Porn clone blogs

“Idly.org”:http://www.idly.org/2003/11/14/porn_sites_hiding_behind_blogs.php, “Sam Ruby”:http://www.intertwingly.net/blog/1649.html and others are covering the mysterious porn clone blogs that have hit many referer logs over the last week.
Whoever created these clone-blogs actually know something, or should I say a lot about exploiting Google and other search engines.


First: Each of these clone blogs have only one actual link leading off the front page. This link always leads to a directory on the site named /adult-webcam/, the rest of the site only uses javascript:-protocol links.
The reason for having just this one actual link may be to raise the importance of that one link, in case any search-engines care. (I do not believe everybody do: AFAIK, Google applies PageRank sitewise, not pagewise)
If you click on this single link in a modern, javascript-enabled browser a supposedly-for-free porn-site appears, “only” requesting that you give up all your personal information, including credit card details to “verify your age”. This page, however is quite invisible to Google and other search engines.
If you examine the source of the adult-webcam page, you won’t find any trace of the site most people see. Instead you’ll see a relatively clean HTML-document (although it won’t validate) document, containing a <title>, one <h1> element, and a lot of text in paragraphs of different length, interspersed with links. Some effort has been made to make it appear the text appear to be written by a live person, and not just autogenerated, although I still believe this text to be semiautomatically generated. The links here are relative URLs, apparently pointing to documents like _bacon-webcam.html_ and similar.
Further, there is a script on this page that will actually replace the contents of the page with an <iframe>. This script uses trivial encryption to hide any URLs inside the script, in case a search engine should pick up and read the script.
The document in the <iframe> resides on the splash.homesexnetwork.com webserver. Whois information for this domain returns the following information, both for owner, administrative, technical and zone contact:

Castview Inc.
Marco Hof
2916 NW Bucklin Hill Rd #486
Silverdale, WA 98383
US
Phone: +1 360-830-5310
Email: marco@castview.net

The URL leading to the homesexnetwork.com servers appear to contain some sort of unique ID, often used by banner advertisements and other cash-for-referrals programs.
*Update:* On re-examining some of the URLs linked in the HTML-only version of the document, some of these lead to other sites like an adult server residing on a secure server at webpower.com, also appearing to contain some sort of cash-for-referral id. The redirection seems to be semi-random
Summing up, the way these spammers are operating is as follows:
* They create a fairly inoffensive site, and spam several blogs with the root URL of this site.
* This site contains one link, and one link only, to a page containing a fairly comprehensive adult vocabulary, and a lot of (not-so)-innocent-looking links
* All the links on that page lead to a page very similar to itself.
* A robot that doesn’t grok Javascript will only see this text content. A typical robot won’t actually even see that the script’s replacing the content of the page with an iframe.
* Any user who visits any of these sites are promptly redirected to a porn site.
Finally: This sort of spam exists for one reason alone: That people, bloggers in particular, feel the need to tell everybody and their grandmother that someone is actually linking to them. *Stop publishing your referer logs! Password protect your stats pages!*

2 Comments

  1. There is a group of supposed web directories that share a lot in common with these porn-hidding blogs. Keoz.com shares the same IP block, the same domain name registrar and was created on or around the same date. I wrote the thing up at:
    http://softwaretimes.com/files/web%20scam.html
    Denny Schlesinger
    Caracas – Venezuela

  2. Referrer spam is high tech.

    After reading this Virtuelvis blog on referrer spam I am considering password protecting my referrer logs, and removing them from my index page altogether.
    One more project….the list is a mile long now.