• I’ve been keeping an eye out on referrer-spammer attempts, and I’ve ‘caught’ a big one. You’ll find this one under many domains, and he’s quite successful – here’s a Google search for one of his domains, but most texas-holdem spams are his as well. An interesting tactic (as you can see in the above results page) is that ALL his referring domains, when you type them in the browser address bar, give a variant of a “this account is closed” page, to give you the feeling his hosting provider pulled the plug on him and you don’t have to take any further action. In reality, ALL his domains run on a single IP address. It’s useless trying to block the computers he’s using for his spam runs, as he’s using a zombie network that keeps growing.

    So, I wrote a little code that I put at the top of my index.php, and will redirect all his referer spam to his primary website. That way, you’ll generate zero traffic for yourself, don’t run the risk that you link to him, and play around with his zombie net at the same time. Here it is:

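    // Referer sent by the client; empty string when the header is absent.
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

    // 'ttp://' sits at offset 1 of "http://...", so "> 0" is true only for a match.
    if (strpos($referer, 'ttp://') > 0)
    {
        // "http://host/path" splits into "http:", "", "host", ...
        $pieces = explode("/", $referer);
        $lookup = gethostbyname($pieces[2]);
        if ($lookup == "161.58.59.8")
        {
            // Log the referring domain, then send the request back to it.
            syslog(LOG_ALERT, "redirected $pieces[2]");
            header("Location: " . $referer);
            exit();
        }
    }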

Viewing 15 replies - 16 through 30 (of 49 total)
  • True, most do not care or notice referral spam. I didn’t until my server slowed way down and I investigated. I found that some idiot tried to hack into my WP admin. That wasn’t a part of the problem the server was having and the hacker didn’t get in but it ticked me off and I have become much more diligent (yes, obsessive) at checking my logs. I didn’t think much about referral spam since I don’t publish my referral logs until I read something on the bandwidth issue and started getting more of the spam than actual referrer sites. That was annoying so I started doing some research. This particular person or persons, uses more than one legit IP (I know of one other) and they are spamming at an incredible rate. I’ve counted 56 tries since I put that referrer code in my index page this morning, all using a different domain name. Amazing!

    I still don’t understand what they get from doing it. Even comment spam doesn’t get them anything, not even a better PR from Google. It’s just a waste of resources.

    kyte, you might want to try this plugin. I’m not sure that it will work in your version of WP but it’s worth a try. I haven’t had a single one get through since I implemented it.

    @kyte -Yeah, that’s the guy. I’d suggest heavy moderation if you can’t upgrade to 1.5 nightlies.

    @glo – Are you tracking this correctly? All the spam will come from ‘legitimate’ IPs that are either proxies or zombie PCs. Backtrack the referral URL and you’ll probably end up at the same IP (161.58.59.8) as everyone else. It’s no good blocking the IPs it’s coming from because believe me they have a lot. You’d be better off tracking down an abuse contact if it’s not a proxy – but damn that’s a full time job.

    The bogus TOS screen has probably kept that spammer box running for ages. Hopefully enough people gathering the correct evidence and reporting it to Verio will get it shut down.

    I just had a thought. Maybe people reading these blogs are actually clicking through to the spamvertised sites! Spam still exists because there are just enough stupid people on the Internet to make it worthwhile for them to inconvenience the vast majority of us. Suppose these stupid people are reading blogs, and decide they want to play some video poker or buy some Levitra from a Canadian pharmacy. Maybe this is what the spammers are thinking.

    Of course, it doesn’t work very well. Bloggers are some of the least likely people to click on a legitimate ad, let alone a comment spam. But it must be getting the spammers something or they wouldn’t bother.

    Oh, and shameless plug for my plugin.

    @ Error – It’s all about ranking, but of course there are people clicking through. It makes sense when comparing cost + effort against reward.

    That’s spam 101 mate.

    Is there a plugin that lets you basically add addresses to it?

    gpshewan, yes I understand what is happening and I do know how to track a spammer and I do realize the IPs that show up in my logs are spoofed. There is at least one other IP and it is connected with 161.58.59.8 which resolves to blackjack-123.com but if you trace blackjack-123.com it will resolve to 64.234.220.141 which resolves to shetef.com and it resolves to 67.18.52.66 which ends up at escape.websitewelcome.com which is a whois privacy protection service.

    Each one of those IPs is connected to the domains the spammers use for their referral spam. Some are sub-domains ending with 4free.gb.com and web4u.gb.com (64.234.220.141). Unfortunately, I didn’t save them all since they were all coming from the above sources.

    Sorry glo, didn’t mean to sound patronising…missed out a smiley on my post there :)

    I’ve tracked all those little so-and-sos down but just being in the contact info can’t get it shut down for spamming (unfortunately). I had somebody referral spam me from his works network (as he thought it was a legitimate way to get traffic…uh-huh…) so there’s a defence there. It’s the 161.58.59.8 IP which is at the centre of it. Document what you have and submit it to Verio…the more that do that the better.

    gpshewan, no worries, I wasn’t offended and just for clarity … the shetef.com IP (64.234.220.141) was not in the contact info. It is the IP of the 4free.gb.com and web4u.gb.com domains (which names only 2, there are others) and they have been in my referral logs in massive amounts. Because blackjack-123.com can be traced/routed to 64.234.220.141 and that IP has domains spamming my referral logs, I believe that to be too much of a coincidence to ignore.

    I should add that the contact info for these IPs is different and probably spoofed as well.
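
The back-tracking discussed in the posts above (many referring domains that resolve to one address) can be run over an access log instead of by hand. This is an added example, not code from any post in the thread; the function names, log lines, host names and addresses are constructed, and the resolver is passed in so the sample runs without DNS.

```php
<?php
// Added example, not from the thread. Log lines, hosts and addresses are constructed.

// Map each resolved address to the distinct Referer hosts that point at it.
// $resolver is any callable host -> IP; pass 'gethostbyname' for live lookups.
function referer_hosts_by_ip(array $logLines, $resolver)
{
    $cache = array();
    $byIp  = array();
    foreach ($logLines as $line) {
        // Combined log format ends with: "referer" "user-agent"
        if (!preg_match('/" \d{3} \S+ "([^"]*)" "[^"]*"\s*$/', $line, $m)) {
            continue;
        }
        $host = parse_url($m[1], PHP_URL_HOST);
        if (!is_string($host) || $host === '') {
            continue;                        // "-" or unparsable Referer
        }
        $host = strtolower($host);
        if (!isset($cache[$host])) {
            $cache[$host] = call_user_func($resolver, $host);  // one lookup per host
        }
        $byIp[$cache[$host]][$host] = true;
    }
    return array_map('array_keys', $byIp);
}

// Keep only addresses that front at least $min distinct referring domains.
function shared_referer_ips(array $byIp, $min)
{
    return array_filter($byIp, function ($hosts) use ($min) { return count($hosts) >= $min; });
}

$dns = array(                                // constructed stand-in for DNS
    'poker-one.example'   => '203.0.113.8',
    'poker-two.example'   => '203.0.113.8',
    'pills-now.example'   => '203.0.113.8',
    'friend-blog.example' => '198.51.100.20',
);
// Like gethostbyname(), return the name unchanged when it does not resolve.
$resolver = function ($h) use ($dns) { return isset($dns[$h]) ? $dns[$h] : $h; };
$fmt = '%s - - [17/Jan/2005:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "%s" "Mozilla/4.0"';
$log = array(
    sprintf($fmt, '192.0.2.10', 'http://poker-one.example/'),
    sprintf($fmt, '192.0.2.77', 'http://poker-two.example/index.html'),
    sprintf($fmt, '198.51.100.5', 'http://pills-now.example/'),
    sprintf($fmt, '192.0.2.31', 'http://friend-blog.example/links'),
    sprintf($fmt, '192.0.2.31', '-'),
);
print_r(shared_referer_ips(referer_hosts_by_ip($log, $resolver), 3));
```

With live lookups each new host costs a DNS query, so this is better run as a batch job over saved logs than on every page request.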

    Thanks Glo and error.

    @glo: couldn’t make that plugin work, I have the 1/16 nightly, dunno why, but it doesn’t even show up as an option to activate it

    @error: trying spamassassin as we speak. so to speak.

    Thread Starter dreamerfi

    (@dreamerfi)

    Well, get a good night of sleep, and look at the discussion! Indeed, I’m talking about wordpress 1.2.2 for this fix. Multiple IP addresses is simple, just duplicate the if-statement. glo, thanks for the reference to “users online”!

    I set my blog to require moderation for all comments and I found out how 161.58.59.8 was slipping through the spamwords filter. Instead of using ‘phentermine’, for example, he types in ‘phentermine’, which looks exactly the same in a web browser. It’s a variant of one of the common email-munging tactics. Any ideas on how to deal with this fellow’s tactic?

    Moderator James Huff

    (@macmanx)

    Add the ASCII code he posts with to your blacklist.

    I was being SWAMPED in spam until I implemented Spam Stopgap Extreme. Since then, not even one spam attack. Period.

    Either it really works, or I’m missing some other form of attack altogether.

    Adding those ampersand-number codes to the blacklist causes errors, at least in 1.2. I’ve been meaning to upgrade, but I think I’ll wait until 1.5 is released.
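
One way to handle the ampersand-number encoding discussed above without putting the codes themselves in the blacklist is to decode the comment text first and then match plain words. This is an added example, not part of any post here and not WordPress's own filter code; the function names and sample comments are constructed, and it assumes PHP 5.4 or later.

```php
<?php
// Added example, not WordPress code. Names and sample comments are constructed.

// Decode HTML character references until the text stops changing, so
// "&#112;", "&#x70;" and double-encoded "&amp;#112;" all come out as "p".
function normalize_comment($text)
{
    for ($i = 0; $i < 5; $i++) {            // bounded: nested &amp;amp;... cannot loop forever
        $decoded = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded === $text) {
            break;
        }
        $text = $decoded;
    }
    return strtolower($text);
}

// Return the blacklist words found in the comment after normalisation.
function spam_word_hits($comment, array $spamWords)
{
    $clean = normalize_comment($comment);
    $hits  = array();
    foreach ($spamWords as $word) {
        if (strpos($clean, strtolower($word)) !== false) {
            $hits[] = $word;
        }
    }
    return $hits;
}

$spamWords = array('phentermine');          // plain words only, no entity codes
$samples = array(                           // constructed comments
    'plain'          => 'Cheap phentermine online',
    'decimal codes'  => 'Cheap &#112;&#104;&#101;ntermine online',
    'hex codes'      => 'Cheap &#x70;&#x68;entermine online',
    'double-encoded' => 'Cheap &amp;#112;hentermine online',
    'clean comment'  => 'Nice post, thanks for the referrer tip',
);

foreach ($samples as $label => $comment) {
    $hits = spam_word_hits($comment, $spamWords);
    printf("%-15s %s\n", $label, $hits ? 'HOLD: ' . implode(', ', $hits) : 'ok');
}
```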

  • The topic ‘Referrer spammer caught’ is closed to new replies.