Those amusing Referer spammers

August 14, 2005

One form of blog spam is 'Referer' spam. Referer is the (optional) HTTP header included in requests from web browsers to web servers that contains the web page that the link to your page was on. Some blog software uses this header as a lower-tech version of Trackback.

Referer spam has the attraction for the spammers that it's dirt simple to do. All their software has to do is to make an ordinary HTTP request for a page or three on a web site and throw in a Referer header. No need to talk XML to a specific URL or anything like that.

As a result, Referer spammers appear willing to hit any web site without bothering to check whether their attempts work (this is like many mass attacks on the Internet; when the cost of the attack is so low, why bother being clever?). So, of course, they've wound up hitting CSpace.

Amusingly, so far the Referer spammers have only been hitting WanderingThoughts' spam category index page. Spammers (futilely) trying to leave Referer spam on a web page about spam; now that's irony.

What I suspect is that the Referer spammers are doing Google searches for web pages that already mention spam domains (perhaps particular ones), as a quick crude way of finding vulnerable web pages. Most of the time this works out okay, but it gets tripped up by web pages that discuss spam domains.

An analysis of my spammer

Looking at recent Referer spam, I got spam for excellent-health.com, casino-attraction.com, and cash-net.biz. Although they claim to be registered to different bogus places, they all seem to touch base with something variously called 'support2000.net', 'support-2000.net', and 'top-support.net'. They also all use the same two nameservers under various names, at the IP addresses 64.27.27.150 and 64.234.220.141.

64.27.27.0/24 is owned by 'Uplink Systems' under 'Hollywood Interactive, Inc' and is routed by ATMLINK (AS7796). 64.234.220.141 is part of a large WebStream Inc block and is SBL listed (SBL17672), for being in a /25 labeled as owned by Traffix.

The web sites themselves are all currently hosted at the IP address 64.4.195.62, part of 'ANET Internet Solutions' in the US, and its /27 is listed in the SBL as SBL24359 for being part of the Rokso-listed 'Brian Kramer / Expedite Media Group' grouping.

The IP addresses making the Referer spam requests don't seem to be listed in any DNS blocklist I routinely look at.

Some quick Googling suggests that these domains also engage in other sorts of blog spam, and that all three of these IP addresses are already well known for their spam involvement. (Yet they remain connected. Such is today's Internet, unfortunately.)

Written on 14 August 2005.
« The anatomy of a DWiki bug
Weekly spam summary for August 13th, 2005 »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Aug 14 00:56:09 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.