Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Spam Frontier: Referer Logs

Posted by timothy on from the die-spammers-die dept.

geoffsmith writes "Wired News is reporting that spammers are using referer logs as a cheap new way to spam small sites. Anyone running a website has probably already seen this phenomenon; I'm thinking of writing a script to remove these entries from my access_log by looking for hits that don't grab my images. (sorry lynx users!)"

12 of 252 comments (clear)

  1. The spammer speaks... by reaper20 · · Score: 5, Interesting

    "I'll adapt or I'll discontinue. I'm not planning on becoming the major annoyance of the blogging world.... I'm not too worried my reputation. Marketing is all about being innovative, different, adaptive, taking risks and knowing how to use the technology. I'm trying to be all that."

    Heh, it's funny that this guy can make this statement and expect to be taken seriously. It's even more pathetic that he actually thinks he's "innnovative".

  2. Re:Spam Lite by Em+Emalb · · Score: 3, Interesting

    Actually, yeah I have. I normally get 20-30 a day on my throw-away hotmail account, I just checked it for the first time in a week and had a total of 4 messages in my inbox--all spam of course, but there were NONE in the junk mail folder. Hopefully they put some sort of spam stopper in place? We can only dream.

    --
    Sent from your iPad.
  3. referer information should be disabled by default by jukal · · Score: 5, Interesting

    I don't know who started it - but I find it very odd that browsers send referer info by default. Why? It does not provide anything extra for the user but problems. It is not once or twice that you find URLs to "confidential" pages if you browse through your webserver logs. And... I bet 95% of web surfers do not even know that they are sending this information all the time. Is there really any reason why the default is to send the referer info? I have seen people riot on much less important privacy issues. Why not about this? The referer plague exists in almost all browsers - and only in few browsers you actually can easily turn it off. What's going on?

  4. Re:They will never stop. by kryonD · · Score: 5, Interesting

    True, but at the same time wrong. Has anybody else noticed that the internet is currently the most active battlefield in hostory?

    Lowlife (but capitolist god bless 'em) pigs generate spam to sell their penis enlargement scam and mail clients develop ways to filter and block email. Distraction.

    Distributed Denial of Service attacks attempt to shake the very foundations of the NET through bandwidth flooding and sysadmins implement redundancy and load balancing. Jamming - Frequency Hopping.

    Remote exploits and virus appear everyday and patches are generated quickly for the more quality OS's and virus updates are required daily for Micro$oft OS's. Infiltration.

    Governing bodies exist that the people disagree with such as the RIAA and MPAA. Demonstrations are held in both violent(DDoS) and non-violent(civil disobedience of P2P) manners. Revolution.

    Needless to say, civilization has managed to survive for thousands of years despite man's desire to control everything including his fellow men. I think the internet will find a way.

    --
    I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
  5. what is this? by Dr.+Awktagon · · Score: 3, Interesting

    I'm not sure I understand. Does this mean the spammers put links on their own porn (or whatever) sites, and casual surfers will click into the blog from the porn site, thus making the porn site show up in the logs as the referer? That's how the referer is supposed to work, right?

    Or are they just bots that hit random web sites and send fake referers along?

    Either way, I have absolutely no clue why this would be abusive or even annoying? Can someone explain? Do people sit around checking their referers all day long?? (Then again, I don't understand why anyone would run a blog, so maybe I'm just out of touch).

    I clean out all my outgoing referers (thanks squid), so maybe I subconciously assume everybody else does too. Never thought of the referers as anything but a silly waste of bandwidth, since they can be forged so easily.

    1. Re:what is this? by crapulent · · Score: 3, Interesting

      My interpretation of this article is that the spammers are setting their client's "Referer:" header field to their porn site, and then retrieving pages from the blogs. The result is that links to the porn/spam sites appear in the Apache referer log file on the blog site. The spammers do this because they know the blog operators pay extra attention to their referer logs and are likely to follow those links (either out of curiosity or out of the desire to maintain reciprocity with other blogs that may link to them.) Apparently the bloggers have scripts that automatically harvest all the URLs from these referer logs to make this process easier.

