Referer spammers: New scourge of the web Thu, Dec 16. 2004
As an aside, yes they did spell that REFERER, and I assume that the history of that misspelling goes back to the folks who created the CGI-BIN API.
The referrer comes in as part of the http header sent by the browser with its request, and it has always been possible to suppress or change the referer information, so most folks consider "referer" information as a useful indication of sites that have linked to you, but nothing you can depend on.
Lately, there seem to be more and more unscrupolous people marketing software to others which does nothing but waste bandwidth hitting long lists of sites and generating referrer entries in your web logs. Their reasoning is that you will check your logs (and every website reporting package includes information about the refers you get) and very possibly click on them to see how you're being linked, or what their site is about.
In that spirit here's a few sites I know of that are already at this. Feel free to add your own to the comments section. If anyone has any good ways of combatting these folks, lets hear about it, either in comments or over on my forum.
Known refer spammers:
Just a note to those who might be interested.
blogincome dot com AND
adminshop dot com
(No PR value gained by the spammers here.)
are tied together through a common name server: acyon dot com
or the registration address:
8939 S. Sepulveda Blvd
Westchester, CA 90045
This address seems to point to a Mailboxes, etc. just outside of the boundaries of LAX.
Acyon dot com is shown to be hosted on:
I know that there are more websites in this scheme, because I have tracked it several times before trying to figure out who is at the helm. The owner of these sites uses whoisguard.com to hide his identity.
Now, when you do a whois search of acyon dot com, you find that this person likely resides somewhere in Norway.
To understand the point and purpose of this scheme, you must visit another acyon site: warrenoates dot com
When you hit warrenoates, you realize that the acyon spammers are in the business of selling domains.
This is what seems to be afoot.
They are buying these domains as an investment. Then they work their referer spamming to build traffic to the sites.
They provide the site of their current referer (your site) as a "friend" of their site which throws most people off the scent of spam.
Since they are dabbling with people who run site tracking, they are dealing with people who likely use the Google toolbar and the Alexa toolbar. This helps them take advantage of the people who can build their Google PR and more importantly, their Alexa Traffic Rankings.
Bingo, there is the key!
A site with higher Alexa Traffic Rankings is bound to generate a higher resale value!
It is a slick scheme that reeks of dishonesty when dealing with their end customers: the people who buy domains from them.
Finally I do not feel alone! Here is the result of my own research into this. My friend Sadie (http://hollow-refuge.net/phpBB/index.php) and I have been investigating this ruse for a few weeks now!
Fortunecity and V3 dot coms are both using this to insert pop up HTML code via SSI's at unsuspecting sites, these referrers are "pinged" into your blogs "Latest" referrer lists and have extensions that end in get.to
These links lead to a bogus page, that includes JS that redirects you to a site, inserts the pop up code into the header, and you get a pop up window advertising V3 dot com!
Another recent discovery involves a German firm using the same technique described above. There referrer links end in info.ms.
IP ranges to block all their BS?
FC&V3 (weirdname.get.to) ranges are 18.104.22.168/22.214.171.124 and 126.96.36.199/188.8.131.52 Blocking both those range's will stop their BS.
The German equivalent sites nic dot de & their associated ad server cydots dot com (weirdname.info.ms) ranges to block are 184.108.40.206/220.127.116.11 and 18.104.22.168/22.214.171.124
Add the following, best bets? Block their cumulative IP ranges at server level (if you have access to .htaccess)
FortuneCity dot Com (adserver)
V3 dot com (referrer spammer owned by the same CO.)
Links that will relate to their scam end in get.to
IP ranges to blocků
Another player at this game is out of Germany.
Cydots dot com (referrer spammer owned by the same CO.)
nic dot de (adserver)
Links that will relate to their scam end in info.ms
IP ranges to blocků
My friend,2McAbre & I have been tracking down/blocking these scumbags for a couple of weeks,now.We are really glad to have found someone else who has even noticed what is going on.
Be delighted to publish the I.P. ranges of the cretins who've been spamming my B2 Evolution.Is it O.K. if I link one of the pieces we've written to here? Thought it best to ask for fear you'd think it was another bogus referrer!