Weird things happen in real life and if your ex-wife is reporting you for the referral spam you are getting on your blog, well ... add that to the list.

I don't worry about referral spam, not because my wife is understanding (with regards to the blog), as she is not. No ... I just don't display the referral stats on our pages, so ... let the referral spam fill up. My only concern is how much room it takes up in the DB (only sightly).

Maybe I'll be humming a different tune in the future, but really ... just don't display your stats and you'll be humming a happier tune for sure!

Thing is, when it's not being abused by arsehats, I actually like the referrals block.

To me, the point is more that people are essentially vandalizing my website, and I'd like to prosecute/persecute them - it just got personal for me :>

So has anyone else seen a surge in refspamming over the past couple of weeks? I've noticed that the b2evo blacklist is updating a LOT more frequently...

there is an increase in referral spamming
that is true
that is why, at this point, it has no use any more unfortuanally to show those referrer hits on the homepage.

They can be handy, but they are abused.
I'm sorry to say, but you will have t o live with it...

gloin wrote:

[...]
So has anyone else seen a surge in refspamming over the past couple of weeks? I've noticed that the b2evo blacklist is updating a LOT more frequently...

I also noticed refspamming increased a lot, especially for the past few days. I believe summer holidays are something to have with that. I believe some geeks try to increase their pocket money. Doing a simple referer spam script is incredibly easy and can help to earn some money. Don't you check a referer before reporting it as spam?

I'm afraid the problem is some affiliation programs tend to promote page views. Once Google will set up such a thing, the web is going to become a real nightmarre... Their [url=http://www.google.com/domainpark/]AdSense for domains[/url] program appear to promote refspam:

Google AdSense for domains wrote:

If your sites generate more than 750,000 page views per month, AdSense for domains is for you.

I can't imagine any empty registered domain name geenerating 750,000 page views without refspam! Are they kidding? I'm afraid not. Who's going to point links to empty domains, but spammers?

With my personnal Internet connexion, I could refspam about 300 millions to one billion pages a month. How much could I earn by refspamming?

Sorry guys, I have to leave. I've got a script to write...
(Just kidding!)

gloin wrote:

Thing is, when it's not being abused by arsehats, I actually like the referrals block.

To me, the point is more that people are essentially vandalizing my website, and I'd like to prosecute/persecute them - it just got personal for me :>

Maybe the solution would be to create a whitelist of trusted sites in addition to the blacklist. All the blacklisted referrers are automatically rejected. All the whitelisted referrers would be automatically accepted. All other would require confirmation ("accepted", "rejected", "blacklisted", "whitelisted") before being added to the displayed referrers list.

Most personal sites have less than one houndred "trusted" referrers. It would be less harrassing to maintain a local whitelist than trying to fight thousands of referrer spammers...

In regard to who is behind the recent uptick in refspam: I've been checking out some of the sites that spam us, and about 25% of them are coming from here:

www[dot]globecorp[dot]net

That is to say, when you remove the spammy subdomain from the url to see what the main domain points to, about one out of four points right there. They even give an email address for reporting abuse, but they haven't responded to me. I've been trying to find out more about the company, but there's not much out there. Their site, along with all the keyword stuffing domains and subdomains they have spawned, all have a Google PageRank of 0. So, take comfort in the fact that their ploy is not working. I would love to be able to report them to some sort of authorities, or see them hit with a DDOS attack, but it's probably not much use.

kwa wrote:

Maybe the solution would be to create a whitelist of trusted sites in addition to the blacklist. All the blacklisted referrers are automatically rejected. All the whitelisted referrers would be automatically accepted. All other would require confirmation ("accepted", "rejected", "blacklisted", "whitelisted") before being added to the displayed referrers list.

Most personal sites have less than one houndred "trusted" referrers. It would be less harrassing to maintain a local whitelist than trying to fight thousands of referrer spammers...

That's an idea that I realy love!

