Tracking down the source of Referrer Spam

by on Aug 28, 2005 under Culture

Referrer Spam is the bane of any blogger’s statistic tracking. These low-life people attempt to trick bloggers into ‘clicking’ their URLs because the blog software lists them as the top referrers to the blog. This, as with other types of spam, causes grief because it exists purely to deceive and ultimately wastes time.

In the CentreBlog, our top 10 referrers are all Spammers – primarily split between online casinos and generic directories with hundreds of links. Given that its a Sunday afternoon and I some free time, I decided to go against the crowd and NOT IGNORE IT.

My hunt starts off by trying to figure out who the referrers actually are. I start off with a basic WHOIS search (http://www.whois.sc) on the #1 entry, thebenjamingate.com.
For the record, Internic.net – once known for their usefulness – is practically worthless in a WHOIS search.

Here are the results:

Website Title: 	Gamble and Casino Content Provider
Meta Description: Gamble and Casino
Meta Keywords: Gamble and Casino
Response Code: 200
SSL Cert: No valid SSL on this Host, Get Secure
Website Status: Active
Reverse IP: Web server hosts 108 websites 
Server Type: Apache/1.3.33 (Unix)
IP Address: 70.84.113.250 (ARIN & RIPE IP search)
IP Location: - Texas - Dallas - Theplanet.com Internet Services Inc
Blacklist Status: Clear
Cached Whois: 2005-08-28
Whois History: 2 records stored
Oldest: 2001-03-01
Newest: 2005-08-28
Record Type: Domain Name
Name Server: NS1.SERVERMATRIX.COM
ICANN Registrar: NETWORK SOLUTIONS, LLC.
Created: 2000-05-10
Expires: 2006-05-10
Status: REGISTRAR-LOCK

So now I know that:
1) This domain has been registered for a long time (since April 10, 2000). This person is probably no novice when it comes to the Internet. Also, they have probably left a trail somewhere…
2) The web server hosts 108 sites. I bet they are all Referrer Spam sites. If I can get this person stopped, I may make a small difference on the Internet!
3) The most important data: I know they are hosted at ServerMatrix (a division of The Planet) and I know the IP address (70.84.113.250).

The WHOIS Site also returns the following contact info:



Registrant:
Zhao, Jackie
   82-36 Grand Ave.
   null
   Elmhurst, NY 11373
   US

   Domain Name: THEBENJAMINGATE.COM

   Administrative Contact, Technical Contact:
      Zhao, Jackie 
      82-36 Grand Ave.
      null
      Elmhurst, NY 11373
      US
      8008358336 fax: null
      jackie586@gmail.com

   Record expires on 10-May-2006.
   Record created on 10-May-2000.

   Domain servers in listed order:

   NS1.SERVERMATRIX.COM         216.185.111.10
   NS2.SERVERMATRIX.COM         69.56.222.10

Upon reading this info, I am doubtful that any of it is true. Even if it is, I highly doubt that anyone with the last name Zhao will have a real first name of ‘Jackie’. When I see the phone number, I am immediately suspicious… Who has an (800) number? Nevertheless, I try calling it first… SURPRISE, SURPRISE! It’s a ‘Sex Hotline‘ asking for my CC#. This guy is a real stand up fella. I bet his kids will turn out great…

Since that isn’t his real number, I try to see if I can find him via Reverse Phone Number lookup and address hunting. No dice – imagine that.

All I have left is his email address… so I decide to send him an email.

Hello Jackie,

You have been spamming people’s blogs/websites with ‘Referrer Spam’ – mine included. Why are you doing this? Its very hurtful to the Internet community and you put yourself and your family in the spotlight by doing this. Do you really want someone tracking you down in person to confront you about this? While the Internet is vast and complex, we live in a small world – I ask that you stop your spam attacks and earn your living in an honest manner.

Sincerely,

Nicholas Holland
CEO / President
CentreSource Inc.
Nashville, TN 37210

Before I contact ServerMatrix, I remember a great article about a guy tracking down Spyware and its affiliates. He brought up a good point – follow the money. So I go back to the culprit’s website and identify who is paying the slime-ball his money.

