Cenzic 232 Patent
Paid Advertising
web application security lab

Sometimes it Sucks Being a Search Engine Spammer

Somehow I ended up on the dumb side of a search engine spammer. I have no idea why anyone would think this would be a good site to rip off - you have to be a serious newbie to think that’s a good idea. Anyway, there I was, getting pingbacks and referring URLs and people telling me that my site was being ripped off by some dumbass. The only vaguely amusing side of this is that other SEO blogs have been hit by this recently too.

I’ve got to think this is just some sort of dumb joke, but that would be way too smart. No, this is just stupidity. So anyway, it was fairly trivial to figure out who was ripping my RSS feed. So it took me a few seconds to modify my document management system to do some IP delivery to the moron, and a few seconds of searching on the web for some nice prescription drug spam and poof! His site now looks like a bad spam doorway page and will continue to do so even more so with every post he indexes.

Then I do a little research on the idiot himself and I find out all his infoz:

– removed –

Why on earth would you hand pick this site, out of every site on the web, and think for a second I wouldn’t fuck with you? Way to go, moron. I’m not a spammer hater, but come on. Get a clue!

He also registered all his domains with Godaddy, and this is totally against their TOS - (copyright infringement). He’s lucky I don’t get all his sites nuked, dumbass.

54 Responses to “Sometimes it Sucks Being a Search Engine Spammer”

  1. Vic Says:

    Now THAT is just too damned funny!

    Vic

  2. RSnake Says:

    Thank you, thank you… Some people just don’t “get” it. But at least it was worth a laugh.

  3. Tux Says:

    OMFG ROFL , such a dumbass
    btw, that was a cool way to pay it back, even if you should have put a warez or pr0n site on his webspace ^^
    anyway– i had to laugh about ten minutes about this

  4. Here’s What Happens When You Scrape a Haker Site SEO Black Hat: SEO Blog Says:

    […] He thought wrong. I’ve got to think this is just some sort of dumb joke, but that would be way too smart. No, this is just stupidity. So anyway, it was fairly trivial to figure out who was ripping my RSS feed. So it took me a few seconds to modify my document management system to do some IP delivery to the moron, and a few seconds of searching on the web for some nice prescription drug spam and poof! His site now looks like a bad spam doorway page and will continue to do so even more so with every post he indexes. […]

  5. RSnake Says:

    Heheh, I love that he works at Best Buy… that’s my favorite part. Btw, in case anyone is curious, I believe he uses Magpie RSS to aggregate the content.

  6. Ich denke nicht… » Blog Archive » ungefährlich Says:

    […] Manchmal sollten sich die Scriptkiddies wirklich überlegen, wen sie aufs Korn nehmen. Manche finden es ja eine tolle Idee den Feed einer fremden Seite als eigenen Inhalt zu verkaufen. Dumm nur, wenn man sich ausgerechnet die Seite eines Hackers aussucht. […]

  7. countzero Says:

    Very nice Rsnake!

    Would you mind sharing the code? He is scraping me as well, not that I care, just for the fun.

  8. zigzo is dead Says:

    countzero and rsnake,

    i own zigzo and i have removed that plus the rest of the splogs that were created. magpie RSS was not installed on the server and i think that someone was using an application rather than a script to splog. The actual blog script was wordpress-mu.

    Some of the other splogs that were listed on zigzo had redirect codes and whatnot injected into the posts some how.

    Anyways, to both of you i am sorry your content was stolen and please know it has been totally removed.

    On another note Brett is NOT the owner of the sites and has absolutely nothing to do with any of the sites you mentioned via the RSS comments that were posted on seojournal.zigzo.com. He is a friend of mine and he used to own angelicamateurs.com. This site was hosted on my server at one point but it is no longer and clearly says so by the whois. He got out of that game a LONG time ago.

    I beg you to please stop posting his information.

    Again i apologize to both rsnake and countzero for the bs this shit has put you both through and myself included. Also, i have included my email in this comment… zigxxx@gmail.com you can both email me for anything at all.

    thank you.

