Log spamming - they just want their URL in your logs.

Rather popular in some circles.

Two reasons:

A: You or whoever uses the logs might just visit and buy.

B: (the far more likely one) A lot of sites still have their logs sitting out in the open in spiderable locations. In many cases the log program also renders the referring URLs as hyperlinks. 1+2=easy backlinks.

Can you really see the links on the porn pages or do these pages just occur as referrers in your website statistics/logs? If you don't find any links on the pages, they are doing weblog spamming.

Weblog spammers know that some people have publicly accessable weblogs. They use a program to request a large number of innocent peoples' pages. Among them you. The spammers set the referrer of the request to one of their own pages, pretending that a user clicked a link from their page to your page. But that link isn't there. Your weblog package tracks that fraudulent click and creates an entry in the referrer statistics. Most weblogs conveniently create a link back to referring page such that the webmaster (you) can easily click on the pages that send users to your page.

What's in it for the spammer? It generates traffic for the spammers and sometimes even PageRank as long as GoogleBot can access the weblog and sees the links back to the referring pages.

Deejay & Hanu,

Thanks for the quick response. Weblog spamming seems to be what they are doing. It felt like I had fallen into the Twilight Zone.

Hmmmm......

I'm seeing a very similar thing in my logs.
Is there a way to control it or is it not worth it?
Does it do any harm/good to the reciprical site?

......interesting!

tbear,

I ended up blocking the IP addresses for the offenders. On my hosting site the Control Panel has a way to block IPs, which makes modifications to the .htaccess file.

The offenders use bandwidth. In my case I can contribute close to 100MB just to a handful of IPs. As I see it the problem would get worse.

tbear, I haven't had it on a scale worth doing anything about, but Storyman has the right of it - just look at blocking the IPs.

Blocking IP's doesn't sound like a good idea. The fake requests don't come from the porn site. They can come from anywhere, even from dynamically assigned IPs (dial-in accounts). You don't wanna block those, especially not forever.

There would be an easy solution but I don't know of any weblog package that does this: Before including a referring page in the stats the weblog software should verify that the link really exists. I don't think the spammers would actually put up links to all the sites whose weblogs they spam. Of course, they could also cloak their page and serve a version that has a link. But that can also be detected by running the link check from a different IP. Arms race ...

Hanu,

I'm using AWSTATS and there are some IPs that are unresolved. What I did is look at the IPs that were the source for heavy activity. Using those IP addresses they opened hard core porno sites. It turned out that they all came from a server that started with 210.0.0.0 through 215.0.0.0.

What I did was ban that entire range of IP--at least for now. Since it is a test site I'm not concerned about banning a full range of IPs, but would appreciate your comments in regards to using this approach on a legit site.

You could use DNS Stuff [dnsstuff.com] in order to find out more about an IP. Make sure it's not a dial-up IP by using the SPAM (email spam, not weblog spam) lookup. Some email spam blacklists have a database of dialin IP's. If it's one of those, do not block the IP because the IP may have already been reassigned to some innocent user that may be a potential legitimate user of yours.

I doubt that the fake requests to your site came from a dial-in IP, as the IP does not resolve to an DNS name and most if not all proper ISP's provide reverse DNS entries for their dynamically assigned IPs. {Objections, anybody?} So in your case the spammer seems to be stupid enough to do the requests from the IP that hosts their site.

BTW: I'm using AWStats, too. Maybe it would not be too difficult to add the link check functionality I described in my previous post.

There seems to be some confusion the link that was clicked to get to the web site.

This kind of thing happens by the spammer re-writting the header that gets sent from the browser so it looks like they were referred by the offending web site. There was never an actual link that was clicked, but rather just the act of the browser viewing the web page makes the web site record the visit as being referred from the spammers web site.

This is actually pretty easy to do with most browsers. I'm kind of surprised that more people don't do this so that they 'leave a trail' where ever they visit. I'm not condoning this in any way, I just think that it's surprising that we don't see more of this.

Dataguy,

I see what you mean.

For the past week I've been tracking the log-spammers and have found that they are coming from a dozen different IP ranges. So far all of them have been successfully blocked using .htaccess. Incidently, they also all have a porn site as the referring site.

