Showing posts with label blogs.

Friday, September 13, 2013

Zombie Spam

I kind of wish the following referral spam had shown up in October so that I could have had a Halloween themed commentary. Instead it arrived in the middle of September. But hey, the undead always show up at the most unwelcome of times – sometimes repeatedly. At the time of writing this, http : // jetsli . de / crawler has shown up fourteen times in my Blogger stats for the day.

jetsli spam 01

Using my trusty virtual machine running Windows XP, I checked out the link safely. Remember kids, don’t try this at home!

What showed up was a classic dead domain, which was mildly disappointing. Since the spammer had let the domain lapse, there wasn’t much evidence of what kind of money making scheme had been involved.

So I clicked on a couple of links anyway.

Tuesday, September 03, 2013

More Linkbucks Connected Spam

Some more referral spam has shown up on Blogger and one provided an unexpected connection to two earlier ones. The first was reported by commenter Charlotte and arrived as 0288c729 . qqc . co which leads to Linkbucks again like a link that started with ceae2122.

So what do you get if you click on that odd string of numbers and letters?

o288c729 Spam 01

o288c729 Spam 02

First up is an ad telling you that you absolutely need to download a download manager. Yeah, like that won’t lead to bad things on your system. Remember kids, don’t try this at home and don’t trust strange links. Never click on anything you don’t already know and that includes things sent by trusted friends.

Monday, August 12, 2013

Sailing the High Seas of Spam Piracy

No, this post isn’t about hijacking trucks coming out of Hormel’s canning plants. What I’m on about is the latest referral spam to visit Blogger’s stats for From the Sidelines, http : // getfilesme . com /

UPDATED 19 Oct 2013 to include filesw8 . com

getfilesme spam 01

filesw8 Spam

First off, don’t click on the referral if you see it, there is no point in feeding the spammers and associating yourself with piracy if the government comes snooping around on behalf of the entertainment industry. You also don’t know what you could catch from visiting such sites since they are a favorite way to spread trojans, keyloggers, and all sorts of malware. In other words, don’t try this at home kids.

UPDATE: A nearly identical site showed up today as filesw8 . com and I have no doubt it is put up by the same people. Stay away from it too.

Thursday, August 08, 2013

More Polish Spam

It seems I’m getting more referral spam linking to websites in Poland than anywhere else these days. The latest is http : // butyairmax90 . pl / which leads to a Nike shoes site (via my virtual Windows XP machine):

butyaimmax90 spam

How much you want to bet these are knockoffs and not the real thing?

Wrist watches have long been status symbols, so cheap copies of Rolexes are something one expects. However, the rise of the expensive running shoe has been something that has occurred in my lifetime and is extremely silly to me. There is money to be had there no matter what my viewpoint is, so this kind of spam is getting common.

Do not click on the link if it shows up in your Blogger stats or emails!

Friday, July 26, 2013

A Change of Pace: Porn Spam

It’s been a while since porn site referral spam showed up and today a false Blogger referral showed up from http: // asian . erolove . in / The title gives away the content right away, so don’t expect screen captures. A simple rule is that anything that has “love” or “ero” is going to feature pornographic material.

Strange as it may sound given my disapproval of pornography, this was almost nostalgic because I remember when porn spam and letters from Nigeria asking for banking help were the norm. These days weight loss and get rich quick schemes dominate with attempts to sell pharmaceutical products right behind.

One of the most bizarre things I’ve run into has been the flood of email spam from a Canadian pharmacy trying to sell Viagra and similar products.

“That doesn’t sound bizarre” you say thinking about your email account’s junk filter. What made it strange is that it posed as a lot of different things in the titles including weight loss, celebrity scandal information, and -- porn. It used to be the porn masquerading as something else! We live in a bizarre world.

Don’t click the referral!

Wednesday, July 24, 2013

A Failure to Load a Spam Site

While I post about referral spam as a form of public service, I sometimes get sites that won’t load right in my Linux based virtual machine. I can’t tell if the error is due to incompatibilities or attempted shenanigans by the spam site.

http: // ceae2122 . dyo . gs / is one such site that appeared in my Blogger stats today. It goes straight to LinkBucks and is supposed to be a video. When I clicked on the video it wanted me to update my video player.

ceae2122 spam 01

ceae2122 spam 02

It looks like an ad before the actual destination, but curiosity led me to see what would happen if I clicked the button. First came instructions and then it got interesting:

ceae2122 spam 03

It wanted me to download and install a customized version of VLC player. Being very familiar with that software, I recognized that isn’t the real release file. Not being interested in cleaning up an infection when I haven’t even gotten to the final destination, I canceled that.

