+- Linux-Noob Forums (https://www.linux-noob.com/forums)
+-- Forum: General Stuff (https://www.linux-noob.com/forums/forum-4.html)
+--- Forum: Site News (https://www.linux-noob.com/forums/forum-66.html)
+--- Thread: analysis of a spammer (/thread-2288.html)
analysis of a spammer - anyweb - 2005-12-16
hi guys
it seems that spammers try every method in the book using methods like email, phising, posting on forums (with links to where they want you to click) amongst their methods,
while browsing through the statistics of this website (https://www.linux-noob.com) i came across some unfamiliar 'referral links' which drew my interest and later, disgust.
The spammers have obviously got some 'spam bots' which crawl websites for one purpose, to falsely leave behind their 'links' in the statistics page of a website.
To try and further understand these low-lifes I did some analysis:-
look at the statistics posted here
[/url]http://linux-noob.com/usage/usage_200512.html#TOPREFS
Quote:# Hits Referrer1 73339 24.26% - (Direct Request)
2 1563 0.52% http://www.google.com/search
3 1462 0.48% http://charlestyrrell-ins.com/
4 1462 0.48% http://wgostonemantel.com/
5 1340 0.44% http://downjigger.com/
6 1340 0.44% http://hedcore.com/
7 1340 0.44% http://hellwithgoogle.com/
8 1340 0.44% http://isdwebstore.com/
9 1340 0.44% http://redline-entertainement.com/
10 1340 0.44% http://skateinstrutor.com/
11 1340 0.44% http://slewfootrecrods.com/
12 1340 0.44% http://syperopts.com/
13 615 0.20% http://images.google.com/imgres
14 408 0.13% http://desktoplinux.com/articles/AT9133949670.html
15 376 0.12% http://www.dvd4arab.com/forums/showthread.php
ok, the first link is listed as a 'direct request' and what that means is any internal link on linux-noob.com that links back to a page/site/forum whatever on linux-noob.com is listed as a direct request, same goes for anyone coming here via a bookmark to linux-noob.com or RSS feed.
The second link in the list above is our friend google, nothing strange there.
However, if we look at the 3rd to the 12th links listed, things start to become strange,
obviously to find out who these 'new' referrals were I clicked on the link only to be surprised that I landed on a 'so called search page'
take a look at the first link listed
3 1462 0.48% http://charlestyrrell-ins.com/
clicking on that will re-direct you to the following website
http://www.searchmeup.com/search.php?aid=3...id=this_is_SPAM
which is 'marketing' (spamming to you and me) a drug called "lousy spam".
"lousy spam" itself (according to google) is a diet pill, but who cares. I don't. I'm not interested. What annoys me is that the 'charlestyrell' link redirects me to a 'search site'. That is the SPAM in action.
Let's take the second site listed:-
4 1462 0.48% http://wgostonemantel.com/
once again, it redirects to the above page
http://www.searchmeup.com/search.php?aid=3...id=this_is_SPAM
and you can probably guess that the 'aid=36585' part of the link is the method that the spammer has of knowing how successful his spam is.
Let's continue with the third link:-
5 1340 0.44% http://downjigger.com/
redirects to http://www.searchmeup.com/search.php?aid=3...hoes&said=550_1
which is the same 'searchmeup.com' website and the same 'aid=36585' but now with a 'new' PHONEY search term.
ok,, you get the idea now, so who is running this spamming operation ?
let's do some whois ...
Quote:charlestyrrell-ins.com (Reverse lookup failed)
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2001 William E. Weinman
Request: charlestyrrell-ins.com
connecting to whois.internic.net [198.41.0.6:43]...
connecting to whois.criticalinternet.com [69.50.183.29:43] ...
Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com
Domain Name: CHARLESTYRRELL-INS.COM
Registrant:
Miamy diamond, inc
Andrew Scott (andrewscott600@yahoo.com)
2301 E St Nw
Washington
,20037
US
Tel. +202.4630871
Creation Date: 10-Dec-2005
Expiration Date: 10-Dec-2006
Domain servers in listed order:
ns1.charlestyrrell-ins.com
ns2.charlestyrrell-ins.com
and the next 'link'
Quote:wgostonemantel.com (Reverse lookup failed)
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2001 William E. Weinman
Request: wgostonemantel.com
connecting to whois.internic.net [198.41.0.6:43]...
connecting to whois.criticalinternet.com [69.50.183.29:43] ...
Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com
Domain Name: WGOSTONEMANTEL.COM
Registrant:
-
Klaus Muller (klausmuller007@yahoo.com)
Sandershauser Strasse 101
Kassel
,34123
DE
Tel. +49.56150003
Creation Date: 09-Dec-2005
Expiration Date: 09-Dec-2006
Domain servers in listed order:
ns1.wgostonemantel.com
ns2.wgostonemantel.com
and the third link
Quote:downjigger.com (Reverse lookup failed)
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2001 William E. Weinman
Request: downjigger.com
connecting to whois.internic.net [198.41.0.6:43]...
connecting to whois.criticalinternet.com [69.50.183.29:43] ...
Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com
Domain Name: DOWNJIGGER.COM
Registrant:
-
Klaus Muller (klausmuller007@yahoo.com)
Sandershauser Strasse 101
Kassel
,34123
DE
Tel. +49.56150003
Creation Date: 13-Dec-2005
Expiration Date: 13-Dec-2006
Domain servers in listed order:
ns1.downjigger.com
ns2.downjigger.com
so are the people mentioned above real or fake ? any takers ?
the 'searchmeup.com' website has an 'report abuse' link which redirects to
[url=https://www.umaxlogin.com/user_page.php?page=FAQ]https://www.umaxlogin.com/user_page.php?page=FAQ
which is a 'pay per click' ad revenue, so we can see that the many links 'left behind' on linux-noob.com's STATS page are designed to get users to 'click' and end up on 'searchmeup'.
some is trying to profit here, but who ?
