A wave of referral spam recently hit my Blogger stats that looked like it might be real referrals, but as you have probably guessed from the title, it was spam again. The culprits are from freenode . net in two incarnations and I’ll be showing where the links lead to. Also included is some bonus spam involving the sex trade, travel, and an error message.
Remember to never click on suspicious links and leave that to those of us crazy enough to do so! You could end up with all sorts of nasty stuff on your computer.
For the past week, http: // webchat . freenode . net / ?channels=%23%23dedicatedpool has been knocking at my door and wanting in. To be precise, 24 times it has visited my blog stats. At first I suspected somebody had linked a review or a screen capture in a chat, but none of my other trackers showed it.
Now Freenode has been around hosting relay chats for almost as long as the World Wide Web has been around. It has also had shady characters associated with it and denial of service attacks have been made against it from time to time. Since it is readily available for anyone to use, it is ripe for abuse.
When I saw the above log in screen, I stopped cold because I had no interest in delving further if I had to register.
Could someone have legitimately linked to me? Yes. I’m going to err on the side of safety because this referral has not shown up in Google Analytics or Statcounter logs.
So when https : // kiwiirc . com / client / irc . freenode . net / ##dedicatedpool showed up for 14 visits, I was more than a little suspicious. Of course the users could all have their javascript disabled, but that would be farfetched to say the least.
I’m curious to see if others have had these hits.
Much more obvious spam came in around the same time too.
From the very sleazy underbelly of the Net came two different links to nudo . net that led to the above page. I went no further since the site is obviously related to prostitution given the links that came in: http : // nudo . ca / escort / male and http : // nudo . ca / services / reno_1 .
More harmless was a return of travel service spam, this time http : // newstraveller . ru / czech / botanicheskiy-sad-pragi-uvlekatelnoe-mesto-dlya-turistov . html . It looks to be a real site simply promoting itself by spam rather than anything truly sinister, or at least that’s how a cursory look through Google Translate appeared. Negative SEO is a wildcard possibility, however I’ve seen too many travel sites spamming to think that’s the case here.
Finally, a very suspect link http: // xn—0cajkdgo9avx . su / news-hentai failed to connect when loaded. Was it a Finnish site devoted to Japanese perversions? I really don’t want to know and was relieved when it produced an error message.
11 comments:
I saw that freenode stuff and when I saw the login screen, I knew something suspicious was up. I'll probably not click on those those links in the stats section of my Blogger.
Thank you, Patrick!! I had a feeling you'd have the skinny on this URL. Because of the word "chat" in the title, for just a second, I thought that someone might have been sharing one of my recipe posts on a legit chat forum. Then I became concerned that some unscrupulous jerk was skimming from me and trying to get away with passing it off as their own. (this has happened to me more than once, unfortunately) Luckily, my gut said, "go check Patick's blog" and lo and behold, here it is! I really do appreciate what you do in the service of your fellow bloggers. A lot of folks could easily and innocently get their computers (and in some cases, much more than that) all jammed up by these creeps. By taking the time to investigate as safely as possible and then posting your findings, I guarantee that you've saved more than a few bloggers out there from certain internet doom. I'm sure that several people read your findings and might not leave a comment, but I just wanted to let you know that I am truly very grateful for your efforts! Thank you, kind sir! Have a great weekend!
Glad to be of service, Mary. You have a great weekend too.
Thanks Patrick, I have the webchat referrals too for a week or so and didn't know what they were, cheers for clearing that up :)
Thank you so much for this article. I was suspicious when my web stats showed 33 visits from this site in the past one week. Thank you for the warning.
Regards
Dr Sonia S V
Thanks for sharing this, I have had webchat.freenode popping up on my stats too a couple of times recently. I thought it was a bit odd but like the others it makes you wonder if someone has linked something. I will continue to ignore them!
The channel in question has 120 people in it, so seeing 30 of them click on a link shared in the channel would not be surprising. There is nothing malicious to worry about with webchat.freenode.net itself; it's simply a web browser interface to the freenode IRC network. Note that links you find shared over IRC might not all be safe, however.
The login credentials on webchat.freenode.net are optional, for people who are already familiar with and regularly use freenode. If you want to join as a guest, then just make up whatever nickname you like, answer the recaptcha (which blocks spam bots), and click connect.
I joined and watched for a day or so, and saw someone toss out a blogspot link to an image in someone's blog. The discussion wasn't related to the blog at all, so I think they just got the image link off a google images search or something, and were talking about it.
Anon -- That would make sense if the link was clicked over a short period of time, but it extended to over a week. Then there was the fact the same exact link showed up as a referral on multiple blogs.
But what is most interesting is the referral did not show up in either Google Analytics or Statcounter. That would require everyone clicking the link to be blocking javascript (completely or through Noscript) to both services, which while possible, is highly unlikely. During that period, under 10 visits to my entire blog had it disabled. That's far less than 24.
I know freenode is a valid service, but as I stated it can be abused. It was a strange bit of spam, no doubt.
I was curious about this too. It says that it's all coming from Russia, but who knows. I'm still confused by it but after seeing that initial login page I too turned back. It's annoying though because just yesterday 86 hits came from that service. It make it hard to keep track of legitimate stats.
Of course I'm the total loser who tried to sign in to see who freenode was and why I couldn't view it... Only after I tried to create an account did google search it and came up with your blog...heavy sigh.
I've noticed the same wave of visits from webchat.freenode on my two blogspot blogs for a couple of weeks. Surely it's spam.
Post a Comment