How Now Brownpau

Referrer Spam. For myself and for anyone curious about my inbound traffic, my installation of Refer is public, but hidden from search engines by a robots exclusion <meta>. That, as many of you webmasters may have found by now, does nothing to deter referrer spam.

As of late, this site and many others have been under attack by a persistent referrer and blog comment spammer, with visits from just about every open proxy on the web, plus more than a few zombie machines, linking back to dozens, perhaps hundreds, of domains. Each of the domains uses fake whois info, and showed, until recently, a fake “suspension” notice to throw off any webmasters who followed the link, fooling them into thinking that the spammer had already been taken out. The jubilation was premature, of course: the sites are now flooded with links to all sorts of sleazy online scams, their pagerank artificially boosted by spam posted to unmaintained weblog comment threads and referrer logs. The flood of inbound traffic from this spammer’s zombie network is so heavy that it operates like a DOS attack: consuming bandwidth, sucking up server resources, and slowing — or even bringing down — the victim site. Witness the growing tide of spammed referrers, or see an untended referrer log taken over by pornographic links.

Myself, I’m keeping most of the flood at bay with an .htaccess blacklist. Amusingly, the spammer’s own comment spams, huge strings of domains inside <h1> tags, are an excellent way to generate a domain-based blacklist, since he seems quite intent on flooding comment threads with almost every domain he’s registered. Denying by IP is an exercise in futility, since the zombie network just keeps growing, most likely fed by trojans installed by the unsuspecting clicks of indiscriminate file sharers.

More info on this attack elsewhere:

• Norweigan blogger Ann Elisabeth has been very much on top of the problem, getting info from open proxies, complaining to the FTC, emailing and calling the colo/hosting services used by the spammer.
• Caveat Lector has .htaccess tips for domain-based blocking. Also watch his her Spam category.
• JLuster wonders about “Thomas Reece,” one of the [most likely] fake identities used in the spammer’s whois info. A very annoyed Tim Bray tried calling, but didn’t get too far. I might try calling too, if no one else has tried? Anyone?
• Arve Bersvendsen and ThePete comment on the fake “suspended” pages and the spammer’s webhost.
• John Sinteur has a quick PHP code block which redirects the referrer spam right back to the spammer.
• Track this story on Technorati through the spam tag and links to Ann Elisabeth’s efforts.
• And remember this from the not-too-distant past: Mark Pilgrim on weblog spam. War is hell.

Update, 25 Jan 2005: Ann Elisabeth seems to have discovered the culprits, and Photodude laments Verio’s poor response to the crisis.