Referral Spam

Posted by Tony Buser Sun, 11 Jan 2004 18:04:26 GMT

Continuing my "war on spam":http://www.juju.org/archives/2004/01/07/blogspamandmtblacklist.php, I've decided to tackle "referral spam":http://www.jayallen.org/commentspam/2003/11/alertreferral_spamming

For months I've noticed an ever-increasing amount of crap on my "website stats":http://www.juju.org/cgi-bin/awstats.pl?config=www.juju.org&output=refererpages page. In case you don't know about referral spam, it's when spammers send fake requests to your website with their website being the source. As if someone visited their website and clicked on a link to your website. Well, there sure as hell aren't any links to my website on www dot teen-blow-job-pictures dot biz, unfortunately. Back in the good olde days this was just a minor annoyance to try and get webmasters to visit their site. Unfortunately in this day and age of "Google Pageranking":http://www.google.com/technology where sites rank higher if they are linked to from popular sites (I checked the other day and somehow juju.org managed to have a google pagerank of 6 out of 10) and I was dumb enough to link to my website stats, thereby making me a juicy target.

While looking through my list of lame referrals, I noticed backlinks dot seguru dot net (there's no way in hell I'll link to them). Seguru is a "service [that] takes the headaches out of building link popularity". (read: we're a dirty rotten sleazebag company that spams websites for you). From their "how it works" webpage, they clearly admit their crime:

bq. What does our system do?

bq. Simply put, we seek out sites that are indexed in major crawling search engines. Not just any sites, but sites that show Top Referrers or maybe they have their website statistics open. We use numerous search terms within these engines to find up to 1000 listings for each of the terms that would find us that type of site we need to show you as a referrer!

bq. Once we’ve identified these sites, we send a simple HTTP request to that site thru an anonymous proxy. No one knows where the request came from, the only people that typically see these types of pages are webmasters.

bq. So our system will seek out anywhere from 10000 to 15000 of these sites on a daily or weekly basis depending on how much of a boost you think you may need with this service. Your site now begins to show up as a Top Referrer and in the stats pages of these many other sites that we already know is indexed…and your sites spider activity goes thru the roof. With this method, you can place any web site you own in front of certain spiders many times and start seeing a fast impact on your search engine placement.

The interesting thing is, they say they use an anonymous proxy. At first I was afraid they use a number of temporary hosts to send their spam. However, all their fake referrals come from a single ip address: "64.239.138.76". So I decided to do the following:

I could just remove the link to my website stats, but damnit I don't want to. So I decided to add Disallow: /cgi-bin/awstats.pl to my "robots.txt":http://www.juju.org/robots.txt file. So that spiders will no longer index my website stats and stop adding to their pagerank scores.

Sent them an email (trying very hard to remain civil) telling them I know they've been using my website to spam my referral logs and that I've blocked them and removed my stats page from being indexed so they might as well stop spamming me because it won't help the pagerank of their clients any more. I never received a reply and they kept spamming me so...

I added DROP net:64.239.138.76 dmz all - to my firewall rules to stop them from even reaching my website at all. btw, I suggest "DROPing the packet and not REJECTing the packet":http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject. That way when their spamming system tries to send the request to my website instead of immediately receiving a "connection rejected" response, they will instead sit and wait for the connection to time out. Thereby hopefully slowing their system down a bit.
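An added example, not part of the original post: before blocking an address as above, a log check like this shows which client is behind a run of fake referrals, by finding clients that claim to arrive from many unrelated sites. It assumes Apache combined-format access logs; the function names, the threshold and the sample log lines (documentation addresses and .example domains) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def referrer_hosts_by_client(lines, own_hosts):
    """Map each client IP to the set of external referrer hosts it claimed."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or non-combined line
        try:
            host = (urlsplit(m.group("referer")).hostname or "").lower()
        except ValueError:
            continue  # unparseable Referer header
        if host and host not in own_hosts:  # "-" (no referer) yields no host
            seen[m.group("ip")].add(host)
    return seen

def suspicious_clients(lines, own_hosts, min_hosts=3):
    """Clients claiming at least min_hosts distinct external referrers.

    min_hosts is an assumed threshold; tune it against your own traffic.
    """
    seen = referrer_hosts_by_client(lines, own_hosts)
    return {ip: sorted(hosts) for ip, hosts in seen.items() if len(hosts) >= min_hosts}

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2004:10:00:01 +0000] "GET / HTTP/1.0" 200 5120 "http://pills.example/" "Mozilla/4.0"
203.0.113.7 - - [11/Jan/2004:10:00:02 +0000] "GET / HTTP/1.0" 200 5120 "http://casino.example/win" "Mozilla/4.0"
203.0.113.7 - - [11/Jan/2004:10:00:03 +0000] "GET / HTTP/1.0" 200 5120 "http://loans.example/" "Mozilla/4.0"
198.51.100.20 - - [11/Jan/2004:10:05:00 +0000] "GET /archives/ HTTP/1.1" 200 8000 "http://www.google.com/search?q=referral+spam" "Mozilla/5.0"
198.51.100.20 - - [11/Jan/2004:10:05:09 +0000] "GET /about HTTP/1.1" 200 3000 "http://www.juju.org/archives/" "Mozilla/5.0"
192.0.2.44 - - [11/Jan/2004:10:06:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    own = {"juju.org", "www.juju.org"}
    for ip, hosts in suspicious_clients(SAMPLE_LOG, own).items():
        print(f"{ip} claimed {len(hosts)} external referrers: {', '.join(hosts)}")
```
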

The funny thing is, they say they use an anonymous proxy to do their dirty work. "Samspade":http://www.samspade.org tells me 64.239.138.76 "64.239.138.76 has dubious reverse DNS of colo3.hostcloud.com - which is a valid hostname, but not one that resolves to 64.239.138.76". And backlinks dot seguru dot net resolves to 64.239.140.103. seguru dot net and seguru dot com are basically the same thing. seguru dot net's admin contact is:

bq. Administrative Contact: BABIN, DARON contact@domainnamesystems.com 1811 Englewood Road Suite 230 Englewood, FL 34223 US 941 473 1779

And seguru dot com's admin contact is:

bq. Administrative Contact: Babin, Daron (35982737P) webmaster@seguru.net AMI 7298 Siena Way Boulder, CO 80301 US 303-549-2197

Yet traceroutes seem to indicate their servers are hosted somewhere in California. And they use THIRDSPHEREHOSTING dot COM.

Not very anonymous. Also a "google search for 64.239.138.76":http://www.google.com/search?q=%2264.239.138.76%22 shows that they are definitely pretty busy spamming people's websites. Ok, I've wasted enough time obsessing. Maybe I'll go around reporting them to their hosting companies. However, I somehow doubt that will do any good. I consider it obvious abuse, but will the hosting companies care?
