Tags related to tag spam
Tuesday, January 31. 2006
TrackBack Spam.. some notes on what they are doing.
I fucking HATE trackback spam. Spammers are doing to trackbacks what they did to Usenet and are doing to email: making a perfectly good service absolutely unusable because, in a nutshell, they fucking suck.
The latest batch of trackback spam I got points to a page at http:// www .myjavaserver .com/ ~casinosandpoker /videopoker.html (not hyperlinked, don't go there.) which contains some "encrypted" Javascript. Here is a hint kids, you cannot fucking encrypt Javascript, because the client's browser needs to decrypt it. Decrypting it is as easy as looking at the code, and executing it in a sandboxed environment to see what it is doing. This particular chunk of Javascript builds a form with a hidden field, with the name ref, and the value is supposed to be the referer, and then submits that form. For my non-technical readers, it basically logs where you got the link to that site from (the trackback on my site) and then sends that off to a new site (http:// www .best-pokerrooms .com/).
Well that is what it is supposed to do.
These assholes screwed up. They assumed that the server is running PHP (it's not).
Boy, wouldn't it suck if someone put up some arguments to wget and cURL to fill up their referer logging mechanism full of junk?
Man. That would SUCK.
Especially since they get their ad revenue from external Javascript. Which isn't downloaded.
Man.
I hope no-one does that.
wget --post-data="ref=http://StopSpammingBlogs.com/TrackBackSpamSux" \
  --referer=http://stop.spamming.blogs.org/StopTrackBackSpammingBlogs \
  --spider http://www.best-pokerrooms.com/

curl --form "ref=http://StopSpammingBlogs.com/TrackBackSpamSux" \
  --referer http://stop.spamming.blogs.org/StopTrackBackSpammingBlogs \
  --request POST http://www.best-pokerrooms.com/ >/dev/null
Randomize the urls to be, well, whatever you like really. Just keep the www.best-pokerrooms.com url the same.
Update: Metacharacters are your friend... Certainly don't do this... lots.
Update 2: User agent selection is also good. No-one should ever do this, because it would be oh-so-terrible if it was harder for trackback spammers to scrub their referer logs.
Update 3: Now I am the dumbass, it appears that --spider in wget only performs a HEAD request, not a POST. So I fixed the wget command.
wget --post-data="ref=http://`pwgen 50 1`.com" \
  --referer=http://`pwgen 50 1`.com \
  --user-agent=`pwgen 50 1` \
  --output-document=/dev/null http://www.best-pokerrooms.com/

curl --form ref=http://`pwgen 50 1`.com \
  --referer http://`pwgen 50 1`.com \
  --user-agent `pwgen 50 1` \
  --request POST http://www.best-pokerrooms.com/ >/dev/null
Wednesday, September 14. 2005
Fuck Pacific Poker, and Fuck Party Poker.
I'm getting trackback spammed up the wazoo. I've turned on moderation. SO FUCK YOU.
Thursday, May 19. 2005
More Trackback Spam.
If you were to go to any subdomain from pain-bdsm-torture.com, you'll get a "500 Internal Server Error" page. Or what appears to be one.
In fact, these fucknozzles are trying to use me in a Google 302 exploit. See, while visiting that page it says it's sending an HTTP 500 error, it is instead sending a 302, which is part of this exploit. I am kinda hazy on the details of how it works, but essentially they are trying to thieve pagerank.
Fuckers.
If you view the source of the page, there is a bunch of obfuscated javascript that essentially does two things:
- write out the 500 Internal Server Error Page instead of the real one that search engines will crawl
- Call a piece of external javascript with just 2 lines:
var SE_query = "female+nazi+torture";
var SE_referer = "referrer url, i.e. the entry with the trackback";
I've gone for strictly moderated comments and trackbacks now, no way are they going to use my site to fuck with shit.
Friday, May 13. 2005
Trackback Spam Part II
I'd really rather write part III of my series on DIY Electrical Play. But I got another piece of trackback spam (see my original entry here). So here is more information about these fucknozzles.
This time the trackback was apparently from areaofmusic.net. Which is a redirect to allhqmusic.com. Still no search results for 'jonnay', so this is definitely not legit. Again, here is the address in my apache log:
200.99.43.2 - - [13/May/2005:10:44:48 -0600] "POST /comment.php?type=trackback&entry_id=435 HTTP/1.0" 200 87 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" "-"
And of course, the whois entries point straight back to Azazar and Partners. Here is the whois fragment of areaofmusic.net:
Administrative Contact:
OsOO Extratuz
Azazar Kikabitze (azazar@niksoftware.ru)
ul. Lenina d. 21 kv. 5
Bishkek
Chuyskaya Oblast,720000
KG
Tel. +996.912112233
As the spamhuntress mentions, the first IP address is apparently located in Malaysia. The second one is Brazil. My money is that the IPs are either anonymous proxies, or zombies.
The hqhost connection is there again. Again, it might just be a case of just being the hosting providers. So the question is, is it an innocent business? Or are they giving aid and comfort to the enemy?
Blogvertizing.
I thought I'd give you (friends, family, fellow geeks) the real story, human to human, on why you should (or shouldn't) use the new Yahoo! Music Engine.
Except, that it reads like marketing fluff. It is by all means possible that he is just excited about a new product launch. And he does have quite the reputation, in fact, he can't stop talking about it...
FWIW, my name is Ian Rogers. I used to work with Beastie Boys, for their record label Grand Royal, at Nullsoft (where Justin and Tom made Winamp, SHOUTcast, and Gnutella), and most recently had a very small company called Mediacode with my main man Rob Lord (who started IUMA and brought Nullsoft up with Justin). We sold Mediacode to Yahoo! in Dec 2003 and Y! has had us in a cave ever since building the Yahoo! Music Engine and some other stuff we can't tell you about yet.
Right okay okay okay. You're beating me over the head with your Old School Hip Street Credibility. The rest of it is basically market-droid-speak.
But down to the reason you're reading this. I'm asking you to ditch Windows Media Player (aka WiMP, sorry John, Mark), Winamp (pour out a little liquor), iTunes (sorry Chris and Steve G), MusicMatch (apologies to my new brothers and sisters), Rhapsody (you were my first for-pay love, ya tramp), and Napster (THROW ANOTHER STACK OF BENJAMINS ON THE FIRE!), and use Yahoo! Music Engine instead. (If you're using Foobar2000, keep on, brother man, I ain't going to war with y'all purists.)
This blog entry seems to be nothing but advertising. Maybe there is nothing wrong with that, but it does leave a bad taste in my mouth. It's like hearing about people who are paid to loudly discuss a product or people paid to pump up a product in chat rooms and web forums.
Maybe I'll sort out my thoughts about this later. But for now.. Ugh. Time for the mouthwash.
Thursday, May 12. 2005
More Trackback Spam
More trackback spam is coming my way. Thanks to the good folks at mp3se. They seem to be somewhat related to hqhost.net, which The Spam Huntress has had some dealings with. I am not quick to blame hqhost.net, they might just be a semi shady company providing anonymous proxies to spammers and not the actual spammers.
Doing a quick search on mp3se, it seems like they don't actually link to any of my music, so why would they trackback an entry, except for 'Search Engine Optimization'? Stupid fucks.
Here is the whois record for mp3se.com:
Domain Name: MP3SE.COM
Registrant:
Azazar & Partners
Mikhail V Yevchenko (azazar@azamail.biz)
PO Box 2723
Chelyabinsk
,454014
RU
Tel. +7.9222316240
Creation Date: 12-Dec-2004
Expiration Date: 12-Dec-2005
Domain servers in listed order:
41730.mercury.orderbox-dns.com
41730.venus.orderbox-dns.com
41730.earth.orderbox-dns.com
41730.mars.orderbox-dns.com
Administrative Contact:
Azazar & Partners
Mikhail V Yevchenko (azazar@azamail.biz)
PO Box 2723
Chelyabinsk
,454014
RU
Tel. +7.9222316240
Technical Contact:
Azazar & Partners
Mikhail V Yevchenko (azazar@azamail.biz)
PO Box 2723
Chelyabinsk
,454014
RU
Tel. +7.9222316240
Billing Contact:
Azazar & Partners
Mikhail V Yevchenko (azazar@azamail.biz)
PO Box 2723
Chelyabinsk
,454014
RU
Tel. +7.9222316240
Googling Azazar & Partners, and Mikhail V Yevchenko comes up with almost nothing in the way of results. I've added 'mp3se.com' to the global referrer blacklist. Usually I just let the spam-catch plugin deal with trackback spam, because the other trackback spammers always try and trackback older entries. So when I see them come in I can blissfully let them linger in 'un-moderated' land. These guys trackback fresh entries, which are automagickally approved. I might have to change that. For now the referrer blocking works fine.
Here is their signature on my apache log in case that helps out any other sleuths:
203.92.128.3 - - [12/May/2005:12:18:01 -0600] "POST /comment.php?type=trackback&entry_id=435 HTTP/1.1" 200 99 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" "-"
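For other sleuths matching that signature against their own logs, here is an added example (not the author's tooling) that pulls trackback POSTs out of an Apache access log and reports any entry hit with the same user agent from several source IPs. The grouping rule and the function names are assumptions drawn from the two log lines quoted in these posts; the last two sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format; any extra trailing field (as in the lines above) is ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_trackback(line):
    """Return a dict for a trackback POST to comment.php, or None for anything else."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    qs = parse_qs(url.query)
    if not url.path.endswith("/comment.php") or qs.get("type") != ["trackback"]:
        return None
    return {"ip": m["ip"], "ua": m["ua"], "referer": m["referer"],
            "entry_id": qs.get("entry_id", [""])[0]}

def find_campaigns(lines, min_ips=2):
    """Group trackback POSTs by (entry_id, user agent) and keep the groups seen
    from at least min_ips distinct source addresses (assumed heuristic)."""
    groups = defaultdict(set)
    for line in lines:
        hit = parse_trackback(line)
        if hit:
            groups[(hit["entry_id"], hit["ua"])].add(hit["ip"])
    return {key: sorted(ips) for key, ips in groups.items() if len(ips) >= min_ips}

SAMPLE = [
    # The two log lines quoted in these posts.
    '200.99.43.2 - - [13/May/2005:10:44:48 -0600] "POST /comment.php?type=trackback&entry_id=435 HTTP/1.0" 200 87 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" "-"',
    '203.92.128.3 - - [12/May/2005:12:18:01 -0600] "POST /comment.php?type=trackback&entry_id=435 HTTP/1.1" 200 99 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" "-"',
    # Constructed lines: an ordinary page view and a lone trackback from blog software.
    '192.0.2.10 - - [13/May/2005:11:02:10 -0600] "GET /index.php HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0 (X11; Linux i686)" "-"',
    '192.0.2.20 - - [13/May/2005:11:05:00 -0600] "POST /comment.php?type=trackback&entry_id=436 HTTP/1.1" 200 90 "-" "ExampleBlog/1.0" "-"',
]

if __name__ == "__main__":
    for (entry, ua), ips in find_campaigns(SAMPLE).items():
        print(f"entry {entry}: {len(ips)} IPs with UA {ua!r}: {', '.join(ips)}")
```

A group that shows up here is a candidate for the moderation queue or the referrer blacklist, not proof of spam; a popular entry can collect pings from several legitimate blogs running the same software.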
Thursday, April 28. 2005
Fuck the dirty commie spammers!
Fuckem.
Jerks.




