Weird referers - guestbook spammers - Website Analytics - Tracking and Logging forum at WebmasterWorld - WebmasterWorld

Forum Moderators: DixonJones

Message Too Old, No Replies

Weird referers - guestbook spammers

nafmo

2:18 pm on Apr 6, 2003 (gmt 0)

10+ Year Member

I've recently started to get a few requests with referrers like this:

(address masked).net - - [21/Mar/2003:20:38:26 +0100] "GET /guestbook/old/10.html HTTP/1.1" 200 33071 "file:///C:/Dokumente%20und%20Einstellungen/Svet/emailtool/LINK.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
(adress masked).de - - [22/Mar/2003:23:16:03 +0100] "GET /book/old/7.html HTTP/1.1" 200 19561 "file:///C:/emailtools/LINK.htm" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; X5Dys9B; yLqyCuom)"

that seem to link directly into my guestbook pages. They never go anywhere else but look at the guestbook pages. I haven't really figured out if they try to spam my guestbook, or steal addresses.

I'm currently trying to trap those, and send them on to my page explaining what I'll do to spammers, I just wondered if anyone else has been targetted by this?

Anyway, to mask the addresses in my guestbooks, I've started rewriting the entries to mAilto:name@domain.com to trap the automated spiders. This seems to work well:

(deleted).aol.com - - [21/Mar/2003:23:42:05 +0100] "GET /book/old/m%26 HTTP/1.1" 404 6164 "-" "-"
(deleted).aol.com - - [21/Mar/2003:23:42:14 +0100] "GET /book/m%26 HTTP/1.1" 404 6164 "-" "-"

or even:

trek7.sv.av.com - - [29/Mar/2003:22:21:49 +0100] "GET /book/m HTTP/1.1" 200 45 "-" "Scooter/3.2"

("m" is just a text file that says that your browser is broken...)

[edited by: Brett_Tabke at 6:04 am (utc) on April 8, 2003]
[edit reason] fixed side scroll [/edit]

communitynews

4:00 pm on Apr 7, 2003 (gmt 0)

10+ Year Member

Not sure why you call them spammers, they aren't sending you anything.

From the looks of it someone has the requested pages in their bookmarks.

nafmo

6:58 pm on Apr 7, 2003 (gmt 0)

10+ Year Member

No, they haven't sent anything yet. My suspions come from the "emailtools" path name. I've seen it in a few places, doesn't seem very comforting to be linked from such a page.

There are other people that spam my guest book. Mainly German people, for some reason, but I do get spams in other languages as well. I usually delete their entries within the hour, though, so they don't get very much out of it. These spammers (and the ones above) *never* request anything other than the guest book pages. :-/

communitynews

4:03 am on Apr 8, 2003 (gmt 0)

10+ Year Member

I believe "file:///C:/Dokumente%20und%20Einstellungen/Sveta/Desktop/emailtools/LINKS.htm" is the referrer. This is a file on the disk in the machine the person is using. Its probably the german equilivent for a folder on their desktop called emailtools. This folder has a file called LINKS.htm. LINKS.htm has the link that they clicked on to get to your site.

Hence, I said it is their "bookmarks". It's actually just a HTML file they have on their disk that has a link to your site. They apparently had enough interest in your site to save the link. I think you should be happy. There is nothing in this by itself that is out of the ordinary and it doesn't mean they are spidering you. In fact, it indicates to me that it's a normal user.

nafmo

5:43 am on Apr 8, 2003 (gmt 0)

10+ Year Member

Yeah, they obviously come from a local file. It's the "emailtools" name that scares me, that it points to one archived part of my guestbook, combined with the fact that the guestbook CGI I use once was found to be quite unsecure (I had already removed most of the configurability, like selecting destination address from the the sending form and such), and that I have been targeted by guestbook spammers for a while now. And that's not the only occurrance of the local path "emailtools/LINKS" that I have seen in my logs, they seem to occur elsewhere as well, which kind of makes me think that they'er part of some spammers package.

I can't see why anyone would like to save a link to a part of my guestbook, and come back and just browse around my guestbook files from time to time, I just can't. The only explanations would be that they're trying to spam someone using my guestbook script, trying to spam my guestbook, or are harvesting e-mail addresses from my guestbook.

Anyway, that referer (and similar ones) will now send you on to a page I have with a statement regarding spamming.