Sailing the High Seas of Spam Piracy

No, this post isn’t about hijacking trucks coming out of Hormel’s canning plants.What I’m on about is the latest referral spam to visit Blogger’s stats for From the Sidelines, http : // getfilesme . com / UPDATED 19 Oct 2013 to include filesw8 . com

 

First off, don’t click on the referral if you see it, there is no point in feeding the spammers and associating yourself with piracy if the government comes snooping around on behalf of the entertainment industry. You also don’t know what you could catch from visiting such sites since they are a favorite way to spread trojans, keyloggers, and all sorts of malware. In other words, don’t try this at home kids.

UPDATE: A nearly identical site showed up today as filesw8 . com and I have no doubt it is put up by the same people. Stay away from it too.

More Polish Spam

It seems I’m getting more referral spam linking to websites in Poland than anywhere else these days. The latest is http : // butyairmax90 . pl / which leads to a Nike shoes site (via my virtual Windows XP machine):

How much you want to bet these are knockoffs and not the real thing?

Wrist watches have long been status symbols, so cheap copies of Rolex’s is something one expects. However, the rise of the expensive running shoe has been something that has occurred in my lifetime and is extremely silly to me. There is money to be had there no matter what my viewpoint is so this kind of spam is getting common.

Do not click on the link if it shows up in your Blogger stats or emails!

A Couple of Drive-by Spams

We all notice the spam that hammers our referral statistics on Blogger’s control panel. But there is spam that only hits once or twice and is only seen if you are there at the right time. A couple of cases of these “drive-by” spammers were seen by me this week and you couldn’t get any different in what they were promoting.

First, one that hit today: http : // girlswithglasses . blognet . pw /

This happens to be hosted on blogger but with a name like that I was suspicious and fired up my virtual machine. Sure enough, it is a porn site looking to make money off of clicks. Do not click! Needless to say, there won’t be a screen capture.

The other one was suspicious since it looked like it was masquerading as a legitimate site: http: // quitcoal . org / node / add

Well, it is a legit site. This is a Greenpeace run anti-coal page and it appears someone was trying to make people who clicked on the link automatically join the petition/site. Of course that’s an error message you see in the screen shot, so that forced recruitment failed.

Political referral spam, this is a first in my experience. I’m sure the individual responsible felt righteously motivated and justified in saving the planet. However, a policy of the ends justifying the means always leads into darkness and soon the would be do-gooder is a force of evil rather than good. In other words, a spammer.

By the way, I included the entire virtual machine window to show off my new way of flirting with disaster (cue Molly Hatchet) – checking out sites with Windows XP. The installation is setup to be roughly what an average user would have in the way of security to see what kind of nasty infections I can get from these sites. It’s actually a clone of a clean installation too, so I can do this without any hassle of reinstalls.

A Change of Pace: Porn Spam

It’s been awhile since porn site referral spam showed up and today a false Blogger referral showed up from http: // asian . erolove . in / The title gives away the content right away, so don’t expect screen captures. A simple rule is that anything that has “love” or “ero” is going to feature pornographic material.

Strange as it may sound given my disapproval of pornography, this was almost nostalgic because I remember when porn spam and letters from Nigeria asking for banking help were the norm. These days weight loss and get rich quick schemes dominate with attempts to sell pharmaceutical products right behind.

One of the most bizarre things I’ve run into has been the flood of email spam from a Canadian pharmacy trying to sell Viagra and similar products.

“That doesn’t sound bizarre” you say thinking about your email account’s junk filter. What made it strange is that it posed as a lot of different things in the titles including weight loss, celebrity scandal information, and -- porn. It used to be the porn masquerading as something else! We live in a bizarre world.

Don’t click the referral!

A Failure to Load a Spam Site

While I post about referral spam as a form of public service, I sometimes get sites that won’t load right in my Linux based virtual machine. I can’t tell if the error is due incompatibilities or attempted shenanigans by the spam site.

http: // ceae2122 . dyo . gs / is once such site that appeared in my Blogger stats today. It goes straight to LinkBucks and is supposed to be a video. When I clicked on the video it wanted me to update my video player.