  9. zigzo is dead Says:

    i see you have removed his info already.

    thank you SO much. i appreciate this x 1 million.

  10. RSnake Says:

    No need, countzero! Woo! I was able to completely shut down the site! Here is the text from the website (zigzo.com):

    To Whom it May Concern,

    Zigzo has been officially closed down due to a small spammer network causing a personal friend of mine to be personally attacked by means of extracting extremely personal information.

    To the affected parties please accept this apology and know that the website has been shut down for the time being. If you have questions you may contact me directly @ zigxxx@gmail.com .

    Thank you and again sorry for the inconvenience — especially to the owners of legit blogs. :(

    Wait, who’s the spammer? Nooo, that would be YOU Zigx - I just made use of your own automated copywrite infringement and turned it against you. Sucks to be taught a lesson, huh? Try swimming with the kiddies before jumping in with the sharks, kay? I’ve just got to say it again, because it just amazes me - why on EARTH would you think ripping this site, out of every site in the whole wide world, would be a good idea?

    Now the schmuck would have me believe that the owner of the domain the machine was hosting was not the same owner as the website on it. If Zigx would like to tell us his real identity, I could redirect my efforts towards him instead. He’s lucky I didn’t completely wipe out every machine in his whole IP range AND get his domains revoked. Frankly I think I was pretty nice. I barely did anything to him actually.

    And btw, ALL of the webmasters that had their sites ripped off run legitimate blogs, Zigx was the only one who wasn’t! Anyway, since I was effective in my anti-newbie mission I’ve removed the personal info from my site, so he can rest easy at nights.

    And now, it’s miller time!

  11. RSnake Says:

    Zigx, I saw your posts after I posted mine, which is why this seems out of order. Anyway, all’s forgiven, data’s been removed (stored, but removed), and the world is all back to normal.

    Next time, ask. Nuff said.

  12. Matt Cutts Says:

    Alrighty then, nothing for me to do here. :) Moving on..

  13. pete Says:

    “So anyway, it was fairly trivial to figure out who was ripping my RSS feed. So it took me a few seconds to modify my document management system to do some IP delivery to the moron”

    Nice, nice work :) Would love to hear a technical explaination of how you did it. I’ve got a few people stealing my stuff, too.

  14. Jaimie Sirovich Says:

    Pete: Read my blog in a bit, I’m posting on it — www.seoegghead.com

  15. RSnake Says:

    Hahah, no no, Matt, I’ve got this one covered, you can rest easy. ;) Thanks for posting!

    Pete, sure, it was pretty trivial actually. I saw a pingback from an IP address (66.28.59.112) that had my stuff in it pointing to a server at 66.28.59.117 (seojournal.zigzo.com). Notice how close those IPs are together. That’s how I was able to get all those other domains tied together.

    Then I went and parsed through my logs seeing what other things that IP address had done. It turns out it also happened to be checking my RSS feed once every hour or so (kinda random, I’m not sure why exactly).

    So then I modified my trusty blogging tool (finding the right place to modify was the only hard part) to do some IP delivery based on the IP address with something like so:

    if ($_SERVER[’REMOTE_ADDR’] == “66.28.59.112″) :

    And in the case of that IP address, I delivered some Cialis spam to him, plus some specially crafted HTML that ended in an open comment tag.

    The open comment tag killed any content after it until it reached the end of the next comment (which was WAAAAY down the page). Making it so that the link to me and my domain was now commented out, and most of the rest of the content on the page was messed up.

    I also added a Chinese bad word that will block the China firewall from letting traffic through so that no one in China could see the page (including Baidu.com and it’s robots).

    And then, every time I posted, it would update the time of day it was posted, with the real title, but with my fake Cialis spam content, and poof! The deed was done.

    The only hard part was finding out everything about him (his age, his birthday, his domains, his email addresses, his phone numbers, where he lived, who he lived with (his Dad, and his Dad’s info), where he worked, what he looked like, what his hobbies were, where he went to school, what his major was, who he was friends with, where they went to school, blah blah blah…). I included that in the spam, just for good measure. That was the clincher.

