Pills referrer
I got an insistent referrer spammer. And this one was a bit more work to track.
He uses lookscool.com URL redirect addresses. Those are hard to track. Sam Spade won’t cut it. You can load the addresses in your browser, or use a tool which is a bit more invasive: Ethereal.
Bottom line, the addresses redirect to 1-800-pills.com, which then has encrypted links to paysefeed/goclick/enhance.
Domain bought and hosted at ESThost:
69.50.176.254
Whois:
SinteZ Ant Hill
SinteZ (mail@sintez.us)
Ant Hill 1-10
Ant Hill City
,10025
US
Tel. +10.67536487
And the e-mail address isn’t in Google, so I checked the whois on that domain as well:
Registrant Name: Denis Basargin
Registrant Organization: Guard Software, LTD
Registrant Address1: pr. Vernadskogo 17
Registrant City: Moscow
Registrant Postal Code: 326000
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +791.14003377
Registrant Email: densys@onego.ru
Denis is/was interested in Delphi programming, and has released a program for hiding files. He’s 24 years old, and is from Petrozavodsk in Russia. He is or was a CIO for a company.
Considering the whois info for the spamvertized domain is fake, and the trail leads to him, Denis has some explaining to do.
November 29th, 2005 at 10:22 pm
Ann,
This clown has invaded my turf also in the last few days. Here are a couple of his other “domains” in addition to lookscool.com:
lookscute.com
digitalbomb.com
windowsexplorer.com
cutezone.com
all pointing back to 1-800-pills
Funny I was looking into it today and you have this at the same time. I found the same whois info for all, emailed ESThost and received no reply.
The redirects are registered at Tucows and hosted at Hitstation, if you hadn’t seen that.
What do you do about this? It’s the first time I’ve had this at this level.
Regards,
Mark
November 30th, 2005 at 9:07 am
First of all, the domains aren’t his. It’s a redirect service. So what THEY need to do, is to deny this guy service.
And what to do about it… Ban the IP numbers. He’s using proxies, and more and more different ones. Kinda a losing battle. Oh, here’s another, if you’re brave enough. You could block his user agent. He’s using what appears to be a real user agent - probably took it from his browser and used it for his script. You could ban all Russian variants of Firefox… You’d be blocking most other Russians of course, if you can spare them?
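The trade-off between these blocking options, as an added example that is not part of the original thread: a Python sketch that scans Apache combined-format log lines for Referer hosts on the redirect domains named above, then reports how many distinct client IPs sent them and which other visitors a user-agent ban would also block. The log lines, subdomains, paths and user-agent strings are constructed for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Redirect-service domains named on this page.
SPAM_DOMAINS = {"lookscool.com", "lookscute.com", "digitalbomb.com",
                "windowsexplorer.com", "cutezone.com"}
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$')
# Constructed data: documentation IP ranges, made-up subdomains, paths and user agents.
UA_RU = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [29/Nov/2005:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "http://a1.lookscool.com/" "{UA_RU}"',
    f'198.51.100.7 - - [29/Nov/2005:10:01:05 +0000] "GET / HTTP/1.1" 200 5120 "http://a1.lookscool.com/" "{UA_RU}"',
    f'203.0.113.45 - - [29/Nov/2005:10:02:11 +0000] "GET / HTTP/1.1" 200 5120 "http://b2.cutezone.com/x" "{UA_RU}"',
    f'192.0.2.99 - - [29/Nov/2005:10:03:40 +0000] "GET /post HTTP/1.1" 200 812 "http://www.example.org/ru/" "{UA_RU}"',
    '198.51.100.200 - - [29/Nov/2005:10:04:02 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://example.net/?u=lookscool.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
])

def spam_domain(referer):
    """Return the listed domain a Referer header belongs to, or None."""
    try:
        host = (urlsplit(referer).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL in the header
        return None
    # Match the host itself or a subdomain, never a substring elsewhere in the URL.
    return next((d for d in SPAM_DOMAINS if host == d or host.endswith("." + d)), None)

def analyze(log_text):
    """Return (per-domain stats, IPs of clean requests a user-agent ban would also block)."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "agents": set()})
    clean = []  # (ip, agent) of requests without a listed referrer
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, referer, agent = m.groups()
        domain = spam_domain(referer)
        if domain is None:
            clean.append((ip, agent))
            continue
        stats[domain]["hits"] += 1
        stats[domain]["ips"].add(ip)
        stats[domain]["agents"].add(agent)
    spam_agents = set().union(*(e["agents"] for e in stats.values()))
    collateral = [ip for ip, agent in clean if agent in spam_agents]
    return dict(stats), collateral

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, every spam hit comes from a different IP while the referrer domains repeat, and the only collateral of a user-agent ban is the ordinary visitor who shares that browser string.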
November 30th, 2005 at 12:02 pm
Thanks Ann,
Marco will be working something up for me, thankfully.
Appreciate your reply,
Mark
December 1st, 2005 at 2:36 pm
Yes. All of them are redirect hosts from the same engine (you can see the full list in the drop-down “Select A Domain” field at lookscool.com)… There were others from that list in the pharmacy top of Google’s SERP during the last month. It seems those redirect hosts became popular among webspammers recently - many of them are just trying to copy what others of them do.
December 2nd, 2005 at 11:36 am
[…] te. Tuesday, for some reason, I thought taking a look at SpamHuntress was a good idea and I found this. Almost simultaneously, a couple of things were happening! My ban […]
December 19th, 2005 at 9:05 am
[…] m which pings 69.50.176.254 More info on the spammer, including whois, can be found here: Pills referrer. I’ll gather more info on the spammer, and might update here or make a w […]
February 27th, 2006 at 4:03 pm
[…] pt, I was 301 redirected to 1-800-pills.com, which is owned by the spammer I identified as using the name Denis Basargin, a long time ago. And in case you’re wondering, here are […]
December 8th, 2006 at 6:37 pm
[…] Tuesday, for some reason, I thought taking a look at SpamHuntress was a good idea and I found this. Almost simultaneously, a couple of things were happening! My bandwidth usage was growing like never before, new referrers were showing up in my stats to a larger and larger degree and Ann (SpamHuntress) had posted about the very same stuff! […]