This is a story of some of the dark corners of the inter\u00adnet, with a puzzle at the end and a request for advice\u2026<\/p>\n
Our story starts a few weeks ago. I had installed Stat\u00adcounter on the blog post\u00adings to keep an eye on who vis\u00adits my blog and why, with more inform\u00ada\u00adtion than you get from per\u00adus\u00ading access logs (I have those too). I also like fol\u00adlow\u00ading links back to refer\u00adrers to see why they\u2019re link\u00ading to my site, when I have time. A few weeks ago I noticed what looked like a spam site link\u00ading to my blog \u2014 you know the type of URL<\/span>, it\u2019s some non\u00adsensic\u00adal com\u00adbin\u00ada\u00adtion of let\u00adters and digits. So I fol\u00adlowed it back, only to find that it was a com\u00adplete frame of my blog. View source showed only that my site was being framed. No oth\u00ader con\u00adtent was being added as ads, as meta con\u00adtent, or any\u00adthing else that I could see. Noth\u00ading that explained why they\u2019re doing this.<\/p>\n So I looked up the whois for the site, dis\u00adcovered it\u2019s hid\u00adden by a com\u00adpany called \u201cDomains by Proxy\u201d, which spe\u00adcial\u00adizes in hid\u00ading regis\u00adtra\u00adtion data for web sites. They have lots of inform\u00ada\u00adtion on their site about how they cooper\u00adate with law enforce\u00adment if people are doing some\u00adthing illeg\u00adal, which leads me to sus\u00adpect that unless you can prove someone\u2019s doing some\u00adthing illeg\u00adal they won\u2019t do any\u00adthing or even talk to you. Not that I tried talk\u00ading to them, since simply fram\u00ading my site isn\u2019t illeg\u00adal, or even con\u00adtra\u00adven\u00ading my Cre\u00adat\u00adive Com\u00admons license. It is, how\u00adever, highly suspicious.<\/p>\n A little more invest\u00adig\u00ada\u00adtion was in order; the num\u00adber of hits on my web\u00adsite from this site were increas\u00ading and oth\u00ader ver\u00adsions of the URL<\/span> were show\u00ading up. The URL<\/span> was of the form \u201caff\u201d fol\u00adlowed by \u201c0000\u201d fol\u00adlowed by a num\u00adber, fol\u00adlowed by .com (yes, it\u2019s cir\u00adcuit\u00adous, but I don\u2019t want my site linked to theirs in search engines, for reas\u00adons that will become obvi\u00adous). I checked out and found that all num\u00adbers from 1 to 28 poin\u00adted to my site. So someone paid to register 28 domains, host 28 domains, and put in HTML<\/span> to point to my site? None of the URLs showed up in the com\u00admon search engines, but some\u00adhow they were being clicked on, seem\u00adingly by real people (spread of ISPs across the world, dif\u00adfer\u00adent OSes, screen res\u00adol\u00adu\u00adtions, and browsers, all stay\u00ading for approx\u00adim\u00adately zero seconds).<\/p>\n I con\u00adtem\u00adplated put\u00adting in some frame bust\u00ading code but decided to wait a little and see what happened, in case they were just get\u00adting ready to do some\u00adthing. In the mean\u00adtime more of these sites start point\u00ading at mine. And finally one of them showed up in a search engine, and there it points to an adult site. One of those ones that may not be safe at work, at least judging by the front page. In which case the frame bust\u00ading isn\u2019t the answer any\u00adway, the people vis\u00adit\u00ading this site don\u2019t want to see my mus\u00adings on tech\u00adno\u00adlogy, moth\u00ader\u00adhood, or knit\u00adting, they want the adult con\u00adtent they expect.<\/p>\n Tim had the bright idea at this stage of using a com\u00admand-line fetch on the \u201caff\u201d sites and found that the index page returns a list of poten\u00adtial mis\u00adspellings of the adult site\u2019s name. About 10000 of them. The oth\u00ader sites return sim\u00adil\u00adar lists; num\u00adber 28 only returns about 7000 mis\u00adspellings. If you search for one of these mis\u00adspellings in a com\u00admon search engine, you land on an \u201caff\u201d page, which then redir\u00adects you to the adult site. But only if you come from a search engine. If you type in that site name in the address bar, the redir\u00adect sends you to my blog.<\/p>\n So I have a couple of ques\u00adtions, and would appre\u00adci\u00adate any thoughts or exper\u00adi\u00adences you have.<\/p>\n The adult site itself does have a tech\u00adnic\u00adal con\u00adtact in the whois registry but the pur\u00advey\u00adors of the \u201caff\u201d sites might not be them. Sug\u00adges\u00adtions wel\u00adcome\u2026 the hits I\u2019m get\u00adting have grown from noth\u00ading a few weeks ago to now being a sub\u00adstan\u00adtial part of the dir\u00adect hits on my site so it\u2019s a prob\u00adlem I want to solve soon.<\/p>\n","protected":false},"excerpt":{"rendered":" This is a story of some of the dark corners of the inter\u00adnet, with a puzzle at the end and a request for advice\u2026 Our story starts a few weeks ago. I had installed Stat\u00adcounter on the blog post\u00adings to keep an eye on who vis\u00adits my blog and why, with more inform\u00ada\u00adtion than you \u2026 Con\u00adtin\u00adue read\u00ading \u201cFramed!\u201d<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"","activitypub_status":"","footnotes":""},"categories":[1,6],"tags":[],"class_list":["post-181","post","type-post","status-publish","format-standard","hentry","category-general","category-technology"],"_links":{"self":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/posts\/181","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/comments?post=181"}],"version-history":[{"count":0,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/posts\/181\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/media?parent=181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/categories?post=181"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/tags?post=181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n