New Spam Frontier: Referer Logs

geoffsmith writes "Wired News is reporting that spammers are using referer logs as a cheap new way to spam small sites. Anyone running a website has probably already seen this phenomenon; I'm thinking of writing a script to remove these entries from my access_log by looking for hits that don't grab my images. (sorry lynx users!)"

They will never stop.

[SexyKellyOsbourne (606860)]

The entire internet will eventually go down in a deluge of spam unless it is made illegal and the laws are enforced!

Re:They will never stop.

[kryonD (163018)]

True, but at the same time wrong. Has anybody else noticed that the internet is currently the most active battlefield in hostory?

Lowlife (but capitolist god bless 'em) pigs generate spam to sell their penis enlargement scam and mail clients develop ways to filter and block email. Distraction.

Distributed Denial of Service attacks attempt to shake the very foundations of the NET through bandwidth flooding and sysadmins implement redundancy and load balancing. Jamming - Frequency Hopping.

Remote exploits and virus appear everyday and patches are generated quickly for the more quality OS's and virus updates are required daily for Micro$oft OS's. Infiltration.

Governing bodies exist that the people disagree with such as the RIAA and MPAA. Demonstrations are held in both violent(DDoS) and non-violent(civil disobedience of P2P) manners. Revolution.

Needless to say, civilization has managed to survive for thousands of years despite man's desire to control everything including his fellow men. I think the internet will find a way.

Re:They will never stop.

[IIRCAFAIKIANAL (572786)]

Please do not equate civil disobedience and P2P. Civil disobedience is essentially something you do in the open with the intention of getting caught and possibly prosecuted.

If you want to learn about what civil disobedience really is, check this [eserver.org] or this [actupny.org] out.

If you think that the Internet is the most active battlefield today, you need to visit [un.org] a [disastercenter.com] few [yahoo.com] places [yahoo.com].

Re:They will never stop.

[IIRCAFAIKIANAL (572786)]

Perhaps linking to or publishing the code to DeCSS would have been a better example.

Yes, it would have :)

You have no concept of either A)what a battlefield is, or B)what's REALLY going on in the world.

I agree that the Internet can be and is a battlefield. So can Wall Street or the TSE. Or major media sources. Or the telephone. I don't agree that it is the most active - perhaps from a first world perspective, but I try and think a little more globally than that.

Just a note: We have more attacks per day on one of our public .mil servers than we have had real contingency issues(to include disasters and humanitarian aid) in the whole theater all year.

And how many people died due to those attacks on the public .mil servers? (Yes, I am sure they are important for various reasons, but if I was *attacking* the USA, I would be hacking hospital databases - there is a scary potential for warfare there).

Has anybody else noticed that the internet is currently

the most active battlefield in hostory?

Hacking a .mil server certainly qualifies as warfare but you basically said that the internet is a more active battlefield than, say, WW2. I disagree. [hitler.org]

(And anyone considering invoking Godwin's law... piss off :)

I concede that the Internet certainly *is* a battlefield. However, considering that conflict on the Internet barely affects most of the people of the world, I wouldn't rate it so high.

The spammer speaks...

[reaper20 (23396)]

"I'll adapt or I'll discontinue. I'm not planning on becoming the major annoyance of the blogging world.... I'm not too worried my reputation. Marketing is all about being innovative, different, adaptive, taking risks and knowing how to use the technology. I'm trying to be all that."

Heh, it's funny that this guy can make this statement and expect to be taken seriously. It's even more pathetic that he actually thinks he's "innnovative".

Re:The spammer speaks...

[Ponty (15710)]

It is innovative. I was surprised and amused. It's awful, though. There's no rule that innovative things have to be positive.

Anyhow, unless the traffic is completely disabling, I don't see this as more than an annoyance that technology will filter out when it becomes sufficiently obnoxious.

You can do better than that

[Subcarrier (262294)]

Actually it would be quite nice to see some of these "marketing gurus" put a little more thought into their spam. Today, some of the most carefully crafted content on TV is commercials (lamentably, also some of the worst). Watch and learn. I wouldn't mind receiving a spam that is fresh, funny, engaging, and didn't involve a virgin, my cock, a septic tank, or a gentleman from Nigeria. I wouldn't mind a funny beer commercial, for instance.

