I Hope Kelkoo Gets A Clue

Again, referrer spamming has reached a new degree of stupidity. Someone (either from Kelkoo or in their payroll) is spamming my referrer listing with pseudo-brand names registered under the .co.uk domain (things like http://lexmarkprinterandscanner.co.uk, kodak-digital, etc.). These links, when clicked, map into product listings inside Kelkoo.

I am sure that this is, in some way, illegal. Call it misappropriation of brand names, theft of intellectual property, unsolicited linking, abuse of my server and bandwidth resources, whatever. As soon as I have amassed enough data, I intend to complain to their ISP and e-mail them. Plus, if I can spare the time, I'll write up a short memo describing how these people are abusing brand names on the UK DNS registrar and send it to the companies whose names are being used.

But I think the point will get across better if I toss this into my RSS stream and persuade people to trackback, link to and post this to del.icio.us.

Come on people, link to this! Help fight referrer Spam by exposing these lowlife marketeers.

URL Ricochet Time

Update: To their credit, Kelkoo took less than one hour to reply by e-mail to my complaint (which I filed via their contact form):

From: [email protected]
Subject: speak2us
Date: September 23, 2004 3:58:53 PM GMT+01:00
To: Rui Carmo

Dear Rui,

Many thanks for your enquiry.

Kelkoo is a shopping search engine, and as such should not have any interest
in requesting pages from your site and are sorry you feel we have done
something which maybe harmful to your business.

Kelkoo does have an affiliate scheme which allows third parties to direct
traffic to us and to be paid for this action.  Sadly, we cannot be held
accountable for their actions unless they are endorsed by Kelkoo, nor will
we take action unless they are breaking UK Law or our partnership rules.

If you have an issue with a particular domain or website (e.g.
www.lexmarkprinterandscanner.co.uk) - we suggest you look up the registering
authority and contact them directly.  In this case it appears to be a
company called "Computoz", registered via http://registrar.schlund.info

However, if you wish to send us more details regarding the fake HTTP
requests, we will gladly offer you any information we can if it may help.


(name withheld, since the person who contacted me has nothing to do with this)
Kelkoo Customer Services


I filed the complaint at 15:01 (right after returning from my lunch break - and yes, I finally had lunch this week). The last request from the spammer, at IP address, was at 15:47: - - [23/Sep/2004:16:47:00 +0100] "GET /space/MinhasBookmarks HTTP/1.0" 200 31549 "http://www.nec-mobilephones.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)"

(Yes, yes, I should be extra-neat and fix my logs to match my time zone - I'm used to reading it like this.)

Tracking Down The Spammer

As to that IP address, it is apparently part of Savvis' hosting network:

$ whois
SAVVIS Communications Corporation SAVVIS2 (NET-209-44-0-0-1)
RASER, Inc. SAVV-RASER5 (NET-209-44-12-0-1)

# ARIN WHOIS database, last updated 2004-09-22 19:10

Of course I looked up Raser, but it doesn't seem to have anything to do with Computoz, whose site ( is apparently hosted at Realpoptel. Maybe whois is stale. Nevertheless, there are a few interesting things to be learned from this:

Conclusions, Before We Get Sidetracked

  • Complaining about spam referrers works. People with a higher "conspiracy theory coefficient" are likely to construe that someone at Kelkoo picked up the phone and called someone at Computoz (if it was Computoz at all since they might just be handy scapegoats) and then asked someone else at customer service to reply to my little note (my sentiments, buddy, I know it mustn't have been easy).
  • Spam Referrers are generated by bogus clients with fake User-Agents in order to escape the usual anti-bot tricks. They also don't care about how much bandwidth they suck out of your site doing it, since they always got a full HTML page (but none of the associated images, CSS, etc.).
  • Kelkoo is happy to get third parties to drive traffic to their site, but did not bother to enforce an acceptable conduct policy on its partners (i.e., they'll reap the benefits, but don't care how they get the clicks). American lawyers would have a field day with this (one of my Portuguese lawyer friends half-jokingly told me that I was likely to get "legal aid" spam in the next couple of days from clueless US lawyers who don't realize my site is in Portugal). In my book, if they pay someone to get referrals, they're responsible for how they get them - just like "real" advertising, you're liable for the way it's done.
  • The UK DNS registrar has absolutely no clue as to what they should be doing, since apparently anyone can register domain names which contain trademarks:
$ grep access_log | cut -d\  -f 11 | uniq | \
sed -e 's-http://--g' | xargs -I {} nslookup {} 2>&1 | grep -A1 Name:
Name:   pennystocksmaster.com
Name:   www.insulation-directory.co.uk
Name:   www.jvcdvdplayers.co.uk
Name:   www.kodak-digitalcameras.co.uk
Name:   www.lexmarkprinterandscanner.co.uk
Name:   www.lgdvdplayers.co.uk
Name:   www.motorola-mobilephones.co.uk
Name:   www.mustekdvdplayers.co.uk
Name:   www.nikon-digitalcameras.co.uk
Name:   www.nec-mobilephones.co.uk

The Plot Thickens

Not happy with this, I decided to take a look at that repeated IP address. Obviously the spammer is advertising for more than one contract, but the one that interested me was, which happens to be kundenserver.de, hosted at schlund.net.

