Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
analysis of a spammer
#1

hi guys

 

it seems that spammers try every method in the book using methods like email, phising, posting on forums (with links to where they want you to click) amongst their methods,

 

while browsing through the statistics of this website (https://www.linux-noob.com) i came across some unfamiliar 'referral links' which drew my interest and later, disgust.

 

The spammers have obviously got some 'spam bots' which crawl websites for one purpose, to falsely leave behind their 'links' in the statistics page of a website.

 

To try and further understand these low-lifes I did some analysis:-

 

look at the statistics posted here

 

[/url]http://linux-noob.com/usage/usage_200512.html#TOPREFS

 

Quote:# Hits Referrer1 73339 24.26% - (Direct Request)

2 1563 0.52% http://www.google.com/search

3 1462 0.48% http://charlestyrrell-ins.com/

4 1462 0.48% http://wgostonemantel.com/

5 1340 0.44% http://downjigger.com/

6 1340 0.44% http://hedcore.com/

7 1340 0.44% http://hellwithgoogle.com/

8 1340 0.44% http://isdwebstore.com/

9 1340 0.44% http://redline-entertainement.com/

10 1340 0.44% http://skateinstrutor.com/

11 1340 0.44% http://slewfootrecrods.com/

12 1340 0.44% http://syperopts.com/

13 615 0.20% http://images.google.com/imgres

14 408 0.13% http://desktoplinux.com/articles/AT9133949670.html

15 376 0.12% http://www.dvd4arab.com/forums/showthread.php
 

ok, the first link is listed as a 'direct request' and what that means is any internal link on linux-noob.com that links back to a page/site/forum whatever on linux-noob.com is listed as a direct request, same goes for anyone coming here via a bookmark to linux-noob.com or RSS feed.

 

The second link in the list above is our friend google, nothing strange there.

 

However, if we look at the 3rd to the 12th links listed, things start to become strange,

 

obviously to find out who these 'new' referrals were I clicked on the link only to be surprised that I landed on a 'so called search page'

 

take a look at the first link listed

 

3 1462 0.48% http://charlestyrrell-ins.com/

 

clicking on that will re-direct you to the following website

 

http://www.searchmeup.com/search.php?aid...is_is_SPAM

 

which is 'marketing' (spamming to you and me) a drug called "lousy spam".

 

"lousy spam" itself (according to google) is a diet pill, but who cares. I don't. I'm not interested. What annoys me is that the 'charlestyrell' link redirects me to a 'search site'. That is the SPAM in action.

 

Let's take the second site listed:-

 

4 1462 0.48% http://wgostonemantel.com/

 

once again, it redirects to the above page

 

http://www.searchmeup.com/search.php?aid...is_is_SPAM

 

and you can probably guess that the 'aid=36585' part of the link is the method that the spammer has of knowing how successful his spam is.

 

Let's continue with the third link:-

 

5 1340 0.44% http://downjigger.com/

 

redirects to http://www.searchmeup.com/search.php?aid=3...hoes&said=550_1

 

which is the same 'searchmeup.com' website and the same 'aid=36585' but now with a 'new' PHONEY search term.

 

ok,, you get the idea now, so who is running this spamming operation ?

 

let's do some whois ...

 

Quote:charlestyrrell-ins.com (Reverse lookup failed) 

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)

Copyright 1999-2001 William E. Weinman

Request: charlestyrrell-ins.com

connecting to whois.internic.net [198.41.0.6:43]...

connecting to whois.criticalinternet.com [69.50.183.29:43] ...

