50 scamming fucktards.

Bingo! This is what we can do to help. The progams may contol the money but the affiliates control the traffic. We are the front line for educating and protecting our surfers.

I would also say it would go a long way towards instilling good will if program owners emailed their members about ways to protect themselves as well...

:thumbsup

Sorry I was hung over when I wrote that and didn't have my head on straight


No, what I meant was, did you ever SEE what installs DH was promoting on his P2Pads.com network?


I kinda see it as a conflict of interest, personally. How can you sell traffic to people with a straight face if you are allowing Zango installs on your network? Basically helping your customers on one end lose money because of Zango hijacks, but profiting off of Zango hijacking your other customer's browsers?


Although I doubt DH would do Zango installs because of this, that's why I'm asking YOU Will76 if you had any proof of what DH was installing? I know he admitted to profiting off of doing installs on p2pads.com but nobody has any clue as far as I know about WHAT installs he was doing?

Could this problem be solved by not trading with any of the offending domain registrars/hosts?
Someone should set up a blacklist of domains/IPs...maybe even trade scripts could implement this.

it may help, but it will not solve the problem, unfortunately.

no and he would never disclouse that info, even after asked several times. I went as far as to ask him if he could name a couple "adware" companies that he thought were "ok". Not real adware like google, but "adware" companies, not like google would pay him anyway. He wouldn't even mention any adware companies muchless ones that he did business with.... He claims he never sold traffic for zango installs but I guess you have to take his word on that.

I simply check every new trade domain if it's registered with ESTDOMAINS, and if so I'm adding it to my blacklist. Quite often they're also hosted at either ATRIVO, INHOSTERS or INTERCAGE.

So when a new trade signs up the first thing I'm doing is to search for "domain.com" in google, most of the time somebody else had a problem with them already and posted the domain in some boards cheater section, so you can easily check that through google.
Next I'm checking his registrar at http://whois.domaintools.com, if it's ESTDOMAINS I'm having a new IP to blacklist.

And I've added the following server IP ranges to my blacklist:
74.52.6.43
66.29.35.37
216.255.189.123
216.255.189
70.84.80.50
216.240.149.117
74.52.6
66.29.35
216.255.189
70.84.80
216.255.178
216.240.149
67.15.187.2
72.232.215.76
216.255.176.124
216.255.176
74.52.6.43
216.255.178.52
216.255.178.60
216.255.178
72.232.194.58
72.232.215.74
72.232.215.77
209.8.19.242
209.51.132.202
91.192.117.46
69.50.160
69.50.161
69.50.162
69.50.163
69.50.164
69.50.165
69.50.166
69.50.167
69.50.168
69.50.169
69.50.170
69.50.171
69.50.172
69.50.173
69.50.174
69.50.175
69.50.176
69.50.177
69.50.178
69.50.179
69.50.180
69.50.181
69.50.182
69.50.183
69.50.184
69.50.185
69.50.186
69.50.187
69.50.188
69.50.189
69.50.190
69.50.191
85.255.112
85.255.113
85.255.114
85.255.115
85.255.116
85.255.117
85.255.118
85.255.119
85.255.120
85.255.121
85.255.122
85.255.123
85.255.124
85.255.125
85.255.126
85.255.127
72.55.148.87
88.85.81.195

And webmaster IPs:
88.151.106.252
81.169.235.6
70.84.80.50
83.188.23.87
81.169.224.98
83.69.20.130
81.169.234.219
69.166.67.221
91.192.117.46
72.232.65.178
64.151.36.201
86.57.128.201
91.124.155.94

And domains:
shyteenies.com
mashathumbs.com
sexgall.net
hotdailynudes.com
yourthumbnails.com
asianscity.com
xxxdesert.com
startfreevideo.com
tgpporn.net
100freegalls.com
fuckingcraft.org
extrablow.com
brothervids.com
onlinesexmovie.net
pjunkie.net
perky-teenies.com
sappypussy.com
dullworld.com
pinkyteenies.com
hardsaloon.com
pushpussy.com
teensseduction.com
angelsvids.com
chickswar.com
mixteenies.com
smokyvids.com
teensinlaw.com
good-teens.com
try-girls.com
pinkypussies.com
sexymovs.com
youngperfection.net
mpeggalls.com
lookmycunt.com
girlsrussian.net
pornstarocean.com
lovelyteenvids.com
porn-cinema.net
need4pornvids.com

The server IPs cover a wide range of INHOSTERS, ATRIVO and INTERCAGE, since I'm using that I didn't had any further problem with these guys, so I suggest that everybody uses these IP ranges as a temporary addition to their blacklist.

what are the namerservers for those hosts? I can add name servers to the ban list in the tgp script I'm using.

scrap my last question. I found the nameservers.

interesting reading

/what method did you use to find them with?

does whois not showing them anymore?