So I decided to see what was there, and issued a perfectly normal GET request (wget output truncated for clarity):

$ wget -sO - http://www.nec-mobilephones.co.uk
--21:53:07--  http://www.nec-mobilephones.co.uk/
Resolving www.nec-mobilephones.co.uk...
Connecting to www.nec-mobilephones.co.uk[]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 133 [text/html]
HTTP/1.1 200 OK
Content-Length: 133
Content-Type: text/html
Connection: Close

<META HTTP-EQUIV="refresh" content="0;URL=/acatalog/main.html">

Fine, so let's see that acatalog thing:

$ wget -sO - http://www.nec-mobilephones.co.uk/acatalog/main.html

Out spewed a mass of JavaScript and HTML that I won't transcribe here, plus a sequence of HTTP redirections that eventually lead your browser to Kelkoo.

Spam Bucket Brigade

Here are just the redirections (apologies to RSS readers, since my CSS chops off the URLs):

$ wget -s http://www.nec-mobilephones.co.uk/acatalog/main.html
--21:53:50--  http://www.nec-mobilephones.co.uk/acatalog/main.html
Resolving www.nec-mobilephones.co.uk...
Connecting to www.nec-mobilephones.co.uk[]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.gamedata.co.uk/counter.php?from=nec-mobilephones.co.uk&to=http%3A//tracker.tradedoubler.com/click%3Fp%3D3431%26a%3D1015211%26g%3D554939%26url%3Dhttp%3A//audiovisual.kelkoo.co.uk/ctl/do/search%3FsiteSearchQuery%3Dnec%26catId%3D125301 [following]
--21:53:50--  http://www.gamedata.co.uk/counter.php?from=nec-mobilephones.co.uk&to=http%3A//tracker.tradedoubler.com/click%3Fp%3D3431%26a%3D1015211%26g%3D554939%26url%3Dhttp%3A//audiovisual.kelkoo.co.uk/ctl/do/search%3FsiteSearchQuery%3Dnec%26catId%3D125301
           => `counter.php?from=nec-mobilephones.co.uk&to=http:%2F%2Ftracker.tradedoubler.com%2Fclick?p=3431&a=1015211&g=554939&url=http:%2F%2Faudiovisual.kelkoo.co.uk%2Fctl%2Fdo%2Fsearch?siteSearchQuery=nec&catId=125301'
Resolving www.gamedata.co.uk...
Connecting to www.gamedata.co.uk[]:80... connected.
HTTP request sent, awaiting response... 302
Location: http://tracker.tradedoubler.com/click?p=3431&a=1015211&g=554939&url=http://audiovisual.kelkoo.co.uk/ctl/do/search?siteSearchQuery=nec&catId=125301 [following]
--21:53:51--  http://tracker.tradedoubler.com/click?p=3431&a=1015211&g=554939&url=http://audiovisual.kelkoo.co.uk/ctl/do/search?siteSearchQuery=nec&catId=125301
           => `click?p=3431&a=1015211&g=554939&url=http:%2F%2Faudiovisual.kelkoo.co.uk%2Fctl%2Fdo%2Fsearch?siteSearchQuery=nec&catId=125301'
Resolving tracker.tradedoubler.com...
Connecting to tracker.tradedoubler.com[]:80... connected.
HTTP request sent, awaiting response... 302 FoundSyntax error in Set-Cookie: TradeDoubler GUID=ce31b901f13b58150a9b28adb4c25fa4;expires=Wed, 18-Sep-2024 20:53:09 GMT;path=/;domain=.tradedoubler.com at position 13.

Location: http://audiovisual.kelkoo.co.uk/ctl/do/search?siteSearchQuery=nec&catId=125301 [following]
--21:53:51--  http://audiovisual.kelkoo.co.uk/ctl/do/search?siteSearchQuery=nec&catId=125301
           => `search?siteSearchQuery=nec&catId=125301.1'
Resolving audiovisual.kelkoo.co.uk...,,, ...
Connecting to audiovisual.kelkoo.co.uk[]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

Note how each consecutive jump goes through other domains (and machines), ricocheting across the net in a complex operation that passes enough information in the URLs to let referring sites keep track of both endpoints and figure out who ows referrals to whom. And I don't think this was built by someone who operates a tiny game shop.

At this point, I gave up. I have better things to do with my time, and this isn't it. But i'm positive this information will be useful to some one, if only to show how shady the HTTP referrals business is these days.

You Can Help Track Them Down Too

And don't think this is difficult to do. It's time-consuming, sure, but requires no superpowers, no special diet, and nothing more than a few basic UNIX commands (of which there are ample Windows and Mac OS X ports).

So if you're hit by something like this, remember - all you need are the server logs and some time and patience - it took me around half an hour before lunch to figure out what was happening and write the initial post, 15 minutes when I came back to find Kelkoo's contact form and type up a complaint, and less than one hour after dinner to research and write this addendum.

It's not the best use of my time, but it's definetly satisfying.