
Referer spammers: New scourge of the web

When someone links to one of your webpages and a visitor clicks that link, the browser sends along the address of the page that "referred" them. This information shows up in your standard webserver log, and can also be read by CGI and server-side scripts. For example, in PHP it is available through the $_SERVER superglobal array:


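// The header is client-supplied and may be absent: default to '' and escape before output.
echo htmlspecialchars($_SERVER['HTTP_REFERER'] ?? '', ENT_QUOTES, 'UTF-8');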
 


As an aside, yes they did spell that REFERER, and I assume that the history of that misspelling goes back to the folks who created the CGI-BIN API.

The referrer arrives in an HTTP header that the browser sends with its request, and it has always been possible to suppress or change it, so most folks treat "referer" information as a useful indication of sites that have linked to you, but nothing you can depend on.

Lately, there seem to be more and more unscrupulous people marketing software to others which does nothing but waste bandwidth hitting long lists of sites and generating referrer entries in your web logs. Their reasoning is that you will check your logs (every website reporting package includes information about the referrers you get) and very possibly click on the entries to see how you're being linked, or what their site is about.
Needless to say, there is no link to your site, and their only purpose is to trick you into visiting them. Lately I've seen this practice increase on sites I'm involved with, and I only expect it to get worse. The best thing we as website developers can do is build tools, or implement existing tools, that will block these folks from hitting our port 80 or, at the very least, get rid of their referer spam entries from our logs.

In that spirit, here are a few sites I know of that are already at this. Feel free to add your own in the comments section. If anyone has any good ways of combating these folks, let's hear about it, either in comments or over on my forum.

Known referer spammers:
------------------------
http://www.xopy.com/
http://www.adminshop.com/
http://www.atelebanon.com/
http://www.yottacars.com/
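
One way to get referer spam entries out of a log, as an added example (not code from this post): it assumes Apache "combined" format log lines, uses the four domains listed above as the blocklist, and matches on the Referer host so that look-alike names are not caught. The sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Domains taken from the "Known referer spammers" list on this page.
SPAM_DOMAINS = {"xopy.com", "adminshop.com", "atelebanon.com", "yottacars.com"}

# Apache/NCSA "combined" format: ... "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if unusable."""
    if not referer or referer == "-":
        return None
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    return host.rstrip(".").lower() if host else None

def is_spam_host(host, domains=SPAM_DOMAINS):
    """Match the domain itself or any subdomain, never a mere substring."""
    return host is not None and any(
        host == d or host.endswith("." + d) for d in domains
    )

def split_log(lines, domains=SPAM_DOMAINS):
    """Return (kept, spam); lines that do not parse are kept untouched."""
    kept, spam = [], []
    for line in lines:
        m = COMBINED.match(line)
        host = referer_host(m.group("referer")) if m else None
        (spam if is_spam_host(host, domains) else kept).append(line)
    return kept, spam

# Constructed sample lines (documentation IP address, made-up requests).
SAMPLE = [
    f'203.0.113.5 - - [10/Jan/2005:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "{ref}" "Mozilla/4.0"'
    for ref in ("http://www.xopy.com/", "http://WWW.AdminShop.com:80/links.html",
                "http://notxopy.com/", "http://xopy.com.example.net/", "-")
]

if __name__ == "__main__":
    kept, spam = split_log(SAMPLE)
    print(f"kept {len(kept)} lines, dropped {len(spam)} referer spam lines")
```

Because the Referer header is client-supplied, this only cleans up reports; it says nothing about who actually sent the request.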

Comments


Anon on :

Another spammer:
http://www.blogincome.com/

Bill Platt on :

Just a note to those who might be interested.

blogincome dot com AND
adminshop dot com

(No PR value gained by the spammers here.)


are tied together through a common name server: acyon dot com
or the registration address:
8939 S. Sepulveda Blvd
Westchester, CA 90045

This address seems to point to a Mailboxes, etc. just outside of the boundaries of LAX.

Acyon dot com is shown to be hosted on:
http://managed.com/

I know that there are more websites in this scheme, because I have tracked it several times before trying to figure out who is at the helm. The owner of these sites uses whoisguard.com to hide his identity.

Now, when you do a whois search of acyon dot com, you find that this person likely resides somewhere in Norway.

To understand the point and purpose of this scheme, you must visit another acyon site: warrenoates dot com

When you hit warrenoates, you realize that the acyon spammers are in the business of selling domains.

This is what seems to be afoot.

They are buying these domains as an investment. Then they work their referer spamming to build traffic to the sites.

They provide the site of their current referer (your site) as a "friend" of their site which throws most people off the scent of spam.

Since they are dabbling with people who run site tracking, they are dealing with people who likely use the Google toolbar and the Alexa toolbar. This helps them take advantage of the people who can build their Google PR and more importantly, their Alexa Traffic Rankings.

Bingo, there is the key!

A site with higher Alexa Traffic Rankings is bound to generate a higher resale value!

It is a slick scheme that reeks of dishonesty when dealing with their end customers: the people who buy domains from them.

2McAbre on :

Finally I do not feel alone! Here is the result of my own research into this. My friend Sadie (http://hollow-refuge.net/phpBB/index.php) and I have been investigating this ruse for a few weeks now!

Fortunecity and V3 dot coms are both using this to insert pop up HTML code via SSIs at unsuspecting sites. These referrers are "pinged" into your blog's "Latest" referrer lists and have extensions that end in get.to

These links lead to a bogus page, that includes JS that redirects you to a site, inserts the pop up code into the header, and you get a pop up window advertising V3 dot com!

Another recent discovery involves a German firm using the same technique described above. Their referrer links end in info.ms.

IP ranges to block all their BS?

FC&V3 (weirdname.get.to) ranges are 64.246.160.0/64.246.191.255 and 66.179.0.0/66.179.255.255. Blocking both those ranges will stop their BS.

The German equivalent sites nic dot de & their associated ad server cydots dot com (weirdname.info.ms) ranges to block are 213.133.115.128/213.133.115.143 and 213.239.192.0/213.239.207.255

2McAbre on :

Add the following, best bets? Block their cumulative IP ranges at server level (if you have access to .htaccess)

FortuneCity dot Com (adserver)
V3 dot com (referrer spammer owned by the same CO.)

Links that will relate to their scam end in get.to

IP ranges to block…
64.246.160.0/64.246.191.255 (FC)
66.179.0.0/66.179.255.255 (V3)

Another player at this game is out of Germany.

Cydots dot com (referrer spammer owned by the same CO.)
nic dot de (adserver)

Links that will relate to their scam end in info.ms

IP ranges to block…
213.133.115.128/213.133.115.143 (cydot)
213.239.192.0/213.239.207.255 (nic)
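
The ranges in the comment above are written as first/last address pairs, while Apache reads `a.b.c.d/e.f.g.h` as network/netmask, so they need converting to CIDR before they go into .htaccess. An added example (not the commenter's code) that does the conversion, checks a client address against the result and renders directives; the Apache 2.4 `Require not ip` syntax is an assumption about the server in use.

```python
import ipaddress

# First/last ranges exactly as posted in the comment above, with its labels.
POSTED_RANGES = {
    "FC": "64.246.160.0/64.246.191.255",
    "V3": "66.179.0.0/66.179.255.255",
    "cydot": "213.133.115.128/213.133.115.143",
    "nic": "213.239.192.0/213.239.207.255",
}

def to_cidrs(posted):
    """Turn 'first/last' into the minimal list of CIDR networks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in posted.split("/"))
    if first.version != last.version or first > last:
        raise ValueError(f"not a valid first/last range: {posted!r}")
    return list(ipaddress.summarize_address_range(first, last))

def build_blocklist(ranges=POSTED_RANGES):
    """Map each label to its CIDR networks."""
    return {label: to_cidrs(r) for label, r in ranges.items()}

def matching_label(client_ip, blocklist):
    """Return the label of the range containing client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    for label, nets in blocklist.items():
        if any(addr in net for net in nets):
            return label
    return None

def htaccess_lines(blocklist):
    """Render Apache 2.4 (mod_authz_core) directives for an .htaccess file."""
    out = ["<RequireAll>", "    Require all granted"]
    for label, nets in blocklist.items():
        out.append(f"    # {label}")  # Apache comments need their own line
        out += [f"    Require not ip {net}" for net in nets]
    return out + ["</RequireAll>"]

if __name__ == "__main__":
    print("\n".join(htaccess_lines(build_blocklist())))
```

A range that does not fall on a power-of-two boundary comes back as several networks, each of which gets its own directive.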

Sadie on :

My friend, 2McAbre & I have been tracking down/blocking these scumbags for a couple of weeks, now. We are really glad to have found someone else who has even noticed what is going on.

Be delighted to publish the I.P. ranges of the cretins who've been spamming my B2 Evolution. Is it O.K. if I link one of the pieces we've written to here? Thought it best to ask for fear you'd think it was another bogus referrer!