On the page (beyond all the links to gambling), I notice ‘Webmasters, remember to join our Casino Affiliate Program’. Here’s the kicker, the link is:
adv.casinoblasters.com/index.php?JackyZhao

So his name is not Jackie, but Jacky. So I go to Google and type in “Jacky Zhao” for all exact matches. EUREKA! I find one ‘Jacky Zhao’ offering to sell a domain (xjoke.net) and listing all of the page impressions it gets per month. Even more interesting, his name is listed in the actual text message as Jackie Zhao. So I hurriedly go back to the WHOIS site to see who owns xjoke.net.

Heeeeere’s Jackie! But I am not 100% sure it’s him – this Jackie is from China and the site now belongs to Andy Su. I try to visit the site, but the site won’t resolve. What I am really looking for is the smoking gun – a site tied to this Jackie that shows up on the original casino site server.


Jackie Zhao
           Jackie Zhao
           No. 117 Dongda Road
           Fuzhou Fujian 350001
           China
           tel: 86 591 7510052
           contact@mp3cdsoft.com

So I keep reading his posts on the SEO site, and I find another one where he is trying to sell a ‘popular’ software website with 300K impressions per month. I remember that his contact address for xjoke.net was ‘mp3cdsoft.com‘ and I realize which one he is trying to sell. I pull up the site AND IT ACTUALLY HAS A CASINO ANIMATED GIF AT THE BOTTOM. Now I’m practically sure its the same Jacky/ie. Also, I see that the ‘contact’ address for the mp3cdsoft.com website is the same as the Admin Contact for the XJoke.net – located in China.

I conduct a tracert (trace-route command in DOS), but I don’t get the smoking gun I was looking for – but close. The website, mp3cdsoft.com is hosted at ServerMatrix too – but on a different IP address. I conduct the normal WHOIS search on it, but all the contact info is blocked. It seems that a service called NameCheap.com will keep spammers info protected. My suspicions were confirmed when I saw the WHOIS database showed them as being listed as Spammers.

Blacklist Status: Listed – Cached Today (details)

On a hunch, I decide to check other domains listed in our Referrer Spam list. I choose one, innerspacerecords.com, and launch a WHOIS on it. BINGO – WE HAVE A WINNER! Its listed at ServerMatrix, has Jackie Zhao as the Contact, and has the IP address 67.18.111.42 – the very same IP for mp3cdsoft.com. Its 100% confirmed, we now know it was the right Jacky.

At this point, I decide that my lack of Chinese will keep me from tracking him down. There are many entries in Google for a Jackie Zhao (including a blog!) but they are all in Chinese. Since my email to him wasn’t rejected, I can only hope that it was a legitimate address and he’ll read it.

Now, on to the prevention…

So I visit CasinoBlasters.com (remember the URL with good ‘ole JackyZhao in the string) and send them an email:

Greetings,

One of your affiliates is participating in ‘Referrer Spamming’ and his actions are causing a great deal of grief for honest Internet users. We are actively tracking the person and wanted to know if your organization supported this type of promotion and if not, would you assist us in stopping this person’s activities.

Here is their affiliate string:

http://adv.casinoblasters.com/index.php?JackyZhao

I look forward to your response. If we do not hear from you, we will assume you support this method of promotion and will include your service/company in our report.

Thank you,

Nicholas L. Holland
CEO / President
CentreSource Inc.
Nashville, TN 37210

It may be a while until we hear from them, so next I contacted The Planet / ServerMatrix. I called their ‘abuse’ phone at +1-214-782-7802 & their tech ‘Chris’ was quick to defer me to their abuse email: abuse@theplanet.com. I filed the following email:

We’ve identified a Comment/Referrer spammer on your network with the following information:

Name:
Jackie / Jacky Zhao

Domains:

http://www.thebenjamingate.com

http://www.ninetwork.com

http://www.redsquirreldesign.com

http://www.innerspacerecords.com

** Many more **

Identified IPs:
67.18.111.42
70.84.113.253

Abuse Items:
Referrer / Comment Spam (logs can be provided)
Fraudulent Domain Admin Contact
** Contact number is a Sex-Hotline

Thank you for your assistance. We (CentreSource) are also clients of ServerMatrix and want to ensure that service remains free of spammers and illegal/fraudulent operations.

