Spamhuntress

I found a comment spam on David Naylor’s comment feed.

The peddled URL was:
http://spysrc.afraid.org/main.html

A javascript forwards to:
http://r.x-stories.org/n.php?niche=spyware&num=12&url=http://freedns.afraid.org/

It’s kind of hard to follow, but when I followed this one:
http://se-na.poreva.net/r.pl?niche=spyware
I came to a script that forwarded to:
http://uni.poreva.net/nar.cgi?niche=spyware&num=0&ref=
Which in turn forwards to:
http://morwillsearch.com/results.php?adv_id=dyakon&q=pop+up+blocker

This is the end address, and it reveals the affiliate ID: dyakon
That’s echoed in the whois info for poreva.net

I should also note that I’ve heard that domain before. This is an entrenched spammer.

I’ve e-mailed the search engine. If they don’t toss the spammer’s affiliate ID, they’re in bed with them. That simple.

This is an example of how complicated these cloaking pages are.

Oh, and I didn’t mention that unless you come to the page with a referrer from Google or another search engine, you’ll just be tossed to an unrelated page. That’s how they fool bloggers.

They hide their affiliate ID’s in a jungle of cutouts. You need to be able to read javascripts and use a non-graphic browser to really appreciate how this happens. The affiliate ID is hidden by the time the landing page appears.

This entry was posted on Monday, March 7th, 2005 at 2:28 pm and is filed under Comment spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.