What the hack?
Thursday, 17 March 2005
If you publish a list of referring pages on your website you are going to have to deal with a problem: referrer spam. Apparently some shady companies like to advertise their pills, gambling scams, warez and pr0n using the websites of innocent bystanders. This is of course completely unacceptable. Many people consider their weblog their home on the net. Now imagine somebody breaking into your house and covering up all your walls with large obnoxious advertising billboards.
The Referrer plugin for Nucleus has a couple of methods to defeat referrer spam. First of all, if the NP_Blacklist plugin is installed it will check all referrers against a list of known spammers. This usually works pretty well, but the spammers have found a workaround for this method. If you simply switch domain names often you can spam without being blocked, because it takes some time before the master blacklist is updated and distributed to every weblog. Twenty-four hours between the first spamming attempt using a fresh domain and having an updated blacklist isn’t unusual. That leaves enough room for most spammers to frequently do at least some damage.
The latest release of the plugin also contains a completely new method of checking for referrer spam. The method is actually very simple if you think about it. So far it has proven to be 100% effective. It is based on the principle that every referrer page must have a link to your website, because otherwise it could not have referred the visitor to your website. If there is no link, it is probably spam, or alternatively the referring page is not directly accessible to the public (for example a private forum or webmail). So, the plugin fetches the referring URL and checks whether there is a link to your website. If not, the plugin will block the referrer.
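The link-back check described above, sketched in Python as an added example; it is not the Referrer plugin's own code, which is written for Nucleus. The function names, the size cap, the `www.` alias and the three-way result (including a separate `unreachable` outcome) are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from urllib.request import urlopen

MAX_BYTES = 256 * 1024  # assumed cap so a hostile page cannot exhaust memory


class _Hrefs(HTMLParser):
    """Collect href values from <a> tags only (plain-text mentions do not count)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def links_back(html, page_url, my_host):
    """True if the page has an anchor whose resolved host is exactly my_host."""
    wanted = {my_host.lower(), "www." + my_host.lower()}  # www alias is assumed
    parser = _Hrefs()
    parser.feed(html)
    for href in parser.hrefs:
        try:
            host = urlsplit(urljoin(page_url, href)).hostname or ""
        except ValueError:  # malformed href, e.g. a broken IPv6 literal
            continue
        if host in wanted:
            return True
    return False


def fetch(url):
    """Fetch at most MAX_BYTES of the referring page with a short timeout."""
    with urlopen(url, timeout=5) as resp:
        return resp.read(MAX_BYTES).decode("utf-8", "replace")


def classify_referrer(referrer, my_host, fetcher=fetch):
    """Return 'linked', 'no-link' or 'unreachable' for a referrer URL."""
    if urlsplit(referrer).scheme not in ("http", "https"):
        return "unreachable"  # refuse file:, ftp: and other schemes
    try:
        html = fetcher(referrer)
    except (OSError, ValueError):  # DNS failure, timeout, refused, bad URL
        return "unreachable"
    return "linked" if links_back(html, referrer, my_host) else "no-link"
```

Because the Referer header is chosen by the client, the server is fetching a URL it does not control: a deployment should also refuse referrers that resolve to loopback or private addresses and should re-check the target after redirects.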
A week or so ago I started to notice something unusual. My plugin isn’t able to reach the spamming URLs anymore. Take for example the following URL, which was spammed not more than 6 hours ago: http://how-to-play-poker.samiuls.com/
This URL is simply not reachable. Not from my server, but also not from other locations. So I am starting to think the server is actually down. If so, I really would like to know why. A hacker who is simply fed up with their practices. Forgot to pay the bills. Or something else. I am very curious. But I am even more curious why these people continue to spam URLs that simply do not work.
For those who think I am being unrealistic about hackers taking down a spammer, take a look at the following URL: http://www.covertcall.com/118373