Focal Curve

Noteworthy Referral Flood

Checking my shortstats this evening, I see I’ve been slammed with another referrer spam attack. 111 hits in the space of a few minutes, seemingly coming from a website which did not, in fact, link to mine. Not only did they hit my home page, but they crawled all the various links on it, finding the archives page which they then crawled further, hitting the permalink of every single post. If they did indeed crawl every link, they no doubt got to my blogroll and I must apologize to those I link to if these asshats have soiled your logs.

All 111 hits originated from the same IP, which falls in a range owned by an ISP in China. No surprise there. Each hit was aimed at a different URI, most of which exist but many of which do not. Made-up pages like “canon_ink_cartridges.asp” and “inkjet_cartridges.htm.” I would laugh if I wasn’t so concerned about choking on bile.

This is not my first referral attack, but to date this is the largest by one hit (some site in Norway pounded me with 110 spoofed referrals a couple of weeks ago). But what really sets this deluge apart is that the site they’re claiming to link from seems almost respectable. I won’t name the company quite yet, but I’ll just say it’s a company which publishes several notable and respected IT magazines, and the site in question is the branch of said company which organizes various high-profile tech industry events.

Which raises a question: is this seemingly legitimate and respectable company indeed engaging in sleazy referral spamming, or is this a new flavor of Joe Job and the unnamed company in question is an innocent victim? I’ve sent an email to the site’s point of contact and will keep you posted of the results. Of course, if they’re responsible for it I sincerely doubt they’d admit to it, but I’ll be interested to see what sort of response I get, if any.

Meanwhile, I’ve updated my .htaccess file to deny the offending IP block and deflect further traffic containing the offending site in the referrer string. This article at Spywareinfo.com provides the sample code along with a nice overview of the problem, but I wonder if someone out there has a good up-to-date blacklist in addition to this one from Joe Maller. Preventing repeat attacks is easy, but I’m looking to pre-empt them if possible.
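One way to spot the burst pattern described above (one IP, one claimed referrer, many distinct URIs in a few minutes, a share of them 404s) and produce candidates for the deny list. This is an added example, not code from the original post or the linked articles. It assumes Apache "combined" format logs; the function names, thresholds, hostnames and sample lines are all constructed for illustration, with addresses from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" ...
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+)[^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    host = (urlsplit(m["ref"]).hostname or "").lower()
    return m["ip"], host, ts, m["uri"], int(m["status"])

def referral_floods(lines, own_host, window=timedelta(minutes=5), min_hits=20):
    """Return (ip, referrer_host, hits, distinct_uris, not_found) per burst, largest first."""
    groups = defaultdict(list)
    for ip, host, ts, uri, status in filter(None, map(parse, lines)):
        if host and host != own_host:  # skip empty referrers and internal navigation
            groups[(ip, host)].append((ts, uri, status))
    findings = []
    for (ip, host), hits in groups.items():
        hits.sort()
        best, start = [], 0
        for end in range(len(hits)):  # sliding window: densest run within `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = hits[start:end + 1]
        if len(best) >= min_hits:
            findings.append((ip, host, len(best), len({u for _, u, _ in best}),
                             sum(s == 404 for _, _, s in best)))
    return sorted(findings, key=lambda f: -f[2])

def sample_log():  # constructed data: 111 spoofed-referrer hits in under 4 minutes, 2 normal visits
    t0 = datetime(2000, 1, 1, 20, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "GET {} HTTP/1.1" {} 512 "{}" "Mozilla/4.0"'
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    out = [row.format("192.0.2.10", stamp(2 * i),
                      f"/made_up_{i}.asp" if i % 3 == 0 else f"/archives/{i}",
                      404 if i % 3 == 0 else 200, "http://events.spammer.example/")
           for i in range(111)]
    return out + [row.format("198.51.100.7", stamp(30), "/", 200, "http://reader.example/"),
                  row.format("203.0.113.5", stamp(45), "/", 200, "-")]

if __name__ == "__main__":
    print(referral_floods(sample_log(), own_host="myblog.example"))
```

A genuine inbound link tends to show up as a handful of hits from many different IPs, so grouping on the (IP, referrer host) pair keeps ordinary referred traffic below the threshold.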

Update: I got a response from one of their techies. As expected, they denied having any hand in the spamming and assured me that their company is a responsible netizen and never engages in such filthy marketing practices. Honestly, I thought it very unlikely that they would need to stoop as low as referrer spamming an obscure and unnoticeable blog like mine, so I never really suspected they were behind it. What puzzles me is why a malicious hacker/spammer would go to such trouble to make them look bad. Routing the attack through a server in China, while a common practice for professional spammers, seems a little too complex for a mere disgruntled employee. There’s something deeper going on here. I’m curious to know if anyone else has seen referral spam alleging to come from this company, to know if this is a large shock-and-awe style onslaught on the global Internet, or simply a random glitchy occurrence that only hit my own site. The whole thing is quite a noodler.
