02/13 2005 – I’m mildly surprised that the nofollow link attribute doesn’t keep the referral spammers from using more and more domains for their strange kind of marketing attempts. I just keep adding them to my blacklist, whenever I find them. The only thing new is that there see to be more of them doing it.
2005-02-02 – A couple of new domains have been added to the blacklist (see below). And today you will notice that the referral spamming crowd has added a couple of features to their new ”report forms”. They even added an anti-robot feature, probably to prevent their own blogspamming robots to fill up their databases with their own domains…
1/30 2005 – A few new domains have been blocked, and today I noticed that these falsly terminated accounts are actually pretending to have feature for reporting unwanted referral spam activities. Weird. I’m actually not sure if it’s new, or if I missed it, since the form is below the fold of the page. The form reports to an IP address (64.234.220.141) registered to WebStream, Inc. in Fort Lauderdale, Florida. And even the landing page used for reporting uses methods for displaying a different layout each time it is accessed.
The new domains are included in the blocking script further down on this page. I also changed my php script a little. It’s fun to imagin the referral spambots going after their own pages…
1/27 2005 – More changes to the referral spammer blocking php script (I’m not saying how, but the last version didn’t really work at all). A few new domains added, but it actually looks as if most of the referral spammers have kicket it in. Googlebot has been out sidering thousands of pages on this site alone, probably in an attempt to catch the newly implemented nofollow link attribute. Fingers crossed. I hope it works.
1/24 2005 – I just changed the script locking out the referral spammers from this site. The old method (where I used the php eregi function) became much too slow, I have now changed it to the stristr function, and added a few referral spammers.
1/20 2005 – The referral spammers just won’t kick the habit of releasing a few new domains every other day. Tonight their practice is bordering to stupidity, since the major bots seem to have been taken off the web for implementation of the nofollow link attribute. The list of blocked domains (on display below) has been duly updated.
I sure hope this is the last surge of referral spam before search engine bots start implementing the nofollow attribute.
1/16 2005 – A new load of referral spammers using the same technique have today been spotted. The list of these domains is growing (se below), and I’m afraid my current technique will soon be unexeptable.
Today I read this Proposal of how to get rid of it by Tom Sherman and I must say I’m glad to see that more people have realised that referral spamming is in fact a technique for spamming search engines.
Jan 14, 2005 – My per-domain blocking technique of referral spammers (described in detail below) seems to work. But today I noticed 11 new domains using the same shady technique. All, suprisingly, .org domains: hometeaminspection.org, hdic.org, rifp.org, lvcpa.org, catchathief.org, tecrep-inc.org, mor-lite.org, krantas.org, atlanta2000.org, reservedining.org, rethyassociates.org.
I still believe that whoever’s doing this is trying a new kind of search engine spamming. All the bogus ”account closed” messages displayed at these sites are different, each containing a few carefully selected keywords.