Here's the person responsible for the current shitstorm of porn refspam:

Domain Name: TOP07.COM

Registrant:
Zenal
Vasiliy Bobrov (krin@krovatka.net)
Naberejnaya Kosmonavtov 127-39
Tula
,547002
RU
Tel. +7.9053204170

Creation Date: 28-Feb-2005
Expiration Date: 28-Feb-2006

Domain servers in listed order:
ns1.winscorp.com
ns2.winscorp.com

Administrative Contact:
Zenal
Vasiliy Bobrov (krin@krovatka.net)
Naberejnaya Kosmonavtov 127-39
Tula
,547002
RU
Tel. +7.9053204170

Technical Contact:
Zenal
Vasiliy Bobrov (krin@krovatka.net)
Naberejnaya Kosmonavtov 127-39
Tula
,547002
RU
Tel. +7.9053204170

Billing Contact:
Zenal
Vasiliy Bobrov (krin@krovatka.net)
Naberejnaya Kosmonavtov 127-39
Tula
,547002
RU
Tel. +7.9053204170

I doubt that any of that info is real, but it al leat gives you someone to direct your hate toward.

Yeah, whitelisting won't work, as I've got some software that's rather widely-distributed and discussed, which is the source of most of my referrals. I'll probably just take the referral blocks out.

Is there a way to turn off referral recording as well as take the block out? I'm wanting to avoid having the database log stuff that isn't going anywhere...

And I'm too far from Russia to LART the guy mentioned above. Anyone live there or have large, well-connected relatives who would be willing to respectfully remind the punk that he needs to find productive work?

I'm not crazy about the idea of a whitelist. Sure, my site usually just has a handful of legitimate referers, but when someone out of the ordinary links to me, the stats page tells me. That's the whole idea of refstats for me.

My idea of the white list is :
you can show the whitelist on your webpage
but alle referrers are still recorded for you to view in the admin section.
You can see everybody (except the blacklisted guys)
you can make your own whitelist...
have I misunderstood ?

Ok, so if I got a new referer that I like, I would see it in the admin section, add it to my local blacklist and then it would be shown publicly. That sounds good.

Hmm, that might just work. Maybe use the checkbox graphic or something to whitelist the referrer...

The idea of a whitelist is being talked about by the dev team.

Definitely a lot more referral spam recently...

And one thing I just noticed starting today - my search hits are showing unusual activity. I've had a couple of search spams before, but today I'm getting a ton of hits from Google, all with no parameters (no actual search terms, just directed from the main google page)
And all of these lead to my stats pages. This is impossible - links from google with no search terms to my stats page? By the dozens? Simply not possible.

I know nothing about programming, hacking, what have you, but what I suspect is happening is that spammers are somehow hitting my stats page with bots to check it to see if their referral spam is sticking, and the bots are faking it to look like they are coming from google.

Well, I've managed to knock most of it down, via a rather horrible but simple method. I've got a nifty firefox extension that does an ARIN search when I right-click on an IP address. One of the common threads to >most< of the referral spamming I've been getting is that it originates from one of the APNIC nodes (there are several). Well, I have no bloody idea why so much garbage is being directed to my site from compromised hosts in APNIC address space - we're not talking about countries that just recently got onto the internet here - but since the site isn't run to be a business, and I don't have a lot of correspondence with people from countries in that part of the world, it was then only a matter of adding a few rules to my iptables INPUT chain. BAM! Instant cessation of bullshtt.

For those interested, here are the CIDR entries I've set to -j DROP. They are rather huge swaths of the internet, so use with due caution, and make sure you think of who the audience for your website is - if you have dealings with people in East Asia, Oceanea, or Australia, the following three entries are not for you:
218.0.0.0/8
219.0.0.0/8
202.0.0.0/7

That really worked. Also, you might consider banning these ranges, as they're pretty damn infested as well (or in one case, actually owned by spammers):
80.77.81.0/24
205.234.132.0/24
63.79.140.0/22

To those who would make the complaint that the internet should be open, I agree, up to and not including the point where my website is being vandalized by people wanting to put links on it to "Best Rape Sites!" At that point, I will most assuredly slam the door shut. And yes, this does harken back to the old practice of email servers dropping all email from China into /dev/null, which does suck, but at this point it does work for me. I really don't understand why this is the case, and I'm not happy that this is the case, but there it is: almost all the ref-spamming I've been getting during the past surge came from one part of the world. When I block access, the problem went away. I don't like it, but something had to give.

