Welcome to WebmasterWorld Guest from

Forum Moderators: DixonJones & mademetop

Message Too Old, No Replies

New referrer spammer

example.com is being referer-advertised

2:06 pm on May 17, 2005 (gmt 0)

New User

10+ Year Member

joined:May 17, 2005
votes: 0

Today, there's a new web spamming phenomenon going on.

Referrer spamming isn't actually a new phenomenon, but it's a rare sight (for me at least), and it's a rare sight when it's being done in a distributed way.

Today, for the last 6 hours, my web server's access log has been filled with this kind of lines:

<ip address> "GET /something" "http://www. example.com/example-location-subject.html" "user agent"
Where the ip address varies a lot, as if a virus/worm is on spree,
and the referer field points to
http ://www.example.com/some-words.html ,
where the "some-words" are randomly selected rants about the subject.
Of course, my site has nothing to do with the subject and that site has nothing to do with my site (no links in either direction).

The user-agent varies, but these values have been seen:

"Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)"
"Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 98)"
"Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
"Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
"Mozilla/4.0 (compatible; MSIE 4.01; Windows NT Windows CE)"
"Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
"Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC; AtHome021)"
"Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]"
"Mozilla/4.0 (compatible; MSIE 5.0; YANDEX)"
"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.5.0RC1)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; AIRF)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; N_o_k_i_a)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; Transmission Segment; Hotbar 2.0)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Crazy Browser 1.x.x)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; KITV4.7 Wanadoo)"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; SAFEXPLORER TL)"
"Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 3.0)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iRider 2.21.1108; FDM)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"

Which even further lets believe it's a virus.

I don't know what I can do, except ban this abuser on my server, but I certainly hope someone takes it to their ISP and possibly even files a lawsuit against that hoodlum...

(I broke the links in this post to prevent the vermins gaining anything in the google ranks.)

[edited by: engine at 3:35 pm (utc) on May 17, 2005]
[edit reason] specifics [/edit]

4:46 pm on May 19, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 12, 2004
votes: 0


Your domain has most likely been selected by the "Bulgarians" for infinite referrer spam runs.

These come from hundreds of open proxies and these guys have thousands of domains.

I've been pounded by these and others for months. A few of these runs were so heavy it was almost like a Denial Of Service attack.

First check that your web server stats are not public. Use the term Spampop in Google and the first site should give you pointers on how to at least give them some 403's, which means creative use of .htaccess will help.

6:56 am on May 20, 2005 (gmt 0)

New User

10+ Year Member

joined:May 17, 2005
votes: 0

Thank you MaxM.

Even though my webalizer logs are not public (or any logs for that matter), they have picked my host and I guess there's no hope they'll ever stop.

Yesterday, I did a Google search on the Wednesday's spamvertised host, and it appears they've created a real mess - spam posts on all kinds of web forums and guestbooks.
Virtually, it's like they have decided to publicly defecate on other people's websites... (which is, not really anything new.)

Anyway, thank you. Now, to find how I can stop those ugly hits from appearing in my logs (Apache)...