More referrer spam stuff. As Mark states in the comments here, it seems that the referrer-spamming is using real browsers run by real people — no bots, no proxies.
The spammers create HTML pages which contain an IMG tag, using one of our
pages in the SRC attribute. This causes the user’s browser to attempt to
download the page — giving the correct referrer URL — but it’s not
particularly visible to the user — since it’s a HTML page, not an image. All
they’re likely to see is a ‘broken image’ icon, and more likely the image is
hidden anyway using a hidden div or width=0 height=0 attributes.
Anyway, I took a look at the HTML for those sites. Interestingly, all of them use a distinctive HTML style, with a redirecting frame and some Javascript to load the following pop-up ad:
http: //pb. xxxconnex. com/pb.phtml? d=aporndomain.net &sc=EXPN &ip=9999999999 &c=preview
Where ‘aporndomain.net’ is a porn domain, not necessarily always the same one as you’re viewing, and ‘9999999999’ is a 10-digit number. This then loads a frameset containing another random popunder ad from a load of domains. It also throws a few hidden ones into the corner, loads them as pop-unders, loads a javascript timer to open new ones occasionally, etc. etc. etc. As you close ’em, new ones open, and so on. Glad I don’t run IE ;)
I would bet these guys, xxxconnex.com — or one of their customers — are
the ones behind the referrer-spamming as a result. Their WHOIS info states
they are:
Admin, Domain info@webfinity.net 1E Braemar Ave Unit 19 Kingston 10, WI N/A JM 876-357-8404
Interestingly, that phone number and address also shows up in ROKSO as well, listed under domain registrations controlled by the ‘Dynamic Pipe / Webfinity / Python Video’ spam gang, ie. one of the biggest sources of porn spam out there. They’re diversifying it seems!
Based on some suggestions on Kasia’s weblog, I think I now have a good comeback — still working on this though.