Referrer spammer caught

  • I’ve been keeping an eye out on referrer-spammer attempts, and I’ve ‘caught’ a big one. You’ll find this one under many domains, and he’s quite succesful – here’s a google search for one of his domains, but most texas-holdem spams are his as well. An interesting tactic (as you can see in above results page) is that ALL his referring domains, when you type them in the browser address bar, give a variant of an “this account is closed” page, to give you the feeling his hosting provider pulled the plug on him and you don’t have to take any further action. In reality, ALL his domains run on a single IP address. It’s useless trying to block the computers he’s using for his spam runs, as he’s using a zombie network that keeps growing.

    So, I wrote a little code that I put a the top of my index.php, and will redirect all his referer spam to his primary website. That way, you’ll generate zero traffic for yourself, don’t run the risk that you link to him, and play around with his zombie net at the same time. Here it is;

    if (strpos($HTTP_REFERER, ‘ttp://’) > 0)
    {
    $pieces=explode(“/”, $HTTP_REFERER);
    $lookup = gethostbyname($pieces[2]);
    if ($lookup == “161.58.59.8”)
    {
    syslog(LOG_ALERT,”redirected $pieces[2]”);
    header(“Location: ” . $HTTP_REFERER);
    exit();
    }

    }

Viewing 4 replies - 46 through 49 (of 49 total)

  • I used a slightly modified code:

    /* Spam Guard */
    if (strpos($HTTP_REFERER, ‘ttp://’) > 0)
    {
    $pieces=explode(“/”, $HTTP_REFERER);
    $lookup = gethostbyname($pieces[2]);
    if ($lookup == “219.150.118.16” or $lookup == “161.58.59.8” or $lookup == “211.144.164.201” or $lookup =”216.34.38.81″)
    {
    syslog(LOG_ALERT,”redirected $pieces[2]”);
    header(“Location: ” . $HTTP_REFERER);
    exit();
    }
    }

    /* End Spam Guard */

    However I realized that it somehow prevented coming to my blog from any links! It is sending it back to itself. Now I understand that is what is being done for these particular IP’s only. Why is it being so generic?

    Moderator James Huff

    (@macmanx)

    Keep your eyes on Referrer Karma: https://unknowngenius.com/blog/wordpress/ref-karma/

    if ($lookup == “219.150.118.16” or $lookup == “161.58.59.8” or $lookup == “211.144.164.201” or $lookup =”216.34.38.81″)

    Ya need another ‘=’ sign on the last comparison. As it is its an assignment, which is always true…

    ??

    Thanks Jalal. That was a duh mistake ??

Viewing 4 replies - 46 through 49 (of 49 total)
  • The topic ‘Referrer spammer caught’ is closed to new replies.