
Referrer spam

bsysbvba

Hi,

there is something new hitting my Linux boxes: referrer spam!!

Instead of the already accepted (but still hated) unwanted junk mail we receive over and over again, one of my clients is hit hard by referrer spam!! I've been looking on Google for what can be done, but there are no easy solutions for it.

What it does: your website is accessed from a script that has a referrer link of a porn/diet pills/whatever related domain name. Then if you have a look at the webstats of that domain, you will see that those statistics are all messed up and that your top-10 has turned into a porn/diet pills/whatever related billboard!

Have a look at some lines of this access_log file (found under statistics/logs of that specific domain):

213.203.193.163 - - [15/Nov/2005:12:22:32 +0100] "GET / HTTP/1.0" 403 4114 "http://www.hot-comic.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
85.107.88.54 - - [15/Nov/2005:12:22:39 +0100] "GET / HTTP/1.1" 200 717 "http://sborra-sopra-piedi.com/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
69.28.242.87 - - [15/Nov/2005:12:22:44 +0100] "HEAD / HTTP/1.1" 200 158 "http://hydrocodone3.miwww.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.28.242.87 - - [15/Nov/2005:12:22:54 +0100] "HEAD / HTTP/1.1" 200 158 "http://phentermine.org.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.28.242.87 - - [15/Nov/2005:12:22:58 +0100] "HEAD / HTTP/1.1" 200 158 "http://online-phentermine.keepkidshealthy.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
213.203.193.163 - - [15/Nov/2005:12:23:32 +0100] "GET / HTTP/1.0" 200 717 "http://www.men-strip-angebot.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
221.208.204.16 - - [15/Nov/2005:12:23:47 +0100] "GET / HTTP/1.1" 200 717 "http://foto-porno-amatoriale.com/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
69.73.166.108 - - [15/Nov/2005:12:23:54 +0100] "HEAD / HTTP/1.1" 200 158 "http://phentermine.org.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
220.28.102.189 - - [15/Nov/2005:12:24:07 +0100] "GET / HTTP/1.1" 200 717 "http://sborra-sopra-piedi.com/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
69.28.242.87 - - [15/Nov/2005:12:24:22 +0100] "HEAD / HTTP/1.1" 200 158 "http://phentermine.keepkidshealthy.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Anybody have an idea what I could do? As it eats resources and makes my webstats unusable!! IP addresses and domain names change all the time, so I can't filter that out, can I?

TIA,

Eddy
 
Stats Spam

I had the same problem and I went into the control panel for the site and passworded the stats pages. For some reason they were hammering one of my sites with porn links on the stats. But passwording the stats put a quick and easy end to it.
 
Re: Stats Spam

Originally posted by Sins
I had the same problem and I went into the control panel for the site and passworded the stats pages. For some reason they were hammering one of my sites with porn links on the stats. But passwording the stats put a quick and easy end to it.

Sins, that doesn't stop the spam!! Have a look at your access_log file under domainname/statistics/logs. You will notice that your access_log file grows every second with those porn/whatever links!!
 
The other day they had stopped and after now looking I see they just started up again. So I guess I am stumped too and need to know. Luckily for me it is only one of the sites I host. I scan my boxes regularly and can't find any type of trojan or virus.
 
Originally posted by Sins
The other day they had stopped and after now looking I see they just started up again. So I guess I am stumped too and need to know. Luckily for me it is only one of the sites I host. I scan my boxes regularly and can't find any type of trojan or virus.

Luckily for you. Yes, but did you check your other domains yet??? I am sure there are other domains that have the same problem. And, Sins, this has nothing to do with your machine being infected with a virus. It's another machine on the net that is spamming your site!!!
 
I just looked at the logs for the other 28 sites on that box and none of the other ones have that. I guess so far it is just on one.
 
I, too, had this problem with one of my sites. I went from getting 200-600 hits a day to getting almost 4000 hits a day. Upon reviewing the access_log, as well as my referrals log (yes, I keep that one too), I found the same things that are described above. I used Google to find what I could, and as previously mentioned (also above), setting the webstat dir to require login/pass did cut down on the hits.

However, this won't make it stop immediately. This "spambot" is trying to get the websites it's using more hits by filling up the referral blocks on your webstat pages. With those pages previously being "public" pages, Google would index them. Google using those links would then increase that page's rank within Google, thereby increasing its likelihood of receiving hits.

Side note: If you've checked any of those referrals, when it loads, you'll find absolutely nothing about your site on their site. Additionally, 99% of those that were hitting my site were the same site in the long run. They'd all forward to a porn site, generally the exact same one. It kinda made me mad, but it's amusing at the same time. For now, though, my site is auto-banning the most common referral sites I've found it coming from. Although this may be a bit more work than you're ready for, it helped in my case, and I hope it'll help you too.
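
An added example, not part of any post in this thread: one way to find the "most common referral sites" in an Apache combined-format access_log, using the pattern visible in the excerpt above, where a single client claims to arrive from several unrelated sites. The function names, the `min_distinct` threshold and the sample lines are assumptions made for illustration, and the result is a heuristic list for review, since a real visitor can also arrive from more than one site.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                     r'"(?P<referer>[^"]*)" "[^"]*"$')

def external_referers(lines, own_hosts):
    """Yield (client_ip, referer_host) for parsable lines with an off-site Referer."""
    own = {h.lower() for h in own_hosts}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not combined format; ignore rather than guess
        try:
            host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        except ValueError:
            continue  # malformed URL in the Referer header
        if host and host.lower() not in own:
            yield m["ip"], host.lower()

def suspect_clients(lines, own_hosts, min_distinct=2):
    """Heuristic: clients claiming to arrive from several unrelated sites."""
    seen = defaultdict(set)
    for ip, host in external_referers(lines, own_hosts):
        seen[ip].add(host)
    return {ip: sorted(h) for ip, h in seen.items() if len(h) >= min_distinct}

def ban_candidates(lines, own_hosts, min_distinct=2):
    """Referrer hosts sent by suspect clients, most frequent first, for review."""
    lines = list(lines)
    suspects = suspect_clients(lines, own_hosts, min_distinct)
    hits = Counter(h for ip, h in external_referers(lines, own_hosts) if ip in suspects)
    return hits.most_common()

# Constructed sample (documentation IPs and example domains, not from a real log).
_FMT = '{ip} - - [15/Nov/2005:12:22:44 +0100] "{req} HTTP/1.1" 200 158 "{ref}" "Mozilla/4.0"'
SAMPLE = [
    _FMT.format(ip="192.0.2.10", req="HEAD /", ref="http://pills.example.net"),
    _FMT.format(ip="192.0.2.10", req="HEAD /", ref="http://casino.example.org/"),
    _FMT.format(ip="192.0.2.10", req="HEAD /", ref="http://pills.example.net"),
    _FMT.format(ip="198.51.100.7", req="GET /contact.html", ref="http://www.example.com/"),
    _FMT.format(ip="203.0.113.5", req="GET /", ref="-"),
]

if __name__ == "__main__":
    print(suspect_clients(SAMPLE, {"www.example.com"}))
    print(ban_candidates(SAMPLE, {"www.example.com"}))
```

Pass the site's own host names in `own_hosts` so internal navigation is never counted as an external referrer.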
 
A very simple and effective way to stop [a large proportion of] the referrer spam is to install mod_security and use Scott and Mike's rules (which include referrer spam rules).

www.gotroot.com/mod_security+rules is the place to go for easy, step by step instructions on installing mod_security and for downloading the rules.

Faris.
 