Registration Service Provided By: ESTDOMAINS

Contact: +372.55647646

Website: http://www.estdomains.com

 

Domain Name: CHARLESTYRRELL-INS.COM

 

Registrant:

Miamy diamond, inc

Andrew Scott (andrewscott600@yahoo.com)

2301 E St Nw

Washington

,20037

US

Tel. +202.4630871

 

Creation Date: 10-Dec-2005

Expiration Date: 10-Dec-2006

 

Domain servers in listed order:

ns1.charlestyrrell-ins.com

ns2.charlestyrrell-ins.com
 

and the next 'link'

 

Quote:wgostonemantel.com (Reverse lookup failed) 

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)

Copyright 1999-2001 William E. Weinman

Request: wgostonemantel.com

connecting to whois.internic.net [198.41.0.6:43]...

connecting to whois.criticalinternet.com [69.50.183.29:43] ...

Registration Service Provided By: ESTDOMAINS

Contact: +372.55647646

Website: http://www.estdomains.com

 

Domain Name: WGOSTONEMANTEL.COM

 

Registrant:

-

Klaus Muller (klausmuller007@yahoo.com)

Sandershauser Strasse 101

Kassel

,34123

DE

Tel. +49.56150003

 

Creation Date: 09-Dec-2005

Expiration Date: 09-Dec-2006

 

Domain servers in listed order:

ns1.wgostonemantel.com

ns2.wgostonemantel.com
 

and the third link

 

Quote:downjigger.com (Reverse lookup failed) 

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)

Copyright 1999-2001 William E. Weinman

Request: downjigger.com

connecting to whois.internic.net [198.41.0.6:43]...

connecting to whois.criticalinternet.com [69.50.183.29:43] ...

Registration Service Provided By: ESTDOMAINS

Contact: +372.55647646

Website: http://www.estdomains.com

 

Domain Name: DOWNJIGGER.COM

 

Registrant:

-

Klaus Muller (klausmuller007@yahoo.com)

Sandershauser Strasse 101

Kassel

,34123

DE

Tel. +49.56150003

 

Creation Date: 13-Dec-2005

Expiration Date: 13-Dec-2006

 

Domain servers in listed order:

ns1.downjigger.com

ns2.downjigger.com
 

so are the people mentioned above real or fake ? any takers ?

 

the 'searchmeup.com' website has an 'report abuse' link which redirects to

 

[url=https://www.umaxlogin.com/user_page.php?page=FAQ]https://www.umaxlogin.com/user_page.php?page=FAQ

 

which is a 'pay per click' ad revenue, so we can see that the many links 'left behind' on linux-noob.com's STATS page are designed to get users to 'click' and end up on 'searchmeup'.

 

some is trying to profit here, but who ?

 

I tried to 'report abuse' to the domain name creation site listed above but was left feeling less than impressed (see screenshot)

 

 

 

cmon guys, feel like helping me out here ? who is doing this and how can we stop them ?

 

cheers

 

anyweb

<a class="ipsAttachLink ipsAttachLink_image" href="<fileStore.core_Attachment>/post-1-1134724123.png" data-fileid="429">[img]<fileStore.core_Attachment>/post-1-1134724123.png[/img]</a>



Attached Files
.png   Screenshot.png (Size: 230.44 KB / Downloads: 190)
Reply
#2

Quick way to do it with php:

 

One way



Code:
switch($_SERVER[''HTTP_REFERER']) {
  case "badsite.com":
  case "nextbadsite.com":
  exit;
  break;
}




 

Two way



Code:
$bad = array("badsite.com", "badsite1.com");

if(in_array($_SERVER['HTTP_REFERER', $bad)) exit;




 

Either of these placed at the top of the webpages (i.e. on every page like the header) should just terminate the page early and fail to load it for those site REFERER's.

 

Of course this method isn't perfect as the REFERER can easily be faked.

 

Another method would be to use iptables.. and simply drop traffic from the bad sites...



Code:
iptables -A INPUT -s badsite.com -j DROP




 

Again though.. you can get around this, a proxy for instance (or tor?).

 

Just some ideas...

