Archive for the ‘spamhuntress’ Category

New tactic from the Bulgarian spammers

Friday, February 18th, 2005

We’ve talked about the bait and switch before. The spammers put up an account terminated notice while doing a spam run, then switch it to the real site after the spam run is finished.

And that’s what I thought we were seeing with the nutzu spam run too. But I didn’t look deeply enough.

Michael commented below here, that the real page is actually already there. It’s the javascript that loads the termination page. Which means Google will never see it. They’ll only see the page the spammers intended for it to see.

Which in turn means that from now on, we have to check spamvertized pages even better than before. We know they’ve been cloaking their pages for a while with javascript. But now they’ve taken it to new heights.

UPDATE: I realized after thinking about it for a while, that they’re going to have to remove the javascript at some point. Because after all, the goal is to have humans eyeballing the site at some point. After people have found the site through Google, that is.

More about the Bulgarians
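A way to check a spamvertized page for this kind of script cloaking, as an added example that is not from the original post: it reads the raw HTML the way a crawler that runs no scripts would, and flags pages where real content sits in the markup while an inline script swaps in something else for browsers. The pattern list, the word threshold and the sample page are assumptions made for illustration; scripts loaded from an external `src` are not inspected.

```python
import re
from html.parser import HTMLParser

# Script constructs that change what a browser visitor ends up seeing.
SWAP_PATTERNS = [
    r"\blocation(?:\.href)?\s*=[^=]",
    r"\blocation\.(?:replace|assign)\s*\(",
    r"\bdocument\.write(?:ln)?\s*\(",
]

class StaticView(HTMLParser):
    """Collects what a crawler that does not run scripts would index."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts, self.text, self.links = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
        elif tag == "a" and dict(attrs).get("href"):
            self.links.append(dict(attrs)["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data
        elif data.strip():
            self.text.append(data.strip())

def check_cloaking(html, min_words=20):
    """Flag pages whose markup holds real content that an inline script hides."""
    view = StaticView()
    view.feed(html)
    view.close()
    words = sum(len(t.split()) for t in view.text)
    swaps = sum(bool(re.search(p, s)) for s in view.scripts for p in SWAP_PATTERNS)
    return {"static_words": words, "static_links": len(view.links),
            "script_swaps": swaps, "suspect": swaps > 0 and words >= min_words}

# Constructed sample: content in the markup, plus a script that swaps in a notice.
SAMPLE = ("<html><body><script>location.replace('/suspended.html');</script>"
          "<p>" + "filler words here " * 10 + "</p>"
          "<a href='http://example.invalid/a'>more</a></body></html>")
```

A page that shows only a suspension notice, with no content behind it, is not flagged; the signal is the combination of indexable content and a script that replaces it.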

Referrer spam: Many things can be misused, it seems

Thursday, February 17th, 2005

LeechGet was misused by a spammer today.

Sam Spade can even be misused.

And Elliot Bäck even made a free reffy clone.

Also, make note that I caught someone in my logs today, using even the user agents of search engine spiders. Well known ones. IP address: 213.23.176.235

So, why am I posting the links, knowing full well people can misuse these things?

Simple, only stupid people referrer spam from here on out.

I fully expect the domains spamvertized in this way will be banned. Maybe not today, maybe not tomorrow, but unless you run a campaign with a lifespan of one month, and expect to trash the domain after that, you’ll eventually be bested by Google.

It’s just a matter of time.

After all, see what happened to M0nkey…

New offender - referrer spam

Thursday, February 17th, 2005

I have a new offender, spamvertizing a slew of different domains. He’s using software he doesn’t completely understand.

69.225.183.82

My guess is he’s using his own IP address.

Investigation underway, and will be added to this post as I slog through whatever evidence I find…

OK, I’ve gone through the domains he’s spamvertizing, and it seems to me this is either a test run, or someone trying to sully the name of respected sites. One of these is a university that’s been online since 1985. It’s of course possible these companies have hired an incredibly clueless SEM (Search Engine Marketing) “Expert”, but I somehow doubt it. The software might be Reffy run without proxies.

You should be able to recognize him by his convention of not including http:// in front of his URLs.
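The recognition rule above, turned into a log check (an added example, not part of the original post): it reads Apache combined-format lines and reports client IPs that send referrers without a scheme for several different foreign hosts. The log lines, host names, documentation-range IP addresses and the `min_hosts` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$')

def referrer_host(ref):
    """Return (host, has_scheme); host is None for empty or unparseable values."""
    if ref in ("", "-"):
        return None, True
    has_scheme = bool(re.match(r"^https?://", ref, re.I))
    try:
        host = urlsplit(ref if has_scheme else "http://" + ref).hostname
    except ValueError:
        return None, has_scheme
    return host, has_scheme

def suspicious_referrers(lines, own_host, min_hosts=3):
    """Map client IP -> foreign referrer hosts, for IPs sending scheme-less referrers."""
    seen = defaultdict(lambda: {"hosts": set(), "schemeless": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, ref, _agent = m.groups()
        host, has_scheme = referrer_host(ref)
        if host is None or host == own_host:
            continue
        seen[ip]["hosts"].add(host)
        seen[ip]["schemeless"] += not has_scheme
    return {ip: sorted(d["hosts"]) for ip, d in seen.items()
            if d["schemeless"] and len(d["hosts"]) >= min_hosts}

# Constructed log lines (documentation IP ranges, made-up hosts).
T = '[17/Feb/2005:10:00:01 +0100] "GET / HTTP/1.1" 200 5120'
SAMPLE_LOG = [
    f'192.0.2.10 - - {T} "www.site-a.example/page" "Mozilla/4.0"',
    f'192.0.2.10 - - {T} "site-b.example" "Mozilla/4.0"',
    f'192.0.2.10 - - {T} "site-c.example/x" "Mozilla/4.0"',
    f'198.51.100.7 - - {T} "http://search.example/?q=blog" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "-" "Mozilla/5.0"',
]
```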

Help Puppy Pile!

Thursday, February 17th, 2005

Found this frustrated rant from The Puppy Pile today.

Her referrer spam situation seems way worse than mine, and she’s even dealing with fake search engine queries!

Someone tell her about mod_rewrite!

Oh, crap (excuse me). She says her blog has been added to an update list for reffy. No wonder she’s getting hammered.

Kate, you wanna give him a wedgie? You’ll have to go to Norway first, though.

UPDATE: One reason for lewd search engine queries in your logs is if you’re slow to clean up comments and trackbacks. You see, the spammers might try searching for their own or competitors’ words, in an attempt to find poorly moderated blogs. Not saying that’s what happened to you, Kate, just mentioning possible explanations.

The Norwegian spammer tries to cover his tracks

Thursday, February 17th, 2005

I found the Norwegian spammer looking at my blog yesterday. And what did he check out?

Heh, maybe he thought I wouldn’t see it if he checked out the Google cache of one of my posts?

But my, he just gave me more information…

His search term was:
reffy william indre

Which means he was looking for people talking about his little program, and also mentioning the name in the whois of some of his domains: William Indre.

Which, in spammer logic, probably means he’s changed the whois info on some earlier unprotected domains. His most central domains are whoisprotected.

Yep, one of his other domains now sports this info:

Quirin
Quirin Stocker (a.r.k.i.t.e.k.t at home.se)
+1.5555555555
Fax: +1.5555555555
Schoneggstrasse 11
Zurich, ZU 8004
CH

Can you say fake?

UPDATE: By the way M0nkey, you should check reffy in this tool. Looks to me like Google banned your domain!!!

The Bulgarians are back

Thursday, February 17th, 2005

And this time they’re flogging nutzu dot com.

Which probably means the trackback attack yesterday was from them too.

I first heard about nutzu from two other bloggers yesterday, but they got to me after a while as well.

Yesterday the domain didn’t ping anything, but today it’s got one of those account suspended notices. And this one looks a lot more legit. But considering their prior tricks, I don’t believe it.

Especially since the contact form on there leads to a nonexistent address at Gandi. The top level domain doesn’t look right. The site itself is hosted on the spamhost in China.

This is actually one of the most massive referrer spam runs I’ve ever seen. Only one domain, no subdomains, and many different pages on that domain.

More about the Bulgarians

New trackback spam run - don’t know who

Wednesday, February 16th, 2005

There was a new trackback spam run two hours ago. My blocks caught them, but I don’t know why. Don’t know for sure who these were. If any of you managed to snag one of these, I’d like to see a sample.

At least some were open proxies, and different user agents. That points to the Bulgarians, or someone using similar programs.

No more referrer spam, though, so it’s hard to say.

AND, I’ve got quite a few Google queries for people looking for mt-tb.cgi. I’ve got a top ten Google placement for that query. So it might be a new one. Will have to look into that.

Proxy software for the .htaccess

Wednesday, February 16th, 2005

I got an entry in my log today with the telling user agent: SBP

AKA Simple Browser Proxy

In this instance, it’s running on a hostdime server.

I can’t imagine what the point is. I’m guessing the browser came in through the kuro5hin link, though.

But using a proxy just to check out a stranger’s blog? Not sitting well with me. So up in the .htaccess it goes…

Spammers, read this!

Wednesday, February 16th, 2005

I don’t advocate violence. And I feel it’s much better to beat them some other way. But I had to snicker at this discussion: Cold Fury

Quite a lot of anger! And considering we DO track them down given enough time, I guess they should feel very lucky they’re not close by some of the bloggers.

Alexander learns from the Bulgarians?

Wednesday, February 16th, 2005

Alexander is in the middle of a new trackback spam run.

I deleted one of my blocks on purpose, to see what he was peddling next time.

And found out that all the sites he was peddling had a 404 error.

But now I’m starting to wonder. I mean, he JUST started, and I doubt the free hosts would manage to get him yanked THAT fast, unless he just didn’t get to my blog until day two of his campaign?

No, I’m starting to think he hasn’t even registered the accounts yet, or he’s just registered but hasn’t started building yet. I think he’s counting on us thinking the sites have been yanked already. And notice how he’s using Spanish and Polish language sites, so it would be hard for us to communicate with the site owners, and hard to figure out what the pages actually say? Can be done, though.

I’ll keep the trackbacks safe for a few days, then check them out and then report him to the free hosts.

Now I’m off to clean my trackbacks.

How about a plugin or MT update so I can moderate those trackbacks?

UPDATE: Yes, Alexander is using a variation of the account terminated technique. I dug in my mailbox, and found a conversation I’d had with one of the other bloggers about one of Alexander’s trackbacks. I said it looked like the portal had already managed to yank Alexander’s site. That’s how it looked at the time. But I rechecked it today, and it’s being served today. So, he was doing this already back in the beginning of February. In other words, expect the URLs spammed today to start working in a while.