Fake referrer spam |
|
|
Wednesday, June 01 2005 @ 20:01 CEST Contributed by: Dirk |
|
|
You see something new every day ... Today it was referrer spam for perl.com (yes, the O'Reilly site) and for ucc.ie (which is the University College Cork, Ireland). Obviously, these two sites wouldn't have a need for spamming. All the referrer spam came from the same IP, 69.31.86.186, and in two short bursts, 35 requests in total. The IP address belongs to KERNELNETWORKLLC, which, as a quick Google search seems to indicate, doesn't exactly have the best reputation with regards to abuse handling. Spews.org had nothing about this particular IP, but it's certainly in a bad neighborhood. Banning it can't hurt ... |
|
|
Filed under: Referrer Spam 0 comments (Post a comment) |
|
Spamming DJ |
|
|
Tuesday, May 31 2005 @ 21:23 CEST Contributed by: Dirk |
|
|
Now that's nice - a spammer who also spams for his profile page. Got referrer spams for 2 blogspot.com accounts (sigh ...), obviously devoted to porn, and amidst those there was (from the same IP) this: 213.40.67.65 - - [31/May/2005:09:26:44 -0400] "GET / HTTP/1.1" 200 49020 "http://www.mixstreet.net/djfritzy" "Mozilla/5.0 (compatible; Konqueror/2.2.2; FreeBSD)" The user agent is faked and changed with every request. But that URL is legit and redirects to http://www.mixstreet.net/artist.aspx?artistid=21344 where we learn that "DJ Fritzy" is 19 years old and lives in CARDENDEN, FIFE, SCOTLAND, United Kingdom. The IP address belongs to Netline UK, so he may even be spamming from home (seems to be a rising trend ...). Hello DJ Fritzy, I've been to Fife and know a few people in the area. Want me to send them to you and explain my stance on spam? read more |
|
|
Filed under: Referrer Spam 0 comments (Post a comment) |
|
Clickscoring.com |
|
|
Tuesday, May 31 2005 @ 09:55 CEST Contributed by: Dirk |
|
|
Here's another referrer spammer that slipped under my radar for far too long: clickscoring.com That domain redirects to datashaping.com, a company that, amongst other things, advertises its expertise in "Click Fraud Detection", ironically. They Here's an innovative solution: Block anything that contains a referrer to "clickscoring.com". There - fraud detected, problem solved ... |
|
|
Filed under: Referrer Spam 0 comments (Post a comment) |
|
Meet Mr. Bryan Winstanley |
|
|
Saturday, May 28 2005 @ 23:52 CEST Contributed by: Dirk |
|
|
I must have missed these earlier as I can trace them back to May 15th in the logfiles, but then again he only spams once or twice a day: careonecredit.us, debtquotes.info, and secretshoppersusa.com are all registered by a Mr. Bryan Winstanley from Nova Scotia, Canada. And the nice thing is that he seems to spam from home, since it's always the same IP, 24.215.94.195, belonging to Andara High Speed Internet c/o Halifax Cablevision LTD. Must be an amateur spamming for his own sites. read more |
|
|
Filed under: Referrer Spam 0 comments (Post a comment) |
|
OmniExplorer_Bot really spamming this time |
|
|
Saturday, May 28 2005 @ 16:30 CEST Contributed by: Dirk |
|
|
Correction, 2005-06-13: The bot is not referrer spamming.
I've previously posted about what looked like referrer spam but was (supposedly) only OmniExplorer_Bot in disguise. But now we're seeing real referrer spam (for porn sites, mostly), coming from the very same IP addresses and with the same user agent: 64.71.131.110 - - [28/May/2005:01:07:11 -0400] "GET / HTTP/1.1" 403 26 "http://fotos-voyeur-y-amateur.pnoyny.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8" 64.71.131.112 - - [28/May/2005:07:22:55 -0400] "GET / HTTP/1.1" 403 26 "http://women-want-huge-cocks-for-sex.9032rd.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8" 64.71.131.113 - - [28/May/2005:02:53:17 -0400] "GET / HTTP/1.1" 403 26 "http://filmati-gay-gratis.tlkpcw.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8" 64.71.131.114 - - [28/May/2005:04:12:07 -0400] "GET / HTTP/1.1" 403 26 "http://sex-masturbation-stories.9032rd.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8" 64.71.131.115 - - [28/May/2005:02:56:48 -0400] "GET / HTTP/1.1" 403 26 "http://drunk-girls-at-mardi-gras-galleries.gfdo43.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8" 64.71.131.117 - - [28/May/2005:09:18:30 -0400] "GET / HTTP/1.1" 403 26 "http://naked-photos-of-heather-graham.gfdo43.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8" 65.19.134.3 - - [28/May/2005:09:47:40 -0400] "GET / HTTP/1.1" 200 49316 "http://fitness-pictures-of-women-no-nudity.sfd932.info" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8" So let me repeat what I said before: Block those IP addresses! And now for a closer look at the actual spam: read more |
|
|
Filed under: Referrer Spam 3 comments (Post a comment) |
|