Archive for the 'Referrer spam' Category

216.195.58.20

Saturday, December 1st, 2007

A referrer spamming bot that was active through most of November, and had its last recorded hit December 1st, is:

216.195.58.20

It resolves to dns237.3fn.net, which is a known entity around here. We’ve had a lot of porn coming from customers on there. Check a Google search for it on my site to see details. But the IP block belongs to APS Telecom in Portland. However, the abuse section is from 3fn, and it’s a pretty big IP block.

This outfit has been referrer spamming for some digg stories that have been removed by now.

There’s some spam to a University forum post that’s been hijacked by a method I’ve never seen before. The spammy site is placed within a cell in a table! The site is top7.biz, which is also registered with ESTdomains, and has DNS at f3n.net. The next hop is findroll.com, which is registered at Register Services, which has a calling code belonging in Estonia. The DNS servers are again from 3fn. The next hop goes through 216.195.44.106, which is also at 3fn. The link is encrypted, and goes through lightask.com or goclick.com and affiliatetracking.com.

The latest spam is for sites ending in .ua, and is in Russian, so I gave that a miss.

SERVER ERROR

Monday, September 4th, 2006

I checked a spamvertized domain (freshly spammed today from host168.canaca.com).

It responded with this text:

SERVER ERROR

Trouble is, I saw that text in a text browser, which also transmitted the status code: 200, which means OK. That means, in essence, there’s no server error. A(n internal) server error has status code 500. So, it’s just a ploy to throw off irate bloggers. That domain will later on serve up content.

212.13.99.14 referrer spammer

Saturday, September 2nd, 2006

I found this referrer:

http://localhost/spamit/index.php

That presumably means there’s a script on that IP (212.13.99.14) that spams.

I found some referrer spam, with spam pointing to other people’s blogs and galleries with lots of spam comments on them. That spamit referrer preceded what looked like a human looking at my blog, with a different user agent than the spamming that preceded it (by less than ten minutes).

Adsense, referrer spam and empty pages

Saturday, September 2nd, 2006

I was referrer spammed by 71.111.51.172. That’s in Michigan, according to Geobytes.
The point is rather that the Adsense on his scraper sites has a “root site”, that has nothing on it:

tempsubdomain.blogspot.com

That should have kinda tripped an alert when he signed up for the Adsense, eh? Not that it necessarily was empty then, but the name of the blog, now that would have made me a bit wary, were I to OK that account.
And since there are lots of curious people here, I’ll include the spammed-for sites:

squishygames.com
goobot.com
careward.com
bluepc.info

They’re on:
74.52.59.2
82.165.194.46

All the domains have whois privacy.

User agent is usually: Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)

But the first access I have for that IP had this user agent: Googlebot/2.1 (+http://www.google.com/bot.html)

And the last access had a seriously mangled script that included HTML code in the GET and referrer.

I didn’t get that many visits from the bot, but I found another page that had gotten more than its share. It recorded the top referrers and the number of referrers. I’ll redact the subdomains, and include the counts - from the Google cache on 15 Aug 2006 05:55:45 GMT:

(252)
(239)
(188)
(175)
(147)
(134)
(122)
(119)
(98)
(96)

And I found another domain spammed by the same guy: wikicore.com
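An added example, not code from the original posts: a small Python script that applies two of the tells noted in these posts (the http://localhost/spamit referrer from the 212.13.99.14 post, and one IP presenting a Googlebot user agent alongside an old MSIE one here) to combined-format web server log lines. The log lines, IPs (RFC 5737 test ranges), paths and referrer hosts are all constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format:
# ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 test addresses); not from the original posts.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Sep/2006:10:01:12 +0200] "GET / HTTP/1.0" 200 5120 "http://localhost/spamit/index.php" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
192.0.2.10 - - [02/Sep/2006:10:07:40 +0200] "GET /about/ HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.5"
198.51.100.7 - - [02/Sep/2006:11:00:01 +0200] "GET / HTTP/1.0" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [02/Sep/2006:11:00:05 +0200] "GET /blog/ HTTP/1.0" 200 7200 "http://scraper.invalid/" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)"
198.51.100.7 - - [02/Sep/2006:11:00:09 +0200] "GET /blog/ HTTP/1.0" 200 7200 "http://scraper.invalid/" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)"
203.0.113.5 - - [02/Sep/2006:12:30:00 +0200] "GET /blog/ HTTP/1.1" 200 7200 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
"""

def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits

def suspicious_ips(hits):
    """Return {ip: [reasons]} for client IPs showing the tells described in the posts."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h)
    flagged = {}
    for ip, rows in by_ip.items():
        reasons = []
        agents = {r["agent"] for r in rows}
        # A referrer on localhost can only come from a script on the client's own box.
        if any(r["referer"].startswith("http://localhost/") for r in rows):
            reasons.append("referrer claims localhost")
        # One IP claiming to be Googlebot and then showing up as a browser is a spoofed UA.
        if any("Googlebot" in a for a in agents) and len(agents) > 1:
            reasons.append("Googlebot claim mixed with other user agents")
        if reasons:
            flagged[ip] = reasons
    return flagged
```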

Spammer Bruce Shaw

Monday, August 14th, 2006

I don’t often proclaim someone to be a spammer right out. But this is either a spammer, or he’s been revenge spammed.

Bruce C. Shaw
3765 W 4600 S
Roy, Utah 84067
US
801-731-7648

Why? I just got referrer spam for his website yourbesttrafficsource.com. You know, one of those cleverly worded websites that promises traffic to your website, and doesn’t say a word about what you ACTUALLY have to do to get that traffic. I just have to assume spamming comes into it somewhere, since he has to resort to spamvertizing his site to get that traffic, right?

IP: 65.100.197.196
User agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
- now that is most likely a fake user agent!

Heh, even the IP is from Utah, on Qwest!

And since I was nosing around, I found comment spam from the end of July.

You’ve been a very bad boy, Bruce! Let’s see how Qwest likes having a spammer for a customer.

Disclaimer: Of course, it’s possible Bruce’s neighbor got irritated and referrer spammed his site, but that’s a whole lot of maybes, so let’s see if Qwest agrees it’s him.

Fake referrer page

Saturday, July 29th, 2006

I got a referrer from a refer.php page. That’s a commonly used referrer script. But I got suspicious. I was pretty sure I hadn’t linked to the domain it was on. So I looked.

And found a page that had referrers, but didn’t look like it was powered by that script. And all the referrers were typical splogs on blogspot. The main page of the domain the “script” was on was a scraper.

New tactic, in other words. Insert a referrer page into other people’s referrer scripts - hopefully some are public. Then sit back and wait for the search engines to come by.

Talk with a spammer

Saturday, July 22nd, 2006

Olliver from BBClone got a reply from a spammer, and blogs it:

Worlds apart - an email response from a web spammer

Null-routing complainers

Thursday, July 20th, 2006

I was talking too soon about US webhosts understanding about webspam.

One of them just nullrouted the IP to my webserver, from their webserver.

Translation: They don’t know how, or don’t care, to stop the referrer spamming, and want to prevent the spamming from reaching my website, in order to stop me from complaining.

They just waved a big red TENT in front of my eyes, that’s what they did!

They better figure out how to stop that spamming, and TELL ME, or I’ll be so incredibly tempted to tell the world exactly what webhost this is.

So guys, watch out for webhosts nullrouting the IP of your servers when you complain, instead of actually dealing with the problem!

Here’s HostGator’s latest missive to me regarding the referrer spamming: (timestamped 03:51:28 -0700, July 21)

Dear Spamhuntress,
Setting up an actual packet sniffer would require admin time needed to install and configure it for your purposes. We would be happy to do so for you but there would be a fee associated with this service.

We could easily set it up just to log the fact that packets were sent using a series of iptables rules, but since we want the actual packets we would need to compile the pcap libraries and go with a program such as ethereal or dsniff, both of which are pretty generally out of our line of work. It’s definitely doable though if you like.

We do apologize, but we’re not accustomed to customers actually wanting to track spam! Hence, our actions were taken in order to simply prevent the spam entirely. Please let us know how we may best assist you.

I find that rather offensive. They’re NOT preventing the spam entirely. They’re just stopping it from reaching MY little website! And where did they get the idea I was their customer? I definitely never will be, from what I’ve seen lately.

Bear in mind:

This host replied to my complaints. Not every host will even reply to an abuse complaint. Some silently null-route them. So this isn’t the worst offender in any way. But it highlights something that’s fairly typical of webhosts today: The margins are small. The prices for webhosting are very low compared to what they were, and people are price shopping. Many hosts say they’ll charge a fee for investigating mail spam - charged to the offender, when they’ve received a complaint. So they were - par for the course - looking for someone to bill the investigation to. It was just so offensive to me that they wanted to bill the complainer for something that’s their duty (in my opinion) to investigate and mitigate completely. I DID tell them I’d blog this if they insisted null routing me was solving the problem, and then they came up with the idea to charge me… Like Joe said below - this could be the tip of the iceberg concerning that particular server. And they don’t care. Remember before blocklists made it important for ISPs and webhosts to remove mail spam off their services immediately? They didn’t care either. Investigation costs, and booting customers costs. It isn’t until businesses are compelled that they’ll actually do something about spam. So this is a beautiful example.

Update: Just got an apology (timestamped 21 Jul 2006 05:28:35 -0700) about the misunderstanding about me being a customer, and to wait for another response from one of the other team members.

Partial victory: They’re removing the null routing, and will be monitoring connections to my site only, to see if they can figure it out. That’s a solution I can live with, and hopefully they’ll figure out how to stop the abuse, and hopefully also figure out how others can check their servers to boot.

Webhosts more clued in about webspam

Wednesday, July 19th, 2006

I just reported a referrer spammer to two US webhosts. And to my surprise they seemed to know what I was talking about and wanted to get rid of it. The problem was that they didn’t know how - yet.

Either my links with info on webspam did the trick (though that hasn’t helped in the past), or knowledge about the issues is beginning to trickle down to abuse/support personnel.

Either way, time to celebrate!

goldhqs over the top referrer spammer

Wednesday, May 10th, 2006

Block:
66.28.54.254
gw.magnoliaroad.net

They use multiple user agents. Looks like Reffy or similar.

Referrer spam for goldhqs.com

Whois:
Diversified CoCreative Ventures, Inc.
Domain Administrator (domains@diversifiedcocreativeventures.com)
+1.8153616235
Fax: +1.2068309674
5348 Vegas Dr.
Las Vegas, NV 89108
US

It’s a site promoting gold in various forms.

Payoffs:
Adsense: pub-1287241501913620
On another page I found a link to Commission Junction, with this ID: click-2017395-1481396

And at the bottom he’s got loads of links to other “topics”. Looks like links trading to me.

The website is residing on 216.240.157.200, which seems to have domains from several owners. But I found at least one more with the same whois details:
1-dental-insurance-place.com
ebssales.com