Focal Curve

New Breed of Referrer Spam

There’s a new spambot which seems to be targeting WordPress blogs. It passes along a forged referrer which appears to come from a legitimate source, invariably another WordPress blog, and always from a permalink to an older post on said blog (rather than just the main site URL). How I’ve dealt with referrer spam in the past is to block it in my .htaccess file thusly:

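    RewriteEngine On
    # Match referrers that start with one specific spam domain
    RewriteCond %{HTTP_REFERER} ^http://(www\.)?adminshop.*$ [OR]
    # Match referrers containing "poker" (the unescaped "." matches any character)
    RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*(-|.)poker(-|.).*$
    RewriteRule .* - [F,L]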

In the example, the first condition blocks traffic from a specific domain, while the second blocks any domain containing the keyword “poker”. Any hit that meets either of those conditions will get a 403 Forbidden error. I’ve got a pretty robust list but since the domains never seem to stay active for long I can regularly retire older rules. And, because comment spambots often bring along a forged referrer, this method effectively blocks both types of spam. The downside is that you can’t make the expressions too broad for fear of blocking legitimate links — e.g. it would be a very bad idea to blacklist referrers with the string “goo*”.
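An added example (not from the original post): a small Python harness that runs the two referrer patterns above, plus a hypothetical over-broad `goo` pattern, against constructed referrers to show what each rule set refuses by mistake. The sample URLs and function names are assumptions made for illustration, and Python's `re` stands in for Apache's regex engine.

```python
import re

# The two referrer patterns from the .htaccess rules above.
RULES = {
    "adminshop": r"^http://(www\.)?adminshop.*$",
    "poker": r"^http://(www\.)?.*(-|.)poker(-|.).*$",
}
# Hypothetical over-broad rule, the kind the post warns against.
TOO_BROAD = {"goo": r"^http://(www\.)?goo.*$"}

# Constructed sample referrers: ones that should be refused...
SPAM = [
    "http://www.adminshop.example/deals",
    "http://best-poker-online.example/",
    "http://free.poker.example/play",
]
# ...and ones that should get through.
LEGIT = [
    "http://www.google.com/search?q=focal+curve",
    "http://someblog.example/2005/03/old-post/",
    "http://someblog.example/2005/03/my-poker-night/",
    "",  # direct hit, no Referer header
]

def blocked_by(referrer, rules):
    """Names of the rules that match; conditions are ORed, so any match means 403."""
    return [name for name, pat in rules.items() if re.search(pat, referrer)]

def audit(rules, spam=SPAM, legit=LEGIT):
    """Return (spam referrers no rule caught, {legit referrer: rules that refuse it})."""
    missed = [r for r in spam if not blocked_by(r, rules)]
    false_pos = {r: blocked_by(r, rules) for r in legit if blocked_by(r, rules)}
    return missed, false_pos

if __name__ == "__main__":
    for label, rules in (("current", RULES), ("with goo", {**RULES, **TOO_BROAD})):
        missed, false_pos = audit(rules)
        print(f"{label}: missed={missed} false_positives={false_pos}")
```

The poker pattern is not confined to the host name, so the constructed permalink with "poker" in its path is refused along with the spam domains.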

But this new dirty trick isn’t easily blockable because they’re legitimate blogs, not spam sites, and a random selection of them to boot. The IPs are always different (spoofed or open proxies no doubt) and the “browser” used seems to always be IE6 on Windows XP, so that rules out blocking the user-agent string. So I’m pretty much left to suffer the annoyance until it goes away.

What I don’t get is WHY??? What good can this possibly do? How does the spammer benefit from this in any way? I don’t post referrers publicly so they’re not getting traffic or googlejuice. I caught onto the trick after the second bogus link I saw in my logs, so I’m not even visiting the referring sites myself. I’ve only come up with two feasible theories:

  1. The bot drops comment spam on someone else’s blog, then comes to my site passing along the previously comment-spammed URL in hopes that I’ll visit the referrer and see the spam comments. Tough luck, spammy, I’m not that dim.
  2. The spammer has caught wise to the fact that blocking their spam referrers also blocks their comment spam, so they’re using this new approach to get their comment spambots through. And indeed I have had a sudden surge in comment spam, roughly coinciding with the referrer spam.

Hopefully it’ll die down soon when the spammer either tires of it or gets caught by a lynchmob who will string him up by the testicles and funnel sulfuric acid up his nose. With any luck he won’t get off that lightly.
