Spamhuntress

Pete found an auction for PRstorm, one of the Reffy incarnations.

For anyone who finds this and is thinking about buying it:

It’s spam software. They’ve had every domain associated with this software banned by Google.

Use the software on your valuable domain, and you stand the chance of a spamhunter catching up to you and having your domain banned on Google.

And, remember what Matt Cutts says: If the number of new links look unnatural, you may easily be penalized in Google. That’s what happen to a lot of new sites. Backlinks happening too fast, and a filter kicks in.

This is rather unusual. Here’s a Swedish spammer.

He referrer spammed my log (munged slightly):

193.109.173.79 - - [09/Aug/2005:02:12:36 -0500] “GET / HTTP/1.0″ 200 26146 “h*tp://www.webbshop.co.uk” “IE 5.0″

The domain has this owner:

Peter Sandgren
Besökaregränd 2E
Ystad
Ystad
27142
SE

Registered on: 01-Aug-2005

The address doesn’t actually exist in Ystad.

The IP address puts him on a broadband connection in Skåne in Sweden: Teleservice Bredband Skane AB

Payoffs:
Tradedoubler - 882536
A refresh redirect to a Swedish dating site that belongs to the same guy?
Google Adsense: pub-9166886050951199
A cafepress site, provokat

Update October 7: He had a different IP number when he commented here than the spam was entered from.

Here’s another from the safelist/blaster community. It’s the referrer spammer I discovered August 4.

Tom Horn and his two compadres are pushing their company 3marketeersproductions.com via referrer spam. Kinda weird, considering they’re pushing programs that they say are so revolutionary. And one of their buzzwords is SPAM FREE!!!

I got five accesses within seconds of each other on August 4, referrer spamming five different pages on 3marketeersproductions.com. And a repeat of that the day after on another site. And just so we’re clear, the IP number is from the same town they’re based in, Pontiac, Michigan:
68.61.235.225
A comcast address, which normally means home or business broadband connectivity.

Tom has been marketing his site on safelists/safeboards, using short URL’s to disguise his addresses. One of the sites he promoted was thetoolman.net/blog/. It now has DomainByProxy whois protection. But that was done after he got tagged by two parties on NANAS for e-mail spamming. One included the whois information as it was around June 27:

Administrative Contact:
Horn, Tom tapperlada@3marketeersproductions.com
485 Central
Pontiac, MI 48341
US
+1.2484568009

The toolman site advertizes a blog blaster, and says it’s powered by yourfreeworldscripst. That’s a site owned by Rohit Seth, the guy I talked about in the previous post.

A demo of the tool shows that it can be used as a pure spam tool:

Click on the image to see it in the original resolution.

Despite this, the promo page for the tool states that it’s 100 % permission based. Also note that it refers specifically to getfreeblogs. They admit straight out those are the blogs in their network!

I’ve found ads from Tom on Rohit’s ad-blogsite.

I think it’s time to do something drastic, so these web based outgrowths of safelists no longer make it into search engines. Google, are you listening?

There’s a discussion about jaja-jak-globusy.com on the digitalpoints forum.

It takes them until the second page to figure out that it uses the Google domain park Adsense program. This is a domain spamvertized by Manila Industries.

Thanks to spamfuxor for notifying me in a comment on this post.

I just ran down a very aggressive referrer spammer. One of the worst I’ve ever seen, actually.

JackyZhao

Rojisan got hit by referrer spam from indiatimes.com

I did too, but I didn’t blog about it, because it could theoretically be revenge spam. It’s of course possible. But they should get back to Rojisan if that’s the case.

Anyway, here’s his writeup about Indiatimes

Remember that post about Full confession?

That was about VI-TI-KA.

I’ve had quite a flood of referrer spam the last few days. All subdomains of a free adult webhost.

If you’re linking in from somewhere they’ve spammed, you’re redirected to:

http://j-rx.com/tds/in.cgi?10&group=casino&parameter=404

The way they’re doing that is novel. They look for triggers in the referrer. Typical words like guestbook, refer, blog etc. Very similar to what they did before.

Those that don’t trigger the 404 response, gets a redirect to the payoff:
imlive ID: 123680715705

I found a backup of a database belonging to a referrer spammer. There are 61768961 records in that database. I’m assuming they’ve referrer spammed the majority of those domains! I noticed that some sites have multiple addresses in the database, while some have just one. So the total number of sites is less than the number of records.

Check it out yourself:

http://70.85.193.178/

Maybe you should all download the backup, to help rack up the bandwidth charges? Using a download manager would heighten the effect, of course…

Webhost The Planet has been notified.

This is the spammer:
Manila Industries

I’ve gotten quite a few referrers lately from sites I know I don’t link to. Mainly referrer scripts. One of them had a referrer from http://www.spamhuntress.com/.

Try it yourself, and you can see that it must be fake. I’ve got a 301 (that’s permanent redirect) in effect, because I don’t use the www on this site. So that leads me to believe there’s some hanky panky going on. And considering the threat I referenced in my previous post, I just wonder if maybe the hits with my referrer has the same IP number as the spammer in this post - 65.50.141.2 ?

Update
I’ve confirmed that the IP number used on two sites was:
148.223.216.169
Mexican IP number, used for spamming before.

