« YIM for unix forum | Main | Referer spam, take 2 »

Referer spam bots

What an annoyance, referer spam bots (a whole lot of them) hit my friend's website.. resulting in over 7000 hits today from nearly 2000 unique IP addresses. All for about 25 domains. All porn sites, of course.. all but one. We expect slimy behaviour from porn sites, right? That doesn't suprise anyone.. but it seems a wannabe webhosting company akiraweb is using this lovely method to advertise their website. Not nice.. So looking for hosting? Go elsewhere.. anywhere else. Don't give these assholes a dime.

For those who are already filtering referer spam with mod_rewrite rules.. here's a few domains to add [text file].

And here's a complete list of their 1574 unique IP address for your hosts.deny file.. not like they probably don't have more anyway.. but.. what the hell.. [Nevermind, see my comment below].

I'm annoyed.. they've been going at it for hours and are not stopping.. so.. akiraweb is now getting all this spam traffic.. have a taste of your own medicine guys... Thankfuly, these are stupid bots.. they do follow redirect.. tested and confirmed, heh. At least that's worth a modemecum of amusement.

Posted by kasia on August 12, 2003 10:46 PM |

TrackBack

Listed below are links to weblogs that reference Referer spam bots:

» Oh, those wacky porn sites from Compendium
Kasia and her readers report a new wrinkle on referrer spam: Porn sites are adding image tags that link to images on particular Weblogs. [Read More]

Tracked on August 13, 2003 09:14 AM

» On the State of the World from The ArcterJournal
A quick little rant about the shit we have to put up with these days. I just want to know... [Read More]

Tracked on August 13, 2003 01:06 PM

» Why are Porn Site Linking to me? from Riz's Waste of Bandwidth
I have been wondering why porn sites keep appearing as referers to my page. Kasia (and her readers) have pointed out why. Apparently these sites just include a <img src="http://www.tunerds.com/somethingThatDNE.jpg"> on their page. Whenever someon... [Read More]

Tracked on August 13, 2003 02:37 PM

» Remember the weird referal from a google search? from Ensight
Well, it turns out that someone visiting a porn site might create weird referrals to a blog. According to Network Fusion Magazine: "Porn sites have found a new way to increase their Google rankings: They link to images on unsuspecting... [Read More]

Tracked on August 19, 2003 04:01 PM

» New version of google-bombing from The Blinne Blog
I have been google-bombed by auto-commenting scripts. Here's another technique reported by kasia in a nutshell: Remember the good old days when you could make a search phrase on google point to a certain page? Who can forget when the phrase 'go to hell' [Read More]

Tracked on September 10, 2003 01:02 PM

Comments

View the source of the referring site. Most likely they have put an [img src='http://your/url/'] in their source. If so, then it's not a bot -- those 1574 unique IP addresses you're banning are customers who are simply visiting that porn site in their browsers. They've never heard of your site, don't realize they're contributing to your referrer spam problem, and no amount of IP banning will help stop the flood of new customers.

It happened to me, which is why I know about it. When I looked at the source I saw 30 other img tags, all targetting high-profile blogs. I redirected the requests based on referrer to a password-protected file, so any customer who tries to visit the porn site gets a password challenge dialog with a rude message. I believe that got their attention, they removed my img tag and I haven't heard from them since.

Posted by: Mark | August 13, 2003 12:44 AM

hm, clever tactic, that didn't occur to me.. you're right, that's exactly what it is. I didn't ban the IPs.. I assumed they were hijacked pc's or open proxies (too many IPs) and just used rewrite rules to re-direct the traffic at someplace else.

Thanks Mark.

Posted by: kasia | August 13, 2003 01:14 AM

Hm, just occured to me.. not only slimy in how they try to generate traffic, they obviously don't care much about their users' privacy.. I inadvertly published a list of IPs of users who visit porn sites.. heh, that's funny.

Posted by: kasia | August 13, 2003 01:21 AM

*sigh* And for one glorious moment I though my blog was really really popular ;)

Posted by: Matt | August 13, 2003 01:36 AM

Just find the image they link and replace it

:D

Posted by: Chris (another one) | August 13, 2003 03:46 AM

They don't link to an image. They link directly to your home page, but within an img tag, so visitors will hit your page trying to download the image. It won't display because it's not a valid image, but the damage (showing up in your referrer logs) has already been done.

