Referer spammers are comment spammers too

I have monitored my referer log more closely, or rather: I have started monitoring my _referrer spam_ more closely, and I am now seeing a (rather disturbing) pattern.


The first wave begins with mass referer spam. I am not talking about 50 000 referrals to one single URL, rather anything from 1 to 20 referrals for hundreds of different URLs.
If you visit the spamming URLs, they are all either dead, or they contain a bogus “Account terminated” message, perhaps in the hope that the victim will ignore this.
The second wave arrives within 2-10 days of the referer spam, and consists of anything from one to hundreds of spam attempts.
I have not yet monitored what happens to the spamming URLs over time after they have spammed Movable Type blogs, but I may do so.
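
The two-wave pattern described above can be checked against a raw access log. The following is an added example, not code from the original post: it assumes Apache "combined" log format, and the host name @blog.example@, the comment path @/mt-comments.cgi@ and all sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Apache "combined" format: IP, timestamp, request, status, size, referer, user-agent.
LINE = re.compile(r'\S+ \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"')
OWN_HOST = "blog.example"          # assumption: the host this log belongs to
COMMENT_PATH = "/mt-comments.cgi"  # assumption: comment endpoint of this install

def ref_host(ref):
    try:
        return urlparse(ref).hostname
    except ValueError:  # malformed referer header
        return None

def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            ts, method, path, ref, ua = m.groups()
            day = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").date()
            yield day, method, path, ref_host(ref), ua

def find_waves(lines, max_hits=20, min_hosts=3):
    """Map each day with many low-volume referring hosts to what followed 2-10 days later."""
    ref_hits = defaultdict(Counter)  # day -> external referer host -> hits
    agents = defaultdict(set)        # day -> User-Agents seen on those hits
    posts = Counter()                # day -> POSTs to the comment endpoint
    for day, method, path, host, ua in parse(lines):
        if method == "POST" and path.startswith(COMMENT_PATH):
            posts[day] += 1
        elif host and host != OWN_HOST:
            ref_hits[day][host] += 1
            agents[day].add(ua)
    waves = {}
    for day, hosts in ref_hits.items():
        low = [h for h, n in hosts.items() if n <= max_hits]
        if len(low) >= min_hosts:
            followed = sum(posts[day + timedelta(days=d)] for d in range(2, 11))
            waves[day] = {"hosts": len(low), "user_agents": len(agents[day]), "comment_posts": followed}
    return waves

def _line(ip, day, method, path, ref, ua="Mozilla/4.0"):
    return f'{ip} - - [{day}/Jan/2005:10:00:00 +0100] "{method} {path} HTTP/1.1" 200 512 "{ref}" "{ua}"'
# Constructed sample (not real traffic): referer wave on 10 Jan, comment POSTs on 14 Jan.
SAMPLE = ([_line("192.0.2.1", 10, "GET", "/", f"http://spam{i}.example/", f"UA-{i}") for i in range(4)]
          + [_line("192.0.2.9", 12, "GET", "/archives/1.html", "http://blog.example/")]
          + [_line("192.0.2.7", 14, "POST", "/mt-comments.cgi", "-") for _ in range(5)])
```

On a real log, raise @min_hosts@ towards the hundreds of distinct URLs mentioned above. The @user_agents@ count shows why filtering on a single User-Agent string does not catch the first wave.
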

h3. Adminshop connection?

On examining the raw referer logs for the spam attempts I have made some observations:
# The referer spam uses a lot of different User-Agent strings.
# On previous occasions, I have been hit with spam I can certify as coming from the referer spamming tool Reffy (I won’t boost any Google rank, but: “Adminshop dot com”).
# The “First wave” referer spams have, on one occasion, come from an IP address used by customers of the Norwegian ISP NextGenTel. NextGenTel customers are primarily located around the Norwegian cities of Bergen and Oslo.
# The whois info for adminshop-dot-com is protected by something called WhoIsGuard, but the nameservers point to acyon dot com.
# acyon dot com points to a street address in Bergen, Norway, where no one by the info in the whois is living, according to the phone book.
# No one with the name in this whois info paid taxes in Norway during the years 2000, 2001 or 2002.
I have also made some further investigation into revealing the possible identity of who really owns acyon dot com, but I am not prepared to reveal what I have found, without running it through a lawyer first.

h3. Related (Updated frequently)

* "John Sinteur traces":http://wordpress.org/support/topic.php?id=20956#post-119138
* "Tim Bray comments on the spamstorm":http://www.tbray.org/ongoing/When/200x/2005/01/16/RefererBS
* "Ann Elisabeth does thorough research":http://www.annelisabeth.com/blog/
* "John Iverson":http://jei.afraid.org/wordpress/archives/2004/11/26/spam-from-phentermine/ has been in e-mail contact with the owners of 161.58.59.8.

9 Comments

  1. So I’m lost on the point of referrer spamming with domains that don’t have any content?
    Is the idea that they will become active at some point in future?

  2. The link text of the spam reveals this quite nicely. They were all advertising one of the following:
    * Online gambling
    * Online loans
    * Online pharmacies
    I presume that the goal of these spammers is to set up harmless domains, to up the pagerank for the linking keywords. At some point in the future, I fully expect these domains to redirect to a few online pharmacy/gambling/loan sites. The goal of this is pretty obvious: to consolidate PageRank information, thus making the new, non-spamming domains turn up in the first page of search results.

  3. My b2Evolution blog was hit by a massive referrer spam attack of some kind a few months ago. Having not changed the default template there was a publicly accessible link to things like my referrer log (why, I do not know).
    My ISP took the step of marking my stats page as “Gone” – the problem has never returned and (interestingly) I’ve had far less comment spam since too.
    Personally, I don’t see the point in publicising referrer information anyway so I’m happy to leave my stats page MIA. I’ll do any such analysis behind the administration interface.
    On a related note, have you noticed that some of the “mispeltdomainname.com” type search sites have started placing “Get Firefox” banners under their category listings? Naturally, they go via SpreadFirefox.com’s referrer ranking system. It seems that the ambition to get their names on other people’s pages knows no bounds.

  4. There’s one spammer that does that consistently. He’s putting up those termination notices, then does a spam run. A week or more after the spam run, he puts up the site he intended to put there in the first place. Sometimes he puts in 302 forwarders to another server.
    By then the bloggers have investigated and gloated a bit, never realizing they’re the ones who got had.

  5. Thanks for noticing that I did some research on these unholy folks. I did email them and would suggest everybody else do so as well! I’m not sure that it did much good. The spam did seem to subside, but I have since started running spam-karma on my wordpress blog. It has squashed about 160 spam attempts in the last week or so. I’m sure that if these people get enough email, they’ll look further into finding out who’s causing the trouble. Not that it will matter. If they get canceled by one ISP, I’m sure that they’ll just move over to another.

  6. It appears to me that the purpose of this referer spam is to build traffic into a particular domain to increase the Google PR and the Alexa Traffic Ranking. The end purpose can be understood by visiting: warrenoates dot com
    When you hit this website, this person is in the business of selling domains.
    So, the point is to drive up the perceived value of the domains so that they can net a higher fee down the road when they sell the domain.

  7. Referrer Spam Attack

    Referrer Spam. For myself and for anyone curious about my inbound traffic, my installation of Refer is public, but hidden from search engines by a…

  8. More comment spam notes

    Making some good progress now….

  9. I’ve been running a set of changes to my .htaccess to block them at the front end. Blocking from the blog software side still leaves a ‘residue’ on the logs. The .htaccess file I hacked out worked well. I just learned that there was already a post about it from Ann Elisabeth’s blog. Although I am unsure as to the effectiveness of one long setenv vs several smaller and more manageable ones.