Spam Lite

[Cyno01 (573917)]

I don't know if i'm the only one, but has anyone else who doesn't filter their e-mail noticed a drop off in the amount of spam they recieve? For about the past 2 weeks, the amount of spam in my hotmail inbox has dropped from about 40 to around 15 a day. Anyone else had something similar to this happen?

Re:Spam Lite

[Em Emalb (452530)]

Actually, yeah I have. I normally get 20-30 a day on my throw-away hotmail account, I just checked it for the first time in a week and had a total of 4 messages in my inbox--all spam of course, but there were NONE in the junk mail folder. Hopefully they put some sort of spam stopper in place? We can only dream.

Re:Spam Lite

[BurritoWarrior (90481)]

I read somewhere (sorry, can't remember where ) that Microsoft updated their anti-spam service to coincide with the rollout of MSN 8. I believe it was Brightmail that they are using now.

Wish I could remember where I read it, I would give you a link. Best I can find right now is:

http://join.msn.com/?page=features/junkmail&pgma rk et=en-us&RU=http%3a%2f%2fjoin.msn.com%2f%3fpage%3d misc%2fspecialoffers%26pgmarket%3den-us

Re:Spam Lite

[NeMon'ess (160583)]

One day soon I'm going to tell everyone using my hotmail account to use a yahoo account I've set up. I tolerated the increasing spam by using the custom filters. This worked until I hit the limit of 36. Then I had to get creative to work within that boundry. This was okay until last week when the my custom filters page now tells me I am over my limit of 10 filters and must delete 26 of them or pay for Hotmail Extra Extortion Services. Fuck them. I had the account before MS bought Hotmail and I tolerated all the crap until now. Yahoo's junk mail filters actually work so that's where I'll be.

Lynx users?

[by Anonymous Coward]

(sorry lynx users)

Don't worry. It's highly unlikely that any of the 4 current users will visit your website anyway.

Well..

[joyoflinux (522023)]

He just got a link posted on /. and Wired--I wonder how many spammers are going to target him now...This seems a little aganist logic

In other news...

[CySurflex (564206)]

Windows users are complaining that Microsoft is filling up their computer's System Event Log with spam about illegal exceptions and page faults.

referer information should be disabled by default

[jukal (523582)]

I don't know who started it - but I find it very odd that browsers send referer info by default. Why? It does not provide anything extra for the user but problems. It is not once or twice that you find URLs to "confidential" pages if you browse through your webserver logs. And... I bet 95% of web surfers do not even know that they are sending this information all the time. Is there really any reason why the default is to send the referer info? I have seen people riot on much less important privacy issues. Why not about this? The referer plague exists in almost all browsers - and only in few browsers you actually can easily turn it off. What's going on?

Re:referer information should be disabled by defau

[Openadvocate (573093)]

There are many reasons, mostly for those who program websites. Sometimes you don't want people to see a page before another. this could also be solved with cookies, but some blocks those too.
Then there is the statistics, learn how people navigate around your site. referer can help you see a pattern and improve your layout.
Also it can prevent bandwidth hogs, mostly a issue with ad. graphics and pron sites where people use graphics from others servers on html pages on their own sites but also on free servers where people place graphics and files and link to those directly without using any html and then not showing any of the free servers ad's which provides them with money to run the sites in the first place.

Re:referer information should be disabled by defau

[stienman (51024)]

It's nice, as a site operator, to know where your guests are coming from. A good portion of my visitors come from Google and other search engines. The referrer log lets me know what they were searching for, and in nearly 95% of the cases they were looking for a specific topic on my site. I can send them directly there, give them a specific welcome message if they haven't been to my site before, etc.

Furthermore I can restrict traffic for some areas of my site (like some sites that block links from slashdot) for particular reasons or uses. "You just came from the page of an associate and are able to receive a discount." "This page is restricted to users of xyz.com. Please go there first."

Lastly, it protects my image content. My images are not stellar, and yet other sites continue to use them on their pages. I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

Referrer information may be annoying to you, but it's an extrememly useful tool. If taken away one restricts opportunities for the site operator to personalize and protect content on their site. Not a huge loss, but it isn't really as great a privacy issue as you seem to believe.

-Adam

Re:referer information should be disabled by defau

[Permission Denied (551645)]

I can send them directly there, give them a specific welcome message if they haven't been to my site before, etc.

