
Referrer spam

Discussion in 'Plesk for Linux - 8.x and Older' started by bsysbvba, Nov 15, 2005.

  1. bsysbvba

    bsysbvba Guest

    0
     
    Hi,

    there is something new hitting my Linux boxes: referrer spam!!

    Instead of the already accepted (but still hated) unwanted junk mail we receive over and over again, one of my clients is hit hard by referrer spam!! I've been looking on Google for what can be done, but there are no easy solutions for it.

    What it does: your website is accessed from a script that has a referrer link of a porn/diet pills/whatever related domain name. Then if you have a look at the webstats of that domain, you will see that those statistics are all messed up and that your top-10 has turned into a porn/diet pills/whatever related billboard!

    Have a look at some lines of this access_log file (found under statistics/logs of that specific domain):

    213.203.193.163 - - [15/Nov/2005:12:22:32 +0100] "GET / HTTP/1.0" 403 4114 "http://www.hot-comic.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    85.107.88.54 - - [15/Nov/2005:12:22:39 +0100] "GET / HTTP/1.1" 200 717 "http://sborra-sopra-piedi.com/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
    69.28.242.87 - - [15/Nov/2005:12:22:44 +0100] "HEAD / HTTP/1.1" 200 158 "http://hydrocodone3.miwww.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    69.28.242.87 - - [15/Nov/2005:12:22:54 +0100] "HEAD / HTTP/1.1" 200 158 "http://phentermine.org.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    69.28.242.87 - - [15/Nov/2005:12:22:58 +0100] "HEAD / HTTP/1.1" 200 158 "http://online-phentermine.keepkidshealthy.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    213.203.193.163 - - [15/Nov/2005:12:23:32 +0100] "GET / HTTP/1.0" 200 717 "http://www.men-strip-angebot.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    221.208.204.16 - - [15/Nov/2005:12:23:47 +0100] "GET / HTTP/1.1" 200 717 "http://foto-porno-amatoriale.com/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
    69.73.166.108 - - [15/Nov/2005:12:23:54 +0100] "HEAD / HTTP/1.1" 200 158 "http://phentermine.org.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    220.28.102.189 - - [15/Nov/2005:12:24:07 +0100] "GET / HTTP/1.1" 200 717 "http://sborra-sopra-piedi.com/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
    69.28.242.87 - - [15/Nov/2005:12:24:22 +0100] "HEAD / HTTP/1.1" 200 158 "http://phentermine.keepkidshealthy.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    Does anybody have an idea what I could do? It eats resources and makes my webstats unusable!! IP addresses and domain names change all the time, so I can't filter that out, can I?

    TIA,

    Eddy
     
  2. Sins

    Sins Guest

    0
     
    Stats Spam

    I had the same problem and I went into the control panel for the site and passworded the stats pages. For some reason they were hammering one of my sites with porn links on the stats. But passwording the stats put a quick and easy end to it.
     
  3. bsysbvba

    bsysbvba Guest

    0
     
    Re: Stats Spam

    Sins, that doesn't stop the spam!! Have a look at your access_log file under domainname/statistics/logs. You will notice that your access_log file grows every second with those porn/whatever links!!
     
  4. Sins

    Sins Guest

    0
     
    The other day they had stopped, and after looking now I see they just started up again. So I guess I am stumped too and need to know. Luckily for me it is only one of the sites I host. I scan my boxes regularly and can't find any type of trojan or virus.
     
  5. bsysbvba

    bsysbvba Guest

    0
     
    Luckily for you. Yes, but did you check your other domains yet??? I am sure there are other domains that have the same problem. And, Sins, this has nothing to do with your machine being infected with a virus. It's another machine on the net that is spamming your site!!!
     
  6. Sins

    Sins Guest

    0
     
    I just looked at the logs for the other 28 sites on that box and none of the other ones have that. I guess so far it is just on one.
     
  7. Who-m3

    Who-m3 Guest

    0
     
    I, too, had this problem with one of my sites. I went from getting 200-600 hits a day to getting almost 4000 hits a day. Upon reviewing the access_log, as well as my referrals log (yes, I keep that one too), I found the same things that are described above. I used Google to find what I could, and as previously mentioned (also above), setting the webstat dir to require login/pass did cut down on the hits.

    However, this won't make it stop immediately. This "spambot" is trying to get the websites it's using more hits by filling up the referral blocks on your webstat pages. With those pages previously being "public" pages, Google would index them. Google using those links would then increase that page's rank within Google, thereby increasing its likelihood of receiving hits.

    Side note: If you've checked any of those referrals, when it loads, you'll find absolutely nothing about your site on their site. Additionally, 99% of those that were hitting my site were the same site in the long run. They'd all forward to a porn site, generally the exact same one. It kinda made me mad, but it's amusing at the same time. For now, though, my site is auto-banning the most common referral sites I've found it coming from. Although this may be a bit more work than you're ready for, it helped in my case, and I hope it'll help you too.
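
Added example (not part of any post in this thread): a Python sketch that picks referrer-spam hosts out of a combined-format access_log by request behaviour rather than by fixed IP or domain lists, using two traits visible in the excerpt above: HEAD requests that carry a referrer, and one client claiming to arrive from several unrelated sites. The function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" format, the layout of the access_log lines quoted above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def suspicious_referrers(lines, own_hosts, min_hosts_per_ip=2):
    """Return a Counter of external referrer hosts that look like referrer spam."""
    hits = []                       # (client ip, method, referrer host)
    hosts_by_ip = defaultdict(set)  # distinct external referrer hosts per client
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # not a combined-format line
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue                # no referrer ("-") or an internal link
        hits.append((m["ip"], m["method"], host))
        hosts_by_ip[m["ip"]].add(host)
    flagged = Counter()
    for ip, method, host in hits:
        # Heuristic 1: a browser following a link sends GET, not HEAD.
        # Heuristic 2: one client presenting several unrelated referrer hosts.
        if method == "HEAD" or len(hosts_by_ip[ip]) >= min_hosts_per_ip:
            flagged[host] += 1
    return flagged

# Constructed sample lines (documentation IPs and .example hosts), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Nov/2005:12:22:44 +0100] "HEAD / HTTP/1.1" 200 158 "http://pills.spam-a.example" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [15/Nov/2005:12:22:54 +0100] "HEAD / HTTP/1.1" 200 158 "http://spam-b.example" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [15/Nov/2005:12:22:32 +0100] "GET / HTTP/1.0" 200 717 "http://www.spam-c.example/" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [15/Nov/2005:12:23:32 +0100] "GET / HTTP/1.0" 200 717 "http://spam-b.example/" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [15/Nov/2005:12:25:01 +0100] "GET /about.html HTTP/1.1" 200 5120 "http://search.example/?q=widgets" "Mozilla/5.0"
203.0.113.5 - - [15/Nov/2005:12:25:09 +0100] "GET /contact.html HTTP/1.1" 200 2048 "http://www.mysite.example/about.html" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for host, n in suspicious_referrers(SAMPLE_LOG, {"www.mysite.example"}).most_common():
        print(f"{n:4d}  {host}")
```

A client that sends a single GET with one spam referrer passes both heuristics, so treat the output as a ranked candidate list to review before banning, not as a complete filter.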
     
  8. faris

    faris Guest

    0
     
    A very simple and effective way to stop [a large proportion of] the referrer spam is to install mod_security and use Scott and Mike's rules (which include referrer spam rules).

    www.gotroot.com/mod_security+rules is the place to go for easy, step by step instructions on installing mod_security and for downloading the rules.

    Faris.
     