Nicholas L. Holland
CEO / President
CentreSource Inc.
Nashville, TN 37210

At this point, we’ve accomplished the following:
1) Identified the culprit
2) Sent him communications asking him to stop his activities
3) Alerted those that fund him
4) Reported his abuse to the servers hosting his activities
5) Mentioned his name (Jackie Zhao, Jacky Zhao) so that it shows up in the search engines and possibly shames him into better behavior.

If I get a response to any of the emails, I’ll post them for everyone to read…

Update 08/29/2005

Jackie actually responded… although he ignored my original question of why he spammed in the first place. I responded back – here’s the string:

Our URL is http://blog.centresource.com. Why are you spamming blogs? That is not very nice and it upsets many people. I already reported the activity to your Casino Affiliate (Casino Blaster) and ServerMatrix. I ask that you stop this abusive practice.

NLH

Jackie Zhao wrote:
> Hi
>
> What is your url? We will remove your website. We’re sorry for the
> inconvenience it may have caused to you.
>
> Thank you.
>
> Best regards
>
> Jackie

Casino Blasters also wrote back:

Dear Nicholas,

Thank you for informing us of this incident. Please note that we are very strict about our NO SPAMMING policy and the affiliate mentioned has been contacted about this.

Thank you again,

Jackie
Affiliate Manager
Customer Relations
1-866-225-6909

And finally, the last note from ‘ole Jackie

Hi

I have stopped it a few days ago.

Thank you.

Best regards

Jackie Zhao

Update: 11/06/2005
I got another email from Jackie (jackie586@gmail.com):

Jackie Zhao wrote:
> Hi
>
> Could you please remove this page
> (http://blog.centresource.com/2005/08/28/tracking-down-the-source-of-referrer-spam/
> > >) from your website?
>
> Thank you.
>
> Best regards
>
> Jackie

To which I replied:

I cannot remove it – we have had many persons comment that you have referrer spammed their blogs too. As such, I will leave this post as a permanent reminder to all persons that would cause pain and frustration to others.

NLH

, ,
Share This
  • Chris

    This, as with other types of spam, causes grief because it exists purely to deceive and ultimately wastes time.

    What’s worse is that it has a physical cost attached to it, in terms of processing and bandwidth resources utilized. My personal blog, which is hosted on a meager 256Kbps link (upstream) has been DoSed by referrer spammer botnets on numerous occasions.

  • http://buildministries.com Kevin

    Dear Friend:

    Your article was helpful. Thank you very much. I wanted to know how to to track the geo-location from where an email was sent. Is this possible?

    Please let me know if u have some info on this.

    Kevin

  • Pingback: CentreSource: Blog » tracking e-mail senders

  • http://www.cartoonchurch.com/blog/ Dave Walker

    Hi – thanks for this. I’ve been getting a huge amount of referrer spam from the same individual who quite clearly hasn’t stopped what they are doing. Have contacted a related but different webspace provider which the domains in question were registered on.

  • Pingback: CentreSource: Blog » Fighting Splogs

  • Pingback: CentreSource: Blog » Tracking down the source of Referrer Spam

  • alex

    this jacki emailed me today that he wants to buy my domain…what is this all about?
    Thanks…ps i told him i sell it £10000

  • Mike C.

    This Jackie Zhao asked to buy mine as well. We’ve been an existing site for years with no plans at all to sell. This is the second such email this month, the other from a different person. Regardless, here’s Jackie’s info, with a return address of contact@alleghanyeda.com:

    AIM: JackieZhao56
    MSN: JackieZhao56@msn.com
    Yahoo: ggcsoft
    ICQ: 269355415

    Should I be concerned?

  • http://www.wussu.com Weed

    i also received email from Jackie Zhao (dated 9 Nov 05) asking if i was interested in selling one of my domains (jamessaunders.org) with same contact info as comment 9 above – content of message looked like a bulk mailout (no individualised content, except for the subject field in the header)

  • http://tcboyle.net sandye

    i, too, received a message from “JackieZhao56″ this morning saying he wanted to buy my tcboyle.net domain.

    what is the purpose of this? i am assuming he wants to use it for unsrcupulous reasons.