:thumbsup :thumbsup

sorry can you post a few links to?

Like u-bob said, the ESTHOSTERS and ESTDOMAINS guys post here...post a request for hosting spam and watch them jump in the thread.
After looking at the domains used by these people I think 80% of the problem would be solved by looking up the registrar or host before accepting the trade.
It shouldn´t be too hard to write a quick script that will check wether the trade is hosted with the offending hoster or the domain is registered with them.

Something like this ?

http://ihave.bushiq.com/cgi-bin/estdomains.cgi

superdio: might wanna add cernel.net to that list. It's another one of those fake hosting companies used by scammers/thieves.

Nice, I was thinking to write something myself, but as you already did it I might suggest to add a feature to check domains in bulk. Cause it would be great if someone could just copy/paste all his trades into your script, and have them checked at once :)

I.e. http://whois.domaintools.com/porn-cinema.net shows the nameservers (NS1&2.PORNSTAR-SITE.NET) for porn-cinema.net (I've just taken a random one from my blacklist).

Unfortunately these guys use quite many nameservers, so blocking their server IP ranges was the most effective solution on my side. There are still 2-3 signup attempts from these giys to our sites each day, but the IP blacklisting blocks them :)

We should have added some naked chicks to the first post(s), to get more bumps

Making it Sticky would also be great :thumbsup

So I went to triplexporn.org which links/trades to top-amateur.com and on top-amateur.com there is a popup to nichetgp.com. Nichetgp and top-amateur are owned by the same individual.
On nichetgp.com is this code
Now codecsoft.net has this code
exp1.htm contains this code

triplexporn.org(an ESTDOMAIN) came from Tolik's sig btw.
also on triplexporn is a javascript that includes /cgi-bin/counter2.pl which has this code--
which contains a popup to--
nichetgp.com/amateur/in.cgi?a=340
which contains the code(win32.exe) explained above

Incase anyone misses that

Why don't we img src the fuck out of these people?

I know The Hun used to do that when someone stole his shit/copied his page....img src them until their server melted.

I'm sure all of us collectively could bring down an entire hosting company if we really wanted to. Why not IMG SRC all of the domains on all of our high traffic pages until his host shuts his account off?

congrats you two lame losers. original full line of code:

<script language="Javascript">
document.write('<img src="cgi-bin/counter2.pl?' + inc + '" style="visibility:none" height="0" width="0">');
</script>

now explain me how img src redirect traffic?

one more thing - "tolik" account name - not my account name at fpctraffic.

Registrant Organization:UltraHoster
this company registering domain under esthost. does not see any problem here. i have all my domains at same place for years. and i does not force anyone to trade width me. dont like - dont trade. anyway most time i trading with same people for years.

who said it redirects traffic?

Thanks man, added em to my blacklist! :thumbsup

later
c-lo

triplexporn.org(an ESTDOMAIN) came from Tolik's sig btw.
also on triplexporn is a javascript that includes /cgi-bin/counter2.pl which has this code-- blablabla

who care what code have img src what wroting 0*0 image at bottom of page?

and i cannot get at all where you get and for what this at all frame/iframe breaking code what you posted?

and also - for what this here:
_____________________________
which contains a popup to--
nichetgp.com/amateur/in.cgi?a=340
_____________________________

i never traded or have a links to this site.
if some toplist open this link for some countries - not for me or i have popup blockers on.

cannot understand what relation this have to me?

Your counter2.pl redirects to triplexporn.org/err.html which has the frame breaker code you asked about.
This err.html redirects to erotiqsex.com/cgi-bin/td/tfr.pl?act=out&acc=topyo which earlier had the popup to nichetgp, but now amazingly is 404

As far as how it relates to you. Well these were sites that you force traffic to, so anyone that trades with you is essentially getting their traffic infected with the sites where you force traffic.

You are right, everyone has a choice with who they trade with, and honest webmasters don't like to trade with sites that get their potential customers infected with shitware.

did you have any idea what will be if img src html file?

as i see no.

Makes no difference to me.
The point is your site forces traffic to places on the web that infect users with trojans/malware/zango and whatever else.

yes. very clever. sure. i forcing traffic using img scr of html site.
go faster register pattent for this new technology.
you will be reach in seconds.

Sorry, you can try to deflect this all you want, but your trade script specifically is what I am referring to. The err page just tied you to more shit sites.
Your site forces traffic to these sites--
xtoplist.com/topteen/toplist.php3?Action=In&Login=porevo -- a zango spot
and
top-amateur.com/?28363 a site that is explained above

1. ultrahoster = russian
2. ultrahoster.com = a domain used in tons of guestbook (and other) spam campaigns.
3. ultrahoster.com is on several spyware lists (including the coolwebsearch (=spyware) domain lists)

so - how this related to me if i just purashed domains using this company?
and this was been more then 2 years ago. what wrong with this?

