Sunday, May 08, 2005

Referer spam

Case solved?

For months this blog – and other sites hosted on the same web server – was hit by referer spam, of which the majority was spamvertizing domains registered by the infamous Jane Phill (NIC-8754), by some believed to be identical to the Bulgarian twins. A couple of days ago I'd had it, I was fed up, and I decided to write to postmaster, abuse and the registrant of the offending domains.

I didn't really expect anything to happen, but the next morning I found an email from Doris Young in the abuse handler's mailbox:

Received: from [85.65.144.204] by web32004.mail.mud.yahoo.com
    via HTTP; Fri, 06 May 2005 21:58:42 PDT
Date: Fri, 6 May 2005 21:58:42 -0700 (PDT)
From: Doris Young <tqiopi@yahoo.com>
Subject: Re: Stop spamvertizing whvc.net in HTTP_REFERER!

Hi,

Please let me know your url that was spammed and I will remove you from the list ASAP!

Bye,
Doris.

Interestingly, the emails sent to abuse and postmaster are still in the mail queue as I write this, so the email “Doris” replied to has to be the one sent to contact61@support-4u.net.

I quickly responded with a list of domains, and instructed Doris to never use referer spam to promote Jane Phill's – or anyone else's – domains again, and after a short while I noticed someone from IP address 85.65.144.204 (belonging to Barak I.T.C. in Israel), the very same IP address Doris used for Yahoo webmail, poking around on the web server. A coïncidence? Hardly!

Next came another email from Doris:

Received: from [85.65.144.204] by web32012.mail.mud.yahoo.com
    via HTTP; Sat, 07 May 2005 08:48:04 PDT
Date: Sat, 7 May 2005 08:48:04 -0700 (PDT)
From: Doris Young <tqiopi@yahoo.com>
Subject: Re: Stop spamvertizing whvc.net in HTTP_REFERER!

Hi,

You are out from the list :-)

Thanks and sorry,
Doris.

Well… I haven't noticed any referer spam on the web server for almost 30 hours now, but we all know that spammers are lying, so I'm not going to hold my breath. I do hope, however, that Doris, Jane, the Bulgarian twins – or whoever the culprit was – will stay away from this web server forever, and I encourage my net fellows to contact the registrant of the spammer's domains. Let me know if you succeed.

Cheers.