      I don't think the spammer would bother creating an actual link on their porn/spam site to the blog, although this would work as well. It's silly though since it's more work and it still requires that someone actually click on the link for the porn URL to make it into the referer log. Why bother when they could just run an automated script to hit the blog with the forged "Referer:" and then discard the results. The only possible reason to do it this way is that the spam URL would be sent multiple times from different IP addresses, and hence harder to filter or ignore.

      The confusing bit is that the article mentions that this might prop up the blog's SearchRank relevancy. This would only be the case with the latter method (creating an actual link) whereas the more straightforwad way would have no such effect.

  6. Re:Spam Lite by BurritoWarrior · · Score: 3, Interesting

    I read somewhere (sorry, can't remember where ) that Microsoft updated their anti-spam service to coincide with the rollout of MSN 8. I believe it was Brightmail that they are using now.

    Wish I could remember where I read it, I would give you a link. Best I can find right now is:

    http://join.msn.com/?page=features/junkmail&pgma rk et=en-us&RU=http%3a%2f%2fjoin.msn.com%2f%3fpage%3d misc%2fspecialoffers%26pgmarket%3den-us

  7. Re:Spam Lite by NeMon'ess · · Score: 3, Interesting

    One day soon I'm going to tell everyone using my hotmail account to use a yahoo account I've set up. I tolerated the increasing spam by using the custom filters. This worked until I hit the limit of 36. Then I had to get creative to work within that boundry. This was okay until last week when the my custom filters page now tells me I am over my limit of 10 filters and must delete 26 of them or pay for Hotmail Extra Extortion Services. Fuck them. I had the account before MS bought Hotmail and I tolerated all the crap until now. Yahoo's junk mail filters actually work so that's where I'll be.

  8. Re:I don't know if these are *as* bad. by dattaway · · Score: 3, Interesting

    The "solution" you mentioned wouldn't really work, as the spammers could simply download your images as well.

    I see a solution in this. It would be the spammer's own DOS attack. If they willing to download /dev/zero in order to place their refer entry, that's great, more power to them. If they don't download data, that invalid refer entry could easily be dismissed. Solution? I'm sure someone will crank out a spammer-refer-mod to include in apache.conf over this. :)

  9. Re:referer information should be disabled by defau by FTL · · Score: 4, Interesting
    >I don't know who started it - but I find it very odd that browsers send referer info by default. Why? It does not provide anything extra for the user but problems.

    It is extremely useful for security purposes.

    No, not the security most people are thinking of. Checking to see if the user came from FeedBack.html before executing FormMail.pl is no security, since spammers can forge any referer they want.

    I'm talking about security which stops a human user who is logged in to a particular website from being tricked into performing actions they didn't authorise. For instance: I log into my server's adminsitrative area. Then, in another window, I browse someone's blog. And I click on their "search" button. As it turns out, this search button is a trap, which sends me to my own admin area with a command to delete someone's account. I'm logged in, I have a valid network address, I'm active, there's no problem. Except that fortunately my browser sends "Referer: www.blog.org" instead of "Referer: www.admin.com".

    That's why referer info is useful: to prevent a user from being hijacked.

    --
    Slashdot monitor for your Mozilla sidebar or Active Desktop.
  10. Guestbook spam by AlpineR · · Score: 4, Interesting
    Here is another form of spam that was new to me. Apparently some German pr0n site operators are filling my guestbook with bogus entries linked to their offerings. It seemed an odd way to advertise at first (who the heck visits my site, much less reads my guestbook ;-), but now I realize that it helps their Google stats.

    For now I'll delete the entries by hand, but if this increases it could get really annoying.

    AlpineR

  11. Referer checking for images by achurch · · Score: 4, Interesting
    I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

    And this is, of course, broken behaviour.

    So do you have an alternative proposal to prevent resource (i.e. bandwidth) theft? That is a very real problem, and no amount of arguing that the current solution is "broken" will get people to change unless you provide them an alternative.