    I’d be a really good stalker if I weren’t so damned lazy.

  16. SEO Egghead » Blog Archive » How to Deal with Content Theft Says:

    […] Incidentally, some scraper, here, was stealing my content and posting it, verbatim, on his site.  I never authorized this.  He was even linking back and thusly sending pings to me — I got alerted to each "citation."  Not so bright.  He also struck ha.ckers.org, a site about software security with some SEO stuff as well.   That was even less bright.  I was eventually going to report the site (see below), but RSnake at ha.ckers.org had a rather amusing way to deal with the problem. […]

  17. Steve Says:

    Hey - thanks for the great, amusing post. That’s a great way to turn the tables on a full-RSS scraper - I also subscribed to your SEO Egghead feed to keep uptodate on other tactics you come up with. :)

    BTW, I noticed you have both Yahoo YPN and Google Adsense ads on the very bottom of your page here. It may have been an oversight on your part when redesigning or otherwise switching up ad networks, but I *think* it violates (at least) Adsense TOS to show their ads with similar ads from another network on the same page…

    Just FYI and thanks again for this post,

    -Steve

  18. pete Says:

    Rsnake - cheers! I’m going to have some fun with this…

  19. countzero Says:

    I’ve no idea why this didn’t occur to me earlier. I just implemented a similar system to a couple frequently scraped sites of mine and I’m now even thinking of setting up some scraping honeypots.

    Of course, instead of making the scraper sites look bad, I just put my ads/links on there. This is so fun! (and easy money)

  20. RSnake Says:

    Haha, I’m glad to hear this post was more than just amusing. Please let me know how it goes when you get the results back. I’m always curious to know how these things turn out.

  21. rxbbx Says:

    amusing indeed.. don’t scrape that much :)

  22. IP Delivery For Sploggers: How To Prevent People Hijacking Your Feeds Says:

    […] There is a great post over at hackers.org detailing how to stop content thieves republishing your blog. […]

  23. pip Says:

    this gonna be the “best practice” for any future case of rss-scraping. thanks a lot.

  24. PlagiarismToday » Cloaking to Stop Scraping Says:

    […] White hats, recently, found another positive use for cloaking, the ability to stop scraping by providing different content to a scraper than to the rest of the world. This has proved detrimental to one splogger and has earned one hacker his fifteen minutes of fame. […]

  25. Isulong SEOPH (with SEO Comics) » Isulong SEOPH 29, Stealing Content From Other Sites… Says:

    […] The comics above is inspired by what Ha.ckers.org did to a content thief.  It was so funny. I’m just guessing here though — I don’t actually know if RSnake could turn off electrical power at the offending party’s home. That would’ve been cool though. […]

  26. WhiteAcid’s Scribblings » Leeching off me Says:

    […] Now have a look at this and this. This remind of the people who rip off blog content of capable people such at RSnake over at ha.ckers.org. […]

  27. Jonathan Says:

    Just in case I find myself in this situation, where was the modification made to your software? Please feel free to email me if you don’t want to post it.

  28. ha.ckers.org web application security lab - Archive » Content Theft Comic Says:

    […] Isulong SEOPH just published an amusic comic I thought I’d share with all of you. It’s regarding the content theft that happened last week. It was pretty funny, so I thought you might get a kick out of it. (Click to enlarge) […]

  29. RSnake Says:

    Hi, Jonathan, if you check out http://www.plagiarismtoday.com/?p=287 you can get a look at a few different methods of doing this. I gave the peice of code to him, although there are more ways than one to skin this cat, this is just the particular way I chose to do it.

  30. Ian Clifton Says:

    That’s definitely a good way of dealing with the scraper, but I think you were too nice! I probably would have been more harsh, making it add content that specifically violated the GoDaddy and/or host’s TOS and then report it. Either way, it makes for an amusing story.