I tried to 'report abuse' to the domain name creation site listed above but was left feeling less than impressed (see screenshot)
cmon guys, feel like helping me out here ? who is doing this and how can we stop them ?
cheers
anyweb
<a class="ipsAttachLink ipsAttachLink_image" href="<fileStore.core_Attachment>/post-1-1134724123.png" data-fileid="429">[img]<fileStore.core_Attachment>/post-1-1134724123.png[/img]</a>
analysis of a spammer - znx - 2005-12-16
Quick way to do it with php:
One way
Code:
switch($_SERVER[''HTTP_REFERER']) {
case "badsite.com":
case "nextbadsite.com":
exit;
break;
}Two way
Code:
$bad = array("badsite.com", "badsite1.com");
if(in_array($_SERVER['HTTP_REFERER', $bad)) exit;Either of these placed at the top of the webpages (i.e. on every page like the header) should just terminate the page early and fail to load it for those site REFERER's.
Of course this method isn't perfect as the REFERER can easily be faked.
Another method would be to use iptables.. and simply drop traffic from the bad sites...
Code:
iptables -A INPUT -s badsite.com -j DROPAgain though.. you can get around this, a proxy for instance (or tor?).
Just some ideas...
analysis of a spammer - xDamox - 2005-12-16
Hi anyweb,
I was told you could do this by using: mod_setenvif
[/url]http://httpd.apache.org/docs/1.3/mod/mod_s...f.html#setenvif
also you could use mod_rewrite
[url=http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html]http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html
Ill have a look into both and see if I could produce a rule to stop the spamming
znx's method is also good :)
analysis of a spammer - xDamox - 2005-12-16
ok I had a little chat in #apache and was told do to:
setenvifnocase referer ".*charlestyrrell-ins.com.*" deny_these, then as appropriate deny from env=deny_these
analysis of a spammer - anyweb - 2005-12-19
oh this is just annoying me....
they are now increasing the number of 'referral links' and of course the actual sites have nothing to do with the URL they claim to be
not only that but how are they doing this ?
usually a 'referral' means that someone clicked on a link to end up here, but this is clearly not the case here
i'm still thinking about your suggestions above but has anyone else got any ideas ?
can i remove the links from webalizer ????
Quote:3 1765 0.48% http:// networkresourceservices.com/4 1765 0.48% http:// northeastmetrotec.com/
5 1765 0.48% http:// reesehardin.com/
6 1765 0.48% http:// vicotriajohnson.com/
7 1589 0.44% http:// advertisinggems.com/
8 1589 0.44% http:// clickobras.com/
9 1589 0.44% http:// nativealaaskan.net/
10 1522 0.42% http:// downjigger.com/
11 1522 0.42% http:// hedcore.com/
12 1522 0.42% http:// hellwithgoogle.com/
13 1522 0.42% http:// isdwebstore.com/
14 1522 0.42% http:// redline-entertainement.com/
15 1522 0.42% http:// skateinstrutor.com/
16 1522 0.42% http:// slewfootrecrods.com/
17 1522 0.42% http:// syperopts.com/
18 1462 0.40% http:// charlestyrrell-ins.com/
19 1462 0.40% http:// wgostonemantel.com/
be warned the first link (i clicked it to see) is NSFW
pretty sure the rest are also bad
[/url][url=http://linux-noob.com/usage/usage_200512.html#TOPREFS]http://linux-noob.com/usage/usage_200512.html#TOPREFS
analysis of a spammer - hybrid - 2005-12-19
I'd avoid posting real links in your posts, you're just helping their PageRank. :)
analysis of a spammer - znx - 2005-12-22
Code:
RewriteEngine on
# skip if empty (ie direct.. and the majority of your traffic)
RewriteCond %{HTTP_REFERER} !^$
# all the bad guys
RewriteCond %{HTTP_REFERER} ^http://(.*.)?networkresourceservices.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?northeastmetrotec.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?reesehardin.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?vicotriajohnson.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?advertisinggems.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?clickobras.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?nativealaaskan.net [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?downjigger.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?hedcore.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?hellwithgoogle.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?isdwebstore.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?redline-entertainement.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?skateinstrutor.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?slewfootrecrods.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?syperopts.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?charlestyrrell-ins.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?wgostonemantel.com.*$ [NC]
# no OR in the last one
# forbid, set enviromental BAD, L means LAST rules
RewriteRule ^(.*) - [F,E=BAD:1,L]
# alter the logs.. to remove the bad guys but still log them so we can see
CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BADnasty referer's be GONE.. :)
analysis of a spammer - anyweb - 2005-12-23
thanks znx, but where do i put that and what actions must i take inorder for it to do anything ? do i have to install something ?
cheers
anyweb
analysis of a spammer - znx - 2005-12-23
Quote:thanks znx, but where do i put that and what actions must i take inorder for it to do anything ? do i have to install something ?
Oh yeah.. it would have been good to say how to use it .. :P
First make sure that the paths are good for your log files (maybe you want to put elsewhere to test?) then you can simply put that in a .htaccess file in the docroot of your site.. and it will protect across the whole site then...
If you want to test it out.. you can add my site and try clicking through from it...
Code:
....
# all the bad guys
RewriteCond %{HTTP_REFERER} ^http://(.*.)?abdn.ac.uk.*$ [NC,OR]
....When you click from my site.. you should reach a Forbidden page.. and it should NOT be logged in access.log and it should be logged in access_bad.log. Neat eh :)
analysis of a spammer - hybrid - 2005-12-23
Quote:Neat eh :)
znx, you are the script king. :)