It looks like an ad before the actual destination, but curiosity led me to see what would happen if I clicked the button. First came instructions and then it got interesting:

It wanted me to download and install a customized version of VLC player. Being very familiar with that software, I recognized that isn’t the real release file. Not being interested in cleaning up an infection when I haven’t even gotten to the final destination, I canceled that.

So where did clicking “skip this ad” end up taking me?

Well that’s disappointing. I have no clue what it was supposed to be thanks to the server error. It could be a missing destination for all I know.

LinkBucks is a very shady bunch and to be avoided like the bubonic plague anyway. Don’t click on anything going to them!

I really need to get ReactOS or WindowsXP running in a virtual machine for some of these investigations.

Comment Spam in the E-mail

The experiment with removing bot checks from commenting continues and so does the spam in my email account. Always posing as an anonymous commenter, it only shows up in my Gmail account but not in Blogger. So at least some of the filters are working. That’s the only silver lining since I have to check each email out.

Once again it is time to fire up the virtual machine with Ubuntu on it to do some investigating. Here are some examples and where the links lead to:

Anonymous has left a new comment on your post "Howl’s Moving Castle (2004)":
Cygiefiania xaikalitag icergeallonia [ url = http: // usillumaror . com ] iziananatt [ /url ] Juicillenna http: // gussannghor . com EnedonoMory

The first link is embedded in xaikalitag and is ww2 . wikaswieier . com which throws up an error message. The secong link gets the same result.

The third time is the charm and we get to see a fake search engine made to mine money from click referrals.

Referral Spam Overload

Updated 15 July 2013 with screen captures and testing Tor for browsing.

A very quick post; referral spam went nuts the past 24 hours on the blog totalling 35 hits. The culprits:

adsensewatchdog . com

This is what it looks like without Tor and NoScript. A wide index of terms so they get hits. Just another fake search engine riding the real ones to get traffic and money for pages served.

With Tor (an untrackable browser) and NoScript it looks completely different. Fancier parked graphics and no links.

Spam and an Apparent Pyramid Scheme

Commenter Charlotte gave a heads up that a new spammer has shown up in Bloggers stats so I checked it out several days ago. I didn’t get the spam myself and wasn’t feeling the love from referral spammers. Then the last 24 hours produced 22 spam hits of various kinds including the new one awsurveys . com / ?R=1070526 which showed up seven times. I guess they still love me. Is this what they call “bad love”? UPDATED with another link being used and a shady service connected to it.

So I fired up my virtual PC and checked out the link. Remember folks, don’t try this yourself! Clicking on referral link spam can cause any number of problems including getting you computer infected with malware.

Old Spam Is Still Indigestible

Getting back to posting reviews is turning out to be harder than I expected and the new rounds of referral spam have taken up time meant for writing on other topics. The latest to hit by Blogger stats is from newsuc . com and according to DuckDuckGo it is a parked domain which means no real content is hosted there. The page showing up from this dedicated to spamming site is newsuc . com / blog / blog1 . php / 2009 / 07 / 20 /giant-quake-tsunami though there are several others at the site.

I fired up my virtual machine (VM) running Ubuntu for safe investigation of the site and to take screen captures. Remember, don’t click on the links from newsuc! What I found looked like a real blog, if out of date by three years. But why would they be linking me now?

A Tricky Bit of Spam

Spammers apparently never sleep and so it isn’t long before a new referral spam hits Blogger or an old one appears under a new link.  This particular one is a new one to me and came in as t . co / 1kXhhiBfBE using a shortened Twitter link. So what is it really?

A misogynistic offer to teach men how to seduce women. Apparently it is a video and the format looks all too familiar. The content is different, but I never did see the presentation due to this:

Firefox on Ubuntu failed to install when the camera icon was clicked on. Children don’t try this at home! Digging into the page source code revealed the video link claims to be in SWF format but as you can see, nothing happened. If it is malicious code aimed at Windows, it found the wrong operating system to play with.

