Damn Spam!

Clueless porn spammer

Dear clueless referrer spammer,

when referrer spamming a site, the one thing you don't want to do is to send a lot of referrers for the same URL over a short period of time (say, 25 requests in 22 seconds). This will surely draw someone's attention to your spam, even when they're only casually browsing the logfile. It is also a sure way to p*ss off the site's owner and makes it much more likely that they will a) block you immediately and b) send complaints to your hoster and ISP shortly afterwards. Now go away and crawl back under that rock you came out from.

Spamvertized domain: 18ebony.com, redirecting to daddysdarling.com, both registered with Spot Domain LLC (domainsite.com) for

MediaArtsDesign
S Steffan
Edeseweg 117
Benekom, GD 6721 JT
Netherlands

Spamming online shop

I've seen this one in our logfiles before but never bothered to look it up: k-and-ktreasures.com is an "online shopping mall" that, as it seems, has been spamming us for a while (at least since June 3rd).

It's only sending one or two referrer spams per day, always from the same IP address (24.147.153.209, Comcast). The domain is registered by a DropshipDesign.com LLC in Mill Creek, Washington and hosted at 216.55.186.34 (Abacus America Inc., San Diego).

And when you visit the site and block their cookie, you are presented with a generic IIS 404 page ...

OmniExplorer_Bot and referrer spam - a correction

Ann Elisabeth has started a Wiki page collecting information on OmniExplorer_Bot and the persons and company behind it.

Since we (i.e. www.geeklog.net) seemed to be the only ones so far to actually see referrer spam from OmniExplorer_Bot and the IP addresses it uses, I decided to revisit the evidence we had - and found that I was wrong. The bot is not doing referrer spam.

The problem is with the bot's unique (among bots) feature to include referrers in its requests, i.e. to show where it's actually coming from.

And here's how and why I came to the wrong conclusion: read more

From Russia With Love

Casino spam from Russia - with a twist: We got bursts of referrer spams (50 at once) for go-play-casino.com. They all came from the same IP address, 193.233.5.49, all targeting the same URL and all with the user agent string Mozilla 4.0 IE6.0+ SRV1.1.

The domain is registered with directi.com and the whois does not contain any further information about the registrant. A quick search for directi.com leaves a mixed impression: On the one hand, they do seem to host quite a few dubious domains, while on the other hand their abuse department does post in news.admin.net-abuse.email and promises to look into the issues reported there.

The site itself is hosted at 66.230.189.96, which belongs to Phantographics LLC. This seems to indicate that complaining at Phantographics won't help much ...

The most interesting bit of all this, however, is the IP address the spams came from, as it belongs to the "I. M. Gubkin Russian State University of Oil and Gas" in Moscow. Looks like some student or faculty member there is looking for a little auxiliary income, as all the referrer spams for this domain came from that IP address. Yes, I realise it could be yet another open proxy, but it's odd that all the spam is coming from one IP.
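
The burst pattern in these posts (many hits carrying the same external referrer for the same URL within seconds) can be flagged mechanically. The following is an added example, not code from this site: it assumes Apache combined-format logs and a hypothetical own host `www.example.org`, borrows the "25 requests in 22 seconds" figure from the first post as its default threshold, and keys on the referrer host rather than the client IP so that it also covers spam arriving from many addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" log format (an assumption; the page does not name its format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')

def find_referrer_bursts(lines, own_host, threshold=25, window=22):
    """Map (referrer host, requested path) -> peak hits inside `window` seconds,
    for pairs reaching `threshold`. Lines must be in chronological order."""
    recent, bursts = defaultdict(deque), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ref_host = (urlsplit(m["ref"]).hostname or "").lower()
        except ValueError:  # referrer that urlsplit rejects outright
            continue
        if not ref_host or ref_host == own_host:
            continue  # "-" (no referrer) or a link from our own site
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        key = (ref_host, m["path"])
        hits = recent[key]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= threshold:
            bursts[key] = max(bursts.get(key, 0), len(hits))
    return bursts

def sample_log():
    """Constructed lines (documentation IPs, .example hosts), not data from the page."""
    fmt = ('{ip} - - [12/Jun/2005:10:{m:02d}:{s:02d} +0000] "GET {path} HTTP/1.0" '
           '200 512 "{ref}" "Mozilla/4.0 (constructed)"')
    spam = [fmt.format(ip="192.0.2.49", m=0, s=i * 22 // 24, path="/article.php?story=1",
                       ref="http://casino.example/") for i in range(25)]
    search = [fmt.format(ip=f"198.51.100.{i}", m=i, s=0, path="/",
                         ref="http://search.example/?q=geeklog") for i in range(1, 4)]
    internal = [fmt.format(ip="203.0.113.7", m=5, s=i // 3, path="/index.php",
                           ref="http://www.example.org/") for i in range(30)]
    return spam + search + internal

if __name__ == "__main__":
    for (host, path), peak in find_referrer_bursts(sample_log(), "www.example.org").items():
        print(f"{host} -> {path}: {peak} hits within 22 s")
```

Same-site navigation is excluded through `own_host`; without that filter, ordinary internal clicks would trip the threshold.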

754 broken referrer spams

Another episode from the "spammers are stupid" department: So we got another porn referrer spam - nothing new. But this one tried to spam an index.html page (which we don't have) with a referrer for a subdomain that has a space in it - an invalid URL.

Other than that, it was a professional job: The referrer spams came from all over the world. The spamvertised domain is registered with Moniker, using their "Privacy Services" to hide the owner's identity.

But they made another mistake: On the main site, sexchocolates.info, they had Google Ads - with their ID in it, of course (for the record: pub-1940530000905267). I'm sure Google's abuse department will love this.

Over the course of 7.5 hours, we received a total of 754 of these referrer spams - all the same, all broken. I'm not going to waste my time with Moniker, but The Planet (where the site is hosted) may be worth a try. Also at least one of the IPs where the referrer spams came from seems to be a virtual server in Germany - the owners might be interested in this. Other IPs looked more like hijacked PCs on DSL.

Copyright © 2010 Damn Spam! Powered by Geeklog