Slashdot Mirror


New Spam Frontier: Referer Logs

geoffsmith writes "Wired News is reporting that spammers are using referer logs as a cheap new way to spam small sites. Anyone running a website has probably already seen this phenomenon; I'm thinking of writing a script to remove these entries from my access_log by looking for hits that don't grab my images. (sorry lynx users!)"

41 of 252 comments

  1. They will never stop. by SexyKellyOsbourne · · Score: 4, Insightful

    The entire internet will eventually go down in a deluge of spam unless it is made illegal and the laws are enforced!

    1. Re:They will never stop. by kryonD · · Score: 5, Interesting

      True, but at the same time wrong. Has anybody else noticed that the internet is currently the most active battlefield in history?

      Lowlife (but capitalist god bless 'em) pigs generate spam to sell their penis enlargement scam and mail clients develop ways to filter and block email. Distraction.

      Distributed Denial of Service attacks attempt to shake the very foundations of the NET through bandwidth flooding and sysadmins implement redundancy and load balancing. Jamming - Frequency Hopping.

      Remote exploits and viruses appear every day and patches are generated quickly for the more quality OS's and virus updates are required daily for Micro$oft OS's. Infiltration.

      Governing bodies exist that the people disagree with such as the RIAA and MPAA. Demonstrations are held in both violent(DDoS) and non-violent(civil disobedience of P2P) manners. Revolution.

      Needless to say, civilization has managed to survive for thousands of years despite man's desire to control everything including his fellow men. I think the internet will find a way.

      --
      I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
    2. Re:They will never stop. by IIRCAFAIKIANAL · · Score: 5, Informative

      Please do not equate civil disobedience and P2P. Civil disobedience is essentially something you do in the open with the intention of getting caught and possibly prosecuted.

      If you want to learn about what civil disobedience really is, check this or this out.

      If you think that the Internet is the most active battlefield today, you need to visit a few places.

      --
      Robots are everywhere, and they eat old people's medicine for fuel.
    3. Re:They will never stop. by IIRCAFAIKIANAL · · Score: 4, Insightful
      Perhaps linking to or publishing the code to DeCSS would have been a better example.
      Yes, it would have :)
      You have no concept of either A)what a battlefield is, or B)what's REALLY going on in the world.
      I agree that the Internet can be and is a battlefield. So can Wall Street or the TSE. Or major media sources. Or the telephone. I don't agree that it is the most active - perhaps from a first world perspective, but I try and think a little more globally than that.
      Just a note: We have more attacks per day on one of our public .mil servers than we have had real contingency issues(to include disasters and humanitarian aid) in the whole theater all year.
      And how many people died due to those attacks on the public .mil servers? (Yes, I am sure they are important for various reasons, but if I was *attacking* the USA, I would be hacking hospital databases - there is a scary potential for warfare there).
      Has anybody else noticed that the internet is currently the most active battlefield in history?
      Hacking a .mil server certainly qualifies as warfare but you basically said that the internet is a more active battlefield than, say, WW2. I disagree.

      (And anyone considering invoking Godwin's law... piss off :)

      I concede that the Internet certainly *is* a battlefield. However, considering that conflict on the Internet barely affects most of the people of the world, I wouldn't rate it so high.
      --
      Robots are everywhere, and they eat old people's medicine for fuel.
  2. The spammer speaks... by reaper20 · · Score: 5, Interesting

    "I'll adapt or I'll discontinue. I'm not planning on becoming the major annoyance of the blogging world.... I'm not too worried my reputation. Marketing is all about being innovative, different, adaptive, taking risks and knowing how to use the technology. I'm trying to be all that."

    Heh, it's funny that this guy can make this statement and expect to be taken seriously. It's even more pathetic that he actually thinks he's "innovative".

    1. Re:The spammer speaks... by Ponty · · Score: 4, Insightful

      It is innovative. I was surprised and amused. It's awful, though. There's no rule that innovative things have to be positive.

      Anyhow, unless the traffic is completely disabling, I don't see this as more than an annoyance that technology will filter out when it becomes sufficiently obnoxious.

  3. Spam Lite by Cyno01 · · Score: 4, Insightful

    I don't know if I'm the only one, but has anyone else who doesn't filter their e-mail noticed a drop off in the amount of spam they receive? For about the past 2 weeks, the amount of spam in my hotmail inbox has dropped from about 40 to around 15 a day. Anyone else had something similar to this happen?

    --
    "Sic Semper Tyrannosaurus Rex."
    1. Re:Spam Lite by Em+Emalb · · Score: 3, Interesting

      Actually, yeah I have. I normally get 20-30 a day on my throw-away hotmail account, I just checked it for the first time in a week and had a total of 4 messages in my inbox--all spam of course, but there were NONE in the junk mail folder. Hopefully they put some sort of spam stopper in place? We can only dream.

      --
      Sent from your iPad.
    2. Re:Spam Lite by BurritoWarrior · · Score: 3, Interesting

      I read somewhere (sorry, can't remember where ) that Microsoft updated their anti-spam service to coincide with the rollout of MSN 8. I believe it was Brightmail that they are using now.

      Wish I could remember where I read it, I would give you a link. Best I can find right now is:

      http://join.msn.com/?page=features/junkmail&pgmarket=en-us&RU=http%3a%2f%2fjoin.msn.com%2f%3fpage%3dmisc%2fspecialoffers%26pgmarket%3den-us

    3. Re:Spam Lite by NeMon'ess · · Score: 3, Interesting

      One day soon I'm going to tell everyone using my hotmail account to use a yahoo account I've set up. I tolerated the increasing spam by using the custom filters. This worked until I hit the limit of 36. Then I had to get creative to work within that boundary. This was okay until last week when my custom filters page now tells me I am over my limit of 10 filters and must delete 26 of them or pay for Hotmail Extra Extortion Services. Fuck them. I had the account before MS bought Hotmail and I tolerated all the crap until now. Yahoo's junk mail filters actually work so that's where I'll be.

  4. Lynx users? by Anonymous Coward · · Score: 5, Funny

    (sorry lynx users)

    Don't worry. It's highly unlikely that any of the 4 current users will visit your website anyway.

  5. Well.. by joyoflinux · · Score: 3, Insightful

    He just got a link posted on /. and Wired--I wonder how many spammers are going to target him now...This seems a little against logic

  6. In other news... by CySurflex · · Score: 5, Funny

    Windows users are complaining that Microsoft is filling up their computer's System Event Log with spam about illegal exceptions and page faults.

  7. referer information should be disabled by default by jukal · · Score: 5, Interesting

    I don't know who started it - but I find it very odd that browsers send referer info by default. Why? It does not provide anything extra for the user but problems. It is not once or twice that you find URLs to "confidential" pages if you browse through your webserver logs. And... I bet 95% of web surfers do not even know that they are sending this information all the time. Is there really any reason why the default is to send the referer info? I have seen people riot on much less important privacy issues. Why not about this? The referer plague exists in almost all browsers - and only in few browsers you actually can easily turn it off. What's going on?

  8. You can do better than that by Subcarrier · · Score: 3, Insightful

    Actually it would be quite nice to see some of these "marketing gurus" put a little more thought into their spam. Today, some of the most carefully crafted content on TV is commercials (lamentably, also some of the worst). Watch and learn. I wouldn't mind receiving a spam that is fresh, funny, engaging, and didn't involve a virgin, my cock, a septic tank, or a gentleman from Nigeria. I wouldn't mind a funny beer commercial, for instance.

    --
    "I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
  9. Sorry 'bout what? by PissingInTheWind · · Score: 3, Insightful

    ...(sorry lynx users!)

    Sorry about what? Why should they care whether you keep them in your log or not?

    --

    A message from the system administrator: 'I've upped my priority. Now up yours.'
  10. Boost search engine ranking? by j7953 · · Score: 3, Insightful

    From the wired article:

    ... even though they ruefully admit that the log spamming may falsely boost their ranking on some search engines.

    Umm, huh? I don't think the spammers actually link to the sites, they probably just send HTTP requests with faked referrer headers that contain the URLs of the spammer's web site. That won't boost your search engine rankings.

    --
    Sig (appended to the end of comments I post, 54 chars)
  11. Score another for Opera! by RevRagnarok · · Score: 3, Informative

    In the regular prefs and the "quick prefs" (F12 under Windows version) Opera lets you turn off referrer logging. The only time I need to turn it on is certain sites, like my credit union, which is no big deal...

    --
    I should put something clever here. Maybe someday.
  12. Re:huh by calyxa · · Score: 5, Informative
    no, they hit the page with their link in the referrer field. some sites post reports from their web logs showing where hits are referred from, so it'd be like:

    255.255.255.255 - - [27/Oct/2002:00:00:00 -0000] "GET /perfectly/valid/page/at/yoursite.html" 200 2467 "http://www.wilddonkeysex.com_for_Wild_Donkey_Sex/" "(SpamBot5000)"

    and then people looking at the report would say, "hey, the page at wilddonkeysex links to my perfectly/valid/page and it's getting like 500 hits a day from there, woo! let's click on that url and see what the link to my page looks like!"

    -calyxa

    --
    Decay! Decay! Decay! -Helium
  13. what is this? by Dr.+Awktagon · · Score: 3, Interesting

    I'm not sure I understand. Does this mean the spammers put links on their own porn (or whatever) sites, and casual surfers will click into the blog from the porn site, thus making the porn site show up in the logs as the referer? That's how the referer is supposed to work, right?

    Or are they just bots that hit random web sites and send fake referers along?

    Either way, I have absolutely no clue why this would be abusive or even annoying? Can someone explain? Do people sit around checking their referers all day long?? (Then again, I don't understand why anyone would run a blog, so maybe I'm just out of touch).

    I clean out all my outgoing referers (thanks squid), so maybe I subconsciously assume everybody else does too. Never thought of the referers as anything but a silly waste of bandwidth, since they can be forged so easily.

    1. Re:what is this? by crapulent · · Score: 3, Interesting

      My interpretation of this article is that the spammers are setting their client's "Referer:" header field to their porn site, and then retrieving pages from the blogs. The result is that links to the porn/spam sites appear in the Apache referer log file on the blog site. The spammers do this because they know the blog operators pay extra attention to their referer logs and are likely to follow those links (either out of curiosity or out of the desire to maintain reciprocity with other blogs that may link to them.) Apparently the bloggers have scripts that automatically harvest all the URLs from these referer logs to make this process easier.

      I don't think the spammer would bother creating an actual link on their porn/spam site to the blog, although this would work as well. It's silly though since it's more work and it still requires that someone actually click on the link for the porn URL to make it into the referer log. Why bother when they could just run an automated script to hit the blog with the forged "Referer:" and then discard the results. The only possible reason to do it this way is that the spam URL would be sent multiple times from different IP addresses, and hence harder to filter or ignore.

      The confusing bit is that the article mentions that this might prop up the blog's SearchRank relevancy. This would only be the case with the latter method (creating an actual link) whereas the more straightforward way would have no such effect.

  14. Re:*sigh* by Dyolf+Knip · · Score: 5, Insightful
    The few stats I've come across regarding spam 'success' suggest that if they get more than a dozen responses (excluding the fools who actually send back "Take me off your list") per one million emails they're having a good day.

    [Wishful thinking mode ON!]
    This implies that there are, maybe, all of 10,000 suckers who keep every spammer on the planet in business. If we find them and cut them off, spam response would drop to about 1 per billion and there's just no way they could make any money off of that.

    --
    Dyolf Knip
  15. Re:referer information should be disabled by defau by jukal · · Score: 5, Funny
    I have come across a few sites that use the refer info to let you access files and images, so other sites can't just link directly to the file.

    Yes, referrer information makes an excellent authentication scheme for highly confidential system dealing with transfer of mission critical information. ... Just also check for a magic string in the user agent and voila! trusted computing reinvented. To make it unhackable - just add a few more levels of obfuscation. ;))) The sad part of this, is that I have actually seen authentication schemes like this. Don't know whether I should cry or laugh :)

  16. Re:referer information should be disabled by defau by Openadvocate · · Score: 4, Insightful

    There are many reasons, mostly for those who program websites. Sometimes you don't want people to see a page before another. This could also be solved with cookies, but some block those too.
    Then there is the statistics, learn how people navigate around your site. Referer can help you see a pattern and improve your layout.
    Also it can prevent bandwidth hogs, mostly an issue with ad graphics and pron sites where people use graphics from others' servers on html pages on their own sites but also on free servers where people place graphics and files and link to those directly without using any html and then not showing any of the free servers' ads which provide them with money to run the sites in the first place.

    --
    my sig
  17. Re:huh by CySurflex · · Score: 4, Informative
    let's click on that url and see what the link to my page looks like!

    I think it's more than the web site's owner clicking on the page - a lot of bloggers post a list of "top referrers" on their web site as a way of thanking the referrers, and therefore they generate a lot of traffic to their referrers from their own visitors.

  18. Re:*sigh* by AirLace · · Score: 3, Insightful

    I know why this problem is endemic. It's certainly down to more than the "10,000 suckers" you suggest.

    I always use the example of my father, who is your archetypical pre-UNIX geek. He did all the PDP-11 stuff, worked with the VAXes and hacked machine code in ways that I don't yet understand -- an intensely intelligent man. Yet, every few months when I go to visit him, we get to talking about the internet and the first thing he does is talk about what he's bought online. For him, paying spammers is part and parcel of buying online -- he's paid spammers for search engine placings for his personal site, silly trinkets like water pumps and gardening tools and books.

    To people who aren't part of the current 'geek' cognoscenti, spam is just another form of valid advertising, like the leaflets they get in the post and the billboards they walk past on their way to work. This isn't a specific group of people -- you can't "find them and cut them off" -- you need to target the problem at its source.

  19. Re:I don't know if these are *as* bad. by dattaway · · Score: 3, Interesting

    The "solution" you mentioned wouldn't really work, as the spammers could simply download your images as well.

    I see a solution in this. It would be the spammer's own DOS attack. If they willing to download /dev/zero in order to place their refer entry, that's great, more power to them. If they don't download data, that invalid refer entry could easily be dismissed. Solution? I'm sure someone will crank out a spammer-refer-mod to include in apache.conf over this. :)
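
The heuristic from the story and from the comment above (a forged-Referer bot requests pages but never the images), as an added example that is not part of the original thread. It assumes Apache "combined" log format; the host name `www.myblog.example`, the asset suffix list and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
ASSET_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png", ".css", ".js", ".ico")  # assumption

# Constructed sample log (documentation IP ranges and .example hosts).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Oct/2002:10:00:01 +0000] "GET /blog/entry1.html HTTP/1.0" 200 2467 "http://friend.example/links.html" "Mozilla/4.0 (compatible)"',
    '198.51.100.7 - - [27/Oct/2002:10:00:02 +0000] "GET /img/header.gif HTTP/1.0" 200 912 "http://www.myblog.example/blog/entry1.html" "Mozilla/4.0 (compatible)"',
    '192.0.2.44 - - [27/Oct/2002:10:05:00 +0000] "GET /blog/entry1.html HTTP/1.0" 200 2467 "http://pills.spam.example/" "(SpamBot5000)"',
    '192.0.2.44 - - [27/Oct/2002:10:05:01 +0000] "GET /blog/entry2.html HTTP/1.0" 200 1804 "http://pills.spam.example/" "(SpamBot5000)"',
    '203.0.113.9 - - [27/Oct/2002:10:09:00 +0000] "GET /blog/entry2.html HTTP/1.0" 200 1804 "-" "Lynx/2.8.4"',
    '203.0.113.20 - - [27/Oct/2002:10:12:00 +0000] "GET /blog/entry1.html HTTP/1.0" 200 2467 "http://search.example/?q=blog" "Lynx/2.8.4"',
]


def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    # The path is the second token of the request line; drop any query string.
    rec["path"] = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    return rec


def external_referer_host(rec, own_hosts):
    """Host name of the Referer if it points off-site, otherwise None."""
    ref = rec["referer"]
    if ref in ("", "-"):
        return None
    try:
        host = urlsplit(ref).hostname
    except ValueError:
        return None
    if host is None or host in own_hosts:
        return None
    return host


def split_referer_spam(lines, own_hosts):
    """Split log lines into (kept, dropped, dropped_referer_hosts).

    A line is dropped when it carries an off-site Referer and the same
    client (IP + User-Agent) never requested an image or other page asset
    anywhere in the log. Lines that do not parse are kept untouched.
    """
    records = [(line, parse(line)) for line in lines]

    # Pass 1: which clients behaved like a browser and fetched page assets?
    fetched_assets = set()
    for _, rec in records:
        if rec and rec["path"].lower().endswith(ASSET_SUFFIXES):
            fetched_assets.add((rec["ip"], rec["agent"]))

    # Pass 2: drop off-site referers reported by clients that never did.
    kept, dropped, hosts = [], [], Counter()
    for line, rec in records:
        host = external_referer_host(rec, own_hosts) if rec else None
        if host and (rec["ip"], rec["agent"]) not in fetched_assets:
            dropped.append(line)
            hosts[host] += 1
        else:
            kept.append(line)
    return kept, dropped, hosts


if __name__ == "__main__":
    kept, dropped, hosts = split_referer_spam(SAMPLE_LOG, {"www.myblog.example"})
    for host, n in hosts.most_common():
        print(f"dropped {n} hit(s) claiming referer {host}")
```

On the sample, the text-browser hit arriving from `search.example` is dropped along with the bot's two hits, which is the false positive the story apologises for.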

  20. Re:referer information should be disabled by defau by stienman · · Score: 5, Informative

    It's nice, as a site operator, to know where your guests are coming from. A good portion of my visitors come from Google and other search engines. The referrer log lets me know what they were searching for, and in nearly 95% of the cases they were looking for a specific topic on my site. I can send them directly there, give them a specific welcome message if they haven't been to my site before, etc.

    Furthermore I can restrict traffic for some areas of my site (like some sites that block links from slashdot) for particular reasons or uses. "You just came from the page of an associate and are able to receive a discount." "This page is restricted to users of xyz.com. Please go there first."

    Lastly, it protects my image content. My images are not stellar, and yet other sites continue to use them on their pages. I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

    Referrer information may be annoying to you, but it's an extremely useful tool. If taken away one restricts opportunities for the site operator to personalize and protect content on their site. Not a huge loss, but it isn't really as great a privacy issue as you seem to believe.

    -Adam

  21. Re:referer information should be disabled by defau by Dr.+Awktagon · · Score: 3, Insightful

    Just also check for a magic string in the user agent and voila! trusted computing reinvented. To make it unhackable - just add a few more levels of obfuscation. ;))) The sad part of this, is that I have actually seen authentication schemes like this. Don't know whether I should cry or laugh :)

    probably cry... what you described could easily be enforced with the DMCA.

    If you use wget, watch out when using "--referer" and "--user-agent".... you just might be breaking TEH LAW!!!

  22. Re:referer information should be disabled by defau by phliar · · Score: 3, Insightful
    Do what I do: use Privoxy. Not only can you use it right now with whatever your favourite browser is, it's free. Not only does it block ads, it allows you to set Referer: on all outgoing requests to whatever you want. (I set it so Referer: is always the base URL of the page being viewed.)

    Incidentally, I don't know why anyone bothers with logging referrer information. The only use sounds like what the bloggers do. If you're not a blogger, why do you even care who the referrer is? Half the time it's bogus or one of your own pages.

    --
    Unlimited growth == Cancer.
  23. RTFA by Galvatron · · Score: 3, Informative

    As it says in the article, some blogs have automated lists of the top referrers, so that visitors can see who links to the blog. And yes, we're talking about bots sending fake referrers.

    --
    "The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
  24. Re:referer information should be disabled by defau by FTL · · Score: 4, Interesting
    >I don't know who started it - but I find it very odd that browsers send referer info by default. Why? It does not provide anything extra for the user but problems.

    It is extremely useful for security purposes.

    No, not the security most people are thinking of. Checking to see if the user came from FeedBack.html before executing FormMail.pl is no security, since spammers can forge any referer they want.

    I'm talking about security which stops a human user who is logged in to a particular website from being tricked into performing actions they didn't authorise. For instance: I log into my server's administrative area. Then, in another window, I browse someone's blog. And I click on their "search" button. As it turns out, this search button is a trap, which sends me to my own admin area with a command to delete someone's account. I'm logged in, I have a valid network address, I'm active, there's no problem. Except that fortunately my browser sends "Referer: www.blog.org" instead of "Referer: www.admin.com".

    That's why referer info is useful: to prevent a user from being hijacked.

    --
    Slashdot monitor for your Mozilla sidebar or Active Desktop.
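
The Referer check described in the comment above, as an added example that is not part of the original thread. It contrasts a substring match with a parsed, exact-host comparison; the function names are hypothetical, the host names are the ones used in the comment, and the test values are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_referer_ok(referer, trusted_host):
    """Weak check shown for contrast: the trusted name appears somewhere."""
    return trusted_host in (referer or "")


def referer_verdict(referer, trusted_scheme, trusted_host, allow_missing=False):
    """Classify a Referer value against the one origin allowed to trigger actions.

    Returns "ok", "reject-foreign", "reject-malformed", or, when the header
    is absent, "allow-missing" / "reject-missing" depending on policy.
    """
    if not referer:
        # Privacy proxies and browser settings can strip the header, so a
        # missing value is a policy decision, not proof of an attack.
        return "allow-missing" if allow_missing else "reject-missing"
    try:
        parts = urlsplit(referer.strip())
        port = parts.port  # raises ValueError on a bad port
    except ValueError:
        return "reject-malformed"
    scheme = parts.scheme
    host = (parts.hostname or "").rstrip(".")
    if scheme not in DEFAULT_PORTS or not host:
        return "reject-malformed"
    same_origin = (
        scheme == trusted_scheme
        and host == trusted_host.lower()
        and port in (None, DEFAULT_PORTS[scheme])
    )
    return "ok" if same_origin else "reject-foreign"


def authorize_admin_action(headers, session_valid,
                           trusted_scheme="https", trusted_host="www.admin.com"):
    """Gate a state-changing admin request on session AND originating page.

    The Referer is not authentication: it only tells a logged-in user's
    genuine browser apart from a request that another site made it send.
    """
    if not session_valid:
        return False, "no-session"
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    verdict = referer_verdict(referer, trusted_scheme, trusted_host)
    return verdict == "ok", verdict


# Constructed Referer values that contain the trusted name without being it.
LOOKALIKES = [
    "https://www.admin.com.blog.org/search",
    "https://www.blog.org/?from=www.admin.com",
    "https://www.admin.com@www.blog.org/",
]

if __name__ == "__main__":
    for ref in LOOKALIKES:
        print(ref, naive_referer_ok(ref, "www.admin.com"),
              referer_verdict(ref, "https", "www.admin.com"))
```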
  25. Re:referer information should be disabled by defau by Permission+Denied · · Score: 4, Insightful
    I can send them directly there, give them a specific welcome message if they haven't been to my site before, etc.

    This is so damned annoying. If I'm searching for some specific information, I don't give a damn about your idiotic welcome page. I don't care what your website is about or what you have to say on your other pages - all I care about is the specific technical information that google told me you have.

    More and more, I'm finding myself using Google's cache instead of clicking on the actual links. I know you couldn't care less about my insignificant browsing habits, but the more people start doing annoying crap like this, the more people start using google instead of the web.

    "This page is restricted to users of xyz.com. Please go there first."

    Do you realize how stupid this is? You're trying to control how I use my browser. Of course I'm not going to go to xyz.com and try to use their idiotic navigation looking for a link to you. You're simply advocating another form of advertisement and I'm not interested. I care about the data you're providing, not how you're getting funded.

    I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

    And this is, of course, broken behaviour. Did you know that when you open a new link in Netscape/Mozilla that the browser does not send any referer at all? This means that I can't open your images in new windows and I'm constrained to view your images one at a time. Also, some browsers change the referer for images when you "save" images (eg, right-click and choose "Save as..." may not send the referer you're expecting).

    If taken away one restricts opportunities for the site operator to personalize and protect content on their site.

    If you're using this to restrict content to your site ... well, forget it. If you have something I really want, I'll open up a terminal and telnet to port 80. Yes, this is indeed effective restriction. (Quiz to see if you really know what you're doing: how would you set it up so that you know that a user has previously visited another site, with cryptographic confidence?)

    As for "personalizing" content, please stop. The only times I've seen that word being used in a web context is to personalize advertising (and also restricting content because I'm not using IE, but don't get me started on that). I've never seen anyone "personalize" a site in a useful way, eg, "You're a C programmer who writes Solaris kernel modules, so you're probably not going to spring for my Herbal viagra scheme and I'm going to cut the marketing BS and give you only useful information."

    Why do these "blogs" even keep logs of referer links? This is pure narcissism (and more importantly, a waste of disk space - even though disk is cheap, it's still worth more than someone else's paltry feeling of acceptance). If you're going to say something, just say it. Don't base your life around how many people like what you say. "Ohh, somebody linked to my journal, that means I'm special and I can now feel good about myself." Ahh - get a life.

    I swear, "webmasters" piss me off.

  26. Re:huh by ShaunC · · Score: 3, Insightful
    and then people looking at the report would say, "hey, the page at wilddonkeysex links to my perfectly/valid/page and it's getting like 500 hits a day from there, woo! let's click on that url and see what the link to my page looks like!"
    Actually it's even better than that. As you mentioned, many sites place their server logs online for public viewing; but take that a bit further. A lot of website stats packages will automatically turn referring URLs (and other data) into hyperlinks, to "pretty up" the stats pages. Because some search engines rank your page, in part, based upon how many other sites link to you... Well, you see where I'm going with this.

    People don't have to visit the "victim" site at all, and they certainly don't have to browse the stats. The stats programs and search engine spiders will take care of everything. Got a low-ranking, poor traffic site that nobody links to? No problem, you can have 1,000 people linking to you by the end of the week, whether they know it or not. This really is nothing new, and the spamming side of it (i.e. repeatedly hammering a site) reminds me of how most TopSites work. These have been around forever, and so have the many methods of tricking them.

    Placing your URL as the referer to sites with public stats can be quite helpful in boosting your rank, and a slightly hacked copy of wget or w3mir can make it an easy task. I guess the only real "news" here is that, once again, a few village idiots have failed to realize that some things are only good in moderation. There's neither a need nor an excuse to log yourself as a referer to any particular site more than once a month; and hundreds or thousands of times in a day is just plain stupid.

    Shaun
    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  27. Re:*sigh* by ealar+dlanvuli · · Score: 4, Insightful

    I actually bought something from a spam. It was a slightly topical T-Shirt that I thought was clever. Cost me $15 (PayPal).

    The guy who sold it to me was obviously a late teen, and was making ok money selling shirts at about $5 profit per when I called him.

    I think most geeks have no problem with spam itself (in fact targeted spams that interest me often get clicks, I get about two of those a year), they have a problem with the number of scams that are sent using spam.

    --
    I live in a giant bucket.
  28. Backlinking by CaptainSuperBoy · · Score: 5, Insightful

    Backlinking, or posting your referral logs, is doomed to failure and rightly so. It's just a glorified way of making your site into a link farm, with the expectation that your fellow bloggers will do the same. It is serendipitous that this practice is open to 'abuse' although I would never call the abusers spammers. They are just utilizing a method for submitting data that the site owners themselves have provided. I don't see any reason to call this 'spam' since the site owners are inviting users to submit data through HTTP referral headers.

    Also, this quote from the article is ludicrous: "bloggers are not thrilled, even though they ruefully admit that the log spamming may falsely boost their ranking on some search engines."

    There is no search engine that bases your rank on the number of sites that you LINK to. I believe the bloggers actually mean that they're sorry to see their backlinks (read: link farms) go, since those do in fact raise search rankings. What a travesty- Sites may have to rely on the actual quality of their content, rather than trading links!

    Amidst the alarmist cries in the article, "spammers will destroy our practice of posting referral logs," nobody has even mentioned that there is a ridiculously easy technical solution. Before posting a referral link, why not just have your software visit the referring site and determine if it actually links to your page? This will defeat the referral advertisers.
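
The backlink check proposed in the comment above, as an added example that is not part of the original thread. The fetch step is injected as a callable so the example runs offline; the page contents, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class AnchorCollector(HTMLParser):
    """Collect absolute targets of <a href>; plain text and comments are ignored."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if not href:
            return
        try:
            # Resolve relative links against the page they were found on.
            self.targets.append(urljoin(self.page_url, href.strip()))
        except ValueError:
            pass


def page_links_to(html, page_url, my_hosts):
    """True if the page contains a real hyperlink to one of my_hosts."""
    collector = AnchorCollector(page_url)
    collector.feed(html)
    collector.close()
    for target in collector.targets:
        try:
            parts = urlsplit(target)
        except ValueError:
            continue
        if parts.scheme in ("http", "https") and parts.hostname in my_hosts:
            return True
    return False


def verified_referrers(referrers, my_hosts, fetch):
    """Return the referrer URLs whose pages really link back.

    `fetch(url)` returns the page HTML or None. The URLs come from a
    client-supplied header, so a real fetcher needs a timeout, a size cap
    and a refusal to connect to internal addresses.
    """
    verified = []
    for url in referrers:
        try:
            parts = urlsplit(url)
        except ValueError:
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # never fetch file:, ftp:, javascript: and the like
        html = fetch(url)
        if html is not None and page_links_to(html, url, my_hosts):
            verified.append(url)
    return verified


MY_HOSTS = {"www.myblog.example"}

# Constructed pages standing in for what a fetcher would download.
PAGES = {
    "http://friend.example/links.html":
        '<html><body><a href="http://www.myblog.example/blog/entry1.html">'
        'a blog I read</a></body></html>',
    "http://pills.spam.example/":
        '<html><body>Mentioned on www.myblog.example! <a href="/buy">Buy</a>'
        '<!-- <a href="http://www.myblog.example/">hidden</a> --></body></html>',
}

if __name__ == "__main__":
    seen = ["http://friend.example/links.html", "http://pills.spam.example/",
            "http://down.example/", "ftp://files.example/x"]
    print(verified_referrers(seen, MY_HOSTS, PAGES.get))
```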

  29. Guestbook spam by AlpineR · · Score: 4, Interesting
    Here is another form of spam that was new to me. Apparently some German pr0n site operators are filling my guestbook with bogus entries linked to their offerings. It seemed an odd way to advertise at first (who the heck visits my site, much less reads my guestbook ;-), but now I realize that it helps their Google stats.

    For now I'll delete the entries by hand, but if this increases it could get really annoying.

    AlpineR

  30. Referer checking for images by achurch · · Score: 4, Interesting
    I can use the referrer to limit the damage done by only allowing the images to be referred by pages from my own site.

    And this is, of course, broken behaviour.

    So do you have an alternative proposal to prevent resource (i.e. bandwidth) theft? That is a very real problem, and no amount of arguing that the current solution is "broken" will get people to change unless you provide them an alternative.

    1. Re:Referer checking for images by Permission+Denied · · Score: 4, Insightful
      So do you have an alternative proposal to prevent resource (i.e. bandwidth) theft?

      Session cookies based on a cryptographic hash of browser-identifiable information. Just hashing the IP and some secret string will prevent the bandwidth-stealing problem (not ideal since it breaks with NAT, but that's irrelevant if you're only trying to solve the deep-linking problem).

      In php, setcookie('hash', md5($_SERVER['REMOTE_ADDR'] . "TOPSECRET")) on page load, link to a file "image.php" instead of the .jpg and "image.php" does something like this: if (!isset($_COOKIE['hash']) || $_COOKIE['hash'] !== md5($_SERVER['REMOTE_ADDR'] . "TOPSECRET")) { header("Location: /error-documents/403.html"); exit(); }. This isn't complete (probably not even syntactically correct and be careful with what image.php allows one to download), but you get the idea. The actual image files can't be downloaded by apache, but can only be opened and sent to the browser through "image.php". For extra fun, re-generate the secret string from /dev/random every ten minutes (and keep around the last version of the key to avoid breaking on-going sessions).

      This stops everyone from stealing bandwidth (including telnet-wielding network programmers like me) and it annoys no one.
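
The cookie scheme from the comment above with its ten-minute key rotation, as an added example that is not part of the original thread. It swaps `md5(IP . secret)` for HMAC-SHA-256 with a constant-time comparison; the class and function names are hypothetical and the addresses are constructed.

```python
import hashlib
import hmac
import secrets


class RotatingKeyRing:
    """Current signing key plus the previous one, rotated every `rotate_every` seconds."""

    def __init__(self, rotate_every=600, now=0.0):
        self.rotate_every = rotate_every
        self.current = secrets.token_bytes(32)
        self.previous = None
        self.rotated_at = now

    def keys(self, now):
        """Rotate lazily if due, then return [current, previous] (previous may be absent)."""
        elapsed = now - self.rotated_at
        if elapsed >= self.rotate_every:
            steps = int(elapsed // self.rotate_every)
            # After one interval the old key stays valid as "previous";
            # after two or more, nothing issued under it is accepted.
            self.previous = self.current if steps == 1 else None
            self.current = secrets.token_bytes(32)
            self.rotated_at += steps * self.rotate_every
        return [self.current] + ([self.previous] if self.previous else [])


def sign(key, client_ip):
    return hmac.new(key, client_ip.encode(), hashlib.sha256).hexdigest()


def issue_token(ring, client_ip, now):
    """Value for the cookie set when the HTML page is served."""
    return sign(ring.keys(now)[0], client_ip)


def token_valid(ring, client_ip, token, now):
    """Accept a token made for this IP under the current or the previous key."""
    presented = (token or "").encode("utf-8", "ignore")
    ok = False
    for key in ring.keys(now):
        expected = sign(key, client_ip).encode()
        # compare_digest avoids leaking how many leading characters matched.
        ok = hmac.compare_digest(expected, presented) or ok
    return ok


def serve_image(ring, client_ip, cookies, now):
    """Status the image handler would return: 200 with the file, or 403."""
    return 200 if token_valid(ring, client_ip, cookies.get("hash"), now) else 403


if __name__ == "__main__":
    ring = RotatingKeyRing(rotate_every=600, now=0)
    cookie = {"hash": issue_token(ring, "198.51.100.7", now=10)}
    print(serve_image(ring, "198.51.100.7", cookie, now=20))    # page visitor
    print(serve_image(ring, "192.0.2.44", cookie, now=20))      # cookie replayed elsewhere
    print(serve_image(ring, "203.0.113.9", {}, now=20))         # hot-link, no cookie
```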

  31. Re:referer information should be disabled by defau by jukal · · Score: 3, Informative
    One more comment to myself :) It seems the rfc2616 already covers this quite well. So the only problem is that the browser vendors have failed to follow the rfc:

    15.1.3 Encoding Sensitive Information in URI's

    Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

    Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

    Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead

  32. How is that any good? by Wakko+Warner · · Score: 3, Insightful

    Keyboard nav is much better than links (use numbered links with "G," as in "25g" takes you to - but doesn't follow - link/text entry box #25 on the screen, etc.).

    So, you mean you sit there and count how many links are on a page, then figure out where on the page #25 is, and then type all that in to go to it, instead of just scrolling down and clicking or something similar? How incredibly stone-age.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"