This thread keeps getting better by the day.

I like this thread

Great thread thanks for the info
If you are using xclicks.net here's all you have to do:cut-copy-paste this into the banned page in your script:
83.69.20.130, 81.169.224.98, 83.188.23.87, 70.84.80.50, 88.85.81.195, 72.55.148.87, 85.255.127, 85.255.121, 85.255.120, 85.255.119, 85.255.118, 85.255.117, 85.255.116, 85.255.115, 85.255.114, 85.255.113, 85.255.112, 69.50.191, 69.50.190, 69.50.189, 69.50.188, 69.50.187, 69.50.186, 69.50.185, 69.50.175, 69.50.169, 69.50.170, 69.50.168, 209.51.132.202, 209.8.19.242, 72.232.215.77, 72.232.215.74, 72.232.194.58, 216.255.178, 72.232.215.76, 216.255.178.60, 67.15.187.2, 216.240.149, 216.255.178, 70.84.80, 66.29.35.37, 74.52.6.43, lookmycunt.com,
mpeggalls.com, youngperfection.net, sexymovs.com, trygirls.com, pinkypussies.com, good-teens.com, teensinlaw.com, smokyvids.com, angelsvids.com, mixteenies.com, teensseduction.com, chickswar.com, pushpussy.com, hardsaloon.com, pinkyteenies.com, sappypussy.com, dullworld.com, perkyteenies.com, onlinesexmovie.net, pjunkie.net, brothervids.com, extrablow.com, fuckingcraft.org, 100freegalls.com, tgpporn.net, startfreevideo.com, sexgall.net, hotdailynudes.com, mashathumbs.com, shyteenies.com, yourthumbnails.com, xxxdesert.com, asianscity.com, girlsrussian.net, pornstarocean.com, lovelyteenvids.com, porn-cinema.net, need4pornvids.com, 216.255.189.123, 70.84.80.50, 216.255.189, 216.240.149.117, 66.29.35, 74.52.6, 216.255.189, 216.255.176.124, 74.52.6.43,
216.255.176, 216.255.178.52, 91.192.117.46, 69.50.160, 69.50.161, 69.50.162, 69.50.163, 69.50.167, 69.50.166, 69.50.165, 69.50.164, 69.50.171, 69.50.172, 69.50.173, 69.50.174, 69.50.176, 69.50.177, 69.50.178, 69.50.179, 69.50.180, 69.50.181, 69.50.182, 69.50.183, 69.50.184, 85.255.122, 85.255.123, 85.255.124, 85.255.125, 85.255.126, 88.151.106.252, 81.169.235.6, 81.169.234.219, 69.166.67.221, 91.192.117.46, 72.232.65.178, 64.151.36.201, 86.57.128.201, 91.124.155.94

hey bro.. would you like a Fuck Spyware T shirt?

http://justak.com/fspyware

Haha nice!

Fuck Spyware.

Back to what the original post in this thread was about.
If you haven't installed this stuff, you should find a way to research it further.
This affects anyone that buys traffic via PPC engines, gets natural traffic from the SE's, or even has just a little bit of traffic.

Say for instance that a surfer with this malware searches for "thehun.net" into google. The first result is of course thehun.net, but clicking on it won't get you there.
After several clicks that surfer might actually get to TheHun, but clicks from there are just redirected as well. This scenario seems to ring true for most sites and all keywords. Users are redirected to either their(zlob) sponsor, or redirected through a PPC engine to another destination.

If you use any of the smaller ppc engines, search123, goclick, searchfeed etc., you might have noticed a huge drop in your campaign returns since this scumware(moviebox,zlob) came out, especially for more generic terms.

There is a lot more to it, if you have a spare computer, check it out. You might be surprised :(

Anyone else watch the videos or download this MOVIEBOX 'codec'?
http://img89.imageshack.us/img89/653...ivexvidbt6.jpg

May 4th. This is why sales are down to the point that they are the past 3-4 days

Sponsors need to open their eyes and look at the big picture. Look at your sales the past 3-4 days, compare your join page VS 1st bill page. You will see that your join page traffic has not changed, however your biller page traffic went to shit.

Bump for an interesting thread which is posing a real issue to this industry. This needs to be stopped, and learning about it's workings is the first step. :thumbsup

This thread would deserve a STICKY !

Simple.

GEOIP check the user's country on ALL of your sites. If the user/webmaster is from Russia... Send them to an auto-install badware page that monetizes off of their legacy of scamming and unscrupulous methods of doing business.