
 




Spam Through HTTP Referrer Logs

Max Romantschuk writes "This morning while doing my usual log review of reader activity on my weblog, I discovered some rather strange sites, porn sites, which were linking to me. Closer inspection revealed that they weren't linking to me at all, but that someone had falsified the HTTP referrer header to inject the links into my logs." (Read more below.)

Max Romantschuk continues: "It took a moment to realize what was going on, but then it dawned on me: I was being spammed through my referrer logs! A quick Google search on the words "referrer spam" confirmed my suspicions; this was indeed a widespread practice, and not new at all. In fact, Wired had an article on the subject dating almost a year back. It turns out the spammers aren't after blog authors, but what they are actually doing is targeting people who publish their referrer logs on their sites automatically. Fortunately, I don't.

I run a very small site, and get about 20 to 50 visits a day, and I don't publish my logs. Not exactly a likely target, am I? Clearly these spammers seem to do this in volume, and the phenomenon is bound to increase as email spamming is becoming increasingly hard. With email spam, IM spam, Windows Messaging spam (NET SEND popups) and HTTP referrer spam, how long will it take until every open technology has to be locked down? I hate to say it, but I doubt Wikis and similar systems will stay open for very long if things keep going in this direction."

  • by Brandon T. ( 167891 ) on Wednesday November 26, 2003 @10:50AM (#7568408) Homepage
    I was having the same problem; getting literally thousands of hits to my site from referrers for all kinds of porn and other random domain names. I did a Google search and found this site: http://www.spywareinfo.com/articles/referer_spam/ [spywareinfo.com]. It shows how to use mod_rewrite with Apache to block the most frequent domains. I took Mike's blacklist and created this page [resynthesize.com], which automatically creates the .htaccess file for you. The problem is that they seem to be registering tons of new domain names so it's hard to keep up a decent blacklist.
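The mod_rewrite blacklist approach from the comment above, as an added example (not the code behind the generator page or the linked article's rules). The `.example` domains are constructed and the function names are hypothetical; entries that are not plain hostnames are dropped so a poisoned blacklist cannot inject directives into the generated `.htaccess`.

```python
import re

# A hostname label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample blacklist, including two hostile or malformed entries.
SAMPLE_BLACKLIST = [
    "spam-domain.example",
    "WWW.Casino.example.",
    "casino.example",
    "bad entry.example",
    "evil.example [NC]\nRewriteRule .* http://x.example/",
]


def normalize_domain(entry):
    """Return a lowercase bare domain, or None if entry is not a plain hostname."""
    host = entry.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    # fullmatch, not match: "$" would accept a label ending in a newline.
    if len(labels) < 2 or not all(LABEL.fullmatch(l) for l in labels):
        return None
    return host


def referer_patterns(blacklist):
    """One anchored regex per unique valid domain, matching it and its subdomains."""
    domains = sorted({d for d in map(normalize_domain, blacklist) if d})
    # Anchoring on scheme and host keeps a blacklisted name that merely
    # appears in the path or query of a legitimate referrer from matching.
    return [r"^https?://([^/]+\.)?" + d.replace(".", r"\.") + r"(:[0-9]+)?([/?]|$)"
            for d in domains]


def build_htaccess(blacklist):
    """Build rules that answer 403 when the Referer host is blacklisted."""
    patterns = referer_patterns(blacklist)
    if not patterns:
        return ""  # a RewriteRule with no conditions would block every request
    lines = ["RewriteEngine On"]
    for i, pattern in enumerate(patterns):
        # Every condition except the last is OR-ed with the next one.
        flags = "[NC]" if i == len(patterns) - 1 else "[NC,OR]"
        lines.append(f"RewriteCond %{{HTTP_REFERER}} {pattern} {flags}")
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_htaccess(SAMPLE_BLACKLIST), end="")
```

Because the rules only cover domains already on the list, this does not address the newly registered domains the comment mentions.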
  • by RyoSaeba ( 627522 ) on Wednesday November 26, 2003 @11:17AM (#7568710) Journal
    I'm contributing to Wikipedia [wikipedia.org], and we have some ways to deal with vandalism. We weren't (yet!) victims of determined spammers with bots, so it's theoretical, but here are things we can use:
    • first, all changes appear in a special page, so anyone can see them, and switch back to a previous version in history. Anyone can in one click see differences with the previous version
    • all contributions of users (anonymous or not) are easily viewable by anyone, thus cleaning after finding a spammer is made easier
    • sysops (contributors with some maintenance rights) can revert last changes of anonymous users in a few clicks
    • sysops can delete pages (to clear new pages created by bots, in this case)
    • sysops can block IPs if needed, preventing the editing of pages from those IPs
    • sysops can also block usernames
    • sysops can protect pages, preventing any editing (to protect main page for instance, in case of repeated vandalism)
    • worst case, a filter can be added to the computer's firewall settings.

    And, given the number of contributors and sysops, it's almost certain there's a sysop nearby at any time. Of course, if spammers attack from 50 IPs, one sysop alone will have a hard time to fight & clean the mess :)
  • Re:So blank it (Score:2, Informative)

    by Anonymous Coward on Wednesday November 26, 2003 @01:33PM (#7570295)
    4) "base" URL of the site being accessed -- i.e. if you were accessing http://www.yahoo.com/some/path/some/file.html the referer would be "http://www.yahoo.com/"

    privoxy [privoxy.org] can do this.
  • Re:So blank it (Score:3, Informative)

    by Carnildo ( 712617 ) on Wednesday November 26, 2003 @03:36PM (#7571733) Homepage Journal
    The Proxomitron does #3 -- with the side benefit of letting me view images that people have hotlinked from Geocities and other free hosting providers.
