Tag: referrer spam

Russian Referrer Bot on 2017 Aug 31: 43 Unique IPs

I can only label this a Russian referrer bot because it uses predominantly Russian referrers for its referrer spam. In fact I have no evidence of its origin. The 46 unique requesting IPs are from around the world, seemingly random. While it is easy to ban these 43, there is no way to find the originator of this bot.

Referrer spam is unique in that the originating IP does not care about the returned data. All the request wants to do is insert the spammer's referrer into your logs. That referrer is recorded by, and therefore pollutes, your Google Analytics. Because the requesting IPs want nothing in return, they could be from anywhere and could well be faked.

Hetmanship Referrer Spam Campaign: Case Study

Got hit by a small referrer spam campaign today, for some website called “hetmanship”. I’ll not mention the domain extension, because if you look them up you might download some malware. That would be bad.

As is typical, multiple IPs from around the world: Indonesia, China (8), Russia/UA (5), Mexico, Colombia, Peru, Germany, US. They are indeed difficult to track.
Referrer: http://hetmanship.(will not publish)
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Documenting A Referrer Spam Campaign

I get a lot of referrer spam on my site. I’m pretty sure that every site gets referrer spam; it is ubiquitous. Usually I have already banned them, and they are usually from Russia, such as xrus, dealing with lovely, nubile, young Russian women. These I treat like background noise: I glance at the 403 error and move on. Then occasionally, about once a month, I get a bona fide referrer spam marketing campaign, where someone really wants to make a negative impression on both my Google Analytics and myself. I then find and ban them.

Combating Blogspot Referrer Spam, Hosted by Google

Hotlinking is simply not cool. Referrer spam is also not cool. I get both of these from 4 Blogspot sites, and have struggled to contain their mess. The problem is that they are hosted by Google, through their Blogger platform, GoogleUserContent.com. Though Blogger is free, they are very difficult to kill. Here’s what I did to combat the problem.

Using Blogger as a Referrer Spam Platform

tanyadokterkeluarga.blogspot Referrer Spam: Research, Ban

tanyadokterkeluarga.blogspot is a persistent referrer spammer. They use a huge number of IP addresses that rarely repeat a third octet. It has similar strategies to kosmetik-freaks.blogspot, in fact sharing identical IP ranges. They are sister referrer spammers. Neither is stopped by an HTTP_REFERER ban in .htaccess. If you kill one you kill the other, a nice double prize. As with the sister, this spammer runs out of Indonesia.

These are the referrers:
tanyadokterkeluarga.blogspot.ca
tanyadokterkeluarga.blogspot.co.id
tanyadokterkeluarga.blogspot.com
tanyadokterkeluarga.blogspot.in
tanyadokterkeluarga.blogspot.my
tanyadokterkeluarga.blogspot.sg
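The two traits described above, a referrer that is recorded no matter what the server returns and a flood of one-off IPs that rarely share a third octet, are what distinguish referrer spam from real traffic in an access log. The script below is an added example, not code from this blog: it parses Apache/nginx combined-format lines (the sample log is constructed, using RFC 5737 and private addresses), collapses the Blogspot country suffixes listed above into one referrer, and flags any referrer that arrives from at least four distinct /24 networks with no IP seen twice. The threshold of four networks is an assumption chosen for the sample; tune it to your own traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): five hits for one Blogspot blog under
# different country suffixes, each from an IP in a different /24; one genuine-looking
# referrer from a single repeat visitor; one hit with no referrer at all.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Aug/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://tanyadokterkeluarga.blogspot.co.id/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [31/Aug/2017:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "http://tanyadokterkeluarga.blogspot.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.44 - - [31/Aug/2017:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "http://tanyadokterkeluarga.blogspot.my/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.8.21.3 - - [31/Aug/2017:10:00:13 +0000] "GET / HTTP/1.1" 200 512 "http://tanyadokterkeluarga.blogspot.sg/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.77.140.9 - - [31/Aug/2017:10:00:17 +0000] "GET / HTTP/1.1" 200 512 "http://tanyadokterkeluarga.blogspot.in/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.99 - - [31/Aug/2017:10:01:00 +0000] "GET /post/1 HTTP/1.1" 200 4096 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0"
192.0.2.99 - - [31/Aug/2017:10:01:30 +0000] "GET /post/2 HTTP/1.1" 200 4200 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0"
192.0.2.99 - - [31/Aug/2017:10:02:00 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0"
"""

# name.blogspot.com, name.blogspot.co.id, name.blogspot.my ... are all the same blog
BLOGSPOT_RE = re.compile(r'^(.+\.blogspot)\.[a-z.]+$')


def referrer_key(ref):
    """Map a referrer URL to a host label, or None when there is no referrer ('-').
    Blogspot country suffixes are stripped so the ccTLD variants count as one."""
    if ref in ("", "-"):
        return None
    host = (urlsplit(ref).hostname or "").lower()
    m = BLOGSPOT_RE.match(host)
    return m.group(1) if m else host


def slash24(ip):
    """The /24 network an IPv4 address belongs to (its first three octets)."""
    return ".".join(ip.split(".")[:3])


def analyze(log_text, min_networks=4):
    """Group hits by referrer and flag referrers that come from many unrelated
    /24s with no repeat visitor, the referrer-spam signature described above."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "nets": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        key = referrer_key(m.group("ref"))
        if key is None:
            continue  # direct hits carry no referrer and cannot be referrer spam
        s = stats[key]
        s["hits"] += 1
        s["ips"].add(m.group("ip"))
        s["nets"].add(slash24(m.group("ip")))

    report = {}
    for key, s in stats.items():
        unique_ips = len(s["ips"])
        distinct_nets = len(s["nets"])
        report[key] = {
            "hits": s["hits"],
            "unique_ips": unique_ips,
            "distinct_24s": distinct_nets,
            # every IP seen exactly once, spread over many networks: suspect
            "suspect": distinct_nets >= min_networks and s["hits"] == unique_ips,
        }
    return report


if __name__ == "__main__":
    for key, r in sorted(analyze(SAMPLE_LOG).items()):
        flag = "SUSPECT" if r["suspect"] else "ok"
        print(f"{key:40s} hits={r['hits']} ips={r['unique_ips']} "
              f"/24s={r['distinct_24s']} {flag}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the referrers it flags are the candidates for a ban, and the IP and /24 sets it collected are what an HTTP_REFERER rule alone would miss.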

kosmetik-freaks.blogspot Referrer Spam: Research, Ban

This kosmetik-freaks.blogspot is a referrer spammer that has been harassing me for quite a long time. I have tried to ban them with an HTTP_REFERER ban, but this does not work. My ISP, Site5, will not help me. They are predominantly out of Indonesia. They are pretty sophisticated, to have evaded my detection for so long.

103.47.135.43
103.47.135.50
103.47.135.7
103.47.135.72

The sister referrer spammer is tanyadokterkeluarga.blogspot, which uses the identical method and largely shares the same IP ranges. When you kill one you kill the other. Almost all these UAs are mobile devices, leading me to believe these are mobile customers that have downloaded the same spam app.

kwpublisher.com Referrer Spam: Research, Ban

kwpublisher.com is a long-time referrer spammer that I would like to remove. I have tried to ban them with an HTTP_REFERER ban, but this does not work. My ISP, Site5, will not help me. This guy seems to use a method similar to kosmetik-freaks.blogspot. They seem to be mostly out of Pakistan, but have also come from Indonesia and China. I am now tracking them closely.

Conclusion: Tracked down the code hotlinking to my site. Complained to their domain name provider. Then they disappeared. Goodbye.

39.42.52.98 x 4 (39.32.0.0 – 39.63.255.255, Pakistan Tel)

45.32.48.27
45.32.48.27
45.32.48.27

Host Name 0 Zero or localhost in your Raw Access Log

Does your raw access log display a host name of “0”, or zero? Very odd, is it not? I have been struggling with this for a couple of months, and my ISP Site5 had no answers. It turns out that one of my spammers, NFORCE_ENTERTAINMENT, puts an unprintable character into their host table, so that when my ISP looks them up, they display the unprintable character in my log as “0”.

Trying to control your site’s spam can be challenging. If you try to ban an IP that is simply 0, or a host name of “0”, you will fail, because the host name does not actually contain a zero, only an unprintable character. Ban these guys by their IP addresses instead.

no-ptr.as20860.net Comment Spammer: Research, Ban

no-ptr.as20860.net is a dual IP spammer with a twist. The originating IP’s hostname lookup returns three IPs! You’ll need to ban all three, but there’s a lot more. They use IOMart, GB as their ISP.

It seems like this hostname also morphs to numerous IP addresses, making them difficult to track down.

Observation:
no-ptr.as20860.net hostname lookup 62.128.193.135 84.22.161.172 50.97.43.3

Method:
no-ptr.as20860.net not only uses the dual IP spammer strategy, but also moves its host name across many IP addresses, making it doubly difficult to ban.

fvds.ru Content Spammer: Research, Ban

fvds.ru spammed me, so I researched them. A good portion of their IPs are in the range of 62.109.24.0/24 but there are others. They use a wide variety of names.

Observation:
t-testing.fvds.ru host lookup 62.109.2.78 is bogus. Research revealed 62.109.24.26 and 62.109.24.27.

Research:
tinchurin.fvds.ru 62.109.16.78
info2.fvds.ru 62.109.18.75
dap.fvds.ru 62.109.24.110
zwrk018.fvds.ru 62.109.24.115
esesovets.fvds.ru 62.109.24.132
ensore.fvds.ru 62.109.24.14
camedia.fvds.ru 62.109.24.145
a777825.fvds.ru 62.109.24.157
move.fvds.ru 62.109.24.20
izhirnoff.fvds.ru 62.109.24.215
pool-62.109.24.0.fvds.ru 62.109.24.218
app777.fvds.ru 62.109.24.236
darthspacker.fvds.ru 62.109.24.249
motorspb4.fvds.ru 62.109.24.30
admin15.fvds.ru 62.109.24.35
cyberilya32.fvds.ru 62.109.24.53
merchdist.fvds.ru 62.109.24.61
aachibilyaevyandex.ru.fvds.ru 62.109.24.82
realmyst1.fvds.ru 62.109.24.95
nkryptor.fvds.ru 62.109.29.208
dimys12373.fvds.ru 62.109.31.36
frederick.fvds.ru 62.109.31.91

Mgi.fvds.ru 78.24.219.148
Fvds.ru 78.24.219.165
fakeyoudeadxtv.fvds.ru 78.24.221.1
MMM5.FVDS.RU 82.146.33.242
alosvlad.fvds.ru 82.146.34.229
voloshenko.ilya.fvds.ru 82.146.36.96
exiex.fvds.ru 82.146.38.254
leonid.fvds.ru 91.240.85.23
fdvcxvcxv.fvds.ru 92.63.98.50