Now for something completely different



JMac
11-16-2003, 07:18 PM
Hi all-

A warning in anecdote form...

Once upon a time (today), while checking my raw access log, I came across a visitor who came through from a site I'd never heard of before. I decided to check them out (I'm not posting the actual link - PM me if you think this may have happened to you, too - visit this other site FIRST since it tells the story of what these sites are doing: http://www.idly.org/2003/11/14/porn_sites_hiding_behind_blogs.php ) and found it to be a relatively innocent looking Blog site about Business Blogs. Odd... why the link to us? I found the link to us on the left hand side, where you'd normally see a navigation menu - and it wasn't just any link - it was a link to our control panel. Of course, without the password and such, people can't get in... but why?

So, I did a Whois on the site and got a name. Then Googled the name - that's where I got the above link - about how porn sites are hiding behind blogs - and using these "links" to boost their Google popularity. Now, as I understand it, there is a hidden link at the bottom of the page which I also found when I did a view source. Either way, and whatever the heck - How would this affect the popularity of a porn site? I mean having a link to my control panel on a blog site, even if it is a false front (which I have yet to comprehend), how will this help them?

Anyways, this is more of a warning than anything else - watch your logs and check out referrers. I've had some people coming through from porn sites before (though I have nothing remotely porn-like on my own sites) and even a gun enthusiasts' site in Germany - why? Who? What? That whole world is a little more "deep web" than I get!

JMac

rocky1
11-16-2003, 10:08 PM
Obviously they never watched you play badminton or they'd know they were flirtin with disaster!

minstrel
11-17-2003, 01:57 AM
See this thread started by Judith:
Why are these bloggers linking to me? (http://www.webproworld.com/viewtopic.php?p=41577&highlight=control+panel#41577)

pete61uk
11-17-2003, 02:44 AM
Good thread.

I checked the site out and found one of those listed in my referrers. Also, one not listed, "Mike's Spot.Com".

I had looked at these when they appeared in my stats but thought they were harmless. Hell, I couldn't even see any links to my site????

I'll be looking more closely in future. However, what can be done to stop it? If you e-mail them a strongly worded complaint all you are doing is providing a live address they will probably sell on?

JMac
11-17-2003, 11:05 AM
Hi again,

For an update on what's been discovered so far, see:

http://www.webproworld.com/viewtopic.php?p=41932#41932

(You know, even though it says HTML is enabled for me in my profile, I have yet to successfully use it in a post!)

Have a great Monday and feel free to join in the hunt for the source of these sites.

JMac

JMac
11-17-2003, 12:02 PM
Rocky-

I've got a birdie for them, alright! And, I am not afraid to use it!

JMac

myclassy67
11-17-2003, 04:01 PM
I think I saw something on this site somewhere about this, but I can't find it now.
I followed a link this morning from my "latest visitors" from my control panel to a site that had a link TO my control panel on their site. Looking up the info on the site came up with a wrong phone number, a street that doesn't exist, etc. When I tried to call the hosting company, I get answering machines and no returned calls. I don't think without my id and password that it's accessible to the "regular public", but I don't like the idea of the situation and the fact that I can't reach anyone to take care of it.
Should I be worried about this, and is there anything I can do to get it resolved??
Sue
www.lovinghandsboutique.us

<mod note> I found it and merged them for you Sue - Carju1

christoefar
11-17-2003, 04:08 PM
I don't quite understand the question, could you rephrase it please.

myclassy67
11-17-2003, 04:28 PM
Sorry - I found on someone else's website a link to my website's "control panel". All the info to that website (phone number, address, etc) is phoney and I can't reach anybody where the site is hosted. Should I be concerned about this link being on that site and if so what can I do to fix it - or am I being concerned about nothing.

Sue

christoefar
11-17-2003, 04:43 PM
Well if all the info on the page seems to be phony then it's probably not a very good site to have your link on.

But as you can't get in touch with the site owners or the hosting company, there is not much else you can do but sit back and see what happens.
If you want to give me the info, I would be happy to look into it for you.

Without your user and pass it won't be possible to access your control panel, so it's not the end of the world.

Good luck

myclassy67
11-17-2003, 05:45 PM
The site was www.mikesspot.com and is hosted on Stargate.com. Thanks,
Sue

myclassy67
11-17-2003, 05:52 PM
Guess my post got moved to be included in the post I couldn't find, but didn't realize it until after replying. Sorry for continuing when most of what I was asking was already answered. (It's been a very long Monday)
sue

christoefar
11-17-2003, 06:02 PM
That website seems harmless, might just be a coding error in Movable Type, I don't know that much about Blogs so I'm not sure, sorry.

myclassy67
11-17-2003, 07:12 PM
Thanks for your help Chris
Sue

Narasinha
11-18-2003, 02:24 AM
Looking up the info on the site came up with a wrong phone number, a street that doesn't exist, etc. When I tried to call the hosting company, I get answering machines and no returned calls.

I had a problem with someone sending spam with my email address as the return address. The spam was coming variously from China, South Africa, Brazil, etc. Companies in these countries are difficult to track down. The advertised site was registered in the US (it was a .us domain), but hosted in Malaysia. The single page at the site contained an information-gathering form that linked to an IP number belonging to a cable company in Arizona.

I called the telephone number listed in the contact information for the domain, but the number was that of an individual who had no idea about the site. The area code and exchange were correct for the address listed. Directory assistance had no listing for the person associated with the domain name.

Registrars generally have a clause in their terms of service (TOS) specifying that contact information must be correct, and must be changed within a certain period of time if necessary. I contacted the registrar (godaddy.com in this case) and informed them of the situation, particularly the incorrect contact information. The site was shut down (no DNS) the next day. Their spam still went out, but it was now useless. I hit them where it hurts: in their wallet.

If you have problems with a site that has incorrect contact information (I often use samspade.org to get this information) contact the registrar associated with their domain name, not their web hosting service, and let them know about it. GoDaddy was very helpful in this particular case.

Best Regards,
Narasinha

vfaulkner
11-18-2003, 11:02 AM
I too have had a log ref to mikes spot blog, but no visible link when trying to verify...

JMac
11-18-2003, 11:22 AM
vfaulkner:
It's only by fluke that I saw the link to our control panel - they have a rotating links script or something (underhanded) and you need to arrive at their page within 10-15 minutes of seeing them in your "latest visitors" or else you won't see the link - but it WAS there!

Besides mike's blog, websearchus.com, worldnewsblog.com, there's another one at teoras.com - looks like a blog, smells like a blog - but it's not a blog. Under each of these sites is a folder called "adult-webcam" and many of the links on the page, including ones hidden as transparent gifs, are links to their naughty section. Even accidentally clicking into those links will have you slammed with up to 100 popups in 20 seconds - on my PC, everything crashes - on my Mac, I do a Force Quit before the family wonders what the heck I am doing. So far, since adding the ip number 141.85.3.130 to my IP deny list, I haven't had any links through from these sites. All of these sites have come through on that IP number.

Click through on Minstrel's provided link above to the other post here called "Why are these bloggers linking to my site?" - more information there as well. Including my exchange of emails with the company who registered their domain name - apparently they used to also host them. They aren't a very helpful company though - the guy's response was to say "since i don't visit porn sites, i won't have a problem with their popups crashing my browser". Ah yes, very helpful!! :-(


Have a pleasant day all!

JMac

JMac
11-18-2003, 11:23 AM
Same message entered twice - oops!

JMac

Greyhawk
11-18-2003, 11:35 AM
Ok I am convinced I will never have a blog on my site.

Greyhawk

mikmik
11-18-2003, 07:47 PM
Hi V!

That's okay Greyhawk, I already got one there..

rlrouse
11-19-2003, 11:20 AM
Odd... why the link to us? I found the link to us on the left hand side, where you'd normally see a navigation menu - and it wasn't just any link - it was a link to our control panel. Of course, without the password and such, people can't get in... but why?

Some people have their stats pages viewable to the general public, including search engine bots. If there is a link to the stats page, it gets crawled and indexed into the Google database, resulting in a backlink for the spammer? Could this be possible?

JMac
11-19-2003, 12:53 PM
rlrouse-
We don't have our stats page viewable by the public and the link is to the control panel, not to the stats page. It just brings up the sign in box - which is okay I guess - no one has the password.
Also, the links rotate so quickly on their page, as well as on our stats page that it would hardly seem worthwhile because the chances are that Google (or other bots) won't be indexing just at the right moment.

There are a lot of discussion boards talking about this new activity. Yesterday, I found a legit blog site that uses the same technique of rotating links of referrers. There was no adult content and the information provided there is quite useful within the mathematics tech field so I haven't bothered myself with it but I'm still curious as to how these links help them. (The bloggers, legit and not.)

JMac

rlrouse
11-19-2003, 01:14 PM
We don't have our stats page viewable by the public and the link is to the control panel, not to the stats page. It just brings up the sign in box - which is okay I guess - no one has the password.

My stats page isn't viewable by the public either and they're hitting my control panel page as well. I just wonder if this is some kind of bot that harvests domains and then "probes" the control panel trying to get in. Conspiracy theory maybe, but why else would they target the control panel of all these sites?


Also, the links rotate so quickly on their page, as well as on our stats page that it would hardly seem worthwhile because the chances are that Google (or other bots) won't be indexing just at the right moment.

Google crawls millions of pages each day. The bots only have to get lucky a few hundred times to build a few thousand backlinks in a matter of days.

Go to google and do this search query:

/stats.html+daily

This returns over 10,000 stats pages, and that just includes the ones with the word daily on the stats page.

But like I said, this is just a theory...

info202
11-19-2003, 01:47 PM
I posted this reply in response to another thread, but would like to post it again here.
I also noticed a referral (in my webstats) from Jennifersblog... when I went there, I noticed she had a link to my control panel.. so I clicked on it... lo and behold, I went right to my control panel... no password was asked for. So, obviously changing my password is an exercise in futility...
I checked with whois and found that the owner of this site is a Brian Mcwatters in Bloomington, MN and that the site is hosted through Stargate.com (same host site as mentioned several posts up).

I again went to jennifers site and now, I find my link is no longer there...any explanations????

JMac
11-19-2003, 02:06 PM
info202-
It is not futile to change your password - you can and should do so right away.
You'll find information of the "Brian Mcwatter" at http://www.idly.org/2003/11/14/porn_sites_hiding_behind_blogs.php

He doesn't exist - neither do any of the "webmasters" at the other blog sites.

It won't help to email him - do block the IP 141.85.3.130 through your control panel. Or, if the IP number is not the same, block the one you see when the blog site is the referrer.

The most important thing is to change your password - that means everyone has access to your control panel - that can only go badly. You don't want people uploading files and hotlinking to them and using up your bandwidth, among other negative implications.

I'll let you know as I find out more, all!

JMac

info202
11-19-2003, 02:07 PM
just an addendum to my last post..
Last weekend, my site was down for quite a long time... and I emailed my host... I was sent a forum type page which indicated that the server was hacked into...
This happened on 11/15/03 and I noticed that jennifers blog was created on 11/10/03. I don't know if there is any significance between the server being hacked into and the link to my site on jennifersblog (which seems innocent enough to me)
Any thoughts or ideas?????

Moondancer
11-19-2003, 02:12 PM
hmmmm........ mikesspot sounded familiar to me out of the group so i clicked on the provided link... we aren't listed in those links anymore.. i'd say we were and would pop up again if i sat there and refreshed the page long enough... as now guess what link is provided? www.webprworld.com ..... the links rotate.. interesting, huh? one of the members culling addies?

all those sites mentioned in both threads on this topic have showed up in both sites from my signature.. I have another site that isn't in my signature, it's clean of those links... problem is, I can't say the same about the link being to the control panel.. it goes directly to the main pages of those sites.

So what should I do about this? I can't complain that somebody is trying to get into our control panel or anything..although I'm not thrilled to be listed on a site that links to porn, they are regular links to both sites.

Moondancer
11-19-2003, 02:16 PM
Correction... I thought I had both sites listed in my signature... that is incorrect.. however.. one of my partners is also a member of this forum and the other site is listed in his profile.

info202
11-19-2003, 02:34 PM
JMac
Thanks for the advice... I changed my password, contacted my hosting service..
I tried to find the IP address for the Jennifersblog referral... (I know there had to be one, because I clicked on the link and went to my control panel), but all I could find were familiar IP addresses and, of course, my own...
I looked through Webalizer, AWstats, and the latest visitors... nothing...
the info on the first referral from jenniferslink does not indicate an IP address and of course, I don't know the date when it occurred...
thanks again for your info....

salubritas
11-19-2003, 03:10 PM
I've been hit by these today from 217.73.164.106 and 141.85.3.130 using fake referrers http://www.saulem.com/ and http://www.bongohome.com/

I got hit with the jennifersblog etc. ones a few days back.

The request uses the faked User Agent "MSIE 6.0" which makes it easy to spot. The referrers are apparently blog sites but there are no links to my site - I am sure the referrers are just faked by the robot.

These IP addresses actually take you to the search engines iaqi.com and kwmap.com, so I suppose they are running the robot for themselves or a third party. Or the IP could be faked too - maybe it's a slur/DDOS campaign against these sites?

I don't know what they are trying to achieve by this, only idea is that they could raise Alexa rankings for these sites if the fake blog entries cause lots of curious webmasters with the Alexa toolbar to visit them to find out how they got visitors referred from the site. I often use the Alexa toolbar when visiting my own sites and sometimes leave it on so I suppose that could work. Alexa has been vulnerable to scams like this.

There is so much weird stuff going on in the background of the Internet that I ignore most of this stuff. Can't pretend that this isn't intriguing though.
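
The signals reported in the post above (a bare "MSIE 6.0" user agent and unrelated blog referrers arriving from one address) can be checked mechanically. The script below is an added example, not part of the original thread; the log lines, addresses and host names are constructed, and the "no page assets fetched" signal is an extra assumption that a real visitor's browser also loads images and stylesheets.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in Apache "combined" log format (not real traffic).
# Addresses are from documentation ranges; host names are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Nov/2003:15:01:02 -0500] "GET / HTTP/1.0" 200 5120 "http://blog-one.example/" "MSIE 6.0"
192.0.2.10 - - [19/Nov/2003:15:01:09 -0500] "GET / HTTP/1.0" 200 5120 "http://blog-two.example/" "MSIE 6.0"
192.0.2.10 - - [19/Nov/2003:15:03:40 -0500] "GET /cpanel/ HTTP/1.0" 401 401 "http://blog-one.example/" "MSIE 6.0"
198.51.100.7 - - [19/Nov/2003:15:04:11 -0500] "GET /products.html HTTP/1.1" 200 8843 "http://directory.example/seeds.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [19/Nov/2003:15:04:12 -0500] "GET /img/logo.gif HTTP/1.1" 200 2210 "http://www.mysite.example/products.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [19/Nov/2003:15:06:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
ASSET_RE = re.compile(r"\.(gif|jpe?g|png|css|js|ico)(\?|$)", re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def is_own_host(host, own_host):
    """True when the referrer is this site itself (including subdomains)."""
    return host == own_host or host.endswith("." + own_host)


def find_referrer_spam(lines, own_host, min_hosts=2):
    """Flag client addresses whose referrers look machine-generated.

    An address is reported only when at least two signals agree, so one
    odd header on its own does not get a real visitor blocked.
    """
    stats = defaultdict(lambda: {"refs": set(), "assets": 0, "bare_ua": False})
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue  # unparseable line: skip rather than guess
        entry = stats[hit["ip"]]
        if ASSET_RE.search(hit["path"]):
            entry["assets"] += 1
        ref_host = urlparse(hit["referrer"]).hostname  # None for "-"
        if ref_host and not is_own_host(ref_host, own_host):
            entry["refs"].add(ref_host)
        # Genuine IE 6 sends "Mozilla/4.0 (compatible; MSIE 6.0; ...)".
        agent = hit["agent"]
        if "MSIE" in agent and not agent.startswith("Mozilla/"):
            entry["bare_ua"] = True

    findings = {}
    for ip, entry in stats.items():
        if not entry["refs"]:
            continue  # no external referrer claimed, nothing to judge
        reasons = []
        if entry["bare_ua"]:
            reasons.append("bare MSIE user agent")
        if len(entry["refs"]) >= min_hosts:
            reasons.append("several unrelated referrers from one address")
        if entry["assets"] == 0:
            reasons.append("no page assets fetched")
        if len(reasons) >= 2:
            findings[ip] = {"referrers": sorted(entry["refs"]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, info in find_referrer_spam(SAMPLE_LOG, "mysite.example").items():
        print(ip, info["referrers"], "; ".join(info["reasons"]))
```

Flagged addresses are candidates for the IP deny list mentioned earlier in the thread, and the referrer hosts they claimed can be filtered out of the stats report.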

vfaulkner
11-19-2003, 04:01 PM
A thought though on the not being asked for panel passwords...
Are you trying this from your own computer? could a cookie/autocomplete be autologging you in?

I know that when I go to my panel at home in IE, I am immediately there, no matter where else I have surfed. I have changed my settings to stop this, I hope...

vfaulkner
11-19-2003, 04:20 PM
I am also getting a LOT of strange bot hits too. in research of this and their validity I found http://www.robotstxt.org/wc/active/html/index.html , which is a registry of valid bots and attributes...

FYI

kiumars
11-19-2003, 07:21 PM
Hello,

I guess you were looking for information about the following site: Or anything else?

info202
11-19-2003, 07:35 PM
JMac posted a link to idly.org, which I went to and found that there are tons of people who found their links on these bogus blogs...
One of the posters mentioned that if you go to the blog site from your own control panel, you will see your link as the last in their link structure.. but if you type in the URL, your link is not there any longer....
anyway, in one of my previous posts (either here or in the other thread about the same subject), I mentioned that my host's server was hacked into last weekend...and I felt that this might have some significance... sooo.. since I have several sites hosted there, I decided to check into each site's stats... I did not find any referrer in those sites' stats that match any of the blog sites... so, I thought that perhaps there is someone at WebProWorld who has decided that we were ripe pickings for this kind of crap... because I came to WebProWorld through Jayde.. and although I submitted all the sites I did to Jayde, I obviously received the same invitation to join here, but did not because there would be no point in having multiple identities... so, the only web URL that is listed here (every time I make a post) is for my own site....and that happens to be the only site on which I could find any of the pseudo blogs referrals...

rlrouse
11-19-2003, 07:36 PM
...when I went there, I noticed she had a link to my control panel.. so I clicked on it... lo and behold, I went right to my control panel... no password was asked for.

You're fine. Of course you went right to your control panel without logging in. You were already logged in!

When you clicked on the link in your stats to go to the blog page, that didn't log you out. So when you clicked on the link back to your control panel, you were already logged in. Just because you surf to another site doesn't mean you're automatically logged out of your control panel.

info202
11-19-2003, 07:47 PM
I realized that only a short while after I made that post... ~smack me right on the head for not thinking~

however, it was too late to take back the post... ~smack me again...~~~

rlrouse
11-19-2003, 08:22 PM
No need to smack yourself Mary Ann. It's easy to miss the obvious when something like that happens and you aren't expecting it. And changing your password often is a good idea anyway.

kidino
11-19-2003, 11:01 PM
i have my site there too ... so here are a few things that i realize about that site

1 - none of the archive links work
2 - the links that they display are URL of recent referrers
3 - they have an invisible link to a porn site
4 - i found them in my stats as a referrer but i cannot find a link to my site in their site
5 - the search is handled by a script at mhudack.com, which doesn't work too

so ... at first i was fine, but now i am starting to feel suspicious. could it be that he is trying to pull traffic to somehow increase his alexa ranking or google pr so that the porn site is getting a link from a high reputation site ... ??? or is there any other objective?

and another question ... how did his site turn out to be a referrer in my stats when he doesn't have a link to my site. could it be a crawler ... ??

another question ... now, who's mike mhudack? is he the same person? is he the one behind all these ... ??

novasoft
11-20-2003, 01:26 AM
Pardon my ignorance, but would someone please explain to me why these sites are linking to you.
How does it improve their pagerank or serps?

Adding a set of outbound links to unrelated sites will dilute the page rank at most.

What am i missing here?

Thanks

realgnome
11-20-2003, 07:08 AM
Being the emotional webmistress that I am, I have to say I'm pretty overwhelmed to find these bloggers in my logs - I had noticed them and tried to backtrack the link but strangely couldn't find it - really odd - will password protecting our stats save the day or just prevent them from benefiting from the fraud?

rlrouse
11-20-2003, 07:44 AM
...will password protecting our stats save the day or just prevent them from benefiting from the fraud?

Both. Unless you have a compelling reason for having your stats available to the public (as an advertising sales aid for instance) IMO it's best to put them behind a password.

This prevents your potential customers and competitors from seeing your traffic level, and it prevents crawling by robots.

realgnome
11-20-2003, 07:59 AM
What do all the sites that have been targeted by the fake blogger sites have in common? Have we entered free links programs? Is there one engine they are gleaning their knowledge from? It seems really odd to me that they would target my site with the lowest traffic and one that I haven't optimised as I haven't needed to - my stats aren't spidered and I couldn't find my url in the 'view source' despite recording their visits in the stats - A big thank you for explaining their presence to me -

freelancemom
11-20-2003, 10:30 AM
Hi JMac and everyone -

Gosh, I was WONDERING about this. I have almost every one of those blogs linking into me from time to time.

I'm just not tech savvy enough to understand this end of things. How exactly does it help them? Is it because we all go and click the links in our stats?

Is there reason to worry regarding the safety of our traffic? I was checking stats for one of my sites recently and was horrified to find a child porn site linking into me. There was no link to my site on theirs that I could find and I was just totally confused, researched their ip and betterwhois info and reported them to authorities.

But I never UNDERSTOOD how they got into MY stats...

Yuck.

Lori

mikmik
11-20-2003, 11:46 AM
I am also getting a LOT of strange bot hits too. in research of this and their validity I found http://www.robotstxt.org/wc/active/html/index.html , which is a registry of valid bots and attributes...
Thanks, V (may I call you that, not very original I suppose, how about VF?)

I've been getting all kinds of 'obscure' crawls myself. Lots from University's labs, a lot of 'hobbyists', etc., but at least they are registered.

And, rlrouse,


Both. Unless you have a compelling reason for having your stats available to the public (as an advertising sales aid for instance) IMO it's best to put them behind a password.

Done!

vfaulkner
11-20-2003, 12:20 PM
mikmik said:
"...Thanks, V (may I call you that, not very original I suppose, how about VF?)..."

V is short for Vicki but whatever makes you feel comfortable...:-g

DGallagh
11-20-2003, 06:02 PM
Hi, I have seen several ask this question but no one has answered it that I can see.

Why do I care if a blog links to my site and how does it help them?

I would really like to understand that and why would looking at my stats help someone else?

Color me really confused.

Daphne
www.ucihealth.com

JMac
11-20-2003, 07:08 PM
Hi daphne-
While I am, for the most part, still confused about how this helps them achieve higher rankings, the theory put forward by rlrouse as well as the one at idly.org (see above or previous page for link) seems to be thus:
If Google is indexing your stats page (because many sites make their stats pages public as a means of proving how popular they *really* are) and it finds a link to the "blog" site - that will boost their numbers of inbound links. As rlrouse mentioned, if they are doing this to thousands of sites, and only a small percentage of them makes their stats page viewable - that will still result in hundreds of links back to their site.
The hidden links on their page lead to their "adult" section but that is still a portion of their site so its rankings will also be positively affected.
The links to your site won't negatively affect you (I hope) since they are not from a link farm page.
My problem is not that the links are from a blog but rather that they are from what LOOKS like a blog but is actually a porn site. I manage several family related sites that would be very upset to think that Google or anyone else out there might think the sites are related in any way.

You know, there have probably been replies to your question since I started this post - working from home is a true pleasure but not everything progresses at the same pace with little ones running around!

Have a great day!

JMac

DGallagh
11-20-2003, 07:21 PM
Thanks JMac! That does help some.

Daphne
www.ucihealth.com

Ender
11-21-2003, 01:56 AM
I sent an e-mail to multiple University of Bucharest administrators (including the rector) on the 19th. They responded by not responding, though the sites have now been replaced by default apache pages....that still have the adult webcam link. The e-mail follows, feel free to use the e-mail address below to contact me.
---------------------------------------------------

This e-mail is in reference to the following internet domains, which seem to be hosted on University of Bucharest computers, or using University IP addresses.

http://www.akksess.com 141.85.3.114

http://www.kwlablog.com 141.85.3.109

http://www.malixya.com 141.85.3.104

http://www.wr18.com 141.85.3.110

http://www.bongohome.com 141.85.3.112

http://www.jennifersblog.com 141.85.3.106

http://www.saulem.com 141.85.3.105

http://www.worldnewslog.com 141.85.3.113



Hello:

I am the webmaster for a small farming business here in America located on the Net at http://www.ruffseedfarm.com.

Lately, I have noticed a mysterious surge in referred URLs from the set of domains listed above. I became curious, because most visitors to this particular site are referred by the company’s print literature. I tried e-mailing the administrator addresses listed in WHOIS, but got no response. I noticed, however, that all of these sites were registered to people in the US, with telephone numbers listed that did not match the geographic areas they were supposedly in.

So, I dug a little deeper. I quickly noticed that all of these sites’ DNS address IP numbers were administered by the Politehnica University of Bucharest. I tried simulating a HTTP 404/201 response to get more information on the servers.

I got the administrator’s e-mail address: ddalex@cyclop.net. I tried visiting cyclop.net, and was re-directed to http://www.horia.com. I sent ddalex@cyclop.net a few e-mails trying to figure out why these sites, which seem to have ‘bogus’ content, were linking to my client’s site. I received no responses, but noticed that www.ruffseedfarm.com was dropped from the links/referrers section of these sites within five minutes of my e-mail.

All except for malixya.com. I ran a link extractor, available at http://www.webmaster-toolkit.com/link-extractor.shtml, and got the following response: http://www.malixya.com/adult-webcam/

I ran the same check on all of the above sites and got similar responses. There is a small, blank graphic at the bottom of each of these pages with a link to the ‘adult webcam’ site.

So after all this investigation, it seems that someone, probably the proprietor of horia.com, is using your university’s servers or IP addresses for pornographic material, setting up false sites with legitimate links to improve their pornography site’s standing in the search engines.

I tried e-mailing the ddalex@cyclop.net address one final time; to date I have received no response.

If indeed it is the proprietor of horia.com who is doing this, it would seem that he has a wife and child to support, meaning he needs his university degree or job. I would politely ask that this be treated with what we here in the States call a ‘slap on the wrist’, meaning that it would be inappropriate to ruin this person’s life over something so petty.

I took the liberty of adding the mysterious ddalex@cyclop.net to the recipients of this e-mail, in the hopes that he will correct his actions before he is caught by University authorities.

Again, I have no wish to ruin anyone’s life over this, but do not want my client’s site to be associated with pornography.

Thank you for your time; I hope this matter can be resolved in an even-handed manner.
------------------------

Brandon Dawson

brandon@greenapple.com

ruffsweb@ruffseedfarm.com
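The check described in the e-mail above (a link whose only content is a small, blank graphic, with no visible text) can be automated instead of reading the page source by hand. This is an added example, not part of Brandon's post; the sample page, the example.test hosts and the 2-pixel threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

def _px(value):
    """Leading integer of a width/height attribute ("1", "1px"), else None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class HiddenLinkFinder(HTMLParser):
    """Flag <a> elements that hold only an image and no visible text."""
    def __init__(self, max_px=2):        # max_px: assumed "invisible" size
        super().__init__()
        self.max_px, self.link, self.findings = max_px, None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.link = {"href": attrs["href"], "text": "", "imgs": []}
        elif tag == "img" and self.link is not None:
            self.link["imgs"].append(attrs)
    def handle_data(self, data):
        if self.link is not None:
            self.link["text"] += data.strip()
    def handle_endtag(self, tag):
        if tag != "a" or self.link is None:
            return
        link, self.link = self.link, None
        if link["text"] or not link["imgs"]:
            return                        # visible text, or no image at all
        reasons = []
        sizes = [_px(i.get(k)) for i in link["imgs"] for k in ("width", "height")]
        if any(s is not None and s <= self.max_px for s in sizes):
            reasons.append("tiny image")
        if not any(i.get("alt") for i in link["imgs"]):
            reasons.append("no alt text")
        if reasons:
            self.findings.append({"href": link["href"], "reasons": reasons})

def find_hidden_links(html, max_px=2):
    finder = HiddenLinkFinder(max_px)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; hosts and file names are placeholders.
SAMPLE = """<html><body>
<a href="http://partner.example.test/"><img src="/logo.gif" alt="Partner" width="120" height="60"></a>
<p>Recent referrers: <a href="http://client.example.test/stats/">client.example.test</a></p>
<a href="http://blog.example.test/adult-webcam/"><img src="/adult-webcam.gif" width="1" height="1"></a>
</body></html>"""
```

A labelled, normally sized logo link and ordinary text links pass; only the image-only anchor with a 1x1 graphic and no alt text is reported.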

JMac
11-21-2003, 11:05 AM
Brandon-

That is a great email you've got there!
I sent one to the roedu.net people after reading a post either here or in the other thread on this topic telling me to direct my emails to "George" there. I have not yet heard from them either.

The other thread can be found at:
http://www.webproworld.com/viewtopic.php?t=8636&postdays=0&postorder=asc&start=25

And the WPW member (who just signed up) said that:
"JMac, if you want to do something about this bloggers, talk with george at roedu dot net. he can help you. send him all the info about the ip's you found and describe him your problem. the guys from uni will have some problems. (george is the main administrator from roedu.net). if he won't help you i suggest to try ijurca at utt dot ro. he is one of the founders of roedu.net. he will help you for sure."

I guess that's the next stop...

The only thing in your email I should point out is that everyone's link disappears within 5 - 10 minutes because it's a sneaky rotating list of "recent referrers". Your link disappearing probably had nothing to do with the email you sent but rather it just moved that quickly through the rotation.

Yesterday, I started visiting these sites ONLY through using the services of www.anonymizer.com so that my IP would not be available to anyone viewing their stats to find out who is "looking for them".

Thanks again for showing us that great email, Brandon - do let us know if you hear from anyone ... anywhere. :-) I'd like to think the Apache server page was a good sign. But the hidden link still present is just another underhanded trick. Obviously, these people need more than a slap on the wrist to make them stop now. How profitable can these sites be that they are willing to risk so much?
Oh, and of course, we haven't heard back yet but we did report all the sites listed to Google for hidden links and cloaked pages and spam and so on...

(Again, I'm not sure if the link to report them is in this thread or the other one here at WPW so do check through the other thread.)

JMac

Ender
11-23-2003, 04:08 AM
JMac wrote:

> Brandon-
>
> That is a great email you've got there!
> I sent one to the roedu.net people after reading a post either here or in the other thread on this topic telling me to direct my emails to "George" there. I have not yet heard from them either.

At this point, I believe that 'George' must have a certain degree of complicity. He hasn't responded to anyone's e-mails, and the only notable response we've received came after I e-mailed the senior leadership of the uni.

There's a chance that all this might somehow be related to legitimate research the university is doing: Check this link out.

http://rilw.emp.paed.uni-muenchen.de/2001/papers/marhan.html



To quote Judith from the other thread, "Kiumars had excellent advice, anyway.....don't try to chase these people all over cyber space."

Why chase 'em? 'Cuz it's fun. 'Cuz they messed with the wrong peepz. 'Cuz we got us a posse here, and it's time to saddle up, lock n' load. :)

But seriously, other than 'keeping up the skeer' to make sure this doesn't recur, I don't want to punish someone who merely made a poor, poor choice of breadwinning strategies for his family.


later
B

pete61uk
11-25-2003, 02:07 PM
Hi JMac & Brandon, everyone,

Both: Excellent e-mails.

Fortunately, my stats are already password protected, so I hope their linking to me is a complete waste of time?

I had a look at that academic white paper. Looks innocuous enough though not of a standard I’d have expected for an accredited University.

One thing I do have to take issue with is:

Brandon wrote:

“Again, I have no wish to ruin anyone’s life over this, but do not want my client’s site to be associated with pornography”.

While your compassion does you credit I really don’t think the perpetrators of this scheme have lost any sleep, unless it has taken that long to count the lukka they are earning themselves.

In addition, as they are using illegal methods of promotion this could indicate that their pornographic enterprise is similarly illegal and/or immoral with all the potential for human depravity that could imply.

Something else worth considering is that these seemingly innocent blogs, apart from the links, are also using educational or news articles copied directly from highly respected organisations, the BBC News website for example.

The avenues you have both taken are brilliant, you should both be congratulated, as should anyone else who has done likewise. I thought I’d take a slightly different tack and sent the e-mail (below) to the BBC Breakfast Show so they could (if suitably outraged) complete their own investigation:

Good Morning,

For a week or so now I've been getting strange Web-Log (BLOG) sites listed in my webstats referrer listings. Seemingly innocent, it was not until I found a forum thread about them being used as a ploy to improve the search engine standings of pornographic sites that I became concerned.

This is intensely annoying and, as the BLOG (url below) I've just found claims to be an educational site, and lists a link to a BBC page, I thought you might be interested.

Go to url http://www.akksess.com/ and view the source code. What you are looking for is "http://www.akksess.com/adult-webcam/"><img src="/adult-webcam.gif" (about a third of the way down).

Some investigation of these sites has already been completed with the 'supposed' site owners' personal details and contact information false. That is illegal and should lead to the site being removed from its ISP server if reported. This is a growing problem, one that should concern anyone interested in the development of web technology.

If you require further information please do not hesitate to reply.

Regards,

Martin Purnell
Student, University of Wales College, Newport

I have received a read receipt for the e-mail and will post any worthwhile reply when I get one. I hope this meets with your collective approval?

JMac
11-25-2003, 06:16 PM
Hi pete61uk (Martin),

It certainly meets with my approval, though you didn't need to ask. Someone asked me recently "well, if they have Apache pages up, even if they are false fronts, too, why is it any of your business anymore?" The fact is, I agree with you on the point concerning if this is what they're willing to do to improve their promotion, what else are they willing to do? How far are they willing to go? Sure, they aren't 'hurting' anyone, anymore.... but what do we really know about their activities? I can't decide.

{sitting on the fence}

I so favour freedom of speech and expression. That's what it's all about. (Besides your left hand in, and your left hand out...) I would consider it offensive if someone tried to interfere with what people choose to do in the privacy of their own homes. Then again, even that has boundaries.

I hope you hear back from the BBC with the news that somehow, with their clout, they've set up a 'team of specialists' to look into this. Somehow, I doubt it. In the meantime, I'm happy that they no longer link to my (and my fellow WPW members') sites.

Good luck!

JMac

carju1
11-26-2003, 05:40 AM
> Regards, Martin Purnell
> Student, University of Wales College, Newport

Hi Martin,

Are you at the Allt-yr-yn campus? I was there 10 years ago as a mature student. Is Angharad Jones still lecturing there?

Regards
Julian

pete61uk
11-26-2003, 11:25 AM
Hi carju1,

Yep, 'sunny' Allt-yr-yn. Was it like a sweetshop when you were here too?

Angharad is still at UWCN. I had her for HCI, VB, and as coordinator for my final year project on the HND. Was she as critical when you were there, and did you have Mary Evans too?

Hi Jmac,

I realise I didn't need your approval, I just thought that as I'm a lowly novice it'd be polite. Besides, if (as I hope) the BeeB do investigate they may well be using the data gathered on this and other forums. Who knows, that could mean they'll contact others on the forum, including you?

carju1
11-26-2003, 02:03 PM
> Yep, 'sunny' Allt-yr-yn. Was it like a sweetshop when you were here too?
>
> Angharad is still at UWCN. I had her for HCI, VB, and as coordinator for my final year project on the HND. Was she as critical when you were there, and did you have Mary Evans too?

Pete - It wasn't too bad when I was there, hard work, horrid grey cold buildings, but a nice friendly facility - It probably helped that I was a mature student and both my wife and myself were doing the same course.

Yes Angharad was always critical - but one of the best lecturers there. Please next time you see her tell her Julian & Caryl Tandy send their regards (We used to exchange x-mas cards with her but lost touch when we moved to the Netherlands).

We had a Mary for some fairly obscure subject or other (Comms?) and Mary Evans rings a bell - what subject does she teach?

Julian

pete61uk
11-27-2003, 04:32 AM
carju1 wrote:

"Yes Angharad was always critical - but one of the best lecturers there. Please next time you see her tell her Julian & Caryl Tandy send their regards"

I've just sent an e-mail doing as you requested.

Mary Evans, among other subjects, is the senior lecturer in Communication Skills.

Although I have a great deal of respect for all the lecturers here I don't think I'd have survived the HND without their feedback, both positive and negative.

carju1
11-27-2003, 11:25 AM
> I've just sent an e-mail doing as you requested.
>
> Mary Evans, among other subjects, is the senior lecturer in Communication Skills.

Thanks Pete,

Angharad has just e-mailed me. Yes must be the same Mary. A very nice lady who (as communications wasn't REAL IT 10 years ago) must have thought the IT students a bunch of neo-barbs. Yet I suppose as I now have even written an article for WPN-UK at least some of Mary's teaching must have stuck.

Julian

pete61uk
12-05-2003, 05:13 AM
Julian wrote:

"at least some of Mary's teaching must have stuck"

I spoke to Mary just the other day, it must have been after you had corresponded with Angharad (?), all I can say is that your positive comments have made at least two lecturers very happy.

On topic:

No reply from the BeeB. However, it has been at least a week since I last had a blog in my referrers list.

Instead, a new twist, I had one referral going back to an MSN Passport logon page and, more interestingly, Program Shareware 1.0.3 in my browser report, which would appear to be a spider looking for guestbooks and email links.

Apparently, anyone leaving an email address in your guestbook can expect to be bombarded with spam ads for (amongst other things) weight-loss drugs.

Could be useful after Christmas? LOL.

Anyone else had similar?

mikmik
12-08-2003, 08:36 AM
pete61uk reported:

> Good Morning,
>
> For a week or so now I've been getting strange Web-Log (BLOG) sites listed in my webstats referrer listings. Seemingly innocent, it was not until I found a forum thread about them being used as a ploy to improve the search engine standings of pornographic sites that I became concerned.
>
> This is intensely annoying and, as the BLOG (url below) I've just found claims to be an educational site, and lists a link to a BBC page, I thought you might be interested.
>
> Go to url http://www.akksess.com/ and view the source code. What you are looking for is "http://www.akksess.com/adult-webcam/"><img src="/adult-webcam.gif" (about a third of the way down).
>
> Some investigation of these sites has already been completed with the 'supposed' site owners' personal details and contact information false. That is illegal and should lead to the site being removed from its ISP server if reported. This is a growing problem, one that should concern anyone interested in the development of web technology.

For you especially as well, JMac. I just read somewhere, damned if I can find it, but those 'links' to website logs are redirects for spamming!
Seems that is how the creepoids 'hide' their tracks, by using your site logs.

Well I took a quick look but I will have to do some 'dumpster diving' and search my recycle bin, but I found this article on tracking down spammers: http://www.pcmag.com/article2/0,4149,1309277,00.asp

pete61uk
12-08-2003, 11:51 AM
mikmik. An interesting article.

I'm not sure which thread it's on but I downloaded Mailwasher earlier, when I have time to set it up properly I'll put it on.

Whereas the software in the article you mention is designed to ascertain the status of e-mail accounts (whether created by people or bots), Mailwasher can be setup to simply 'bounce' spam back at the sender.

Presumably, since this could 'potentially' put a serious load on the webmail servers (such as Yahoo) that spammers use, this is why some are investing in the technique? The only problem, as mentioned in the article itself, is for the blind or partially-sighted who are wanting to open legitimate accounts.

vfaulkner
12-14-2003, 07:40 PM
along the same lines as now for something...

when analyzing my site stats, i came across several 'email' referrers that were nonsense addresses. then i found many 404s trying to access formmail, cgi, and the like, none of which are on my site.
does this mean that someone was trying to send spam etc by hacking my site email system?

grrr...

paulhiles
12-14-2003, 09:09 PM
Hi Vicki,

Hope you don't mind... but I merged your post into the original thread topic "and now for something completely different". By the way, I see plenty of attempts of visitors apparently trying to access formmail scripts and the like on my own site.. I wouldn't worry unduly.. it's most likely to be 'potential' script-kiddies simply amusing themselves... however, if there's a major disruption in your email or other web services... maybe then you should start to worry! ;-)

Paul
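For anyone following the thread's advice to watch their logs, here is one way to pull both signals discussed above out of an Apache combined-format access log: 404 requests for formmail-style scripts, and referring hosts that are not your own site. This is an added example, not code from any poster; the log lines, IP addresses and host names are constructed, and the script-name pattern is an assumption about what "formmail, cgi, and the like" looks like in a log.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
# Assumed pattern for FormMail-style script names (formmail.pl, FormMail.cgi).
PROBE_RE = re.compile(r'form-?mail[^/]*\.(pl|cgi)\b', re.I)

def parse(lines):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def formmail_probes(lines):
    """Count 404 requests for formmail-style scripts, per client IP."""
    hits = Counter()
    for r in parse(lines):
        if r["status"] == "404" and PROBE_RE.search(r["path"]):
            hits[r["ip"]] += 1
    return hits

def external_referrers(lines, own_host):
    """Count referring hosts other than own_host and its subdomains."""
    hosts = Counter()
    for r in parse(lines):
        host = (urlsplit(r["referer"]).hostname or "").lower()
        if host and host != own_host and not host.endswith("." + own_host):
            hosts[host] += 1
    return hosts

# Constructed sample log (documentation IP ranges, placeholder hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Dec/2003:19:01:02 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 287 "-" "-"',
    '192.0.2.10 - - [14/Dec/2003:19:01:03 +0000] "POST /cgi-bin/FormMail.cgi HTTP/1.0" 404 289 "-" "-"',
    '198.51.100.7 - - [14/Dec/2003:19:05:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://blog.example.test/" "Mozilla/4.0"',
    '198.51.100.8 - - [14/Dec/2003:19:06:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://blog.example.test/archive/" "Mozilla/4.0"',
    '203.0.113.5 - - [14/Dec/2003:19:07:00 +0000] "GET /contact.html HTTP/1.1" 200 2048 "http://www.example.org/index.html" "Mozilla/4.0"',
]
```

Referrer values that are not URLs (a bare "-" or an e-mail-like string) have no host and are not counted by `external_referrers`.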