boakes.org

I’ve recently been getting “referrer spam”. What happens is this. A program, somewhere, on some zombie computer, visits my website and when it does so it wells my webserver that it was directed to the site from website-x.

Referrer spamming has become a problem because some (many) websites publish the list of their top referrers. This means that from the spammer’s perspective it’s possible to get a third party website to link to your own site just by visiting their site a few times. The benefit for them is that as the number of links to their website increases, so does their ranking among search engines.

The clever thing about the referral spam I’m getting at the moment is this: not only does “website-x” keep changing (because whoever is behind this scam has a lot of domain names to play with, e.g. “website y” and “website z“) but also when the initial referral is made, the website is configured to appear as if it has been disabled by it’s ISP - see Fig. 1.

In fact it’s not disabled at all. This is a clever ruse to subvert the attention of the astute and careful sysadmin who monitors his machines for malpractice or misdoings thereon.

After a few days, the site switches from the “Account Terminated” page, and it redirects to whichever credit card, loan, pharmecutical, mortgage (see Fig. 2) or other website the owner desires. The sysadmin (in this case me) has been duped into thinking the spam is old and that nothing need be done - it is consigned to the “dealt-with” pile.

Incidentally, the owner, according to the whois database is a Mr. Thomas Reece. After I started looking around the net I discovered that several other wordpress users were receiving the attentions of Mr. Reece and had started blogging about it, including ThePete and Ann Elisabeth.

I’m going to watch what happens with these spams over the next week or two and come up with a solution based on the behaviour pattern that emerges.