So where did clicking “skip this ad” end up taking me?

ceae2122 spam 04

Well that’s disappointing. I have no clue what it was supposed to be thanks to the server error. It could be a missing destination for all I know.

LinkBucks is a very shady bunch and to be avoided like the bubonic plague anyway. Don’t click on anything going to them!

I really need to get ReactOS or Windows XP running in a virtual machine for some of these investigations.

Comment Spam in the E-mail

The experiment with removing bot checks from commenting continues and so does the spam in my email account. Always posing as an anonymous commenter, it only shows up in my Gmail account but not in Blogger. So at least some of the filters are working. That’s the only silver lining since I have to check each email out.

Once again it is time to fire up the virtual machine with Ubuntu on it to do some investigating. Here are some examples and where the links lead to:

Anonymous has left a new comment on your post "Howl’s Moving Castle (2004)":
Cygiefiania xaikalitag icergeallonia [ url = http: // usillumaror . com ] iziananatt [ /url ] Juicillenna http: // gussannghor . com EnedonoMory

The first link is embedded in xaikalitag and is ww2 . wikaswieier . com which throws up an error message. The second link gets the same result.

Gussanghor spam

The third time is the charm and we get to see a fake search engine made to mine money from click referrals.

Monday, July 15, 2013

Referral Spam Overload

Updated 15 July 2013 with screen captures and testing Tor for browsing.

A very quick post; referral spam went nuts the past 24 hours on the blog totalling 35 hits. The culprits:

adsensewatchdog . com

adsensewatchdog spam 01

This is what it looks like without Tor and NoScript. A wide index of terms so they get hits. Just another fake search engine riding the real ones to get traffic and money for pages served.

adsensewatchdog spam 02

With Tor (an untrackable browser) and NoScript it looks completely different. Fancier parked graphics and no links.

Spam and an Apparent Pyramid Scheme

Commenter Charlotte gave a heads up that a new spammer has shown up in Blogger’s stats so I checked it out several days ago. I didn’t get the spam myself and wasn’t feeling the love from referral spammers. Then the last 24 hours produced 22 spam hits of various kinds including the new one awsurveys . com / ?R=1070526 which showed up seven times. I guess they still love me. Is this what they call “bad love”? UPDATED with another link being used and a shady service connected to it.

AWSurveys Spam 01

So I fired up my virtual PC and checked out the link. Remember folks, don’t try this yourself! Clicking on referral link spam can cause any number of problems including getting your computer infected with malware.

Friday, July 12, 2013

Old Spam Is Still Indigestible

Getting back to posting reviews is turning out to be harder than I expected and the new rounds of referral spam have taken up time meant for writing on other topics. The latest to hit my Blogger stats is from newsuc . com and according to DuckDuckGo it is a parked domain, which means no real content is hosted there. The page showing up from this dedicated-to-spamming site is newsuc . com / blog / blog1 . php / 2009 / 07 / 20 / giant-quake-tsunami though there are several others at the site.

newsuc spam 01

I fired up my virtual machine (VM) running Ubuntu for safe investigation of the site and to take screen captures. Remember, don’t click on the links from newsuc! What I found looked like a real blog, if out of date by three years. But why would they be linking me now?

Thursday, July 11, 2013

A Tricky Bit of Spam

Spammers apparently never sleep and so it isn’t long before a new referral spam hits Blogger or an old one appears under a new link.  This particular one is a new one to me and came in as t . co / 1kXhhiBfBE using a shortened Twitter link. So what is it really?

Screenshot - 7_11_2013 , 8_49_44 AM

A misogynistic offer to teach men how to seduce women. Apparently it is a video and the format looks all too familiar. The content is different, but I never did see the presentation due to this:

Screenshot - 7_11_2013 , 8_52_25 AM

Firefox on Ubuntu failed to install when the camera icon was clicked on. Children, don’t try this at home! Digging into the page source code revealed the video link claims to be in SWF format but as you can see, nothing happened. If it is malicious code aimed at Windows, it found the wrong operating system to play with.

Screenshot - 7_11_2013 , 8_54_31 AM

Finally, when you try to close or back out of the page, the javascript launches this appeal to the profoundly desperate. I’m sad to say this will actually work on some guys.

