• I’ve been keeping an eye out on referrer-spammer attempts, and I’ve ‘caught’ a big one. You’ll find this one under many domains, and he’s quite successful – here’s a Google search for one of his domains, but most texas-holdem spams are his as well. An interesting tactic (as you can see in the above results page) is that ALL his referring domains, when you type them in the browser address bar, give a variant of a “this account is closed” page, to give you the feeling his hosting provider pulled the plug on him and you don’t have to take any further action. In reality, ALL his domains run on a single IP address. It’s useless trying to block the computers he’s using for his spam runs, as he’s using a zombie network that keeps growing.

    So, I wrote a little code that I put at the top of my index.php, and will redirect all his referer spam to his primary website. That way, you’ll generate zero traffic for yourself, don’t run the risk that you link to him, and play around with his zombie net at the same time. Here it is;

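    // Referer as sent by the client; a bare $HTTP_REFERER needs register_globals
    $HTTP_REFERER = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    // 'ttp://' (not 'http://') so that a match at position 1 passes the > 0 test
    if (strpos($HTTP_REFERER, 'ttp://') > 0)
    {
        // "http://host/path" splits into ["http:", "", "host", ...]
        $pieces = explode("/", $HTTP_REFERER);
        $lookup = gethostbyname($pieces[2]);
        // 161.58.59.8 is the single IP that all of the spammer's domains run on
        if ($lookup == "161.58.59.8")
        {
            syslog(LOG_ALERT, "redirected $pieces[2]");
            header("Location: " . $HTTP_REFERER);
            exit();
        }
    }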
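
Added example, not part of the original post: the same resolve-and-compare check generalized to the three IPs reported in this thread, with `parse_url()` so that https referrers, ports and userinfo do not slip past the `explode("/")` parsing. The function name `spam_referrer_host`, the `.example` domains and the stub resolver are assumptions made for illustration.

```php
<?php
// Added example, not dreamerfi's code. IPs are the three reported in this thread.
const SPAM_HOST_IPS = ['161.58.59.8', '219.150.118.16', '211.144.164.201'];

// Hypothetical helper: returns the referrer host if it resolves to a listed IP,
// else null. $resolver is injectable so the check can run without live DNS.
function spam_referrer_host(?string $referer, array $blockedIps, ?callable $resolver = null): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    // parse_url() copes with https, ports and userinfo, which explode('/') does not.
    $scheme = parse_url($referer, PHP_URL_SCHEME);
    $host   = parse_url($referer, PHP_URL_HOST);
    if (!is_string($scheme) || !is_string($host)
        || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    $host = strtolower(rtrim($host, '.'));
    // Hostname syntax check before a client-supplied value reaches the resolver.
    if (!preg_match('/^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$/', $host)) {
        return null;
    }
    // gethostbynamel() returns every A record, or false when the lookup fails.
    $resolver = $resolver ?? 'gethostbynamel';
    $ips = $resolver($host);
    if (!is_array($ips)) {
        return null;
    }
    return array_intersect($ips, $blockedIps) ? $host : null;
}

// Constructed sample data: made-up domains and a stub resolver standing in for DNS.
$fakeDns = [
    'closed-account.example' => ['161.58.59.8'],
    'friendly-blog.example'  => ['192.0.2.10'],
];
$stub = fn(string $h) => $fakeDns[$h] ?? false;
foreach ([
    'https://closed-account.example:8080/poker.html',
    'http://friendly-blog.example/archives/12',
    'not a url',
] as $ref) {
    $hit = spam_referrer_host($ref, SPAM_HOST_IPS, $stub);
    echo $ref, ' => ', $hit ?? 'pass', PHP_EOL;
}
```

On a live page the caller passes `$_SERVER['HTTP_REFERER'] ?? null` and omits the resolver; each call then costs a blocking DNS lookup, so cache the per-host result.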

Viewing 15 replies - 31 through 45 (of 49 total)
  • Quick question: how do you know that his spam bots honor the redirect? If I were the spammer, I’d make my bot ignore any such thing the target server tells me.

    Attn gpshewan:

    Document what you have and submit it to Verio…the more that do that the better

    I’m not uber-experienced with the ins and outs of this. But I’ve been getting tons of referer spams with the web4u.gb.com etc. and I’d like to do my part to report this abuse (I have access to several days’ worth of logs).
    Would you be so kind as to explain in a little more detail what precisely I should document? I guess I’d send it to [email protected], no?

    @ AuntiAlias – that’s okay, it seems like it was a Verio reseller and it’s being looked into now (so don’t mail Verio). Regardless, it looks like the spammer is in the process of moving from that box to another one.

    @ glshewan: aaah, so when the [expletive deleted] spammer gets a new box, we’ll change the index.php code snippet from the given IP to a different IP, then?

    The new IP the spammer is using as of today is 219.150.118.16

    Has anyone tracked down the IP of the “online-deals-4u [dot] info” referral spammer?

    I’m dumping all those IPs and the ascii-munged names and the URLs and the spam words into the comment blacklist we now have in 1.5. BINGO!

    ph &#101 ; &# 101 ; rm& #10 5; n &# 101 ;

    Excellent. Those have been slipping through my email spam collector, too and it wasn’t until I took a closer look that I spotted it.

    Ah, but I see in the posts that this won’t work in the spam filter….is there a way to make this work?

    Thanks!

    Thread Starter dreamerfi

    (@dreamerfi)

    “online-deals-4u [dot] info” – not yet – most of his sites are not up yet, and the domain has only two (non-functioning) name servers at this point. I suspect it’ll take us a few hours at most once he turns on his domains…

    Thanks for the info, DreamerFi.

    I think it would be ideal if this information was centralized. As in, someone with special authority adds a new IP to this global blacklist, and from there, everyone would aggregate that information. Does that even sound feasible?

    Isn’t there already a blacklist plugin?

    Personally I’m not keen on IP blacklisting. It’s a little like plugging holes in a very leaky bucket…pointless if someone keeps poking new ones – but turn off the water (try and pinpoint and shut down the server) and life gets much easier.

    Remember, a lot of us are seeing this from server logs – but if you don’t check them and have moderation enabled you shouldn’t be bothered by this guy.

    Someone mentioned that you can’t add the extended character spellings of titles used by spammers in the spam words filter with WP.

    Has anyone come up with a way to do that yet?

    anything on extended characters in the WP spam list? I got hit by these.

    My major source of referer spam is with referer as different sub-domains of best-xp-software.biz ( 211.144.164.201 ). So I have added that too.

    Thanks for the tip.

  • The topic ‘Referrer spammer caught’ is closed to new replies.