xurl referrer spam

how to block?

     

crobb305

5:34 pm on Apr 13, 2012 (gmt 0)




For a few months I have been getting slammed by referrer spam using the format:
http: //83.133.124.xx/?xurl=http: //83.133.124.xx/dKF0hECx8vc7cf603d0c543052a48f3acafa625g&xref=http://example.com

I have tried denying access based on IP and CIDR, but that doesn't work.

Dozens of visits a day, two or three pageviews (homepage only), never internal pages.

Any suggestions?

wilderness

6:07 pm on Apr 13, 2012 (gmt 0)




http: //83.133.124.xx/?xurl=http: //83.133.124.xx/dKF0hECx8vc7cf603d0c543052a48f3acafa625g&xref=http://example.com


Is this the actual (modified for this forum) raw log refer?
OR
is this the requested page?

If the aforementioned?
Please keep in mind that denials via referral are less than ideal, although useful.
Also keep in mind that denying access will NOT prevent the request from appearing in your raw logs.

One method
#keep_out or whatever name you use. Requires use of env=.
#Any of these will work
SetEnvIfNoCase Referer example keep_out
SetEnvIfNoCase Referer xurl keep_out
SetEnvIfNoCase Referer 83 keep_out
SetEnvIfNoCase Referer 133 keep_out

Another method in mod_rewrite
#note: only needed if not already on
RewriteEngine on
#contains any of these, then deny access
#note the missing [OR] on last RewriteCond line is REQUIRED
RewriteCond %{HTTP_REFERER} example [OR]
RewriteCond %{HTTP_REFERER} xurl [OR]
RewriteCond %{HTTP_REFERER} 83 [OR]
RewriteCond %{HTTP_REFERER} 133
RewriteRule .* - [F]

incrediBILL

7:34 pm on Apr 13, 2012 (gmt 0)




That looks more like either a URL redirect or an exploit hack attempt, maybe Trojan.Downloader.Agent, but hardly referrer spam.

crobb305

7:50 pm on Apr 13, 2012 (gmt 0)




Yes I guess I used the wrong phrase. It is indeed a URL redirect (the "example.com" at the end is my domain), just looks like spam in my logs. I am trying to deny access. They are Russian/German IPs. Not sure what their purpose is (hack attempt, etc). Thank you for the tips wilderness.

wilderness

7:59 pm on Apr 13, 2012 (gmt 0)




Are they coming from the 192 Class A?
I get 10-12 visits daily requesting the same page, with 2-6 attempts in succession per visit.
They all include spam refers with ru domains.

Everybody else is getting them also, if that's any comfort.

lucy24

2:56 am on Apr 14, 2012 (gmt 0)




I feel left out. I get Ukrainians from 92, 95 and 193 but nobody in particular from 192.

Referer blocks can be a useful backup if they suddenly switch IPs on you.

:: shuffling papers ::

RewriteCond %{HTTP_REFERER} \.(trafficfaker\.com|su|mobi)(/|$) [NC]
RewriteRule (\.html|/)$ - [F]

RewriteCond %{HTTP_REFERER} yandsearch\?text=(www\.)?example\.com
RewriteRule (\.html|/)$ - [F]

RewriteCond %{HTTP_REFERER} \.(ru|ua)(/|$) [NC]
RewriteCond %{HTTP_REFERER} !(google|yandex)\.
RewriteRule (\.html|/)$ - [F]

RewriteCond %{HTTP_REFERER} fun/AlonzoMelissa\.html
RewriteRule fun/AlonzoMelissa\.html - [F]

They have to be in that order so the right ones get caught at the right time. I have tried and failed to find a construction that covers auto-referers globally, so I have blocks for a couple of specific pages that seem to be especially attractive to robots.

The second Rule is for the case where a robot-- probably Ukrainian-- puts in a bogus yandsearch referer giving only your domain name. (Yes, I get bona fide humans from Yandex.)

btherl

3:34 am on Jul 4, 2012 (gmt 0)




I block this one by referrer, there's just no other way. It appears to be related to this:

[sub0day.com...]

Sometimes there's an ip address, sometimes a hostname. Since it's a botnet the IP changes constantly.

mihomes

11:44 pm on Jul 19, 2012 (gmt 0)




Would this be suitable to deny any links with xurl or xref?

RewriteCond %{HTTP_REFERER} xurl [OR]
RewriteCond %{HTTP_REFERER} xref
RewriteRule .* - [F]

I realize the last line sends a 403 forbidden... is this the best way? I also am seeing these for many of my sites and would like to prevent it as much as possible assuming none of these are legit in any way, which they do not seem to be.

lucy24

6:40 am on Jul 20, 2012 (gmt 0)




Yes, well, you do want to block them don't you? I hope you are not worried about hurting their feelings ;)

Try to avoid the [OR] construction in RewriteConds. Sometimes it does the opposite of what you intended. And sometimes there's a shorter easier way, as in

%{HTTP_REFERER} x(url|ref)

I generally constrain Rewrite blocks to requests for pages, so the server doesn't have to take that extra hiccup every single time. Robots don't usually walk in off the street and start asking for stylesheets.

That's where you get the
(\.html|/)$
above. Substitute your own extension, of course. And you may need some further tweaking if they're asking for your top-level Index page.
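
Added example (not code from any post in this thread): a small Python check that scores the Referer patterns suggested above against a constructed combined-format log, counting how many spam requests each one catches and how many legitimate visitors it would also 403. The sample lines, the `TOKEN` placeholder, the hostnames and the tighter `[?&]x(url|ref)=` pattern are assumptions made for illustration; Python's `re` stands in for Apache's regex engine, which behaves the same for patterns this simple.

```python
import re

# Apache combined log format; only the quoted Referer field is tested.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# The first three patterns come from the posts above; the last is a tighter
# variant added here (assumption): xurl/xref only as a query-string parameter.
PATTERNS = ["83", "133", "x(url|ref)", "[?&]x(url|ref)="]

def line(ip, referer):
    """Build one constructed log line for a homepage request."""
    return (f'{ip} - - [13/Apr/2012:17:34:00 +0000] "GET / HTTP/1.1" '
            f'200 5120 "{referer}" "Mozilla/4.0"')

# Constructed sample: (is_spam, log line). Client IPs are documentation ranges.
SAMPLE = [
    # Spam referer in the format quoted in the thread (token replaced).
    (True, line("203.0.113.5", "http://83.133.124.xx/?xurl=http://83.133.124.xx/TOKEN&xref=http://example.com")),
    # Same format with a hostname instead of an IP, as one poster reports.
    (True, line("203.0.113.9", "http://bot-host.invalid/?xurl=http://bot-host.invalid/TOKEN&xref=http://example.com")),
    # Legitimate visitors whose referers happen to contain the short patterns.
    (False, line("198.51.100.20", "http://www.google.com/search?q=route+83+map")),
    (False, line("198.51.100.21", "http://forum.example.net/viewtopic.php?t=1337")),
    (False, line("198.51.100.22", "http://docs.example.org/latex/xref-guide.html")),
    (False, line("198.51.100.23", "-")),
]

def score(pattern, sample=SAMPLE):
    """Return (spam lines caught, legitimate lines blocked) for one Referer regex."""
    rx = re.compile(pattern)
    caught = blocked = 0
    for is_spam, entry in sample:
        m = LOG_RE.match(entry)
        # RewriteCond patterns are unanchored, hence search() rather than match().
        if not m or not rx.search(m.group("referer")):
            continue
        if is_spam:
            caught += 1
        else:
            blocked += 1
    return caught, blocked

if __name__ == "__main__":
    for p in PATTERNS:
        caught, blocked = score(p)
        print(f"{p:18} spam caught: {caught}/2   legitimate blocked: {blocked}")
```

Replacing `SAMPLE` with lines from a real access log, labelled by hand, gives the same comparison for a site's own traffic before a rule goes live.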

mihomes

7:02 am on Jul 20, 2012 (gmt 0)




In the particular case I am talking about they are asking for the top level domain - no extension... the way I figure it I will never be using xurl or xref on the site so I can simply use the 'RewriteRule .* - [F]' for anything that contains either or... sounds good to me.

