Skip to content

Archives

Referrer Spam Gets Smarter

So, it seems the referrer-log spamming is getting worse. The earlier attempts all used a limited set of IPs; probably the real source machines.

However, the latest crop are now relaying through open proxies. Out of a sample size of 10 random IPs, every one was a proxy listed in the OPM blacklist.

The URLs being spamvertised are all pr0n; lots of .ws and .biz hits with pretty colourful names. Take a look here, under any of the top 5 hits. They’re outnumbering the legit hits by about 20 to 1.

BTW, it’s now pretty clear the practice of referrer-spamming is intended to gain Googlejuice; plenty of other sites have noticed it too. It’s worth noting that in my case, it won’t work — my log pages are all off-limits to the Googlebot for quite a while, but the referrer spammers haven’t figured this out yet…

Some notes:

  • the spamvertized URLs include perlcoders.com, openproxies.com,
    • cgifactory.net, so steer clear of those sites.
  • the User-Agents are randomised, similar to spamware’s randomised X-Mailer headers. Some samples include:
    • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN 6.1; MSNbMSFT; MSNmen-ca; MSNc00; v5m)

    • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SC/5.10/1.14/Telenor; .NET CLR 1.1.4322)

    • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    • Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Wanadoo 5.6)

      My guess is they just took a large list of legit user agents, and used that.

  • I’ve now left them a few little surprises ;)