Finally, when you try to close or back out of the page, the javascript launches this appeal to the profoundly desperate. I’m sad to say this will actually work on some guys.

UPDATED: This is now coming in as a full address, thetaoofbadass . pw / ?a_aid=517d032416eac which makes it seem even more silly.

Looking at the source code (with no expertise on my part) was revealing in that this appears to be a prefabricated template complete with instructions. A talented coder will glean a lot more than I did, but it shows just how polished the malware and spam pushing has gotten. It is all very professional now and it seems that the weight loss spam used the same form.

Ohbelog Referral Spam

So I see a Malaysian website on my Blogger stats today and couldn’t resist seeing what the latest spam was. It turned out to be a very interesting place to investigate. An ornate trap is what I would describe ohbelog . com as. At first look it appears to be a social media aggregate site where you can vote up or down on different links.

It’s flashy and oh so modern:

Scrolling down reveals that not a lot of voting is going on and clicking on some of the subsections in the menu nets these results:

Notice anything suspicious yet?

A Source of Referral Spam

Ever wonder where the strange links in your Blogspot stats come from that don’t really link to your blog? Ever wonder why someone would do such a thing? Wonder no more.

r-e-f-e-r-e-r . com showed up on my stats today and this site blatantly lays out what is going on. For $29.95 you can spam forty million websites with links to your site to artificially drive traffic – or at least that’s what they promise. You may have heard of similar schemes for Facebook likes and Twitter follows to boost apparent status.

Screen capture follows and is safe to click on:

The part selling ads pointing out mostly webmasters visit this site is something I find vaguely hilarious. Most won’t be pleased to be visiting, I suspect.

Please don’t help them out by visiting their site.

Topblogstories Referral Spam

Another round of spam has hit the blog stats page and this time it is a link to a purported hookup service for the sexually desperate. Okay, it doesn’t say that, but that’s how I view it.

topblogstories . com / led me to this page:

Link to NSFW screen capture, but not pornographic image.

topblogstories . com / 18331&c=3 led to virtually the same page:

Link to NSFW screen capture, but not pornographic image.

Notice the javascript coding picks up where your IP is from. I suspect false advertising given the number of breasts promised.

As usual, do not click on the referrals! I hope your mother warned you about these kinds of girls…

…and hopefully you will warn others about these kinds of spam.

UPDATE: The first link now leads to a topless photo. It may be that they rotate them, but be warned it is now very NSFW!

UPDATE 2: Seeing another round of it with a small variance. Persistent, aren’t they?

topblogstories . com / 7293&c=6

UPDATE 3: Thanks to the efforts of commenter Edgar Bangkok there are more details on the spammers, both methods and probable location in Ukraine. He’s posted detailed analysis at his blog in two posts:

The first one shows how javascript is used on the webpage.

The second post drops shows the topblogstories spammers are now targeting Google Analytics and shows sublinks going to AdultFriendFinder and Damned Love.

If you don’t read Italian, you’ll need to use a translation service such as Google Translate to read his posts.

New Page Index for Spam Posts

Since I’ve gotten a lot of views on posts about referral spam on Blogger and not many people click on tags, a new page has been added at the top under the blog title graphic to make it easier to find those posts. Spam, Lovely Spam is the page and also includes links to posts on other scams and spamming.

These aren’t the kind of posts that one would hope would be popular on a blog, simply because it would be a better world if it wasn’t necessary to identify the garbage filling our Blogger referrals. Being a strong believer in service, I’ll continue to add info as new spam shows up.

I’d say read and enjoy, but…

Weight Loss Referral Spam

It seems to be a week of heavy traffic in Blogger referral spam and I wish there was a diet we could go on to lose it. The latest links to a video from a chiropractor and “wellness expert” calling himself Dr. Charles from Fishers, Indiana.

current . com / 1rhh7kc is the link showing up today, but it has also been showing up in large quantities as www . filmhill . com / redirect . php?url=http:// flf-course . com?a_aid=510d2acc92117&a_bid=6f93443e for some time now.

