Blocking Referrer Spam
This afternoon, I’ve noticed there’s a steady stream of HTTP referrer (aka referer) spam originating from a few IP addresses, so I’m finally getting around to making some updates to reduce the volume of spam traffic. In the past I’ve been getting a few spam referrers here and there, but today there are thousands in just a few hours, and these changes are a bit overdue.
Here are the IP addresses sending me spam today:
64.193.62.232 70.84.211.130 69.28.242.87
All of the HTTP requests are HEAD only, not GET. Here’s a typical one:
64.193.62.232 - - [02/Oct/2005:14:34:34 -0700]
"HEAD / HTTP/1.1" 403 - "http://cheap-vicodin.none.pl"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Notice the 403 Forbidden status code. That’s because I’ve added a section to .htaccess to block referrers with spammy keywords, and also to manually block IP addresses. Here’s an abbreviated version:
deny from 64.193.62.232
deny from 70.84.211.130
deny from 69.28.242.87
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?.*(-|.)vicodin(-|.).*$ [NC,OR]
# ...lots of other rules go here; the last RewriteCond before the RewriteRule must not carry the OR flag...
RewriteRule .* - [F,L]
One convenient aspect of having non-stop incoming spam today is being able to make changes and immediately observe the effect. It’s modestly gratifying to see all the “200 OK” turn into “403 Forbidden” status.
The current block list I’m using for .htaccess is mostly from a list maintained by Aaron Logan.
I also looked through suggestions for .htaccess changes and block lists for referrer spam by Joe Maller, Dave Child, and Mike Healan.
Unfortunately, all of these approaches, especially the IP blocking, are manual processes. I’ve been meaning to get Bad Behavior implemented here, but this was a quick fix for today.
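One way to take some of the manual work out of building the IP list, as an added example that is not part of the original post: a Python script that parses combined-format access log lines like the one shown earlier, counts spam-keyword referrers per client IP, and emits candidate deny lines for review. The function names, the keywords other than "vicodin", the threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# One quoted field of Apache's "combined" log format (Apache escapes embedded quotes as \").
FIELD = r'"(?P<{}>(?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] ' + FIELD.format("request")
    + r' (?P<status>\d{3}) \S+ ' + FIELD.format("referer") + " " + FIELD.format("agent") + "$"
)

# "vicodin" is the keyword from the post; "casino" and "poker" are assumed examples.
KEYWORD_RE = re.compile("vicodin|casino|poker", re.IGNORECASE)


def spam_hits(lines):
    """Count requests per client IP whose referrer contains a spam keyword."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # not a combined-format line: skip it rather than guess
        if KEYWORD_RE.search(m["referer"]):
            hits[m["ip"]] += 1
    return hits


def deny_lines(hits, threshold=2):
    """'deny from' directives for IPs with at least `threshold` hits, busiest first."""
    return [f"deny from {ip}" for ip, n in hits.most_common() if n >= threshold]


# Constructed sample log: documentation-range IPs and made-up referrers.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Oct/2005:14:34:34 -0700] "HEAD / HTTP/1.1" 200 - "http://cheap-vicodin.example" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [02/Oct/2005:14:34:39 -0700] "HEAD / HTTP/1.1" 200 - "http://buy-VICODIN.example/" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [02/Oct/2005:14:34:41 -0700] "HEAD / HTTP/1.1" 200 - "http://online-poker.example" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [02/Oct/2005:14:35:02 -0700] "HEAD / HTTP/1.1" 200 - "http://casino.example" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [02/Oct/2005:14:35:09 -0700] "HEAD / HTTP/1.1" 200 - "http://vicodin.example" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [02/Oct/2005:14:36:00 -0700] "GET /about HTTP/1.1" 200 512 "http://forum.example/thread-on-vicodin-spam" "Mozilla/5.0"
203.0.113.99 - - [02/Oct/2005:14:36:30 -0700] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
truncated line without the expected fields
""".splitlines()

if __name__ == "__main__":
    print("\n".join(deny_lines(spam_hits(SAMPLE_LOG))))
```

The single hit from 203.0.113.5 is a legitimate visitor whose referrer happens to contain a keyword, which is why the output is filtered by a threshold and meant to be reviewed before it goes into .htaccess.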
Update 10-06-2005 08:25 PDT: Still getting lots of incoming spam traffic, plus many new IP addresses showing up now. Here’s the revised block list; all of these addresses are actively sending spam.