This is so damned annoying. If I'm searching for some specific information, I don't give a damn about your idiotic welcome page. I don't care what your website is about or what you have to say on your other pages - all I care about is the specific technical information that google told me you have.

More and more, I'm finding myself using googles cache instead of clicking on the actual links. I know you couldn't care less about my insignificant browsing habits, but the more people start doing annoying crap like this, the more people start using google instead of the web.

"This page is restricted to users of xyz.com. Please go there first."

Do you realize how stupid this is? You're trying to control how I use my browser. Of course I'm not going to go to xyz.com and try to use their idiotic navigation looking for a link to you. You're simply advocating another form of advertisement and I'm not interested. I care about the data you're providing, not how you're getting funded.

I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

And this is, of course, broken behaviour. Did you know that when you open a new link in Netscape/Mozilla that the browser does not send any referer at all? This means that I can't open your images in new windows and I'm constrained to view your images one at a time. Also, the some browsers change the referer for images when you "save" images (eg, right-click and choose "Save as..." may not send the referer you're expecting).

If taken away one restricts opportunities for the site operator to personalize and protect content on their site.

If you're using this to restrict content to your site ... well, forget it. If you have something I really want, I'll open up a terminal and telnet to port 80. Yes, this is indeed effective restriction. (Quiz to see if you really know what you're doing: how would you set it up so that you know that a user has previously visited another site, with cryptographic confidence?)

As for "personalizing" content, please stop. The only times I've seen that word being used in a web context is to personalize advertising (and also restricting content because I'm not using IE, but don't get me started on that). I've never seen anyone "personalize" a site in a useful way, eg, "You're a C programmer who writes Solaris kernel modules, so you're probably not going to spring for my Herbal viagra scheme and I'm going to cut the marketing BS and give you only useful information."

Why do these "blogs" even keep logs of referer links? This is pure narcisism (and more importantly, a waste of disk space - even though disk is cheap, it's still worth more than someone else's paltry feeling of acceptance). If you're going to say something, just say it. Don't base your life around how many people like what you say. "Ohh, somebody linked to my journal, that means I'm special and I can now feel good about myself." Ahh - get a life.

I swear, "webmasters" piss me off.

Referer checking for images

[achurch (201270)]

I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

And this is, of course, broken behaviour.

So do you have an alternative proposal to prevent resource (i.e. bandwidth) theft? That is a very real problem, and no amount of arguing that the current solution is "broken" will get people to change unless you provide them an alternative.

Re:Referer checking for images

[Permission Denied (551645)]

So do you have an alternative proposal to prevent resource (i.e. bandwidth) theft?

Session cookies based a cryptographic hash of browser-identifiable information. Just hashing the IP and some secret string will prevent the bandwidth-stealing problem (not ideal since it breaks with NAT, but that's irrelevant if you're only trying to solve the deep-linking problem).

In php, setcookie('hash', md5($ENV[REMOTE_ADDR] . "TOPSECRET)) on page load, link to a file "image.php" instead of the .jpg and "image.php" does something like this: if (getcookie('hash') != md5($ENV[REMOTE_ADDR] . "TOPSECRET")) { header("Location: /error-documents/403.html"); exit(); }. This isn't complete (probably not even syntactically correct and be careful with what image.php allows one to download), but you get the idea. The actual image files can't be downloaded by apache, but can only be opened and sent to the browser through "image.php". For extra fun, re-generate the secret string from /dev/random every ten minutes (and keep around the last version of the key to avoid breaking on-going sessions).

This stops everyone from stealing bandwidth (including telnet-wielding network programmers like me) and it annoys no one.

Re:referer information should be disabled by defau

[phliar (87116)]

Do what I do: use Privoxy [privoxy.org]. Not only can you use it right now with whatever your favourite browser is, it's free. Not only does it block ads, it allows you to set Referer: on all outgoing requests to whatever you want. (I set it so Referer: is always the base URL of the page being viewed.)

Incidentally, I don't know why anyone bothers with logging referrer information. The only use sounds like what the bloggers do. If you're not a blogger, why do you even care who the referrer is? Half the time it's bogus or one of your own pages.

Re:referer information should be disabled by defau

[FTL (112112)]

>I don't know who started it - but I find it very odd that browsers send referer info by default. Why? It does not provide anything extra for the user but problems.