Posted by: Mark | August 13, 2003 09:30 AM

Yep, the same scumbag is screwing up my logs too -- and I'm seeing akiraweb as well: http://jmason.org/refs/200308/ALL_PAGES.html (under /html). Nice company you're keeping there, Akiraweb!

Some points:

1. it's not loading from users' web browsers through IMG tags etc. AFAICS. I visited the 8thstreetlatinas site, checked the source, and checked my referrer logs to see if my access had resulted in a hit on jmason.org -- no sign. (although maybe it only works for MSIE.)

2. it's not open proxies; I checked that last time I got a bee in my bonnet about it. None of the hosts seem to have the right ports open.

3. However all of them AFAICS were running Windows 2000 or XP with MSIE -- so my theory is that it's tied in somehow to some scummy adware that affects users on Windows, and then without their knowledge, goes off hitting sites with referrer spam.

4. Akiraweb's WHOIS info is dodgy: Web, Akira mcpimp@mail.ru, PO Box 2521, Scottsbluff, NE 69361, US, (714) 734-8374. A PO box and a freemail address? That's exactly the kind of solid, reliable company *I'd* want to host with I don't think ;)

I've been trying to screw about with the clients, but they seem to be relatively resilient; e.g. returning an illegal 40-byte HTTP status code is ignored, and dumping 800Kb of data back at them from /html doesn't seem to have any effect. So I think they may be using MSIE (at least the URL control part).

I think I may try those mod_rewrite rules.

Posted by: Justin | August 13, 2003 12:38 PM

oh -- forgot to mention -- the problem is definitely lessening now that I put all my log analysis stuff into robots.txt as "noindex", AFAICS. So I think getting Google Page Rank is the aim.

Posted by: Justin | August 13, 2003 12:39 PM

Some more for your list from my supply this morning :(

RewriteCond %{HTTP_REFERER} dildo-sex-deep\.com [OR]
RewriteCond %{HTTP_REFERER} fetish-sex-bizarre\.com [OR]
RewriteCond %{HTTP_REFERER} free-porn-pics4u\.com [OR]
RewriteCond %{HTTP_REFERER} hairy-pussy-only\.com [OR]
RewriteCond %{HTTP_REFERER} huge-boobs-babez\.com [OR]
RewriteCond %{HTTP_REFERER} huge-cock-guys\.com [OR]
RewriteCond %{HTTP_REFERER} mithology.org [OR]
RewriteCond %{HTTP_REFERER} naked-celebrities-yard\.com [OR]
RewriteCond %{HTTP_REFERER} pissing-women-pix\.com [OR]
RewriteCond %{HTTP_REFERER} teen-sex-zone.net [OR]
RewriteCond %{HTTP_REFERER} tranny-sex-shemales\.com

All coming from 216.127.74.43 and 64.237.60.52 (blocked at the firewall for me now).

*sigh*

Posted by: Arcterex | August 13, 2003 01:42 PM

(feel free to edit the above comment to move those onto a separate page... just realized after I posted that that I'm probably helping the bastards :( )

Posted by: Arcterex | August 13, 2003 01:44 PM

According to my MySQL logs, my referer spam trickled to a stop over roughly three months after I restricted access to my log analysis pages. It appears that they're after search engine rankings...

Posted by: Harald | August 13, 2003 02:32 PM

I was just viewing this post and something occured to me. What if a rival company is doing this to Akira Web? I've scene this done with email spam a million times to degrade a company's image. It doesn't sound to me like Akira Web would really gain anything from doing this.

Posted by: Jinx | August 16, 2003 06:31 AM

When I do a whois on jinxco.net..

Akira Web
PO Box 2521
Scottsbluff, Nebraska 69361
United States
information@akiraweb.com

Looks familiar? Why is Jinx defending Akiraweb? Oh yeah.

Posted by: trashcan | September 5, 2003 01:50 AM

Yah, it's getting pretty bad.

Posted by: Tramadol | October 13, 2003 03:47 PM

Thanks for the Rewrite Rules, Geek Stuff & Arcterex!

Matt.

Posted by: Matt | November 9, 2003 06:44 PM