Friday, July 28, 2006

SCRAPER BUSTED #6 - Keyword Stuffing Porn Scraper Nailed

NSFW - This scraper is one of those that uses a website blender to scramble content around, so it scrambled its own IP address around too, but 3 parts of the IP were more than enough to lock onto this site scraper/spammer with a blank user agent.

The website I found still contained the IP scrambled as 69, 186, 189 and 50, not in any particular order.

However, this gave me a clue:

PING biblogs.info (69.50.161.115)
So it looks like that IP starts with "69.50."

The winning combination logged in my archive was 69.50.189.186 which had a blank user agent.

This mess claims to be hosted at intercage.com which doesn't even have a fucking web page.
69.50.161.115-custblock.intercage.com
Probably the upstream colo nlayer.net running this mess, hard to say.

These sites are NSFW so beware, and disable JavaScript before poking around: there are some eye-opening keyword stuffed pages with links to massively keyword stuffed pages at the root of "biblogs.info" and the others, but a redirect elsewhere if you have JavaScript turned on.
  1. pregnant-sex.biblogs.info/pregnant-nude-photography.htm
  2. pregnant-sex.svemas.com/fine-art-pregnant-nude
  3. pregnant-sex.fervex.net/pregnant-nude-photography
  4. mature.vipzoner.info/differant-senior-pictures
Nothing much was learned from WHOIS in this case, as each domain is registered to someone different in various countries; the only thing they seem to have in common is the DNS servers:
Tech Email:sps@meteam.com
Name Server:NS1.2ESTDO.COM
Name Server:NS2.2ESTDO.COM
However, a little DNS digging turned up a pile of identical keyword stuffed shit sites on their servers.
The info and range for Intercage, if they still exist, that hosts this garbage is:
OrgName: InterCage, Inc.
OrgID: INTER-359
Address: 1955 Monument Blvd.
Address: #236
City: Concord
StateProv: CA
PostalCode: 94520
Country: US

NetRange: 69.50.160.0 - 69.50.191.255
Did a quick check and there are at least 3 scrapers coming from that range:
69.50.176.34 ""
69.50.189.186 ""
69.50.190.242 "Snoopy v1.2"
Where there's smoke, there's fire, block block block.
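The unscrambling step described above, as an added example that is not part of the original post: it tries every ordering of the four scrambled octets, keeps the ones inside the Intercage NetRange, and matches them against logged hits. The function names are hypothetical, the last two rows of the sample log are constructed, and filtering by the NetRange instead of the "69.50." ping clue is this example's choice.

```python
import ipaddress
from itertools import permutations

# Values quoted in the post
SCRAMBLED_OCTETS = (69, 186, 189, 50)
NET_FIRST, NET_LAST = "69.50.160.0", "69.50.191.255"

# (ip, user_agent) pairs standing in for a log archive. The first three rows
# are the hits listed in the post; the last two are constructed for contrast.
SAMPLE_LOG = [
    ("69.50.176.34", ""),
    ("69.50.189.186", ""),
    ("69.50.190.242", "Snoopy v1.2"),
    ("192.0.2.10", "Mozilla/5.0"),   # constructed: unrelated visitor
    ("69.50.200.1", ""),             # constructed: blank UA, just outside the range
]

def range_to_cidrs(first, last):
    """Turn a WHOIS NetRange into the CIDR blocks a firewall or deny rule wants."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def candidate_ips(octets, networks):
    """Every ordering of the scrambled octets that lands inside the networks."""
    found = set()
    for perm in permutations(octets):
        ip = ipaddress.ip_address(".".join(str(o) for o in perm))
        if any(ip in net for net in networks):
            found.add(ip)
    return sorted(found)

def unscramble(octets, log, networks):
    """Candidates that actually appear in the log archive."""
    seen = {ipaddress.ip_address(ip) for ip, _ in log}
    return [str(ip) for ip in candidate_ips(octets, networks) if ip in seen]

def hits_in_range(log, networks):
    """All logged requests from the hosting range, whatever the user agent."""
    return [(ip, ua) for ip, ua in log
            if any(ipaddress.ip_address(ip) in net for net in networks)]

if __name__ == "__main__":
    nets = range_to_cidrs(NET_FIRST, NET_LAST)
    print("block:", [str(n) for n in nets])
    print("candidates:", [str(i) for i in candidate_ips(SCRAMBLED_OCTETS, nets)])
    print("logged match:", unscramble(SCRAMBLED_OCTETS, SAMPLE_LOG, nets))
    for ip, ua in hits_in_range(SAMPLE_LOG, nets):
        print("hit:", ip, repr(ua))
```

Two orderings of the octets fall inside the range, so the log archive is what settles which one was the scraper.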

2 comments:

bull said...

Hey Bill, do you also have a database full of log entries from the last years, like me? ;)

IncrediBILL said...

Not all log entries, only those detected doing bad things.