Spamhuntress

I just saw one of the most damning javascripts I’ve ever seen! Not necessarily a smart javascript, but …definitely damning.

I was researching some referrer spam I got a few days ago. Referrers from these domains:
ad-services.info (69.31.91.162)
liveplaynow.com (69.31.91.162)
todayonlinecasino.com (209.66.123.233)

I was following a trail from the first one. Figured I’d get more interesting affiliates by checking the gambling section.

But that’s not what I found…

I found a javascript that would show a regular scraper site with affiliate links if you accessed the page with no referrer, or a referrer that didn’t trip the payload of the script.

The payload was tripped if you had a referrer containing one of these words:
board
wwwboard
forum
guest
book
archive
ugb
comment

The payload goes through several redirects, and ends up at a porn section of a video chat network.

The owner of that site may just as well go right out and say it: I’m a spammer!

The redirect goes through
j-rx.com (69.31.93.126)

I found another spammer on that webserver: Almenix.

Whois for j-rx.com:

VI-TI-KA
Vadim (jrx@fromru.com)
Rentgena 6/89
St.-Petersburg
null,191187
RU
Tel. +812.5689472

Back to the spamvertizing:

IP: constantly revolving proxies
UA: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Pages hit: The referrer spam category, and Refer script: spam magnet.

In fact, I wonder if this was the Google search the spammer came in on:
script refer spam
IP: 217.76.184.47 ( 217-76-184-47.olympus.ru )

This entry was posted on Tuesday, June 14th, 2005 at 3:37 pm and is filed under Referrer spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.