Archive for February, 2005

Google bomb for Online Poker

Monday, February 28th, 2005

Planet Ozh has the idea of making a Google bomb for Online Poker.

Just remember that redirection scripts, like Ozh has on the site, won’t help. And rel nofollow won’t either.

But the more, the merrier, I suppose.

Spammer buys casino?

Monday, February 28th, 2005

We have confirmed that the Bulgarian spammers are spamvertizing highprofitclub dot com.

It was operating as late as last week.

It’s a pyramid/MLM scheme casino with shares.

The whois info seems to indicate the Bulgarians now own the domain name. The site itself seems to be in the process of DNS propagation, and is unreachable from my location.

IF they’ve bought the MLM part as well as the domain name, then it appears they’ve bought themselves a casino.

Just in time for Netaloid’s big petition to the other casinos they used to earn affiliate income from. We still don’t know what’s about to happen there either.

So keep watching this spot. Might be a bumpy ride…

UPDATE: Hegnar online reports on the start of the highprofitclub

The Bulgarians are avoiding some of us?

Monday, February 28th, 2005

Several bloggers have reported that they haven’t received any more referrer spam from the Bulgarians. Same here. Last time stamp from my log is:
[26/Feb/2005:22:21:20 -0600]

Would like to hear from anyone receiving hits from them since that time. And what’s served? What we do know is that they’re keeping us under observation. That means my blog, and any blog linked from it. Both blogroll and links in posts.

Mediasushi reports an access with this time stamp:
[28/Feb/2005:05:17:29 +0800]
The same IP number was used by a human a little later to surf her site. She was wondering if that’s the spammer checking out her site? It could have been a very on the ball admin checking out what people are using his site for. Except… This person was coming in to her blog through a link from mine!

Can’t find that IP number in my logs, though. Not even close. I’m missing a bit of log (my host didn’t set up the logs the way I asked yet, and I forgot to bug him), but if her time stamp is correct, I have the log from that time frame. So unless he left his computer for a few hours, or had it in the cache and then came back, it’s a mystery how this happened.

I did get word from a few of the regulars here, who have blogs not visibly connected to our efforts. He got this new domain in his logs:

highprofitclub dot com

Typical Bulgarian whois info. I can’t access the site in any way, but it looks as though it used to be online (check out http://www.whois.sc/). The design looks a bit unusual for the Bulgarians. Probably a site they’ve bought.

Ah, yes. If the Bulgarians own it now, then it’s definitely something they’ve bought off someone else. It was a pyramid/MLM scheme with gambling. Similar to World Games, which reportedly made it big in Norway. Well, before it collapsed and Økokrim (Economic Crimes - law enforcement agency) got involved. So it’s very possible another such endeavor folded, and the Bulgarians may have bought it cheaply. It will at least have name recognition. But if they spamvertize it, they WILL be reported to Google, and if past history is anything to go by, Google WILL blacklist the domain name…

UPDATE: One of the members of High Profit Club came by the site last week to check on the share prices. Today the site was gone. He has no idea what happened, since his sponsor quit the program (which basically means that unless he knows people higher up, he has no way of getting hold of any info).

A design gift

Sunday, February 27th, 2005

I got a design gift from Dionaea. It’s a Norwegian dude with a name I’m not sure you guys can pronounce, so I’ll go with his site name for now.

Anyway, he drew me and sent me three images. One is a header image for Wordpress, and then there’s a png image in a bigger version.

So, guys, can you see this as part of the design of this site?
[Image: Spamhuntress design image]

Please sign the petition right away

Sunday, February 27th, 2005

Netaloid is planning on sending the petition by the end of today. So please sign it now if you intend to:

Petition to have the casinos cut off the affiliate IDs of the main spammer (yeah, guess who…).

First case of referrer spam on this blog

Sunday, February 27th, 2005

I got the first case of referrer spam on this site during the night.

Canadian IP number, and Australian and Florida whois info.

This time it isn’t gambling, and not pills. It’s related to webcams and related…

Different IP addresses on the two sites spamvertized.

And apparently using Reffy.

The Bulgarians have been by - personally

Sunday, February 27th, 2005

I got a personal visit from one of the Bulgarians yesterday. No referrer from the initial click through.

82.103.65.225 at around [25/Feb/2005:08:15:15 -0600]

It’s also hitting my old blog around [25/Feb/2005:08:16:56 -0600].

And a few failed bot accesses the day before.

Unintended consequences of blacklists

Saturday, February 26th, 2005

Quite a few have updated their blacklists with certain keywords. Like poker and casino. And if you’re coming from a legitimate page that contains one of those blacklisted words, you’ll get a nice error message from the page you’re linking in to. Usually a 403, but occasionally a bit more inventive.

Like Sara’s error message after I clicked on her link on Netaloid’s big Casino petition (click on the image to see it clearly):
[Image: Sarah's error message]

New spamrun - using NoIP services

Saturday, February 26th, 2005

I just got a comment in my old blog. Really vile stuff, by the looks of the URLs.

Some are for free homepage services, and others are for NoIP services. And those ping sites on Atrivo.

Those pages of course point to real domain names, via scripts and whatnot.

One of those domains is registered to:

n/a
Sid Fedorov (f-1@ukr.net)
Volutova 2520
Praha
null,15800
CZ
Tel. +42.0602885127

Creation Date: 01-Jul-2004
Expiration Date: 01-Jul-2005

Domain servers in listed order:
dns98.3fn.net
ns2.3fn.net

And the domain pings
216.195.34.180
which is associated with 3fn.net.

I’ve seen nameservers from 3fn before, related to spam.

The spamming IP is from a place I’ve seen before - a bank in Japan. Probably an open proxy.

Bot changes behavior

Saturday, February 26th, 2005

There’s a bot I’ve seen now and then, that I suspect of being bad. It’s been trying to GET my old B2 comments script on annelisabeth.com.

67.19.91.50
That’s a webserver at ThePlanet. But it’s managed to fool both whois.sc and webhosting.info into believing there’s no website at that address. So what’s it doing? If you access the IP address, there’s a Plesk desk served.

And it used to have the user agent:
Mozilla/3.0 (compatible; Indy Library)

But last night that changed. It started trying HEAD on the same file, but this time with this as the referrer:
http://Dmoz.org

That site is of course totally above reproach. Not owned by someone who’d be into spamming.

But I think the wielder of the bot intends to spam.

The user agent is now:
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
About as common as they get…

Anyway, this one should be blocked by IP number. I’ve found samples online of spam from that IP address going back to July 2004. I did manage to find some recently spammed stuff (February 20th), and the IP address of the site spamvertized is:
209.51.135.146
According to both lookups, that IP address only has one site on it.

But wait, there’s more!

This spammer also utilizes this server for hosting:
66.225.211.190
Once again, the lookups only find one site.

Hmmm, duplicate that a few times, and a picture begins to emerge: Virtual Private Server.
Which might mean you get your own IP address and your own server. Hmmm…
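
The change described in this post (same address, same script, a new user agent, GET replaced by HEAD, a referrer appearing) can be picked out of an access log mechanically. The following Python is an added example, not code from the original blog; the log lines are constructed, use documentation IP addresses rather than the ones named above, and the path /blog/comments-script.php is a hypothetical stand-in for the old comments script.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status bytes "referrer" "user agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IPs, hypothetical script path).
SAMPLE_LOG = """\
192.0.2.50 - - [24/Feb/2005:03:10:02 -0600] "GET /blog/comments-script.php HTTP/1.0" 404 210 "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.7 - - [24/Feb/2005:09:41:55 -0600] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1"
192.0.2.50 - - [25/Feb/2005:03:12:40 -0600] "GET /blog/comments-script.php HTTP/1.0" 404 210 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.50 - - [25/Feb/2005:23:58:13 -0600] "HEAD /blog/comments-script.php HTTP/1.1" 404 0 "http://Dmoz.org" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1"
198.51.100.7 - - [26/Feb/2005:10:02:31 -0600] "GET /index.php HTTP/1.1" 200 9120 "http://example.org/links" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1"
"""

def parse(log_text):
    """Yield one dict per parseable line, with the timestamp as an aware datetime."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def find_identity_changes(log_text):
    """Report (ip, path) pairs whose user agent changed between consecutive requests."""
    history = defaultdict(list)
    for rec in sorted(parse(log_text), key=lambda r: r["ts"]):
        history[(rec["ip"], rec["path"])].append(rec)
    findings = []
    for (ip, path), recs in history.items():
        for prev, cur in zip(recs, recs[1:]):
            if prev["ua"] != cur["ua"]:
                findings.append({
                    "ip": ip, "path": path, "when": cur["ts"].isoformat(),
                    "ua_before": prev["ua"], "ua_after": cur["ua"],
                    "method_change": (prev["method"], cur["method"]),
                    "referrer_added": prev["ref"] == "-" and cur["ref"] != "-",
                })
    return findings

if __name__ == "__main__":
    for f in find_identity_changes(SAMPLE_LOG):
        print(f)
```

The ordinary visitor in the sample also gains a referrer between visits but keeps the same user agent, so only the address that swapped its user agent on the same script is reported.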