Skip to content

Archives

Referrer Spam Again

More referrer spam stuff. As Mark states in the comments here, it seems that the referrer-spamming is using real browsers run by real people — no bots, no proxies.

The spammers create HTML pages which contain an IMG tag, using one of our pages in the SRC attribute. This causes the user’s browser to attempt to download the page — giving the correct referrer URL — but it’s not particularly visible to the user — since it’s a HTML page, not an image. All they’re likely to see is a ‘broken image’ icon, and more likely the image is hidden anyway using a hidden div or width=0 height=0 attributes.

Anyway, I took a look at the HTML for those sites. Interestingly, all of them use a distinctive HTML style, with a redirecting frame and some Javascript to load the following pop-up ad:

http: //pb. xxxconnex. com/pb.phtml? d=aporndomain.net &sc=EXPN &ip=9999999999 &c=preview

Where ‘aporndomain.net’ is a porn domain, not necessarily always the same one as you’re viewing, and ‘9999999999’ is a 10-digit number. This then loads a frameset containing another random popunder ad from a load of domains. It also throws a few hidden ones into the corner, loads them as pop-unders, loads a javascript timer to open new ones occasionally, etc. etc. etc. As you close ’em, new ones open, and so on. Glad I don’t run IE ;)

I would bet these guys, xxxconnex.com — or one of their customers — are the ones behind the referrer-spamming as a result. Their WHOIS info states they are:

Admin, Domain  info@webfinity.net
1E Braemar Ave
Unit 19
Kingston 10, WI N/A
JM
876-357-8404

Interestingly, that phone number and address also shows up in ROKSO as well, listed under domain registrations controlled by the ‘Dynamic Pipe / Webfinity / Python Video’ spam gang, ie. one of the biggest sources of porn spam out there. They’re diversifying it seems!

Based on some suggestions on Kasia’s weblog, I think I now have a good comeback — still working on this though.