rakaz

about standards, webdesign, usability and open source

What the hack?

If you publish a list of referring pages on your website you are going to have to deal with a problem: referrer spam. Apparently some shady companies like to advertise their pills, gambling scams, warez and pr0n using the websites of innocent bystanders. This is of course completely unacceptable. Many people consider their weblog their home on the net. Now imagine somebody breaking into your house and covering up all your walls with large obnoxious advertising billboards.

The Referrer plugin for Nucleus has a couple of methods to defeat referrer spam. First of all, if the NP_Blacklist plugin is installed it will check all referrers against a list of known spammers. This usually works pretty well, but the spammers have found a workaround for this method. If you simply switch domain names often you can spam without being blocked, because it takes some time before the master blacklist is updated and distributed to every weblog. Twenty-four hours between the first spamming attempt using a fresh domain and having an updated blacklist isn’t unusual. That leaves enough room for most spammers to frequently do at least some damage.

The latest release of the plugin also contains a completely new method of checking for referrer spam. The method is actually very simple if you think about it. So far it has proven to be 100% effective. It is based on the principle that every referrer page must have a link to your website, because otherwise it could not have referred the visitor to your website. If there is no link, it is probably spam, or alternatively the referring page is not directly accessible to the public (for example a private forum or webmail). So, the plugin fetches the referring URL and detects if there is a link to your website. If not, the plugin will block the referrer.
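The link-back check described above can be sketched as follows. This is an added example in Python, not the Referrer plugin's own code; `MY_SITE`, `links_back` and the sample pages are assumptions made for illustration, and the fetch itself is left to the caller so the check runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

MY_SITE = "https://blog.example.org/"  # assumed address of the weblog

def _host(url):
    """Lower-cased host name without a leading 'www.'; '' if unparsable."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""
    return host[4:] if host.startswith("www.") else host

class _LinkCollector(HTMLParser):
    """Collects <a href> targets, resolved against the referring page's URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            try:
                self.links.append(urljoin(self.base_url, href))
            except ValueError:
                pass  # malformed href: cannot be a link to us

def links_back(referrer_url, page_html, my_site=MY_SITE):
    """True only if the fetched referrer page really links to my_site.

    page_html is what the caller fetched (with a timeout and a size cap);
    None means the page was unreachable, which is treated as "block".
    """
    if _host(referrer_url) == "" or page_html is None:
        return False
    if urlsplit(referrer_url).scheme not in ("http", "https"):
        return False
    parser = _LinkCollector(referrer_url)
    parser.feed(page_html)
    return any(_host(link) == _host(my_site) for link in parser.links)

# Constructed sample pages, not taken from real sites.
GENUINE = '<p>Nice read: <a href="HTTP://Blog.Example.org/item/1">post</a></p>'
SPAM = ('<!-- <a href="https://blog.example.org/">hidden</a> -->'
        '<a href="/pills">pills</a> blog.example.org '
        '<a href="http://blog.example.org.spam.example.com/">x</a>')
```

Comparing parsed host names rather than searching the page for a substring is what keeps the commented-out link, the bare text mention and the look-alike host in `SPAM` from passing the check.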

A week or so ago I started to notice something unusual. My plugin isn’t able to reach the spamming URLs anymore. Take for example the following URL, which was spammed not more than 6 hours ago: http://how-to-play-poker.samiuls.com/

This URL is simply not reachable. Not from my server, but also not from other locations. So I am starting to think the server is actually down. If so, I really would like to know why. A hacker who is simply fed up with their practices. Forgot to pay the bills. Or something else. I am very curious. But I am even more curious why these people continue to spam URLs that simply do not work.

For those who think I am being unrealistic about hackers taking down a spammer, take a look at the following URL: http://www.covertcall.com/118373

4 Responses to “What the hack?”

  1. Aaron wrote on March 18th, 2005 at 10:01 am

    Yes, referrer spam is the worst thing next to comment spam and I hope those hackers take down more spammers!

  2. Tristor wrote on March 19th, 2005 at 8:01 am

    I couldn’t seem to find any sort of contact information for you, so I am just
    going to leave a comment here, feel free to email me at the address left on this
    comment.

    I am having an issue with the Gravatar plugin causing my page to not be valid
    XHTML 1.0 Strict because it doesn’t encode the ampersands in the gravatar urls,
    just one gravatar causes something like 30 errors to be shown in the validator
    on one page. This also causes pages to not render in strict XML rendering
    engines like Gecko. For the purposes of fixing the problem, I figured I would
    leave it as is for now, and here is a validator link to a page on my blog where
    the error occurs, it shouldn’t render because of the error if you are using
    Gecko for your rendering engine (Firefox/Mozilla/Netscape)

    link (Validate Item 180 on Tristor's Blog)

    I would try and fix it myself but my PHP skills suck, and the code wasn’t
    exactly commented heavily. (not that it really took a lot of thought to figure
    out what it did, I read through it and understood it in the logical sense, but
    not in the "I know PHP well enough to do anything" sense).

  3. RB wrote on May 15th, 2005 at 10:11 am

    About spamming URLs that don’t work: people can spam with URLs that don’t work at the time of spamming. However, by activating the URL at a later point in time, they can be sure there are hundreds of sites already containing the spammed URL. If you check your example, you see that this appears to be what happened. [that site] simply activated its subdomain. Either that, or spammers sometimes use completely bogus domains to spam, and then buy/activate the domain. Nobody is going to buy sfsdjdiogudfgouweugdsjsf.com, so you can safely spam that :)

  4. cire wrote on August 1st, 2005 at 10:35 am

    I am a member of the Defonic Crew. Known for hacking both camophone and covertcall. We attacked these sites because we feel that them trying to make money off a free service is nothing short of pathetic. We released their spoofing method free of charge with the expectation of absolutely nothing in return.