Referrer Spam Attack

For myself and for anyone curious about my inbound traffic, my installation of Refer is public, but hidden from search engines by a robots exclusion <meta>. That, as many of you webmasters may have found by now, does nothing to deter referrer spam.

As of late, this site and many others have been under attack by a persistent referrer and blog comment spammer, with visits from just about every open proxy on the web, plus more than a few zombie machines, linking back to dozens, perhaps hundreds, of domains. Each of the domains uses fake WHOIS info and, until recently, showed a fake “suspension” notice to throw off any webmasters who followed the link, fooling them into thinking that the spammer had already been taken out. The jubilation was premature, of course: the sites are now flooded with links to all sorts of sleazy online scams, their PageRank artificially boosted by spam posted to unmaintained weblog comment threads and referrer logs. The flood of inbound traffic from this spammer’s zombie network is so heavy that it operates like a DoS attack: consuming bandwidth, sucking up server resources, and slowing — or even bringing down — the victim site. Witness the growing tide of spammed referrers, or see an untended referrer log taken over by pornographic links.

Myself, I’m keeping most of the flood at bay with an .htaccess blacklist. Amusingly, the spammer’s own comment spams, huge strings of domains inside <h1> tags, are an excellent way to generate a domain-based blacklist, since he seems quite intent on flooding comment threads with almost every domain he’s registered. Denying by IP is an exercise in futility, since the zombie network just keeps growing, most likely fed by trojans installed by the unsuspecting clicks of indiscriminate file sharers.
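
One way to build the domain-based blacklist described above, shown as an added example rather than the author's own script: it pulls hostnames from links inside <h1> tags of a spam comment and emits mod_rewrite rules that answer 403 to any request whose Referer matches. The sample comment and its .example domains are constructed, and the use of mod_rewrite is an assumption, since the post does not say which directives its .htaccess uses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample of a spam comment body: link strings wrapped in <h1> tags.
SAMPLE_COMMENT = """
<h1><a href="http://www.spam-pills.example/">cheap pills</a>
<a href="http://poker.spam-casino.example/play">poker</a></h1>
<p><a href="http://legit.example/">my blog</a></p>
<h1><a href="HTTP://Spam-Pills.example/buy">pills</a>
<a href="/relative/link">x</a></h1>
"""

class H1LinkCollector(HTMLParser):
    """Collect hostnames of absolute links that appear inside <h1> elements."""
    def __init__(self):
        super().__init__()
        self.depth = 0          # how many <h1> elements are currently open
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "h1":
            self.depth += 1
        elif tag == "a" and self.depth:
            host = urlsplit(dict(attrs).get("href") or "").hostname
            if host:            # relative links have no hostname and are skipped
                self.hosts.add(host[4:] if host.startswith("www.") else host)

    def handle_endtag(self, tag):
        if tag == "h1" and self.depth:
            self.depth -= 1

def spam_hosts(comment_html):
    parser = H1LinkCollector()
    parser.feed(comment_html)
    return sorted(parser.hosts)

def htaccess_rules(hosts):
    """Emit mod_rewrite rules that return 403 when the Referer matches a host."""
    if not hosts:
        return ""
    lines = ["RewriteEngine On"]
    for i, host in enumerate(hosts):
        # Every condition but the last is OR-ed; [NC] makes the match case-insensitive.
        flags = "[NC]" if i == len(hosts) - 1 else "[NC,OR]"
        lines.append(r"RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?"
                     + re.escape(host) + r"(:\d+)?(/|$) " + flags)
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines)

if __name__ == "__main__":
    print(htaccess_rules(spam_hosts(SAMPLE_COMMENT)))
```

Each pattern is anchored to the host part of the Referer, so a listed domain and its subdomains are refused while a legitimate URL that merely contains the string in its path or query is not. Review the extracted hosts before deploying, because a spammer who learns of the technique can seed comments with domains you do not want to block.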

More info on this attack elsewhere:

Update, 25 Jan 2005: Ann Elisabeth seems to have discovered the culprits, and Photodude laments Verio’s poor response to the crisis.