It is extremely useful for security purposes.

No, not the security most people are thinking of. Checking to see if the user came from FeedBack.html before executing FormMail.pl is no security, since spammers can forge any referer they want.

I'm talking about security which stops a human user who is logged in to a particular website from being tricked into performing actions they didn't authorise. For instance: I log into my server's adminsitrative area. Then, in another window, I browse someone's blog. And I click on their "search" button. As it turns out, this search button is a trap, which sends me to my own admin area with a command to delete someone's account. I'm logged in, I have a valid network address, I'm active, there's no problem. Except that fortunately my browser sends "Referer: www.blog.org" instead of "Referer: www.admin.com".

That's why referer info is useful: to prevent a user from being hijacked.

Re:referer information should be disabled by defau

[jukal (523582)]

I have come across a few sites that use the refer info to let you access files and images, so other sites can't just link directly to the file.

Yes, referrer information makes an excellent authentication scheme for highly confidential system dealing with transfer of mission critical information. ... Just also check for a magic string in the user agent and voila! trusted computing reinvented. To make it unhackable - just add a few more levels of obfuscation. ;))) The sad part of this, is that I have actually seen authentication schemes like this. Don't know whether I should cry or laugh :)

Re:referer information should be disabled by defau

[Dr. Awktagon (233360)]

Just also check for a magic string in the user agent and voila! trusted computing reinvented. To make it unhackable - just add a few more levels of obfuscation. ;))) The sad part of this, is that I have actually seen authentication schemes like this. Don't know whether I should cry or laugh :)

probably cry... what you described could easily be enforced with the DMCA.

If you use wget, watch out when using "--referer" and "--user-agent".... you just might be breaking TEH LAW!!!

Sorry 'bout what?

[PissingInTheWind (573929)]

...(sorry lynx users!)

Sorry about what? Why should they care wether you keep them in your log or not?

Boost search engine ranking?

[j7953 (457666)]

From the wired article:

... even though they ruefully admit that the log spamming may falsely boost their ranking on some search engines.

Umm, huh? I don't think the spammers actually link to the sites, they probably just send HTTP requests with faked referrer headers that contain the URLs of the spammer's web site. That won't boost your search engine rankings.

Score another for Opera!

[RevRagnarok (583910)]

In the regular prefs and the "quick prefs" (F12 under Windows version) Opera [opera.com] lets you turn off referrer logging. The only time I need to turn it on is certain sites, like my credit union, which is no big deal...

what is this?

[Dr. Awktagon (233360)]

I'm not sure I understand. Does this mean the spammers put links on their own porn (or whatever) sites, and casual surfers will click into the blog from the porn site, thus making the porn site show up in the logs as the referer? That's how the referer is supposed to work, right?

Or are they just bots that hit random web sites and send fake referers along?

Either way, I have absolutely no clue why this would be abusive or even annoying? Can someone explain? Do people sit around checking their referers all day long?? (Then again, I don't understand why anyone would run a blog, so maybe I'm just out of touch).

I clean out all my outgoing referers (thanks squid), so maybe I subconciously assume everybody else does too. Never thought of the referers as anything but a silly waste of bandwidth, since they can be forged so easily.

It's ironic...

[puppetman (131489)]

One of the quotes from the story was,

"... they are hitting my site so hard. One day there were more than a thousand hits from one single porn site," complained Åsk Wäppling, known to bloggers as "Dabitch."

Ok - this guy's name is Dabitch in an obvious reference to the whole pimp-bitch-rape-mysogynist thing that seems to be all over the Internet (and that I can't stand), and he's complaining that a porn site is effectively doing a denial-of-service. I think it's just desserts.

Re:It's ironic...

[pjrc (134994)]

and he's complaining that a porn site is effectively doing a denial-of-service.

By making over 1000 "hits" in a day, which isn't even one per minute. Sounds like "Dabitch" needs to consider hosting that blog at an ISP instead of over a 28kbps modem.

referer not trusted information

[fermion (181285)]

It seems that this only affects sites that automatically publish referrer logs. Now, since the referrer is generated by an unknown foreign machine, and therefore is not to be trusted, automatically publishing this information to the world does not seem too smart in the first place. At most, this 'spam' will only stop the act of automatically publishing referrer logs. At least I would expect a method for a certain link to be automatically marked as a spam site as soon as one blogger hits it. Of course, the question will then be how to decide if a site is a spam site.

