Alexandre Krouglov

New (for me) referrer spammer today.

Alexandre Krouglov

He’s like a terrier, keeps shaking the same pages. Better block him fast if you have the misfortune of receiving his attention:

216.255.178.130

5 Responses to “Alexandre Krouglov”

  1. Olliver Says:

    Doumo origatou, Ann-Elisabeth.

    Funny incidence, I’ve just been wondering about that idiot hammering one of my articles like insane. Got 13 times humidifier.nebenjob.spb.ru. If you say it’s always the same ip address, then it’s alright with me. Saves a lot of work :-)

  2. Manni Says:

    Seems that these aren’t exactly subdomains. That’s ugly. spb.ru, according to the whois information, is the “geographical domain for St. Petersburg”.

    Of course, I have no idea how to get one of those domains, whether they have some sort of whois information on them, and whether a complaint is worth the effort.

  3. Olliver Says:

    Well, consider how often someone has linked to you from a spb.ru domain. Speaking of me and the sites I administer, the amount has been zero so far. In this case blocking spb.ru may be an option until these accounts are dead. But if the spam originates from the same address anyway, blocking the ip should already do the trick.

    Maybe something to consider for spammers: Either use the same address or a stupid user agent, then anyone who doesn’t want to have this sort of advertisement (or “rich content” as they call it in New Speech) can easily opt out by means of mod_setenvif/mod_rewrite.

  4. Manni Says:

    Good point, Olliver. On my wiki I simply block the display of the spammy referrers, not the page accesses themselves, so the damage done by blocking all of spb.ru should be minimal ;-)

    Looks like this spammer actually does have an interesting signature: “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040804 Firefox/0.9.3”

    That’s the first spammer I’ve seen using Linux. Guess it’s time to get worried.

  5. Olliver Says:

    Manni, what you see isn’t quite what you get :-) you’d be surprised how many of them do use Linux or FreeBSD. For instance I once had to do with a Ukrainian spammer that occasionally checked whether his spam actually reaches the target by faking the Internet Explorer, but looking at the machine with Nmap revealed the requests actually came from a full-fledged Linux server. A couple of spammers use Curl because it doesn’t obey any redirects (for instance to Linux kernels :-) ) and comes with a couple of options that can be specified at runtime, thus safe to use and highly comfortable for scripting.

    In general you can immediately recognize a spoofed browser by its appearance in your logfiles: Because it doesn’t know how to deal with html, css or javascript, it wouldn’t load any further components except the requested document. So you’d actually see only one connection, while a genuine browser would request things embedded into the page as well: frames of a frameset, images, css/js files and everything.

    If you captured the HTTP headers sent, you’d spot another difference: Missing or mismatching headers. Each browser has its own unique blend of headers and values assigned to them, which the bot wouldn’t provide in most cases. Often there’s even nothing more than the user agent, referer and in case it’s HTTP/1.1 a host header. So looking for differences and formulating them to mod_rewrite rules could be another strategy to get rid of spammers without the hassle of adding tons of user agents, referred domains and ip addresses/ranges.
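The two heuristics the commenters describe (comment 3: block by ip or referring domain with mod_setenvif; comment 5: a bot fetches only the document and never the embedded css/js/images) can be checked directly against an access log. The script below is an added example written for this page, not code from the post or from any commenter. It assumes Apache “combined” log format, works on constructed sample lines (the ips and timestamps are made up; the referer domain is the one Olliver mentions), and emits Apache 2.2-style SetEnvIf/Deny directives whose syntax is assumed and should be reviewed before deployment. It does not cover the header-fingerprint idea in the last paragraph, because a standard access log does not record the full request headers.

```python
"""Flag referer spammers in an Apache 'combined' access log.

Heuristics, taken from the discussion above:
  - a real browser fetches a document *and* its embedded assets; a bot fetches only the document
  - a bot hammers one and the same document repeatedly
  - the referer it carries is on a domain you would never be linked from
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions a browser pulls automatically after loading an HTML document.
ASSET_EXTENSIONS = (".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico")

# Constructed sample log (not from the original page). 10.0.0.5 behaves like a
# browser; 10.0.0.9 behaves like the bot the commenters describe: 13 hits on the
# same article, no assets, referer on a .spb.ru host.
SAMPLE_LOG = (
    '10.0.0.5 - - [04/Aug/2004:10:00:00 +0200] "GET /articles/humidifier/ HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"\n'
    '10.0.0.5 - - [04/Aug/2004:10:00:01 +0200] "GET /style.css HTTP/1.1" 200 800 "http://blog.example.org/articles/humidifier/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"\n'
    '10.0.0.5 - - [04/Aug/2004:10:00:01 +0200] "GET /img/logo.png HTTP/1.1" 200 2300 "http://blog.example.org/articles/humidifier/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"\n'
    + "".join(
        f'10.0.0.9 - - [04/Aug/2004:10:05:{i:02d} +0200] "GET /articles/humidifier/ HTTP/1.0" 200 5120 '
        '"http://humidifier.nebenjob.spb.ru/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040804 Firefox/0.9.3"\n'
        for i in range(13)
    )
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased hostname of the Referer URL; '' when the referer is '-' or empty."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def host_matches(host, domain):
    """True if host is domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_clients(log_text, referer_blocklist=("spb.ru",), min_doc_hits=3):
    """Map each client ip to the reasons it looks like a referer spammer.

    Reasons: no_assets (documents fetched min_doc_hits+ times, never an asset),
    hammering (one path fetched min_doc_hits+ times), blocked_referer (referer on
    a blocklisted domain). Clients with no reason are omitted.
    """
    docs, assets = Counter(), Counter()   # ip -> document / asset request counts
    paths = defaultdict(Counter)          # ip -> path -> hits
    bad_ref = defaultdict(set)            # ip -> blocklisted referer hosts seen
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not in combined format
        ip, path = rec["ip"], rec["path"]
        if path.lower().endswith(ASSET_EXTENSIONS):
            assets[ip] += 1
        else:
            docs[ip] += 1
            paths[ip][path] += 1
        host = referer_host(rec["referer"])
        if any(host_matches(host, d) for d in referer_blocklist):
            bad_ref[ip].add(host)
    result = {}
    for ip in set(docs) | set(assets) | set(bad_ref):
        reasons = []
        if docs[ip] >= min_doc_hits and assets[ip] == 0:
            reasons.append("no_assets")
        if paths[ip] and max(paths[ip].values()) >= min_doc_hits:
            reasons.append("hammering")
        if bad_ref[ip]:
            reasons.append("blocked_referer")
        if reasons:
            result[ip] = reasons
    return result


def apache_directives(flagged, referer_blocklist=("spb.ru",)):
    """Render Apache 2.2-style mod_setenvif/mod_access rules (assumed syntax) that
    tag blocklisted referers and flagged ips with an env var and deny them."""
    lines = [f'SetEnvIfNoCase Referer "{re.escape(d)}" spammer' for d in referer_blocklist]
    lines += [f'SetEnvIf Remote_Addr "^{re.escape(ip)}$" spammer' for ip in sorted(flagged)]
    lines += ["Order Allow,Deny", "Allow from all", "Deny from env=spammer"]
    return lines


if __name__ == "__main__":
    flagged = classify_clients(SAMPLE_LOG)
    for ip, reasons in sorted(flagged.items()):
        print(ip, ", ".join(reasons))
    print("\n".join(apache_directives(flagged)))
```

On the sample log only 10.0.0.9 is flagged, for all three reasons; the browser-like client fetched the stylesheet and the logo and so never trips the no-assets rule. Feed a real log in via `classify_clients(open(path).read())` and raise `min_doc_hits` to suit the site's traffic before acting on the output.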