  31. Protecting Your Content » JonLandrum.com Says:

    […] 8 ha.ckers.org article “Sometimes it sucks being a search engine spammer” […]

  32. Alistair Says:

    Considering the guy ripped my whole site, categories included I think he deserves all he gets. He was not too aplogetic when I emailed them about it, did not even bother replying actually.

    Only aplogetic now as someone with a bot of net savy caught him out !

    Rant Over !! :)

    Alistair

  33. johnon.com » Blog Archive » Why I think INGDirect.com affiliate program sucks Says:

    […] I’m liking this RSnake character more every day. I liked him when I first heard of him on ThreadWatch, and I truly enjoyed his handling of the splogger last week that was republishing his feed on an MFA site. I had been in conversations with IncrediBill previously trying to get him to understand that blocking content thieves is not merely as much fun as feeding them customized content, but I didn’t feel Bill was getting it… too caught up in that “shut ‘em down” behavior. And so now RSnake does a nice job of highlighting the stupidity of picking, of all the feeds in the world, his feed to steal. Well, now I am wondering the same thing about INGDirect. You are an online bank, highly regulated, and considered an enemy by many traditional banks. You have limited offerings, and have to go to great lengths justifying why your offerings might be ok opportunities for those in need of home loans and mortgages. You obviously need affiliates, since you signed on with RegNow. So why in the world would you treat your existing customers… especially the early adopters of online banking, like crap? […]

  34. ha.ckers.org web application security lab - Archive » SEO Content Theft Comic Part 2 Says:

    […] Insulong SEOPH published a follow on comic having to do with that SEO content theif a few weeks back. This time I apparently am getting him arrested for child pornography (something fairly easy to do, by the way - using XSS via browser caching no less). Also, I should probably comment on the last post as well, yes, I can turn people’s power off. That would have been a terrible idea though, as he already knew who I was. Federal time just isn’t worth it - I’d rather mess with him for a laugh to be honest. Anyway, enjoy: Click here to enlarge […]

  35. Michaël Niessen Says:

    Well done!

    “He also registered all his domains with Godaddy, and this is totally against their TOS - (copyright infringement). He’s lucky I don’t get all his sites nuked, dumbass. ”

    I personally think you should have notified GoDaddy, because he probably will continue ripping content out of other websites and put it on his other domains, just being careful to avoid content from other SEO/spam experts.

    Michaël

  36. Personal blog - Dragos Roua » Blog Archive » So, don’t u ever steal my blog, newbie, right? Says:

    […] http://ha.ckers.org/blog/20060712/sometimes-it-sucks-being-a-search-engine-spammer/ […]

  37. papaman Says:

    very very nice RSnake! that was an amazing and amuzing post. one of the best…
    I hate content thieves

  38. DCackle Says:

    Can I ask a question? How does somebody rip off your RSS or site? How does the average web owner detect it?

    Maybe this is a newbie question, but I have heard of some things like this, and I don’t quite get it yet.

    Any links or ideas would be appreciated.

    Thanks.

  39. RSnake Says:

    DCackle, unfortunately, there are about 50 different ways to steal web content from a site. The easiest way is just to set up a timed task to pull down the most recent content from the homepage once per day (you could use wget or some homegrown script to do that). That doesn’t work so well if you want to integrate it into a CMS, but there are a few programs out there that do that, like RSStoHtml scripts (a la http://www.feedforall.com/free-php-script.htm). The guy who was doing this was using something like the latter (although I never got confirmation on exactly what the code looked like).

    There are dozens of other ways. This particular guy was being extremely obvious, by pulling the information from the same machine he was posting to. There were no less than three signatures that allowed me to see him. Firstly, he did trackbacks which means my CMS was asking me if I wanted to post a link to his site from mine… uh, no! The second was the referring URLs coming from his server. I watch my HTTP logs like a hawk, so this was pretty obvious. The last, was that he was pinging technorati, so by doing a search for myself I saw him all over the search results with my content. Pretty obvious!

