
Referrer spammer caught (50 posts)

  1. DreamerFi
    Member
    Posted 9 years ago #

    I've been keeping an eye out on referrer-spammer attempts, and I've 'caught' a big one. You'll find this one under many domains, and he's quite successful - here's a google search for one of his domains, but most texas-holdem spams are his as well. An interesting tactic (as you can see in above results page) is that ALL his referring domains, when you type them in the browser address bar, give a variant of a "this account is closed" page, to give you the feeling his hosting provider pulled the plug on him and you don't have to take any further action. In reality, ALL his domains run on a single IP address. It's useless trying to block the computers he's using for his spam runs, as he's using a zombie network that keeps growing.

    So, I wrote a little code that I put at the top of my index.php, and will redirect all his referer spam to his primary website. That way, you'll generate zero traffic for yourself, don't run the risk that you link to him, and play around with his zombie net at the same time. Here it is;

    // $HTTP_REFERER only exists when register_globals is on; take it from $_SERVER otherwise
    $HTTP_REFERER = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    // only look at referers that carry a scheme (http:// or https://)
    if (strpos($HTTP_REFERER, 'ttp://') > 0)
    {
        // "http://host/path" splits into ("http:", "", "host", "path", ...), so [2] is the host
        $pieces = explode("/", $HTTP_REFERER);
        // resolve the referring host; all of the spammer's domains sit on one address
        $lookup = gethostbyname($pieces[2]);
        if ($lookup == "161.58.59.8")
        {
            // log it, then send the request back to the spammer's own server
            syslog(LOG_ALERT, "redirected $pieces[2]");
            header("Location: " . $HTTP_REFERER);
            exit();
        }
    }

  2. DreamerFi
    Member
    Posted 9 years ago #

    here, here and here are some other postings about this spammer.

  3. Mark (podz)
    Support Maven
    Posted 9 years ago #

    Thanks for the code :)

  4. gpshewan
    Member
    Posted 9 years ago #

    Nice, saved me a bit of time this weekend. Still going to try and get Verio to nuke that server though. MT sites are also being hit by that scumbag.

  5. MamaBeeyotch
    Member
    Posted 9 years ago #

    Obviously, I'm a moron; I put it at the top of my index.php, and the code actually displayed at the top of the Web page. Where in the index.php should I place the code?

    Thanks!

  6. DreamerFi
    Member
    Posted 9 years ago #

    You're no moron, no worries. Anywhere within <?php ?> tags early in the index.php will do.

  7. DreamerFi
    Member
    Posted 9 years ago #

    And here's another interesting twist. I modified wp-comments-post.php as well. Find the code that reads:

    $url = trim(strip_tags($_POST['url']));
    $url = ((!stristr($url, '://')) && ($url != '')) ? 'http://'.$url : $url;
    if (strlen($url) < 7)
        $url = '';

    and after that, add:

    // $url is the commenter's URL field, already trimmed and stripped of tags above
    if (strpos($url, 'ttp://') > 0)
    {
        // "http://host/path" splits into ("http:", "", "host", "path", ...), so [2] is the host
        $pieces = explode("/", $url);
        // resolve the host the comment links to
        $lookup = gethostbyname($pieces[2]);
        // the spammer's two known addresses; add another "||" clause for each new one
        if ($lookup == "161.58.59.8" || $lookup == "68.167.234.66")
        {
            // log it, then send the request back to the spammer's own server
            syslog(LOG_ALERT, "redirected $pieces[2]");
            header("Location: " . $url);
            exit();
        }
    }

    I could probably make a plugin for this if there's an interest - but Kitten's plugin(s) seems to catch most of them anyway...

  8. Glo
    Member
    Posted 9 years ago #

    Thank you, thank you, thank you! I had already found the spammer's main site and IP but didn't know how to keep him out of my referral logs. I've been looking for an apache rewrite mod but this code seems to be working, yeppie!

  9. DreamerFi
    Member
    Posted 9 years ago #

    Glo, my pleasure, thanks for the kind words! By the way, what plugin are you using for the "3 Users Reading" bit in your right column?

  10. Glo
    Member
    Posted 9 years ago #

    User Online @ http://www.lesterchan.net/portfolio/programming.php

    I have a question for you - can there be more than one IP in that referer code? or do you need to do a separate line of code for each IP?

  11. kyte
    Member
    Posted 9 years ago #

    I must be as thick as 2 short planks... I do not have the lines of code in wp-comments-post.php after which to place your code... (1.5b1)

    waaaaa! I have mislaid something!

  12. tomhanna
    Member
    Posted 9 years ago #

    Any idea why he would be spamming links to all these apparently dead sites? They don't even have links to other sites in the pages, what's the game?

  13. Thanks to the fast response to spam these days, and the utilization of dedicated "abuse" departments, most spammer URLs are taken down before we ever have a chance to "investigate" them.

  14. gpshewan
    Member
    Posted 9 years ago #

    Tactics which a few people are looking at.

    I would think they are trying to get around comment moderation. They use zombies or open proxies to initiate the attack (so you can't backtrack them) but the URL referring actually exists. This is probably an attempt to get through some form of DNS moderation. If you investigate the domain it seems as if it's breached TOS so you stop there...but now you know that any TOS statement is bogus and they all sit on one IP which seems to be co-located with Verio.

    If you've protected your blog using any of the available plugins and have moderation enabled then you're going to be okay. The problem is that a large number of requests and referrals are appearing in private referral logs - which is just plain annoying. But another downside is the attempts themselves are wasting bandwidth.

    This spammer is a bandwidth leech - but there are probably enough unprotected sites to still make it worthwhile. It's suspected that they are a group as it's been seen that changes to the approach have happened quickly when certain measures have been put in place, and it's a pretty large zombie/proxy resource they have access to. It's also not specific to WP.

    But if you have plugins installed and you don't monitor server logs on an obsessive basis - ;) - you'd probably never notice it most of the time.

  15. gpshewan
    Member
    Posted 9 years ago #

    @Kyte - DreamerFi is probably referring to 1.2.2

  16. kyte
    Member
    Posted 9 years ago #

    Thanks gpshewan, I guessed as much but was hoping for a different response.

    My spammers are going at it by adding a simple comment like "wonderful site" and such, and not ever attempting to add URLs into the text of the comment. Just leaving the URL in connection with their ID and email. It's a pain in the ass and the addition to index.php isn't doing anything for my lot at all. ah well... back to moderation of all comments...

  17. Glo
    Member
    Posted 9 years ago #

    True, most do not care or notice referral spam. I didn't until my server slowed way down and I investigated. I found that some idiot tried to hack into my WP admin. That wasn't a part of the problem the server was having and the hacker didn't get in but it ticked me off and I have become much more diligent (yes, obsessive) at checking my logs. I didn't think much about referral spam since I don't publish my referral logs until I read something on the bandwidth issue and started getting more of the spam than actual referrer sites. That was annoying so I started doing some research. This particular person or persons uses more than one legit IP (I know of one other) and they are spamming at an incredible rate. I've counted 56 tries since I put that referrer code in my index page this morning, all using a different domain name. Amazing!

    I still don't understand what they get from doing it. Even comment spam doesn't get them anything, not even a better PR from Google. It's just a waste of resources.

  18. Glo
    Member
    Posted 9 years ago #

    kyte, you might want to try this plugin. I'm not sure that it will work in your version of WP but it's worth a try. I haven't had a single one get through since I implemented it.

  19. gpshewan
    Member
    Posted 9 years ago #

    @kyte - Yeah, that's the guy. I'd suggest heavy moderation if you can't upgrade to 1.5 nightlies.

    @Glo - Are you tracking this correctly? All the spam will come from 'legitimate' IPs that are either proxies or zombie PCs. Backtrack the referral URL and you'll probably end up at the same IP (161.58.59.8) as everyone else. It's no good blocking the IPs it's coming from because believe me they have a lot. You'd be better off tracking down an abuse contact if it's not a proxy - but damn that's a full time job.

    The bogus TOS screen has probably kept that spammer box running for ages. Hopefully enough people gathering the correct evidence and reporting it to Verio will get it shut down.

  20. error
    Member
    Posted 9 years ago #

    I just had a thought. Maybe people reading these blogs are actually clicking through to the spamvertised sites! Spam still exists because there are just enough stupid people on the Internet to make it worthwhile for them to inconvenience the vast majority of us. Suppose these stupid people are reading blogs, and decide they want to play some video poker or buy some Levitra from a Canadian pharmacy. Maybe this is what the spammers are thinking.

    Of course, it doesn't work very well. Bloggers are some of the least likely people to click on a legitimate ad, let alone a comment spam. But it must be getting the spammers something or they wouldn't bother.

    Oh, and shameless plug for my plugin.

  21. gpshewan
    Member
    Posted 9 years ago #

    @ Error - It's all about ranking, but of course there are people clicking through. It makes sense when comparing cost + effort against reward.

    That's spam 101 mate.

  22. zeeg
    Member
    Posted 9 years ago #

    Is there a plugin that lets you basically add addresses to it?

  23. Glo
    Member
    Posted 9 years ago #

    gpshewan, yes I understand what is happening and I do know how to track a spammer and I do realize the IPs that show up in my logs are spoofed. There is at least one other IP and it is connected with 161.58.59.8 which resolves to blackjack-123.com but if you trace blackjack-123.com it will resolve to 64.234.220.141 which resolves to shetef.com and it resolves to 67.18.52.66 which ends up at escape.websitewelcome.com which is a whois privacy protection service.

    Each one of those IPs is connected to the domains the spammers use for their referral spam. Some are sub-domains ending with 4free.gb.com and web4u.gb.com (64.234.220.141). Unfortunately, I didn't save them all since they were all coming from the above sources.

  24. gpshewan
    Member
    Posted 9 years ago #

    Sorry glo, didn't mean to sound patronising...missed out a smiley on my post there ;)

    I've tracked all those little so-and-sos down but just being in the contact info can't get it shut down for spamming (unfortunately). I had somebody referral spam me from his work's network (as he thought it was a legitimate way to get traffic...uh-huh...) so there's a defence there. It's the 161.58.59.8 IP which is at the centre of it. Document what you have and submit it to Verio...the more that do that the better.

  25. Glo
    Member
    Posted 9 years ago #

    gpshewan, no worries, I wasn't offended and just for clarity ... the shetef.com IP (64.234.220.141) was not in the contact info. It is the IP of the 4free.gb.com and web4u.gb.com domains (which names only 2, there are others) and they have been in my referral logs in massive amounts. Because blackjack-123.com can be traced/routed to 64.234.220.141 and that IP has domains spamming my referral logs, I believe that to be too much of a coincidence to ignore.

    I should add that the contact info for these IPs is different and probably spoofed as well.

  26. kyte
    Member
    Posted 9 years ago #

    Thanks Glo and error.

    @Glo: couldn't make that plugin work, I have the 1/16 nightly, dunno why, but it doesn't even show up as an option to activate it

    @error: trying spamassassin as we speak. so to speak.

  27. DreamerFi
    Member
    Posted 9 years ago #

    Well, get a good night of sleep, and look at the discussion! Indeed, I'm talking about wordpress 1.2.2 for this fix. Multiple IP addresses are simple, just duplicate the if-statement. glo, thanks for the reference to "users online"!
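    The referer check from posts 1 and 7, generalised to a list of addresses as post 27 suggests. This is an added example, not DreamerFi's code: it assumes PHP 5.2 or later (parse_url with PHP_URL_HOST, filter_var), the function names are my own, and it answers with a 403 instead of the redirect used in the thread. The two IP addresses are the ones named in this thread.

```php
<?php
// Added example (not code from this thread): resolve the referring host and
// compare it against a list of IPs, so several addresses are handled in one
// place instead of one copied if-block per address.

// The two addresses named in the thread; the list itself is my construction.
$blocked_ips = array('161.58.59.8', '68.167.234.66');

/** Host part of a URL, lower-cased, or '' when there is no usable host. */
function referrer_host($url)
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

/**
 * Resolve $host and report whether it lands on one of $blocked_ips.
 * gethostbyname() returns the hostname *unchanged* when resolution fails,
 * so the result is validated as an IP before it is compared.
 */
function resolves_to_blocked($host, array $blocked_ips)
{
    if ($host === '') {
        return false;
    }
    $ip = gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false; // lookup failed; an unresolved host is not a match
    }
    return in_array($ip, $blocked_ips, true);
}

/**
 * Apply the check to an incoming URL (the Referer header at the top of
 * index.php, or the URL field in wp-comments-post.php) and refuse the
 * request when it matches. Logging goes to syslog as in the thread.
 */
function reject_if_blocked_referrer($url, array $blocked_ips)
{
    $host = referrer_host($url);
    if (resolves_to_blocked($host, $blocked_ips)) {
        syslog(LOG_ALERT, "blocked referrer host $host");
        header('HTTP/1.0 403 Forbidden');
        exit();
    }
}

// Usage at the top of index.php (only when a Referer header is present):
if (isset($_SERVER['HTTP_REFERER'])) {
    reject_if_blocked_referrer($_SERVER['HTTP_REFERER'], $blocked_ips);
}
```

    Two things to keep in mind with this approach: a DNS lookup runs on every request that carries a referer, so a busy site may want to cache results for a few minutes, and an unresolvable host must not count as a hit, because gethostbyname() hands back the input string on failure and a naive string comparison would silently never match.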

  28. JonRosebaugh
    Member
    Posted 9 years ago #

    I set my blog to require moderation for all comments and I found out how 161.58.59.8 was slipping through the spamwords filter. Instead of using 'phentermine', for example, he types in 'ph&#101;nt&#101;rm&#105;n&#101;', which looks exactly the same in a web browser. It's a variant of one of the common email-munging tactics. Any ideas on how to deal with this fellow's tactic?

  29. Add the ASCII code he posts with to your blacklist.
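    The entity-encoded spelling in post 28 only fools a filter that compares raw text. Rather than adding every encoded variant to the blacklist, a filter can decode entities before matching, which catches the plain word, the &#101; form and mixed forms alike. This is an added example, not a plugin from this thread: the blacklist, the sample comments and the function names are constructed for illustration, and it assumes PHP 5.

```php
<?php
// Added example (not code from this thread): normalise a comment before it
// is checked against a spam-word blacklist, so entity-encoded spellings such
// as ph&#101;nt&#101;rm&#105;n&#101; (quoted in post 28) match the plain word.

// Constructed blacklist for the example.
$blacklist = array('phentermine', 'texas holdem');

/** Undo the obfuscations a word filter should see through before matching. */
function normalise_comment($text)
{
    // Decode numeric and named entities (&#101; -> e, &amp; -> &). Run twice
    // so a doubly encoded entity (&amp;#101;) is also unwrapped.
    $text = html_entity_decode($text, ENT_QUOTES, 'UTF-8');
    $text = html_entity_decode($text, ENT_QUOTES, 'UTF-8');
    // Drop tags, collapse whitespace and lower-case for comparison.
    $text = strip_tags($text);
    $text = preg_replace('/\s+/', ' ', $text);
    return strtolower($text);
}

/** Blacklist entries found in $text after normalisation (empty array if none). */
function matched_spam_words($text, array $blacklist)
{
    $clean = normalise_comment($text);
    $hits = array();
    foreach ($blacklist as $word) {
        if (strpos($clean, strtolower($word)) !== false) {
            $hits[] = $word;
        }
    }
    return $hits;
}

// Constructed samples: the encoded spelling from the thread and a harmless comment.
$samples = array(
    'Cheap ph&#101;nt&#101;rm&#105;n&#101; here',
    'Great post, thanks!',
);
foreach ($samples as $comment) {
    $hits = matched_spam_words($comment, $blacklist);
    echo ($hits ? 'SPAM (' . implode(', ', $hits) . ')' : 'ok') . ": $comment\n";
}
```

    Running the decode step before the existing spam-word check means the first sample is flagged for "phentermine" while the second passes; the blacklist itself stays in plain words, which is easier to maintain than a list of encoded variants.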

  30. omar
    Member
    Posted 9 years ago #

    I was being SWAMPED in spam until I implemented Spam Stopgap Extreme. Since then, not even one spam attack. Period.

    Either it really works, or I'm missing some other form of attack altogether.

Topic Closed

This topic has been closed to new replies.
