John Bokma MexIT
freelance Perl programmer

Zombie networks, comment spam, and referer spam

Monday, January 16, 2006 | 1 comment

Quite a lot of people are not careful with their computer and manage to get a program installed on it that they are not aware of, or they are aware of it, but don't know what it really does.

The program, when activated, contacts another computer, often an IRC (Internet Relay Chat) server and makes clear that it's ready to receive orders. A computer running such a program is called a zombie. A group of such computers is called a zombie network, and those computers are generally used for abuse.

Today my site got pestered with two common forms of abuse: comment spam and referer [sic] spam.

Comment spam

Comment spam is a comment on an article posted for the sole purpose of advertising another service, often a site. Because I moderate the comments, the comment spammer has no chance. Also, the script that emails each comment to me checks the message length, and if a link to a site (URL) is given, the message has to be even longer. This check sometimes results in intriguing messages in my error_log:

Your message 'love ya' is too short (<10)

Your message 'peace' is too short (<10)
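An added example of such a comment-length check, written here in Python and not taken from the author's own mailing script. The 60-character limit for comments that carry a URL is an assumption: the post only shows the "<10" bound for link-free comments and says a comment with a URL must be longer still.

```python
import re

# Limits: the post shows the "<10" bound for link-free comments and says a
# comment with a URL has to be even longer; 60 is an assumed value for that.
MIN_LEN_PLAIN = 10
MIN_LEN_WITH_URL = 60

# Matches http(s):// links and bare www. hosts, which is enough for this check.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

def check_comment(message):
    """Return None when the comment may go to the moderation queue, otherwise
    an error_log style line in the same format the post quotes."""
    text = " ".join(message.split())      # collapse runs of whitespace
    has_url = URL_RE.search(text) is not None
    # Measure the comment with its URLs removed, so that a long link cannot
    # pad a short comment past the limit.
    body = URL_RE.sub("", text).strip()
    limit = MIN_LEN_WITH_URL if has_url else MIN_LEN_PLAIN
    if len(body) < limit:
        return "Your message '%s' is too short (<%d)" % (text, limit)
    return None
```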

For almost a month, the same page has been receiving comment spam. It is easy to recognize for humans, since the comments are quite random, and most have nothing to do with the article they comment on. Some examples of the comments themselves:

Hi! How to me to adjust a background of page?

Hi! Do not prompt as me to send e-mail? = (

I can not find coordinates for a feedback.

Badly with scripts. Not the convenient interface. And so a site
interesting and useful. Has come, was surprised with quantity of the
information. Has added in the selected works, and I suggest you to
exchange references. In advance thanks, write

Has added in the selected works, and I suggest you to exchange
references. In advance thanks.

As to me to adjust correctly time on my computer?

Good site. It would be desirable to return again and again!

And that if to add on a site a history of creation of a site?

Hi! Who knows still sites similar to this?

The fourth entry almost got me thinking it was a genuine comment.

One of the sites promoted by comment spam

The sites, with two exceptions, all have a similar look: a header with a search option, a menu to the left, a table with links to product pages, and to the right Google AdSense. I didn't check thoroughly, but each site gave me the impression that it's a fake shop, and that the revenue comes from AdSense. The two exceptions are sites on casino games (poker, etc.) and look identical.

Domain                          Registrant
airtools-store.info             WhoisGuard Protected
accessories-for-cameras.info    WhoisGuard Protected
bedandbath-store.info           WhoisGuard Protected
ultra-tech-store.info           Dram Bass, Draminsk str. 4-5, Gborda
online-pokerratings.info        Igor Pavloff, Samara st 12, Moscow
simple-texas-holdem.info        Sergey Maksimishin, Karavannaya street 15, St. Petersburg
lighting-sales.info             Ilya Burkaltsev, V.O. 11-linia d20 kv3, St. Petersburg
olimpiya.com                    Alexey A Romanov, Nevsky str. 88-79, Saint-Peterburg
the-big-guns.com                Ilya Pimenov, Pushkinsky 23, St Petersburg
valerievich.com                 Nikolay Ryaboshapko, Izmaylovskiy bulvar, 43 Moscow

I've listed the spamvertized domains above, followed by the name and address of the registrant. The latter is obviously fake, but gives the impression that this comment spamming project might be coming from the Russian Federation.

I am not sure why they are comment spamming my Google Suggest program page. It probably appears high in a Google search they are targeting.

Referer spam

More annoying, to me, is referer spam. When a visitor reaches my page by clicking on a link, the address of the page containing the link, the so-called referer [sic], is part of the request for the page visited, and hence recorded in the access_log of the web server. I often use the referer information to find out which sites are linking to me, and why. Hence, hundreds of fake visitors don't amuse me, and they mess up my statistics.

Referer spam consists of having a program visit sites with the referer information set to the address of a website that one wants to advertise (or spamvertise, in this case). Doing this from many computers makes it look more genuine in the access_log, since it appears as though many different visitors reached the same web page by clicking on a link on the same site.

The reason this is done is that some sites publish referer statistics, including backlinks. If a spamvertized site manages to get into such an overview, it might get visitors back, and search engines like Google might count it as an extra incoming link.

Most of the referer spam I got today led to sites selling medicines like: adipex, valium, ambien, and tamiflu. Most of the spamvertized sites used the tf (French Southern Territories) top level domain.
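The distributed pattern described above can be picked out of an Apache combined access_log by grouping hits on referer host and counting how many distinct client addresses claim to have come from each one. This is an added example in Python, not a tool from the post; the log lines, host names and IP addresses are constructed (documentation ranges), and the .tf check and the threshold of three addresses are assumptions chosen to match what the post reports.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" access_log format: the referer is the first quoted field
# after the status code and response size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def referer_host(ref):
    """Host part of a referer URL, lower-cased and with a leading www. dropped."""
    host = (urlsplit(ref).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def suspicious_referers(lines, min_ips=3, tlds=("tf",)):
    """Map referer host -> reasons for flagging it: many distinct client IPs
    claiming the same referring site (the distributed pattern), or a TLD the
    day's spam favoured (.tf in the post). Both thresholds are assumptions."""
    ips_by_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["ref"] in ("", "-"):   # no referer: nothing to judge
            continue
        host = referer_host(rec["ref"])
        if host:
            ips_by_host[host].add(rec["ip"])
    flagged = {}
    for host, ips in ips_by_host.items():
        tld = host.rsplit(".", 1)[-1]
        reasons = []
        if len(ips) >= min_ips:
            reasons.append("%d distinct IPs" % len(ips))
        if tld in tlds:
            reasons.append("tld ." + tld)
        if reasons:
            flagged[host] = reasons
    return flagged

# Constructed sample log lines (not from the post); hosts and IPs are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jan/2006:10:01:02 +0100] "GET /google-suggest.html HTTP/1.1" 200 5120 "http://cheap-pills.example.tf/" "Mozilla/4.0"
198.51.100.7 - - [16/Jan/2006:10:01:05 +0100] "GET /google-suggest.html HTTP/1.1" 200 5120 "http://cheap-pills.example.tf/" "Mozilla/4.0"
203.0.113.44 - - [16/Jan/2006:10:01:09 +0100] "GET /perl/ HTTP/1.1" 200 3000 "http://www.cheap-pills.example.tf/index.html" "Mozilla/4.0"
192.0.2.99 - - [16/Jan/2006:10:02:00 +0100] "GET /perl/ HTTP/1.1" 200 3000 "http://blog.example.org/links.html" "Mozilla/5.0"
192.0.2.99 - - [16/Jan/2006:10:02:30 +0100] "GET /mexit/ HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
""".splitlines()
```

Run over a real access_log, the hosts it returns are candidates to leave out of published referer statistics, not proof on their own.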

How to stop zombies

Zombies are stopped by reporting the incident to the Internet service provider, and by the Internet service providers themselves actively scanning for them. Being aware that this problem exists is also very important. Some forms of comment spam might be overlooked, especially as spamming software gets smarter.

Since the referer spam was done by many computers, it's too much work to manually report each incident. I am going to look into automating this, or maybe someone already has done the hard work.
