Spamhuntress

Paulo sent me some log lines. He’d gotten referrer spammed by the reffy spammer today. Remember them? One Norwegian and one Australian. The Norwegian created a referrer spam tool for windows, and got scared off using it by his ISP. Google routinely ban their domain names. Well, now they’ve got a new one:

http://www.thetrafficproject.com/

Spam details:
IP address: 202.7.166.165
User agent: Rotating list
URL spammed: http://www.thetrafficproject.com/blog_articles/

The design is familiar, and promises traffic boosting secrets, including a reference to Reffy.

So I did some digging (when do I not?)

I found that it resided on the same IP number (65.75.130.120) as another spammer. M0nkey claimed that he wasn’t doing any porn spam, and so far I hadn’t seen any indication that he did. But right now there are a few domains on the same IP number as this site and another of his, that are porn spam sites. They all redirect to an affiliate program (cam type).

I did some digging on that IP number. As far as I can tell, it’s on managed.net’s service. They rent out servers for a monthly fee. I can’t see any virtual hosting there. I noticed that all the domain names had the same name servers:
ns1.urlremoved.com
ns2.urlremoved.com

Reffy.net resides on 65.75.130.123, which appears to be another server. But still using those same nameservers. It’s a domain name that was spamvertized November 30 2004 along with some other domains previously owned by the reffy spammers. Some of those have been sold, some are for sale on SEDO. So my guess is it’s a vanity name server. Which in turn means the porn redirect sites probably either belong to M0nkey, Odin or customers of theirs.

I found something interesting in Managed’s AUP:

Managed.com expressly disclaims any obligation to monitor its Customers and other Users with respect to violations of this Policy. Managed.com has no liability or responsibility for the actions of any of its Customers or other Users or any content any User may post on any Web site. Managed.com reserve the right to levy a penalty fee of $10.00 per violation of the Acceptable Use Policy and Service Agreement.

So please report each and every referrer spam you get from these guys. Of course, the AUP doesn’t specify anything but e-mail spam, but if Managed get enough complaints, they may actually levy that penalty on the user. Abuse messages should be sent to:
abuse at managed dot com

—————-

I found some interesting stats on the name server: urlremoved.com
It currently is serving as name server for around 17 domains. One domain was transferred to it from whiteguysgroup.com, an old domains used by these spammers. That name server has recently gone from 32 to 21 domains in a month.

————

Update
One of the domain names on their server was spamvertized on Yahoo groups. Lots of them. And I can prove it was at least done from one of their servers. Note that the mail was sent from nobody - doesn’t that mean it’s a local user of the whiteguysgroup server? Another messages was sent from the Acyon server. There was a campaign February 13 and 18 this year too. Looks like it was done through proxies or zombies.

The e-mail address starting with bryan6200 sounds SOOO familiar. Where have I seen that one before?

————–

Update April 30
thetrafficproject.com has been GoogleBanned…

And 202.7.166.170 visited my blog April 28 after checking TuxedoJack’s forum. Coming back April 29 after doing a Google and a Yahoo search for thetrafficproject. Odin, I presume. And probably not too happy… And M0nkey also came to take a look, both days.

This entry was posted on Wednesday, April 27th, 2005 at 3:27 pm and is filed under Referrer spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.