
Apache Web Server Forum

    
xurl referrer spam
how to block?
crobb305




 
Msg#: 4440570 posted 5:34 pm on Apr 13, 2012 (gmt 0)

For a few months I have been getting slammed by referrer spam using the format:
http: //83.133.124.xx/?xurl=http: //83.133.124.xx/dKF0hECx8vc7cf603d0c543052a48f3acafa625g&xref=http://example.com

I have tried denying access based on IP and CIDR, but that doesn't work.

Dozens of visits a day, two or three pageviews (homepage only), never internal pages.

Any suggestions?

 

wilderness




 
Msg#: 4440570 posted 6:07 pm on Apr 13, 2012 (gmt 0)

http: //83.133.124.xx/?xurl=http: //83.133.124.xx/dKF0hECx8vc7cf603d0c543052a48f3acafa625g&xref=http://example.com


Is this the actual (modified for this forum) raw log refer?
OR
is this the requested page?

If the aforementioned?
Please keep in mind that denials via referral are less than ideal, although useful.
Also keep in mind that denying access will NOT prevent the request from appearing in your raw logs.

One method
#keep_out or whatever name you use. Requires use of env=.
#Any of these will work
SetEnvIfNoCase Referer example keep_out
SetEnvIfNoCase Referer xurl keep_out
SetEnvIfNoCase Referer 83 keep_out
SetEnvIfNoCase Referer 133 keep_out
#deny any request that set keep_out (Apache 2.2 access syntax)
Order Allow,Deny
Allow from all
Deny from env=keep_out

Another method in mod_rewrite
#note: only needed if the engine is not already on
RewriteEngine on
#contains any of these, then deny access
#note the missing [OR] on last RewriteCond line is REQUIRED
RewriteCond %{HTTP_REFERER} example [OR]
RewriteCond %{HTTP_REFERER} xurl [OR]
RewriteCond %{HTTP_REFERER} 83 [OR]
RewriteCond %{HTTP_REFERER} 133
RewriteRule .* - [F]

incrediBILL




 
Msg#: 4440570 posted 7:34 pm on Apr 13, 2012 (gmt 0)

That looks more like either a URL redirect or an exploit hack attempt, maybe Trojan.Downloader.Agent, but hardly referrer spam.

crobb305




 
Msg#: 4440570 posted 7:50 pm on Apr 13, 2012 (gmt 0)

Yes I guess I used the wrong phrase. It is indeed a URL redirect (the "example.com" at the end is my domain), just looks like spam in my logs. I am trying to deny access. They are Russian/German IPs. Not sure what their purpose is (hack attempt, etc). Thank you for the tips wilderness.

wilderness




 
Msg#: 4440570 posted 7:59 pm on Apr 13, 2012 (gmt 0)

Are they coming from the 192 Class A?
I get 10-12 visits daily requesting the same page, with 2-6 attempts in succession per visit.
They all include spam refers with ru domains.

Everybody else is getting them also, if that's any comfort.

lucy24




 
Msg#: 4440570 posted 2:56 am on Apr 14, 2012 (gmt 0)

I feel left out. I get Ukrainians from 92, 95 and 193 but nobody in particular from 192.

Referer blocks can be a useful backup if they suddenly switch IPs on you.

:: shuffling papers ::

# TLD must be followed by "/" or the end of the referer
RewriteCond %{HTTP_REFERER} \.(trafficfaker\.com|su|mobi)(/|$) [NC]
RewriteRule (\.html|/)$ - [F]

RewriteCond %{HTTP_REFERER} yandsearch\?text=(www\.)?example\.com
RewriteRule (\.html|/)$ - [F]

# .ru/.ua referers are blocked unless they also contain google. or yandex.
RewriteCond %{HTTP_REFERER} \.(ru|ua)(/|$) [NC]
RewriteCond %{HTTP_REFERER} !(google|yandex)\.
RewriteRule (\.html|/)$ - [F]

RewriteCond %{HTTP_REFERER} fun/AlonzoMelissa\.html
RewriteRule fun/AlonzoMelissa\.html - [F]

They have to be in that order so the right ones get caught at the right time. I have tried and failed to find a construction that covers auto-referers globally, so I have blocks for a couple of specific pages that seem to be especially attractive to robots.

The second Rule is for the case where a robot-- probably Ukrainian-- puts in a bogus yandsearch referer giving only your domain name. (Yes, I get bona fide humans from Yandex.)

btherl




 
Msg#: 4440570 posted 3:34 am on Jul 4, 2012 (gmt 0)

I block this one by referrer, there's just no other way. It appears to be related to this:

[sub0day.com...]

Sometimes there's an ip address, sometimes a hostname. Since it's a botnet the IP changes constantly.

mihomes




 
Msg#: 4440570 posted 11:44 pm on Jul 19, 2012 (gmt 0)

Would this be suitable to deny any links with xurl or xref?

RewriteCond %{HTTP_REFERER} xurl [OR]
RewriteCond %{HTTP_REFERER} xref
RewriteRule .* - [F]

I realize the last line sends a 403 forbidden... is this the best way? I also am seeing these for many of my sites and would like to prevent it as much as possible assuming none of these are legit in any way, which they do not seem to be.

lucy24




 
Msg#: 4440570 posted 6:40 am on Jul 20, 2012 (gmt 0)

Yes, well, you do want to block them don't you? I hope you are not worried about hurting their feelings ;)

Try to avoid the [OR] construction in RewriteConds. Sometimes it does the opposite of what you intended. And sometimes there's a shorter easier way, as in

RewriteCond %{HTTP_REFERER} x(url|ref)

I generally constrain Rewrite blocks to requests for pages, so the server doesn't have to take that extra hiccup every single time. Robots don't usually walk in off the street and start asking for stylesheets.

That's where you get the
(\.html|/)$
above. Substitute your own extension, of course. And you may need some further tweaking if they're asking for your top-level Index page.
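
Added example (not part of any post in this thread): a Python check that scores the referer patterns discussed above against constructed combined-format log lines, counting spam requests caught and legitimate requests that would be blocked. The sample lines, their hosts and the tightened `[?&]x(url|ref)=` pattern are assumptions for illustration; Python's `re` stands in for Apache's PCRE, which handles these simple patterns the same way.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Unanchored patterns, searched the way RewriteCond searches %{HTTP_REFERER}.
PATTERNS = {
    "83": re.compile(r"83"),                            # from the thread
    "x(url|ref)": re.compile(r"x(url|ref)"),            # from the thread
    "[?&]x(url|ref)=": re.compile(r"[?&]x(url|ref)="),  # tightened variant (assumption)
}

def log_line(ip, referer):
    """Build one constructed combined-format line for a homepage request."""
    return (f'{ip} - - [13/Apr/2012:17:34:00 +0000] "GET / HTTP/1.1" 200 5120 '
            f'"{referer}" "Mozilla/4.0"')

# Constructed sample: (is_spam, line). IPs and hosts are documentation values.
SAMPLE = [
    (True, log_line("192.0.2.10",
        "http://203.0.113.5/?xurl=http://203.0.113.5/aB3&xref=http://example.com")),
    (True, log_line("198.51.100.7",
        "http://bad.example.net/?xurl=http://bad.example.net/zz9&xref=http://example.com")),
    (False, log_line("192.0.2.44", "http://forum.example.org/viewtopic.php?t=8312")),
    (False, log_line("198.51.100.20", "http://docs.example.org/xref/index.html")),
    (False, log_line("203.0.113.9", "-")),
]

def score(sample=SAMPLE):
    """Return {pattern: (spam_caught, legit_blocked)} over labelled log lines."""
    counts = {name: [0, 0] for name in PATTERNS}
    for is_spam, line in sample:
        m = COMBINED.match(line)
        if m is None:
            continue  # not a combined-format line
        for name, rx in PATTERNS.items():
            if rx.search(m["referer"]):
                counts[name][0 if is_spam else 1] += 1
    return {name: tuple(c) for name, c in counts.items()}

def flagged_ips(lines, pattern):
    """Count requests per client IP whose referer matches the pattern."""
    hits = (COMBINED.match(l) for l in lines)
    return Counter(m["ip"] for m in hits if m and pattern.search(m["referer"]))

if __name__ == "__main__":
    for name, (caught, blocked) in score().items():
        print(f"{name:18} spam caught={caught} legit blocked={blocked}")
```

Running the same scoring over a day of real access-log lines before enabling a rule shows how many ordinary visitors a short pattern such as a bare number would have turned away.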

mihomes




 
Msg#: 4440570 posted 7:02 am on Jul 20, 2012 (gmt 0)

In the particular case I am talking about they are asking for the top level domain - no extension... the way I figure it I will never be using xurl or xref on the site so I can simply use the 'RewriteRule .* - [F]' for anything that contains either or... sounds good to me.