Reply
#3

Hi anyweb,

 

I was told you could do this by using: mod_setenvif

 

[/url]http://httpd.apache.org/docs/1.3/mod/mod_s...f.html#setenvif

 

also you could use mod_rewrite

 

[url=http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html]http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

 

Ill have a look into both and see if I could produce a rule to stop the spamming

znx's method is also good :)

Reply
#4

ok I had a little chat in #apache and was told do to:

 

setenvifnocase referer ".*charlestyrrell-ins.com.*" deny_these, then as appropriate deny from env=deny_these

Reply
#5

oh this is just annoying me....

 

they are now increasing the number of 'referral links' and of course the actual sites have nothing to do with the URL they claim to be

 

not only that but how are they doing this ?

 

usually a 'referral' means that someone clicked on a link to end up here, but this is clearly not the case here

 

i'm still thinking about your suggestions above but has anyone else got any ideas ?

 

can i remove the links from webalizer ????

 

Quote:3 1765 0.48% http:// networkresourceservices.com/4 1765 0.48% http:// northeastmetrotec.com/

5 1765 0.48% http:// reesehardin.com/

6 1765 0.48% http:// vicotriajohnson.com/

7 1589 0.44% http:// advertisinggems.com/

8 1589 0.44% http:// clickobras.com/

9 1589 0.44% http:// nativealaaskan.net/

10 1522 0.42% http:// downjigger.com/

11 1522 0.42% http:// hedcore.com/

12 1522 0.42% http:// hellwithgoogle.com/

13 1522 0.42% http:// isdwebstore.com/

14 1522 0.42% http:// redline-entertainement.com/

15 1522 0.42% http:// skateinstrutor.com/

16 1522 0.42% http:// slewfootrecrods.com/

17 1522 0.42% http:// syperopts.com/

18 1462 0.40% http:// charlestyrrell-ins.com/

19 1462 0.40% http:// wgostonemantel.com/
 

be warned the first link (i clicked it to see) is NSFW

 

pretty sure the rest are also bad

 

[/url][url=http://linux-noob.com/usage/usage_200512.html#TOPREFS]http://linux-noob.com/usage/usage_200512.html#TOPREFS

Reply
#6
I'd avoid posting real links in your posts, you're just helping their PageRank. :)
Reply
#7



Code:
RewriteEngine on

# skip if empty (ie direct.. and the majority of your traffic)
RewriteCond %{HTTP_REFERER} !^$

# all the bad guys
RewriteCond %{HTTP_REFERER} ^http://(.*.)?networkresourceservices.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?northeastmetrotec.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?reesehardin.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?vicotriajohnson.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?advertisinggems.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?clickobras.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?nativealaaskan.net [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?downjigger.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?hedcore.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?hellwithgoogle.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?isdwebstore.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?redline-entertainement.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?skateinstrutor.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?slewfootrecrods.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?syperopts.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?charlestyrrell-ins.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?wgostonemantel.com.*$ [NC]
# no OR in the last one

# forbid, set enviromental BAD, L means LAST rules
RewriteRule ^(.*) - [F,E=BAD:1,L]

# alter the logs.. to remove the bad guys but still log them so we can see
CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD




 

 

nasty referer's be GONE.. :)

Reply
#8

thanks znx, but where do i put that and what actions must i take inorder for it to do anything ? do i have to install something ?

 

cheers

anyweb

Reply
#9

Quote:thanks znx, but where do i put that and what actions must i take inorder for it to do anything ? do i have to install something ?
 

Oh yeah.. it would have been good to say how to use it .. :P

 

First make sure that the paths are good for your log files (maybe you want to put elsewhere to test?) then you can simply put that in a .htaccess file in the docroot of your site.. and it will protect across the whole site then...

 

If you want to test it out.. you can add my site and try clicking through from it...

 



Code:
....
# all the bad guys
RewriteCond %{HTTP_REFERER} ^http://(.*.)?abdn.ac.uk.*$ [NC,OR]
....




 

When you click from my site.. you should reach a Forbidden page.. and it should NOT be logged in access.log and it should be logged in access_bad.log. Neat eh :)

Reply
#10

Quote:Neat eh :)
 

znx, you are the script king. :)

Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)