Referer Spamming is Back!

It looks like referrer spamming is back and it’s more sophisticated than before.

I normally get a notification email from my stats package whenever I have had 100 visitors to the website. Note that’s 100 real visitors using browsers; it doesn’t count crawlers or bots. I normally get two or three a day; I’m running at about 270 unique visitors per day.
I noticed yesterday that I was getting them about every three hours. That’s more than twice the normal rate and I don’t recall anything happening on the site to justify it. I was immediately suspicious and investigated.
On looking at my stats package (I use Power Phlogger) I noticed lots and lots of hits on my home page all with the same referer (an unsavoury site to which I shall not link!).
“Oh!” says I (to myself), they are at it again. “…Wait a minute! They never showed up here before!” And indeed they didn’t. You see I have my stats set up so that you need a browser with JavaScript enabled to log an entry in my stats. That way I get a count of real people and not bots, crawlers, and other automated visitors.
My next thought then, was that someone had come up with a referer spamming script that actually went so far as to decode the page and execute the JavaScript (loading another JavaScript file in the process). Hmmm… not likely really.
A closer look showed me that each visit was from a different IP address too. Again, I know that you can spoof IP addresses and even do it with automation, but then I noticed that some ‘visitors’ had visited the page more than once. In order for Power Phlogger to record that, you have to have accepted the cookie it sent and returned it with subsequent requests. I also saw that the user agent strings were spread across several different versions of Internet Explorer and on several different versions of Windows. With different screen resolutions! Finally I saw that several visits seem to have come via legitimate ISP proxy servers.
No-one would write a referer spamming script that sophisticated, would they?
The only conclusion I can draw is that this referral spamming is being done via trojan applications (or automated remote control), and is actually controlling Internet Explorer on the victims’ machines.
The implications for this are huge! Referral spamming is minor in comparison to what could be done.
Massive denial of service attacks that are indistinguishable from legitimate visitors? How about all those saved passwords on all those machines? If you have that much control of the victim’s machine then why not try to visit every single banking site you can think of and try to log in. You may as well start with the favourites folder; the victim’s bank is probably already in there. Imagine someone with Passport configured! I could think of lots and lots more.

The mind boggles at the insecurity of Windows!
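
The pattern described above (one external referer, concentrated on one page, arriving from many distinct IP addresses with plausible browsers) passes per-request checks but stands out in aggregate. The following Python is an added example, not part of the original post or of Power Phlogger; it assumes Apache combined log format, and the hostnames, thresholds and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: ip, request path, referer, user agent.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def suspicious_referers(lines, own_host, min_hits=5, min_ips=4, min_share=0.9):
    """Return {referer_host: stats} for external referers whose hits pile onto
    one page from many distinct IPs (thresholds are assumed, tune per site)."""
    by_ref = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": defaultdict(int)})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guess
        host = (urlsplit(m["ref"]).hostname or "").lower()
        if not host or host == own_host or host.endswith("." + own_host):
            continue  # no referer, or internal navigation
        s = by_ref[host]
        s["hits"] += 1
        s["ips"].add(m["ip"])
        s["paths"][m["path"]] += 1
    flagged = {}
    for host, s in by_ref.items():
        top_path, top_hits = max(s["paths"].items(), key=lambda kv: kv[1])
        if (s["hits"] >= min_hits and len(s["ips"]) >= min_ips
                and top_hits / s["hits"] >= min_share):
            flagged[host] = {"hits": s["hits"], "ips": len(s["ips"]), "path": top_path}
    return flagged

# Constructed sample log lines (documentation IP ranges, .example hosts).
def _line(ip, path, ref, ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"):
    return f'{ip} - - [01/Jan/2005:10:00:00 +0000] "GET {path} HTTP/1.1" 200 5120 "{ref}" "{ua}"'

SAMPLE = (
    [_line(f"192.0.2.{i}", "/", "http://spam.example/") for i in range(1, 7)]
    + [_line("192.0.2.1", "/", "http://spam.example/")]  # repeat visitor
    + [_line("198.51.100.7", "/posts/1", "http://search.example/?q=referer"),
       _line("198.51.100.8", "/about", "http://search.example/?q=blog"),
       _line("198.51.100.7", "/about", "http://blog.example/posts/1"),
       _line("203.0.113.9", "/", "-")]
)

if __name__ == "__main__":
    print(suspicious_referers(SAMPLE, "blog.example"))
```

Because every individual request looks like a real browser, the only signals used here are the aggregate ones: hit count, distinct IP count and how concentrated the hits are on a single page.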

7 thoughts on “Referer Spamming is Back!”

  1. Hi Paul, the intention is that sites which display their referers, e.g. in statistics pages, or as is often done on blogs, right there on the page, will lend ‘Page Rank’ to the spammer’s site. The irony in my case is twofold. I no longer display my referers and I have just lost all my page rank because of the URI change.

  2. Many web sites show a list of web sites that people visited just before visiting theirs – normally termed referral sites as they referred the user with a link. Such “recent referral” sections are a nice way of crosslinking websites and building a nice web of related sites. My website has such a section (cheap plug!).

    Referral spamming is caused by a script/bot making fake site referrals in an attempt to generate traffic to another site. It’s basically a form of advertising and something that’s annoying.

    Mike, could you email me the referral link and I’ll scan my logs. The referer page might have some JavaScript or image link causing the referral. Hmm, I think or just come up with a nice way of generating referrals 🙂

  3. Persactly. I pass-protected my referral logs [not from Apache, but from Dean Allen’s Refer script] so I was the only one seeing them; I really seemed to become a target only when I was making them public.

    :shrug:

  4. Didn’t I see somewhere during the last flood of referer spamming that some of them were doing it by making their visitors do the work? Just throw a 1×1 iframe in your page, with a random URL from a file of addresses to spam (oh, say, from the weblogs.com changes.xml file), and all your freeloading pr0n-seekers do your referer spamming for you. Not quite as slick as the “decode this CAPTCHA (which will get me another free spam email account somewhere) to get your free pr0n” scam, but still quite inventive, for slime.
