Friday, October 26, 2007

TinkerToys #3

I've been surfing through the TinkerToys splog farm for over a week now, using prjSiteOnline, and vURL. And the size of this thing I have yet to estimate. A friend at church, who teaches mathematics, thinks that maybe we can look at the mathematical structure of the thing, and develop a formula to estimate the size.

So I'm surfing downward, through the tree.

Let's look at some of the branches. I'm going to start with http://dhgisnavk.blogspot.com.

Dhgi contains links to the following 4 branch blogs.
http://acoipaova.blogspot.com
http://bgsxtrpfkn.blogspot.com
http://flliwlyghiur.blogspot.com
http://hbovryhpsin.blogspot.com


Dhgi contains links to the following 10 leaf blogs.


And Dhgi contains links to 486 other branch and leaf blogs, some active, others not.

Let's next look at http://bgsxtrpfkn.blogspot.com.

Bgsx contains links to the following 4 branch blogs.
http://cokeitkiht.blogspot.com
http://cuzuqvnlxbkt.blogspot.com
http://ouqawohck.blogspot.com
http://pjgjwghhtc.blogspot.com


Bgsx contains links to the following 10 leaf blogs.


And Bgsx contains links to 486 other branch and leaf blogs, some active, others not.

Let's next look at http://cokeitkiht.blogspot.com.

Coke contains links to the following 4 branch blogs.
http://gcilbqgta.blogspot.com
http://hkbhuzqabmkn.blogspot.com
http://khkdjivbbln.blogspot.com
http://mwxrqfijjb.blogspot.com


Coke contains links to the following 10 leaf blogs.


And Coke contains links to 486 other branch and leaf blogs, some active, others not.


Sunday, October 21, 2007

TinkerToys #2

Interesting news this evening. The following TinkerToys splogs, discussed earlier, are now offline.

http://krdrffpgv.blogspot.com/
http://ieqjiravs.blogspot.com/
http://iiebbmogoii.blogspot.com/

You have to look at vURL logs, if you've already cached any one of them on your computer.

*****************************************************************

vURL Desktop Edition v0.1.7 Results

Source code for: http://krdrffpgv.blogspot.com/

Server IP: 72.14.207.191

Date: Sunday, October 21, 2007

Time: 23:07:38:07

*****************************************************************

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html dir="ltr"><head><meta http-equiv="Content-type" content="text/html; charset=utf-8">
<title>Blogger: Login to read</title>
<link href="/v-css/3241057453-blogger_lowend.css" rel="stylesheet" type="text/css">
<style type="text/css">
@import url("/v-css/417867530-blogger_main.css");
@import url("/v-css/1877526874-flexible_buttons.css");
@import url("/v-css/3884842752-buttons.css");



@media tty {
i{content:"\";/*" "*/}} @import url("/v-css/1784484781-blogger_ie5win.css"); /*";}
}/* */

</style>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript">
</script> <script type="text/javascript">
_uacct="UA-18003-7";
_uanchor=1;
urchinTracker();
</script> </head>
<body><div id="header"><div id="h2"><div id="h3"><a href="/" id="logo" title="Blogger home"><img src="/img/logo40.gif" width="150" height="40" alt="Blogger"></a>
<p id="tag"><em>Push-Button Publishing</em></p>
<span class="r"></span></div></div></div>
<div id="body"><div id="main"><div id="m3"><h2>This blog is in violation of Blogger's Terms of Service and is open to authors only</h2>
car rental buffalo ny
<br>
<a href="http://krdrffpgv.blogspot.com/">http://krdrffpgv.blogspot.com/</a>
<p style="margin-top:2em; line-height:1em;">If you are an author of this blog, tell us who you are! Sign in using your
<img src="/img/google_transparent_accounts.gif" style="vertical-align:middle;" alt="Google"> Account.</p></div>
<iframe id="login-iframe" name="login-iframe" src="https://www.google.com/accounts/ServiceLoginBox?service=blogger&continue=https%3A%2F%2Fwww.blogger.com%2Floginz%3Fd%3Dhttps%253A%252F%252Fwww.blogger.com%252Fblogin.g%253FblogspotURL%253Dhttp%25253A%25252F%25252Fkrdrffpgv.blogspot.com%25252F%2526zx%253Dj8zbj94xuedm&alwf=true&uilel=3&skipvpage=true&rm=false&naui=8&showra=1&fpui=2&hl=en&nui=6&alinsu=1&skipll=true" marginwidth="0" marginheight="0" scrolling="no" frameborder="0" height="450" width="100%"><a href="https://www.google.com/accounts/ServiceLogin?service=blogger&continue=https%3A%2F%2Fwww.blogger.com%2Floginz%3Fd%3Dhttps%253A%252F%252Fwww.blogger.com%252Fblogin.g%253FblogspotURL%253Dhttp%25253A%25252F%25252Fkrdrffpgv.blogspot.com%25252F%2526zx%253Dj8zbj94xuedm&alwf=true&uilel=3&skipvpage=true&rm=false&naui=8&showra=1&fpui=2&hl=en&alinsu=1&skipll=true">Click here to sign in.</a></iframe></div></div></body></html>


But let us not become complacent. This is but 3 splogs, in one huge farm. Next we look at the peers to krdr, ieqj, and iieb, which are still in business.


Tuesday, October 16, 2007

Tools

None of the probing of the TinkerToys, or even the AFF, splog farms, could be done by hand. Clicking on each link in the browser, and waiting while another page loaded, would take forever.

All of this was done thanks to Steven of IT-Mate, who provided a pair of essential utilities.

To find the links in splogs like http://orowmsagn.blogspot.com/, I use vURL. I provide the URL of any web site to vURL, and it walks through the web site, and strips out all links. I save the result of a vURL probe to a text file, clean up the file, and in 10 minutes can have a clean list of all links, from any one splog, to the other splogs in the farm.

Taking any list from vURL, I run a second utility, prjSiteOnline. prjSiteOnline checks each URL in the list for existence, and returns a response byte count. When you run SO, you'll see about 10% are non-existent blogs. Of the remaining 90%, anywhere from half to 3/4 will show a byte count of under 50 bytes. This corresponds to leaf blogs. The remainder will show over 300 bytes, which corresponds to branch blogs.

Observing any one of the entries in SO to show 300+ bytes, I take that URL and run it through vURL. This gives another control file for SO, and so on.
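The probe-and-expand loop described above, as an added Python example (not part of vURL or prjSiteOnline, and not the author's code). The `probe` and `extract_links` callables stand in for the two utilities, the 50-byte and 300-byte thresholds are the ones quoted in the post, and the hosts and sizes are constructed sample data.

```python
from collections import deque

LEAF_MAX = 50      # post: leaf blogs show under 50 bytes
BRANCH_MIN = 300   # post: branch blogs show over 300 bytes

def classify(byte_count):
    """Map a response byte count (None = blog does not exist) to a node type."""
    if byte_count is None:
        return "missing"
    if byte_count < LEAF_MAX:
        return "leaf"
    if byte_count > BRANCH_MIN:
        return "branch"
    return "unknown"   # 50-300 bytes: the post gives no rule, so flag for review

def walk_farm(start, probe, extract_links, max_branches=1000):
    """Breadth-first walk: probe every link, expand only the branches."""
    seen = {start: classify(probe(start))}
    queue = deque([start] if seen[start] == "branch" else [])
    expanded = 0
    while queue and expanded < max_branches:   # cap the work on a huge farm
        branch = queue.popleft()
        expanded += 1
        for url in extract_links(branch):
            if url in seen:        # farms cross-link heavily; count each blog once
                continue
            seen[url] = classify(probe(url))
            if seen[url] == "branch":
                queue.append(url)
    totals = {}
    for kind in seen.values():
        totals[kind] = totals.get(kind, 0) + 1
    return seen, totals

# Constructed sample data (hypothetical hosts, not members of any farm).
SIZES = {"root.example": 4200, "b1.example": 3900, "b2.example": 350,
         "l1.example": 31, "l2.example": 44, "l3.example": 12,
         "odd.example": 120, "gone.example": None}
LINKS = {"root.example": ["b1.example", "l1.example", "gone.example", "odd.example"],
         "b1.example": ["b2.example", "l2.example", "root.example", "l1.example"],
         "b2.example": ["l3.example", "b1.example"]}

def sample_walk():
    return walk_farm("root.example", SIZES.get, lambda u: LINKS.get(u, []))

if __name__ == "__main__":
    nodes, totals = sample_walk()
    print(totals)
```

The `seen` set is what keeps the count honest: because branch blogs link back to each other, summing 500 links per branch without de-duplication would overstate the size of the farm.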

vURL is useful in another way - parsing the Recently Updated Blogs list. You feed it the RUB URL, and it presents you with a neatly alphabetised and unduplicated list - of URLs, not titles - making it possible to look for naming patterns. You do have to have patience - 1 to 2 hours for a 10 minute RUB List. So if we're ever going to have a constant monitoring of the list, we'll need a couple dozen computers, running in parallel. If anybody has access to a small botnet, this wouldn't be a bad thing to do with one.

Both prjSiteOnline and vURL are free, and you are welcome to install and run either one, and verify what I am telling you. vURL requires that you close all applications, and prjSiteOnline runs immediately from any folder where it's downloaded. As noted above, loading any of the splogs in your browser may not be a good idea, but you can run any web site of interest through prjSiteOnline and / or vURL, in perfect safety.


TinkerToys

Ever play with TinkerToys when you were young? That was a favourite toy of mine - and I never got any larger set than maybe 1/2 what's in the picture in the linked Wikipedia article. Whenever I built something, I always ran out of parts before I was done. That's a problem with physical things - you always run out before you are done.

How about with blogs?

Let's start by looking at http://orowmsagn.blogspot.com.

Note the blog name, in the URL.
orowmsagn
orowmsagn <== 6 to 12 random alphabetic characters.



Go Next Blogging, and you'll see a lot of blogs like this one.



Orowmsagn, or "orow" as I will abbreviate, contains links to 500 other splogs in the TinkerToys splog farm. We will look at 2 of those links.

Look first at http://acmmfmrcw.blogspot.com.

Acmm contains a very little bit of text (look at it), and no links. It's close to being a stub blog. In data structure terms, we call acmm a "leaf" splog. It's the edge of the tree structure. When acmm gets actual content, it will be termed a "money" splog.



Next look at http://krdrffpgv.blogspot.com. Krdrffpgv, or "krdr" as I will abbreviate, contains links to 500 other splogs in the farm. We will look at 2 of those links.

Krdr contains lots of text, and lots of links (500 links to be exact). We call krdr a "branch" or "trunk" splog.

As additional splogs are added to the farm, they are added as leaves, and linked through an existing leaf splog. The latter leaf splog, now linking to other leaf splogs, has turned into a branch splog. This is how the splog farm grows.



One of the links in krdr is to http://ieqjiravs.blogspot.com, and a second to http://iiebbmogoii.blogspot.com. Each of those splogs contains 500 links, to other splogs.

Ieqj contains a link to http://bzuucozih.blogspot.com (and 499 more).

There are other peers to Acmm, Bzuu, Ieqj, Iieb, Krdr, and Orow, 499 each to be specific. Many such peers, in turn, contain 500 more links. Very few branch nodes probed, to date, contain only links to leaf nodes; most contain 2 - 4 (minimum) links to additional branch nodes. Last week, the numbers were higher.

Are you getting a picture of the numbers, in your mind? I hope so. I, personally, am getting a headache.

Last week, TinkerToys leaf splogs contained a redirect to a search for "free sex" online, which appears to be dead now. Sometime on Saturday, October 13, all splogs were reformatted, and are now as you see above.

Current speculation is that the owner is seeking a new content provider (more money content). When he gets it, you'll soon see lots of interesting splogs in BlogSpot, and lots more complaints, in Google Blogger Help, about porn and spam blogs.

Do you remember "Oedemera.Com" being discussed in Google Blogger Help, just last week? There are links to that, in the TinkerToys splogs.

Does the splog farm name "TinkerToys" make sense now?


Monday, October 15, 2007

Adult Friend Finder Ads

This is a newly discovered splog farm, found from perusing the Recently Updated Blogs list. It appears to be rather small. Its connection with the well known Adult Friend Finder splog farm is unknown.

Here's a recently observed member of the farm.

http://annacascada-blog.blogspot.com/

Note the blog name, in the URL.
annacascada-blog
anna <== Prefix - appears to be constant.
cascada <== Blog Name / Title.
-blog <== Suffix - again, appears to be constant.



It comes with the well known bogus list of willing locally available females, the exact same list that's observed in every location worldwide. Obvious fraud there. And look at the links in the ad - not to "Adult Friend Finder" - now we have "Date Fun Club".






Adult Friend Finder

This is one of the best known and describable splog farms. If your computer is well protected, all that you see is a pretty bland front page, with a single link to "Friendfinder" in a linklist in the sidebar.

The text in the splogs appears to be scraped from blogs all over the Blogosphere. The template is generally Minima or Rounders, little to no customisation.

Here's an entry taken from the Recently Updated Blogs list, during the morning of 10/15/2007.

http://049768cqslkhc.blogspot.com/

Note the blog name, in the URL.
049768cqslkhc
049768 <== Splog Number: Always 6 digits (right now).
cqslkhc <== Suffix: 6 - 12 alphabetic characters, possibly dictionary filtered.
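The three naming patterns noted in the posts on this page (TinkerToys, the Adult Friend Finder Ads farm, and Adult Friend Finder), applied to a de-duplicated URL list such as the one vURL produces from the Recently Updated Blogs list. This is an added Python example, not the author's tooling; the regular expressions are one reading of the descriptions above, and the sample list mixes the three names quoted in the posts with constructed ones.

```python
import re

# Naming patterns as described on this page, most specific first.
PATTERNS = [
    ("AFF", re.compile(r"\d{6}[a-z]{6,12}")),        # 6 digits + 6-12 letters
    ("AFF Ads", re.compile(r"anna[a-z]+-blog")),     # constant prefix and suffix
    # Very broad: also matches ordinary one-word blog names, so a hit only
    # means "worth probing", never "confirmed splog".
    ("TinkerToys", re.compile(r"[a-z]{6,12}")),
]
HOST = re.compile(r"(?:https?://)?([a-z0-9-]+)\.blogspot\.com(?:[/:?#]|$)", re.I)

def blog_name(url):
    """Return the blogspot subdomain of a URL in lower case, or None."""
    m = HOST.match(url.strip())
    return m.group(1).lower() if m else None

def match_farm(name):
    """Return the first farm whose pattern matches the whole name, else None."""
    for farm, pattern in PATTERNS:
        if pattern.fullmatch(name):
            return farm
    return None

def triage(urls):
    """De-duplicate, sort, and group blog names by candidate farm."""
    names = sorted({n for n in map(blog_name, urls) if n})
    groups = {}
    for name in names:
        groups.setdefault(match_farm(name) or "unmatched", []).append(name)
    return groups

# First three names are the examples quoted in the posts; the rest are constructed.
SAMPLE = [
    "http://orowmsagn.blogspot.com",
    "http://annacascada-blog.blogspot.com/",
    "http://049768cqslkhc.blogspot.com/",
    "http://049768CQSLKHC.blogspot.com/",        # duplicate, different case
    "http://examplename.blogspot.com/",          # ordinary name, still 6-12 letters
    "http://my-example-notes.blogspot.com/2007/10/post.html",
    "http://blogspot.com.example.net/",          # not a blogspot host
]

if __name__ == "__main__":
    for farm, names in triage(SAMPLE).items():
        print(farm, names)
```

The constructed name `examplename` lands in the TinkerToys group, which shows why a match on that pattern should only feed the byte-count probe and not be treated as a verdict.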



This is what you'll see, if your computer is properly protected, with a layered security strategy.

Note the name of the blog ("049768" here), from the URL, is displayed as the title.




This is approximately what you'd see, if your computer isn't fully protected. If you didn't use Microsoft Paint, there would even be pictures in place of the white space.

I don't see this crap on my primary computer, because I use a Hosts file based site blocker. So simple - and requires very little effort to install.



And thanks to Firefox, and its pop up blocking, I don't see this either.



All of the ads in the latter two pictures change constantly. What you see there is purely a vague approximation, provided to give you a hint of what the splog master is doing. Sometimes, what he's doing may make your computer the newest member of the botnet being offered, if you're not protected.

The above article, originally published in Real Blogger Status: The AFF Splog Farm #3, appeared mid morning 10/15, and contained the above pictures (some slightly more munged). When this post was made, maybe 2 hours later, the text content of the splog had changed. This illustrates the volatility of content of this splog farm, and shows why any RUB list will typically contain dozens of links to splogs in this farm.

Welcome to Blog*Spot Hacking, Porn, And Spam. Here we're going to try and catalogue the splog farms that have infested the Blogosphere.

In order to defeat the enemy, you must first know who the enemy is.

And please, if your computer isn't robustly protected, don't go clicking on the links! Last week, the AFF splog farm was delivering some nasty hacking content, in its money splogs. Any of these splog farms are apparently subject to change, at will, by their owners.