Those amusing Referer spammers
One form of blog spam is 'Referer' spam. Referer is the (optional) HTTP header included in requests from web browsers to web servers that contains the URL of the web page that the link to your page was on. Some blog software uses this header as a lower-tech version of
Referer spam has the attraction for the spammers that it's dirt simple to do. All their software has to do is to make an ordinary HTTP request for a page or three on a web site and throw in a Referer header. No need to talk XML to a specific URL or anything like that.
As a result, Referer spammers appear willing to hit any web site without bothering to check whether their attempts work (this is like many mass attacks on the Internet; when the cost of the attack is so low, why bother being clever?). So, of course, they've wound up hitting CSpace.
What I suspect is that the Referer spammers are doing Google searches for web pages that already mention spam domains (perhaps particular ones), as a quick crude way of finding vulnerable web pages. Most of the time this works out okay, but it gets tripped up by web pages that discuss spam domains.
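One way to spot the request pattern described above in a web server's access log, as an added example that is not part of the original post. The heuristic, the function name, the Combined Log Format input, and every host and address in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
ASSET_RE = re.compile(r'\.(css|js|png|gif|jpe?g|ico)$', re.I)

def suspicious_referers(lines, own_host, min_pages=2):
    """Return {referer_host: sorted pages} for hosts that look like Referer spam.
    Heuristic (an assumption of this example): a referer host is suspicious when
    it is claimed as the source of links to min_pages or more different pages,
    and no client presenting it ever fetched a page asset as a browser would.
    """
    pages = defaultdict(set)      # referer host -> pages it supposedly links to
    clients = defaultdict(set)    # referer host -> client IPs that presented it
    asset_fetchers = set()        # client IPs that fetched at least one asset
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines
        if ASSET_RE.search(urlsplit(m['path']).path):
            asset_fetchers.add(m['ip'])
            continue
        host = (urlsplit(m['referer']).hostname or '').lower()
        if host and host != own_host:  # ignore "-" and internal navigation
            pages[host].add(m['path'])
            clients[host].add(m['ip'])
    return {
        host: sorted(paths)
        for host, paths in pages.items()
        if len(paths) >= min_pages and not (clients[host] & asset_fetchers)
    }

# Constructed sample log; hosts and addresses are reserved documentation values.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2005:13:55:36 -0400] "GET /blog/a HTTP/1.0" 200 5120 "http://spam-pills.example/" "Mozilla/4.0"',
    '192.0.2.11 - - [10/Oct/2005:13:55:37 -0400] "GET /blog/b HTTP/1.0" 200 4096 "http://spam-pills.example/" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2005:14:01:02 -0400] "GET /blog/a HTTP/1.1" 200 5120 "http://friend.example/links.html" "Mozilla/5.0 (X11)"',
    '198.51.100.7 - - [10/Oct/2005:14:01:03 -0400] "GET /style.css HTTP/1.1" 200 900 "http://blog.example/blog/a" "Mozilla/5.0 (X11)"',
    '198.51.100.7 - - [10/Oct/2005:14:05:40 -0400] "GET /blog/b HTTP/1.1" 200 4096 "http://friend.example/links.html" "Mozilla/5.0 (X11)"',
    '203.0.113.5 - - [10/Oct/2005:14:09:00 -0400] "GET /blog/a HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11)"',
]

if __name__ == "__main__":
    print(suspicious_referers(SAMPLE_LOG, "blog.example"))
```

Legitimate referrers that link to many pages and whose visitors have assets cached can still trip this, so treat the output as candidates for review.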
An analysis of my spammer
Looking at recent Referer spam, I got spam for excellent-health.com, casino-attraction.com, and cash-net.biz. Although they claim to be registered to different bogus places, they all seem to touch base with something variously called 'support2000.net', 'support-2000.net', and 'top-support.net'. They also all use the same two nameservers under various names, at the IP addresses 126.96.36.199 and 188.8.131.52.
184.108.40.206/24 is owned by 'Uplink Systems' under 'Hollywood Interactive, Inc' and is routed by ATMLINK (AS7796). 220.127.116.11 is part of a large WebStream Inc block and is SBL listed (SBL17672), for being in a /25 labeled as owned by Traffix.
The web sites themselves are all currently hosted at the IP address 18.104.22.168, part of 'ANET Internet Solutions' in the US, and its /27 is listed in the SBL as SBL24359 for being part of the Rokso-listed 'Brian Kramer / Expedite Media Group' grouping.
The IP addresses making the Referer spam requests don't seem to be listed in any DNS blocklist I routinely look at.
Some quick Googling suggests that these domains also engage in other sorts of blog spam, and that all three of these IP addresses are already well known for their spam involvement. (Yet they remain connected. Such is today's Internet, unfortunately.)