Here's some scripts ...

[andrewm (9862)]

I use the noimg.pl for showing stats on sites not pulling images. Viruses and spambots are obvious.

Also, showpath.pl and spampath.pl are handy to see where the vister went, and check for obvious robot behaviour:

http://www.turnstep.com/Spambot/Programs/

What do small website admins do with apache logs?

[trentfoley (226635)]

I, for one, look at the referrer for two things:

1. To see how search engine users have found my pages. I think it is amazing that I will get hits from people looking at the 100th page generated by google. I mean, c'mon on, 100 clicks on "next" before you think the I have the info you are looking for?! All I have is crap.

2. To see if slashdotters actually click on my postings' links.

Come to think of it, the only other thing I even look at the logs for are to see what search engines are indexing me (and are they obeying robots.txt) and to harrass people with infected iis machines.

You mean code red is spam?

[KPU (118762)]

All this time I thought "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" was code red. Now I know it's spam :-).

Obligatory Simpsons Reference

[Guppy06 (410832)]

"die-spammers-die"

"No! That's German for 'the spammers, the.'"

"No one who speaks German could be an evil man."

ewww!

[digitalsushi (137809)]

I didnt even notice they were in there til you made me look! EWwwwwwwwwwwwwwwww! That is just fantastic. I host a site for a rather religious young girl's artwork- imagine my shock at nakednewbies.com linking to her! Glad I read this story first!

Old trick

[dmiller (581)]

I remember seeing weird stuff in logs as far back as 1994. Back when Netscape Commerce server had a large percent of the webserver market, there was an "exploit" which allowed the placement of HTML code from untrusted sources directly into the log reports (basically, it didn't check whether referrers, source domain names, etc did not contain metacharacters). I remember seeing lots of adverts which used this technique to sell stuff, mainly web-log analysis software.

I asked the owner....

[mkelley (411060)]

I sent an email to the owner of Mastodon and here is what he wrote:

From: "[ f ]"
Date: Thu, October 24, 2002 12:19 pm
Subject: Re: logs
Hi!

You can send us your URL and we'll permenantely remove it from our database.
It's not a spider, it reads only the blogs in the database.

Regards,

Francois

And to add to that, one of the comments on my weblog was that there is also an opt-out list [mastodonte.com].

check for valid referrers

[lambsonic (512680)]

This is a non-issue for me. I run a script that validates the referrers [tautology.org].

backlink links

[luap2000 (314919)]

Backlinking [iawiki.net] has become popular lately on a lot of blogs. The term describes scripts built to automatically display links from referrer logs [devhelper.net]. The idea was to automatically create a list of links [disenchanted.com] to sites that might possibly have related content because someone came from that site to yours. A good example of its use can be found at diveintomark [diveintomark.org].

While the process has gained some popularity [decafbad.com] of late in the blogosphere, the idea has been around [unrealities.com] for quite some time [gmu.edu].

Are tactics like this legitimate forms of marketing? Would you term it Gonzo Marketing [gonzomarkets.com]? Viral Marketing [wilsonweb.com]? Whatever term you use, it will definitely be interesting to see where this one goes.

Script to check it out...

[dargaud (518470)]

I haven't noticed this trend yet but I will... I have a small shell/perl script that does a simple analysis of referer logs (search engine keywords, other external referers...). Get it from my website [gdargaud.net] if interested.

Backlinking

[CaptainSuperBoy (17170)]

Backlinking, or posting your referral logs, is doomed to failure and rightly so. It's just a glorified way of making your site into a link farm, with the expectation that your fellow bloggers will do the same. It is serendipitous that this practice is open to 'abuse' although I would never call the abusers spammers. They are just utilizing a method for submitting data that the site owners themselves have provided. I don't see any reason to call this 'spam' since the site owners are inviting users to submit data through HTTP referral headers.

Also, this quote from the article is ludicrous: "bloggers are not thrilled, even though they ruefully admit that the log spamming may falsely boost their ranking on some search engines."