UPDATE 1: Now it is coming as vk . com / away . php?to=http %3A%2F%2Fflf-course . com%2F%3Fa_aid%3D51893d1ad4b02&post=18068744_31

UPDATE 2: Once again the link has changed, this time to appear to be coming from LinkedIn. www . linkedin . com / redir / redirect?url=http %3A%2F%2F flf-course %2Ecom%3Fa_aid%3D517d0f042c205&urlhash=e75j

UPDATE 3: As of June 26, 2013 a new link has appeared: http:/ /t . co/ MaAptuGFVu that is of course the same video.

UPDATE 4: July has found the video making its way into referrals again, this time as blogsrating . pw/ An interesting thing happened when I loaded the site – it ran a very long load with many blogspot addresses going by in the info bar of the browser. I’m no code expert, but I wonder if it uses every hit on the site to send further referral spam hits to our blogs.

Also, it appears to be using Russian resources, surprise, surprise.

Screen capture of the Current version:

Screen capture of the Filmhill version:

Yep, it’s the same thing with only the sidebar being different.

I should also note I had to “hard” shutdown my virtual Kabuntu session to get out of the second link. Whether that has something to do with my video card drivers or the site I can’t say, but I don’t advise visiting the sites. Besides it’s just another scam to get money out of you.

A Very Strange Blogger Referral

I checked my stats today and found a referral that looked extremely suspicious:

mysql . removeyourcontent . com / russ_pornbb_spider / admin / hentai_check . php

An attempt to access this through a virtual machine asked for an admin login plus password and when I limited it to the domain I got an Apache 2 test page. Apache is one of the most common software packages that runs servers.

To my eyes, it appears to be a misconfigured spider checking web sites to see if it can drop porn spam. Either that or it is looking for porn. The hentai part of it relates to anime and the referral showed up on one of my anime reviews. Since I don’t have any hentai this is a dead end if it is a search.

Could it also be a way to get into an Apache server? I wish I knew more about the software to say.

Comment Spam

From the Sidelines has had a visitor named “fati” from Casablanca, Morocco attempt to post twice during the past two days on different referral spam posts. The content of the comments is the same:

It's easy way to make money
Super-Duper Easy Way to Earn Money By
Promoting A link - 0.5$ per Referral Link Visit.
-Register
-Share Refferral Link
-Earn Money on every visit

A shortened shortened link is also included. I’m not going to click that for obvious reasons.

It’s fascinating to see how prevalent “black hat” methods of generating income from ads on the Net have become. Some of this is typical of how underhanded people always exploit anything that can be exploited. But I’m also becoming aware that some of this is a reaction to how hard it is to make money from running advertisements on a website these days.

Money is tighter and tighter in the current world economy that’s teetering on collapse and ads have always been nebulous in results. With the Web coming into being, actual viewing and response to ads has become a harder science than it was. Results can be tabulated in near real time, targeting has become extremely refined, and wasted efforts easier to avoid.

Google has tried refining its search indexing protocols (SERPS) to downgrade black hat method using sites, but is losing the war while taking out innocent bystanders. They also are in the business to make money and favor branded economic sites over “mom and pop” small businesses now. Reading the pain going on for some of them and how some are turning to “the dark side” to survive, I have to wonder if the mess can be resolved in any good way at all.

My posts on spam, especially of the referral type on Blogger, came about due to the lack of information about the links showing up in my stats. They are a public service endeavor which has led me to learn about things I had no clue about in the financial ecosystem of Web advertising and search results. I’ll never be an expert, but from the amount of hits the posts have gotten at least some information got relayed to those who needed it.

So these public service announcements will continue though they annoy me to write.

How Many Referral Spammers Are There?

That’s the question on my mind. Yet again faked referral links have shown up in my Blogger stats and yet again it is one I haven’t seen before.

afslotat . net16 . net is the newest one to hit the blog with a tempting link:
afslotat . net16 . net / info / my blog address

It appears to be out of Latvia, but that could be faked too. An attempt was made to load the site in a VM, but failed so I’m very suspicious and advise not clicking the link for any reason.