UPDATED: This is now coming in as a full address, thetaoofbadass . pw / ?a_aid=517d032416eac which makes it seem even more silly.

Looking at the source code (with no expertise on my part) was revealing in that this appears to be a prefabricated template complete with instructions. A talented coder will glean a lot more than I did, but it shows just how polished the malware and spam pushing has gotten. It is all very professional now and it seems that the weight loss spam used the same form.

Wednesday, June 26, 2013

Ohbelog Referral Spam

So I see a Malaysian website on my Blogger stats today and couldn’t resist seeing what the latest spam was. It turned out to be a very interesting place to investigate. An ornate trap is what I would describe ohbelog . com as. At first look it appears to be a social media aggregate site where you can vote up or down on different links.

It’s flashy and oh so modern:

ohbelog01

ohbelog04

Scrolling down reveals that not a lot of voting is going on and clicking on some of the subsections in the menu nets these results:

ohbelog02

ohbelog03

Notice anything suspicious yet?

Saturday, May 18, 2013

Topblogstories Referral Spam

Another round of spam has hit the blog stats page and this time it is a link to a purported hookup service for the sexually desperate. Okay, it doesn’t say that, but that’s how I view it.

topblogstories . com / led me to this page:

Link to NSFW screen capture, but not pornographic image.

topblogstories . com / 18331&c=3 led to virtually the same page:

Link to NSFW screen capture, but not pornographic image.

Notice the javascript coding picks up where your IP is from. I suspect false advertising given the number of breasts promised.

As usual, do not click on the referrals! I hope your mother warned you about these kinds of girls…

…and hopefully you will warn others about these kinds of spam.

UPDATE: The first link now leads to a topless photo. It may be that they rotate them, but be warned it is now very NSFW!

UPDATE 2: Seeing another round of it with a small variance. Persistent, aren’t they?

topblogstories . com / 7293&c=6

UPDATE 3: Thanks to the efforts of commenter Edgar Bangkok there are more details on the spammers, both methods and probable location in Ukraine. He’s posted detailed analysis at his blog in two posts:

The first one shows how javascript is used on the webpage.

The second post shows the topblogstories spammers are now targeting Google Analytics and shows sublinks going to AdultFriendFinder and Damned Love.

If you don’t read Italian, you’ll need to use a translation service such as Google Translate to read his posts.

Thursday, February 14, 2013

Mamie’s Life

The project I’ve mentioned working on is finally live in a bare bones kind of way. Mamie’s Life is a new blog where I’ll be posting the writings and diary entries of my late paternal grandmother. Much work needs to be done yet including adding photos and a brief biography, but I wanted to get something up for what would have been her 105th birthday.

I was too young when she died to have ever given her a valentine, so this is my way of doing so. It is also my way of getting to know her. Please take a look.

Saturday, January 26, 2013

An Odd Bit of Spam

2013 continues to be an interesting year for blog referral spam here at From the Sidelines. The latest one intrigued me a great deal due to how ridiculously long the link was:

applehut . info / 2011 / 08 / 05/ woot – deal – 16gb – hp – touchpad - %e2%80%93 – 379 – 99 – 5 – shipping . php

I’ve added a lot of spaces to disable the link from working, but did check it out in a Linux virtual machine. The site is another fake meant to lure traffic in and poses as an aggregator of smart/cellphone news. It even has an “About” page! That particular post is very out of date which was a tip off that they hadn’t really linked me. Also, I’ve never written about the HP Touchpad! Something very amusing to me is that the post itself may have been spammed in the comments.

If you are going to sucker people in for a deal, it would be smart to at least have the date on the post be within the current month and year, don’t you think? Not to mention using a product that isn’t out of production and replaced by cheaper alternatives that are vastly superior.

As far as how safe the link is to check out, I cannot say since I used Linux to visit it. There might be some Windows (or other OS) based malware there in the ads, but I wouldn’t be able to tell. I highly recommend not clicking on this or any other link from there in your referrals.

Also recommended is adding Google Analytics, Statcounter, or some other tracking service rather than relying on Blogger’s own stats. They filter this spam out a lot more effectively, though they aren’t bullet proof. In the end, your own judgment is your best defense against spam.

Neither registered this referral.

