Slashdot Mirror


New Spam Frontier: Referer Logs

geoffsmith writes "Wired News is reporting that spammers are using referer logs as a cheap new way to spam small sites. Anyone running a website has probably already seen this phenomenon; I'm thinking of writing a script to remove these entries from my access_log by looking for hits that don't grab my images. (sorry lynx users!)"
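The filter the submitter describes (drop access_log entries from clients that never fetch an image) is simple enough to write out. What follows is an added example in Python, not the submitter's script or anything from Wired; the log lines are constructed in Apache combined format, the host names (`spambot.example`, `referrer-spam.example`, `friend.example`, `yoursite.example`) are placeholders, and the list of text-browser User-Agents to exempt is an assumption that addresses the "sorry lynx users" caveat rather than a complete list.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format, the same shape as the lines quoted in the thread:
# host ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

IMAGE_EXT = ('.gif', '.jpg', '.jpeg', '.png', '.ico')
# Text browsers never fetch images; exempt the ones that say who they are so
# the "no images" rule does not throw away their referrers too (assumed list).
TEXT_BROWSERS = ('lynx', 'links', 'elinks', 'w3m')


def parse_line(line):
    """Return a dict of log fields, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_image(path):
    return path.split('?', 1)[0].lower().endswith(IMAGE_EXT)


def referer_host(ref):
    return urlsplit(ref).netloc.lower()


def find_referer_spam(lines):
    """Return {referrer_host: page_hits} for clients that sent a Referer on
    page requests but never requested a single image from this site."""
    by_client = defaultdict(lambda: {'pages': [], 'images': 0, 'agents': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = by_client[rec['host']]
        c['agents'].add(rec['agent'].lower())
        if is_image(rec['path']):
            c['images'] += 1
        elif rec['referer'] not in ('', '-'):
            c['pages'].append(rec['referer'])

    suspects = defaultdict(int)
    for c in by_client.values():
        if c['images'] or not c['pages']:
            continue
        if any(a.startswith(TEXT_BROWSERS) for a in c['agents']):
            continue
        for ref in c['pages']:
            suspects[referer_host(ref)] += 1
    return dict(suspects)


def clean_log(lines):
    """Drop every line whose Referer host was flagged by find_referer_spam."""
    bad = find_referer_spam(lines)
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec['referer'] not in ('', '-') and referer_host(rec['referer']) in bad:
            continue
        kept.append(line)
    return kept


# Constructed sample log (not from the page): one client hammering "/" with a
# bogus Referer and never fetching an image, one real Mozilla visitor who does
# fetch the logo, and one self-identified Lynx user who cannot.
SAMPLE_LOG = """\
spambot.example - - [22/Oct/2002:04:04:33 -0700] "GET / HTTP/1.0" 200 4636 "http://referrer-spam.example/viral.shtml" "Mozilla/4.0 (compatible; MSIE 4.5; Windows 98; 518.5546875)"
spambot.example - - [22/Oct/2002:04:04:35 -0700] "GET /about.html HTTP/1.0" 200 1200 "http://referrer-spam.example/viral.shtml" "Mozilla/4.0 (compatible; MSIE 4.5; Windows 98; 518.5546875)"
10.0.0.5 - - [22/Oct/2002:04:10:01 -0700] "GET / HTTP/1.1" 200 4636 "http://friend.example/links.html" "Mozilla/5.0 (X11; Linux) Gecko"
10.0.0.5 - - [22/Oct/2002:04:10:02 -0700] "GET /img/logo.gif HTTP/1.1" 200 812 "http://yoursite.example/" "Mozilla/5.0 (X11; Linux) Gecko"
10.0.0.9 - - [22/Oct/2002:05:00:00 -0700] "GET / HTTP/1.0" 200 4636 "http://friend.example/links.html" "Lynx/2.8.4rel.1 libwww-FM/2.14"
"""

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print(find_referer_spam(lines))   # {'referrer-spam.example': 2}
    print(len(clean_log(lines)))      # 3
```

The heuristic is per client, not per request: a client that fetched even one image keeps all its referrers, and the User-Agent exemption only helps text browsers that identify themselves. A spammer who adds an image request to the bot (as one comment further down predicts) defeats it, so treat this as log hygiene, not a security control.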

252 comments

  1. They will never stop. by SexyKellyOsbourne · · Score: 4, Insightful

    The entire internet will eventually go down in a deluge of spam unless it is made illegal and the laws are enforced!

    1. Re:They will never stop. by rtscts · · Score: 1

      If blacklists stop getting sued everything will be fine.

    2. Re:They will never stop. by kryonD · · Score: 5, Interesting

      True, but at the same time wrong. Has anybody else noticed that the internet is currently the most active battlefield in history?

      Lowlife (but capitalist god bless 'em) pigs generate spam to sell their penis enlargement scam and mail clients develop ways to filter and block email. Distraction.

      Distributed Denial of Service attacks attempt to shake the very foundations of the NET through bandwidth flooding and sysadmins implement redundancy and load balancing. Jamming - Frequency Hopping.

      Remote exploits and viruses appear every day and patches are generated quickly for the more quality OS's and virus updates are required daily for Micro$oft OS's. Infiltration.

      Governing bodies exist that the people disagree with such as the RIAA and MPAA. Demonstrations are held in both violent(DDoS) and non-violent(civil disobedience of P2P) manners. Revolution.

      Needless to say, civilization has managed to survive for thousands of years despite man's desire to control everything including his fellow men. I think the internet will find a way.

      --
      I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
    3. Re:They will never stop. by Jucius+Maximus · · Score: 2
      "Needless to say, civilization has managed to survive for thousands of years despite man's desire to control everything including his fellow men. I think the internet will find a way."

      So are you saying that spam, DDOSs, exploits and the (RI|MP)AA all drive natural selection in the ecosystem that is the internet? What an interesting thought.

    4. Re:They will never stop. by IIRCAFAIKIANAL · · Score: 5, Informative

      Please do not equate civil disobedience and P2P. Civil disobedience is essentially something you do in the open with the intention of getting caught and possibly prosecuted.

      If you want to learn about what civil disobedience really is, check this or this out.

      If you think that the Internet is the most active battlefield today, you need to visit a few places.

      --
      Robots are everywhere, and they eat old people's medicine for fuel.
    5. Re:They will never stop. by ntp · · Score: 0, Interesting

      > Wow, you are so full of shit!

      That's so profound, Dick. Please, could you elaborate on your point?

      --
      I control the time!
    6. Re:They will never stop. by goon+america · · Score: 2
      True, but at the same time wrong. Has anybody else noticed that the internet is currently the most active battlefield in history?

      haha I've also noticed the beer inside my stomach is the most delicious outside of my body. And the milk in my fridge is the best drink on my desk. And the car that's in my driveway is at the shop.

      riiiight.

    7. Re:They will never stop. by kryonD · · Score: 2

      Perhaps P2P was a bad example, although I do know people who specifically use Kazaa to get music because they refuse to pay the high prices charged for CDs. They openly admit what they do, although they probably don't expect anything serious to happen to them. Perhaps linking to or publishing the code to DeCSS would have been a better example.

      As far as what's going on in the Middle East... You can link to web sites all you want, but until you come and work with me out here in the III Marine Expeditionary Force, where our Area Of Responsibility includes Afghanistan, Iraq, India-Pakistan, North Korea, the Philippines and Indonesia, you have no concept of either A) what a battlefield is, or B) what's REALLY going on in the world. Just a note: we have more attacks per day on one of our public .mil servers than we have had real contingency issues (to include disasters and humanitarian aid) in the whole theater all year.

      --
      I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
    8. Re:They will never stop. by sparkz · · Score: 2

      I have the DeCSS source on my site (steve-parker.org) but that's not civil disobedience, it's a public service. I am in the UK (as is the server) and - until December - it is perfectly legal to distribute it. After December, it seems that I won't be able to do so. But at the moment, my country doesn't have a problem with me doing it, so I do it.

      --
      Author, Shell Scripting : Expert Re
    9. Re:They will never stop. by IIRCAFAIKIANAL · · Score: 4, Insightful
      Perhaps linking to or publishing the code to DeCSS would have been a better example.
      Yes, it would have :)
      You have no concept of either A) what a battlefield is, or B) what's REALLY going on in the world.
      I agree that the Internet can be and is a battlefield. So can Wall Street or the TSE. Or major media sources. Or the telephone. I don't agree that it is the most active - perhaps from a first world perspective, but I try and think a little more globally than that.
      Just a note: We have more attacks per day on one of our public .mil servers than we have had real contingency issues (to include disasters and humanitarian aid) in the whole theater all year.
      And how many people died due to those attacks on the public .mil servers? (Yes, I am sure they are important for various reasons, but if I was *attacking* the USA, I would be hacking hospital databases - there is a scary potential for warfare there).
      Has anybody else noticed that the internet is currently the most active battlefield in history?
      Hacking a .mil server certainly qualifies as warfare but you basically said that the internet is a more active battlefield than, say, WW2. I disagree.

      (And anyone considering invoking Godwin's law... piss off :)

      I concede that the Internet certainly *is* a battlefield. However, considering that conflict on the Internet barely affects most of the people of the world, I wouldn't rate it so high.
      --
      Robots are everywhere, and they eat old people's medicine for fuel.
    10. Re:They will never stop. by Anonymous Coward · · Score: 0

      blacklists == censorware

    11. Re:They will never stop. by Anonymous Coward · · Score: 0

      blacklists !== censorware

      All you have to do to stay off the blacklists is administer your machine(s) properly. Any other opinion is not an opinion, it is FUD.

  2. ROBOTS = unl33t by Overand · · Score: 1

    Any way to bypass some of the obnoxious bots... Of course, will this affect the ever-dubious "Archive.org?" I think it doesn't snag images, at least on the first pass.

  3. The spammer speaks... by reaper20 · · Score: 5, Interesting

    "I'll adapt or I'll discontinue. I'm not planning on becoming the major annoyance of the blogging world.... I'm not too worried my reputation. Marketing is all about being innovative, different, adaptive, taking risks and knowing how to use the technology. I'm trying to be all that."

    Heh, it's funny that this guy can make this statement and expect to be taken seriously. It's even more pathetic that he actually thinks he's "innovative".

    1. Re:The spammer speaks... by Ponty · · Score: 4, Insightful

      It is innovative. I was surprised and amused. It's awful, though. There's no rule that innovative things have to be positive.

      Anyhow, unless the traffic is completely disabling, I don't see this as more than an annoyance that technology will filter out when it becomes sufficiently obnoxious.

    2. Re:The spammer speaks... by marcs · · Score: 2, Informative

      Some actual web logs for these spammers :

      adsl-64-173-20-67.dsl.sntc01.pacbell.net - - [22/Oct/2002:04:04:33 -0700] "GET / HTTP/1.0" 200 4636 "http://www.successmath.com/viral.shtml" "Mozilla/4.0 (compatible; MSIE 4.5; Windows 98; 518.5546875)"

      adsl-64-161-26-73.dsl.sntc01.pacbell.net - - [27/Oct/2002:17:10:24 -0800] "GET / HTTP/1.0" 200 4636 "http://www.datashaping.com" "Mozilla/4.0 (compatible; MSIE 4.5; Windows 98; 147.5830078125)"

      There's plenty more, those are the domain names I could remember.

      Marc

    3. Re:The spammer speaks... by Anonymous Coward · · Score: 0

      exactly! think of land mines... very innovative, but not positive.

  4. spam by Anonymous Coward · · Score: 0

    Spam will always find a way to evolve.

  5. Spam Lite by Cyno01 · · Score: 4, Insightful

    I don't know if I'm the only one, but has anyone else who doesn't filter their e-mail noticed a drop off in the amount of spam they receive? For about the past 2 weeks, the amount of spam in my hotmail inbox has dropped from about 40 to around 15 a day. Anyone else had something similar to this happen?

    --
    "Sic Semper Tyrannosaurus Rex."
    1. Re:Spam Lite by Em+Emalb · · Score: 3, Interesting

      Actually, yeah I have. I normally get 20-30 a day on my throw-away hotmail account, I just checked it for the first time in a week and had a total of 4 messages in my inbox--all spam of course, but there were NONE in the junk mail folder. Hopefully they put some sort of spam stopper in place? We can only dream.

      --
      Sent from your iPad.
    2. Re:Spam Lite by Anonymous Coward · · Score: 0

      I noticed the same thing.

      I use mailwasher, and recently they added support for hotmail, so I thought that was why. But then I realized the hotmail spam that mailwasher was filtering wasn't as much as I usually received.

      Weird.

    3. Re:Spam Lite by NorthWoodsman · · Score: 1

      I do believe MS upgraded/improved their junk mail filtering software for Hotmail

      --
      1p}{ 1 sp34k |33+ +|-|e|\| p30p13 \/\/il| 8e i/\/\pr3553|)
    4. Re:Spam Lite by Anonymous Coward · · Score: 0

      Did any of you see the hottie in the the MSN 8 email in your hotmail accounts?

      BLAM!

    5. Re:Spam Lite by sidster · · Score: 0, Offtopic

      I've noticed an increase on my yahoo! account.

      I used to get zero (honest zero!) spam on that account. The only mistake I think I made was to use that account in my purchases both at buy.com and outpost.com. So, I have those two sites under suspicion of selling my email address.

      My personal address though, I used to get about maybe 3 or 4 spams a day. A tolerable amount. These were spams where I was in the To or Cc list, as I filter emails where my email address isn't in those fields into a spam folder which I browse through for valid emails from friends once a month or so.

      Then I noticed a big jump in the amount of spam: 10-15 spams a day!

      Keep in mind I have been using ordb.org for quite a while now.

      This increase in spam prompted me to start my own blacklist. I started keeping my spam and parsing source IP addresses. Originally I had about 900 IPs listed. I didn't see a dramatic decrease in spam though. Though I did notice soon after using my blacklist that I got a few emails confirming my subscription to "so and so list".

      Next I noticed a huge flood of spam from azoogle.com servers. So they just got firewalled out! (a quick search on them also showed quite a few sites, including universities, that blocked out azoogle.com completely).

      Now, my blacklist is roughly at 2200 IP addresses and I get about 5-8 spams a day. A fair decrease from the original 10-15 a day I would say. And every week I keep adding to my blacklist.

      Does anyone else have similar experiences?

      --
      --sidster
      Play lotto? Try http://www.alottofun.com/
    6. Re:Spam Lite by testharness · · Score: 1

      Shouldn't be too difficult for them to do. Most of the spam I get originates from Hotmail.

    7. Re:Spam Lite by Anonymous Coward · · Score: 0

      You're experiencing a drop off in spam... whats your e-mail address again?

    8. Re:Spam Lite by BurritoWarrior · · Score: 3, Interesting

      I read somewhere (sorry, can't remember where ) that Microsoft updated their anti-spam service to coincide with the rollout of MSN 8. I believe it was Brightmail that they are using now.

      Wish I could remember where I read it, I would give you a link. Best I can find right now is:

      http://join.msn.com/?page=features/junkmail&pgmarket=en-us&RU=http%3a%2f%2fjoin.msn.com%2f%3fpage%3dmisc%2fspecialoffers%26pgmarket%3den-us

    9. Re:Spam Lite by Tablizer · · Score: 1, Troll

      For about the past 2 weeks, the amount of spam in my hotmail inbox has dropped from about 40 to around 15 a day. Anyone else had something similar to this happen?

      Yes, when I stopped using Hotmail.

    10. Re:Spam Lite by NeMon'ess · · Score: 3, Interesting

      One day soon I'm going to tell everyone using my hotmail account to use a yahoo account I've set up. I tolerated the increasing spam by using the custom filters. This worked until I hit the limit of 36. Then I had to get creative to work within that boundary. This was okay until last week when my custom filters page now tells me I am over my limit of 10 filters and must delete 26 of them or pay for Hotmail Extra Extortion Services. Fuck them. I had the account before MS bought Hotmail and I tolerated all the crap until now. Yahoo's junk mail filters actually work so that's where I'll be.

    11. Re: Spam Lite by Black+Parrot · · Score: 1


      > I don't know if I'm the only one, but has anyone else who doesn't filter their e-mail noticed a drop off in the amount of spam they receive? For about the past 2 weeks, the amount of spam in my hotmail inbox has dropped from about 40 to around 15 a day. Anyone else had something similar to this happen?

      Actually, I think the 'net has finally become so spam-saturated that the world's mail servers are having trouble delivering it on time. You may be seeing a delay, not a cutback.

      --
      Sheesh, evil *and* a jerk. -- Jade
    12. Re:Spam Lite by Anonymous Coward · · Score: 0

      I never got any spam. Then I started conversing with two relatives over email. I now get spam every time I check my email.

      P.S. One relative used Hotmail, the other MSN.

    13. Re:Spam Lite by DancingSword · · Score: 1, Interesting

      Cute Filter Trick:
      set a filter that works like this

      if 'To:' doesn't contain my e-mail address
      send to trash

      Put it after your 'friends' filters ( who may bcc or cc you ).

      --
      Messages to/for me ( in me journal )
    14. Re:Spam Lite by Bartmoss · · Score: 2

      That's probably coz they're sending the spam MY way instead. (Seen a rise of about 2-3 spams that get through my rbls a day, vs. zero before.)

    15. Re:Spam Lite by p00ya · · Score: 1

      Yeah I've gone from 30+ down to 7 per day.

    16. Re:Spam Lite by Timinithis · · Score: 1

      Nope. I use both a hotmail and a yahoo email account. I have set Hotmail to place only email from those in my address book/safe list into my inbox, and I have set all other mail (i.e. junk mail) to be instantly deleted. I get about 3 emails a week from lists I am on, that is it.

      The way I see it: if I don't know you, or I have not emailed you requesting correspondence, I don't need to hear from you. If I've met you online via IRC, I 'know' you. I also ask what email address the person will be sending from so I can add them to the 'in' list.

      As far as web based mail goes, I hate to say it, but Microsoft has it going on. I don't know of any other web email that will let me send anything labeled 'junk' to /dev/null. Yahoo doesn't let me do it, and I get about 20 emails of spam a day, and one or 2 actually make it into my inbox rather than the junk folder.

      --
      Sig? What's a Sig?
    17. Re:Spam Lite by tetranz · · Score: 1

      Shouldn't be too difficult for them to do. Most of the spam I get originates from Hotmail.

      Oh really? Do you check the headers?

      Please learn the difference between the real source of a message and simply what the 'From:' address is set to.

  6. huh by Anonymous Coward · · Score: 0

    the article doesnt make it clear, how exactly is it done?

    http://www.yoursite.com/Go_To_http://www.wilddonkeysex.com_for_Wild_Donkey_Sex!!

    And your logs show:

    255.255.255.255 - - [27/Oct/2002:00:00:00 -0400] "GET /Go_To_http://www.wilddonkeysex.com_for_Wild_Donkey_Sex!! HTTP/1.1" 404 5275 "-" "WildDonkeySex.com (SpamBot5000)"

    ??

    1. Re:huh by ergo98 · · Score: 1

      It's as simple as using a modified HTTP client. HTTP 1.1 defines a "referer" (it's actually misspelled in the spec and in usage) HTTP request header that allows clients to pass the page which forwarded it to that location. A lot of sites use referrer tag checking to ensure that people don't use their images on webpages at other domains.

      Anyways, using common tools and about 10 seconds of time you can make a spider which iterates through the web, always passing your bogus referrer header.

    2. Re:huh by calyxa · · Score: 5, Informative
      no, they hit the page with their link in the referrer field. some sites post reports from their web logs showing where hits are referred from, so it'd be like:

      255.255.255.255 - - [27/Oct/2002:00:00:00 -0000] "GET /perfectly/valid/page/at/yoursite.html" 200 2467 "http://www.wilddonkeysex.com_for_Wild_Donkey_Sex/ " "(SpamBot5000)"

      and then people looking at the report would say, "hey, the page at wilddonkeysex links to my perfectly/valid/page and it's getting like 500 hits a day from there, woo! let's click on that url and see what the link to my page looks like!"

      -calyxa

      --
      Decay! Decay! Decay! -Helium
    3. Re:huh by CySurflex · · Score: 4, Informative
      let's click on that url and see what the link to my page looks like!

      I think it's more than the web site's owner clicking on the page - a lot of bloggers post a list of "top referrers" on their web site as a way of thanking the referrers, and therefore they generate a lot of traffic to their referrers from their own visitors.

    4. Re:huh by ShaunC · · Score: 3, Insightful
      and then people looking at the report would say, "hey, the page at wilddonkeysex links to my perfectly/valid/page and it's getting like 500 hits a day from there, woo! let's click on that url and see what the link to my page looks like!"
      Actually it's even better than that. As you mentioned, many sites place their server logs online for public viewing; but take that a bit further. A lot of website stats packages will automatically turn referring URLs (and other data) into hyperlinks, to "pretty up" the stats pages. Because some search engines rank your page, in part, based upon how many other sites link to you... Well, you see where I'm going with this.

      People don't have to visit the "victim" site at all, and they certainly don't have to browse the stats. The stats programs and search engine spiders will take care of everything. Got a low-ranking, poor traffic site that nobody links to? No problem, you can have 1,000 people linking to you by the end of the week, whether they know it or not. This really is nothing new, and the spamming side of it (i.e. repeatedly hammering a site) reminds me of how most TopSites work. These have been around forever, and so have the many methods of tricking them.

      Placing your URL as the referer to sites with public stats can be quite helpful in boosting your rank, and a slightly hacked copy of wget or w3mir can make it an easy task. I guess the only real "news" here is that, once again, a few village idiots have failed to realize that some things are only good in moderation. There's neither a need nor an excuse to log yourself as a referer to any particular site more than once a month; and hundreds or thousands of times in a day is just plain stupid.

      Shaun
      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    5. Re:huh by Anonymous Coward · · Score: 0

      Big search engines respect robots.txt. Put an exclude in there for however you publish your logs. That way, people still see them and there's no worth to these marketers.

    6. Re:huh by termigator · · Score: 1

      A lot of website stats packages will automatically turn referring URLs (and other data) into hyperlinks, to "pretty up" the stats pages. Which seems to make a site ripe for cross-site scripting (XSS) attacks.
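ShaunC's point (stats packages turn Referer values into live links that spiders count) and termigator's (those same values reach the HTML unescaped) share one fix: treat the Referer as hostile input when you publish it. The following is an added Python example, not code from the page or from any stats package; the referrer counts and the `evil.example` payload are constructed. It renders the referrer list as escaped text inside `<code>` rather than as `<a href>` links, so there is nothing for a search-engine spider to count and nothing for a crafted Referer to inject.

```python
import html
from urllib.parse import urlsplit


def safe_referrer_text(ref, max_len=80):
    """Reduce a raw Referer value to something safe to print on a stats page.

    Only http(s) URLs with a host are kept; javascript:, data: and garbage
    become None. The survivor is truncated and HTML-escaped, so a Referer
    such as  http://evil.example/"><script>...  cannot break out of the
    surrounding markup (the XSS risk raised in the thread)."""
    try:
        parts = urlsplit(ref)
    except ValueError:          # e.g. malformed IPv6 brackets
        return None
    if parts.scheme not in ('http', 'https') or not parts.netloc:
        return None
    shown = ref if len(ref) <= max_len else ref[:max_len - 3] + '...'
    return html.escape(shown, quote=True)


def render_top_referrers(counts, n=10):
    """Render {referrer_url: hits} as an HTML list of plain text, not anchors.

    Not linking is deliberate: a spider crawling this page sees no link to
    count toward the spammer's ranking, while a human can still read or
    copy the URL. Sorted by hits descending, then URL for a stable order."""
    rows = []
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    for ref, hits in ordered:
        text = safe_referrer_text(ref)
        if text is None:
            continue
        rows.append(f'  <li><code>{text}</code> ({hits} hits)</li>')
    return '<ul class="referrers">\n' + '\n'.join(rows) + '\n</ul>'


# Constructed input (not from the page): one honest referrer, one Referer
# carrying a markup-injection payload, one non-http scheme.
SAMPLE_COUNTS = {
    'http://friend.example/links.html': 12,
    'http://evil.example/"><script>alert(1)</script>': 500,
    'javascript:alert(1)': 3,
}

if __name__ == '__main__':
    print(render_top_referrers(SAMPLE_COUNTS))
```

If the stats page must stay online, pair this with the robots.txt exclusion suggested above so spiders never index it at all; the escaping is still needed, since robots.txt does nothing for the human who loads the page in a browser.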

  7. Lynx users? by Anonymous Coward · · Score: 5, Funny

    (sorry lynx users)

    Don't worry. It's highly unlikely that any of the 4 current users will visit your website anyway.

    1. Re:Lynx users? by AvitarX · · Score: 2

      why sorry lynx users is my question.

      I use opera most of the time with images off if I am on dial-up. Surely at least 3 percent of the population turns off images for non-porn browsing.

      It is a very convenient way to avoid adds and decrease load times.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:Lynx users? by Anonymous Coward · · Score: 2, Funny

      (sorry lynx users)

      Don't worry. It's highly unlikely that any of the 4 current users will visit your website anyway.


      You mean there's another 3 lynx users out there? I'm not alone!

    3. Re:Lynx users? by NeMon'ess · · Score: 2

      Too many sites use pictures as links for navigation for me to turn off all images. I just block the adds and that's enough for me. I live with flash 5 adds and stop flash 8 adds as soon as they start. I also let .gifs animate only once. The result is my browsing doesn't look so bland and it loads pretty fast as well.

    4. Re:Lynx users? by Anonymous Coward · · Score: 0

      hmm, that must mean... *queries* ...179 of the distinct Lynx visitors I've had in this past year must be faking their user_agent then. (Or switching ip and lynx versions a lot that is of course also possible.)

    5. Re:Lynx users? by Anonymous Coward · · Score: 1, Informative

      I just block the adds and that's enough for me.

      Two posts in a row so I had to comment: The abbreviation for advertisements is "ads", not "adds". Carry on.

    6. Re:Lynx users? by Anonymous Coward · · Score: 0

      r u kidding? LYNX R0XX0RS TEH HOUSE!!!!

      especially if u are on the dial-up tip.

      word.

    7. Re:Lynx users? by Anonymous Coward · · Score: 0

      thanks

    8. Re:Lynx users? by Hope+Thelps · · Score: 2, Funny

      hmm, that must mean... *queries* ...179 of the distinct Lynx visitors I've had in this past year must be faking their user_agent then. (Or switching ip and lynx versions a lot that is of course also possible.)

      Of course, it's all us Internet Explorer users who've hacked it to report as Lynx so that we can be outraged when web sites refuse us too. Why should the rest of you get all the fun?

      --
      To summarise the summary of the summary: people are a problem. ~ h2g2
    9. Re:Lynx users? by woogieoogieboogie · · Score: 1

      We had a lynx user once, but then found out it was me testing the company website in Lynx.

      --
      ... Governments are instituted among Men, deriving their just Powers from the Consent of the Governed...
    10. Re: Lynx users? by Omniscient+Ferret · · Score: 1

      > You mean there's another 3 lynx users out there? I'm not alone!

      Heh. I'm using links right now; it does tables, frames, and mouse clicks.

    11. Re:Lynx users? by Anonymous Coward · · Score: 0

      I'm the other one! I use it under windows, no less! Oh happy day! We're not so alone! Now then, where are the other two!

    12. Re:Lynx users? by Anonymous Coward · · Score: 0

      I use Lynx now and again. It's a good browser... no security holes, no crashes, no enlarge your cock images! It's great! User #4!

    13. Re: Lynx users? by Rinikusu · · Score: 2

      I know at least 3 other avid Links users locally, including myself. Links fucking rocks.

      --
      If you were me, you'd be good lookin'. - six string samurai
    14. Re:Lynx users? by Anonymous Coward · · Score: 1, Interesting

      Count me as another Lynx user. On Windows.

      It is the BEST text web browser for actual information browsing. Keyboard nav is much better than links (use numbered links with "G," as in "25g" takes you to - but doesn't follow - link/text entry box #25 on the screen, etc.). No mouse required, but it is supported.

      Links is better for maintaining layout and some other things, but that only helps in a few cases. Lynx is far superior for slashdot, webmail pages, etc., where links would simply produce a 2" column of whitespace along the left side of the screen, forcing you to scroll to the right to make heads or tails out of anything.

      Links elitists can kiss my ass. Someone accustomed to lynx browsing can locate usable information (such as searching for a URL and copying it to the clipboard) MUCH faster than someone who's used to using links.

    15. Re:Lynx users? by Anonymous Coward · · Score: 0

      Word.

    16. Re: Lynx users? by Pius+II. · · Score: 1

      Even Lynx fucking rocks if you have to use our university's SunStation4 with Netscape 4.7... Half the pages simply crash this pathetic excuse for a browser, and using Opera is not possible (too large for the quota).

    17. Re:Lynx users? by rafa · · Score: 2

      Lynx users and people with screen readers. People with impaired vision surfing the web would also be unable to browse that site.

      --
      [Science] is one of the very few things that raises human life a little above farce and gives it the grace of tragedy.
    18. Re:Lynx users? by Elitist+Snob · · Score: 1

      What he doesn't realise, is that the spammers may soon wise up to this, in the same way that they have learned to forge headers etc. It shouldn't be too difficult to make a script that calls wget in a way that looks like a genuine browser, by generating GET requests for the images too (and possibly other tricks), in order to keep themselves generating links. But the lynx users [waves] will keep ignoring the images, so only the lynx users will be affected in the long run.

    19. Re:Lynx users? by CyberKnet · · Score: 2

      Correction: Lynx users and people with screen readers would not show up in the access statistics for that site. They would still very much be able to browse that site though.

      --
      Video meliora proboque deteriora sequor - Ovidius
    20. Re: Lynx users? by Anonymous Coward · · Score: 0

      Isn't that now "eLinks"?

    21. Re: Lynx users? by Anonymous Coward · · Score: 0

      links is great

      I use it whenever I actually have to read a website, not just look at the pretty formatting.

    22. Re: Lynx users? by phorm · · Score: 1

      Use it all the time when downloading drivers, etc for my linux box. We should take a poll on lynx/links and who likes it.

    23. Re:Lynx users? by Yottabyte84 · · Score: 1

      Set up a cron job to visit referring sites to see if they link you. If not, delete them. If so, allow. (Of course, then the spammers will start linking you, and you'll have to come up with something else.)
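The check proposed in the comment above, as an added Python example (not the commenter's script): fetch each referring page and keep the referrer only if the page really contains a link to your host. The fetcher is injected so the logic runs offline against canned HTML; `http_fetch` is the hypothetical real one for the cron job, restricted to http(s) with a timeout and size cap. Page contents and host names (`friend.example`, `spam.example`, `yoursite.example`) are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import urllib.request


class LinkCollector(HTMLParser):
    """Collect every <a href=...> value from a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            for name, value in attrs:
                if name == 'href' and value:
                    self.hrefs.append(value)


def links_back(page_html, page_url, my_host):
    """True if the page contains a link whose host is my_host.

    Relative and scheme-relative hrefs are resolved against page_url so a
    link like //yoursite.example/foo counts too."""
    collector = LinkCollector()
    collector.feed(page_html)
    my_host = my_host.lower()
    for href in collector.hrefs:
        try:
            host = urlsplit(urljoin(page_url, href)).hostname
        except ValueError:
            continue
        if host and host.lower() == my_host:
            return True
    return False


def verify_referrers(referrers, my_host, fetch):
    """Split referrer URLs into (kept, dropped) using fetch(url) -> str.

    Any fetch failure (dead host, timeout, non-HTML) drops the referrer:
    a page you cannot retrieve cannot be shown to link to you."""
    kept, dropped = [], []
    for ref in referrers:
        try:
            body = fetch(ref)
        except Exception:
            dropped.append(ref)
            continue
        (kept if links_back(body, ref, my_host) else dropped).append(ref)
    return kept, dropped


def http_fetch(url, timeout=10, max_bytes=512 * 1024):
    """Hypothetical real fetcher for the cron job (not exercised offline)."""
    if urlsplit(url).scheme not in ('http', 'https'):
        raise ValueError('refusing non-http referrer: %r' % url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(max_bytes).decode('utf-8', 'replace')


# Constructed referring pages (not from the page): one that links back with an
# absolute URL, one spammer page that does not, one scheme-relative link back,
# and one referrer that is not in the table at all, standing in for a dead host.
PAGES = {
    'http://friend.example/links.html':
        '<html><body><a href="http://yoursite.example/">nice site</a></body></html>',
    'http://spam.example/viral.shtml':
        '<html><body><a href="/buy">buy now</a></body></html>',
    'http://relative.example/dir/page.html':
        '<p><a href="//yoursite.example/foo">see</a></p>',
}
CANDIDATES = list(PAGES) + ['http://dead.example/']


def canned_fetch(url):
    return PAGES[url]          # KeyError for the dead host -> dropped


if __name__ == '__main__':
    print(verify_referrers(CANDIDATES, 'yoursite.example', canned_fetch))
```

As the comment itself warns, a spammer who notices the check can add a link to you on the referring page, so this only raises the cost; it does not end the game.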

    24. Re: Lynx users? by Omniscient+Ferret · · Score: 1

      Yup. I went back to the version of eLinks that was in Debian stable because the new Links version lacked persistent cookies & it couldn't work with my bookmarks.

      I forgot about this comment for a while...

  8. *sigh* by Ummagumma · · Score: 1

    Well, what do you know? I just went and checked my website referral logs, and what do you know? SPAM!

    Don't these people realize that by spamming me - by email, by false referrers, by pop up/under ads, etc., it virtually *guarantees* that they will never get my business?

    --
    "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
    1. Re:*sigh* by joyoflinux · · Score: 2

      I think their logic is that there are some stupid idiots that will fall for the tricks. They send spam to everyone they can, looking for those few...

    2. Re:*sigh* by Anonymous Coward · · Score: 0

      Ever heard of IIS?

    3. Re:*sigh* by Anonymous Coward · · Score: 0

      sadly yeah

    4. Re:*sigh* by Dyolf+Knip · · Score: 5, Insightful
      The few stats I've come across regarding spam 'success' suggest that if they get more than a dozen responses (excluding the fools who actually send back "Take me off your list") per one million emails they're having a good day.

      [Wishful thinking mode ON!]
      This implies that there are, maybe, all of 10,000 suckers who keep every spammer on the planet in business. If we find them and cut them off, spam response would drop to about 1 per billion and there's just no way they could make any money off of that.

      --
      Dyolf Knip
    5. Re:*sigh* by AirLace · · Score: 3, Insightful

      I know why this problem is endemic. It's certainly down to more than the "10,000 suckers" you suggest.

      I always use the example of my father, who is your archetypical pre-UNIX geek. He did all the PDP-11 stuff, worked with the VAXes and hacked machine code in ways that I don't yet understand -- an intensely intelligent man. Yet, every few months when I go to visit him, we get to talking about the internet and the first thing he does is talk about what he's bought online. For him, paying spammers is part and parcel of buying online -- he's paid spammers for search engine placings for his personal site, silly trinkets like water pumps and gardening tools and books.

      To people who aren't part of the current 'geek' cognoscenti, spam is just another form of valid advertising, like the leaflets they get in the post and the billboards they walk past on their way to work. This isn't a specific group of people -- you can't "find them and cut them off" -- you need to target the problem at its source.

    6. Re:*sigh* by ealar+dlanvuli · · Score: 4, Insightful

      I actually bought something from a spam. It was a slightly topical T-Shirt that I thought was clever. Cost me $15 (PayPal).

      The guy who sold it to me was obviously a late teen, and was making ok money selling shirts at about $5 profit per when I called him.

      I think most geeks have no problem with spam itself (in fact targeted spams that interest me often get clicks, I get about two of those a year), they have a problem with the number of scams that are sent using spam.

      --
      I live in a giant bucket.
    7. Re:*sigh* by Anonymous Coward · · Score: 0

      Ever heard of shutting the fuck up? It's morons like you that don't know shit that make the internet suck.

    8. Re:*sigh* by joyoflinux · · Score: 2

      Did you read the article? Some sites like to brag and show visitors where people are coming from--if you spam the referrer log, you can get your links on these kinds of pages...

    9. Re:*sigh* by Anonymous Coward · · Score: 1, Informative

      I agree. I don't mind spam if it applies to me. I even sometimes give these a click through, even though I can't afford what they're selling. BUT, when I receive 3 enlarge your cock ads in one day, that just sickens me. I don't have a credit card and I get at least 1 consolidate your debts ad a day. I get mortgage ads and car loan ads, but I don't have a house and I don't technically own my car. If I got an ad selling me a Tungsten|T (despite what you think, I kinda like it) or an iMac, I would give them a click through and take a look-see. It's called "targeted advertising." I think the tv networks got it down pretty good, now the NET advertisers need to figure it out.

    10. Re:*sigh* by Dyolf+Knip · · Score: 2
      > It's certainly down to more than the "10,000 suckers" you suggest.

      Oh I agree. Like I said, Wishful Thinking. I actually do follow a couple of the more realistic ads. But for the love of Pete, I had to set my Hotmail account to automatically discard spam since it was filling up the entire account faster than the spam bucket was being emptied! We're talking three or four hundred spams in less than a week! And 99% of them fall into one of three categories: sex organ enlargement and various performance improvement widgets, though I'm quite satisfied with mine already; a fake college degree, though I already have a real one; debt consolidation, though I'm 5 years ahead on my college loans. I simply don't need this kind of harassment.

      I really do wish spammers would actually target their audience. I might get just as much junk, but it'd at least bear some resemblance to stuff that relates to me.

      --
      Dyolf Knip
    11. Re:*sigh* by Anonymous Coward · · Score: 0

      I feel so left out. No spam in my logs.
      Maybe your web site has the logs visible, or has keywords such as "log" or "links" which might be common on the targeted blogs?

  9. It's probably by CySurflex · · Score: 2

    ...just some blogger that was slashdotted, unwilling to believe that (s)he's really getting that many hits referred to from just one site.

  10. Well.. by joyoflinux · · Score: 3, Insightful

    He just got a link posted on /. and Wired--I wonder how many spammers are going to target him now... This seems a little against logic.

  11. In other news... by CySurflex · · Score: 5, Funny

    Windows users are complaining that Microsoft is filling up their computer's System Event Log with spam about illegal exceptions and page faults.

    1. Re:In other news... by Anonymous Coward · · Score: 0

      Jul 10 14:55:37 vibram kernel: Unable to handle kernel paging request at
      virtual address 1a2d231c
      Jul 10 14:55:37 vibram kernel: printing eip:
      Jul 10 14:55:37 vibram kernel: c0129157
      Jul 10 14:55:37 vibram kernel: *pde = 00000000
      Jul 10 14:55:37 vibram kernel: Oops: 0000
      Jul 10 14:55:37 vibram kernel: autofs dmfe ipv6 iptable_nat ip_conntrack
      iptable_filter ip_tables ide-cd cdro
      Jul 10 14:55:37 vibram kernel: CPU: 0
      Jul 10 14:55:37 vibram kernel: EIP: 0010:[] Not tainted
      Jul 10 14:55:37 vibram kernel: EFLAGS: 00010206
      Jul 10 14:55:37 vibram kernel:
      Jul 10 14:55:37 vibram kernel: EIP is at __find_get_page [kernel] 0x17
      (2.4.18-3)
      Jul 10 14:55:37 vibram kernel: eax: 1a2d2314 ebx: 0000007f ecx: c6e945f4
      edx: 0000003e
      Jul 10 14:55:37 vibram kernel: esi: c012a3d0 edi: 0000003e ebp: c7fad4bc
      esp: c767fe50
      Jul 10 14:55:37 vibram kernel: ds: 0018 es: 0018 ss: 0018
      Jul 10 14:55:37 vibram kernel: Process sh (pid: 2728, stackpage=c767f000)
      Jul 10 14:55:37 vibram kernel: Stack: c012a48c c6e945f4 0000003e c7fad4bc
      0000007f c6e94540 c6e945f4 c40c7220
      Jul 10 14:55:37 vibram kernel: c3d32344 c0126546 080b3966 c7c29260
      c4bd6de0 c012a3d0 08086cd0 c4bd6de0
      Jul 10 14:55:37 vibram kernel: c01265a1 c4bd6de0 08086000 00000000
      00299a31 00000003 c7f2f005 c7bb42c0
      Jul 10 14:55:37 vibram kernel: Call Trace: [] filemap_nopage
      [kernel] 0xbc
      Jul 10 14:55:37 vibram kernel: [] do_anonymous_page [kernel] 0xf6
      Jul 10 14:55:37 vibram kernel: [] filemap_nopage [kernel] 0x0
      Jul 10 14:55:37 vibram kernel: [] do_no_page [kernel] 0x51
      Jul 10 14:55:37 vibram kernel: [] handle_mm_fault [kernel] 0xca
      Jul 10 14:55:37 vibram kernel: [] get_chrfops [kernel] 0x74
      Jul 10 14:55:37 vibram kernel: [] do_page_fault [kernel] 0x12a
      Jul 10 14:55:37 vibram kernel: [] chrdev_open [kernel] 0x36
      Jul 10 14:55:37 vibram kernel: [] dentry_open [kernel] 0x165
      Jul 10 14:55:37 vibram kernel: [] filp_open [kernel] 0x4d
      Jul 10 14:55:37 vibram kernel: [] getname [kernel] 0x5e
      Jul 10 14:55:37 vibram kernel: [] sys_ioctl [kernel] 0x223
      Jul 10 14:55:37 vibram kernel: [] do_page_fault [kernel] 0x0
      Jul 10 14:55:37 vibram kernel: [] error_code [kernel] 0x34
      Jul 10 14:55:37 vibram kernel:
      Jul 10 14:55:37 vibram kernel:
      Jul 10 14:55:37 vibram kernel: Code: 39 48 08 75 f4 39 50 0c 75 ef 85 c0 74 03
      ff 40 14 c3 8d b4

    2. Re:In other news... by Anonymous Coward · · Score: 0

      So that's what they look like. After 10 years of running linux on at least ten computers, I've never seen one of those.

    3. Re:In other news... by Anonymous Coward · · Score: 0

      From Google:

      Searched the web for "kernel oops". Results 1 - 10 of about 16,300. Search took 0.41 seconds.

      Searched the web for "windows crash". Results 1 - 10 of about 4,920. Search took 0.42 seconds.

      This is even more amazing when you consider the number of users of Windows vs. linux.

    4. Re:In other news... by Anonymous Coward · · Score: 0

      It's about time you learn to read your logs, fucko!

    5. Re:In other news... by PD · · Score: 1

      The search for "blue screen of death" comes back with 30,500 results

    6. Re:In other news... by Anonymous Coward · · Score: 0

      Even so, that is less than double the results of "kernel oops". Which is much less in proportion to the number of users.

    7. Re:In other news... by Anonymous Coward · · Score: 0

      The issue is that windows crashes "kernel oopses" can be in MANY forms.... those were just TWO possibilities... [look for the wording of error "0E"] for another...

    8. Re:In other news... by Yottabyte84 · · Score: 1

      Kernel oopses aren't usually fatal, are they?

  12. I don't know if these are *as* bad. by Find+love+Online · · Score: 2, Interesting

    For one thing, I only get about 2-3 legit emails a day, vs 20-30 spams.

    On the other hand, I usually get a few thousand refer logs, and I *already* get a bunch of bogus refer logs from buggy browsers or something (like, a refer from a site I link to, I guess from people hitting the back button, that kind of thing).

    On the other hand, I could see how it could get annoying for small sites.

    The "solution" you mentioned wouldn't really work, as the spammers could simply download your images as well.

    A more effective way to block these would be to scan sites in your logs and check to see if they link to you. It might take a while for huge sites, but then huge sites probably don't look through their refer logs as much.

    OTOH, you would miss out on hits from sites that have random URLs or that kind of thing (like goggle's 'get lucky button')

    1. Re:I don't know if these are *as* bad. by dattaway · · Score: 3, Interesting

      > The "solution" you mentioned wouldn't really work, as the spammers could simply download your images as well.

      I see a solution in this. It would be the spammer's own DOS attack. If they're willing to download /dev/zero in order to place their refer entry, that's great, more power to them. If they don't download data, that invalid refer entry could easily be dismissed. Solution? I'm sure someone will crank out a spammer-refer-mod to include in apache.conf over this. :)
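The two filters discussed in this sub-thread (drop referer entries from clients that never fetched an image; fetch the referring page and verify it really links back) as an added example. This is not code from the submitter or from the thread; the site name `blog.example`, the log lines and the HTML snippets are constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical site whose access_log is being analysed (assumption, not from the thread).
OUR_HOST = "blog.example"

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Files a browser fetches on its own after rendering an HTML page.
ASSET_EXT = (".gif", ".jpg", ".jpeg", ".png", ".css", ".js", ".ico")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_asset(path):
    return urlparse(path).path.lower().endswith(ASSET_EXT)


def suspicious_referers(lines, our_host=OUR_HOST):
    """Heuristic from the submission: an external Referer sent by a client that never
    fetched a single image or stylesheet is probably a bot, not a browser.

    Returns {referer_host: [client_ip, ...]} for the flagged entries.  A spammer can
    defeat this by downloading the images too (dattaway's point), at the cost of
    paying for the bandwidth; page_links_to_us() below is the stronger test.
    """
    referers_by_ip = defaultdict(set)   # client ip -> external referer hosts it sent
    fetched_asset = defaultdict(bool)   # client ip -> did it ever fetch an asset?
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                    # malformed line: skip rather than guess
        if is_asset(rec["path"]):
            fetched_asset[rec["ip"]] = True
        ref_host = urlparse(rec["referer"]).hostname   # "-" (no referer) gives None
        if ref_host and ref_host != our_host:
            referers_by_ip[rec["ip"]].add(ref_host)
    flagged = defaultdict(list)
    for ip, hosts in referers_by_ip.items():
        if not fetched_asset[ip]:
            for host in sorted(hosts):
                flagged[host].append(ip)
    return dict(flagged)


def page_links_to_us(html, our_host=OUR_HOST):
    """Second test proposed in the thread: fetch the referring page yourself and
    check that it really carries a link to your host.  The HTML is passed in so
    the check runs offline here; a real script would fetch it over HTTP."""
    for href in re.findall(r'href\s*=\s*["\']([^"\']+)', html, flags=re.IGNORECASE):
        if urlparse(href).hostname == our_host:
            return True
    return False


# Constructed sample log: a real visitor (page + its assets), one forged-referer
# bot that only fetches HTML, and a Lynx user who sends no Referer at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2002:14:55:37 +0000] "GET /index.html HTTP/1.1" 200 5120 '
    '"http://search.example/q?x=1" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2002:14:55:38 +0000] "GET /style.css HTTP/1.1" 200 900 '
    '"http://blog.example/index.html" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2002:14:55:38 +0000] "GET /logo.gif HTTP/1.1" 200 2100 '
    '"http://blog.example/index.html" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Oct/2002:14:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120 '
    '"http://spam-host.example/" "Mozilla/4.0"',
    '192.0.2.77 - - [10/Oct/2002:14:56:02 +0000] "GET /archive.html HTTP/1.1" 200 3000 '
    '"http://spam-host.example/" "Mozilla/4.0"',
    '10.0.0.9 - - [10/Oct/2002:14:57:00 +0000] "GET /index.html HTTP/1.1" 200 5120 '
    '"-" "Lynx/2.8"',
]

if __name__ == "__main__":
    for host, ips in suspicious_referers(SAMPLE_LOG).items():
        print(f"suspect referer {host} from {', '.join(ips)}")   # spam-host.example from 192.0.2.77
```

The no-images heuristic only looks at clients that sent an external Referer, so the Lynx user above is never touched; a text-browser user arriving from another site would be, which is the "sorry lynx users" caveat from the submission.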

    2. Re:I don't know if these are *as* bad. by Sebby · · Score: 1
      > On the other hand, I usually get a few thousand refer logs, and I *already* get a bunch of bogus refer logs from buggy browsers or something (like, a refer from a site I link to, I guess from people hitting the back button, that kind of thing).

      Most probably buggy IE; I've seen this happen on my system. Gets worse if you use frames too.

      --

      AC comments get piped to /dev/null
  13. referer information should be disabled by default by jukal · · Score: 5, Interesting

    I don't know who started it - but I find it very odd that browsers send referer info by default. Why? It does not provide anything extra for the user but problems. It is not once or twice that you find URLs to "confidential" pages if you browse through your webserver logs. And... I bet 95% of web surfers do not even know that they are sending this information all the time. Is there really any reason why the default is to send the referer info? I have seen people riot on much less important privacy issues. Why not about this? The referer plague exists in almost all browsers - and only in few browsers you actually can easily turn it off. What's going on?

  14. This is a minor problem. by saskboy · · Score: 1

    I don't browse the blogs, but I make my own. In fact my Slashdot journal is a blog of a sort, and I haven't seen this type of spam activity, because as my journal clearly states I have a life elsewhere and don't care who looks at my journal.
    Now please look at my journal and reply to me so my life has meaning.
    Thank you for your time,
    saskboy

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  15. You can do better than that by Subcarrier · · Score: 3, Insightful

    Actually it would be quite nice to see some of these "marketing gurus" put a little more thought into their spam. Today, some of the most carefully crafted content on TV is commercials (lamentably, also some of the worst). Watch and learn. I wouldn't mind receiving a spam that is fresh, funny, engaging, and didn't involve a virgin, my cock, a septic tank, or a gentleman from Nigeria. I wouldn't mind a funny beer commercial, for instance.

    --
    "I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
    1. Re:You can do better than that by Anonymous Coward · · Score: 2, Funny

      I don't know spam that managed to involve a virgin, a cock, a septic tank, and a gentleman from Nigeria would almost have to be interesting.

    2. Re:You can do better than that by Anonymous Coward · · Score: 0

      You ever heard of a comma? you need one between know and spam.

  16. Question. by mindstrm · · Score: 0, Offtopic

    Suppose I have a form on my site to collect customer information.

    Could filling this form with obviously bogus information and advertising be considered theft of services, or fraud, or something else?

    1. Re:Question. by Anonymous Coward · · Score: 0

      spammers use my contact form all the time to spam me, which of course gets me their ip address and any other information i can log

    2. Re:Question. by wotevah · · Score: 1

      You are the sad reason that laws are so complicated. If people actually had common sense and consideration for others things would be very different. Just because something isn't explicitly outlawed does not mean it is ethical to do it.

    3. Re:Question. by mindstrm · · Score: 1

      I am sad? I am posing a question in the first person.

      Perhaps I should have said "Can we sue spammers who do this because they are filling out forms with fraudulent information?"

      Oh.. and you mean laws and ethics are two different thigns? Everyone knows that.. thanks for sharing.

  17. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 1, Funny

    I can't tell you how many times a referer log in my access log files contains someone's email account pw for their web based email service... and being the ass that I am, I read their email. It's quite fun.

  18. Well.. by Find+love+Online · · Score: 0, Redundant

    Yeah, I haven't been getting much spam in my hotmail box anymore. But then again I did block all email into the thing...

  19. Sorry 'bout what? by PissingInTheWind · · Score: 3, Insightful

    ...(sorry lynx users!)

    Sorry about what? Why should they care whether you keep them in your log or not?

    --

    A message from the system administrator: 'I've upped my priority. Now up yours.'
    1. Re:Sorry 'bout what? by irc.goatse.cx+troll · · Score: 1

      Lynx users are people too :(

      stand up and be counted, fellow lynxians!
      UNITE!

      --
      Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management. -TheMaxx
  20. Spam heavy... by stefanlasiewski · · Score: 1

    No, I've noticed the opposite in my Yahoo account. I use their spamguard feature, but still, I've noticed an increase by a factor of 10x. I get A LOT of spam now.

    Perhaps hotmail is redirecting spam to Yahoo??? :)

    --
    "Can of worms? The can is open... the worms are everywhere."
  21. Boost search engine ranking? by j7953 · · Score: 3, Insightful

    From the wired article:

    ... even though they ruefully admit that the log spamming may falsely boost their ranking on some search engines.

    Umm, huh? I don't think the spammers actually link to the sites, they probably just send HTTP requests with faked referrer headers that contain the URLs of the spammer's web site. That won't boost your search engine rankings.

    --
    Sig (appended to the end of comments I post, 54 chars)
    1. Re:Boost search engine ranking? by chromatic · · Score: 2, Informative

      Several weblogs make their referrer lists public. To a spider, a spammed link is very hard to distinguish from a normal hyperlink. That's how the boost occurs.

    2. Re:Boost search engine ranking? by Anonymous Coward · · Score: 0

      > Several weblogs make their referrer lists public.
      > To a spider, a spammed link is very hard to
      > distinguish from a normal hyperlink.
      > That's how the boost occurs.

      Sorry, but the boost goes to the site that is linked to, not the one that publishes the link.

      The spammer has no actual link to your site so you get no boost.

      But now you have a link to him so the spammer gets boosted on the search engines.

      How nice.

      -HJC
      http://www.io.com/~hcobb/

  22. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  23. The worst case by Alejo · · Score: 0, Flamebait

    Is this damn pr0n referer.

  24. Re:Spam Lite Hotmail? by saskboy · · Score: 1

    Spam to Hotmail has decreased the past few days. I have 5 different accounts, and each one is getting about 70% less spam per day. The stuff I do get is more likely to get by my custom filters though because Hotmail has restricted the number of custom filters to only 10, unlike the previous 30something.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  25. Re:referer information should be disabled by defau by Student_Tech · · Score: 1

    I have come across a few sites that use the refer info to let you access files and images, so other sites can't just link directly to the file.

    That is one use I have seen and know of.

  26. Score another for Opera! by RevRagnarok · · Score: 3, Informative

    In the regular prefs and the "quick prefs" (F12 under Windows version) Opera lets you turn off referrer logging. The only time I need to turn it on is certain sites, like my credit union, which is no big deal...

    --
    I should put something clever here. Maybe someday.
    1. Re:Score another for Opera! by Anonymous Coward · · Score: 1, Informative

      And this really has nothing to with the issue at hand. All this does is mean your hit won't "count." The problem is spammers are adding fake referal hits, which link back to their sites.

    2. Re:Score another for Opera! by singularity · · Score: 1

      iCab, for the Mac, allows you to turn it off, or, even better, to restrict it to only within the same site.

      So Sony can trace how I navigated through their site, but cannot tell that I linked there from Amazon.com

      Why do not all web browsers offer this amount of easy security and preferences?

      (iCab also features built-in ad blocking and the ability to identify itself as any browser).

      --
      - (c) 2018 Hank Zimmerman
  27. Nope by Find+love+Online · · Score: 1

    The exact opposite for me. Spammers finally figured out one of my new email addresses on my own mail server, I'm guessing through 'name combinations' (i.e. they know my domain, they know my name, and they spam every combination)

    1. Re:Nope by Anonymous Coward · · Score: 0

      It's called a "Rumpelstiltskin attack".

  28. Re:referer information should be disabled by defau by jukal · · Score: 2
    > referer log in my access log files contains someone's email account pw for their web based email service... and being the ass that I am, I read their email. It's quite fun.

    And why wouldn't you? The user is basically direct marketing his/her user credentials especially for you. Also, ever wonder how these highly confidential web pages entered Google? Yes, of course Google indexed a cool "these guys referred us" page. And of course the poor author of the page "for your eyes only" did not think he would need to password protect it - because it will only be accessed by the 100 company executives (...who happily browse to pr0n sites to leave referral marks after reading the study on intranet security...)... I think I will pop!

  29. what is this? by Dr.+Awktagon · · Score: 3, Interesting

    I'm not sure I understand. Does this mean the spammers put links on their own porn (or whatever) sites, and casual surfers will click into the blog from the porn site, thus making the porn site show up in the logs as the referer? That's how the referer is supposed to work, right?

    Or are they just bots that hit random web sites and send fake referers along?

    Either way, I have absolutely no clue why this would be abusive or even annoying? Can someone explain? Do people sit around checking their referers all day long?? (Then again, I don't understand why anyone would run a blog, so maybe I'm just out of touch).

    I clean out all my outgoing referers (thanks squid), so maybe I subconsciously assume everybody else does too. Never thought of the referers as anything but a silly waste of bandwidth, since they can be forged so easily.

    1. Re:what is this? by Anonymous Coward · · Score: 0

      i guess since this is modded at +4 but nobody's answered the question, means nobody else knows the answer either? :o

    2. Re:what is this? by mesocyclone · · Score: 2

      From what I have seen on my logs...

      They hit your site with a referrer address of whatever they want you to read. They count on your curiosity to go there when you are investigating your referrer logs.

      I have been bitten by this once or twice.

      --

      The only good weather is bad weather.

    3. Re:what is this? by crapulent · · Score: 3, Interesting

      My interpretation of this article is that the spammers are setting their client's "Referer:" header field to their porn site, and then retrieving pages from the blogs. The result is that links to the porn/spam sites appear in the Apache referer log file on the blog site. The spammers do this because they know the blog operators pay extra attention to their referer logs and are likely to follow those links (either out of curiosity or out of the desire to maintain reciprocity with other blogs that may link to them.) Apparently the bloggers have scripts that automatically harvest all the URLs from these referer logs to make this process easier.

      I don't think the spammer would bother creating an actual link on their porn/spam site to the blog, although this would work as well. It's silly though since it's more work and it still requires that someone actually click on the link for the porn URL to make it into the referer log. Why bother when they could just run an automated script to hit the blog with the forged "Referer:" and then discard the results. The only possible reason to do it this way is that the spam URL would be sent multiple times from different IP addresses, and hence harder to filter or ignore.

      The confusing bit is that the article mentions that this might prop up the blog's SearchRank relevancy. This would only be the case with the latter method (creating an actual link) whereas the more straightforward way would have no such effect.

  30. Re:Spam Lite Hotmail? by guidemaker · · Score: 2, Informative

    Haven't Microsoft started using brightmail to filter spam from hotmail?

    According to MS themselves: Brightmail to Deploy Server-Side Technology on MSN Hotmail

    This might be something to do with it...

  31. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    Only server admins can access those logs. Since these admins are networking professionals, we can expect the same amount of discretion from them as from any other professional like your doctor or your lawyer.

  32. Well... by devphil · · Score: 0, Offtopic


    ...personally, I was hoping that one of the victims of the Washington, D.C., sniping spree would turn out to be a major spammer. Guess they were all humans instead.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  33. Re:referer information should be disabled by defau by jukal · · Score: 5, Funny
    > I have come across a few sites that use the refer info to let you access files and images, so other sites can't just link directly to the file.

    Yes, referrer information makes an excellent authentication scheme for highly confidential system dealing with transfer of mission critical information. ... Just also check for a magic string in the user agent and voila! trusted computing reinvented. To make it unhackable - just add a few more levels of obfuscation. ;))) The sad part of this, is that I have actually seen authentication schemes like this. Don't know whether I should cry or laugh :)

  34. Re:enlarge your penis now! by Anonymous Coward · · Score: 0

    Actually, it should be o and double l. Not trool.

  35. Re:referer information should be disabled by defau by jukal · · Score: 2
    > Only server admins can access those logs. Since these admins are networking professionals, we can expect the same amount of discretion from them as from any other professional like your doctor or your lawyer.

    Hah. Since this is a highly competitive market, the first argument used when selling an 8-year-old his first "web space" is "YES! Of course you have full access to log files, what did you expect?!" "Don't believe us?! Let's look at this company's report as a showcase, just for you.. boy... ermm. Sir."

  36. Re:enlarge your penis now! by SoSueMe · · Score: 1

    T-r-o-o-l?
    There is no excuse for poor spelling. Or as you would obviously put it, "S-p-e-e-l-i-n-g"

  37. Re:referer information should be disabled by defau by Openadvocate · · Score: 4, Insightful

    There are many reasons, mostly for those who program websites. Sometimes you don't want people to see a page before another. This could also be solved with cookies, but some block those too.
    Then there are the statistics: learn how people navigate around your site. The referer can help you see a pattern and improve your layout.
    Also it can prevent bandwidth hogs, mostly an issue with ad graphics and porn sites where people use graphics from other servers on HTML pages on their own sites, but also on free servers where people place graphics and files and link to those directly without using any HTML, and then not showing any of the free servers' ads which provide them with the money to run the sites in the first place.

    --
    my sig
  38. Re:referer information should be disabled by defau by analog_line · · Score: 2

    This isn't for authentication.

    This is for people who don't want people "deep linking" to material within their sites. As an example www.gamefaqs.com allows people to link to some of the pages within their site, but not directly to the FAQs they host (which are merely submitted text files) by using the refer info. This stops people from bypassing the ads which pay for the site.

  39. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    you're retarded, you didn't read the parent post at all, you're just looking to try and look smart by discussing a use of referral info that has NO bearing on what the parent poster said. So in summary: you're retarded, try reading instead of karma whoring.

  40. Re:referer information should be disabled by defau by man_ls · · Score: 2

    Apache mod_rewrite (difficult for me to use because of the bizarre Unix shell syntax that I am not familiar with) does just that. I use it to keep people from stealing my images in my main web directory, but allow them to link to them freely in the Uploads directory.

  41. Page fault ignorance by Anonymous Coward · · Score: 0

    Page faults happen all the time. They're probably happening to you right now. A computer without page faults is a computer without virtual memory. Page faults aren't going to be reported in any System Event Log.

    1. Re:Page fault ignorance by CySurflex · · Score: 2

      > Page faults happen all the time. They're probably happening to you right now. A computer without page faults is a computer without virtual memory. Page faults aren't going to be reported in any System Event Log.

      You're right... my mistake. I meant Global Protection Faults!

  42. Re:enlarge your penis now! by Anonymous Coward · · Score: 0

    Actually, it should be o and double l. Not trool.

    That would make it trooll.

    Llooser...

  43. Re:referer information should be disabled by defau by stienman · · Score: 5, Informative

    It's nice, as a site operator, to know where your guests are coming from. A good portion of my visitors come from Google and other search engines. The referrer log lets me know what they were searching for, and in nearly 95% of the cases they were looking for a specific topic on my site. I can send them directly there, give them a specific welcome message if they haven't been to my site before, etc.

    Furthermore I can restrict traffic for some areas of my site (like some sites that block links from slashdot) for particular reasons or uses. "You just came from the page of an associate and are able to receive a discount." "This page is restricted to users of xyz.com. Please go there first."

    Lastly, it protects my image content. My images are not stellar, and yet other sites continue to use them on their pages. I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

    Referrer information may be annoying to you, but it's an extremely useful tool. If taken away one restricts opportunities for the site operator to personalize and protect content on their site. Not a huge loss, but it isn't really as great a privacy issue as you seem to believe.

    -Adam

  44. Re:referer information should be disabled by defau by Dr.+Awktagon · · Score: 3, Insightful

    Just also check for a magic string in the user agent and voila! trusted computing reinvented. To make it unhackable - just add a few more levels of obfuscation. ;))) The sad part of this, is that I have actually seen authentication schemes like this. Don't know whether I should cry or laugh :)

    probably cry... what you described could easily be enforced with the DMCA.

    If you use wget, watch out when using "--referer" and "--user-agent".... you just might be breaking TEH LAW!!!

  45. +1 funny by Anonymous Coward · · Score: 0

    mod dat sumbitch up

  46. Re:referer information should be disabled by defau by phliar · · Score: 3, Insightful
    Do what I do: use Privoxy. Not only can you use it right now with whatever your favourite browser is, it's free. Not only does it block ads, it allows you to set Referer: on all outgoing requests to whatever you want. (I set it so Referer: is always the base URL of the page being viewed.)

    Incidentally, I don't know why anyone bothers with logging referrer information. The only use sounds like what the bloggers do. If you're not a blogger, why do you even care who the referrer is? Half the time it's bogus or one of your own pages.

    --
    Unlimited growth == Cancer.
  47. Re:referer information should be disabled by defau by Xformer · · Score: 1

    That would only happen if one of those executives put links to pr0n sites on the page.

    <sarcasm>Of course, that would never happen. All executives are clean and honest.</sarcasm>

    --
    All I want is a kind word, a warm bed and unlimited power.
  48. Re:referer information should be disabled by defau by phliar · · Score: 2, Redundant
    > Yes, referrer information makes an excellent authentication scheme for highly confidential system dealing with transfer of mission critical information. ... Just also check for a magic string in the user agent and voila! trusted computing reinvented.

    Heh-heh! It's amazing how moronic some "security" is. I use an HTTP proxy (Privoxy) that not only blocks all ads, it allows me to set the Referer: on all outgoing requests to the base URL. Most of these sites just check that Referer: is a URL on their own site.

    --
    Unlimited growth == Cancer.
  49. RTFA by Galvatron · · Score: 3, Informative

    As it says in the article, some blogs have automated lists of the top referrers, so that visitors can see who links to the blog. And yes, we're talking about bots sending fake referrers.

    --
    "The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
  50. Re:referer information should be disabled by defau by commodoresloat · · Score: 2
    > Yes, referrer information makes an excellent authentication scheme for highly confidential system dealing with transfer of mission critical information.

    I.e. for something other than the WWW.

  51. Re:referer information should be disabled by defau by FTL · · Score: 4, Interesting
    >I don't know who started it - but I find it very odd that browsers send referer info by default. Why? It does not provide anything extra for the user but problems.

    It is extremely useful for security purposes.

    No, not the security most people are thinking of. Checking to see if the user came from FeedBack.html before executing FormMail.pl is no security, since spammers can forge any referer they want.

    I'm talking about security which stops a human user who is logged in to a particular website from being tricked into performing actions they didn't authorise. For instance: I log into my server's administrative area. Then, in another window, I browse someone's blog. And I click on their "search" button. As it turns out, this search button is a trap, which sends me to my own admin area with a command to delete someone's account. I'm logged in, I have a valid network address, I'm active, there's no problem. Except that fortunately my browser sends "Referer: www.blog.org" instead of "Referer: www.admin.com".

    That's why referer info is useful: to prevent a user from being hijacked.

    --
    Slashdot monitor for your Mozilla sidebar or Active Desktop.
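The two legitimate uses of Referer argued for in this thread, as one added example that is not from any commenter: the hotlink / deep-link guard (comments 37, 38, 40 and 43, the mod_rewrite case) and FTL's cross-site request check just above. The host names `www.admin.com` and `www.blog.org` are taken from the comment; the request dictionaries are constructed.

```python
from urllib.parse import urlparse

# Hostnames the checking site considers its own (from the comment; assumed for the demo).
OWN_HOSTS = {"www.admin.com"}
ASSET_EXT = (".gif", ".jpg", ".jpeg", ".png")
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def referer_host(headers):
    """Hostname from the Referer header, or None when it is absent or has none.

    Compare hostnames, never substrings: testing 'www.admin.com' in the raw
    string would also accept http://www.admin.com.evil.example/ or ?r=www.admin.com.
    """
    value = headers.get("Referer")
    if not value:
        return None
    return urlparse(value).hostname


def allow_hotlinked_asset(headers, own_hosts=OWN_HOSTS):
    """Deep-link / hotlink guard for images, the mod_rewrite case in the thread.
    A missing Referer is allowed here: proxies (Privoxy, squid) and 'open in new
    window' strip it, and a wrong answer only costs one image, so fail open."""
    host = referer_host(headers)
    return host is None or host in own_hosts


def allow_state_change(headers, own_hosts=OWN_HOSTS):
    """Guard for a state-changing request in a logged-in session (FTL's case).
    The trap page cannot make the victim's browser lie about the Referer, but it
    can arrange for the header to be blank, so here a missing header fails closed."""
    host = referer_host(headers)
    return host is not None and host in own_hosts


def check_request(method, path, headers, own_hosts=OWN_HOSTS):
    """Dispatch: which policy applies to this request?  True means serve it."""
    if method.upper() in STATE_CHANGING:
        return allow_state_change(headers, own_hosts)
    if path.lower().endswith(ASSET_EXT):
        return allow_hotlinked_asset(headers, own_hosts)
    return True   # ordinary page views are not gated on Referer at all


if __name__ == "__main__":
    # Constructed requests replaying the scenario from the comment above.
    from_own_site = {"Referer": "http://www.admin.com/users"}
    from_trap = {"Referer": "http://www.blog.org/search"}
    print(check_request("POST", "/admin/delete_user", from_own_site))   # True
    print(check_request("POST", "/admin/delete_user", from_trap))       # False
    print(check_request("GET", "/logo.gif", {}))                        # True
```

Neither check stops a bot that sets its own Referer (the FormMail point in the same comment): it only helps where the request is made by the victim's real browser. On today's web the same job is done more robustly with per-session anti-CSRF tokens, the Origin header and SameSite cookies, with Referer as a secondary signal.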
  52. Re:referer information should be disabled by defau by Gumber · · Score: 2

    This isn't a bad way to keep other sites from "abusing" your content or bandwidth since it requires a client-side mod to get around. It, of course, does nothing against determined clients, but that is a different matter.

    No, it isn't perfect, but it is one mechanism.

  53. Re:referer information should be disabled by defau by Permission+Denied · · Score: 4, Insightful
    > I can send them directly there, give them a specific welcome message if they haven't been to my site before, etc.

    This is so damned annoying. If I'm searching for some specific information, I don't give a damn about your idiotic welcome page. I don't care what your website is about or what you have to say on your other pages - all I care about is the specific technical information that google told me you have.

    More and more, I'm finding myself using Google's cache instead of clicking on the actual links. I know you couldn't care less about my insignificant browsing habits, but the more people start doing annoying crap like this, the more people start using Google instead of the web.

    "This page is restricted to users of xyz.com. Please go there first."

    Do you realize how stupid this is? You're trying to control how I use my browser. Of course I'm not going to go to xyz.com and try to use their idiotic navigation looking for a link to you. You're simply advocating another form of advertisement and I'm not interested. I care about the data you're providing, not how you're getting funded.

    I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

    And this is, of course, broken behaviour. Did you know that when you open a new link in Netscape/Mozilla that the browser does not send any referer at all? This means that I can't open your images in new windows and I'm constrained to view your images one at a time. Also, some browsers change the referer for images when you "save" images (eg, right-click and choose "Save as..." may not send the referer you're expecting).

    If taken away one restricts opportunities for the site operator to personalize and protect content on their site.

    If you're using this to restrict content to your site ... well, forget it. If you have something I really want, I'll open up a terminal and telnet to port 80. Yes, this is indeed effective restriction. (Quiz to see if you really know what you're doing: how would you set it up so that you know that a user has previously visited another site, with cryptographic confidence?)

    As for "personalizing" content, please stop. The only times I've seen that word being used in a web context is to personalize advertising (and also restricting content because I'm not using IE, but don't get me started on that). I've never seen anyone "personalize" a site in a useful way, eg, "You're a C programmer who writes Solaris kernel modules, so you're probably not going to spring for my Herbal viagra scheme and I'm going to cut the marketing BS and give you only useful information."

    Why do these "blogs" even keep logs of referer links? This is pure narcissism (and more importantly, a waste of disk space - even though disk is cheap, it's still worth more than someone else's paltry feeling of acceptance). If you're going to say something, just say it. Don't base your life around how many people like what you say. "Ohh, somebody linked to my journal, that means I'm special and I can now feel good about myself." Ahh - get a life.

    I swear, "webmasters" piss me off.
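The two referer checks argued over in this thread, written out as an added Python example (not code from any commenter): a fail-closed check for state-changing admin requests, as in the trapped "search" button scenario described earlier, and a fail-open hotlink check that admits requests carrying no Referer at all, because browsers omit the header for links opened in a new window or saved directly. The host names are assumptions. As the thread already notes, neither check constrains a client that writes its own Referer; the first only stops a browser being steered from someone else's page, the second only stops other people's pages from embedding your images in ordinary browsers.

```python
from urllib.parse import urlsplit

# Hypothetical site: the hosts that requests are allowed to originate from.
OWN_HOSTS = {"www.example.net", "example.net"}


def referer_host(referer):
    """Return the lowercased host of a Referer header, or None if absent/unparseable."""
    if not referer:
        return None
    parts = urlsplit(referer.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def allow_state_change(method, referer, own_hosts=OWN_HOSTS):
    """Referer check for state-changing requests (the admin 'delete account' case).

    Fails closed: a missing or foreign Referer is rejected, because the
    browser-sent header is the only evidence that the click came from our own
    pages. Safe (read-only) methods are not checked at all.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    host = referer_host(referer)
    return host is not None and host in own_hosts


def allow_image_request(referer, own_hosts=OWN_HOSTS):
    """Referer check for hotlink protection.

    Fails open on a missing Referer: browsers omit it when a URL is opened
    directly or in a new window, and refusing those requests breaks ordinary
    visitors without stopping a client that simply drops the header.
    """
    host = referer_host(referer)
    if host is None:
        return True
    return host in own_hosts
```

The asymmetry is the whole point: for the admin action a missing header means "no evidence, refuse"; for images a missing header is normal browser behaviour and refusing it is the breakage complained about above.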

  54. Re:referer information should be disabled by defau by goon+america · · Score: 2

    I would agree with you, but for some reason the creepos at freerepublic.org love to link to my images. It's a giant, sudden bandwidth waste. Don't know why they do that, don't care, I stopped them and I needed their referer headers to do it.

  55. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    There are many reasons, mostly for those who program websites.

    Okay, but I expect my browser to do things for me, not for those who program websites.

    Sometimes you don't want people to see a page before another. This could also be solved with cookies, but some block those too.

    Okay, but that doesn't explain why the browser sends this information. Someone not wanting me to see something in the order I choose should not expect help from my software.

    Then there are the statistics: learn how people navigate around your site. Referer can help you see a pattern and improve your layout.

    Okay, but that doesn't explain why the browser sends this information.

    Also it can prevent bandwidth hogs, mostly an issue with ad graphics and pron sites where people use graphics from other servers on html pages on their own sites, but also on free servers where people place graphics and files and link to those directly without using any html and then not showing any of the free servers' ads which provide them with money to run the sites in the first place.

    Okay, that's a reason why the web site would want this information, not why I would want to send it. If I want to follow a link directly to a web site then the last thing I want is for my browser to be actively undermining me.

    For clarity, I think the original question was why the browser sends this information by default, not why people on the other end would want to receive it.

  56. Re:referer information should be disabled by defau by Lumpy · · Score: 2

    Lastly, it protects my image content. My images are not stellar, and yet other sites continue to use them on their pages. I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

    no it doesn't... it protects your BANDWIDTH. by keeping joesimagewhores.com from embedding your images directly in their html you protect your BANDWIDTH.. there is nothing you can do to keep me from copying your images from your site and using them in my site.. you can try the lame Java and Javascript solutions... those won't even slow down a web-user with 1/2 a brain.

    so please, tell us the truth, you are protecting your bandwidth and rightfully so.

    Me? I have more fun with it... I have a perl script that returns random porn if the photo is asked for from outside my site or it uses ImageMagick's mogrify to place "stolen from MEMEME.COM" in the center of the image... depending on my mood... (No I will NOT post my personal website on slashdot... I'm not about to get a huge bandwidth bill because of you guys!)

    I dont care if they steal my images. I care if they try to steal my bandwidth though...

    --
    Do not look at laser with remaining good eye.
  57. Re:referer information should be disabled by defau by Guppy06 · · Score: 2

    "Why? It does not provide anything extra for the user but problems."

    Because it's nice for us site hosts to know where the traffic is coming from, helping us to realize just how few constituents are visiting our sites...

    *mutter* Last damn time I put a URL in my sig...

  58. What? by Find+love+Online · · Score: 1

    Well, if you went around putting image links to /dev/zero, I doubt many people would visit your website anyway.

    And secondly, if you're making raw HTTP connections to the client (which they probably are, to fake the browser version) then there is no way to download anything that isn't on your computer. And, they don't even need to actually download it, they can just ignore whatever comes back from the pipe. As long as they make a request, it's in the logs.

    Ultimately, there is no real way to tell the difference between a refer-spammer making a request and a regular user.

  59. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    This sort of thing is why I normally have referer set to 'off' (Opera user). Also why someone proposed a third setting for Opera that I hope but doubt will be implemented: Instead of just 'on' or 'off', add an option that says 'claim the site you're visiting is the referer' -- so that no real referer info is sent, but those 'image protection' schemes get satisfied. I would use this setting if I had it available to me.

  60. The internet is NOT unique by MacAndrew · · Score: 2, Interesting

    The internet is so often dealt with as if it were entirely novel. For the most part it's not, and simply complements telephone, fax, USPS, television, and so on for delivering information. (Granted, it is pretty neat.)

    So at minimum the internet deserves regulatory parity with these other media. Abuse of telephones and faxes was dealt with years ago -- (albeit incompletely -- our phone rings off the hook, I'll rant another day). For some reason business was quick to push for the outright ban on junk faxes, but hasn't for email which must waste a lot of their employees' time and hassle IT, in the end costing them money. Money talks, so I wish there was a more concerted effort by those businesses that would never themselves spam.

    As with junk faxes (again, analogies everywhere) the injury from each incident is too small to do anything about; but we can act collectively through our government to attack the collective harm that is quite large.

    I won't comment on the current political obsessions in DC on anything but domestic policy, but I hope we see something soon. I don't think state-by-state legislation will do the trick. Your opinion will count if you express it to the right people. Writing your congresspeople for one is NOT a futile activity: they carefully tally what their constituents are saying, and you will likely get at least a form letter in reply. (BTW, I think a real paper letter carries more punch than email.)

    Exasperated outside DC, Andrew

    1. Re:The internet is NOT unique by Anonymous Coward · · Score: 0

      eh, your congress people don't care what the people think. A LOT of people phoned, faxed, wrote letters, to tell them NO WAR against IRAQ, and they all voted for it anyways. (one who didn't, is now dead..) screw 'em and their law.

    2. Re:The internet is NOT unique by Cramer · · Score: 1
      • Abuse of telephones and faxes was dealt with years ago
      No it wasn't. If it were, in fact, dealt with then we wouldn't have so many asses sending junk faxes and 100% automated telephone marketing. I get at least one call a week from either some dumbass carpet cleaning company (I live in an apartment. Carpet cleaning is not my problem. And they know damn well it is) or an equally stupid insurance company ("... here's Frank to tell you more.") Both of those are 100% illegal -- there MUST be a human at the other end of the line; a computer can dial and answer, but it has to put a human on when I answer.

      The collective harm of email SPAM is, provably, orders of magnitude greater than junk faxes. How much bandwidth is consumed globally in both carrying and fighting spam? Why do we need faster and faster connections globally and to the end user...

      As for government and politics... these have never worked and never will. The only people qualified to run a country won't come anywhere near it. The least qualified are the ones lining up to screw things up. And even the most qualified people become corrupted by the process and power. And the winds changing directions every few years doesn't help.
  61. Re:referer information should be disabled by defau by jonbrewer · · Score: 2

    Incidentally, I don't know why anyone bothers with logging referrer information.

    It's good to know who is sending users to a dead link. Just by checking the referrer information for the 404 entries in your logs can determine what website is pointing users to a document that you have deleted or moved.

  62. Re:referer information should be disabled by defau by nial-in-a-box · · Score: 0

    Not to knock your sig, which is admittedly funny, but technicalities could lead one to conclude that regardless of Linux's price you will get zero performance. Perhaps I'm insane, but that's the order I use when converting ratios to division expressions. Peace.

    --
    I am feeling fat and sassy
  63. The referer information can be useful by amemily · · Score: 1

    I use it on my employer's site for a central feedback form that sends feedback to the proper person based upon what the referring page was.

  64. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0
    Thanks. That covered my rant. But I still want to say, don't look at my referrer link. It's none of your business. You want to put pages up, put them up and stop spying on everyone. The referrer field was for diagnostics not snooping.

    Oh, guess I still had some ranting left.

    I'm sick of being modded down for being "overrated". Mod my anonymous post all you like.

  65. Re:referer information should be disabled by defau by t · · Score: 2

    That's not useful, that's obnoxious. If you put a link out, you should keep it alive using a redirect or whatever. If you continually expect other people to fix their links every fucking time you move shit around then forget it.

  66. Why not fight back against the scumbags? by FyRE666 · · Score: 2

    When I'm feeling bored, I'll take a look through some of the crap procmail catches, and visit a site being advertised (if it's still up). But I don't just visit once! No! I leave lynx visiting the biggest page I can find by starting a script on my server, then forgetting about it for a day or so.

    If only a few hundred more people started doing this - absolutely flooding these spammed Pr0n sites, and get-a-big-dick-quick scams - they would have HUGE bandwidth bills, and think twice about using the same marketing technique again.

    It's no use trying to email abuse depts, or reason with this scum, you have to hit them where it hurts, in the wallet. The only way to do this (for us at least) is to suck their bandwidth dry ;-) If you have a DSL connection at home (and you're not capped), why not use it to do some good when it would otherwise sit idle?

    1. Re:Why not fight back against the scumbags? by t1m0r4n · · Score: 2, Insightful

      they would have HUGE bandwidth bills, and think twice about using the same marketing technique again

      Actually, any smart spammer won't host the web page on a real server (at least in most countries). Even in the adult industry spam is strictly forbidden by service providers and sponsors.

      The web page you are hitting almost always is on a temporary account with the intent of being shut down quickly. The web server is probably sitting in an apartment somewhere and bandwidth bills are no concern. In a couple of days the computer will be unplugged, reformatted, and connected to a different internet service provider.

      Spammers usually aren't computer illiterate. By day they are highly skilled sys admins or consultants in the corporate work place. They send spam by night because it pays better.

      Quite simply, if people didn't make purchases the spam would go away. But, alas, that is not the case.

    2. Re:Why not fight back against the scumbags? by GeekWithGuns · · Score: 0, Redundant

      I looked through my weblogs and noticed this crap in my logs, so I thought about filling their log with a few hundred links to a picture that would properly express my feelings, but my wife convinced me otherwise. Since I was able to track the assholes down, I just emailed their ISP and ironically the spammer assholes at their abuse address. Check out the nasty gram I shot off to them. I doubt it will make a difference, but it made me feel better.

      --
      [End of diatribe. We now return you to your regularly scheduled programming...] - Larry Wall in Configure from the perl
  67. Re:referer information should be disabled by defau by Tarpan · · Score: 1

    Ehh.. no it doesn't, it only stops the ones not able to do it correctly. Ie fake the referer in this case.

  68. Re:referer information should be disabled by defau by sparkz · · Score: 2

    Glad someone said that, I was about to make the same comment. Dividing zero by a positive is not an error - the result is just zero.

    --
    Author, Shell Scripting : Expert Re
  69. Finding bad links by Fastolfe · · Score: 2

    One of the primary uses I have for referrer information is locating bad or malicious links. If someone is sending large volumes of traffic to a particular page on my site, I'd like to know where that traffic is coming from. In addition, even to pages on my own site, if I see someone following a link to somewhere they either shouldn't be going or to a mistyped URL, the referrer information allows me to identify where they're coming from, and if it's a problem with my own site, it lets me correct it.

    Perhaps referrer information should be released depending on the site's posted P3P privacy policies. If a site is interested in collecting information like this for marketing purposes, I can understand someone's reluctance to have their browser provide it. But for the rest of the sites (including those I maintain), the information is only ever used strictly for legitimate needs like those mentioned above. Please don't advocate that referrer information be restricted by default or for everyone, because that hampers my ability to troubleshoot problems.
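A worked example of the 404-by-referer analysis described in comments 61 and 69, added here and not taken from any commenter: it parses Apache combined-format log lines (the five sample lines are constructed, not real traffic) and, for each path that returned 404, separates referers on our own host (links we mistyped ourselves), external hosts (sites still pointing at something we moved or deleted) and direct hits that carried no referer. The host name www.mysite.example is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/NCSA combined log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (not real traffic): two stale inbound links to a
# moved document, one internal mistyped link, one direct hit, one normal page view.
SAMPLE_LOG = """\
10.0.0.1 - - [25/Jan/2003:10:00:01 +0000] "GET /docs/setup.html HTTP/1.0" 404 291 "http://www.blog.example/links.html" "Mozilla/5.0"
10.0.0.2 - - [25/Jan/2003:10:00:05 +0000] "GET /docs/setup.html HTTP/1.0" 404 291 "http://www.blog.example/links.html" "Mozilla/5.0"
10.0.0.3 - - [25/Jan/2003:10:00:09 +0000] "GET /docs/setpu.html HTTP/1.0" 404 291 "http://www.mysite.example/docs/index.html" "Lynx/2.8"
10.0.0.4 - - [25/Jan/2003:10:00:12 +0000] "GET /gone.html HTTP/1.0" 404 291 "-" "Mozilla/4.0"
10.0.0.5 - - [25/Jan/2003:10:00:15 +0000] "GET /docs/index.html HTTP/1.0" 200 5120 "http://www.google.example/search?q=setup" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def broken_links(log_text, own_host):
    """Map each 404'd path to where its visitors came from.

    Returns {path: {"internal": count, "external": {host: count}, "direct": count}}.
    Internal referers point at our own mistyped links; external ones identify
    sites still linking to something moved or deleted; direct hits carry no referer.
    """
    report = {}
    own_host = own_host.lower()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        entry = report.setdefault(
            rec["path"], {"internal": 0, "external": defaultdict(int), "direct": 0}
        )
        ref = rec["referer"]
        if ref in ("", "-"):
            entry["direct"] += 1
            continue
        host = (urlsplit(ref).hostname or "").lower()
        if host == own_host:
            entry["internal"] += 1
        else:
            entry["external"][host] += 1
    for entry in report.values():          # plain dicts for callers
        entry["external"] = dict(entry["external"])
    return report


if __name__ == "__main__":
    for path, entry in broken_links(SAMPLE_LOG, "www.mysite.example").items():
        print(path, entry)
```

Run against a real access_log, the external bucket is the list of sites to email about a moved document (or to add a redirect for), and the internal bucket is your own to-do list.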

  70. Re:referer information should be disabled by defau by sparkz · · Score: 2

    The point is, if I design a site which steals your bandwidth by using your images, most people who view my page can't see the images (if you block external referers to your images) Unless that changes so that most people don't send HTTP_REFERER [sic] you're safe.

    --
    Author, Shell Scripting : Expert Re
  71. Backlinking by CaptainSuperBoy · · Score: 5, Insightful

    Backlinking, or posting your referral logs, is doomed to failure and rightly so. It's just a glorified way of making your site into a link farm, with the expectation that your fellow bloggers will do the same. It is serendipitous that this practice is open to 'abuse' although I would never call the abusers spammers. They are just utilizing a method for submitting data that the site owners themselves have provided. I don't see any reason to call this 'spam' since the site owners are inviting users to submit data through HTTP referral headers.

    Also, this quote from the article is ludicrous: "bloggers are not thrilled, even though they ruefully admit that the log spamming may falsely boost their ranking on some search engines."

    There is no search engine that bases your rank on the number of sites that you LINK to. I believe the bloggers actually mean that they're sorry to see their backlinks (read: link farms) go, since those do in fact raise search rankings. What a travesty- Sites may have to rely on the actual quality of their content, rather than trading links!

    Amidst the alarmist cries in the article, "spammers will destroy our practice of posting referral logs," nobody has even mentioned that there is a ridiculously easy technical solution. Before posting a referral link, why not just have your software visit the referring site and determine if it actually links to your page? This will defeat the referral advertisers.

    1. Re:Backlinking by Pembers · · Score: 1
      Before posting a referral link, why not just have your software visit the referring site and determine if it actually links to your page? This will defeat the referral advertisers.

      Until the advertiser figures out that he can look at your referrer string (or put a ROT-13'd version of your URL into his referrer when he asks you for a page). When your script comes to check for a link back to you, he feeds your information into a CGI script that generates a page that includes the link you're looking for. Bingo! Your script is satisfied, and links to him.

      Perhaps it won't get that far, but if it becomes a problem, bloggers will just have to check sites manually. It takes a pretty sophisticated script to work out that a hit from wilddonkeysex.com is probably bogus, but a human can reach that decision in about three seconds.

      If there are too many to check manually, then perhaps they shouldn't backlink to a site until there have been more than a certain number of hits from it, or they should restrict their links page to the top 10, or the top 100.

      I think you're right about link farms - it's quite possible for your site to link to too many others. Unless you organise the links in some way (which a script probably can't), it implies that you haven't thought about who's worth linking to and who isn't.

      I run a website for a local club of amateur video-makers (stop sniggering at the back :-p ). We have rather a lot of links, but I've set up every one of them as the result of an email exchange. Either I asked the other website, or they asked me, if we would be interested in linking to each other. By this alone, our club is now in the top ten on a Google search for "camcorder". It's taken us two years to get there, but we can afford to be patient.

    2. Re:Backlinking by cascadingstylesheet · · Score: 2

      They are just utilizing a method for submitting data that the site owners themselves have provided. I don't see any reason to call this 'spam' since the site owners are inviting users to submit data through HTTP referral headers.

      By this logic, isn't anyone with an email address inviting any and all to send them email? How does that distinguish it from spam?

      "By not building a fence around your entire yard, you are inviting dogs to come use it as a toilet". Not if I'm home and I have my garden hose hooked up ... ;)

    3. Re:Backlinking by CaptainSuperBoy · · Score: 2
      Until the advertiser figures out that he can look at your referrer string

      Well, your script doesn't have to send a referral string - it doesn't even have to work from the same IP as your website.

      It takes a pretty sophisticated script to work out that a hit from wilddonkeysex.com is probably bogus

      My favorite site!
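The backlink verification proposed in comment 71, with the two refinements from the replies (fetch the referring page without sending a Referer, so the other side cannot tailor its answer to who is asking, and decide on what the page actually contains), as an added Python example that is not any commenter's code. The two sample pages are constructed; the site name www.mysite.example and the User-Agent string are assumptions. Only the parsing is exercised offline; fetch_page is the network half for use on a real referer.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


class LinkCollector(HTMLParser):
    """Collect the href targets of every <a> tag on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def links_to_host(html, my_host):
    """True if the page contains an <a href> pointing at my_host or a subdomain of it."""
    collector = LinkCollector()
    collector.feed(html)
    my_host = my_host.lower()
    for href in collector.hrefs:
        host = (urlsplit(href).hostname or "").lower()
        if host == my_host or host.endswith("." + my_host):
            return True
    return False


def fetch_page(url, timeout=10):
    """Fetch the referring page with no Referer header and a neutral User-Agent,
    so the server cannot generate a link-back only for our checker."""
    req = Request(url, headers={"User-Agent": "backlink-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def referer_is_genuine(referer_url, my_host):
    """Full check for one logged referer: fetch it anonymously and look for a link to us."""
    return links_to_host(fetch_page(referer_url), my_host)


# Constructed sample pages (not fetched from anywhere).
GENUINE_PAGE = (
    '<html><body><p>Nice site: '
    '<a href="http://www.mysite.example/post/3">here</a></p></body></html>'
)
BOGUS_PAGE = '<html><body><a href="http://www.spam.example/buy">buy</a></body></html>'
```

A page that passes this check can still be a throwaway page created only to satisfy it, which is the point made in the reply about human moderation; the check removes the bulk of automated referer padding, not a determined operator.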

  72. Re:referer information should be disabled by defau by guttentag · · Score: 2
    Lastly, it protects my image content.
    You think your images are safe, but they're not. Anyone determined enough to get your images can use a program like curl to tell your server it came from whatever URL you are looking for and pass itself off as any browser out there. My software uses this feature to grab comic strips from tight-fisted Web sites.

    Referrer information may be annoying to you, but it's an extremely useful tool. If taken away one restricts opportunities for the site operator to personalize and protect content on their site. Not a huge loss, but it isn't really as great a privacy issue as you seem to believe.
    Thank you for that FUD, but we hear it all the time: "give us all your personal data or you will lose functionality." BS. As a Web site owner, you have no right to know what site I visited before yours. There are many powerful things you can do with that information.

    For instance, if a person goes from a Monster.com search page to his Yahoo mail account, Yahoo now knows where the person is looking for a job, what type of job he is looking for, etc. (it's all encoded in the URL). Yahoo also has access to his address book and all his email messages.

    I see a scenario where Yahoo subtly threatens to email your boss to let him know you're thinking about quitting... unless you upgrade your account/add more storage space. It won't happen tomorrow, but Yahoo is sleazy enough to try something like that and they have the information... all they need is the technology to make that connection.

    That's just one example, but it illustrates the point that referrer information is none of your business. You only want it because you can profit from it without any complaints from your audience.

    Another example:

    A lot of people apparently email the URL of my site to their friends. In my site logs, I often see the email addresses of the person who sent the message and the poor sap who clicked the link. These people have no idea they have divulged their email addresses to me via referrer info. If they wanted me to have that info, they would have given it to me. Sometimes I also see the subject of the message, which is particularly funny when it was sent by a competitor along the lines of "Have you seen what <insert_url_here> is doing?"

    But as you said, "it isn't really as great a privacy issue as you seem to believe." It's worse than you realize.

    Bottom Line

    Companies will do just about anything to make an extra buck. So it shouldn't surprise anyone that they use technology against users to that end. But it's a two-way street -- people just need to wake up and start using technology to protect themselves.

  73. Solution? by 42forty-two42 · · Score: 1

    Log only one hit per unique IP per $TIMEINTERVAL. If it's a small blog, log only one hit per small (16 hosts?) subnet per $TIMEINTERVAL.
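The rate-limited logging suggested in this comment, as an added Python example (not the commenter's code): it keeps the first hit per referer per source subnet per interval and drops the rest. The "small (16 hosts?) subnet" is taken as an IPv4 /28 (a /124 for IPv6), and the default interval of one hour stands in for $TIMEINTERVAL; both are assumptions of this example. The sample hits are constructed.

```python
import ipaddress


def dedupe_referer_hits(hits, interval=3600, prefix_len=28):
    """Keep one hit per (referer, source subnet) per interval.

    hits: iterable of (timestamp_seconds, client_ip, referer), in log order.
    prefix_len applies to IPv4; IPv6 addresses get the prefix that covers the
    same number of hosts.
    """
    last_seen = {}
    kept = []
    for ts, ip, referer in hits:
        addr = ipaddress.ip_address(ip)
        plen = prefix_len if addr.version == 4 else 128 - (32 - prefix_len)
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        key = (referer, str(net))
        prev = last_seen.get(key)
        if prev is None or ts - prev >= interval:
            last_seen[key] = ts
            kept.append((ts, ip, referer))
    return kept


# Constructed sample hits: a referer spammer cycling through a few addresses
# in one /28, one genuine visitor from elsewhere, and the spammer again an hour later.
SAMPLE_HITS = [
    (0, "203.0.113.1", "http://spam.example/"),
    (10, "203.0.113.14", "http://spam.example/"),    # same /28 as above: dropped
    (20, "203.0.113.17", "http://spam.example/"),    # next /28: kept
    (30, "203.0.113.1", "http://other.example/"),    # different referer: kept
    (4000, "203.0.113.2", "http://spam.example/"),   # interval elapsed: kept
]
```

This does not stop a spammer spread across many networks, but it caps what any one source can add to a referer log, which is usually all a small site needs.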

  74. Re:referer information should be disabled by defau by ichimunki · · Score: 1

    Sure it's possible for a client or proxy to put whatever it wants in a referer string, that's the point of the article, but... Can someone use JavaScript on a web page to somehow convince the browser to fake the referer string? If not, checking the referer is pretty much guaranteed to prevent deep linking because no one is going to go around forging referer strings just in case they go to a site that does deep links.

    --
    I do not have a signature
  75. No! by Anonymous Coward · · Score: 1, Funny

    But if there were no referer info, then there couldn't be cool tricks like the time Somethingawful.com redirected visitors from Slashdot to goatse.cx!

  76. Re:referer information should be disabled by defau by Zaiff+Urgulbunger · · Score: 1

    I found a site via Google that seemed to be using the referer data to highlight the keywords I was googling with.

    I thought it was clever anyway!

  77. Referer as a Security Mechanisim by Anonymous Coward · · Score: 0

    I worked for a company that uses the referer as a security mechanism. I just rolled my eyes when I heard that. It seems that most of the people who do the www for a living or are on the whole blog bandwagon are just art-school-dropout-losers who don't have the first clue about what they are doing.

  78. Moderate the Links by herbierobinson · · Score: 2

    The only scheme for verifying the links that can't be fooled by the spammer is human moderation...

    --
    An engineer who ran for Congress. http://herbrobinson.us
  79. Re:enlarge your penis now! by Anonymous Coward · · Score: 0

    I'm seein' double! Four Krusties!

  80. you are wrong! by tkny · · Score: 1

    there is hope! we need counter-exploitation! visit this site: http://www.cexx.org

    my personal favorite is proxomitron! bye bye annoying popups!

  81. Links by Anonymous Coward · · Score: 0

    I use Links (not Lynx) by ssh'ing into my home box from work. That way I can fulfill my text porn (slashdot & freshmeat) addiction without anyone knowing what I'm doing. Besides it is actually faster that using a browser believe it or not.

  82. Guestbook spam by AlpineR · · Score: 4, Interesting
    Here is another form of spam that was new to me. Apparently some German pr0n site operators are filling my guestbook with bogus entries linked to their offerings. It seemed an odd way to advertise at first (who the heck visits my site, much less reads my guestbook ;-), but now I realize that it helps their Google stats.

    For now I'll delete the entries by hand, but if this increases it could get really annoying.

    AlpineR

    1. Re:Guestbook spam by odaiwai · · Score: 2

      I had this problem too, with some germans spamming from mcbone.net and t-dialin.net.

      I complained, but got no response, so I blocked them at the router.

      mcbone.net are porn spamming scum.

      dave

  83. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    It really depends on what use you make of the information, doesn't it? I once wrote code for a website that made decisions (based on referer) as to whether or not it should ask you if you wanted to log in, or browse the site as an anonymous user. That was kind of cool... no javascript, just plain-jane HTML; asked you once when you first entered the site, then left you alone thereafter. That was just about the only good use of referer I've ever seen.

  84. not spammers? by luap2000 · · Score: 2, Insightful

    Isn't that kind of like saying because someone has an email (a method for submitting data), it's okay to spam?

    Plus, think of the numbers. If people are selling this 'service,' it's bound to have a negative effect on the overall quality of the web features like this offer.

  85. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    >> I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

    > And this is, of course, broken behaviour. Did you know that when you open a new link in Netscape/Mozilla that the browser does not send any referer at all? This means that I can't open your images in new windows and I'm constrained to view your images one at a time. Also, the some browsers change the referer for images when you "save" images (eg, right-click and choose "Save as..." may not send the referer you're expecting).

    You can also use the referer to not allow save as... from popular web browsers... If I didn't refer this IMG, then I guess it can't be downloaded. That may annoy you, but I think it's just another way to annoy the copy-cats.

  86. Referer checking for images by achurch · · Score: 4, Interesting
    I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

    And this is, of course, broken behaviour.

    So do you have an alternative proposal to prevent resource (i.e. bandwidth) theft? That is a very real problem, and no amount of arguing that the current solution is "broken" will get people to change unless you provide them an alternative.

    1. Re:Referer checking for images by Permission+Denied · · Score: 4, Insightful
      So do you have an alternative proposal to prevent resource (i.e. bandwidth) theft?

      Session cookies based on a cryptographic hash of browser-identifiable information. Just hashing the IP and some secret string will prevent the bandwidth-stealing problem (not ideal since it breaks with NAT, but that's irrelevant if you're only trying to solve the deep-linking problem).

      In PHP, setcookie('hash', md5($ENV[REMOTE_ADDR] . "TOPSECRET")) on page load, link to a file "image.php" instead of the .jpg and "image.php" does something like this: if (getcookie('hash') != md5($ENV[REMOTE_ADDR] . "TOPSECRET")) { header("Location: /error-documents/403.html"); exit(); }. This isn't complete (probably not even syntactically correct and be careful with what image.php allows one to download), but you get the idea. The actual image files can't be downloaded by apache, but can only be opened and sent to the browser through "image.php". For extra fun, re-generate the secret string from /dev/random every ten minutes (and keep around the last version of the key to avoid breaking on-going sessions).

      This stops everyone from stealing bandwidth (including telnet-wielding network programmers like me) and it annoys no one.
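The session-cookie scheme sketched above, including the ten-minute key rotation that keeps the previous key alive, as an added Python example rather than the commenter's PHP. One substitution is deliberate and is this example's own choice: HMAC-SHA256 over the client address replaces md5(ip . secret), which removes the length-extension and guessable-suffix concerns of a bare hash. The class name and the 32-byte key size are assumptions.

```python
import hashlib
import hmac
import secrets


class ImageGate:
    """Issue and verify a cookie proving that this client loaded our main page.

    The cookie value is HMAC(key, client_ip). rotate_key() replaces the secret
    (the comment's "every ten minutes") but keeps the previous key, so a
    session that began just before the rotation keeps working.
    """

    def __init__(self):
        self.current_key = secrets.token_bytes(32)
        self.previous_key = None

    @staticmethod
    def _tag(key, client_ip):
        return hmac.new(key, client_ip.encode("ascii"), hashlib.sha256).hexdigest()

    def issue_cookie(self, client_ip):
        """Main-page handler: the value to put in Set-Cookie: hash=..."""
        return self._tag(self.current_key, client_ip)

    def rotate_key(self):
        """Replace the secret; the old one stays valid for one more rotation period."""
        self.previous_key = self.current_key
        self.current_key = secrets.token_bytes(32)

    def allow_image(self, client_ip, cookie_value):
        """Image handler: True only if the cookie matches this client's address
        under the current or the previous key. Comparison is constant-time."""
        if not cookie_value:
            return False
        for key in (self.current_key, self.previous_key):
            if key is None:
                continue
            if hmac.compare_digest(self._tag(key, client_ip), cookie_value):
                return True
        return False
```

Because the tag is bound to the client address, a cookie copied into a page on another site is useless to that site's visitors, which is what makes this an answer to hotlinking rather than to copying; the NAT caveat in the comment applies unchanged.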

    2. Re:Referer checking for images by DickBreath · · Score: 2

      So do you have an alternative proposal to prevent resource (i.e. bandwidth) theft?

      If you're using server side scripting, for instance, PHP, then you could make the link to a graphic require some kind of encrypted time when the image expires.

      For example, for FRED.JPEG, I might make the link url contain something like...

      /images/getImage.php?expire=58329782378&image=fred.jpeg

      The script getImage.php would get the requested image only if the expiration timestamp had not already passed.

      Have a similar function that generates the URL for the image in the first place. You might write your image tag containing something like...

      <img src=" <? linkImage( "fred.jpeg" ); ?> ". . . . .

      When the original page is requested, the browser has a couple minutes (or even hours?) which should be more than enough for it to request the images which also make up that page view.

      By using even a trivial (i.e. read computationally inexpensive) encryption mechanism, you will prevent all but an extremely determined image thief.

      By making your image timeout long enough, you still allow users to right-click, Save Image As... type of thing.

      --

      I'll see your senator, and I'll raise you two judges.
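The expiring image link described in this comment, as an added Python example standing in for the commenter's linkImage()/getImage.php pair (this is not their code). One thing is added that the comment leaves implicit: a signature over the image name and expiry, since without it anyone could push the expire value forward by editing the URL. The secret, the handler path and the ten-minute lifetime are assumptions; in deployment the key comes from configuration, not source.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical server-side secret; load from configuration in real use.
SECRET = b"replace-me-with-a-random-key"
IMAGE_TTL_SECONDS = 600


def _sig(image, expire):
    """HMAC over (image, expire) so neither can be altered in the URL."""
    msg = f"{image}|{expire}".encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def link_image(image, now=None, ttl=IMAGE_TTL_SECONDS):
    """Counterpart of linkImage(): the src to write into the <img> tag."""
    expire = int(now if now is not None else time.time()) + ttl
    query = urlencode({"expire": expire, "image": image, "sig": _sig(image, expire)})
    return f"/images/getImage?{query}"


def get_image(url, now=None):
    """Counterpart of getImage.php: the image file to serve, or None to refuse.

    Refuses when a parameter is missing, the signature is wrong, the link has
    expired, or the name tries to leave the images directory.
    """
    qs = parse_qs(urlsplit(url).query)
    try:
        image = qs["image"][0]
        expire = int(qs["expire"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    if not hmac.compare_digest(_sig(image, expire), sig):
        return None
    current = int(now if now is not None else time.time())
    if current > expire:
        return None
    if not image or "/" in image or "\\" in image or image.startswith("."):
        return None
    return image


if __name__ == "__main__":
    src = link_image("fred.jpeg")
    print(f'<img src="{src}">')
    print("serves:", get_image(src))
```

The lifetime sets the trade-off the comment describes: long enough that a visitor can still right-click and save, short enough that a copied link stops working on another page within minutes.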
    3. Re:Referer checking for images by WWWWolf · · Score: 2
      Session cookies based a cryptographic hash of browser-identifiable information.

      The user screamed "Referer: header is a privacy risk! Let's get rid of it!"

      Another shouted "But how do we prevent leeching?"

      A wise fellow explained, "Ah, with but a few session cookies."

      But another user screamed, "Cookies are a privacy risk! Let's get rid of them!"

      And so, the discussion went nowhere.

      ...

      You know, you can never trust the client anyway. Someone will rip away the Referer, someone will shred Cookies.

      Any other suggestions?

    4. Re:Referer checking for images by Permission+Denied · · Score: 2
      Fine, shred the session cookies. You then won't be able to see the images.

      The point of the session cookies was to ensure, with cryptographic confidence, that a user has seen your main page before allowing them access to your images. Referer headers can be faked, but not the session cookies I described (eg, you can inject them into a wget session, but only after you've actually seen that main page from that specific IP).

      Anyway, this is irrelevant - both will do fine for controlling your outgoing bandwidth, and I'm not really concerned about the "privacy" issue (if there even is a privacy issue - read my original post carefully, and you'll see that I don't care whether or not someone logs my referer, but I do care when it breaks my browsing session or they try to stupid things with the header like redirecting away from the data that originally attracted me; I'm perfectly OK with anyone logging all the headers my browser sends (although this is asinine pubescent behaviour in the case of these blogs), because, after all, that's what I sent to them).

      My point is that using the referer header breaks under certain conditions - when I open an image in a new window, or when I "save" an image - but the session cookies I describe don't break under the same conditions. It's about broken, stupid behaviour, not some nutcase "privacy" thing.

    5. Re:Referer checking for images by some+guy+I+know · · Score: 1

      This stops everyone from stealing bandwidth (including telnet-wielding network programmers like me) and it annoys no one.

      Except, perhaps, people who have cookies turned off.
      (Of course, I also have referer turned off (via JunkBuster), so the other method will annoy me just as much.)

      The way to do it is to keep track of the IP address of the client.
      This can't be turned off, since you (well, the connection-handling code) need the IP address to determine where to send the response.

      Every time someone loads an HTML page, record it, the IP address, and the time in a DB.
      As records expire, delete them from the DB.
      When an image is requested, check the DB for the IP address and page that the image should be linked from.
      If the record's not there, redirect to a page that tells the user that (s)he must reload, or just redirect (302) to the HTML page itself.
      To prevent problems due to cached pages, set the expiration time on the HTML page to less than that for the records in the DB.

      --
      Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
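      The server-side scheme laid out above (record each HTML hit with IP and time, expire records, check the table on every image request, and keep the HTML cache lifetime shorter than the record lifetime), written out as an added example in Python rather than taken from the post; the in-memory dict stands in for the DB, and the image-to-page map and address values are constructed for the example.

```python
import time

# Constructed for this example: which HTML page each image is allowed to be
# embedded in. A real site would derive this from its templates or a DB.
IMAGE_OWNERS = {
    "/img/fred.jpeg": "/gallery.html",
    "/img/logo.gif": "/index.html",
}


class PageViewTable:
    """In-memory stand-in for the DB in the post: (ip, page) -> time of the
    last HTML hit. 'now' is injectable so expiry can be exercised in tests."""

    def __init__(self, record_ttl=300, now=time.time):
        self.record_ttl = record_ttl
        self.now = now
        self.records = {}

    def record_page_view(self, ip, page):
        """Every HTML page load is recorded with the client IP and the time."""
        self.records[(ip, page)] = self.now()

    def sweep(self):
        """Drop records older than the TTL (the post's 'as records expire')."""
        cutoff = self.now() - self.record_ttl
        self.records = {k: t for k, t in self.records.items() if t >= cutoff}

    def html_cache_control(self):
        """Cache-Control for the HTML page: it must expire before the record
        does, or a cached page could be re-shown after its record is gone
        and every image on it would 302 back to the page."""
        return f"max-age={self.record_ttl // 2}"

    def decide_image_request(self, ip, image):
        """Return (status, target) for an image request: 200 with the image
        path if this IP recently loaded the owning page, otherwise a 302 to
        that page so the browser reloads it; 404 for images we do not map."""
        self.sweep()
        owning_page = IMAGE_OWNERS.get(image)
        if owning_page is None:
            return 404, None
        if (ip, owning_page) in self.records:
            return 200, image
        return 302, owning_page


if __name__ == "__main__":
    table = PageViewTable(record_ttl=300)
    print(table.decide_image_request("203.0.113.7", "/img/fred.jpeg"))  # 302
    table.record_page_view("203.0.113.7", "/gallery.html")
    print(table.decide_image_request("203.0.113.7", "/img/fred.jpeg"))  # 200
```

As the follow-up notes, the cost of this approach is the per-visitor state; the same check keyed on IP also misfires for visitors behind a shared NAT address.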
    6. Re:Referer checking for images by Permission+Denied · · Score: 2
      You are, of course, correct.

      Keeping all the state server-side is the most secure option, and the one least likely to break.

      I've done a few things trying to keep state client-side in cookies - but it's proven too unreliable (in addition to people who don't accept cookies, you have to deal with browser bugs, clients whose clocks are not set correctly, and so on). I mostly just keep it server-side now, like you suggest. The only downside is that, well, you're keeping the state server-side. Even with a lot of traffic, this isn't really all that much overhead, however. I've also noted that for something this simple, using a database is actually faster than keeping the state in some file (at least with persistent database connections). But this in itself probably doesn't warrant having a database if the site doesn't need a database for anything else.

      So, yeah, this is probably the best way, but it feels a little icky keeping this kind of state server-side when it could easily be offloaded onto the clients.

      Another possibility I just thought of: on the main page, you generate your image links to look like this: image.php?code=2476DA8DA77FF349890ACB66" where the "code" is a hash of the IP, a timestamp and some secret string. image.php can then check the hash to make sure it matches up, and you don't end up keeping anything server-side and it doesn't have any extra file or database overhead.

      Anyway, lots of possibilities - no need to use referer.

    7. Re:Referer checking for images by Anonymous Coward · · Score: 0

      IP addresses can be faked.

    8. Re:Referer checking for images by WWWWolf · · Score: 1

      Excellent points. =) Both methods work to the extent they're needed, and I agree that there's no "privacy risk" in either.

      This sort of stuff needs to be designed very carefully...

  87. I said it before and I'll say it again... by BurKaZoiD · · Score: 0, Flamebait

    ...I could give a good g*dd*mn about a "blog".

  88. Re:referer information should be disabled by defau by Zeinfeld · · Score: 2
    It is not once or twice that you find URLs to "confidential" pages if you browse through your webserver logs. And... I bet 95% of web surfers do not even know that they are sending this information all the time. Is there really any reason why the default is to send the referer info?

    My idea was to have a way to be able to construct backlinks from sites. At the time we had 100 users and the operating assumption was that all information put on the Web was public.

    I did not write the code that implemented referer. However the security note I wrote did say that you should only send referer if you were actually following a link. The NCSA folk introduced the idea that it was a link to the 'last think you visited' which I consider to be buggy, there is no reason to reveal file: and bookmark: URLs.

    We considered the privacy implications. Basically if someone wants to they can pass the linkage info explicitly via a query suffix.

    There should be a toggle in my view, but folk seem to take a weird view on security and privacy. Argument by analogy was the rule at the time. We can do BASIC password security because FTP does, DIGEST was written less than a week later, no interest of course because it was not compatible with the then ruling UNIX dogma of one way encrypted passwords, forget the fact that sending the password en clair is a bigger problem. You can't have the password encrypted both on the wire and in storage without using public key which was patent encumbered at the time.

    Oh yes, the misspelling was me. I am dyslexic. However we are petitioning to fix it. The next edition of the OED has the additional spelling referer which specifically describes my HTTP header. I am trying to get into the Guinness book of records first with the most serious spelling mistake ever.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  89. Re:referer information should be disabled by defau by Zeinfeld · · Score: 2
    Heh-heh! It's amazing how moronic some "security" is. I use an HTTP proxy (Privoxy [privoxy.org]) that not only blocks all ads, it allows me to set the Referer: on all outgoing requests to the base URL. Most of these sites just check that Referer: is a URL on their own site.

    I invented the referer field before the IMG tag was proposed. So no, that application was not one that was ever considered. Nor is it the way I would have solved the problem.

    I always thought the way IMG works somewhat broken but I happened to be asleep for the 8 hours it was up for review.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  90. Good for tracking down 404's by GT_Alias · · Score: 1
    One nice thing about referer information is that it helps you to track down and fix 404's on your own site. If you look at all of your 404's and what is referencing them, you can either fix the offending link or get in touch with the site-admin who has an out-of-date link (if its something important).

    You can also see which sites are using the images from your site on their own sites...which can sometimes be annoying. Particularly if you are running a college's web site and you have an image of a cheerleader somewhere that is getting linked to by every other cheerleader perv site out there. That's pretty damned annoying. Not that it has happened to my site or anything...

  91. If you build it... by Usefull+Idiot · · Score: 2, Interesting

    they will come... and rip it to shreds as fast as they can in any way possible.

    It's the same deal if you have any kind of script that can be compromised. Example: FormMail.pl, if it didn't do strong checking someone could use it maliciously. There are a few ways to combat this, like setting a repetition checker so that if within n seconds the same thing comes in m times, ignore and remove it and/or ignore the ip address(es) it's coming from. You can also set it so it will only work for trusted people and you could do some small monitoring to make sure none of the trusted people are flooding it. There are many ways to go about preventing the spammers from getting through, you just have to think practically (ie: What do spammers do that would be different from your regular users) and do a little coding and you're done... They obviously could care less about you, so there's no other way to really deal with them.

  92. Re:referer information should be disabled by defau by bitspotter · · Score: 1

    If you're using this to restrict content to your site ... well, forget it. If you have something I really want, I'll open up a terminal and telnet to port 80.

    You're right, it's not security. It's not a matter of security - it's a matter of convenience. How many people even know how to point a telnet session - and are they even in your web site's intended audience?

    There are only two people I know of who actually do this. You don't strike me as someone who would EVER have a reason to visit any of my web sites, and the other person... well, the other one is me. :)

    Now, that said, why should I design my sites for you instead for my users? They get some real usefulness out these techniques.

    Websites are more than just file farms, and on many occasions referers are extremely useful in delivering the services many of them provide. If you can't imagine what possible use any services like that might offer, I have plenty of neat ideas. Just don't pretend your tastes are good enough for everyone - after all, you've already proven yourself technically exceptional by your use of telnet (believe it or not). I'm not trying to stop one person from doing certain things. I'm trying to stop a LOT of people. and, well, that works.

    I agree about Google's cache, though. Gcache has proven invaluable to me on numerous occasions. I've even thought about POINTING people there FROM my website on occasion. great. go hard. That's what it's there for. It's not, however, what MY site is for.

    If everyone only used technology the way it was intended, nothing would get invented at all.

  93. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    Did you know that when you open a new link in Netscape/Mozilla that the browser does not send any referer at all?

    Either you didn't understand the question, or you're just plain wrong. Netscape/Mozilla (along with every other browser I know of) will almost always send as referrer for an image request the address of the page with the image embedded. To make sure I wasn't talking out my butt, I just tested this in Mozilla 1.2beta, and I'm right.

    It won't send a referrer for just an html page you open without clicking on a link of course, but the dude you're trying to make feel stupid wasn't talking about that, he was talking about people embedding his images. So you instead made yourself look stupid.

    PS: You're a moron. Quit complaining about how noone respects how you use your browser and find a girlfriend.

  94. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    You're not useful, you're obnoxious.

  95. geese, I already found some in my referrers by gumbysworld · · Score: 1

    24 6 0.02% http://www.free-casino-gambling-online.com

    I read the article, go check mine and sure enough 1 is there.

  96. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    Jackass, he doesn't mean that it protects his image from somebody saving it or using it on their own site. He means it makes it so people won't put on their site, thus burning his bandwidth without giving him a visitor.

  97. Re:referer information should be disabled by defau by phliar · · Score: 2
    checking the referer is pretty much guaranteed to prevent deep linking because no one is going to go around forging referer strings just in case they go to a site that does deep links.
    That's why you don't fake the Referer: string by hand; you use an HTTP proxy to do it. An ad-blocker like Privoxy does this automatically; if your browser requests a page a http://www.foo.com/bar/foobar/img.gif then the Referer: header is set to http://www.foo.com/. This works for the vast majority of the referrer checking sites out there.

    The only way to do it right is to generate pages on the fly, with all URLs in it being re-written to be cryptographically signed and timestamped. A link would look something like

    /foo/bar.gif?t=current-time&ttl=small-interval&sig=986HJytoJ7u67k7eR
    The web server checks the signature and lifetime of every request before serving up the file. (I implemented Apache modules etc. to do all this at my job.)

    --
    Unlimited growth == Cancer.
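    The signed-and-timestamped link scheme phliar describes (/foo/bar.gif?t=...&ttl=...&sig=...), as an added example in Python that is not the thread's or phliar's own Apache module; it also folds in two ideas from earlier posts in this thread, optionally binding the token to the client IP (Permission Denied's hash of IP, timestamp and secret) and keeping the previous key alive across a rotation so in-flight page views keep working. UrlSigner, its method names, the 32-hex-character signature length and the IP addresses are this example's own assumptions; the MAC is HMAC-SHA256 over path, t, ttl and IP rather than a bare hash of a concatenated secret, and is compared in constant time.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class UrlSigner:
    """Signs image URLs when the HTML page is rendered and verifies them on
    each image request. No per-visitor state is kept server-side."""

    def __init__(self, key: bytes, now=time.time):
        self.keys = [key]      # keys[0] is current; keys[1], if any, previous
        self.now = now         # injectable clock so expiry can be tested

    def rotate(self):
        """Generate a fresh key; keep exactly one old key for verification
        so links issued just before the rotation still resolve."""
        self.keys = [secrets.token_bytes(32), self.keys[0]]

    @staticmethod
    def _mac(key, path, t, ttl, client_ip):
        # Newline separators keep "/a/b" + "1" distinct from "/a/b1".
        msg = f"{path}\n{t}\n{ttl}\n{client_ip or ''}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

    def sign(self, path, ttl=120, client_ip=None):
        """Return the URL to put in <img src>. Binding to client_ip is
        optional: it stops replay from another address but breaks for
        visitors behind NAT or a proxy pool."""
        t = int(self.now())
        sig = self._mac(self.keys[0], path, t, ttl, client_ip)
        return f"{path}?{urlencode({'t': t, 'ttl': ttl, 'sig': sig})}"

    def verify(self, url, client_ip=None, max_ttl=86400, skew=60):
        """Check one image request. Returns (ok, reason)."""
        parts = urlsplit(url)
        q = parse_qs(parts.query)
        try:
            t, ttl, sig = int(q["t"][0]), int(q["ttl"][0]), q["sig"][0]
        except (KeyError, ValueError):
            return False, "malformed"
        if not 0 < ttl <= max_ttl:
            return False, "bad ttl"      # ttl is MAC'd too; this caps it
        now = int(self.now())
        if now < t - skew or now > t + ttl:
            return False, "expired"      # cheap check first, MAC second
        for key in self.keys:            # current key, then the previous one
            expected = self._mac(key, parts.path, t, ttl, client_ip)
            if hmac.compare_digest(expected, sig):
                return True, "ok"
        return False, "bad signature"


if __name__ == "__main__":
    signer = UrlSigner(secrets.token_bytes(32))
    url = signer.sign("/foo/bar.gif", ttl=300, client_ip="203.0.113.7")
    print(url)
    print(signer.verify(url, client_ip="203.0.113.7"))
    print(signer.verify(url, client_ip="198.51.100.9"))
```

Because the verifier and signer share the key, no public-key operation is needed, which is the point made later in the thread about the per-request cost being one hash.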
  98. Re:referer information should be disabled by defau by jukal · · Score: 2
    My idea was to have a way to be able to construct backlinks from sites. At the time we had 100 users and the operating assumption was that all information put on the Web was public.

    You are forgiven :) No, seriously the world is different now. Is W3 the organisation which could try to push it through? Or do we just have to believe that the browser vendors realize it in time before every site utilizes this in their inner logic and the change to better is thus impossible.

  99. Re:referer information should be disabled by defau by jukal · · Score: 2
    Is W3 the organisation which could try to push it through?

    Where it == a change to how referrer information is sent. As there clearly are some benefits for the website developer/author for having the referrer info the situation after change could be an analogy to what is used with cookies :: the referrer info would be only sent if 1) the user is following a link (or similar mechanism) and 2) the link being followed resides in the same space.

    Examples:

    link from www.xyzzy.com/index.html to www.xyzzy.com/about.html - sent
    link from www.xyzzy.com/index.html to www.othersite.com/ - not sent
    link from www.xyzzy.com/~jukal/categories.html to www.xyzzy.com/~jukal/contents.html - sent
    link from www.xyzzy.com/~jukal/ to www.xyzzy.com/~abuser/ - not sent

    As you Zeinfeld, clearly are in the position to make a difference (being the "inventor" - or one of the inventors - of the mechanism) - what do you think about this? Do you know if w3.org for example is already considering this? If not, who should I, You, everyone else talk to?

  100. Scripting vulnerability? by m00nun1t · · Score: 2, Interesting

    I wonder if there is a vulnerability in here somewhere... people are displaying raw referrers on their sites, typically via a server script of some sort. Potential breeding ground for a new worm of some sort?

    On the other hand, perhaps this is the first valuable use of spam: making people aware of the problem, and the smarter people shutting it down, before someone writes a worm to exploit it.
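    The risk raised above is that a site echoing raw Referer values into its own pages lets whoever sends the request write markup into them. An added example (not from the post) of the defensive rendering: only plain http(s) URLs are kept, and everything that is kept is HTML-escaped in both attribute and text context. The sample referers are constructed for the example; the one casino domain is the value quoted elsewhere in this thread.

```python
import html
from urllib.parse import urlsplit

# Constructed sample referers: two ordinary ones, one carrying script
# markup, one with a non-http scheme, and a valid URL that breaks out of
# an attribute if it is echoed unescaped.
SAMPLE_REFERERS = [
    "http://www.example.net/links.html",
    "http://www.free-casino-gambling-online.com",
    "<script>alert(1)</script>",
    "javascript:alert(document.cookie)",
    'http://evil.example/"><img src=x onerror=alert(1)>',
]


def safe_referer(raw, max_len=200):
    """Return the referer if it is a plain http(s) URL of sane length,
    else None. This is validation only; escaping happens in render."""
    raw = raw.strip()
    if len(raw) > max_len:
        return None
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return raw


def render_referer_list(referers):
    """Build the 'who links to me' list as HTML. html.escape with
    quote=True covers both the href attribute and the link text, and
    rel="nofollow" denies the log spammer any link credit from the page."""
    items = []
    for raw in referers:
        ref = safe_referer(raw)
        if ref is None:
            continue
        esc = html.escape(ref, quote=True)
        items.append(f'<li><a href="{esc}" rel="nofollow">{esc}</a></li>')
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


if __name__ == "__main__":
    print(render_referer_list(SAMPLE_REFERERS))
```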

  101. Re:referer information should be disabled by defau by jukal · · Score: 3, Informative
    One more comment to myself :) It seems the rfc2616 already covers this quite well. So the only problem is that the browser vendors have failed to follow the rfc:

    15.1.3 Encoding Sensitive Information in URI's Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information. Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol. Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead

  102. Re:referer information should be disabled by defau by TheMidget · · Score: 1
    Lastly, it protects my image content. My images are not stellar, and yet other sites continue to use them on their pages. I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

    How lame! Rather than blocking those offsite image references, just replace them by redirects to the goatse picture. Much more funny that way, and gets the point across really quick...

  103. Re:referer information should be disabled by defau by BlueUnderwear · · Score: 2
    For instance, if a person goes from a Monster.com search page to his Yahoo mail account, Yahoo now knows where the person is looking for a job, what type of job he is looking for, etc. (it's all encoded in the URL). Yahoo also has access to his address book and all his email messages.

    Unless he got to his yahoo mail account by clicking on a link that he found at monster.com (highly unlikely), this won't happen. On most of today's browsers, if you enter an URL manually, or if you use your bookmarks, the referer field will be empty, rather than containing whatever page happened to be displayed in the browser window. It's called referer for a reason.

    Some old versions of netscape sometimes did funny things with the referer, but who continues using netscape 3.01 nowadays?

    --
    Say no to software patents.
  104. Yes, I have... by Cl1mh4224rd · · Score: 1

    I have a Hotmail account that I registered with the intent of using for personal emails (it was my first and last name, big mistake), but I started receiving spam without even using the account. Ever.

    I would get anywhere from 25-35 unsolicited emails a day to this account... Then it filled up, around the 17th of this month. After I cleared everything out, I noticed that I was only receiving 3-8 spams a day.

    I still haven't used the account, but I log in twice a day just so I can keep a manual record of the "spam bombardment", which I realize is nothing compared to most of you out there. ;)

    --
    People will pass up steak once a week, for crap every day.
  105. Re:referer information should be disabled by defau by Permission+Denied · · Score: 1
    Didn't mean to attack you personally. You were just a convenient target for a rant.

    How many people even know how to point a telnet session - and are they even in your web site's intended audience?

    I believe this kind of reasoning is a bit dangerous - it's very difficult to gauge your audience. You can, of course, gauge your intended audience, but you're always going to get some people in there that don't fit the demographic.

    Example: a couple of years ago I wrote a bit of technical documentation for a system we were using internally in my department. I also linked it in from a couple of places, but I didn't restrict it to our local network since it wasn't any kind of secret.

    I was quite surprised at some of the responses I got from that page. I, of course, didn't log referers, but I occasionally received mail from random people who found the site via a search engine. One mail was from a guy in India who needed some help with a technical problem and he found our site, and another mail was from an older gentleman in Japan that was not technically literate but found the site via an unexpected keyword search and was actually trying to research a literary text. The pages were written for our own users, but ended up being read by some quite unexpected people (and I thought this was pretty cool). All of our users had access to the latest browsers with all the gizmos, but if I had made that page using CSS2, DHTML and the latest javascript tricks, it may have not been accessible to some of the unintended readers.

    Point being, although I'm not your intended audience, I might read some of your sites some day, so don't piss me off :)

  106. NO and again NO! by Anonymous Coward · · Score: 0

    "To make it unhackable - just add a few more levels of obfuscation. ;))) "

    Obfuscation != security

    now die PHP user

    1. Re:NO and again NO! by jukal · · Score: 2
      Obfuscation != security

      Pssst! it was a joke :)

  107. Re:referer information should be disabled by defau by raynet · · Score: 2
    For instance: I log into my server's administrative area. Then, in another window, I browse someone's blog. And I click on their "search" button. As it turns out, this search button is a trap, which sends me to my own admin area with a command to delete someone's account. I'm logged in, I have a valid network address, I'm active, there's no problem.

    Except that any decent system should ask if you're sure about deleting that account. And while it does that it should give some nice random text as a hidden field and expect it when submitted before deleting the account.

    Also I think the odds of having this sort of trap are minimal. And you should always be able to undelete accounts...

    --
    - Raynet --> .
  108. RE: mozilla referers by Anonymous Coward · · Score: 0

    You are correct in that the latest mozilla sends referers for images opened in new tabs/windows. But you're still talking out your butt.

    1. Many linux builds (debs and redhat rpms) of current stable builds do not correctly send referers.

    2. "Save as" may not send correct referers. It should save from cache, but instead it requests a header. This is a known bug.

    3. Opening an image via "View image source" and the "View Page Info" dialog box will sometimes fail because it does send the correct referer. There are bugs filed for these, and they are being worked on.

    4. Reloading an image may send an incorrect referer. This leads to all kinds of errors. Bugs are filed and this is being worked on.

    5. Loading large image files may result in error messages, as image requests are being sent twice, once from the cache and once from layout(?)--not sure about the details, but there are bug reports and the problem is being worked on. There should be a solution in 1.2b, but I don't believe that it's been confirmed. Presumably the next stable release will have this fixed.

    I kind of agree with the point that webmasters shouldn't have to compensate for the shortcomings of this or that browser, or the fancies of this or that user. However, it seems obvious that the use of referers to block access to images is kludgy and not in the spirit of the www as it was originally designed and promulgated. The parent comment is on target.

  109. Re:referer information should be disabled by defau by vidarh · · Score: 2
    The point isn't preventing people from downloading images - they can do that just by visiting his site. The point is to prevent "hotlinking" - referring to an image on someone else's site without permission. Often it's done out of stupidity, but some people go to great lengths to reduce their bandwidth bills (and increase yours) that way.

    As for someone's right to see where you come from, yes, you're right. Which is why it is up to you whether or not you use a client that allows you to turn the referrer header off or fake it. But on the other hand, it is up to the webmaster of the site you're trying to visit whether he'll then decide to prevent you from accessing his site.

  110. Search Engine Ranking? by sfe_software · · Score: 2

    Unsurprisingly, bloggers are not thrilled, even though they ruefully admit that the log spamming may falsely boost their ranking on some search engines.

    So how is this, exactly? Search engines (think Google) may boost pages that are heavily linked to, but sending false referers to the website does *not* affect Google's rankings in any way.

    Google goes by how many pages in its index contain a link to a site. It doesn't care what is in the site's logs, it wouldn't have any way to know this.

    Just an observation...

    --
    NGWave - Fast Sound Editor for Windows
  111. Re:referer information should be disabled by defau by driverEight · · Score: 1
    I've never seen anyone "personalize" a site in a useful way

    by Permission Denied on Sunday October 27, @07:02PM (Score:4) (#4543977) (User #551645 Info) [ Neutral ]

    You are a Troll Permission Denied

    --

    It's not the size of your .sig that matters, it's how you use it.

  112. How is that any good? by Wakko+Warner · · Score: 3, Insightful

    Keyboard nav is much better than links (use numbered links with "G," as in "25g" takes you to - but doesn't follow - link/text entry box #25 on the screen, etc.).

    So, you mean you sit there and count how many links are on a page, then figure out where on the page #25 is, and then type all that in to go to it, instead of just scrolling down and clicking or something similar? How incredibly stone-age.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  113. Re:referer information should be disabled by defau by Tadghe · · Score: 2

    > No I will NOT post my personal website on slashdot... I'm not about to get a huge bandwidth bill because of you guys!)

    Chicken. :-)

    --
    Bugs Bunny was right.
  114. Re:referer information should be disabled by defau by mario · · Score: 1

    You've to see things a little bit more from the average user's perspective.

    When searching for some specific technical information page you may be right, but most people usually don't look for Solaris kernel modules (at least I assume that). And I can imagine lots of people are thankful if company XYZ presents related links and personalization that is of use for these people.

    And on the other hand, I can't tell a customer:
    Hey, don't know if your banner/marketing campaign was successful, we don't track those referers!

  115. Re:referer information should be disabled by defau by stienman · · Score: 2

    Why does this bother you so much? You've turned off your referrer, right? My site treats you like you appeared out of the blue sky, and you have access to everything that any other surfer does, without any "annoying", "stupid", "broken" fluff.

    Do you honestly think that Yahoo is going to extort you based on a referrer log? You've got some pretty far fetched ideas there. Do you also use an anonymizer service? If not, then I've gained a ton more information about you than I could with the referrer log. All the referrer log tells me is that another web site has a link to my site, and that you clicked on it. Monster.com has no links to my site, except to my full resume - and it's fun, though not particularly useful, to see that there are people going to my resume page from monster. It saves me the trouble of creating several different links so I can track where people come from.

    In other words, you are really stretching the point you're trying to make. Yes, it's technically possible that the referrer could be used in a way that makes your life less private. YOU have control over that, though, since you can turn it off. Saying that it should be off by default without providing some real, tangible benefit is shortsighted.

    I'm sorry that 'webmasters' piss you off. I don't have a welcome page, the most I do is provide an extra line of text at the top of the page giving additional info to those who go there from specific sites and links. Instead of blocking my images I've decided to simply get rid of them - they don't really add anything to the content except where the content is the image, and I've lowered their size as much as possible. Speed of serving is more important than annoying the few idiots who do refer directly to the images on my site.

    In short, like "rm", it's a tool. It can be used for good and bad. You either visit sites you don't trust frequently, or you are paranoid enough to leave it off all the time. I can understand that, and I agree that it's probably the best thing for you to do.

    It is not a tool of pure evil though, and I'm afraid you've become somewhat like the RIAA in your argument. You assume that either (1) it can only be used for evil/bad/annoying/stupid purposes or (2) most people use it that way, and the few that use it for good can be as effective at delivering useful content without it.

    -Adam

  116. Re:referer information should be disabled by defau by ichimunki · · Score: 1

    Silly me, I forgot that a proxy might do this automatically.

    Very interesting to modify each outgoing URL to contain a time-stamp. Even better to add some authentication code to it. But very computationally expensive, no?

    I guess if I had content that was that popular, where I suspected a lot of deep linking, I would probably go for a required registration or cookie-based scheme (as even requests for graphics return cookies, right?) before looking for more complicated solutions.

    --
    I do not have a signature
  117. What next? by BillX · · Score: 1

    Putting ads in the User-Agent field for webmasters browsing their access_logs or server stats?

    89% MSIE
    8% Mozilla
    2% Lynx
    1% Visit My Porn Site! http://....

    So much for my current User-Agent string of Mozilla/8.0 (compatible; This is the only ad-free space left on the internet)

    --
    Caveat Emptor is not a business model.
  118. Poison spammers' address lists by Anonymous Coward · · Score: 0

    Check out http://www.spywareinfo.com/harvest_project/

    They've got a project going to contaminate spammers' address databases with junk addresses. I set it up on http://www.samiam.com. It seems to me that every little bit helps.

  119. Re:referer information should be disabled by defau by phliar · · Score: 2
    Very interesting to modify each outgoing URL to contain a time-stamp. Even better to add some authentication code to it. But very computationally expensive, no?
    Not really. Remember, a 486 can saturate a T-1 serving static files; with a modern system (we use Sun Netras) it's no problem. The only overhead is one cryptographic hash (say MD5) to verify the signature per request. (There are a few other technical details like key management -- changing compromised keys etc. -- but with intelligent caching there is no significant overhead. Note that you don't need to use public-key crypto since the signing authority and the verifying authority are at the same site.) Since you don't have to keep track of web sessions, load balancing is easy too.

    On the dynamic HTML generation side, most app. server based sites have to do that anyway; there's just one additional step of replacing some URLs with signed ones. If you handle web sessions through URL-rewriting rather than some hack like HTTP Basic Auth or cookies (ugh!) you pretty much get it for free.

    --
    Unlimited growth == Cancer.
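The signed-URL scheme phliar sketches, as an added illustration that is not code from the post: each outgoing URL carries an expiry timestamp, a key id and a keyed hash, and the same site verifies it with one hash per request. It uses HMAC-SHA256 rather than the bare MD5 the post mentions; KEYS, TTL_SECONDS and the sample path are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed keys, indexed by key id so that a compromised key can be
# retired without invalidating URLs signed under the others.
KEYS = {"k1": b"older-key-material", "k2": b"current-key-material"}
CURRENT_KEY_ID = "k2"
TTL_SECONDS = 3600  # how long a signed URL stays valid


def _mac(key, path, exp, kid):
    # Keyed hash over path, expiry and key id (HMAC-SHA256 instead of the
    # bare MD5 the post mentions; an unkeyed hash would bind no secret).
    msg = f"{path}|{exp}|{kid}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(path, now=None, kid=None):
    """Append expiry, key id and signature to an outgoing URL."""
    kid = kid or CURRENT_KEY_ID
    exp = int(time.time() if now is None else now) + TTL_SECONDS
    sig = _mac(KEYS[kid], path, exp, kid)
    return path + "?" + urlencode({"exp": exp, "kid": kid, "sig": sig})


def verify_url(url, now=None):
    """True only for an unexpired URL signed with a key we still trust."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        exp, kid, sig = int(q["exp"][0]), q["kid"][0], q["sig"][0]
    except (KeyError, ValueError):
        return False
    key = KEYS.get(kid)
    if key is None:  # retired or unknown key id
        return False
    if int(time.time() if now is None else now) > exp:  # timestamp expired
        return False
    # Constant-time compare so the check does not leak the signature.
    return hmac.compare_digest(sig, _mac(key, parts.path, exp, kid))


def retire_key(kid):
    """Drop a compromised key; URLs signed under it stop verifying."""
    KEYS.pop(kid, None)
```

No per-request state is kept, which is what makes the load balancing the post mentions straightforward.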
  120. BLogs... by DraKKon · · Score: 1
    Why do these "blogs" even keep logs of referer links? This is pure narcissism (and more importantly, a waste of disk space - even though disk is cheap, it's still worth more than someone else's paltry feeling of acceptance). If you're going to say something, just say it. Don't base your life around how many people like what you say. "Ohh, somebody linked to my journal, that means I'm special and I can now feel good about myself." Ahh - get a life.


    Isn't that the whole point of blogs? To see who is reading you? And I'm sure that most of the blogging people are preteen/teen kids so: "Ohh, somebody linked to my journal, that means I'm special and I can now feel good about myself.", shallow yes, but most likely true.
    --
    "It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
  121. Re:referer information should be disabled by defau by Zeinfeld · · Score: 2
    Where it == a change to how referrer information is sent. As there clearly are some benefits for the website developer/author in having the referrer info, the situation after the change could be an analogy to what is used with cookies :: the referrer info would only be sent if 1) the user is following a link (or similar mechanism) and 2) the link being followed resides in the same space.

    The HTTP spec is not owned by the IETF. I have no intention to work on it in the near future, I am currently working on Web Services security.

    The cookies model is the wrong one. We want to track across sites. It is important for the maintainer of CNN to be able to find out if the BBC has linked to their story.

    The places where I would make changes are in the privacy area. The mechanism should be optional and be disabled by a switch. Referer links should never reveal the existence of a private document such as a bookmarks file.

    However in terms of priorities I would put making popup windows optional much higher on the list. It should be possible to disable Javascript and Macromedia on a per site basis. IE is almost there in the later editions. I have killed a lot of popup ads by simply nominating their zone as being not authorized to run javascript. Jscript and Active-X should be managed the way images once were, the text would load and then you would press a button to load the images if you wanted them.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  122. Another use for referers by jcam2 · · Score: 1

    If you are running any kind of web-based interface
    that can do dangerous things and normally requires
    a password to login (such as webmin), referers
    are very useful for protecting you from malicious
    links.

    For example, if you had webmin on localhost and
    visited a web page with HTML like
    <img src='http://localhost:10000/proc/run.cgi?cmd=rm+*' >
    webmin will check the referer and save your files
    from deletion. Without referer headers, there is
    no way to tell the difference between the user
    intentionally doing something, and the browser
    being fooled into opening some dangerous URL!

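The referer check jcam2 describes, as an added illustration rather than webmin's own code: a command is only run when the Referer names one of the interface's own pages, and a missing Referer is refused. OWN_ORIGINS, REQUESTS and the hostnames are constructed; the example also shows why the comparison belongs on the parsed origin rather than a string prefix.

```python
from urllib.parse import urlsplit

# Constructed: the origin(s) on which the admin interface itself is served.
# Include every alias the browser might use, or real users get locked out.
OWN_ORIGINS = {("http", "localhost", 10000), ("http", "127.0.0.1", 10000)}


def referer_origin(referer):
    """Scheme, host and port of a Referer header, or None if unusable."""
    if not referer:
        return None
    p = urlsplit(referer)
    try:
        port = p.port
    except ValueError:  # e.g. "localhost:10000.evil.example" is not a port
        return None
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    if port is None:
        port = 443 if p.scheme == "https" else 80
    return (p.scheme, p.hostname, port)


def allow_state_change(headers):
    """Fail closed: a command runs only when the Referer is one of our pages.

    A naive prefix test such as referer.startswith("http://localhost:10000")
    would also accept http://localhost:10000.evil.example/, which parses as
    host "localhost" with an invalid port; comparing parsed origins does not.
    """
    return referer_origin(headers.get("Referer")) in OWN_ORIGINS


# Constructed requests, keyed by what each one represents.
REQUESTS = {
    "own_form": {"Referer": "http://localhost:10000/proc/index.cgi"},
    "hostile_img": {"Referer": "http://evil.example/page.html"},
    "lookalike": {"Referer": "http://localhost:10000.evil.example/"},
    "no_referer": {},  # old proxy or privacy setting: cannot be told apart
}

if __name__ == "__main__":
    for name, headers in REQUESTS.items():
        print(name, "allowed" if allow_state_change(headers) else "refused")
```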
  123. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    Do you really believe that all links created to your site will be 100% correct at that time?

    The world is full of bozos who make typos. Should we ignore them because of that? If your ecomm site was mentioned at NYT.com but they fubarred the URL would you say "oh well", or try desperately to get them to fix their page before the traffic drops off, or simply do something on your end to redirect the bad-url to the intended destination?

  124. Re:referer information should be disabled by defau by t · · Score: 1
    The parent post was two whole sentences, you could have at least read it.
    It's good to know who is sending users to a dead link. Just by checking the referrer information for the 404 entries in your logs you can determine what website is pointing users to a document that you have deleted or moved.
    What part of "deleted" or "moved" do you not fucking understand? Fucking AC dipshits.
  125. Referer sending policy in browsers by paskie · · Score: 1

    It would maybe be nice to have the possibility in browsers to set whether the referer should actually be sent and what should be sent inside. In fact, I know only about ELinks and Links having this now - you're free to set the referer to "fake referer" (some string you're going to write down there is going to be sent), "normal referer" or a referer containing the URL of the page being loaded ("self-pointing referer" ;-). The "self-pointing referer" is set as default, and it helps in working around most of the "protection" mechanisms, while effectively disclosing no possibly private information. Would be nice to see this in other browsers as well..

    --
    It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
  126. Re:referer information should be disabled by defau by Anonymous Coward · · Score: 0

    I think that perhaps you should investigate the workings of a local HTTP proxy called WebWasher (http://www.webwasher.de/). It has a feature for dealing with referer, and one of the options implements your suggestion, and it also allows content-filtering for things like Flash, JavaScript, etc., as well as wholesale domain-based access-filtering. It can also filter pop-ups, and I use it alongside Mozilla, which contains its own pop-up, cookie, and image-filtering features.

    Together, I feel that they make my internet "surfing" experience unbeatable, and safe, something it should always have been, before MS decided to invade.

  127. logs by Elbow+Macaroni · · Score: 1

    They keep logs so they can see if anyone is looking. But I agree all that personalization stuff is stupid. People come to the web for information. If we asked your name, email address etc. every time you walked into a real store you would never come back.

    --
    -------------------------------------
    Technically, we are beyond survival.