The logs also show a sharp decrease in bandwidth used.

Perhaps this is OT... would blocking IPs inhibit click-fraud on my PPC campaigns. I see the same spoof directories and garbage sites referring to my site (examples... m-unky.com). If I block their IP will that stop them from being able to click to my site? Or, am I charged for the clickthrough even when it doesn't resolve to my site?

I've been searching for a solution to this. But have a few questions. What do i need to do to the htacess file to fix this aside from blocking IPs? does anyone know how to do keywords or if an example list of keywords already exists?

thanks in advance.

[spywareinfo.com...]

I found this it may help someone else too, haven't tired it yet. instructions are at the bottom of the page.

[webmasterworld.com...]

Why is it as soon as you post a questino you find the answers on you rown?

Happens to me too.

Glad you posted the link.

BTW the IP address block worked for this one situation.

Can't you simply block access to your webstats? (access only with authentification.. ) So google will not have access, the spammer neither, and so there is no point to do this referrer spamming..

AcsCh,

The log spammers aren't actually using the web stats. All they do is hit the index page. (Doesn't make sense to me either.)

Every time they access the index page they are refreshing so the entire page downloads instead of accessing the cache on their computer. This translates into wasted bandwidth.

Exactly their motivation for doing this seems senseless, but somewhere down the line they must be gaining something whether it be perverse or practical. I'm just happy to see zero bytes going their way.

(Doesn't make sense to me either.)

What they are doing is creating entries in your web server log file. If this log file is publically available to the internet, then there is a good chance search engines will see it and add it (the log) to their indexes. And thus the porn sites get one way links to their site for free.

Rich,

Thanks for the explanation. Since search engines don't have access to the web logs, I guess I'm safe--for now!

Sorry if this is a stupid question...

But how do I prevent search engine bots from seeing my logs?

sselden,

Good question. Some people place the folder holding their log files in the main directory where the index file. That is a mistake. It is best if the folder is up one level in the site's root directory. In other words above the public_html folder.

Cool thanks.

Just to be sure I get it...anything outside the public_html folder is "invisible" to search engine bots?

Sorry this is my first website.

thanks in advance for your answers...also thanks to everyone for making these forums such an amazing resource!

The directory should look something like this:

/logfiles
/public_html

Spiders (and those mean hackers) should not be able to access logfiles.

True, spiders should not be indexing your logfiles; nor your statistics.
a LOT of site's have a public "webstat" that everyone can see, no need for that, simply close it down for everyone but you for this simple reason.

@StoryMan:
You blocked 210.0.0.0 - 215.0.0.0?
I think you should rethink that action.
I know I'm in that range and A LOT of other people I know here in the Netherlands are.
So you just banned a lot of visitors :).

I've got the same problem here and I'm just banning the single IP responsible for this.
after some time I remove the ban, but keep it on a list.
Most of the time I don't see them anymore after I banned them for 6 months or something like that :).

DoppyNL,

I had reconsidered blocking 215.0.0.0 after making the post. Somewhere I had come across DNSStuff dot com, where you can reverse look up domain names.

The site is able to provide the range of IP addresses that belong to the offender(s).

Thanks for reminding me because I should have included that info earlier.

Still possible that the range the offender is in is owned by some (possibly small and not very known) ISP.
So if you were to ban a complete range you would probably still be banning a lot more people then needed.

The things I've seen are mostly from 1 single IP, so I ban that specific IP.
After some time the spamming stops from that IP and I can release the ban again.

I haven't seen spamming like this from multiple IP's in the same range yet.
All spam`runs` came from a single IP; I've yet to see the first to come from more then 1 IP.

So, in my opinion, banning a complete A-net is a little over the top.

You're giving reason to pause and rethink this.

With the use of the site mentioned above, I first typed in the domain name and a specific IP address and owner came back. Again, using the service I looked up the IP address and the same owner along with a range of about 5 consecutive IP addresses came back.

Then I checked the logs and did find that all of these porno sites (they were really nasty) did come back from this range of IP addresses.

Your point is well taken and just to be on the safe side I'm going to review the procedure again.