Care to share the name/url of that FF extension?

I have been having to do the same as you and now have entire countries banned. Shame, but my target readers aren't in those areas and I would rather do without the hassles!

The extension is called [url=http://tinyurl.com/a3o25]ARIN Search[/url] and you can get it the normal way you get firefox extensions :D

I've analyzed my web server logs for occurances of spams against my blog. I used the current up-to-date b2evolution blacklist and collected every IP address spamming my blog via blacklist host references.

I've added everyone of these IP addresses to my iptables INPUT DROP list. There's 393 IP addresses in the list. Should I post them here?

gloin wrote:

The extension is called [url=http://tinyurl.com/a3o25]ARIN Search[/url] and you can get it the normal way you get firefox extensions :D

Yep, managed to find that - thanks. What a handy little tool! :)

pespen wrote:

I've analyzed my web server logs for occurances of spams against my blog. I used the current up-to-date b2evolution blacklist and collected every IP address spamming my blog via blacklist host references.

I've added everyone of these IP addresses to my iptables INPUT DROP list. There's 393 IP addresses in the list. Should I post them here?

--

Oh, the absolute worst offender at the moment is:

206.161.192.2

pespen wrote:

pespen wrote:

I've analyzed my web server logs for occurances of spams against my blog. I used the current up-to-date b2evolution blacklist and collected every IP address spamming my blog via blacklist host references.

I've added everyone of these IP addresses to my iptables INPUT DROP list. There's 393 IP addresses in the list. Should I post them here?

--

Oh, the absolute worst offender at the moment is:

206.161.192.2

linux:~ # nslookup 206.161.192.2

Non-authoritative answer:
2.192.161.206.in-addr.arpa name = ah1-p4id-56.advancedhosters.com.

Authoritative answers can be found from:
2.192.161.206.in-addr.arpa nameserver = ns1.advancedhosters.com.
2.192.161.206.in-addr.arpa nameserver = ns2.advancedhosters.com.

pespen wrote:

I've added everyone of these IP addresses to my iptables INPUT DROP list. There's 393 IP addresses in the list. Should I post them here?

I wouldn't, but others might disagree :)
I'm not sure why you would want to add the IP's for all the blacklisted spammers when they are already being taken care of by the list.
393 is a lot to have in iptables, especially when its a never-ending job of tracking spammers.

Elpie wrote:

pespen wrote:

I've added everyone of these IP addresses to my iptables INPUT DROP list. There's 393 IP addresses in the list. Should I post them here?

I wouldn't, but others might disagree :)
I'm not sure why you would want to add the IP's for all the blacklisted spammers when they are already being taken care of by the list.
393 is a lot to have in iptables, especially when its a never-ending job of tracking spammers.

My own personal satisfaction, I suppose. At least with iptables they get no response of anykind. The b2evolution blacklist just prevents logging, comments, etc. The spammers still get data back from your blog, unless you completely drop em for all access with IP filtering.

Actually 393 is not that much of a load on the IP filtering, iptables deals with them just fine.

Well, after banning most of Asia and the Carribean, I haven't had a single referral spam in about four days. I'm still getting email spam sent to the same server, but those are primarily coming from compromised computers in the US - the target audience for my website. I'd expect to see the jerk-off referral spammers starting to use this route soon...

An interesting page to check if an IP is known to be a spammer:
[url=http://www.dnsstuff.com/tools/ip4r.ch?ip=66.102.9.147]Spam Database Lookup - 66.102.9.147 (testing a Google server)[/url]

See also [url=http://forums.b2evolution.net/viewtopic.php?p=21690#21690]Antispam Bandwidth, BlockUntrustedVisitors()[/url]