There is no search engine that bases your rank on the number of sites that you LINK to. I believe the bloggers actually mean that they're sorry to see their backlinks (read: link farms) go, since those do in fact raise search rankings. What a travesty- Sites may have to rely on the actual quality of their content, rather than trading links!

Amidst the alarmist cries in the article, "spammers will destroy our practice of posting referral logs," nobody has even mentioned that there is a ridiculously easy technical solution. Before posting a referral link, why not just have your software visit the referring site and detemine if it actually links to your page? This will defeat the referral advertisers.

Guestbook spam

[AlpineR (32307)]

Here is another form of spam that was new to me. Apparently some German pr0n site operators are filling my guestbook [umich.edu] with bogus entries linked to their offerings. It seemed an odd way to advertise at first (who the heck visits my site [umich.edu], much less reads my guestbook ;-), but now I realize that it helps their Google stats.

For now I'll delete the entries by hand, but if this increases it could get really annoying.

AlpineR

Re:huh

[calyxa (618266)]

no, they hit the page with their link in the referrer field. some sites post reports from their web logs showing where hits are referred from, so it'd be like:

255.255.255.255 - - [27/Oct/2002:00:00:00 -0000] "GET /perfectly/valid/page/at/yoursite.html" 200 2467 "http://www.wilddonkeysex.com_for_Wild_Donkey_Sex/ " "(SpamBot5000)"

and then people looking at the report would say, "hey, the page at wilddonkeysex links to my perfectly/valid/page and it's getting like 500 hits a day from there, woo! let's click on that url and see what the link to my page looks like!"

-calyxa

Re:huh

[CySurflex (564206)]

let's click on that url and see what the link to my page looks like!

I think it's more than the web site's owner clicking on the page - a lot of bloggers post a list of "top referrers" on their web site as a way of thanking the referrers, and therefore they generate a lot of traffic to their referrers from their own visitors.

Re:*sigh*

[Dyolf Knip (165446)]

The few stats I've come across regarding spam 'success' suggests that if they get more than a dozen responses (excluding the fools who actually send back "Take me off your list") per one million emails they're having a good day.

[Wishful thinking mode ON!]
This implies that there are, maybe, all of 10,000 suckers who keep every spammer on the planet in business. If we find them and cut them off, spam response would drop to about 1 per billion and there's just no way they could make any money off of that.

Re:*sigh*

[AirLace (86148)]

I know why this problem is endemic. It's certainly down to more than the "10,000 suckers" you suggest.

I always use the example of my father, who is your archetypical pre-UNIX geek. He did all the PDP-11 stuff, worked with the VAXes and hacked machine code in ways that I don't yet understand -- an intensely intelligent man. Yet, every few months when I go to visit him, we get to talking about the internet and the first thing he does is talk about what he's bought online. For him, paying spammers is part and parcel of buying online -- he's paid spammers for search engine placings for his personal site, silly trinkets like water pumps and gardening tools and books.

To people who aren't part of the current 'geek' cognoscenti, spam is just another form of valid advertising, like the leaflets they get in the post and the billboards they walk past on their way to work. This isn't a specific group of people -- you can't "find them and cut them off" -- you need to target the problem at its source.

Re:*sigh*

[ealar dlanvuli (523604)]

I actually bought something from a spam. It was a slightly topical T-Shirt that I thought was clever. Cost me $15 (PayPal).

The guy who sold it to me was obviouly a late teen, and was making ok money selling shirts at about $5 profit per when I called him.

I think most geeks have no problem with spam itself (in fact targeted spams that interest me often get clicks, I get about two of those a year), they have a problem with the number of scams that are sent using spam.

Re:I don't know if these are *as* bad.

[dattaway (3088)]

The "solution" you mentioned wouldn't really work, as the spammers could simply download your images as well.

I see a solution in this. It would be the spammer's own DOS attack. If they willing to download /dev/zero in order to place their refer entry, that's great, more power to them. If they don't download data, that invalid refer entry could easily be dismissed. Solution? I'm sure someone will crank out a spammer-refer-mod to include in apache.conf over this. :)

Re:Spamfilter

[phliar (87116)]

Run, don't walk, to SpamBouncer [spambouncer.org], a set of procmail scripts. Works wonderfully, and even has regular updates of the list of evildoers! It's currently blocking 95% of my spam, of about 30 messages a day.

(Sorry, Unix-like systems only.)