  • http://www.PoetsHaven.com VertigoXX

    I got two such e-mails from him today. Thing is, they were sent to the domain registration contact e-mail, he did NOT use the contact form on the site he was offering to buy. Based on my own Googling, it appears he is sending this message to people whose domains are registered through Dotster or one of their affiliates. Also, mp3cdsoft.com puts out a “shareware” CD burning program that shows up on sites that tend to have spyware laced programs for download, and his name shows up on several sites offering screensavers (usualy also full of spyware).

  • http://media-cow.net rob1

    Just thought I’d drop you a note- I think someone’s messing with you- probably as a result of this article. I was going in to clean out referrer spam- I blacklist the urls and add them to my .htaccess file- and they’re generally easy to spot. 9/10 of them come into my /referrers page, so I skim down the list and add the bogus urls to the blacklist.

    Anyway, I generally check a site before blacklisting it (unless it’s obvious)- and I just got about 20 hits to my referral page in the last hour that lead back to this entry. Which is how I got here!

    Nowhere on this page (or I doubt the whole site) are you actually linking to my referral page (which has to do with fan fiction)- so I think someone’s screwing with you by referrer spamming under your url. Thought I’d drop you a ‘heads up’.

  • Chris

    Thanks for this, Rob ..

    I suppose this is either in retaliation for our anti-spam efforts, or it’s just a coincidence. It could be either — I have seen in recent months a marked increase in spammers attempting to “joe-job” other blogs by referrer/comment spamming with legitimate URLs.

    In this way, I guess they hope to poison the well, so to speak, so that if anyone relies on communal blacklists, legitimate sites will be affected as well.

    However in this case, given the interaction so far with Nick and Mr. Zhao, there’s probably a good chance he (or someone else) is just taking a stab at revenge.

    Do you by chance have the IP addresses that were spamming the URL? It’s probably just a botnet, but maybe not (never assume that a spammer is clever).

  • http://media-cow.net rob1

    Hey Chris- yea, it’s a little suspicious how they targeted this particular url, rather than your site url. The IP was Referrer IP : 58.101.4.65, though like you, I suspect it was a botnet.

    Keep up the good work with hunting these guys down! I hate the time developers have to devote to dealing with this crap just to keep sites functional!

  • http://blog.centresource.com Chris

    Interesting.. That IP doesn’t appear to be in a botnet.. He actually browsed to our site from that IP while searching for his name:

    58.101.4.65 – - [08/Nov/2005:21:49:17 -0600] “GET /2005/08/28/tracking-down-the-
    source-of-referrer-spam/ HTTP/1.1″ 200 9921 “http://www.google.com/search?source
    id=navclient&ie=UTF-8&rls=GGLG,GGLG:2005-35,GGLG:en&q=Jackie+Zhao” “Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)”

    The IP belongs to these people:

    descr: WASU TV & Communication Holding Co.,Ltd.
    descr: 6/F, Jian Gong Building, NO.20 Wen San Road, Hangzhou,
    descr: Zhejiang province, P.R.China 310012

    Could he be so brazen as to web-browse and referrer-spam from the same IP address? From his actual place of work or just a hijacked PC? Who knows.. stay tuned!

  • http://media-cow.net rob1

    LOL- what a dink! Well, I added his ip to my blacklist, but your site is still free and clear. At least you know for sure who was messing with you.

    Of course, I don’t really ‘get’ how these things work- but I wonder if that’s his real IP or if he’s using a proxy server to hide behind. I know a lot of spamming goes on that way.

  • http://blog.centresource.com Chris

    Yeah, it could be anything, really.. a compromised windows PC, an insecure proxy, who knows..

  • ChrisR UK

    Interestingly enough, the WASU TV & Communication Holding Co.,Ltd. seems to be the source network for a phishing scam too. This url –> http://www.mybank.alliance-leicester.co.uk.confirmprocedure.sst1.tc/r1/a/

  • http://www.canedesign.com Miami Web Design

    You have done some remarkable work by writing this blog. It shows that you have done a hard work on preparing this and it is really wonderful.

  • Sunflower

    This was great to read I am having a few problems myself,sadly I don’t know enough to be able to do the things you have :-(.