
NFL Jersey Web Link-SPAM via Romania for China?

By Dale Reagan | February 1, 2011

The Internet is great at creating anonymous opportunities to connect – you don’t really know ‘who you are talking to’ unless you dig for information.

Using GeoIP data (geographical pin-pointing based on IP address) as a basis for network filtering has some ‘holes’: network activity can present false (or at least misleading/non-current) origin information, and an IP block can be re-assigned to a new geographic location. GeoIP data sets are built largely from registry allocations, so a block that a US provider sub-leases to a foreign customer will usually still be reported as US. In this example mod_geoip is not sufficient, since the GeoIP data is misleading (the traffic actually comes from a country other than the one the current GeoIP data set reports). By combining mod_security, mod_geoip, network firewalls and other filters you can reduce some of the unwanted network activity your servers will see, but it will take some effort/time.

Before going too far in this discussion, a disclaimer: the hosting providers and/or ISPs mentioned in this post are (hopefully) not responsible for this SPAM-type activity, but such traffic does appear to be passing through their IP space. It is also always possible that the traffic is being relayed or spoofed in some manner and the real ‘bad guy’ is unknown (a completed HTTP request needs a full TCP handshake, so plain source-address spoofing is unlikely; proxies or compromised hosts are the more likely disguise)…

In this case we have a popular, seasonal US sport whose products are being sold on-line, most likely produced in (and with most of the product $ most likely going to) a foreign country. Should you have any concerns about on-line transactions with unknown (but seemingly legitimate) web sites? Unless the web sites provide this information, how do you know whether you are transacting e-commerce with a business in a foreign country?

A Web Link-SPAM definition: accessing a third-party web site solely to create a ‘false link relationship’ (typically by sending a forged Referer header, as in the log sample further down) in an effort to boost traffic to, or the search ranking of, a particular domain. In prior years search engines would index web server log files and referrer statistics pages that were public; these bogus entries would suggest that the promoted site was worthy of links, i.e. improve its search ranking. A similar, related type of Web SPAM is ‘blog spam’, usually created by a bot of some sort that adds anonymous comments containing links to external sites (another form of Link-SPAM).

Side Note: the Feb 2011 (Wired 19-02) edition of Wired just happens to contain several articles on cybercrime (crimes using global network technology), and one of them discusses a small town in Romania that seems to be a cyber-crime hub. At this point I don’t see a direct connection to the Romanian IP space mentioned in this post… (“Why does a remote town in Romania have so many Cybercriminals?”, by Yudhijit Bhattacharjee.)

The domains in question appear to be hosted by Bluehost.com. Are these domains violating the Bluehost TOS? Not unless they are behind the network activity; there is no direct ‘proof’ that these domains are the source of the problem (the Referer field is supplied by the client and can name any site, including one the spammer wants to harm)…

[snip] notices anything suspicious from the Bluehost.com network, Subscriber agrees to report the violation or suspicious activity to tos@bluehost.com for investigation. Bluehost.com reserves the right to and will immediately terminate any account which Bluehost.com concludes to be in violation of any of these Terms.

——–

Domain name: packer jersey shop .com

Registrant Contact:

liaoxianying
xianying liao pekingtrade@live.cn
0594-2639558 fax: 0594-2639558
putianshichengxiangqufengdashanzhuang1haolou
putian fujian 351100
cn  [China]

From the About page for the above domain:

About Us
Welcome to [Yet-Another-Jersey- site  ].com, where you will find so many surprises. Providing you with the best products and the best customer service has always been our goal. Our company was founded several years ago. Currently we are committed to internet marketing businesses. Our vision is to empower people worldwide in buying online. You can find a big selection of jerseys here at
[Yet-Another-Jersey- site  ], no tax sale; we stock all types of jerseys at the most favorable prices. Low prices and big selection makes [Yet-Another-Jersey- site  ].com the right spot to get all of your NFL, NBA and MLB gear. And these Jersey is a great way to show off your favorite player and feel like a part of the team!
We promise to:
1. Offer our best service to customers.
2. Provide the best prices.
3. Help you discover the newest product online.
4. Provide 24 hour customer support on weekdays.
5. If you need to wholesale, we help you find wholesaler
We strive to provide the best quality service available anytime. Our customer service team wants to assure you have a pleasure shopping online.

The above page also presents links to US shippers, the BBB, and McAfee Secure (tested today!). There is no indication of where the company is actually located. Note that such trust badges are just images anyone can copy; the only check that means anything is whether the badge links to a verification page on the issuer’s own domain for this site. A quick look at pricing shows shirts starting at $99 with free shipping.

————-

Domain name: steeler super bowl jerseys .com

Registrant Contact:

liaoxianying
xianying liao techie8@163 .com
0594-2639559 fax: 0594-2639559
xiamenshiruanjianyuan2qiwanghailu
xiamen fujian 361008
cn [China]

The About page is the same for the above domain.  The [Yet-Another-Jersey- site  ].com info:

Registered through: Go Daddy .com, Inc. (http://www.go daddy .com)
Domain Name: FAN RAIDERS JERSEYS .COM
Created on: 17-Sep-10
Expires on: 17-Sep-11
Last Updated on: 12-Nov-10

If you visit the [Yet-Another-Jersey- site  ].com site you arrive at a domain-for-sale type page; there was no jersey-related information when I visited….

————–

Since 1/20/2011, 700+ web link-SPAM connections have been recorded in the server logs; a sample line (Apache combined log format) is below. Note the 412 (Precondition Failed) response: the request was refused, not served, so all the spammer gets is a log entry carrying the forged Referer, which is the whole point of the exercise.

173.234.158.211 - - [31/Jan/2011:06:48:03 -0500] "GET /page/6/ HTTP/1.0" 412 2092 "http://www.packer jersey shop.com/ajhawk-jersey-c-8.html" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2"
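
To turn log lines like the one above into something a filter can act on, here is an added example (Python, written for this page; it is not code from the original post, and it is not the author’s mod_security setup): it parses Apache combined-format lines, pulls the hostname out of the Referer, and groups hits whose Referer host matches a watch pattern by client IP. The sample log is constructed: the client addresses, paths, 412 status and User-Agent follow the quoted entry, but the jersey domains are replaced with `.example` placeholders because the post deliberately does not spell them out, and the last two lines are ordinary visitors that must not be flagged.

```python
"""Referer-spam triage for Apache combined-format access logs.

Added example for this post, not code from the original article. The sample
lines below are constructed: client IPs, paths, status code and User-Agent
follow the entry quoted above, but the jersey domains are stand-ins
(*.example), because the post deliberately does not spell them out.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 "
      "(KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2")

# Constructed sample log (not real traffic). The last two lines are ordinary
# visitors and must not be flagged.
SAMPLE_LOG = "\n".join([
    f'173.234.158.211 - - [31/Jan/2011:06:48:03 -0500] "GET /page/6/ HTTP/1.0" 412 2092 '
    f'"http://www.jersey-site-a.example/ajhawk-jersey-c-8.html" "{UA}"',
    f'173.234.19.93 - - [31/Jan/2011:06:49:10 -0500] "GET / HTTP/1.0" 412 2092 '
    f'"http://www.jersey-site-a.example/" "{UA}"',
    f'64.120.30.211 - - [31/Jan/2011:06:50:31 -0500] "GET /page/3/ HTTP/1.0" 412 2092 '
    f'"http://www.jersey-site-b.example/hines-ward-jersey-c-19.html" "{UA}"',
    f'173.234.158.211 - - [31/Jan/2011:06:51:02 -0500] "GET /page/7/ HTTP/1.0" 412 2092 '
    f'"http://www.jersey-site-b.example/kevin-greene-jersey-c-20.html" "{UA}"',
    '198.51.100.7 - - [31/Jan/2011:07:02:44 -0500] "GET /about/ HTTP/1.1" 200 8120 '
    '"http://www.google.com/search?q=mod_security+geoip" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"',
    '203.0.113.5 - - [31/Jan/2011:07:03:01 -0500] "GET /feed/ HTTP/1.1" 200 15200 "-" "Feedfetcher-Google"',
])


def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname of the Referer URL, lower-cased; '' for '-' or unparsable values."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def triage(log_text, host_pattern):
    """Group hits whose Referer host matches host_pattern (a regex) by client IP.

    Returns {ip: Counter({referer_host: hits})} for matching lines only. Lines
    that do not parse are skipped: for something that feeds a firewall, silently
    ignoring garbage is safer than guessing at it. A pattern (here a keyword) is
    the quick approach; an allow-list of known-good referer hosts is the strict one.
    """
    want = re.compile(host_pattern, re.IGNORECASE)
    by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        host = referer_host(rec["referer"])
        if host and want.search(host):
            by_ip[rec["ip"]][host] += 1
    return dict(by_ip)


def block_candidates(by_ip, min_hits=1):
    """Client IPs with at least min_hits matching requests, most active first."""
    ranked = sorted(by_ip.items(), key=lambda kv: -sum(kv[1].values()))
    return [ip for ip, hosts in ranked if sum(hosts.values()) >= min_hits]


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, r"jersey")
    for ip in block_candidates(hits):
        print(ip, dict(hits[ip]))
```

Run it against a real access log with `triage(open(path).read(), r"jersey")`; the per-IP Counter tells you at a glance whether one address is rotating through many Referer URLs, which is the signature of a link-SPAM farm rather than a single misconfigured site.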

A review of GeoIP data shows a clear indication that the traffic originates from similar hosting services/networks. (Note that GeoIP data may not be accurate; in this case the situation ‘looks like’ a US ISP problem.) Columns: IP, then country, region, city, postal code, latitude, longitude, metro (DMA) code and telephone area code as reported by the GeoIP City data set.

  1. 173.234.121.247  |  US, CA, Los Angeles, 90015, 34.039600, -118.266098, 803, 213
  2. 173.234.122.228  |  US, CA, Los Angeles, 90015, 34.039600, -118.266098, 803, 213
  3. 173.234.123.227  |  US, CA, Los Angeles, 90015, 34.039600, -118.266098, 803, 213
  4. 173.234.38.156   |  US, CA, Los Angeles, 90015, 34.039600, -118.266098, 803, 213
  5. 173.234.46.81    |  US, CA, Los Angeles, 90015, 34.039600, -118.266098, 803, 213
  6. 64.120.30.211    |  US, CA, Los Angeles, 90015, 34.039600, -118.266098, 803, 213
  7. 173.234.143.198  |  US, GA, Atlanta, 30303, 33.751598, -84.391502, 524, 404
  8. 173.234.229.23   |  US, NJ, Newark, 07101, 40.734001, -74.186798, 501, 973
  9. 173.234.152.155  |  US, NY, New York, 10011, 40.742100, -74.001801, 501, 212
  10. 173.234.153.149  |  US, NY, New York, 10011, 40.742100, -74.001801, 501, 212
  11. 173.234.158.211  |  US, NY, New York, 10011, 40.742100, -74.001801, 501, 212
  12. 173.234.159.194  |  US, NY, New York, 10011, 40.742100, -74.001801, 501, 212
  13. 173.208.125.108  |  US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
  14. 173.208.125.249  |  US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
  15. 173.208.22.218   |  US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
  16. 173.208.70.118   |  US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
  17. 173.234.18.162   |  US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
  18. 173.234.19.93    |  US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214
  19. 173.234.228.24   |  US, TX, Dallas, 75207, 32.782501, -96.820702, 623, 214

—–

So, who is responsible for this IP space?

Based on WHOIS data for the address block: Hambilios LCC, NOBIS-CUSTBLK-173 (Hambilios, a customer of Nobis, a US ISP, is located in Bucharest, Romania). This is the mismatch that defeats mod_geoip: the block is registered to a US provider, so GeoIP says US, while the customer actually using it is elsewhere.

“Nobis Technology Group, LLC (also referred to as ‘the Company’, ‘Ubiquity’, and ‘Ubiquity Server Solutions’ in the proceeding text) agrees to furnish services to the Subscriber, subject to the following TOS (Terms of Service).  Use of Nobis Technology Group, LLC Service constitutes acceptance and agreement to Nobis Technology Group, LLC’s AUP as well as Nobis Technology Group, LLC’s TOS policy (Terms of Service).” [A review of the Nobis TOS does not specifically label web-link-SPAM as a violation of TOS…]

For the unique IP addresses in question, the DNS info is:

How to Block this type of activity

While there appears to be a mix of IP space (US and non-US), the noted behaviour suggests a possible bot-net (or simply a web link-SPAM farm). Some possible approaches to blocking:

  1. using mod_geoip: block by country (won’t work in this case, since the ‘wrong’ country is reported)
  2. using mod_security: block via IP address or other pattern matching (the Referer header, the domain, arguments, etc.)
  3. using firewall rules: block at the network level

A closer look shows that the activity is limited to a sub-set of IP addresses, all associated with ‘Hambilios LCC’ (Romania) and using network resources of ‘Nobis Technology Group, LLC’ (aka Ubiquity Server Solutions, USA). Calculated CIDR & netmask info is provided below in case you want to implement network-level restrictions (of course, you should confirm the information against current WHOIS data prior to using it; a /16 is 65,536 addresses and a /17 is 32,768, so check that the whole block really belongs to the same customer before dropping all of it).

# Start IP      |  End IP          |  CIDR          |  Netmask
#---------------|------------------|----------------|---------
 173.208.0.0    | 173.208.127.255  | 173.208.0.0/17 | 173.208.0.0/255.255.128.0
 173.234.0.0    | 173.234.255.255  | 173.234.0.0/16 | 173.234.0.0/255.255.0.0
 64.120.0.0     | 64.120.127.255   | 64.120.0.0/17  | 64.120.0.0/255.255.128.0
 #####################################

Sample BSD ipf rules (add to appropriate locations in your ‘rules file’)

# BSD: block in log quick from  173.208.0.0/17 to any
# BSD: block in log quick from  173.234.0.0/16 to any
# BSD: block in log quick from  64.120.0.0/17 to any

################################

Sample Linux iptables rules (this is NOT a complete solution, just one possible approach; more on iptables… In the example, a new chain (Restrict_all) would need to be created and then referenced from the INPUT chain, otherwise the rules below are never evaluated.)

# Linux:  iptables -A Restrict_all -i eth+ -s 173.208.0.0/17 -j LOG --log-prefix Restrict_ALL
# Linux:  iptables -A Restrict_all -i eth+ -s 173.208.0.0/17 -j DROP
# Linux:  iptables -A Restrict_all -i eth+ -s 173.234.0.0/16 -j LOG --log-prefix Restrict_ALL
# Linux:  iptables -A Restrict_all -i eth+ -s 173.234.0.0/16 -j DROP
# Linux:  iptables -A Restrict_all -i eth+ -s 64.120.0.0/17 -j LOG --log-prefix Restrict_ALL
# Linux:  iptables -A Restrict_all -i eth+ -s 64.120.0.0/17 -j DROP
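
The CIDR table above was calculated by hand, and the iptables fragment leaves the chain setup to the reader. As an added example (Python, written for this page, not the post’s own tooling), the script below recomputes the table from its start/end columns, checks the 19 observed addresses against the resulting blocks, reports the tightest single CIDR the observed hosts actually span (so you can see how much of a registry-sized block is collateral), and emits a complete iptables fragment, chain creation and INPUT hook included, plus the equivalent ipf lines. `RANGES` and `OBSERVED` are copied from the tables on this page and, as the post says, should be re-checked against current WHOIS before use; the chain name, interface pattern and log prefix are the post’s, the `-m limit` rate limit on logging is my addition.

```python
"""Block-list sizing and firewall rule generation for the ranges in the post.

Added example, not from the original post. RANGES copies the start/end
columns of the CIDR table above and OBSERVED the 19 client addresses from
the GeoIP listing; both should be re-checked against current WHOIS before use.
"""
import ipaddress

RANGES = [
    ("173.208.0.0", "173.208.127.255"),
    ("173.234.0.0", "173.234.255.255"),
    ("64.120.0.0", "64.120.127.255"),
]

OBSERVED = [
    "173.234.121.247", "173.234.122.228", "173.234.123.227", "173.234.38.156",
    "173.234.46.81", "64.120.30.211", "173.234.143.198", "173.234.229.23",
    "173.234.152.155", "173.234.153.149", "173.234.158.211", "173.234.159.194",
    "173.208.125.108", "173.208.125.249", "173.208.22.218", "173.208.70.118",
    "173.234.18.162", "173.234.19.93", "173.234.228.24",
]


def range_to_cidrs(start, end):
    """Minimal list of CIDR strings exactly covering start..end inclusive."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def netmask_form(cidr):
    """'173.208.0.0/255.255.128.0' style, as in the post's table."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address}/{net.netmask}"


def recompute_table(ranges=RANGES):
    """{start_ip: [(cidr, netmask_form), ...]} recomputed from start/end pairs."""
    return {s: [(c, netmask_form(c)) for c in range_to_cidrs(s, e)] for s, e in ranges}


def coverage(cidrs, ips):
    """({cidr: [observed ips inside it]}, [ips covered by no block])."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    hit, stray = {str(n): [] for n in nets}, []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                hit[str(net)].append(ip)
                break
        else:
            stray.append(ip)
    return hit, stray


def tightest_cover(ips):
    """Smallest single CIDR block containing every address in ips.

    Compared with the registry-sized block this shows how much of the block
    the observed hosts actually span; a narrower block means less collateral
    but also misses addresses the spammer has not used yet.
    """
    nums = [int(ipaddress.ip_address(ip)) for ip in ips]
    lo, hi = min(nums), max(nums)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return f"{ipaddress.ip_address(base)}/{prefix}"


def iptables_rules(cidrs, chain="Restrict_all", iface="eth+", prefix="Restrict_ALL"):
    """Complete fragment: create the chain, hook it into INPUT, rate-limited LOG, then DROP."""
    rules = [f"iptables -N {chain}", f"iptables -I INPUT 1 -j {chain}"]
    for c in cidrs:
        # -m limit keeps a 700-hit flood from filling the syslog with LOG lines
        rules.append(f"iptables -A {chain} -i {iface} -s {c} -m limit --limit 5/min "
                     f"-j LOG --log-prefix '{prefix} '")
        rules.append(f"iptables -A {chain} -i {iface} -s {c} -j DROP")
    rules.append(f"iptables -A {chain} -j RETURN")  # everything else falls through
    return rules


def ipf_rules(cidrs):
    """Equivalent BSD ipf lines ('quick' stops rule evaluation on match)."""
    return [f"block in log quick from {c} to any" for c in cidrs]


if __name__ == "__main__":
    table = recompute_table()
    blocks = [c for rows in table.values() for c, _ in rows]
    hit, stray = coverage(blocks, OBSERVED)
    for block, ips in hit.items():
        cover = tightest_cover(ips) if ips else "-"
        print(f"{block}: {len(ips)} observed hosts, tightest cover {cover}")
    print("not covered by any block:", stray)
    print("\n".join(iptables_rules(blocks) + ipf_rules(blocks)))
```

Inserting the chain at position 1 of INPUT deliberately puts it ahead of any ESTABLISHED/RELATED accept rule, which is what you want for a source block. On the page’s data the tightest covers come out as 173.208.0.0/17 and 173.234.0.0/16, i.e. the observed hosts already span those two blocks end to end, while 64.120.0.0/17 rests on a single observed address and is justified only by the registry data.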

More edited web link-SPAM log details: early in the AM on 1/31/2011 the log files show the following (forged Referer URL | client IP):

 1. http://www. packer jersey shop .com                                            | 173.234.19.93
 2. http://www. packer jersey shop .com/aaron-kampman-jersey-c-6.html              | 173.208.125.108
 3. http://www. packer jersey shop .com/aaron-kampman-jersey-c-6.html              | 173.208.70.118
 4. http://www. packer jersey shop .com/aaron-kampman-jersey-c-6.html              | 173.234.19.93
 5. http://www. packer jersey shop .com/aaron-kampman-jersey-c-6.html              | 173.234.38.156
 6. http://www. packer jersey shop .com/aaron-rodgers-jersey-c-3.html              | 173.208.125.108
 7. http://www. packer jersey shop .com/aaron-rodgers-jersey-c-3.html              | 173.208.125.249
 8. http://www. packer jersey shop .com/ajhawk-jersey-c-8.html                     | 173.234.158.211
 9. http://www. packer jersey shop .com/al-harris-jersey-c-11.html                 | 173.234.153.149
 10. http://www. packer jersey shop .com/al-harris-jersey-c-11.html                 | 173.234.19.93
 11. http://www. packer jersey shop .com/al-harris-jersey-c-11.html                 | 64.120.30.211
 12. http://www. packer jersey shop .com/bj-raji-jersey-c-1.html                    | 173.234.121.247
 13. http://www. packer jersey shop .com/bj-raji-jersey-c-1.html                    | 173.234.46.81
 14. http://www. packer jersey shop .com/brett-favre-jersey-c-9.html                | 173.234.19.93
 15. http://www. packer jersey shop .com/brett-favre-jersey-c-9.html                | 173.234.229.23
 16. http://www. packer jersey shop .com/charles-woodson-jersey-c-13.html           | 173.208.125.108
 17. http://www. packer jersey shop .com/charles-woodson-jersey-c-13.html           | 173.234.123.227
 18. http://www. packer jersey shop .com/charles-woodson-jersey-c-13.html           | 173.234.229.23
 19. http://www. packer jersey shop .com/charles-woodson-jersey-c-13.html           | 64.120.30.211
 20. http://www. packer jersey shop .com/clay-matthews-jersey-c-7.html              | 173.208.70.118
 21. http://www. packer jersey shop .com/clay-matthews-jersey-c-7.html              | 173.234.152.155
 22. http://www. packer jersey shop .com/clay-matthews-jersey-c-7.html              | 173.234.153.149
 23. http://www. packer jersey shop .com/clay-matthews-jersey-c-7.html              | 173.234.158.211
 24. http://www. packer jersey shop .com/donald-driver-jersey-c-5.html              | 173.234.159.194
 25. http://www. packer jersey shop .com/donald-driver-jersey-c-5.html              | 173.234.18.162
 26. http://www. packer jersey shop .com/donald-driver-jersey-c-5.html              | 173.234.228.24
 27. http://www. packer jersey shop .com/greg-jennings-jersey-c-4.html              | 173.208.22.218
 28. http://www. packer jersey shop .com/greg-jennings-jersey-c-4.html              | 173.234.228.24
 29. http://www. packer jersey shop .com/jermichael-finley-jersey-c-2.html          | 173.234.121.247
 30. http://www. packer jersey shop .com/jermichael-finley-jersey-c-2.html          | 173.234.38.156
 31. http://www. packer jersey shop .com/michael-crabtree-jersey-c-16.html          | 173.208.125.108
 32. http://www. packer jersey shop .com/michael-crabtree-jersey-c-16.html          | 173.234.38.156
 33. http://www. packer jersey shop .com/michael-crabtree-jersey-c-16.html          | 64.120.30.211
 34. http://www. packer jersey shop .com/paul-hornung-jersey-c-15.html              | 173.234.152.155
 35. http://www. packer jersey shop .com/paul-hornung-jersey-c-15.html              | 173.234.38.156
 36. http://www. packer jersey shop .com/paul-hornung-jersey-c-15.html              | 64.120.30.211
 37. http://www. packer jersey shop .com/reggie-white-jersey-c-14.html              | 173.208.125.108
 38. http://www. packer jersey shop .com/reggie-white-jersey-c-14.html              | 173.234.153.149
 39. http://www. packer jersey shop .com/reggie-white-jersey-c-14.html              | 173.234.19.93
 40. http://www. packer jersey shop .com/ryan-grant-jersey-c-12.html                | 173.208.125.249
 41. http://www. packer jersey shop .com/william-henderson-jersey-c-10.html         | 173.234.158.211
 42. http://www. packer jersey shop .com/william-henderson-jersey-c-10.html         | 173.234.18.162
 43. http://www. steeler super bowl jerseys .com                                     | 173.234.158.211
 44. http://www. steeler super bowl jerseys .com                                     | 173.234.38.156
 45. http://www. steeler super bowl jerseys .com                                     | 64.120.30.211
 46. http://www. steeler super bowl jerseys .com/ben-roethlisberger-jersey-c-16.html | 173.208.125.249
 47. http://www. steeler super bowl jerseys .com/ben-roethlisberger-jersey-c-16.html | 173.234.152.155
 48. http://www. steeler super bowl jerseys .com/ben-roethlisberger-jersey-c-16.html | 173.234.18.162
 49. http://www. steeler super bowl jerseys .com/ben-roethlisberger-jersey-c-16.html | 173.234.38.156
 50. http://www. steeler super bowl jerseys .com/brett-keisel-jersey-c-25.html       | 173.208.70.118
 51. http://www. steeler super bowl jerseys .com/brett-keisel-jersey-c-25.html       | 173.234.152.155
 52. http://www. steeler super bowl jerseys .com/brett-keisel-jersey-c-25.html       | 64.120.30.211
 53. http://www. steeler super bowl jerseys .com/byron-leftwich-jersey-c-10.html     | 173.234.159.194
 54. http://www. steeler super bowl jerseys .com/byron-leftwich-jersey-c-10.html     | 173.234.38.156
 55. http://www. steeler super bowl jerseys .com/casey-hampton-jersey-c-24.html      | 173.208.125.108
 56. http://www. steeler super bowl jerseys .com/casey-hampton-jersey-c-24.html      | 173.234.123.227
 57. http://www. steeler super bowl jerseys .com/casey-hampton-jersey-c-24.html      | 173.234.38.156
 58. http://www. steeler super bowl jerseys .com/chris-kemoeatu-jersey-c-15.html     | 173.208.125.108
 59. http://www. steeler super bowl jerseys .com/chris-kemoeatu-jersey-c-15.html     | 173.208.125.249
 60. http://www. steeler super bowl jerseys .com/chris-kemoeatu-jersey-c-15.html     | 173.234.159.194
 61. http://www. steeler super bowl jerseys .com/chris-kemoeatu-jersey-c-15.html     | 173.234.38.156
 62. http://www. steeler super bowl jerseys .com/evander-hood-jersey-c-23.html       | 173.234.143.198
 63. http://www. steeler super bowl jerseys .com/evander-hood-jersey-c-23.html       | 173.234.152.155
 64. http://www. steeler super bowl jerseys .com/evander-hood-jersey-c-23.html       | 173.234.228.24
 65. http://www. steeler super bowl jerseys .com/heath-miller-jersey-c-18.html       | 173.234.152.155
 66. http://www. steeler super bowl jerseys .com/hines-ward-jersey-c-19.html         | 173.234.153.149
 67. http://www. steeler super bowl jerseys .com/hines-ward-jersey-c-19.html         | 173.234.158.211
 68. http://www. steeler super bowl jerseys .com/hines-ward-jersey-c-19.html         | 173.234.46.81
 69. http://www. steeler super bowl jerseys .com/hines-ward-jersey-c-19.html         | 64.120.30.211
 70. http://www. steeler super bowl jerseys .com/james-farrior-jersey-c-12.html      | 173.234.123.227
 71. http://www. steeler super bowl jerseys .com/james-harrison-jersey-c-21.html     | 173.208.125.108
 72. http://www. steeler super bowl jerseys .com/james-harrison-jersey-c-21.html     | 173.234.121.247
 73. http://www. steeler super bowl jerseys .com/jeff-reed-jersey-c-6.html           | 173.208.125.108
 74. http://www. steeler super bowl jerseys .com/jeff-reed-jersey-c-6.html           | 173.234.152.155
 75. http://www. steeler super bowl jerseys .com/jeff-reed-jersey-c-6.html           | 173.234.19.93
 76. http://www. steeler super bowl jerseys .com/jeff-reed-jersey-c-6.html           | 173.234.229.23
 77. http://www. steeler super bowl jerseys .com/jeff-reed-jersey-c-6.html           | 173.234.38.156
 78. http://www. steeler super bowl jerseys .com/jerome-bettis-jersey-c-8.html       | 173.208.125.249
 79. http://www. steeler super bowl jerseys .com/jerome-bettis-jersey-c-8.html       | 173.208.22.218
 80. http://www. steeler super bowl jerseys .com/jerome-bettis-jersey-c-8.html       | 173.234.152.155
 81. http://www. steeler super bowl jerseys .com/jerome-bettis-jersey-c-8.html       | 173.234.159.194
 82. http://www. steeler super bowl jerseys .com/kevin-greene-jersey-c-20.html       | 173.234.158.211
 83. http://www. steeler super bowl jerseys .com/lamarr-woodley-jersey-c-14.html     | 173.234.158.211
 84. http://www. steeler super bowl jerseys .com/lawrence-timmons-jersey-c-22.html   | 173.208.125.249
 85. http://www. steeler super bowl jerseys .com/lawrence-timmons-jersey-c-22.html   | 173.234.18.162
 86. http://www. steeler super bowl jerseys .com/lawrence-timmons-jersey-c-22.html   | 173.234.228.24
 87. http://www. steeler super bowl jerseys .com/lawrence-timmons-jersey-c-22.html   | 173.234.46.81
 88. http://www. steeler super bowl jerseys .com/limas-sweed-jersey-c-2.html         | 173.234.122.228
 89. http://www. steeler super bowl jerseys .com/limas-sweed-jersey-c-2.html         | 173.234.158.211
 90. http://www. steeler super bowl jerseys .com/maurkice-pouncey-jersey-c-13.html   | 173.234.158.211
 91. http://www. steeler super bowl jerseys .com/mike-wallace-jersey-c-3.html        | 173.208.125.249
 92. http://www. steeler super bowl jerseys .com/mike-wallace-jersey-c-3.html        | 173.208.70.118
 93. http://www. steeler super bowl jerseys .com/mike-wallace-jersey-c-3.html        | 173.234.228.24
 94. http://www. steeler super bowl jerseys .com/rashard-mendenhall-jersey-c-7.html  | 173.234.121.247
 95. http://www. steeler super bowl jerseys .com/rashard-mendenhall-jersey-c-7.html  | 173.234.46.81
 96. http://www. steeler super bowl jerseys .com/ryan-clark-jersey-c-5.html          | 173.234.153.149
 97. http://www. steeler super bowl jerseys .com/ryan-clark-jersey-c-5.html          | 64.120.30.211
 98. http://www. steeler super bowl jerseys .com/santonio-holmes-jersey-c-1.html     | 173.208.125.249
 99. http://www. steeler super bowl jerseys .com/santonio-holmes-jersey-c-1.html     | 173.234.152.155
100. http://www. steeler super bowl jerseys .com/santonio-holmes-jersey-c-1.html     | 173.234.153.149
101. http://www. steeler super bowl jerseys .com/troy-polamalu-jersey-c-11.html      | 173.234.18.162
102. http://www. steeler super bowl jerseys .com/willie-parker-jersey-c-9.html       | 173.208.22.218
103. http://www. steeler super bowl jerseys .com/willie-parker-jersey-c-9.html       | 173.234.38.156

As always, your mileage should vary. 🙂
Make backups, use caution and test, test, test when changing network access related settings…

Topics: Computer Technology, Internet Search, Problem Solving, System and Network Security, Unix-Linux-Os
