Tracking down the source of Referrer Spam
Referrer Spam is the bane of any blogger's statistic tracking. These low-life people attempt to trick bloggers into 'clicking' their URLs because the blog software lists them as the top referrers to the blog. This, as with other types of spam, causes grief because it exists purely to deceive and ultimately wastes time.
In the CentreBlog, our top 10 referrers are all spammers - primarily split between online casinos and generic directories with hundreds of links. Given that it's a Sunday afternoon and I have some free time, I decided to go against the crowd and NOT IGNORE IT.
My hunt starts off by trying to figure out who the referrers actually are. I start off with a basic WHOIS search (http://www.whois.sc) on the #1 entry, thebenjamingate.com.
For the record, Internic.net - once known for their usefulness - is practically worthless in a WHOIS search.
Here are the results:
Website Title: Gamble and Casino Content Provider
Meta Description: Gamble and Casino
Meta Keywords: Gamble and Casino
Response Code: 200
SSL Cert: No valid SSL on this Host
Website Status: Active
Reverse IP: Web server hosts 108 websites
Server Type: Apache/1.3.33 (Unix)
IP Address: 70.84.113.250 (ARIN & RIPE IP search)
IP Location: Texas - Dallas - Theplanet.com Internet Services Inc
Blacklist Status: Clear
Cached Whois: 2005-08-28
Whois History: 2 records stored (Oldest: 2001-03-01, Newest: 2005-08-28)
Record Type: Domain Name
Name Server: NS1.SERVERMATRIX.COM
ICANN Registrar: NETWORK SOLUTIONS, LLC.
Created: 2000-05-10
Expires: 2006-05-10
Status: REGISTRAR-LOCK
So now I know that:
1) This domain has been registered for a long time (since April 10, 2000). This person is probably no novice when it comes to the Internet. Also, they have probably left a trail somewhere...
2) The web server hosts 108 sites. I bet they are all Referrer Spam sites. If I can get this person stopped, I may make a small difference on the Internet!
3) The most important data: I know they are hosted at ServerMatrix (a division of The Planet) and I know the IP address (70.84.113.250).
The WHOIS Site also returns the following contact info:
Registrant:
Zhao, Jackie
82-36 Grand Ave.
null
Elmhurst, NY 11373
US
Domain Name: THEBENJAMINGATE.COM
Administrative Contact, Technical Contact:
Zhao, Jackie
82-36 Grand Ave.
null
Elmhurst, NY 11373
US
8008358336 fax: null
jackie586@gmail.com
Record expires on 10-May-2006.
Record created on 10-May-2000.
Domain servers in listed order:
NS1.SERVERMATRIX.COM 216.185.111.10
NS2.SERVERMATRIX.COM 69.56.222.10
Upon reading this info, I am doubtful that any of it is true. Even if it is, I highly doubt that anyone with the last name Zhao will have a real first name of 'Jackie'. When I see the phone number, I am immediately suspicious... Who has an (800) number? Nevertheless, I try calling it first... SURPRISE, SURPRISE! It's a 'Sex Hotline' asking for my CC#. This guy is a real stand up fella. I bet his kids will turn out great...
Since that isn't his real number, I try to see if I can find him via Reverse Phone Number lookup and address hunting. No dice - imagine that.
All I have left is his email address... so I decide to send him an email.
Hello Jackie,
You have been spamming people's blogs/websites with 'Referrer Spam' - mine included. Why are you doing this? It's very hurtful to the Internet community and you put yourself and your family in the spotlight by doing this. Do you really want someone tracking you down in person to confront you about this? While the Internet is vast and complex, we live in a small world - I ask that you stop your spam attacks and earn your living in an honest manner.
Sincerely,
Nicholas Holland
CEO / President
CentreSource Inc.
Nashville, TN 37210
Before I contact ServerMatrix, I remember a great article about a guy tracking down Spyware and its affiliates. He brought up a good point - follow the money. So I go back to the culprit's website and identify who is paying the slime-ball his money.
On the page (beyond all the links to gambling), I notice 'Webmasters, remember to join our Casino Affiliate Program'. Here's the kicker, the link is:
adv.casinoblasters.com/index.php?JackyZhao
So his name is not Jackie, but Jacky. So I go to Google and type in "Jacky Zhao" for all exact matches. EUREKA! I find one 'Jacky Zhao' offering to sell a domain (xjoke.net) and listing all of the page impressions it gets per month. Even more interesting, his name is listed in the actual text message as Jackie Zhao. So I hurriedly go back to the WHOIS site to see who owns xjoke.net.
Heeeeere's Jackie! But I am not 100% sure it's him - this Jackie is from China and the site now belongs to Andy Su. I try to visit the site, but the site won't resolve. What I am really looking for is the smoking gun - a site tied to this Jackie that shows up on the original casino site server.
Jackie Zhao
Jackie Zhao
No. 117 Dongda Road
Fuzhou Fujian 350001
China
tel: 86 591 7510052
contact@mp3cdsoft.com
So I keep reading his posts on the SEO site, and I find another one where he is trying to sell a 'popular' software website with 300K impressions per month. I remember that his contact address for xjoke.net was at 'mp3cdsoft.com' and I realize which site he is trying to sell. I pull up the site AND IT ACTUALLY HAS A CASINO ANIMATED GIF AT THE BOTTOM. Now I'm practically sure it's the same Jacky/ie. Also, I see that the 'contact' address for the mp3cdsoft.com website is the same as the Admin Contact for xjoke.net - located in China.
I conduct a tracert (the trace-route command in DOS), but I don't get the smoking gun I was looking for - but close. The website, mp3cdsoft.com, is hosted at ServerMatrix too - but on a different IP address. I conduct the normal WHOIS search on it, but all the contact info is blocked. It seems that a service called NameCheap.com will keep spammers' info protected. My suspicions were confirmed when the WHOIS database showed the domain listed as a spammer:
Blacklist Status: Listed - Cached Today (details)
On a hunch, I decide to check other domains listed in our Referrer Spam list. I choose one, innerspacerecords.com, and launch a WHOIS on it. BINGO - WE HAVE A WINNER! It's listed at ServerMatrix, has Jackie Zhao as the Contact, and has the IP address 67.18.111.42 - the very same IP as mp3cdsoft.com. It's 100% confirmed; we now know it was the right Jacky.
At this point, I decide that my lack of Chinese will keep me from tracking him down. There are many entries in Google for a Jackie Zhao (including a blog!) but they are all in Chinese. Since my email to him wasn't rejected, I can only hope that it was a legitimate address and he'll read it.
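The pivoting done by hand above (same hosting IP, same registrant in two spellings, a contact email at one of the other domains) can be automated. This is an added example, not code from the original post: the records are constructed from the values quoted above, the IPs for xjoke.net and the legitimate control domain are made up, and the hidden mp3cdsoft.com record is linked only through its IP.

```python
from collections import defaultdict

# Constructed sample: (domain, hosting IP, registrant, contact email).
# IPs for xjoke.net and example-legit.org are invented placeholders.
RECORDS = [
    ("thebenjamingate.com", "70.84.113.250", "Zhao, Jackie", "jackie586@gmail.com"),
    ("innerspacerecords.com", "67.18.111.42", "Jackie Zhao", None),
    ("mp3cdsoft.com", "67.18.111.42", None, None),  # privacy-protected WHOIS
    ("xjoke.net", "203.0.113.7", "Jackie Zhao", "contact@mp3cdsoft.com"),
    ("example-legit.org", "198.51.100.9", "Pat Example", "pat@example-legit.org"),
]

def norm_name(name):
    """'Zhao, Jackie' and 'Jackie Zhao' collapse to the same key."""
    if not name:
        return None
    return "name:" + " ".join(sorted(name.replace(",", " ").lower().split()))

def pivot_keys(record, known_domains):
    """Every attribute two records could share becomes a pivot key."""
    domain, ip, registrant, email = record
    keys = {"ip:" + ip, "domain:" + domain}
    if norm_name(registrant):
        keys.add(norm_name(registrant))
    if email:
        keys.add("email:" + email.lower())
        mail_domain = email.split("@")[-1].lower()
        if mail_domain in known_domains:  # contact email hosted at a sibling domain
            keys.add("domain:" + mail_domain)
    return keys

def cluster(records):
    """Union-find over shared pivot keys; largest cluster first."""
    parent = {r[0]: r[0] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    known = {r[0] for r in records}
    first_owner = {}
    for rec in records:
        for key in pivot_keys(rec, known):
            if key in first_owner:
                parent[find(rec[0])] = find(first_owner[key])
            else:
                first_owner[key] = rec[0]
    groups = defaultdict(set)
    for rec in records:
        groups[find(rec[0])].add(rec[0])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(len(group), group)
```

The four linked domains land in one cluster while the control domain stays alone; a shared IP on a large shared host is the weakest of these links, so treat IP-only matches as leads to confirm, as the post did, rather than proof.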
Now, on to the prevention...
So I visit CasinoBlasters.com (remember the URL with good 'ole JackyZhao in the string) and send them an email:
Greetings,
One of your affiliates is participating in 'Referrer Spamming' and his actions are causing a great deal of grief for honest Internet users. We are actively tracking the person and wanted to know if your organization supported this type of promotion and if not, would you assist us in stopping this person's activities.
Here is their affiliate string:
http://adv.casinoblasters.com/index.php?JackyZhao
I look forward to your response. If we do not hear from you, we will assume you support this method of promotion and will include your service/company in our report.
Thank you,
Nicholas L. Holland
CEO / President
CentreSource Inc.
Nashville, TN 37210
It may be a while until we hear from them, so next I contacted The Planet / ServerMatrix. I called their 'abuse' phone at +1-214-782-7802 & their tech 'Chris' was quick to defer me to their abuse email: abuse@theplanet.com. I filed the following email:
We've identified a Comment/Referrer spammer on your network with the following information:
Name:
Jackie / Jacky Zhao
Domains:
http://www.thebenjamingate.com
http://www.ninetwork.com
http://www.redsquirreldesign.com
http://www.innerspacerecords.com
** Many more **
Identified IPs:
67.18.111.42
70.84.113.253
Abuse Items:
Referrer / Comment Spam (logs can be provided)
Fraudulent Domain Admin Contact
** Contact number is a Sex-Hotline
Thank you for your assistance. We (CentreSource) are also clients of ServerMatrix and want to ensure that service remains free of spammers and illegal/fraudulent operations.
Nicholas L. Holland
CEO / President
CentreSource Inc.
Nashville, TN 37210
At this point, we've accomplished the following:
1) Identified the culprit
2) Sent him communications asking him to stop his activities
3) Alerted those that fund him
4) Reported his abuse to the servers hosting his activities
5) Mentioned his name (Jackie Zhao, Jacky Zhao) so that it shows up in the search engines and possibly shames him into better behavior.
If I get a response to any of the emails, I'll post them for everyone to read...
Update 08/29/2005
Jackie actually responded... although he ignored my original question of why he spammed in the first place. I responded back - here's the string:
Our URL is http://blog.centresource.com. Why are you spamming blogs? That is not very nice and it upsets many people. I already reported the activity to your Casino Affiliate (Casino Blaster) and ServerMatrix. I ask that you stop this abusive practice.
NLH
Jackie Zhao wrote:
> Hi
>
> What is your url? We will remove your website. We're sorry for the
> inconvenience it may have caused to you.
>
> Thank you.
>
> Best regards
>
> Jackie
Casino Blasters also wrote back:
Dear Nicholas,
Thank you for informing us of this incident. Please note that we are very strict about our NO SPAMMING policy and the affiliate mentioned has been contacted about this.
Thank you again,
Jackie
Affiliate Manager
Customer Relations
1-866-225-6909
And finally, the last note from 'ole Jackie
Hi
I have stopped it a few days ago.
Thank you.
Best regards
Jackie Zhao
Update: 11/06/2005
I got another email from Jackie (jackie586@gmail.com):
Jackie Zhao wrote:
> Hi
>
> Could you please remove this page
> (http://blog.centresource.com/2005/08/28/tracking-down-the-source-of-refe...)
> from your website?
>
> Thank you.
>
> Best regards
>
> Jackie
To which I replied:
I cannot remove it - we have had many persons comment that you have referrer spammed their blogs too. As such, I will leave this post as a permanent reminder to all persons that would cause pain and frustration to others.
NLH
Comments
Interestingly enough, the WASU TV & Communication Holding Co.,Ltd. seems to be the source network for a phishing scam too. This url --> http://www.mybank.alliance-leicester.co.uk.confirmprocedure.sst1.tc/r1/a...
Yeah, it could be anything, really.. a compromised windows PC, an insecure proxy, who knows..
LOL- what a dink! Well, I added his ip to my blacklist, but your site is still free and clear. At least you know for sure who was messing with you.
Of course, I don't really 'get' how these things work- but I wonder if that's his real IP or if he's using a proxy server to hide behind. I know a lot of spamming goes on that way.
Interesting.. That IP doesn't appear to be in a botnet.. He actually browsed to our site from that IP while searching for his name:
The IP belongs to these people:
Could he be so brazen as to web-browse and referrer-spam from the same IP address? From his actual place of work or just a hijacked PC? Who knows.. stay tuned!
Hey Chris- yea, it's a little suspicious how they targeted this particular url, rather than your site url. The IP was Referrer IP : 58.101.4.65, though like you, I suspect it was a botnet.
Keep up the good work with hunting these guys down! I hate the time developers have to devote to dealing with this crap just to keep sites functional!
Thanks for this, Rob ..
I suppose this is either in retaliation for our anti-spam efforts, or it's just a coincidence. It could be either -- I have seen in recent months a marked increase in spammers attempting to "joe-job" other blogs by referrer/comment spamming with legitimate URLs.
In this way, I guess they hope to poison the well, so to speak, so that if anyone relies on communal blacklists, legitimate sites will be affected as well.
However in this case, given the interaction so far with Nick and Mr. Zhao, there's probably a good chance he (or someone else) is just taking a stab at revenge.
Do you by chance have the IP addresses that were spamming the URL? It's probably just a botnet, but maybe not (never assume that a spammer is clever).
Just thought I'd drop you a note- I think someone's messing with you- probably as a result of this article. I was going in to clean out referrer spam- I blacklist the urls and add them to my .htaccess file- and they're generally easy to spot. 9/10 of them come into my /referrers page, so I skim down the list and add the bogus urls to the blacklist.
Anyway, I generally check a site before blacklisting it (unless it's obvious)- and I just got about 20 hits to my referral page in the last hour that lead back to this entry. Which is how I got here!
Nowhere on this page (or I doubt the whole site) are you actually linking to my referral page (which has to do with fan fiction)- so I think someone's screwing with you by referrer spamming under your url. Thought I'd drop you a 'heads up'.
i, too, received a message from "JackieZhao56" this morning saying he wanted to buy my tcboyle.net domain.
what is the purpose of this? i am assuming he wants to use it for unscrupulous reasons.
i also received email from Jackie Zhao (dated 9 Nov 05) asking if i was interested in selling one of my domains (jamessaunders.org) with same contact info as comment 9 above - content of message looked like a bulk mailout (no individualised content, except for the subject field in the header)
This Jackie Zhao asked to buy mine as well. We've been an existing site for years with no plans at all to sell. This is the second such email this month, the other from a different person. Regardless, here's Jackie's info, with a return address of contact@alleghanyeda.com:
AIM: JackieZhao56
MSN: JackieZhao56@msn.com
Yahoo: ggcsoft
ICQ: 269355415
Should I be concerned?
I got two such e-mails from him today. Thing is, they were sent to the domain registration contact e-mail; he did NOT use the contact form on the site he was offering to buy. Based on my own Googling, it appears he is sending this message to people whose domains are registered through Dotster or one of their affiliates. Also, mp3cdsoft.com puts out a "shareware" CD burning program that shows up on sites that tend to have spyware-laced programs for download, and his name shows up on several sites offering screensavers (usually also full of spyware).
this jacki emailed me today that he wants to buy my domain...what is this all about?
Thanks...ps i told him i sell it £10000
Dear Friend:
Your article was helpful. Thank you very much. I wanted to know how to track the geo-location from where an email was sent. Is this possible?
Please let me know if you have some info on this.
Kevin
Hi - thanks for this. I've been getting a huge amount of referrer spam from the same individual who quite clearly hasn't stopped what they are doing. Have contacted a related but different webspace provider which the domains in question were registered on.
What's worse is that it has a physical cost attached to it, in terms of processing and bandwidth resources utilized. My personal blog, which is hosted on a meager 256Kbps link (upstream) has been DoSed by referrer spammer botnets on numerous occasions.