Comments on: Is Google Referrer Spamming Too Now?

By: Weekly Search & Social News: 02/23/2010 | Search Engine Journal

Weekly Search & Social News: 02/23/2010 | Search Engine Journal — Tue, 23 Feb 2010 15:58:05 +0000

[...] Is Google Referrer Spamming Too Now? – one of my fav ranters, Michael VanDermar picked up on some interesting goof-ups from the Google gang. This one was a fun ride and even the Googlers responded apparently. Give it a read. [...]

By: Michael VanDeMar

Michael VanDeMar — Thu, 18 Feb 2010 22:51:27 +0000

@Robert – I posted an update with their reply a couple of hours ago, which does state that it is malware they are looking for, but I think I forgot to clear WP-Cache after I did so. My bad.

By: Robert

Robert — Thu, 18 Feb 2010 20:47:18 +0000

The reason they’re doing this is to look for malware. Most of the time when a script is uploaded that contains redirects to malware it will only respond to specific referrers or browsers. This is because scripts will often chain together their redirects in an attempt to hide from researchers.

This is particularly common with pages that are landing pages for google ads- malware authors will create the ads, have them point to a page that looks fine to the google bot but for someone with an exploitable browser, coming from the right place, the page will redirect to an exploit.

So, for example-

1) This page looks like an ad normally, but with the right into will redirect to 2
2) If the browser is exploitable and the referring was the original ad, redirect to 3
3-?) If the browser is exploitable and the referrer is correct, redirect to next
?+1) exploit the browser.

So its very important to find that initial page, since even if you know where the final exploit is you still need to have all the pieces to unlock it.

By: Outtanames999

Outtanames999 — Thu, 18 Feb 2010 16:08:07 +0000

Hmm. Interesting observation in the log files. Still, it’s difficult to know why this is occurring. However, is it possible that Google is spidering as IE6 to understand how some web pages may break under that version, especially given Google’s move ?RKTML5 in its own apps?

By: Michael VanDeMar

Michael VanDeMar — Thu, 18 Feb 2010 14:03:02 +0000

@Mk – you’d think so, right? But there are lots of things that Google does that don’t live up to the standards we hold them to.

By: Mk

Mk — Thu, 18 Feb 2010 13:45:13 +0000

I think the informations and idea in this article are wrong.

If Google wanted really to do anonymous spidering with cloaked User Agents, they simply would buy new ips and servers under another company name – instead of locking down reverse dns for some already bought ips in some google ip blocks. I mean we talk about Google not some wannabe-script-kiddies here.

By: Michael VanDeMar

Michael VanDeMar — Wed, 17 Feb 2010 23:41:55 +0000

Quick note to the inbred who was asking how I knew that the IP addresses belonged to Google... they are linked in the article. You can click on them and it will take you to the ARIN IP whois utility. If you are going to try to call people out on the interwebs about technical shit then you should probably educate yourself a little bit better about how it all works first. Just a suggestion though. If you want to know why your comment wasn't approved, you can read about that here: On Freedom Of Speech And Social Media (A Quick Note To Anonymous Commenters).

By: Michael VanDeMar

Michael VanDeMar — Wed, 17 Feb 2010 22:48:24 +0000

Arthur, her being logged in is a separate issue than her traffic logs, but no, she wasn’t.

By: Arthur Czuma

Arthur Czuma — Wed, 17 Feb 2010 20:05:02 +0000

This may be a silly question. But did she have personalized search enabled?

This will usually cause that kind of irregularity.

By: Sebastian

Sebastian — Wed, 17 Feb 2010 00:50:53 +0000

IF, and that’s a big IF, Google’s checking for cloaking pages with such blatantly faked requests, I’d call that sneaky, too. As for the IPs you’ve published, these could very well be assigned to AppEngine what opens just another can of worms, but has nothing to do with spam filters.