Hello all

I' ve got the habit of blocking referrer spammers in my .httacess. I know that it is not such a big deal as my referrer logs are not public accessible, but I really don't like the bad guys sniffing my site and waisting my bandwith. (I' ve got 3000+ pages in my drupal sites and sometimes uncivilized robots can cost some money).

A simple "RewriteCond %{HTTP_REFERER}" used to work but for some reason it didn't work with the b###rds from "tecrep - inc dot net". Them I decided to block the IPs used by these spammers using the "deny from ..." also in the .htaccess. It also didn't work.

My sites are made with Drupal 4.5.2 running in a Apache 1.3.33 with php 4.3.10.

So here is my question... Is it possible that they are faking the IPs in the Drupal's log?

I am not a techie, so please excuse me if this is a stupid question. Sorry for my broken english, too.

[]s
China
http://www.br101.org

Comments

autowitch’s picture

There not using fake IPs - It's a farm of comprimised zombie PCs that are flooding you. It seems like the attacks are getting worse - sites that have fairly narrow pipes connecting them to the net are now being DDos'd.

This article may help a bit:

http://www.spywareinfo.com/articles/referer_spam/

it uses the .htaccess file to block the referrals by domain. Unfortunately, the domains seem to change frequently (but not as frequently as the ip addresses), so a better solution is needed. But this should help slow down the flow a bit.

-aw

china243@drupal.org’s picture

Thanks for the tips... I´ve seen it and applied it before I wrote the message... It works with most of the spammers.

But... The strange thing that I noticed is: blocked supected IPs in the Drupal log continue bother me.

[]s
China
http://www.br101.org

ericatkins’s picture

You might want to see this discussion: http://drupal.org/node/16553

china243@drupal.org’s picture

After googling and some experiences I found a solution a temporary for the referrer spam that is working for me at this site:

http://cavlec.yarinareth.net/archives/2005/01/11/killing-referrer-spam/

Not sure if it's off-topic ' cause it is a server solution, but may be usefull for some.

Here is a copy of part of my .htaccess that I've added some keywords to the original reference.

I am not an expert... There must be something more elegant, but it is working

Hope it helps

[]s
China
http://www.br101.org

RewriteCond %{HTTP_HOST} !^br.br101.org$ [NC]
RewriteCond %{HTTP_REFERER} ^(.*)$ [NC]
RewriteRule ^(.*)$ %1 [R=301,L]

SetEnvIfNoCase Referer ".*(credit|canadianlabels|8gold|texas-hold|hold-em|holdem|fidelityfunding|condo|sportsparent|mortgage|spoodles|money|cash|hotel|houseofseven|stmaryonline|newtruths|popwow|oiline|flafeber|thatwhichis|tmsathai|pisoc|crepesuzette|mediavisor|commerce|easymoney|911|////.vi|gb////.com|4free|macsurfer|teen|pussy|discount|blogincome|lillystar|aizzo|webdevsquare|laser-eye|escal8|xopy|vixen1|linkerdome|youradulthosting|fick|inkjet-toner|fuck|ime.nu|perfume-cologne|italiancharmsbracelets|shoesdiscount|psnarones|hasfun|casino|gambling|poker|porn|sex|paris|gabriola|nude|xxx|hilton|pics|video|adminshop|devaddict|iaea|empathica|insuranceinfo|atelebanon|handy-sms|peng|just-deals|pisx|rimpim|didrex|reductil|party-poker|tramadol|soma|meridia|poker-hands|personal-loans|pay-day-loan|cialis|888|carisoprodol|future-2000|ronnieazza).*"BadReferrer
order deny,allow
deny from env=BadReferrer