January 8, 2005 – The list of domains now locked out from visiting this site is growing. Sad, but that’s the only way I can do it for now. The bots doing the referral spam, identifies themself as a user agent (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)) also used by legitimate visitors (not many, but some), I cannot do the blocking based on this value. Instead, I’m adding domains to a conditional if at the beginning of the php code used for displaying pages on N!kkes Index (updated January 24, 2005):
if(stristr(getenv(”HTTP_USER_AGENT”),”LWP::Simple”) or stristr(getenv(”HTTP_USER_AGENT”),”lwp-trivial”) or stristr(getenv(”HTTP_REFERER”),”.yelucie.com”) or stristr(getenv(”HTTP_REFERER”),”.cegetel.net”) or stristr(getenv(”HTTP_REFERER”),”.future-2000.com”) or stristr(getenv(”HTTP_REFERER”),”.ronnieazza.com”) or stristr(getenv(”HTTP_REFERER”),”.gb.com”) or stristr(getenv(”HTTP_REFERER”),”.6q.com”) or stristr(getenv(”HTTP_REFERER”),”.flafeber.com”) or stristr(getenv(”HTTP_REFERER”),”.popwow.com”) or stristr(getenv(”HTTP_REFERER”),”.oiline.com”) or stristr(getenv(”HTTP_REFERER”),”.spoodles.com”) or stristr(getenv(”HTTP_REFERER”),”.royalmailhotel.com”) or stristr(getenv(”HTTP_REFERER”),”.newtruths.com”) or stristr(getenv(”HTTP_REFERER”),”.condodream.com”) or stristr(getenv(”HTTP_REFERER”),”.stmaryonline.org”) or stristr(getenv(”HTTP_REFERER”),”.thatwhichis.com”) or stristr(getenv(”HTTP_REFERER”),”.royalmailhotel.com”) or stristr(getenv(”HTTP_REFERER”),”.sportsparent.com”) or stristr(getenv(”HTTP_REFERER”),”.uaeecommerce.com”) or stristr(getenv(”HTTP_REFERER”),”.tmsathai.org”) or stristr(getenv(”HTTP_REFERER”),”.instant-quick-money-cash-advance-personal-loans-until-pay-day.com”) or stristr(getenv(”HTTP_REFERER”),”.houseofsevengables.com”) or stristr(getenv(”HTTP_REFERER”),”.crepesuzette.com”) or stristr(getenv(”HTTP_REFERER”),”.mediavisor.com”) or stristr(getenv(”HTTP_REFERER”),”.fidelityfunding.net”) or stristr(getenv(”HTTP_REFERER”),”.911easymoney.com”) or stristr(getenv(”HTTP_REFERER”),”.debt-help-bill-consolidation-elimination.com”) or stristr(getenv(”HTTP_REFERER”),”.canadianlabels.net”) or stristr(getenv(”HTTP_REFERER”),”.8gold.com”) or stristr(getenv(”HTTP_REFERER”),”.hometeaminspection.org”) or stristr(getenv(”HTTP_REFERER”),”.hometeaminspection.net”) or stristr(getenv(”HTTP_REFERER”),”.hometeaminspection.com”) or stristr(getenv(”HTTP_REFERER”),”.hdic.org”) or stristr(getenv(”HTTP_REFERER”),”.rifp.org”) or stristr(getenv(”HTTP_REFERER”),”.lvcpa.org”) or stristr(getenv(”HTTP_REFERER”),”.catchathief.org”) or stristr(getenv(”HTTP_REFERER”),”.tecrep-inc.org”) or stristr(getenv(”HTTP_REFERER”),”.mor-lite.org”) or stristr(getenv(”HTTP_REFERER”),”.krantas.org”) or stristr(getenv(”HTTP_REFERER”),”.atlanta2000.org”) or stristr(getenv(”HTTP_REFERER”),”.reservedining.org”) or stristr(getenv(”HTTP_REFERER”),”.rethyassociates.org”) or stristr(getenv(”HTTP_REFERER”),”.rethyassociates.org”) or stristr(getenv(”HTTP_REFERER”),”.livenet.pl”) or stristr(getenv(”HTTP_REFERER”),”.kylos.pl”) or stristr(getenv(”HTTP_REFERER”),”.kylos.net”) or stristr(getenv(”HTTP_REFERER”),”.roxtet.com”) or stristr(getenv(”HTTP_REFERER”),”.azian.org”) or stristr(getenv(”HTTP_REFERER”),”.ingyensms.org”) or stristr(getenv(”HTTP_REFERER”),”.twinky.org”) or stristr(getenv(”HTTP_REFERER”),”.devilofnights.org”) or stristr(getenv(”HTTP_REFERER”),”.parkviewsoccer.org”) or stristr(getenv(”HTTP_REFERER”),”.suttonjames.org”) or stristr(getenv(”HTTP_REFERER”),”.ansar-u-deen.org”) or stristr(getenv(”HTTP_REFERER”),”.psychexams.net”) or stristr(getenv(”HTTP_REFERER”),”.bigyonet.com”) or