    For people who have no access to server logs and the code itself you can go the v7n route and insert a keyword into a few posts and search for them to see where they end up. If they ever show up in a post somewhere, you know someone has been stealing your content.

    If you don’t want to watch your logs, you can do something more automated like put absolute URLs to images in your listings. The absolute URL could be to a PHP script that then shows the image in question but logs the referring URL. If the referring URL is anything but your server, it’s time to investigate. I hope that helps a little!

  40. Jonathan Says:

    Thanks, RSnake! I appreciate the help.

  41. Com » Ferran » Cloacking contra ladrones de posts Says:

    […] Actualización 2: Creo que es justo mencionar que la idea del cloacking fue via Sigt.net y ha.ckers.org (otro domain hack por cierto). […]

  42. tercme Says:

    Would you mind sharing the code? He is scraping me as well, not that I care, just for the fun.

  43. aconline Says:

    Well it looks like someone removed his site anyway, so that ought to give you some piece of mind. If I ever found out that anyone was doing that with my site, I would find out who they were and I would take them to court and sue them for about a million dollars for destroying a growing enterprise and turning it into worthless spam. Sometimes I wish someone would do that just so I could show the world a lesson. Don’t you wish that sometimes too? On the other hand, it isn’t said all the time that imitation is the sincerest form of flattery? So you could take it as a complement that someone thought your site was good enough to copy and take advantage of. I know that at this point, my personal site isn’t quite large enough to have reached its full potential and I can use all the help I can get from people linking, etc. Although I certainly CAN’T use someone pushing me down in the Google rankings and making me look like a spammer. I already don’t have that high of a Google ranking and probably never will…so sad.

  44. magicinmarketing Says:

    If I were in your place Id also feel the same way. Knowing that this moron had his urls registered at GoDaddy, did you go after him at GoDaddy? Did you inform GoDaddy about this persons monkey business?

    Sometimes its frustrating to know that other people arent too busy that all they can think of is to destroy others peoples lives.

  45. Posi Says:

    nice story

  46. sohbet Says:

    Would you mind sharing the code? He is scraping me as well, not that I care, just for the fun.

  47. Vikas Says:

    heY Rsnake,

    It was a great way to deal with him. I am a newbie to this entire thing, was just looking to find out ways to avoid automated scrapers to scrape data from my site. Is there a way by which i can prevent the scraping of data from the pages instead of reacting to the scraping attacks.?
    I think it would be difficult to stop it but i want to make it as hard as possible so no newbie atleast can get hold of data.

    Thnks, looking forward to a helpful reply.

    rgrds,
    Vikas

  48. mirc indir Says:

    I think it would be difficult to stop it but i want to make it as hard as possible so no newbie atleast can get hold of data.

  49. mirc indir Says:

    If you dont want to watch your logs, you can do something more automated like put absolute URLs to images in your listings. The absolute URL could be to a PHP script that then shows the image in question but logs the referring URL. If the referring URL is anything but your server, its time to investigate. I hope that helps a little!

  50. Sohbet Says:

    Can I ask a question? How does somebody rip off your RSS or site? How does the average web owner detect it?

    Maybe this is a newbie question, but I have heard of some things like this, and I dont quite get it yet.

    Any links or ideas would be appreciated.

    Thanks.

  51. sohbet Says:

    Would you mind sharing the code? He is scraping me as well, not that I care, just for the fun.de

  52. sohbet odaları Says:

    If you dont want to watch your logs, you can do something more automated like put absolute URLs to images in your listings. The absolute URL could be to a PHP script that then shows the image in question but logs the referring URL. If the referring URL is anything but your server, its time to investigate. I hope that helps a little!

  53. tatil otelleri Says:

    Would you mind sharing the code? He is scraping me as well, not that I care, just for the fun.de

  54. gunz Says:

    Ive no idea why this didnt occur to me earlier. I just implemented a similar system to a couple frequently scraped sites of mine and Im now even thinking of setting up some scraping honeypots.

    Of course, instead of making the scraper sites look bad, I just put my ads/links on there. This is so fun! (and easy money)