I have monitored my referer log more closely, or rather: I have started monitoring my _referrer spam_ more closely, and I am now seeing a (rather disturbing) pattern.
The first wave begins with mass referer spam. I am not talking about 50 000 referrals to one single URL, rather anything from 1 to 20 referals for hundreds of different URLs.
If you visit the spamming URL, they are all either dead, or they contain a bogus “Account terminated” message, perhaps in the hope that the victim will ignore this.
The second wave arrives within 2-10 days of the referer spam, and consists of anything from one to hundreds of spam attempts.
I have not yet monitored what happens to the spamming URLs over time after they have spammed Movable Type blogs, but I may do so.
h3. Adminshop connection?
On examining the raw referer logs for the spam attempts I have made some observations:
# The referer spam uses a lot of different User-Agent strings.
# On previous occasions, I have been hit with spam I can certify as coming from the referer spamming tool Reffy (I won’t boost any Google rank, but: “Adminshop dot com”).
# The “First wave” referer spams have, on one occasion come from an IP addresss used by customers of the Norwegian ISP NextGenTel. NextGenTel customers are primarily located around the norwegian cities of Bergen and Oslo.
# The whois info for adminshop-dot-com is protected by something called WhoIsGuard, but the nameservers point to acyon dot com
# acyon dot com points to a street address in Bergen, Norway, where noone by the info in the whois is living, according to the phone book.
# No one with the name in this whois info paid taxes in Norway during the years 2000, 2001 or 2002.
I have also made some further investigation into revealing the possible identity of who really owns acyon dot com, but I am not prepared to reveal what I have found, without running it through a lawyer first.
h3. Related (Updated frequently)
* “John Sinteur traces”:http://wordpress.org/support/topic.php?id=20956#post-119138
* “Tim Bray comments on the spamstorm”:http://www.tbray.org/ongoing/When/200x/2005/01/16/RefererBS
* “Ann Elisabeth does thorough research”:http://www.annelisabeth.com/blog/
* “John Iverson”:http://jei.afraid.org/wordpress/archives/2004/11/26/spam-from-phentermine/ has been in e-mail contact with the owners 126.96.36.199.