Skip to content

Archives

Referrer spam not via proxies

So a little more investigation shows that the massive numbers of IPs spamming my referrer logs (like 1000 different IPs every day), are not open proxies as I at first thought; I tested 130, and none had any of the well-known proxy ports open.

My current guess is that they’re malware, such as those ‘ad banner spyware’ programs, and the makers of that software must be doing deals with spam companies to set up the spyware to periodically load URLs in order to referrer-spam for the spam bureau’s customers.

In this case, all the spammed URLs are owned and registered by one porn operation, which is either operating from Switzerland (according to the tech contact info) or Los Angeles (according to the DNS info in whois). (More likely the latter.)

All the IPs doing the spam page loads, are running on Windows XP and Windows 2000 systems as far as I can see, with ports 1025 and 5000 open, so alternatively, maybe they’re trojaned… but there doesn’t seem to be any good evidence indicating that. (those ports are reasonably innocuous.)

Anyone got any ideas? Here’s some sample access_log lines for 100 IPs, gzipped, if anyone wants to check them out.