Log Spam

         

Constantin

11:28 pm on Jan 20, 2004 (gmt 0)

10+ Year Member



I noticed the following referral entry in my log file...

www.example.com/cgi-bin/topsecret.cgi?XXXXX

where the XXX is a list of numbers they presumably use to see which log spam made it through. With shields up and phaser set to kill, I decided to investigate: The referral goes to yet another generic "increase your traffic now!" web site.

Whatever.

On the other hand, how many other folks here have seen this?

[edited by: Brett_Tabke at 11:30 pm (utc) on Jan. 20, 2004]

Brett_Tabke

11:30 pm on Jan 20, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



We get over 200 bogus referral log entries a day.

There is nothing new here.

Constantin

11:49 pm on Jan 20, 2004 (gmt 0)

10+ Year Member



Hi Brett,

It was new to me... and a search of SE World showed no entry for the offending site (I should have guessed you would edit those out) or the cgi program in use. It was the first time I have been hit... 14 times for this month alone. Cheers!

bull

7:45 am on Jan 22, 2004 (gmt 0)

10+ Year Member



If you are listed in DMOZ, the amount of logspam will be noticeably higher. This is indeed nothing new, but it is a pain to filter those out in order to get the unique visitor number.

pendanticist

3:41 pm on Jan 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I first saw this particular log spammer several months ago and I've been very interested in adjusting my .htaccess to send them back to their own ISP. Let them log spam someone who will be better equipped to rid us of these scourges.

I see Brett has 'examplified' the original URL and that is best for liability's sake.

Think of it this way:

The Best of the Example is a legitimate site.

The Best of Example is not.

My site is very family friendly and the looked very much like a site that had fallen, only to be resurrected as a porno page, and caused me some consternation until I realized this was log spamming.

As for 200 a day. <phew!> Considering I get anywhere from 40-74 in the same period of time ( and considering the size/traffic differences between our sites ), take it from me, they're leavin you alone!

  • I get one-line drops.

  • I get one fool who drops twenty-thirty at a pop.

  • One even interlaces two URLS in the same log spam attack.

  • Another one shows their referral as coming from a site and dropping one in the Get line.

    Yep, with someone's help, I'm gonna figure out a way to send these folks back to the IP they're sending from....hint, hint

  • I have to agree with the potential future increases in this activity, but burying our heads in the sand will have little impact on these idiots as they get paid by the log entry. Roughly 8 cents apiece, I believe.

  • They get paid whether we ban them or let them run free.

  • Everyone gets the opportunity to make money off of us before we even have that chance ourselves.

  • It is still our bandwidth that is being stolen.

    I don't even have my stats pages viewable, but the person paying for the log spamming isn't going to know that. I can see the potential for fraud there.

  • We (collectively speaking) have had to make radical adjustments in how we handle UCE/spammers.

  • We've had to protect our machines from hackers and the like.

    When are we going to take similar measures to protect ourselves against this inane practice?

    All I see is lip-service and folks who say "Don't worry 'bout it". Yeah, well I especially worry when they tell me not to.......

    Constantin

    12:16 pm on Mar 7, 2004 (gmt 0)

    10+ Year Member



    For what it's worth, this particular miscreant comes exclusively from 194.X28.211.203. This makes banning them by IP number all the easier. Now all they get is 403s from my site. If anyone has other IPs to add, I'm all ears.

    <gets on the soap-box>

    What I worry about is the future. Considering how easy it is to completely spoof IP packets on Windows XP machines, the continued insecurity of the MS Windows OS, and the spreading practice of building armies of zombies for DDOS or DRDOS attacks, it's only a matter of time before folks who want to promote their pathetic promotion sites start using the same tactics (i.e. a big bunch of compromised machines) as the spammers and virus writers.

    Sorting the stuff out then will not only be a lot harder, but a lot more aggravating as well. As Mr. Gibson at www.grc.com points out, ISPs could reduce the amount of spoofed IP traffic simply by not allowing malformed packets to escape from their networks. This is a functionality built into their routers, a one-liner turns it on. But ISPs don't care because no one has successfully taken them to court yet for being negligent operators.

    Never mind the "prosecution" of folks, as Mr. Gibson points out, the big ISPs simply don't give a flying hoot about abuse. Yeah, we all get auto-generated replies to our Abuse queries, but the only folks to reply with follow-on results to my (typically formmail-related) abuse letters were Hotmail (!), a small ISP in Latvia, and some folks in Norway who tried to convince me that their clueless user wasn't using FrontPage to hack my site. Hundreds of other abuse-related letters are probably for the birds.

    I guess what I'm hoping for is some tighter legislation with respect to ISP operations, considering how important their role in our society has become. Something along the lines of disconnecting machines that are packet storming, not allowing malformed packets to escape their network, and requiring *honest* follow-up to ALL abuse reports.

    <gets off the soap-box>

    Thanks for listening.

    [edited by: DaveAtIFG at 11:41 pm (utc) on Mar. 7, 2004]
    [edit reason] Obscured IP [/edit]

    bird

    1:45 pm on Mar 8, 2004 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    Yep, with someone's help, I'm gonna figure out a way to send these folks back to the IP they're sending from

    No you won't.

    Those scripts simply ignore anything you return to them. They don't care if you show them a 200, 403, 301, or whatever, they'll get their entry in your log in any case. And they certainly won't follow redirects.

    Your only recourse is to ignore the garbage.

    cgrantski

    3:42 pm on Mar 8, 2004 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    I'm confused. Could somebody briefly explain whether we're talking about site traffic logs or some other kind of logs? I see a lot of references to blogs and am wondering if they have their own kind of log, perhaps a public one?

    Dreamquick

    4:18 pm on Mar 8, 2004 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    This thread is about website traffic logs, specifically the referer field/header being spoofed with inaccurate data.

    Blogs can be spammed but it's more obvious when this happens because they tend to push a lot more spammable content into the site rather than leave it hidden (for example lists of referring sites as well as comments and feedback).

    Either way they are really just mining for free publicity and/or backlinks.

    - Tony
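Added example, not part of any post in this thread: a filter for the unique-visitor problem raised above, which flags clients that repeat a single external referer without ever loading a page asset and then drops them from the visitor count. The log lines are constructed (documentation IP ranges and example domains); `www.mysite.example`, the `min_hits` threshold and the asset heuristic are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')
ASSET_RE = re.compile(r'\.(css|js|gif|jpe?g|png|ico)(\?|$)', re.I)

# Constructed sample log: two spam clients, two ordinary visitors.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Jan/2004:23:01:10 +0000] "GET / HTTP/1.0" 403 210 "http://spam.example.net/cgi-bin/topsecret.cgi?1234" "Mozilla/4.0"
198.51.100.7 - - [20/Jan/2004:23:01:11 +0000] "GET / HTTP/1.0" 403 210 "http://spam.example.net/cgi-bin/topsecret.cgi?1235" "Mozilla/4.0"
203.0.113.9 - - [20/Jan/2004:23:02:00 +0000] "GET /page.html HTTP/1.1" 200 5120 "http://search.example.org/?q=widgets" "Mozilla/5.0"
203.0.113.9 - - [20/Jan/2004:23:02:01 +0000] "GET /style.css HTTP/1.1" 200 900 "http://www.mysite.example/page.html" "Mozilla/5.0"
192.0.2.44 - - [20/Jan/2004:23:05:00 +0000] "GET /page.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Jan/2004:23:05:01 +0000] "GET /logo.gif HTTP/1.1" 200 3100 "http://www.mysite.example/page.html" "Mozilla/5.0"
198.51.100.23 - - [20/Jan/2004:23:09:00 +0000] "GET / HTTP/1.0" 200 4000 "http://spam.example.net/cgi-bin/topsecret.cgi?1240" "Mozilla/4.0"
"""

def analyse(log_text, own_host, min_hits=2):
    """Return (visitor_ips, spam_ips, spam_referer_hosts) for a combined-format log."""
    hits = defaultdict(list)                      # ip -> [(path, referer_host)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            host = urlsplit(m["referer"]).hostname or ""
            hits[m["ip"]].append((m["path"], host))
    spam_ips, spam_hosts = set(), set()
    for ip, reqs in hits.items():
        external = {h for _, h in reqs if h and h != own_host}
        fetched_asset = any(ASSET_RE.search(p) for p, _ in reqs)
        # Heuristic (assumption): a browser following a real link also loads
        # page assets; a log-spam script repeats one referer and loads nothing.
        if len(reqs) >= min_hits and len(external) == 1 and not fetched_asset:
            spam_ips.add(ip)
            spam_hosts |= external
    # Second pass: one-line drops that reuse an already flagged referer host.
    for ip, reqs in hits.items():
        if any(h in spam_hosts for _, h in reqs):
            spam_ips.add(ip)
    return set(hits) - spam_ips, spam_ips, spam_hosts

if __name__ == "__main__":
    visitors, spam_ips, spam_hosts = analyse(SAMPLE_LOG, "www.mysite.example")
    print(len(visitors), "unique visitors;", sorted(spam_ips), sorted(spam_hosts))
```

The filter works on the log after the fact, so it does not depend on what status code the spam script was served; a one-line drop from a referer host that was never flagged in a burst still passes through.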