Innoculation For Viral Marketers

carfac

4:13 pm on May 6, 2006 (gmt 0)

Jim, Brett, et al.:

I've been using this site for a long time, and learned a lot. My sites are far better because of it. Time for some payback...

Recently, one of my sites has just been rocked by viral marketers. Not my biggest or most popular, nor does it post any referral log or anything, so I am not sure why it was targeted. But hey, no one ever claimed spammers were geniuses, either! Persistent, yes, but not geniuses. Anyway, I was getting hundreds of hits a day, and it made me mad- so to action!

The IPs are from all over, and usually only 3-5 hits per IP per day, so IP bans would not work. At least, not well. I started analyzing things, and the closest thing I could get to a pattern was the site names they were trying to set in my referral log. So I figured out this way to attack back! I made a list of keywords I found being used over and over- Poker, Casino, Mortgage, etc.- and thought I would use that to key in on the spammers.

First, this is set up for my system, which is FreeBSD/Apache. I would assume with a slight mod, this should work well for most *Nix servers, but I am not an expert there (heck, I can barely run my FreeBSD server!) Anyway, you will need mod_rewrite (which I THINK excludes MS servers...). To make this work REALLY well, you should be using "ipfw"- a firewall that is part of FreeBSD. You will also need a "Honey Pot" script up and running. There is none better than the one Key_Master posted in 2001 on this very forum- see:

[webmasterworld.com...]

This is a good script to run on your server anyway, so grab it, install it, and tune it to your needs!

Now, once that is working, we need to mess with our httpd.conf file. Here is the mod I added- read through this and make SURE there are no words that may match ANYTHING on your server! You will ban everyone if you do. Also, if you happen to have a lot of traffic from a site with one of the included words- say "blogspot.com"- you may want to delete that from this. Anyway, here is what I have added to httpd.conf:

# Added to httpd.conf (server context), so the rewrite engine has to be switched on here.
RewriteEngine On
# Any request whose Referer header contains one of these keywords (NC = case-insensitive;
# OR chains the conditions together) ...
RewriteCond %{HTTP_REFERER} (credit-card|24x7|poker|pharmacy|credit.com|-mortgage|mortgage-|-loans|loans-) [NC,OR]
RewriteCond %{HTTP_REFERER} (-poker|poker-|slot-machine|blackjack|roulette|online-casino|online-poker|blogspot) [NC,OR]
RewriteCond %{HTTP_REFERER} (-insurance|insurance-|credit-|-credit|-cheap|cheap-|texas-hold|casino-|-casino|debt-) [NC,OR]
RewriteCond %{HTTP_REFERER} (-debt|-hotel|hotel-|paydayloan|-party|party-|-mortgage|mortgage-|-finance|finance-) [NC,OR]
RewriteCond %{HTTP_REFERER} (cheap-|affiliate-marketing|clicbnk.com|hotels-|viagra|cialis) [NC]
# ... is handed to the honey-pot script instead of the page it asked for.
RewriteRule ^/.* /cgi-bin/trap.pl [NC,PT,L]

REMEMBER: this board changes vertical lines into vertical dashed lines (¦). ALL of these must be changed for this to work!

Now, restart Apache, and start watching your .htaccess file. Run a grep on any returned IPs in your access log, and make sure the bans are correct. You may need to adjust some of the match-words for your site.

Now, an addition I made to this was I added an extra tag in trap.pl so I could readily identify the viral marketer bans. I pulled ALL those IPs, and inserted them into ipfw. After all, hits that are banned by trap.pl still show in the logs, and we want to get rid of these bad boys, right? IPFW will make it look like your server is not even there! This has the additional benefit of protecting ALL my sites, in case they decide to move over to more sites.

I run a check on all IPs- I see them from all over. I go ahead and block the whole IP block if the hits are from a place generally considered bad- Poland, Malaysia, most of Africa, Russia, I just ban the whole block. If I see multiple hits from within an IP block, I just block the IP block, too. I am pretty merciless! I am now (just for this!) blocking 300 or so IP blocks. I am not going to post that list, you can easily make your own!

So there you go- if viral marketers from multiple IPs are bugging you, here is a way to stop them. It does take a little work, and maybe the payoff is not all that great... but I feel better now!

Best to all!

Dave

[edited by: jdMorgan at 5:51 pm (utc) on May 6, 2006]
[edit reason] Reformatted to stop side-scroll. [/edit]
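The post's procedure has two manual steps after the httpd.conf change: grep the access log for the IPs that tripped the referrer rules, then feed those IPs to ipfw. The script below is an added example (not the poster's code, and not the Key_Master honey-pot script) that replays both steps offline against constructed Apache combined-format log lines. It uses the same keyword list as the httpd.conf snippet above, with the board's "¦" restored to "|", adds an allowlist so a legitimate referrer that happens to contain one of the keywords (the post's "blogspot" caveat) is not banned, and renders standard ipfw deny rules as strings for review rather than executing them. All IP addresses, hostnames and the allowlist entry are made up for the demonstration.

```python
"""Offline replay of the referrer-spam trap: log parsing, keyword match, ipfw rules.

Constructed example. Parses Apache "combined" access log lines, applies the same
referrer keyword list the post puts in httpd.conf, aggregates matches per client IP
and renders ipfw deny rules. Sample log lines, hostnames and the allowlist are invented.
"""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

# One case-insensitive alternation, equivalent to the post's chained [NC,OR] RewriteConds.
REFERRER_SPAM = re.compile(
    r"credit-card|24x7|poker|pharmacy|credit\.com|-mortgage|mortgage-|-loans|loans-|"
    r"-poker|poker-|slot-machine|blackjack|roulette|online-casino|online-poker|blogspot|"
    r"-insurance|insurance-|credit-|-credit|-cheap|cheap-|texas-hold|casino-|-casino|debt-|"
    r"-debt|-hotel|hotel-|paydayloan|-party|party-|-finance|finance-|"
    r"affiliate-marketing|clicbnk\.com|hotels-|viagra|cialis",
    re.IGNORECASE,
)

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: a normal visitor, two referrer spammers with a few hits each,
# a legitimate site whose name contains "credit-", and one request with no referrer.
SAMPLE_LOG = """\
192.0.2.10 - - [06/May/2006:14:13:01 +0000] "GET / HTTP/1.1" 200 5120 "http://www.example.net/" "Mozilla/4.0"
198.51.100.7 - - [06/May/2006:14:13:05 +0000] "GET /index.html HTTP/1.0" 200 5120 "http://online-casino.invalid/" "Mozilla/4.0"
198.51.100.7 - - [06/May/2006:14:13:09 +0000] "GET /about.html HTTP/1.0" 200 2210 "http://texas-holdem.invalid/" "Mozilla/4.0"
203.0.113.44 - - [06/May/2006:14:14:00 +0000] "GET / HTTP/1.1" 200 5120 "http://payday-loans-fast.invalid/" "Mozilla/4.0"
192.0.2.77 - - [06/May/2006:14:15:30 +0000] "GET /rates.html HTTP/1.1" 200 3300 "http://www.credit-union.example/" "Mozilla/4.0"
192.0.2.78 - - [06/May/2006:14:16:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Constructed allowlist: referrer hosts (matched by suffix) that the keyword list would
# otherwise catch, which is the post's "blogspot.com" situation.
ALLOWED_REFERRERS = ("credit-union.example",)


def parse_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def is_spam_referrer(referer, allowlist=()):
    """True if the referrer matches the keyword list and its host is not allowlisted."""
    host = urlparse(referer).hostname or ""
    if any(host == a or host.endswith("." + a) for a in allowlist):
        return False
    return REFERRER_SPAM.search(referer) is not None


def flag_ips(text, allowlist=()):
    """Map each client IP that sent a matching referrer to its hit count and referrers."""
    found = defaultdict(lambda: {"hits": 0, "referrers": []})
    for rec in parse_log(text):
        if is_spam_referrer(rec["referer"], allowlist):
            entry = found[rec["ip"]]
            entry["hits"] += 1
            if rec["referer"] not in entry["referrers"]:
                entry["referrers"].append(rec["referer"])
    return dict(found)


def ipfw_rules(flagged, first_rule=1000, step=10):
    """Render ipfw 'deny' rules (silent drop, so the host looks absent) for flagged IPs.

    Returned as strings for review, not executed. IPs are sorted numerically so the
    same log always produces the same rule numbers.
    """
    return [
        f"ipfw add {first_rule + n * step} deny ip from {ip} to any"
        for n, ip in enumerate(sorted(flagged, key=ip_address))
    ]


if __name__ == "__main__":
    hits = flag_ips(SAMPLE_LOG, ALLOWED_REFERRERS)
    for ip, info in hits.items():
        print(f"{ip}: {info['hits']} hit(s) via {', '.join(info['referrers'])}")
    print("\n".join(ipfw_rules(hits)))
```

Running it without the allowlist flags three IPs, including the visitor who arrived from the made-up credit-union site; with the allowlist only the two spam sources remain. Reviewing that difference before adding rules is the check the post describes as "make sure the bans are correct".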