stristr(getenv(”HTTP_REFERER”),”.ingyensms.net”) or stristr(getenv(”HTTP_REFERER”),”.jfcadvocacy.net”) or stristr(getenv(”HTTP_REFERER”),”.tclighting.net”) or stristr(getenv(”HTTP_REFERER”),”.suttonjames.net”) or stristr(getenv(”HTTP_REFERER”),”.mp-forum.com”) or stristr(getenv(”HTTP_REFERER”),”.1a1merchantaccounts.com”) or stristr(getenv(”HTTP_REFERER”),”.stories-on-cd.net”) or stristr(getenv(”HTTP_REFERER”),”.mor-lite.net”) or stristr(getenv(”HTTP_REFERER”),”.htinspection.com”) or stristr(getenv(”HTTP_REFERER”),”.parkviewsoccer.net”) or stristr(getenv(”HTTP_REFERER”),”.zalaszentgrot.com”) or stristr(getenv(”HTTP_REFERER”),”.darkangelclan.com”) or stristr(getenv(”HTTP_REFERER”),”.gargzdai.net”) or stristr(getenv(”HTTP_REFERER”),”.lvcpa.net”) or stristr(getenv(”HTTP_REFERER”),”.hasslerenterprises.net”) or stristr(getenv(”HTTP_REFERER”),”.jmsimonr.com”) or stristr(getenv(”HTTP_REFERER”),”.middlecay.net”) or stristr(getenv(”HTTP_REFERER”),”.hdic.net”) or stristr(getenv(”HTTP_REFERER”),”.zone-b51.com”) or stristr(getenv(”HTTP_REFERER”),”.neweighweb.net”) or stristr(getenv(”HTTP_REFERER”),”.mcdortaklar.com”) or stristr(getenv(”HTTP_REFERER”),”.devilofnights.net”) or stristr(getenv(”HTTP_REFERER”),”.reservedining.net”) or stristr(getenv(”HTTP_REFERER”),”.targetindustries.net”) or stristr(getenv(”HTTP_REFERER”),”.online-deals-4u.info”) or stristr(getenv(”HTTP_REFERER”),”.fidelityfunding.net”) or stristr(getenv(”HTTP_REFERER”),”.123-home-improvement-equity-loans.com”) or stristr(getenv(”HTTP_REFERER”),”.firstchoicebanksandpremiercredit.com”) or stristr(getenv(”HTTP_REFERER”),”.alumnicards.com”) or stristr(getenv(”HTTP_REFERER”),”.reachcasino.com”) or stristr(getenv(”HTTP_REFERER”),”.mortgagequestaz.com”) or stristr(getenv(”HTTP_REFERER”),”.consolidate-debt-usa.net”) or stristr(getenv(”HTTP_REFERER”),”.fast-cash-quick-money-easy-loan.com”) or stristr(getenv(”HTTP_REFERER”),”.all-calmortgage.com”) or stristr(getenv(”HTTP_REFERER”),”.repaircreditonline.net”) or stristr(getenv(”HTTP_REFERER”),”.creditsharpie.com”) or stristr(getenv(”HTTP_REFERER”),”.fast-cash-quick-money-easy-loan.com”) or stristr(getenv(”HTTP_REFERER”),”.internet-merchant-account-pro.com”) or stristr(getenv(”HTTP_REFERER”),”.lowinterestratecreditcards.net”) or stristr(getenv(”HTTP_REFERER”),”.mortgagemarketinginc.com”) or stristr(getenv(”HTTP_REFERER”),”.cheat-elite.com”) or stristr(getenv(”HTTP_REFERER”),”.ps2cool.com”) or stristr(getenv(”HTTP_REFERER”),”.rulo.biz”) or stristr(getenv(”HTTP_REFERER”),”.best-buy-site-4u.info”) or stristr(getenv(”HTTP_REFERER”),”.tecrep-inc.net”) or stristr(getenv(”HTTP_REFERER”),”.kylos.net”) or stristr(getenv(”HTTP_REFERER”),”.learnhowtoplay.com”) or stristr(getenv(”HTTP_REFERER”),”.psxtreme.com”) or stristr(getenv(”HTTP_REFERER”),”.freakycheats.com”) or stristr(getenv(”HTTP_REFERER”),”.chat-nett.com”) or stristr(getenv(”HTTP_REFERER”),”.terashells.com”) or stristr(getenv(”HTTP_REFERER”),”.crescentarian.net”) or stristr(getenv(”HTTP_REFERER”),”.crescentarian.com”) or stristr(getenv(”HTTP_REFERER”),”.adult-dvds.tk”) or stristr(getenv(”HTTP_REFERER”),”.uk18dvd.com”) or stristr(getenv(”HTTP_REFERER”),”.69-review.com”) or stristr(getenv(”HTTP_REFERER”),”.adult-reviews.co.uk”) or stristr(getenv(”HTTP_REFERER”),”.exotic-uk.com”) or stristr(getenv(”HTTP_REFERER”),”.4indiansex.com”) or stristr(getenv(”HTTP_REFERER”),”.adults.com”) or stristr(getenv(”HTTP_REFERER”),”.6q.org”) or stristr(getenv(”HTTP_REFERER”),”.smsportali.net”) or stristr(getenv(”HTTP_REFERER”),”.skip.pl”)) {
print(”It appears your browser is used for referral spamming.
