Referrer spammer caught

  • I’ve been keeping an eye out on referrer-spammer attempts, and I’ve ‘caught’ a big one. You’ll find this one under many domains, and he’s quite succesful – here’s a google search for one of his domains, but most texas-holdem spams are his as well. An interesting tactic (as you can see in above results page) is that ALL his referring domains, when you type them in the browser address bar, give a variant of an “this account is closed” page, to give you the feeling his hosting provider pulled the plug on him and you don’t have to take any further action. In reality, ALL his domains run on a single IP address. It’s useless trying to block the computers he’s using for his spam runs, as he’s using a zombie network that keeps growing.

    So, I wrote a little code that I put a the top of my index.php, and will redirect all his referer spam to his primary website. That way, you’ll generate zero traffic for yourself, don’t run the risk that you link to him, and play around with his zombie net at the same time. Here it is;

    if (strpos($HTTP_REFERER, ‘ttp://’) > 0)
    {
    $pieces=explode(“/”, $HTTP_REFERER);
    $lookup = gethostbyname($pieces[2]);
    if ($lookup == “161.58.59.8”)
    {
    syslog(LOG_ALERT,”redirected $pieces[2]”);
    header(“Location: ” . $HTTP_REFERER);
    exit();
    }

    }

Viewing 15 replies - 1 through 15 (of 49 total)
  • Thread Starter dreamerfi

    (@dreamerfi)

    here, here and here are some other postings about this spammer.

    Thanks for the code ??

    Nice, saved me a bit of time this weekend. Still going to try and get Verio to nuke that server though. MT sites are also being hit by that scumbag.

    Obviously, I’m a moron; I put it at the top of my index.php, and the code actually displayed at the top of the Web page. Where in the index.php should I place the code?

    Thanks!

    Thread Starter dreamerfi

    (@dreamerfi)

    You’re no moron, no worries. Anywhere within <?php ?> tags early in the index.php will do.

    Thread Starter dreamerfi

    (@dreamerfi)

    And here’s another interesting twist. I modified wp-comments-post.php as well. Find the code that reads:

    $url = trim(strip_tags($_POST[‘url’]));
    $url = ((!stristr($url, ‘://’)) && ($url != ”)) ? ‘https://&#8217;.$url : $url;
    if (strlen($url) < 7)
    $url = ”;

    and after that, add:

    if (strpos($url, ‘ttp://’) > 0)
    {
    $pieces=explode(“/”, $url);
    $lookup = gethostbyname($pieces[2]);
    if ($lookup == “161.58.59.8”)
    {
    syslog(LOG_ALERT,”redirected $pieces[2]”);
    header(“Location: ” . $url);
    exit();
    }
    if ($lookup == “68.167.234.66”)
    {
    syslog(LOG_ALERT,”redirected $pieces[2]”);
    header(“Location: ” . $url);
    exit();
    }
    }

    I could probably make a plugin for this if there’s an interest – but Kitten’s plugin(s) seems to catch most of them anyway…

    Thank you, thank you, thank, you! I had already found the spammers main site and IP but didn’t know how to keep him out of my referral logs. I’ve been looking for an apache rewrite mod but this code seems to be working, yeppie!

    Thread Starter dreamerfi

    (@dreamerfi)

    Glo, my pleasure, thanks for the kind words! By the way, what plugin are you using for the “3 Users Reading” bit in your right column?

    User Online @ https://www.lesterchan.net/portfolio/programming.php

    I have a question for you – can there be more than one IP in that referer code? or do you need to do a separate line of code for each IP?

    I must be as thick as 2 short planks… i do not have the lines of code in wp-comments-post.php after which to place your code… (1.5b1)

    waaaaa! I have mislaid something!

    Any idea why he would be spamming links to all these apparently dead sites? They don’t even have links to other sites in the pages, what’s the game?

    Moderator James Huff

    (@macmanx)

    Thanks to the fast response to spam these days, and the utilization of dedicated “abuse” departments, most spammer URLs are taken down before we ever have a chance to “investigate” them.

    Tactics which a few people are looking at.

    I would think they are trying to get around comment moderation. They use zombies or open proxies to initiate the attack (so you can’t backtrack them) but the URL referring actually exists. This is probably an attempt to get through some form of DNS moderation. If you investigate the domain it seems as if it’s breached TOS so you stop there…but now you know that any TOS statement is bogus and they all sit on one IP which seems to be co-located with Verio.

    If you’ve protected your blog using any of the available plugins and have moderation enabled then you’re going to be okay. The problem is that a large number of requests and referrals are appearing n private referral logs – which is just plain annoying. But another downside is the attempts themselves are wasting bandwidth.

    This spammer is a bandwidth leech – but there are probably enough unprotected sites to still make it worthwhile. It’s suspected that they are a group as it’s been seen that changes to the approach have happened quick when certain measures have been put in place, and it’s a pretty large zombie/proxy resource they have access to. It’s also not specific to WP.

    But if you have plugins installed and you don’t monitor server logs on an obsessive basis – ?? – you’d probably never notice it most of the time.

    @kyte – DreamerFi is probably referring to 1.2.2

    Thanks gpshewan, I guessed as much but was hoping for a different response.

    My spammers are going at it by adding a simple comment like “wonderful site” and such, and not ever attempting to add URLs into the text of the comment. Just leaving the URL in connection with their ID and email. Its a pain in the ass and the addition to index.php isnt doing anything for my lot at all. ah well… back to moderation of all comments…

Viewing 15 replies - 1 through 15 (of 49 total)
  • The topic ‘Referrer spammer caught’ is closed to new replies.