Archives for: December 2003

Sun, 28 December 2003

Permalink 03:57:18 am

Referer Spam and Meta Refresh - The Evidence and a Potential Problem

It seems I'm getting a bit preoccupied with spam at the moment. A couple of days ago I posted that I thought referer spam was being generated using meta-refresh. I've since stumbled across some evidence of this. Going through my server logs, I found a referal from:

**www.rob-smith.com/GlamourPhotographer/BlogIndexer.php**

The *s are to prevent a hyperlink - I won't give him the satisfaction. If you're going to take a look at it make sure you've disabled meta-refresh in your browser otherwise you may be generating more spam (and be aware that the site is NSFW).

This appears to be just a gateway page, but uses a meta refresh to redirect to a random site. At the moment it just goes to the main site, so how do I know it was used for spamming? This Google search is the giveaway. Google's cache, that is supposedly of the page, is actually of a completely different site that just happened to be the one randomly redirected to when Googlebot visited.

This raises a potential problem when using a .htaccess file to block spam based on referer - could you be inadvertantly blocking search engine spiders from crawling your site? If, like I do, you redirect to an external site when the referer is a known spammer, if the spider passes this referer then it may index the other site. Similar will happen if you return a 403 forbidden - the spider will record that against your URL and may not come back for some time.

So where does that leave sites that have a 'recent referers' section but don't want to risk blocking search engine spiders? Unless your blog software has specific blacklists to block referer spam, you're USCWAP. Maybe the days of vanity lists (which in all honesty is what the recent referers sections are) are numbered.
Permalink 12:56:50 am

Weird Spam - From Juror No.4 to Juror No.3

I was skimming through my hotmail junk and found one very strange email:
From : Juror No. 4 JurorNUMBER4@ev24.net
Subject : Help, I'm Looking for Juror #3 Van Nuys Superior Court

To: Juror #3, Van Nuys Superior Court, Dept E, Los Angeles, CA, excused on
November 13.

This is Juror #4 and I would really like to say Hi and continue our
conversation.
You can reply to this email or call 818-831-1492.
Dear ******
DO YOU KNOW JUROR #3?

She is WF, 30's, 5'5", slender build, short light brown hair.
She served on jury duty November 12 & 13, Van Nuys Superior Court in the
San Fernando Valley, Los Angeles, CA.

Contact me or please pass this message along to her. Thanks, and Happy
Holidays!

Before anyone flames me for posting this, I know it's spam, but what I can't work out is what it's for - is the phone number premium rate, or is it just to validate email addresses?

**UPDATE** 29/12/2003
This Google cache of an Excel document has that phone number belonging to someone called Steve Davis, email Future_Process@msn.com. Could he genuinely be looking for someone?

**UPDATE 2** 29/12/2003
It appears to be this guy - Steve Davis, CPIM. The career description fits as well as them both being in California. The question still remains - is he genuinly trying to find 'Juror #3', or is someone else pissed off at him enough to spread his phone number around the internet? Steve, if you're out there, let us know.

Tue, 23 December 2003

Permalink 03:28:54 am

Referer Spam - Meta Refresh Used

Something that is becoming a real headache for sites like mine that display recent referers is referer spam. This is where a site, mostly porn sites, appears as a referer to yours, but if you check the site they don't actually link to you. The purpose of this is to increase their Google PageRank - the fake referer appears as a link, and the greater the number of links, the higher a page will be in a Google search.

The way that they are doing this is by having a list of targets and then generating a dynamic page on their site that uses a meta refresh tag to redirect to their next 'victim'. It would not be difficult for them to write a script that continually displays this page in a browser, thus generating thousands of fake referals.

There is no easy way to stop this whilst still allowing genuine referals through. b2evolution, the software that I use, has a function that blocks refers from a blacklist. A similar result is achieved by using a .htaccess file if your web server supports them. If you already have a file named .htaccess in the root of your site append the following to the bottom, else copy the following to a text editor, save it as .htaccess (including the leading .) and ftp it to your server. Replace domain.com and domain2.com with the domains you want to ban and add similar lines until you have included all sites that spam you.

RewriteEngine On #this line should only appear once in .htaccess

RewriteCond %{HTTP_REFERER} ^http://(www.)?domain.com(/)?.*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://(www.)?domain2.com(/)?.*$ [OR]
RewriteRule .* - [F,L]

Be warned, this is not a permanent solution as new spammers seem to appear every couple of days, but it will allow you to keep your referers section relatively clean if you keep it updated.

There may be ways to crash the spammer's browser using this method. One that I'm going to try over the next couple of days is redirecting to a page that then uses javascript to try and get the browser in to a loop (window.location.history.go(-2) or infinite popups maybe?). I'll keep you posted.

<  December 2003  >
Mon Tue Wed Thu Fri Sat Sun
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31        

UK Cloud Hosting
UK Cloud Hosting

Archives

Search

 

My Stuff

Other People's Stuff

Humour

Daily Reads

Politics

Technology

Other

Last Refering Searches

Syndicate XML

Contact

Please send your comments, complaints, legal threats or praise to this address

Privacy Policy

powered by
b2evolution