OT: clone blogs and referrer log spam

updated – read a more current piece on referrer log spam here

Idly.org reports on a recent phenomenon: adult web site promoters are setting up bogus blogs, some copied verbatim from genuine blogs, and advertising them to real bloggers via referer log spamming. The “clone blogs” contain javascript traps to redirect clicks to porn sites.


It appears that these sites, using a clean little weblog as a front, are hosting a large amount of porn. I do not recommend visiting the above URL and I would suggest that if you do, you should disable Javascript as then the page is just rendered in text without strobing gif nakedness.

They’re attempting to increase the Google Juice of the main page of the site by spamming people’s referrers, and thereby increase the juice of the adult-webcam page. Currently, the sites have little or no juice, but they’ve only been at it for a little while.

– Idly.org, Porn Sites Hiding Behind Blogs.

Vigilant TV’s crack team of technical experts noticed some of these bogus blogs [ed: www.worldnewslog.com, www.wr18.com, www.saulem.com, etc – I won’t dignify them with HREF links, since that would help increase their google ranks] in our referrer logs several days ago, but didn’t pay them much attention until noticing the discussion on various blogs.

Here’s some analysis of our own:

The referer log entries themselves are clearly generated by a bot. The user-agent string “MSIE 6.0” is bogus; no real browser, Microsoft or otherwise, uses that string. It’s easy enough to spot that the referrer is bogus, since the site itself doesn’t contain the necessary HREF link to generate a real referrer.

In addition to the clone blogs already mentioned, there is at least one fake search engine, www.websearchus.com.

Here are the referrer log entries that we know of so far. Note that there are only two distinct source IP addresses used by the bot.

217.73.164.106 - - [12/Nov/2003:11:49:28 -0500] "GET / HTTP/1.0" 200 12709 "http://www.saulem.com/" "MSIE 6.0"
141.85.3.130 - - [17/Nov/2003:01:39:16 -0500] "GET / HTTP/1.0" 200 12709 "http://www.saulem.com/" "MSIE 6.0"
141.85.3.130 - - [16/Nov/2003:21:15:03 -0500] "GET / HTTP/1.0" 200 12709 "http://www.wr18.com/" "MSIE 6.0"
141.85.3.130 - - [17/Nov/2003:10:59:02 -0500] "GET / HTTP/1.0" 200 12709 "http://www.worldnewslog.com/" "MSIE 6.0"
217.73.164.106 - - [13/Nov/2003:04:45:19 -0500] "GET / HTTP/1.0" 200 154 "http://www.akksess.com/" "MSIE 6.0"
217.73.164.106 - - [17/Nov/2003:17:10:26 -0500] "GET / HTTP/1.0" 200 12709 "http://www.akksess.com/" "MSIE 6.0"
141.85.3.130 - - [17/Nov/2003:08:44:18 -0500] "GET / HTTP/1.0" 200 12709 "http://www.bongohome.com/" "MSIE 6.0"
141.85.3.130 - - [17/Nov/2003:03:54:34 -0500] "GET / HTTP/1.0" 200 12709 "http://www.malixya.com/" "MSIE 6.0"
141.85.3.130 - - [16/Nov/2003:19:10:13 -0500] "GET / HTTP/1.0" 200 12709 "http://www.websearchus.com/" "MSIE 6.0"
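To turn the two indicators above (a referrer host on the blacklist, and the bare "MSIE 6.0" user-agent that no real browser sends) into a log check, here is an added Python example that is not part of the original post. It parses combined-format log lines, flags the spam hits, and tallies them per source IP and per referrer host; the sample log is constructed from the entries quoted above plus two made-up legitimate visits.

```python
import re
from collections import Counter

# Constructed sample: two bot hits modelled on the entries above, two ordinary visits.
SAMPLE_LOG = """\
217.73.164.106 - - [12/Nov/2003:11:49:28 -0500] "GET / HTTP/1.0" 200 12709 "http://www.saulem.com/" "MSIE 6.0"
141.85.3.130 - - [16/Nov/2003:21:15:03 -0500] "GET / HTTP/1.0" 200 12709 "http://www.wr18.com/" "MSIE 6.0"
192.0.2.10 - - [17/Nov/2003:09:00:00 -0500] "GET /archives/ HTTP/1.1" 200 8812 "http://www.google.com/search?q=vigilant+tv" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.11 - - [17/Nov/2003:09:05:12 -0500] "GET / HTTP/1.1" 200 12709 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624"
"""

# Referrer hosts taken from the post's .htaccess blacklist.
DENY_HOSTS = {
    "www.bongohome.com", "www.malixya.com", "www.websearchus.com", "www.saulem.com",
    "www.wr18.com", "www.worldnewslog.com", "www.a-b-l-o-g.com", "www.kwlablog.com",
    "www.mikesspot.com", "www.teoras.com", "www.akksess.com",
}

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_host(referer):
    """Return the lowercased host part of a Referer URL ('' for '-' or anything unparseable)."""
    m = re.match(r'^https?://([^/:?#]+)', referer, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def classify(line):
    """Return the reasons a log line looks like referrer spam (empty list if it looks legitimate)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    reasons = []
    if referer_host(m.group("referer")) in DENY_HOSTS:
        reasons.append("blacklisted referrer")
    # Real IE sends "Mozilla/4.0 (compatible; MSIE 6.0; ...)"; the bare token is the bot's.
    # Cheap signal, but the spammer can change it at zero cost, so never rely on it alone.
    if m.group("ua") == "MSIE 6.0":
        reasons.append("bogus user-agent")
    return reasons

def summarize(log_text):
    """Count flagged hits per source IP and per referrer host (input for iptables or .htaccess rules)."""
    ips, hosts = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and classify(line):
            ips[m.group("ip")] += 1
            hosts[referer_host(m.group("referer"))] += 1
    return ips, hosts
```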

Whois says both of those IP addresses are located at educational facilities in Bucharest. One wonders whether roedu.net officials approve of the use of their network resources for copyright violation and advertising pornography.

$ whois 141.85.3.130
inetnum:      141.85.0.0 - 141.85.255.255
netname:      PUB-NET
descr:        RoEduNet
descr:        "Politehnica" University of Bucharest
descr:        Communication Center
descr:        Splaiul Independentei 313
descr:        Bucharest 77206
country:      RO
admin-c:      EA1284-RIPE
tech-c:       GB6367-RIPE
rev-srv:      pub.pub.ro
status:       ASSIGNED PI
mnt-by:       PUB-MNT
changed:      george@roedu.net 20011028
source:       RIPE


[...]

$ whois 217.73.164.106
inetnum:      217.73.164.0 - 217.73.165.255
netname:      RoEduNetBuc
descr:        RoEduNet
descr:        Bucharest branch
country:      RO
admin-c:      EA1284-RIPE
tech-c:       ROED-RIPE
status:       ASSIGNED PA
notify:       pubadmin@roedu.net
mnt-by:       PUB-MNT
changed:      ccris@roedu.net 20010619
source:       RIPE

[...]

As for stopping the referrer spam, bloggers can use a simple .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://www.bongohome.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.malixya.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.websearchus.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.saulem.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.wr18.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.worldnewslog.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.a-b-l-o-g.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.kwlablog.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.mikesspot.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.teoras.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.akksess.com
RewriteRule .* - [F]

(Triggering on the user-agent string is unlikely to work in the long term, since the spammers can change it at zero cost.)

The file needs to be updated each time they register a new domain name, of course; but this small amount of effort provides the satisfaction of knowing that you just cost your spammer the price of another domain name.

We’ll keep this story updated with new domain names as they become known. [19 Nov – looks like they’re still active. Added a-b-l-o-g.com, mikesspot.com, kwlablog.com and teoras.com to the list]

update: rossz suggests this Linux iptables approach to blocking the referrer bots:

On a Linux system with iptables support (requires a 2.4.x kernel), type this at the command line (as root):

iptables -I INPUT 1 --source 141.85.3.130 -j DROP
iptables -I INPUT 1 --source 217.73.164.106 -j DROP

update Nov 23: Again from rossz, here’s a neater way of implementing the referer blacklist:

RewriteEngine on
RewriteMap  referer-deny  txt:/path/to/referer.deny
RewriteCond ${referer-deny:%{HTTP_REFERER}|NOT-FOUND} !=NOT-FOUND
RewriteRule  ^/.*  -  [F]


Note that RewriteMap is only permitted in the main server or virtual host configuration, not in a per-directory .htaccess file, so the map definition goes in httpd.conf. The file referer.deny is a plain text file with one entry per line, a lookup key followed by a value (the - is absolutely necessary!). The key is compared against the whole Referer header, so it must match exactly what the bot sends, trailing slash included (see the log entries above):

# referer.deny: one blacklisted referrer per line, key then value
http://www.bongohome.com/ -
http://www.malixya.com/ -
http://www.websearchus.com/ -
http://www.saulem.com/ -
http://www.wr18.com/ -
http://www.worldnewslog.com/ -
http://www.a-b-l-o-g.com/ -
http://www.kwlablog.com/ -
http://www.mikesspot.com/ -
http://www.teoras.com/ -
http://www.akksess.com/ -

The Bucharest bot traffic appears to have stopped, but we are seeing increased traffic from some (presumably) unrelated bots, many of which are advertising the Paris Hilton video. The same blocking techniques apply.