %{HTTP_REFERER} diazepam [NC,OR]
RewriteCond %{HTTP_REFERER} diet-pill [NC,OR]
RewriteCond %{HTTP_REFERER} effexor [NC,OR]
RewriteCond %{HTTP_REFERER} fioricet [NC,OR]
RewriteCond %{HTTP_REFERER} human-growth-hormone [NC,OR]
RewriteCond %{HTTP_REFERER} hydrocodone [NC,OR]
RewriteCond %{HTTP_REFERER} levitra [NC,OR]
RewriteCond %{HTTP_REFERER} meridia [NC,OR]
RewriteCond %{HTTP_REFERER} pharmacy [NC,OR]
RewriteCond %{HTTP_REFERER} pharmacies [NC,OR]
RewriteCond %{HTTP_REFERER} pharmsearchonline [NC,OR]
RewriteCond %{HTTP_REFERER} phentermine [NC,OR]
RewriteCond %{HTTP_REFERER} prozac [NC,OR]
RewriteCond %{HTTP_REFERER} soma-online [NC,OR]
RewriteCond %{HTTP_REFERER} tramadol [NC,OR]
RewriteCond %{HTTP_REFERER} viagra [NC,OR]
RewriteCond %{HTTP_REFERER} weight-loss [NC,OR]
RewriteCond %{HTTP_REFERER} xanax [NC,OR]
RewriteCond %{HTTP_REFERER} xenical [NC]

RewriteRule .* - [L,F]
Filed under: Referrer Spam
()

What's Related

Story Options

Trackback

Trackback URL for this entry: http://spam.tinyweb.net/trackback.php/pills-and-drugs-spam

Here's what others have to say about 'Pills and drugs, again':

Damn Spam! - Xoxa?
Tracked on Saturday, October 15 2005 @ 13:34 CEST

Damn Spam! - They don't care
Tracked on Tuesday, December 20 2005 @ 10:25 CET

Pills and drugs, again | 10 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
Another IP

Found another IP he's using: 209.123.8.179 - and this one belongs to the same company (Net Access Corporation) that's hosting hqfinder.net

This IP seems to be spamming exclusively for hgh-.move.to (yes, it looks broken but works), which redirects to search.pluyck.com and uses what appears to be an affiliate id: said=v3hgh. And guess what - pluyck.com is also hosted with Net Access Corporation (on 64.21.174.199).

Authored by: Dirk on Wednesday, October 12 2005 @ 14:16 CEST
[ Reply to This | # ]
Pills and drugs, again
Thanks, Dirk. Blocking these IP's cut down on this idiot's spam by quite a bit. Still some coming through though.

Any easy way to track back on the ones that are still coming. Tracing back to the supplied IP's turns up linkor.home.net.pl (62.129.240.10) and red-corp-201.130.128.131.telnor.net (201.130.128.131) as the end of the routes.
Authored by: Anonymous on Thursday, October 13 2005 @ 22:48 CEST
[ Reply to This | # ]
Pills and drugs, again
Here are a couple other sources that appear suspicious:

adsl-208-190-252-29.dsl.wchtks.swbell.net
host-148-244-150-52.block.alestra.net.mx (148.244.150.52)
www.gympressbaum.ac.at
201.139.195.31
202.143.145.68
linkor.home.net.pl (62.129.240.10)
Authored by: Anonymous on Thursday, October 13 2005 @ 23:45 CEST
[ Reply to This | # ]
Moving away from alestra.net.mx

Looks like he's starting to use other open proxies more and more. Instead of playing catch-up, I'd suggest the above-mentioned blocking by keywords.

Looks like I forgot one drug, "carisoprodol", though. I've updated the list in the article now. Just copy and paste to your .htaccess.

Authored by: Dirk on Friday, October 14 2005 @ 11:14 CEST
[ Reply to This | # ]
Drug Spam
Recieved the following email from fortune city in response to my abuse complaint.

Thanks for letting us know about this spam.
Could you provide us with the specific domain names so we can delete those
subdomain accounts?
Thanks!
Brian Marshall

Brian Marshall
Sales and Support Representative
FortuneCity
322 8th Avenue
New York, NY 10001
bmarshall@corp.fortunecity.com
Visit us at www.fortunecity.com
Authored by: Anonymous on Friday, October 14 2005 @ 18:56 CEST
[ Reply to This | # ]
Drug Spam

Good! I hope you told them.

I sent a complaint to V3 (which owns the move.to and pagina.de domains that this spammer uses) but haven't heard back and the sites are still online ...

Authored by: Dirk on Friday, October 14 2005 @ 19:55 CEST
[ Reply to This | # ]
Pills and drugs, again
Well, surprisingly, FortuneCity.com seems to be interested in stopping the drug spam. Here is their reply to the list of spam domains that I sent them:

"The 29 domains we identified in your logs have been killed.
Thanks!"


The spam seems to have slowed almost immediately. These guys control all of the domains ending in .to, such as move.to, hey.to, etc. So if you see any spam from these domains, send the complete domain name to Brian Marshall <bmarshall(at)corp.fortunecity.com>



---
Bill
Authored by: billn on Friday, October 14 2005 @ 20:54 CEST
[ Reply to This | # ]
Pills and drugs, again

Excellent. Good work, Bill.

Btw, I mangled that email address - we don't want him to get too many spam email now, don't we?

Authored by: Dirk on Friday, October 14 2005 @ 21:10 CEST
[ Reply to This | # ]
Most redirects shut down

Looks like most of the redirect / subdomain accounts have been shut down by now, including the ones at splinder.com and superbikeclub.com. Only the one at pagina.de (that's also Fortunecity / V3) is still working.

Of course, that doesn't stop our "friend" here from still spamming for them ...

Authored by: Dirk on Saturday, October 15 2005 @ 10:11 CEST
[ Reply to This | # ]
Search Engine Ranking
My search engine ranking for Sharpened.net plummeted as soon as I started getting all this spam traffic from the hqfinder.net sites. Is there anything I can do to recover from this or reverse this frustrating process?
Authored by: Anonymous on Thursday, January 12 2006 @ 15:23 CET
[ Reply to This | # ]

Copyright © 2010 Damn Spam! Powered by Geeklog