Spambot left on autopilot?
I’ve noticed referrer spam from jaja-jak-globusy.com now and then the last few months.
Today I checked, and it doesn’t even resolve.
So my question is, have they left the spambot on autopilot and forgotten to turn it off? It’s been spamming from the same place forever now.
February 19th, 2006 at 12:14 am
Did it resolve before?
There’s an outside chance that it hasn’t been taken down, but that it has yet to go live. Doing “register, spam, configure” in that order has the advantage that SBL URI checks, or any other anti-spam heuristic that resolves the domain are no longer in play. The intended recipient can use the domain, but the spam filter can’t.
ISTR this has been tried in e-mail, with a roughly overnight time frame, i.e. register domain, spam it in the evening, configure NS records in the morning when the intended recipients will be reading the messages. Since the audience of referrer spam (as I understand) is a web spider that may revisit the link weeks or months down the road, delaying the “configure” step may work here.
Of course, it’s more likely that the domain got shut down due to spamming, but the bot somehow survived. Responsive registrar, unresponsive ISP?
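A way to see the "register, spam, configure" timing from the defender's side, as an added example that is not part of the thread and not anyone's production filter: instead of resolving a referrer host once when the hit arrives and forgetting about it, hold every unresolvable host and re-resolve it on later days. The DNS snapshots, the `.example` hostnames and the day numbers are constructed; a real deployment would plug in an actual resolver.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# A resolver maps a hostname to an address, or None for NXDOMAIN / no answer.
Resolver = Callable[[str], Optional[str]]


@dataclass
class ReferrerRecord:
    host: str
    first_seen_day: int
    resolved_ip: Optional[str] = None
    resolved_day: Optional[int] = None


@dataclass
class ReferrerQuarantine:
    """Keep unresolvable referrer hosts and re-resolve them on later days,
    instead of deciding once at ingestion time."""
    pending: Dict[str, ReferrerRecord] = field(default_factory=dict)
    verdicts: Dict[str, str] = field(default_factory=dict)

    def ingest(self, host: str, day: int, resolve: Resolver) -> str:
        if resolve(host) is not None:
            self.verdicts[host] = "resolves"
        else:
            # An ingestion-time check stops here; we keep the host instead.
            self.pending.setdefault(host, ReferrerRecord(host, day))
            self.verdicts[host] = "unresolved"
        return self.verdicts[host]

    def recheck(self, day: int, resolve: Resolver, max_age_days: int = 60) -> Dict[str, str]:
        for host, rec in list(self.pending.items()):
            ip = resolve(host)
            if ip is not None:
                rec.resolved_ip, rec.resolved_day = ip, day
                # Came alive after the referrer hits arrived: the delayed "configure" step.
                self.verdicts[host] = "resolved-late"
                del self.pending[host]
            elif day - rec.first_seen_day > max_age_days:
                self.verdicts[host] = "dead"
                del self.pending[host]
        return dict(self.verdicts)


# Constructed DNS snapshots, day -> {host: address}.  Day 0 is the evening the
# referrer hits arrive; late.example gets its records only on day 1 (assumed timeline).
DNS_BY_DAY = {
    0: {"live.example": "192.0.2.10"},
    1: {"live.example": "192.0.2.10", "late.example": "192.0.2.20"},
    70: {"live.example": "192.0.2.10", "late.example": "192.0.2.20"},
}


def resolver_for(day: int) -> Resolver:
    table = DNS_BY_DAY[day]
    return lambda host: table.get(host)


def replay():
    """Replay register -> spam -> configure and return verdicts on days 0, 1 and 70."""
    q = ReferrerQuarantine()
    hosts = ["live.example", "late.example", "dead.example"]
    day0 = {h: q.ingest(h, 0, resolver_for(0)) for h in hosts}
    day1 = q.recheck(1, resolver_for(1))
    day70 = q.recheck(70, resolver_for(70))
    return day0, day1, day70


if __name__ == "__main__":
    for label, verdicts in zip(("day 0", "day 1", "day 70"), replay()):
        print(label, verdicts)
```

On day 0 a filter that only resolves at ingestion sees `late.example` and `dead.example` as equally non-existent; the re-check on day 1 is what separates the domain that was configured after the spam run from the one that never comes back, and the `resolved-late` verdict is the signal worth alerting on.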
February 19th, 2006 at 3:40 am
Yes, it did resolve a long time ago. Typical scraper directory. That outfit has loads of them. But that’s the only site they’ve consistently referrer spammed.
Months ago it had some sort of error message, and now it doesn’t resolve at all.
I believe they’ve changed registrar too.
It’s all very mysterious…
February 21st, 2006 at 12:44 am
Hi Ann,
I’ve been wondering about this myself. We’ve been getting increasing amounts of linkless Paris Hilton spam, but the one that’s really weird is this stuff that looks kinda like it’s encrypted.
Ei0v1lYlTg - IP: 202.129.12.14
Comment: BcuQgUeNXs abQiTFofqI 5BuPMhZXVSnGu
Uxz4g4f4EL - IP: 202.58.85.8
Comment: LeTw5t1dZq4Aji mAzar28s1xoi uktg2WhJxNnl
Getting about 3 or 4 a day for a while. Sails through most spam filters. Any experience with this?
February 21st, 2006 at 6:26 am
Hi Alex,
I get about the same amount of those too. I don’t know what the deal is.
February 21st, 2006 at 12:18 pm
Actually, there is a pretty simple explanation for that behavior, botnets used for spamming. See this quote from a Wash Post article
“There is one factor in controlling vast numbers of bots that can mask the true size of any given botnet, Dagon said. To reduce the load that a massive botnet would place on a command-and-control network, many bots are configured to remain mostly disconnected from the herd, “phoning home” periodically to check for updates or new instructions.
The downside to this setup — from the botmaster’s standpoint — is that only a fraction of the herd is connected at any given time, meaning new instructions may not reach the entire network for several hours. ”
Given the distributed nature of command & control in some botnets, it is possible that some of these machines end up as orphans, no longer able to contact the leader for new instructions, but still dutifully carrying out the last command, to spam a no longer active domain.
February 21st, 2006 at 12:35 pm
To Brian,
I’m sure you’re right …when it comes to botnets.
But this is NOT a botnet.
It’s ONE machine that’s been referrer spamming for a very long time. There’s never been more than one machine spamming at any one time. It’s quite simply a machine they either rent/colocate or a machine they’ve compromised. It’s a webserver.
You see, webspammers are different from mail spammers in one respect:
Many of them use webservers for their spamming. Servers they pay for themselves.
February 22nd, 2006 at 7:16 am
YMMV. I use an automated blocking script to detect and block referral spammers as well as comment spammers from hitting my blog/website. With that in place, it is practically impossible for any of them to use static servers of any kind to spam my web pages. So, almost all of my current spammer traffic (reduced but I still get periodic storms) are using botnets for their dirty work.
So, I guess I see everything through the prism of my own situation.
February 22nd, 2006 at 7:46 am
Ugh!! I blocked referrer spam from that domain months ago.
Alex, I’ve been getting that same crap too, like this:
Ei0v1lYlTg - IP: 202.129.12.14
Comment: BcuQgUeNXs abQiTFofqI 5BuPMhZXVSnGu
Some have live links to non-existent domains like abQiTFofqI 5BuPMhZXV.com. At least they appear to be non-existent when I’ve looked up the whois and tried to go to the domain.
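An added example, not the blocking script mentioned a few comments up nor anything from the original thread, of what such a script has to do for the two cases raised here: referrer hits from blocked or no-longer-resolving domains, and comments made of random-looking tokens or linking to domains that do not resolve. The access-log lines, comment records, `.example` hostnames, DNS table and TEST-NET addresses are constructed; the Apache 2.2 `Deny from` output format is an assumption about the target server, and the resolver is an in-memory stand-in.

```python
import re
from urllib.parse import urlparse

# Apache/nginx "combined" log format; only the client IP and Referer are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)

# Constructed DNS view: hosts missing from the table are treated as NXDOMAIN.
DNS = {"realblog.example": "192.0.2.50", "directory-farm.example": "192.0.2.60"}


def resolve(host):
    return DNS.get(host.lower())


BLOCKLIST = {"directory-farm.example"}   # referrers already blocked by hand


def host_of(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def looks_random(token):
    """Mixed-case alphanumeric runs like 'BcuQgUeNXs' flip case far more often
    than words do.  CamelCase product names can trip this, which is why a
    comment is judged on the share of such tokens, not on any single one."""
    if len(token) < 8 or not token.isalnum():
        return False
    flips = sum(1 for a, b in zip(token, token[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return flips >= 4


def referrer_spam_ips(log_lines):
    """IPs whose Referer is on the blocklist or names a host that does not resolve."""
    bad = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ref = m.group("referer")
        if ref in ("", "-"):
            continue            # direct hits carry no referrer and are not spam
        host = host_of(ref)
        if host in BLOCKLIST or (host and resolve(host) is None):
            bad.add(m.group("ip"))
    return bad


def comment_is_spam(comment):
    """Spam if most words are random tokens or any link points at a host that does not resolve."""
    words = comment["name"].split() + comment["body"].split()
    random_share = sum(map(looks_random, words)) / max(len(words), 1)
    dead_links = [u for u in URL_RE.findall(comment["body"]) if resolve(host_of(u)) is None]
    return random_share >= 0.5 or bool(dead_links)


def comment_spam_ips(comments):
    return {c["ip"] for c in comments if comment_is_spam(c)}


def render_htaccess(ips):
    """Apache 2.2-style deny list (assumed target; adjust for your server)."""
    return "\n".join(["Order Allow,Deny", "Allow from all"]
                     + [f"Deny from {ip}" for ip in sorted(ips)])


# Constructed sample data.
LOG_LINES = [
    '192.0.2.1 - - [19/Feb/2006:00:14:00 +0000] "GET / HTTP/1.1" 200 512 "http://realblog.example/post" "Mozilla/4.0"',
    '198.51.100.7 - - [19/Feb/2006:00:15:00 +0000] "GET / HTTP/1.1" 200 512 "http://directory-farm.example/" "Mozilla/4.0"',
    '198.51.100.9 - - [19/Feb/2006:00:16:00 +0000] "GET / HTTP/1.1" 200 512 "http://vanished-dir.example/" "Mozilla/4.0"',
    '192.0.2.2 - - [19/Feb/2006:00:17:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]
COMMENTS = [
    {"ip": "198.51.100.21", "name": "Ei0v1lYlTg", "body": "BcuQgUeNXs abQiTFofqI 5BuPMhZXVSnGu"},
    {"ip": "198.51.100.22", "name": "reader", "body": "Nice post, see http://realblog.example/ for more"},
    {"ip": "198.51.100.23", "name": "reader2", "body": "check http://abQiTFofqI.example/ now"},
]


def build_denylist(log_lines=LOG_LINES, comments=COMMENTS):
    return referrer_spam_ips(log_lines) | comment_spam_ips(comments)


if __name__ == "__main__":
    print(render_htaccess(build_denylist()))
```

Two caveats a practitioner would add: an unresolvable referrer can be a domain that has not been configured yet rather than one that has been taken down, so a real script should re-resolve before treating the block as permanent; and blocking by source IP only works against the single rented or compromised server described in this thread, not against a botnet, where the addresses change faster than any deny list.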