Regular visitor

Saturday, September 03 2005 @ 13:27 CEST

Contributed by: Dirk

I noticed a bunch of referrer spams in our logfiles that already got a proper 403 response. Looking through our .htaccess, I noticed that I had the IP address blocked long ago with a note saying "haven't looked into it, but comes back often". So let's look into it now ...

The IP address in question is 67.170.247.179 (Comcast, sigh). The spamvertized sites include drupes.com, opensexsearch.com, thematricks.com, stiffing.com, thewildtwins.com, and, in an earlier visit, amplifiedfestival.com. Even earlier, he spammed for paris-hilton-tape.net, paris-hilton-movie.com and .net, CamPartyUSA.com, and the-matricks.com.

All those domains are registered with GoDaddy by a certain

   Ross Ivcia
   3056 Castro Valley Blvd
   #17
   Castro Valley, California 94546
   United States
who uses the email address network.data@gmail.com.

The sites are all hosted on 64.202.167.129 (also GoDaddy), which is the home of almost 2 million domains, according to whois.webhosting.info. Looks like this is a server where GoDaddy hosts "domain only" registrations, as all of Mr. Ivcia's domains use a frame redirect to porn sites elsewhere.

Earliest recorded hit from this spammer: 2005-05-13, from that same IP address. He only seems to show up at irregular intervals, e.g. almost every second day back in June, but not at all in August.

Payload: As mentioned above, all those domains redirect to various porn sites, usually with a referrer ID. Those include r=712045 (for adultactioncam.com) and ref=8717 (for sexsearch.com).

The nice thing about this spammer is that he sticks to his IP address for so long. So it's easy to block him.
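One way to pull the same facts (referring domains per IP, first and last hit, how many requests already got a 403) out of an Apache combined-format access log. This is an added example, not the author's own tooling; the function names, the three-domain threshold and the sample log lines (documentation IP ranges, `.example` domains) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*"$'
)

def referrer_profile(lines, own_hosts):
    """Per client IP: external referrer domains, first/last hit, hit and 403 counts."""
    profile = defaultdict(
        lambda: {"domains": set(), "first": None, "last": None, "hits": 0, "blocked": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        host = (urlsplit(m["ref"]).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if not host or host in own_hosts:
            continue  # empty referrer ("-") or a link from our own site
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        p = profile[m["ip"]]
        p["domains"].add(host)
        p["hits"] += 1
        p["blocked"] += int(m["status"] == "403")
        p["first"] = min(p["first"] or when, when)
        p["last"] = max(p["last"] or when, when)
    return dict(profile)

def suspects(profile, min_domains=3):
    """IPs announcing many unrelated referring sites, the pattern described above."""
    return sorted(ip for ip, p in profile.items() if len(p["domains"]) >= min_domains)

# Constructed sample input (not real log data).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/May/2005:10:00:00 +0200] "GET / HTTP/1.1" 200 5120 "http://www.spam-one.example/" "Mozilla/4.0"',
    '192.0.2.10 - - [15/Jun/2005:11:00:00 +0200] "GET / HTTP/1.1" 403 210 "http://spam-two.example/" "Mozilla/4.0"',
    '192.0.2.10 - - [03/Sep/2005:12:00:00 +0200] "GET / HTTP/1.1" 403 210 "http://spam-three.example/?r=1" "Mozilla/4.0"',
    '198.51.100.7 - - [03/Sep/2005:12:05:00 +0200] "GET /a HTTP/1.1" 200 900 "http://search.example/?q=x" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Sep/2005:12:06:00 +0200] "GET /b HTTP/1.1" 200 900 "http://www.myblog.example/a" "Mozilla/5.0"',
]

if __name__ == "__main__":
    prof = referrer_profile(SAMPLE_LOG, own_hosts={"myblog.example"})
    for ip in suspects(prof):
        p = prof[ip]
        print(ip, sorted(p["domains"]), p["first"].date(), p["last"].date(), p["blocked"])
```

An IP that keeps reappearing with new referring domains over months, as here, shows up with a long first-to-last span and a growing domain set even when every recent request is already answered with 403.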
