I've heard rumor that a "logspam honeynet" has been set up by disgruntled webmasters tired of "hits" from texas-blackjack-viagra-widget.com/tamiflu-longhand-poker and the like, which detects "genuine" referer spam and uses zombie nets to launch automated, massive DoS attacks against the offending sites.

Yes Zcat, this is true. I have reported a number of spammers to this service - and it seems to work because the log spamming has dropped off to almost zero.

If you guys are being serious then DDOSing would be a very sily thing to do for a webmaster as it is way more serious than just referral spaming

- probably involve law enforcement for one thing.

Why not simply password logs for example.

Hi, I am looking at some software which places hits in a web site's referral logs.

What's the advantage for the spammer here?

The awstat logs are spiderable so you get a back link, provided it is not overused - that is the main thing.

Just wanted to know if this type of thing still works or is it old hat now?

get real content or get life.

Why not simply password logs for example.

Logfile spam affects webmasters who don't even publish their logs.

I have never published mine, and the spam is a real pain.

I have noticed it drop completely in the last few days though. Interesting ;-)

TJ

The awstat logs are spiderable

Mine are in password protected directories and hopefully not spiderable. I put my install in cgi-bin and set it up to show raw server log.

I have returned to this forum after about a year (had to re-register) specifically over this issue - as my favorite but humble little site is exceeding it's 5 GIGAbyte bandwidth!

I've no idea how they're sucking up bandwidth exactly but looking through the stats I find thousands of spam 'referrals' by pages that have nothing resembling a link to my site.

Can't even understand why they're doing this? The month has only just started and already I'm getting emails warning me I'm about to exceed the 5 gig limit - this on a site that has only 30 members, none of them heavy users?

Is it anything to do with the hosting company? I've found them to be pretty awful in most respects and am seriously considering changing but if this is hitting the domain then a change of host isn't going to make much difference?

?

I have already lost members as they, quite rightfully, say they cannot access their services.

W.

I use Awstats and it is password protected. I still get thousands of these entries every week. It makes the "refering sites" part of awstats totaly useless to me. Quite an importaint feature that has been wasted!

Anyone have a solution to prevent log spam that works well?

Mack.

Hi, I am looking at some software which places hits in a web site's referral logs.

Any thoughts?

Yeah, here's a thought - why don't you keep your stinking spam out of my logfiles? And if I ever meet you in a dark alley, you should run as fast as you can.

Anyone have a solution to prevent log spam that works well?

I would love to know a solution as well - logspam is more than annoying - it's totally polluting things. Referrals in analyzers are now half-useless.

I use Awstats and it is password protected

Just curious is this the install done by your host or one that you did?

Also can someone give an example of what the log spam would look like in your log file?

Well I'm not sure about posting such urls but my stats look summat like this:

Links from an external page (other web sites except search engines)
Total: 326 different pages-url Pages Percent Hits Percent
[example(A).com...] 5809 4.9 % 5809 4.9 %
[example(B).com...] 5721 4.8 % 5721 4.8 %
[example(C).com...] 3863 3.2 % 3863 3.2 %
[example(D).com...] 3266 2.7 % 3266 2.7 %
[example(E).com...] 3266 2.7 % 3266 2.7 %
[example(F).com...] 3261 2.7 % 3261 2.7 %

etc etc etc.

Awstats has an "unresolved IP" thingy, so what i have just done, a moment ago, is used the "IP deny manager" of Cpanel and have put the top 6 IP addresses as banned. I'm not sure if that will make any difference or not but I note one of them had, in the last 5 days, used over 135 megabyte of bandwidth. I blocked the rest down to those using more than 40 megabyte. I've no doubt many, maybe all, of the list using 30, 20 even 10 megabyte are spam but don't want to risk banning an actual member.

W.

[edited by: Receptional at 1:51 pm (utc) on Nov. 7, 2005]
[edit reason] examplified URLs [/edit]

Wiggly: You are giving lines from awstats summary page but could you give the corresponding lines from the actual server log?

You can edit the URLs to say something else but those will probably have to go.

etrader, I hate you for even considering logfile spamming (which is a real pain for me and other webmasters), and I hope that someone punishes you severely if you attempt to do it.

Hi,

Sorry for the urls and I doubt the log-file will help much.

I have since had the site closed down as it twice crashed the (shared) server. In my case it appears the phpBB forum software was infected with some virus-thingy and sending huge volumes of spam, hence the ludicrous bandwidth issues.

As the forum was, at considerable expense, customised to fully intergrate with the rest of the site including direct links to people's blogs, full profiles and master control screen, it was not possible to simply patch the exploit issue.

I have had no choice but to delete the entire forum, losing every post of every member. Naturally, due to the in-depth intergration, doing so has now screwed up aspects of the rest of the site.

I JUST REALLY LOVE SPAMMERS!

Not.

W.

Dont mean to sound stupid or anything but what exactly is refferal log spamming?

When a user clicks on a link that takes them to another page, one of the fields it can send as part of the request header for the new page is the URL of that page.
What Referral log spaming is sending requests to a server where the referrer is set to a page which has no links to the page being requested.
In both cases these URL's end up in the server logs of the site of which the request is being made.
So why do they want to have URL's in your log? Because some peoples logs or summary stats created from those are visible to the general public and therefore also search engine spiders/bots, which gives the Referral log spammer inbound links.

If you do use log spam don't use it on a domain you care about. That is a good way to get a site banned in Google.

etrader:

Have you considered spamming guest-books? Its a lot safer.
If you offend webmasters you are just asking for trouble.
Anybody dumb enough to leave guest-books open is much less likely to raise a fuss.
Neither one will do any good, but guestbooks seem safer to me.

"Hi! Love your site about Belgian Waffles. I'll bet you didn't know that the best Viagra in town comes from Aruba, not to mention the casino and hot penny stocks all available at my tourism site www.yechbarf.com "

Can someone please post or link to a mod rewrite script or similar that can block every site with the word "phentermine" or "buy" in it from accessing my site?

A blacklist of sites like this would cut them out.

Doing a mod rewrite won't do anything, as they will still appear in your log files. If you want to stop even seeing these entries in your log file you would have to block them before this point, like at a firewall with filtering enabled.

Currently most of the spam I'm getting seems to be from one or two IP addresses. Is there any simple way of bouncing/blocking specific IP addresses rather than domain names through .htaccess? My bandwidth is being gobbled up by these guys!

If just a couple of IPs you should be able to do it from your hosting control panel.

If your host uses 'Cpanel' you should see an icon marked 'IP deny manager'

W.

If you guys are being serious then DDOSing would be a very sily thing to do for a webmaster as it is way more serious than just referral spaming

I don't think you appreciate the effect log spamming can have on a site. Spamming logs IS a DOS attack. It might not be critical for a web site, but it could affect a site's performace.

Spend your money on some business cards - they'll be more effective.