\nYou can read more about this at
\nwww.lindqvist.com/spam/
\n
\nThe page you appear to be coming from is
\n”.getenv(”HTTP_REFERER”).”. That domain has now been reported to the growing blacklist of Referral spammers, which is submitted to officials from the major search engines at the end of the month.
If you actually come from that page, and it contains a reall link, please reload this page to see some content.”);
exit;
}
The first ifs (where user agent is either LWP:Simple or lwp-trivial) is used to get rid of the phpInclude.worm. The rest is to get rid of recent referral spammers. I must say that would likt to take a closer look at the mind that thought up the instant-quick-money-cash domain…
The PHP script is a bit crude, I know, but it’s the best I can come up with for now.
As to why someone is doing this, I have some theories about future search engine placement. See my page about this here.
It also looks as if the referral spam bots use spoofed IP addresses, at least there are too many to block them out based IP. Some look as if they originate from Egypt, which others from the US… Anyway. Since these addresses are used to waist bandwidth on this site I dont feel bad about publishing them. Here goes:
+----------------+ | IP | +----------------+ | 148.244.150.58 | | 195.144.131.2 | | 202.134.0.136 | | 203.177.51.237 | | 203.64.173.228 | | 205.208.226.59 | | 207.127.0.2 | | 207.250.10.170 | | 208.31.142.13 | | 209.88.128.9 | | 212.203.71.247 | | 213.172.36.62 | | 213.186.83.3 | | 213.56.68.29 | | 217.57.78.70 | | 217.59.135.138 | | 62.231.50.79 | | 66.237.84.20 | | 68.47.42.60 | | 80.200.243.151 | | 80.227.56.46 | | 80.58.33.46 | | 82.201.187.136 | +----------------+
Older version of this page:
2005-01-01 – I just don’t understand the consept of referral spamming. Right now my logs are full of faked referrals from non-existant sites that all are subdomains to gb.com. And the sites don’t even exist! The domains have really spammy urls that I won’t even publish, but they go under the theme of ”poker rules”, ”better mortgages”, and various medication for broken souls…
Am I supposed to visit these sites out of curiosity? Or do they hope that I list every referring site somwhere? (I used to, but that page got too popular with some bots so I took it off.) Probably both. If some thousand curious site owners visit a site that looks as if it has given a lot of referals, you could earn a small sum by displaying CPM ads and pop-ups on the landing page. And if your site gets listed on pages with referral links, it would help these spammy sites to gain positions in the Search Engine Result Pages (SERPs)…
However, I just took care of them in pretty much the same manner as I took care of the PHPinclude.worm last week, by not showing any content. It won’t stop them, but at least they won’t waist any of my sites resources and bandwidth.
Here’s the php code used at the moment:
if(eregi(”4free.gb.com”,getenv(”HTTP_REFERER”),$regs)) {
print(” ”); exit;
}
Ha! Now there are lots more like this, but since the 4free stuff is so frequent in my logs they are the first to go.