Slashdot Mirror


Spam Through HTTP Referrer Logs

Max Romantschuk writes "This morning while doing my usual log review of reader activity on my weblog, I discovered some rather strange sites, porn sites, which were linking to me. Closer inspection revealed that they weren't linking to me at all, but that someone had falsified the HTTP referrer header to inject the links into my logs." (Read more below.)

Max Romantschuk continues: "It took a moment to realize what was going on, but then it dawned on me, I was being spammed through my referrer logs! A quick Google search on the words "referrer spam" confirmed my suspicions, this was indeed a widespread practice, and not new at all. In fact, Wired had an article on the subject dating almost a year back. It turns out the spammers aren't after blog authors, but what they are actually doing is targeting people who publish their referrer logs on their sites automatically. Fortunately, I don't.

I run a very small site, and get about 20 to 50 visits a day, and I don't publish my logs. Not exactly a likely target, am I? Clearly these spammers seem to do this in volume, and the phenomenon is bound to increase as email spamming is becoming increasingly hard. With email spam, IM spam, Windows Messaging spam (NET SEND popups) and HTTP referrer spam, how long will it take until every open technology has to be locked down? I hate to say it, but I doubt Wikis and similar systems will stay open for very long if things keep going in this direction."

17 of 52 comments

  1. The idea behind a Wiki by jjshoe · · Score: 3, Insightful

    The idea behind a Wiki is that anyone can maintain it. The more people that are maintaining something (Linux), the more people there are to remove nasties. In this case the nasties just happen to be spam. As long as copies of the Wiki are kept after every N changes all should be good, just in case a spammer deletes everything...

    --
    -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
    1. Re:The idea behind a Wiki by cfradenburg · · Score: 2, Interesting

      Due to the fact that anyone can maintain it spammers can add and change it. Now, can any number of people find and delete spam in a Wiki faster than however many bots the spammers decide to throw at it?

    2. Re:The idea behind a Wiki by RyoSaeba · · Score: 2, Informative
      I'm contributing to Wikipedia, and we have some ways to deal with vandalism. We weren't (yet!) victims of determined spammers with bots, so it's theoretical, but here are things we can use:
      • first, all changes appear in a special page, so anyone can see them, and switch back to a previous version in history. Anyone can in one click see differences with the previous version
      • all contributions of users (anonymous or not) are easily viewable by anyone, thus cleaning after finding a spammer is made easier
      • sysops (contributors with some maintenance rights) can revert last changes of anonymous users in a few clicks
      • sysops can delete pages (to clear new pages created by bots, in this case)
      • sysops can block IPs if needed, preventing the editing of pages from those IPs
      • sysops can also block usernames
      • sysops can protect pages, preventing any editing (to protect main page for instance, in case of repeated vandalism)
      • worst case, a filter can be added to the computer's firewall settings.

      And, given the number of contributors and sysops, it's almost certain there's a sysop nearby at any time. Of course, if spammers attack from 50 IPs, one sysop alone will have a hard time to fight & clean the mess :)
      --
      Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
  2. Not Always Spam by Anonymous Coward · · Score: 2, Interesting
    If you snoop on people, you get what you deserve.

    Personally I don't like people tracking my referrer links. Mind your own business. If you want to see who is linking you, you can do that with google. I know people disagree, since your website is your business. But I don't like being monitored that closely.

    Maybe I'll set my referrer to goats.cx.

    BTW, this story has been seen on Slashdot before.

  3. Well, by noselasd · · Score: 2, Interesting

    Last time I asked people about this, I was told this was script kiddies
    scanning for open proxies and similar things, using some certain scripts/whatever which annoyed the logs with falsified referers.

  4. Small site? by Hell+O'World · · Score: 4, Funny


    I run a very small site, and get about 20 to 50 visits a day,
    until I posted a link to it on Slashdot.

  5. Check this link for a suggestion to stop it by Brandon+T. · · Score: 5, Informative

    I was having the same problem; getting literally thousands of hits to my site from referrers for all kinds of porn and other random domain names. I did a Google search and found this site: http://www.spywareinfo.com/articles/referer_spam/. It shows how to use mod_rewrite with Apache to block the most frequent domains. I took Mike's blacklist and created this page, which automatically creates the .htaccess file for you. The problem is that they seem to be registering tons of new domain names so it's hard to keep up a decent blacklist.

  6. Target Audience by Alethes · · Score: 2, Funny

    they are actually doing is targeting people who publish their referrer logs

    Hmmm, who reads the logs that aren't published? Geeks with no girlfriends, maybe? Sounds like a good target audience for a porn site to me.

    "Hey, why is [insert favorite porn site here] linking to my geek portal/blog? They must be a good site if they link to mine, and I can easily explain my visit to the boss!"

  7. So blank it by J_DarkElf · · Score: 2, Insightful
    Personally I don't like people tracking my referrer links. [snip] Maybe I'll set my referrer to goats.cx.


    Just leave your damn referrer blank then. I suppress the referrer through Opera everywhere, and only enable it on sites which are foolish enough to believe I want to leech their images, and on those maybe one or two sites where I know they use my referrer info for something useful.

    But don't set it to some bogus info, or you're no better than these crimina^H^H^H^H^H^H^H spammers.
    1. Re:So blank it by Anonymous Coward · · Score: 2, Informative
      4) "base" URL of the site being accessed -- ie if you were accessing http://www.yahoo.com/some/path/some/file.html the referer would be "http://www.yahoo.com/"

      privoxy can do this.
    2. Re:So blank it by Carnildo · · Score: 2, Informative

      The Proxomitron does #3 -- with the side benefit of letting me view images that people have hotlinked from Geocities and other free hosting providers.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  8. Since when by Anonymous Coward · · Score: 2, Funny

    I don't think porn sites are strange at all, in fact there are lots of them.... how silly to think of them as strange...

  9. Legality of wiki spam? by TimButterfield · · Score: 2, Interesting

    Web sites can be defaced. This is typically thought of as illegal. Does the level of security on that site affect the legality of the defacement? Just because a wiki is more easily editable than an otherwise non-secure site should not automatically allow hijacking of that site for purposes other than those intended by its owner. Would the appearance of 'specific wording' on the site make enforcement of this easier?

  10. links to resumes by displague · · Score: 2, Interesting

    I would like to know who goes around posting links to their resumes as referers to your website?

    Is it the people looking for jobs, or is it some resume posting service? I get about a half-dozen of these per month.

    --
    Marques Johansson
  11. MovableType Blogs by ceejayoz · · Score: 2, Interesting

    It's becoming a rather large problem on MovableType blogs. Apparently, the spammed referrers are usually fake blogs, that are front sites to get a porn webcam link high in Google PageRank.

    http://echo.ashpool.org/blog/305/
    http://www.idly.org/2003/11/14/porn_sites_hiding_behind_blogs.php
    http://www.jayallen.org/comment_spam/2003/11/alert_referral_spamming

    1. Re:MovableType Blogs by Dachannien · · Score: 3, Interesting

      Fortunately, Google is working on this problem.

      As for solving the issue of false referrers, why not just modify where the referrer ends up based on whether the specified referring page actually has a link to you or not. The distributed effects of zillions of bloggers all spamming the spam site with automated HTTP requests should be enough to dissuade the spammers from continuing :)

  12. Spider them before publishing log by Anm · · Score: 2, Interesting


    I would think that it would be easy enough to send a spider to the referrer page and search for the referred page. If you don't find it, delete it from the log. In fact, you wouldn't even need the spider because the link should be the exact page anyway.

    This also becomes a means to maintain the blacklists others have mentioned.

    Isn't this simple to do?
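
Editor's added example, not part of any comment above: a sketch of the link-back check proposed in comments 11.1 and 12, which keeps a referrer for publication only if the claimed referring page really links to your site. The host names, log lines and page contents are constructed, and `fetch` is a hypothetical injected callable (here a dict lookup so the code runs offline).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Combined Log Format: "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) \S+ [^"]*" \d{3} \S+ "(?P<ref>[^"]*)"')

class LinkCollector(HTMLParser):
    """Collects absolute targets of <a href=...> tags."""
    def __init__(self, base):
        super().__init__()
        self.base, self.links = base, set()
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.add(urljoin(self.base, href))

def links_back(referrer, my_host, fetch):
    """True only if the referring page really contains a link to my_host."""
    if urlsplit(referrer).scheme not in ("http", "https"):
        return False                       # never fetch file:, ftp:, ...
    parser = LinkCollector(referrer)
    parser.feed(fetch(referrer) or "")     # fetch returns page text, or None on failure
    return any(urlsplit(link).hostname == my_host for link in parser.links)

def genuine_referrers(log_lines, my_host, fetch):
    """Return external referrers from the log that pass the link-back check."""
    cache, kept = {}, []
    for line in log_lines:
        m = LOG_RE.search(line)
        ref = m["ref"] if m else "-"
        if ref in ("", "-") or urlsplit(ref).hostname == my_host:
            continue                       # no referrer, or internal navigation
        if ref not in cache:               # fetch each claimed referrer only once
            cache[ref] = links_back(ref, my_host, fetch)
        if cache[ref] and ref not in kept:
            kept.append(ref)
    return kept

# Constructed sample data (not from the thread): two pages and three log lines.
PAGES = {
    "http://friend.example/links.html": '<a href="http://blog.example/post/1">nice post</a>',
    "http://spam.example/": '<a href="/buy">buy now</a>',
}
LOG = [
    '192.0.2.1 - - [01/Jan/2004:10:00:00 +0000] "GET /post/1 HTTP/1.1" 200 512 "http://friend.example/links.html" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Jan/2004:10:00:05 +0000] "GET / HTTP/1.0" 200 900 "http://spam.example/" "Mozilla/4.0"',
    '192.0.2.9 - - [01/Jan/2004:10:00:06 +0000] "GET / HTTP/1.0" 200 900 "-" "Mozilla/4.0"',
]
print(genuine_referrers(LOG, "blog.example", PAGES.get))
```

A real `fetch` would need a short timeout, a response size limit and a block on private address ranges, since the URLs it retrieves are chosen by whoever sent the request.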