One of the readers, who for now wishes to remain anonymous, got really fed up with all the referrer spam from the Zahariev brothers. So he wrote a little script to block the proxies as they came in, and shared the list of blocked proxies. Some of those on his list may be from other proxies, but most should be ones used by the Zaharievs. They like to shake up their lists now and then, but if you block these, you should have some respite for a while (bandwith wise, they’ll still try to hit the site, getting 403 errors):

128.135.11.152
128.2.198.188
128.31.1.14
129.10.120.111
129.105.44.80
129.105.44.81
129.97.75.238
130.192.86.29
130.37.198.243
130.37.198.244
130.60.48.210
140.131.110.4
148.223.216.169
148.244.150.52
148.244.150.57
148.244.150.58
150.165.15.19
163.16.30.50
163.28.48.69
163.28.48.70
165.21.7.105
166.114.30.40
192.139.28.248
193.140.140.70
193.140.140.76
193.194.68.3
193.219.147.212
193.219.42.36
193.24.213.214
193.52.45.49
193.95.243.108
193.95.90.52
194.249.248.10
194.249.66.110
194.63.235.148
194.77.84.131
195.229.241.180
195.229.241.181
195.229.241.184
195.229.241.186
195.229.241.187
195.61.146.130
198.163.152.230
200.107.34.233
200.13.218.147
200.171.140.113
200.178.216.80
200.183.227.162
200.196.101.98
200.39.103.224
200.41.79.83
200.42.214.178
200.77.144.246
200.92.225.13
200.93.196.23
201.243.58.105
202.128.69.58
202.143.156.18
202.175.234.163
202.28.204.123
202.29.136.140
202.44.14.194
202.62.97.18
202.83.175.156
202.83.175.98
203.125.254.164
203.144.197.194
203.144.216.211
203.144.230.226
203.150.234.43
203.155.1.245
203.187.176.185
203.187.248.154
203.190.147.11
203.197.196.178
203.199.92.158
203.74.111.25
203.98.57.97
204.83.0.41
204.83.150.164
205.136.240.131
205.155.212.20
207.127.8.66
207.248.240.118
207.248.240.119
207.54.97.185
209.191.9.229
209.240.205.63
210.128.142.42
210.173.179.77
210.212.140.23
210.212.204.241
210.238.249.8
211.101.6.5
211.5.244.162
211.9.240.35
212.0.128.2
212.109.106.118
212.138.113.12
212.138.113.16
212.138.47.13
212.138.47.14
212.138.47.15
212.138.47.17
212.138.47.29
212.155.169.124
212.199.177.59
212.199.177.64
212.199.177.66
212.199.249.206
212.205.135.51
212.60.64.245
213.144.118.197
213.157.67.112
213.162.50.228
213.181.81.242
213.228.160.17
213.249.130.232
213.249.155.231
213.249.155.242
213.42.2.10
213.42.2.21
213.42.2.22
213.42.2.23
213.42.2.25
213.42.2.29
216.146.120.108
216.227.95.43
216.37.138.189
216.60.21.4
217.133.0.152
217.149.102.14
217.17.41.72
217.218.147.180
217.219.20.66
217.219.28.152
217.52.247.3
217.52.41.199
217.63.142.225
218.145.25.43
218.248.1.13
218.26.211.18
218.29.23.179
218.44.191.226
218.56.32.230
218.97.253.217
219.140.161.24
219.144.196.200
219.144.196.202
219.93.62.106
219.95.111.181
220.106.0.34
220.110.186.122
220.192.24.168
220.192.24.169
220.194.54.27
220.212.163.178
220.96.253.245
221.186.246.66
24.107.33.4
24.158.18.138
24.56.238.108
24.60.61.68
24.97.174.130
59.120.174.243
61.11.26.142
61.129.44.201
61.150.115.245
61.178.185.56
61.221.199.204
61.221.30.167
61.66.137.2
61.95.227.16
62.101.126.212
62.150.9.178
62.242.24.96
62.81.221.65
63.148.99.234
63.148.99.244
63.218.109.130
63.241.72.171
64.140.49.66
64.140.49.68
64.140.49.69
64.157.224.134
64.235.204.179
65.160.122.209
65.160.122.217
65.165.84.11
65.98.67.74
66.208.166.3
66.92.163.205
67.136.230.150
67.89.120.101
68.104.181.197
68.236.84.4
68.50.130.121
68.67.102.167
69.155.184.142
70.242.144.156
80.148.9.98
80.191.247.13
80.191.49.7
80.207.188.140
80.53.145.58
80.53.183.102
80.53.206.34
80.53.30.180
80.53.47.142
80.53.53.34
80.55.189.10
80.58.8.42
81.0.182.35
81.10.150.42
81.115.31.217
81.12.246.11
81.138.138.1
81.15.233.3
81.168.201.95
81.4.168.140
81.8.110.33
82.101.146.133
82.141.201.194
82.154.249.248
82.189.93.226
82.190.108.210
82.201.185.22
82.76.208.73
82.76.77.30
82.77.200.162
82.79.195.170
83.100.139.182
83.155.9.70
83.213.14.174
84.80.120.134