Temporary Fix for Referrer Spam

I have a temporary fix for blocking the referrer spam that started a couple of weeks ago. The volume of referrer spam here has steadily been increasing since then, and the number of source IP addresses is also continuing to expand.

The main problem I’m having is that the conditional rewrite rules I want to use in .htaccess don’t seem to be working on my current WordPress setup at Dreamhost. Regular rewrites seem to work fine, but none of the conditional ones are working for me. The initial IP blocklists stopped most of it for a few days, but new spam IP addresses are appearing more quickly now than a few days ago.

In the meantime, the Dreamhost support knowledge base suggests using SetEnvIfNoCase to define patterns to be blocked. This does work at Dreamhost, and I’ve blocked most of the current spam run with the following:

# Flag any request whose Referer header matches one of these patterns (case-insensitive)
SetEnvIfNoCase Referer ".*\.get\.to" BadReferrer
SetEnvIfNoCase Referer ".*\.drop\.to" BadReferrer
SetEnvIfNoCase Referer ".*\.hey\.to" BadReferrer
SetEnvIfNoCase Referer ".*\.go\.to" BadReferrer
SetEnvIfNoCase Referer ".*\.dive\.to" BadReferrer
SetEnvIfNoCase Referer ".*\.switch\.to" BadReferrer
SetEnvIfNoCase Referer ".*\.come\.to" BadReferrer
SetEnvIfNoCase Referer ".*\.mysite\.de" BadReferrer

# Allow by default, then deny the requests flagged above
order deny,allow
deny from env=BadReferrer
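
As an added example (not code from the original post), this Python sketch runs the post's eight patterns over constructed Referer values the way SetEnvIfNoCase applies them, as a case-insensitive unanchored match on the whole header, and compares the result with a check on the parsed host. The sample values, the function names and the host-based check are assumptions for illustration; Python's re module stands in for Apache's regex engine, which treats these simple patterns the same way.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the SetEnvIfNoCase lines in the post.
POST_PATTERNS = [r".*\.get\.to", r".*\.drop\.to", r".*\.hey\.to", r".*\.go\.to",
                 r".*\.dive\.to", r".*\.switch\.to", r".*\.come\.to", r".*\.mysite\.de"]

# Domains those patterns are aimed at, used by the stricter host-based check
# (hypothetical alternative, not something the post configures).
BLOCKED_DOMAINS = ["get.to", "drop.to", "hey.to", "go.to",
                   "dive.to", "switch.to", "come.to", "mysite.de"]


def matches_post_rules(referer):
    """Emulate SetEnvIfNoCase: case-insensitive, unanchored search of the header."""
    return any(re.search(p, referer, re.IGNORECASE) for p in POST_PATTERNS)


def host_is_blocked(referer):
    """Stricter check: parse out the host and compare it to the blocked domains."""
    host = (urlsplit(referer).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


# Constructed sample Referer values (not taken from real logs).
SAMPLES = [
    "http://pills.get.to/",                       # spam-style subdomain
    "HTTP://CASINO.DROP.TO/index.html",           # same shape, upper case
    "http://go.to/",                              # bare domain, no subdomain
    "http://docs.go.tools.example/page",          # unrelated host containing ".go.to"
    "http://search.example/?q=http://x.hey.to/",  # blocked name only in the query string
    "http://www.example.org/blog/",               # ordinary referrer
]


def compare(samples=SAMPLES):
    """Return (referer, post_rule_result, host_check_result) for each sample."""
    return [(r, matches_post_rules(r), host_is_blocked(r)) for r in samples]


if __name__ == "__main__":
    for referer, post_rule, host_check in compare():
        print(f"{post_rule!s:5} {host_check!s:5} {referer}")
```

The two columns disagree on the bare domain, the look-alike host and the query-string case, which are the places to check before widening a pattern list like this one.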

Combined with the IP blocklist from a few days ago, this has made a huge reduction in the outgoing bandwidth. For a while the spam was all HEAD requests, but lately they have all been GET requests on full pages. A few days ago it passed 10,000 spam requests for the day.

Today it looks like we’ll end up around 35,000 blocked referrer spam requests.

I’m a little busy lately so I haven’t tried chasing down the reason the conditional rewrites aren’t working. In the meantime, this is keeping the spam overhead down a bit.

See also: Blocking Referrer Spam, Referrer Spammer IP Blocklist

    © 2004-2008 Ho John Lee