URL within URL
Got some comment spam on spamhuntress.
At first it looked like spam for syllable.org. But I realized there was something looking a bit like a redirect inside the URL. And after running it through a decoder, it appears there was a lot of code inside the URL. Effectively several URL’s within the URL. The links won’t redirect to the spammy site, so getting direct clicks isnt’ the object.
Each comment had a different patsy link, with trailing spam links.
And when you click on the link, you end up on a page at a respectable site that is entitled Texas Holdem or somesuch. A slur on the site in question, I would say.
And the spammy content was on emistry.com
In fact, they have a partial explanation on emistry.com/Online_poker/
They call it an ongoing experiment. Probably wanting to find out if Googlebot et al will read the URL’s within URL’s as backlinks? And also gaming people to think respectable sites spammed them?
Anyway, the spam is entered through many IP numbers, and many user agents. Including anonymizer.com.
emistry.com
84.204.54.116
84.204.54.116.colo.piter.peterhost.ru
NA
NA NA (kipp.rexroat@gmail.com)
+1.10938661164
Fax: +1.5555555555
NA
null
Na, NONE 19857
PG
The only payoff I’ve found so far is Adsense:
pub-7003516765187668
And considering the amount of fun and games on that site, I wouldn’t trust that to even be the spammer’s Adsense code. Maybe Google could find out?
Have anyone else dug deeper than I did?
Update
The emistry spammer appears to be a regular reader of spamhuntress, at least since April.
83.102.193.130
I first caught him searching for emistry and spam on Russian Google. I then looked at the IP number. Someone using that IP number has been reading my blog for some time, usually pulling in the feed. There might be more than one person on that IP number (home network?), or it may be a local proxy, because I saw several user agents:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.9) Gecko/20050722 Firefox/1.0.5
Mozilla/5.0 (compatible; Konqueror/3.4; Linux 2.6.13-rc6; X11; i686; en_US) KHTML/3.4.1 (like Gecko)
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050805 Firefox/1.0.6
They’ve all been present for some time though, except for the last one (upgraded linux, would be my guess). I didn’t see the Linux machine(s) until recently.
And yes, I verified independently that it’s the spammer. That IP number spammed guestbooks. Without the URL within URL trick. In fact, I accessed one guestbook, and was redirected to his emistry human created page. He’d used javascript, like what spammers usually uses to redirect human users from their landing pages.
And I found other domains spamvertized by that IP number:
medicine-mall.net
September 16th, 2005 at 6:09 pm
Googlebot et al will read the URL’s within URL’s as backlinks? And also gaming people to think respectable sites spammed them?
______________________________________
Actually, that strategy may Now, get them an email - to webmaster@…com or whatever email is on the site
It appears - verified by Matt Cutts - that a pilot project has just been lauched that will detect REDIRECTS or Link Policies that violate Google’s Quality Standards…
It will thenl trigger a generic email - indicating that the site is banned - and what methods have to be done for reinclusion…
Several postings have been made on SEO forums from Webmasters receiving that email…
September 17th, 2005 at 7:34 am
[…] under another spammer’s nose… Boakes - MyNiceMailAt.com I notified Syllable (see this story), and they’ve posted their outrage on their front page: Syllable joe job […]
September 19th, 2005 at 11:55 am
These bastards have been trying to comment-spam my blog site with this technique for the last 3 days. Fortunately, Wordpress’s built-in spam-detector has caught every single one of their spam comments and placed them in a moderation queue for me to check before they are published (or in this case, deleted).
These shitheads piss me off, they’re worse than the HTTP-referer spam whores I had a few months ago.
September 21st, 2005 at 3:06 pm
yep… I get lots of unwanted comments on my blog, but it’s like Stephen said; WordPress puts everything in the moderation que.
September 23rd, 2005 at 6:37 pm
Arg, I keep getting them too. Casinos, syllable.org, Texas Hold Em, bs like that. annoying as crap
October 16th, 2005 at 4:33 pm
[…] to suspect foul. In fact, those links on that blog (dare I say splog?) reminds me of that URL within URL experiment I covered a while ago. And if you go further back into the past post […]
January 14th, 2006 at 6:44 am
[…] spice I’ve uncovered circumstantial evidence that leads me to believe the emistry.com spam came from the same outfit that shot to fame as the tigerspice.com spammer. T […]
January 14th, 2006 at 9:30 am
[…] I better post this now instead of waiting until tomorrow) So, who did the tigerspice and emistry spam? As far as I can tell from the circumstantial evidence, it’s none other th […]