UPDATED

Another address like it showed up this evening:
radepaha . hs8 . ru / de  /info / my blog address . de

I'm not even going to try to investigate it since it is likely from the same people behind the other.

UPDATED again...

Now I've gotten referral spam from one of the biggest weirdos on the net. escapefrommasachusetts . org is on the loose again after being around as escapefromma . com and this site is dangerous to click on. The latest incarnation of pseudo anarchic drivel is salacious statements about Mitt Romney. A little out of date, that.  DO NOT CLICK!

Yet another UPDATE:

A new variation of the first two spams has shown up and racked up a ridiculous number of hits in one day. It uses the same fake "info" then your blog address in the referral. The new culprit is:

tkdot . com

Another Day, Another Referral Spammer

If you notice another Blogger site by the name of www . kmzackblogger . com in your referrals, know that it is a blog setup to get you to pay for better YouTube video placement. It showed up on the blog I just started for my grandmother's diaries, so I was curious enough to check it out.

Don't click on it.

UPDATED April 28, 2013

Once again KMZack Blogger left a comment, this time with an embedded link to a link exchange. Text follows:

Hey if you still get a referrer as my web (link removed) please aware that it is a kind of system that my competitor did to visual my web as spamming. then if you would like to exchange link with my website please proceed to here..
(link removed)

Since he's hoping to get his links up, the comment is not being put up.

A screen capture of his website (picture is safe to click):

Nothing shady about that, right? A competitor trying to make him look like a spammer isn't very plausible.  I'm surprised he isn't offering the Brooklyn Bridge for cheap.
UPDATE:

It is very interesting that as soon as I post about one of these spammers, more referral spam shows up. It makes me suspect they are all connected somehow.

In this case three different ones:

www . bthemes . info
This looks somewhat legitimate in that it has themes for Blogger. But the fact they use referral spam makes them look quite shady. I don't advise using them for that alone.

vampirestat and zombiestat:

These are run by the same people using the same templates with different graphics and purport to show the monetary worth of websites. I have to wonder how legitimate the Facebook likes and G+ numbers are. Do not go there since there are all sorts of things asking to be installed.

UPDATED:

Yet another referral spammer on Blogger showed up with 11 page views on February 28.

make-money-with-your-blog . review-blogspot . com is another get rich quick scheme making the rounds. "Mary" even has a short bit on the page about people reporting her blog is a scam and that she has "the approval of Blogger." Of course there is only the one post containing a shortened link.

Avoid at all costs.

An Odd Bit of Spam

2013 continues to be an interesting year for blog referral spam here at From the Sidelines. The latest one intrigued me a great deal due to how ridiculously long the link was:

applehut . info / 2011 / 08 / 05/ woot – deal – 16gb – hp – touchpad - %e2%80%93 – 379 – 99 – 5 – shipping . php

I’ve added a lot of spaces to disable the link from working, but did check it out in a Linux virtual machine. The site is another fake meant to lure traffic in and poses as an aggregator of smart/cellphone news. It even has an “About” page! That particular post is very out of date which was a tip off that they hadn’t really linked me. Also, I’ve never written about the HP Touchpad! Something very amusing to me is that the post itself may have been spammed in the comments.

If you are going to sucker people in for a deal, it would be smart to at least have the date on the post be within the current month and year, don’t you think? Not to mention using a product that isn’t out of production and replaced by cheaper alternatives that are vastly superior.

As far as how safe the link is to check out, I cannot say since I used Linux to visit it. There might be some Windows (or other OS) based malware there in the ads, but I wouldn’t be able to tell. I highly recommend not clicking on this or any other link from there in your referrals.

Also recommended is adding Google Analytics, Statcounter, or some other tracking service rather than relying on Blogger’s own stats. They filter this spam out a lot more effectively, though they aren’t bullet proof. In the end, your own judgment is your best defense against spam.

Neither registered this referral.