More Fun With Spam!

October 12, 2005 on 9:51 pm | In Insider View, Tech News by nate |

Well, so, Josh didn’t get his wish about the video Airport Express, but I still think the new iPod video stuff is neat (especially the part about downloading TV shows). But we’ve been a bit too busy today to debate the finer points.

The thing keeping us busiest this morning was a huge influx of referer spam. This is a really dumb problem. The spammers just want to have a high ranking on our customers’ pages that list referers, like this one:

[Image: top referers]

This not only gets their URLs in front of anybody who views that page, but they also believe that it’ll help their Google ranking. Which is dumb because it’s easy for Google to spot and work around.

And the absolute DUMBEST thing they do is post this referer spam at a high enough rate that it actually overwhelms the webserver. Which creates obvious headaches for us and makes us do something to stop them. We usually can just isolate individual cases and block the attacking IPs, but this morning was so huge and pernicious and widespread we sort of had to solve the referer-spam problem itself, just so these jerks will leave us alone.

So we’ve stopped most of it with mod_security and will keep our eyes on things.

The biggest lesson is that if you write or run any sort of bloggy software that has a page for the top referers, get rid of it! It’s just asking for abuse from unsavory types!

21 Responses to “More Fun With Spam!”

  1. jgt Says:

    The thing I’ve never figured out is why spammers continue to leave 30 comment/trackback spams on my page every day, when none of them make it to the live site. I even renamed the comment- and trackback-submission php files, so they’re apparently scraping the form. As far as I can tell, they’re getting absolutely no benefit from hitting my site, yet they continue to do so. I just don’t get it.

    (I’m not expecting you to know the answer; I’m just venting.)

  2. Marco Says:

    Are you guys actively blocking open proxies at firewall level? Those are often abused by spammers. I now have a huge .htaccess block list but firewalling the proxies is a lot better. They are also used by comment spammers by the way, which also puts a very high load on the server depending on what anti-comment-spam package the blogger is running.

  3. Paul Goscicki Says:

    And I had thought that they had only targeted my site (which resulted in very biased visitor statistics), while it seems the whole of Dreamhost was their target. Interesting…

  4. Marco Says:

    Also, among others I have these rules in my .htaccess. They block HUGE amounts of referrer spam:

    # PHARMACY CRAP

    RewriteCond %{HTTP_REFERER} medicine [NC,OR]
    RewriteCond %{HTTP_REFERER} health [NC,OR]
    RewriteCond %{HTTP_REFERER} retin-a [NC,OR]
    RewriteCond %{HTTP_REFERER} ionamin [NC,OR]
    RewriteCond %{HTTP_REFERER} adipex [NC,OR]
    RewriteCond %{HTTP_REFERER} xenical [NC,OR]
    RewriteCond %{HTTP_REFERER} tramadol [NC,OR]
    RewriteCond %{HTTP_REFERER} cialis [NC,OR]
    RewriteCond %{HTTP_REFERER} fluoxetine [NC,OR]
    RewriteCond %{HTTP_REFERER} pharmacy [NC,OR]
    RewriteCond %{HTTP_REFERER} ultram [NC,OR]
    RewriteCond %{HTTP_REFERER} tramadol [NC,OR]
    RewriteCond %{HTTP_REFERER} imitrex [NC,OR]
    RewriteCond %{HTTP_REFERER} ultracet [NC,OR]
    RewriteCond %{HTTP_REFERER} levitra [NC,OR]
    RewriteCond %{HTTP_REFERER} triphasil [NC,OR]
    RewriteCond %{HTTP_REFERER} estradiol [NC,OR]
    RewriteCond %{HTTP_REFERER} diflucan [NC,OR]
    RewriteCond %{HTTP_REFERER} zyban [NC,OR]
    RewriteCond %{HTTP_REFERER} phentermine [NC,OR]
    RewriteCond %{HTTP_REFERER} drugs [NC,OR]
    RewriteCond %{HTTP_REFERER} prozac [NC,OR]
    RewriteCond %{HTTP_REFERER} valtrex [NC,OR]
    RewriteCond %{HTTP_REFERER} aldara [NC,OR]
    RewriteCond %{HTTP_REFERER} condylox [NC,OR]
    RewriteCond %{HTTP_REFERER} acyclovir [NC,OR]
    RewriteCond %{HTTP_REFERER} famvir [NC,OR]
    RewriteCond %{HTTP_REFERER} denavir [NC,OR]
    RewriteCond %{HTTP_REFERER} zovirax [NC,OR]
    RewriteCond %{HTTP_REFERER} cyclobenzaprine [NC,OR]
    RewriteCond %{HTTP_REFERER} zanaflex [NC,OR]
    RewriteCond %{HTTP_REFERER} carisoprodol [NC,OR]
    RewriteCond %{HTTP_REFERER} skelaxin [NC,OR]
    RewriteCond %{HTTP_REFERER} paxil [NC,OR]
    RewriteCond %{HTTP_REFERER} prescription [NC,OR]
    RewriteCond %{HTTP_REFERER} valium [NC,OR]
    RewriteCond %{HTTP_REFERER} hydrocodone [NC,OR]
    RewriteCond %{HTTP_REFERER} viagra [NC,OR]
    RewriteCond %{HTTP_REFERER} propecia [NC,OR]
    RewriteCond %{HTTP_REFERER} celebrex [NC,OR]
    RewriteCond %{HTTP_REFERER} pills [NC,OR]
    RewriteCond %{HTTP_REFERER} xanax [NC,OR]
    RewriteCond %{HTTP_REFERER} meridia [NC,OR]
    RewriteCond %{HTTP_REFERER} pharmacie [NC,OR]
    RewriteCond %{HTTP_REFERER} viagra [NC,OR]
    RewriteCond %{HTTP_REFERER} ambien [NC,OR]

    # GAMBLING CRAP

    RewriteCond %{HTTP_REFERER} poker [NC,OR]
    RewriteCond %{HTTP_REFERER} blackjack [NC,OR]
    RewriteCond %{HTTP_REFERER} black-jack [NC,OR]
    RewriteCond %{HTTP_REFERER} casino [NC,OR]
    RewriteCond %{HTTP_REFERER} roulette [NC,OR]
    RewriteCond %{HTTP_REFERER} gambling [NC,OR]
    RewriteCond %{HTTP_REFERER} texas- [NC,OR]
    RewriteCond %{HTTP_REFERER} holdem [NC,OR]

    # FINANCIAL / MARKETING CRAP

    RewriteCond %{HTTP_REFERER} paying [NC,OR]
    RewriteCond %{HTTP_REFERER} mortgage [NC,OR]
    RewriteCond %{HTTP_REFERER} finance [NC,OR]
    RewriteCond %{HTTP_REFERER} insurance [NC,OR]
    RewriteCond %{HTTP_REFERER} credit [NC,OR]
    RewriteCond %{HTTP_REFERER} credit-card [NC,OR]
    RewriteCond %{HTTP_REFERER} loan [NC,OR]
    RewriteCond %{HTTP_REFERER} buy [NC,OR]
    RewriteCond %{HTTP_REFERER} cheap- [NC,OR]
    RewriteCond %{HTTP_REFERER} commercial- [NC,OR]
    RewriteCond %{HTTP_REFERER} webmaster [NC,OR]
    RewriteCond %{HTTP_REFERER} affiliate [NC,OR]
    RewriteCond %{HTTP_REFERER} order- [NC,OR]
    RewriteCond %{HTTP_REFERER} business [NC,OR]

    # SEX / PORN CRAP

    RewriteCond %{HTTP_REFERER} -rape [NC,OR]
    RewriteCond %{HTTP_REFERER} xxx [NC,OR]
    RewriteCond %{HTTP_REFERER} bestiality [NC,OR]
    RewriteCond %{HTTP_REFERER} sodomy [NC,OR]
    RewriteCond %{HTTP_REFERER} rape- [NC,OR]
    RewriteCond %{HTTP_REFERER} sperm [NC,OR]
    RewriteCond %{HTTP_REFERER} semen [NC,OR]
    RewriteCond %{HTTP_REFERER} ejacula [NC,OR]
    RewriteCond %{HTTP_REFERER} blowjob [NC,OR]
    RewriteCond %{HTTP_REFERER} blow-job [NC,OR]
    RewriteCond %{HTTP_REFERER} gay [NC,OR]
    RewriteCond %{HTTP_REFERER} -sex [NC,OR]
    RewriteCond %{HTTP_REFERER} -teen [NC,OR]
    RewriteCond %{HTTP_REFERER} teen- [NC,OR]
    RewriteCond %{HTTP_REFERER} -pics [NC,OR]
    RewriteCond %{HTTP_REFERER} sex- [NC,OR]
    RewriteCond %{HTTP_REFERER} incest [NC,OR]
    RewriteCond %{HTTP_REFERER} lesbian [NC,OR]
    RewriteCond %{HTTP_REFERER} adult [NC,OR]
    RewriteCond %{HTTP_REFERER} hentai [NC,OR]
    RewriteCond %{HTTP_REFERER} porn [NC,OR]

    # MISC

    RewriteCond %{HTTP_REFERER} cruises [NC,OR]
    RewriteCond %{HTTP_REFERER} premature [NC,OR]
    RewriteCond %{HTTP_REFERER} ejaculation [NC,OR]
    RewriteCond %{HTTP_REFERER} penis [NC,OR]
    RewriteCond %{HTTP_REFERER} replica [NC,OR]
    RewriteCond %{HTTP_REFERER} watches [NC,OR]
    RewriteCond %{HTTP_REFERER} diet [NC,OR]
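    RewriteCond %{HTTP_REFERER} cams [NC]
    # The excerpt ends here. Assumed completion so the chain is usable as posted:
    # the last condition carries no OR flag, and the rule refuses matching requests with 403.
    RewriteRule .* - [F]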

    If you want the whole file, I’ve got a link to it from my weblog’s frontpage.

  5. Gail Says:

    I get massive amounts (well, maybe not massive) of referrer spam - I don’t display a top list of sites on my blog, but it still makes things icky in my stats pages. I hope the changes you’ve made help!

  6. hungerfan Says:

    Would these changes being made cause issues with a site? One site that is on basic-moon is not responding this morning but another site I have is doing just fine and it is on basic-heavy.

    Ed

  7. Adam Backstrom Says:

    jgt, I assume they keep leaving spam because it is cheaper to have the spam bot crawl and comment regardless of the result.

  8. Tin Says:

    For all the Wordpress users out there, you may already know about this, but there’s a plugin called Bad Behavior, which blocks spam pretty well. The scripts can be adapted to work with any PHP-based system, too. If anyone is having problems with spam, I hope this helps.

  9. Marco Says:

    Just a small question guys!
    How much are you guys already stopping with mod_security? Could you tell me what kind of rules you’re using? Maybe (parts of) my .htaccess file isn’t even necessary. If that’s the case I can save some resources here!

  10. Marco Says:

    Extra remark: I don’t know all that much about mod_security but if you could block the above word-patterns at server-level through mod_security whenever they occur in a referrer it would save a LOT of bandwidth and cpu cycles.

  11. Marco Says:

    Thinking ahead, this helps quite a bit if you call it at the very beginning of your PHP scripts. I have this as the very first thing that’s called when someone requests my pages:


    <?php
    function killspammer() {

    /* add items to this array at will */

    $aSpamWords = array(
    'medicine',
    'health',
    'retin-a',
    'ionamin',
    'adipex',
    'xenical',
    'tramadol',
    'pareto',
    'cialis',
    'fluoxetine',
    'pharmacy',
    'ultram',
    'tramadol',
    'imitrex',
    'ultracet',
    'fioricet',
    'zoloft',
    'levitra',
    'lipitor',
    'triphasil',
    'estradiol',
    'diflucan',
    'zyban',
    'phentermine',
    'drugs',
    'prozac',
    'valtrex',
    'aldara',
    'condylox',
    'acyclovir',
    'famvir',
    'denavir',
    'zovirax',
    'cyclobenzaprine',
    'zanaflex',
    'carisoprodol',
    'skelaxin',
    'paxil',
    'prescription',
    'valium',
    'hydrocodone',
    'viagra',
    'propecia',
    'celebrex',
    'pills',
    'xanax',
    'meridia',
    'pharmacie',
    'viagra',
    'ambien',
    'poker',
    'blackjack',
    'black-jack',
    'casino',
    'roulette',
    'gambling',
    'texas-',
    'holdem',
    'paying',
    'mortgage',
    'finance',
    'insurance',
    'credit',
    'credit-card',
    'loan',
    'buy',
    'cheap-',
    'commercial-',
    'webmaster',
    'affiliate',
    'order-',
    'business',
    '-rape',
    'xxx',
    'bestiality',
    'sodomy',
    'rape-',
    'sperm',
    'semen',
    'ejacula',
    'blowjob',
    'blow-job',
    'gay',
    '-sex',
    '-teen',
    'teen-',
    '-pics',
    'sex-',
    'incest',
    'lesbian',
    'adult',
    'hentai',
    'porn',
    'cruises',
    'premature',
    'ejaculation',
    '*beep*',
    'replica',
    'watches',
    'diet',
    'cams');
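    // The Referer header is optional; treat a missing one as an empty string.
    $sReferer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    foreach($aSpamWords as $sSpamWord) {
        // stripos() returns 0 for a match at the start of the string,
        // so compare strictly against false.
        if(stripos($sReferer, $sSpamWord) !== false) {
            die();
        }
    }
    return "";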
    }
    ?>

  12. Daniel Says:

    Josh,
    I’m really upset with you. You got my hopes up, and I was “dreaming” of the video airport at night… Then the video ipod came out and shot them down. DAMN YOU, MAN!

    Oh ya… interesting entry, Nate. The fact that people would spam in that manner just makes me… laugh… a lot. lol.

  13. G Vigneault Says:

    Just install Referrer Karma and Spam Karma for WordPress.

    My blog pass the 12,000 at 750 spam referer per day

  14. Ashley Says:

    None of my sites have traditional referrer pages that show any of these but all of my sites get hit by tons of referrer spam.

    A few jackasses are selling software (and presumably, site lists) to do the spamming. Merely taking down your referring site stuff won’t stop the hits.

  15. Marco Says:

    Hello Dreamhost crew? Are you actually reading this blog or are you only posting-and-forgetting?

    My site is being hammered by one single asshole promoting his crap porn site for days already. Multiple requests PER MINUTE!

    Another idiot is promoting tons of prescriptiondrugname.sie.pl and then there’s another porn spammer with tons of seeya.at domains.

    212.175.112.152 - - [16/Oct/2005:23:21:20 -0700] "GET /weblog/ HTTP/1.0" 200 0 "http://sesso-racconti.com" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"

    As you see in the access rule at least my little function keeps them from stealing bandwidth or many cpu cycles but still I’d like to know what you guys are doing to prevent/battle all this. I asked this by mail some days ago already but I didn’t get a response….
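
Added example, not part of the original post or of any commenter's code: a log-side check for the referer spam discussed in this thread, run over constructed lines in the same combined log format as the entry quoted in comment 15. It goes beyond the thread's keyword rules by counting hits per referer host and by listing referers that a whole-URL substring match blocks although the hostname is clean; the hostnames, IPs, threshold and keyword subset are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format, the format of the entry quoted in comment 15.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Assumption: a small subset of the keyword list posted in this thread.
KEYWORDS = ("pharmacy", "casino", "poker", "health", "buy")

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_host(referer):
    if referer in ("", "-"):          # header absent
        return ""
    return (urlsplit(referer).hostname or "").lower()

def analyse(lines, own_host, flood_threshold=3):
    """Return (flood_hosts, keyword_hosts, whole_url_only)."""
    counts, keyword_hosts, whole_url_only = Counter(), set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                  # not a combined-format line
        host = referer_host(rec["referer"])
        if not host or host == own_host:
            continue                  # no referer, or internal navigation
        counts[host] += 1
        if any(k in host for k in KEYWORDS):
            keyword_hosts.add(host)
        elif any(k in rec["referer"].lower() for k in KEYWORDS):
            # Hostname is clean; only the path or query contains a keyword.
            whole_url_only.append(rec["referer"])
    floods = {h for h, n in counts.items() if n >= flood_threshold}
    return floods, keyword_hosts, whole_url_only

def _line(ip, referer):               # builds one constructed sample line
    return (f'{ip} - - [16/Oct/2005:23:21:20 -0700] "GET /weblog/ HTTP/1.0" '
            f'200 512 "{referer}" "Mozilla/4.0 (compatible)"')

# Constructed sample data (documentation IP ranges, .example hosts).
SAMPLE = [_line(f"192.0.2.{i}", "http://cheap-pharmacy.example/") for i in range(1, 4)] + [
    _line("198.51.100.7", "http://search.example/?q=health+insurance+reform"),
    _line("198.51.100.8", "http://friend.example/links.html"),
    _line("198.51.100.9", "-"),
    _line("198.51.100.9", "http://blog.example/weblog/")]
```

Calling `analyse(SAMPLE, own_host="blog.example")` flags the flooding host and keeps the search-engine referral separate, which is the kind of legitimate visitor that substring rules on the whole Referer string turn away.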

  16. TB Says:

    Wordpress:

    Gets rid of my comment spam:
    http://elliottback.com/wp/archives/2005/05/11/wordpress-hashcash-20/
    Uses a hashing algorithm.

    Gets rid of my trackback spam:
    http://blog.mytechaid.com/archives/2005/03/09/wordpress-trackback-spam-solution/
    Uses modrewrite rules.

    I haven’t gotten a single spam since using those. No blacklists or spam score or anything else required.

  17. Off the Kuff Says:

    August and September traffic reports

    I managed to skip doing a traffic report last month amidst all the excitement. August and September were both pretty…

  18. Marco Says:

    Hashcash does nothing against referrer spam which is what this thread is all about.

  19. Jason Says:

    With all these spam bots flying around automagically, might I suggest some of you check out Bad Behavior?
    ESPECIALLY THOSE OF YOU USING WORDPRESS!

  20. bdotson Says:

    Thanks for that link Jason. I didn’t know that plugin existed for Wordpress. I’ll have to install that today.

  21. IGrizzli Says:

    I don’t have a blog. But I have a site, and the site’s forum is attacked by spammers many times every day. Do you know of some plugins which can help me?