Wednesday, January 02, 2013

First Referral Spam of 2013

The new year has hardly begun and a new spammer has shown up: videoshub . needz . it. From the spelling, I can only surmise that it is a link to tawdry materials of a graphic nature. It is highly suggested you do not click on it if you find it in your Blogger stats.

Thursday, October 18, 2012

Spam, Spam, Spam, Lovely Spam…

After the temporary stats outage at Blogger last Sunday, I had vague hope against hope that something was being done about the referral spam. Of course I knew better, but it was a nice dream. So a couple more referral spam links have shown up since then and racked up 37 hits between them.

itpaystoday . TextCashNetwork . com has been the most prevalent, not to mention most obvious. There must be a sucker born every other minute (birth rates are down, you know) in order for these operations to keep going. It boggles my mind that people fall for it. It is out of Russia like so many of the others.

The other spammer has trickip . net for an address. There is a faint possibility this is not referral spam, but there is no way I am clicking on anything that has a name like that. Not even sandboxing the browser is enough to convince me to do it.

Sunday, October 14, 2012

Blogger Stats Vanish and Life Goes On

It was interesting to log into Blogger’s Dashboard tonight and see all the stats had vanished. This messes up two widgets I used, so it is inconvenient to say the least. I am not alone in this with the support boards lighting up with hordes of unhappy bloggers complaining.

While I do use the stats for auto arranging the top posts for the past week and all time, I had been thinking of embedding a tracker besides Google Analytics, which is still working. I will have to dig into those services and see if there are any widgets that perform a similar task available, but it isn’t a priority. With Noscript and Firefox being popular, it isn’t like we can get a perfect record of traffic anyway.

This outage certainly won’t stop my posting and I have much to do besides.

UPDATE: 10-15-2012

I see the stats are back. Life does indeed go on.

Monday, October 01, 2012

More Russian Referral Spam

The latest round of spam showing up as Blogger hits comes from fr.netlog . com and appears to be actually a link from t . co instead. So far I have gotten sixteen “referrals” from there this week. While they show up on the Blogger dashboard’s stats, Google Analytics does not list the hits. Why Google does not filter them out for Blogger’s built in stats puzzles me.

So anyone getting hits from there, please do not click on the links to investigate; that is what they want you to do. I would not be surprised if this is being done by the same people responsible for the aptratings spam.

UPDATED October 1, 2012

Yet another round of referral spam from Russia has been hitting my blog heavily. In this case adsresultpages . com links to a viagra ad. Out of curiosity, I looked up the website through whois and found out it gets about the same amount of visits I do a day. Not exactly a successful campaign, is it?

Funny thing is that referral spam has been around since at least 2002 when blogs started getting going in earnest and nobody can figure out how it can be profitable.

Thursday, September 13, 2012

An Impressive Bit of Socially Engineered Blog Spam

Going through my email account revealed a comment waiting to be approved. While posted from that ever witty pseudo being, Anonymous, it looked legit at first before going off the rails:

Write more, thats all I have to say. Literally, it seems as though you relied on the video to make your point. You definitely know what youre talking about, why waste your intelligence on just posting videos to your weblog when you could be giving us something enlightening to read? Look at my homepage ... free porn

No video on the post is a wee bit of a giveaway even before the pornography offer (link deleted by me). Misspelling is no longer a surefire indicator that something is spam, so that can be forgiven. The idea of using constructive criticism as a form of social engineering in spam is a new one to me. I know it made me read the entire thing, so I bet this one is fairly effective.

Fiendishly clever is the phrase that applies, methinks.

UPDATED

Meanwhile, the Russian referral spam continues unabated. This time it is one from super-online-search . com that takes you to a site you do not want to visit. The Huns are at the gates, I tell you.

UPDATED 9-13-2012

A comment for another post is another clever variation of this that turned out to be a way to get clicks on a “survey” site as well as the video.

I'm having this exact problem with the video: http://www.youtube.com/(removed by me)  I've put one comment on the video site, but Youtube won't let me link your post as part of the explanation. So far, you are the only post that has tried to make sense of this stupid spam issue. Thanks for posting!

The identity of the commenter was “Ron” but the link to his profile is the aforementioned survey at sprezzaturarrd . blgospot . com. Interesting development because it looks like they are aware of people trying to spread the word. Notice how the video gets another hyperlink via the comment?

Sadly they did get a couple of clicks out of me verifying the profile, but somebody has to take a look to see what is going on to warn others.