WWW - Blocking spam referer zombie attacks (Andrewsaluk)

Lately, I’ve been regulary spammed by BS sites trying to gain some google rank popularity by adding their referal to ppl’s referer list (Is that “Referer” or “Referrer” by the way?).
Depending on the quality of the spam, it’s accessing the site (generating random url sources and platforms or not) and refering to the same base url.

I started by filtering out the spamer’s url in the referer, which is “Adrewsaluk”, but it didn’t stopped the massive amount of ping against the server. And of course, bbclone kept logging every single one, bugging the stats. After some slight searchs, I found that blocking access by referer was possible using .htaccess. That was exactly what I was looking for, as every single access was logged as a different source but refering to the same url.

Here are the lines I’ve added to mine. Beware of the carriage returns. Your file must be in ascii format.

  • RewriteEngine On
  • RewriteCond %{HTTP_REFERER} (texas-holdem\.andrewsaluk\.com) [NC,OR]
  • RewriteCond %{HTTP_REFERER} (www\.andrewsaluk\.com) [NC]
  • RewriteRule .* - [F,L]

The 403 error that will be generated can be a problem by itself because of the denial of service it generates (if the spam is huge).
I’ve read somewhere something about setting a custom 403 page in order to let “real human being” to link to the right page, instead of outputing a single 403 error page.
By the way, do not forget that a single error when editing your .htaccess file can result in forbidding the access to yourself, which can be embarrassing. ;)

If you wish to explore more rules and syntax, you should read this example of file (source here) :
[… read in extended]

 ### Block "referer spam" # # All rules are based on my everyday experience fighting referer-, # trackback- and comment spammers. These rules may or may not be # useful for third parties, but they certainly can be an example # of how to deal with illegitimate traffic. # # Be aware that these rules may cause a significant slowdown on # high traffic production sites. # # See also http://www.aaronlogan.com/downloads/htaccess.php for # more rulesets and keywords. # RewriteEngine On # # These lines block agents commonly used to harvest URLs and email # addresses. RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ URL\ Control.*$ [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.0\ .*Win\ 9x\ 4\.90.*$ [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.*Indy\ Library.*$ [NC,OR] # These lines block bots that use your bandwidth for their own # commercial reasons. RewriteCond %{HTTP_USER_AGENT} ^Linkwalker$ [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^NPBot.*$ [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.*TurnitinBot.*$ [NC,OR] # These lines block IP ranges which caused a huge amount of # different spam in the past. Yes, I know that's ugly. RewriteCond %{REMOTE_ADDR} ^206\.161\.124\.66 [OR] RewriteCond %{REMOTE_ADDR} ^212\.253\.2\.(20[0-9]) [OR] RewriteCond %{REMOTE_ADDR} ^66\.252\.30\.201 [OR] # These lines block referers by keywords such as 'anal' or 'gay'. # I don't really expect legitimate traffic from on of those. RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*-ass(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*-model(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*absolutely-male(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*adult(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*amateur(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*anal(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*anime(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*ass-picture(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*babes(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*barely(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*britney-spears(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*casino(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*credit(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*deprivation(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*disorder(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*ebony(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*erotic(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*female(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*fetish(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*ficken(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*freeonlinesingles(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*freetaboo(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*fuck-(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*gay(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*hardcore(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*heimverdienst(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*hentai(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*herbal(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*hustler(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*incest(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*insomnia(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*kontaktparadies(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*lesbian(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*loan(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*massearch(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*mature(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*mikeinbrazil(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*movie(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*naked(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*nude(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*pamela(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*paris-hilton(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*pics4(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*phentermine(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*playboy(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*playweb(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*poker(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*porn(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*pus*y(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*rape(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*sex(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*sleeping(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*teen(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*tits(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*video(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*wixen(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*xrate(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*xxx(-|.).*$ [NC,OR] # These lines block domains known to spam or to let spam. RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*2pursuit(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*3333\.ws(-|.)$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*axiomltd(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*chat-nett(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*crescentarian(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*cxa\.de$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*dydrom(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*dvdsqueeze(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*easythumbs(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*escorts2(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*freakycheats(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*hotgoth(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*hurricane-jeanne-pictures(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*hq-inform(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*i-shopping24(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*karupp(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*khmercity(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*kylos\.pl$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*kylos\.net$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*learnhowtoplay(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*legworld(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*livenet\.pl$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*nadinek(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*obrkweb(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*orospu(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*psxtreme(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*referer-script(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*roxtet(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*scat-only(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*seventwentyfour(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*shoesdiscount(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*skip\.pl$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*tecrep-inc(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*terashells(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*tower.ws(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*trueuninstall(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*tugbakoca(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*yellowbrick(-|.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*yelucie(-|.).*$  [NC] # These lines allow "dirty" referers from searchengines (no matter # what they are here for) as well as self references. RewriteCond %{HTTP_REFERER} !^http://(www\.)?.*aol(-|.).*$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?.*basquiat\.de(-|.).*$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?.*google(-|.).*$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?.*msn\.com(-|.).*$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?.*web\.de(-|.).*$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?.*yahoo(-|.).*$ # RewriteRule .* - [F,L]

4 Comments

  1. Clara said,

    March 13, 2005 @ 1:42 pm

    I’m not sure what’s happening, wiht your "spam referer zombie attacks."

    Your URLs show up twice in my Webalizer report for March through the 12th: 103 hits from andrewsaluk.com and 67 from texas-holdem.andrewsaluk [Edited to avoid more links to it]…. I clicked ‘back’ to your URLs - me, human being not robot - because I was curious who you were and what you’d said about a website focusing mostly on Indigenous philosophy and Ojibwe historical materials.

  2. Gwen Heliou said,

    March 14, 2005 @ 4:27 am

    Hi Clara,

    Huh, I’ve nothing to do with “Andrewsaluk”, except that some chinese site tried to log a huge amount of times to my website, using “Andrewsaluk” as referer information (Everything from this bot is a forgery). As many bloggers use to log automatically on their page the “referers” visiting their pages, it creates many erroneously “links back” to “Andrewsaluk”. And you need to know that “Links back” is the way Goggle rank pages over the internet. I’m not sure if you’re confusing me with the source of these abusive visits on your site or not, but I hope my explanations were helpfull.

    By the way, as a follow up to the article, I’ve discovered another easy way to avoid logging annoying bots. BBclone uses a very handfull and well described configuration file. It’s awaiting your own filters. For my own, I’ve just set something like ” .andrewsaluk. “, et voila. :)

  3. RFL said,

    May 17, 2005 @ 9:12 pm

    Julia Savicheva

    WWW - Blocking spam re…

  4. UAT said,

    May 18, 2005 @ 6:01 pm

    WWW - Blocking spam referer zombie attacks (Andrewsaluk)

    WWW - Blocking spam re…

RSS feed for comments on this post · TrackBack URI