Google Sign in options
Remember me
This is not recommended for shared computers

Privacy Policy
Sign In
Create Account

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Subscribe to HRA Now!

Are you a Google Analytics enthusiast?

Share and download Custom Google Analytics Reports, dashboards and advanced segments--for FREE!

www.CustomReportSharing.com

From the folks who brought you High Rankings!

Is This Code Correct To Stop Referer Spam?

Started by hegu , Dec 27 2011 07:29 PM

Please log in to reply

8 replies to this topic

#1 hegu

HR 4

Active Members
118 posts

Posted 27 December 2011 - 07:29 PM

I am seeing plenty of urls like this in my logs.

CODE

http://83.133.124.250/?xurl=http://83.133.124.250/lzD2KDYD7R3JvRC5df7e5d00c2ac80539a405bd23c66885806g&xref=http://mysite.com

http://76.73.39.226/?xurl=http://76.73.39.226/IAR19tTE6R7M6lu3c2990f77aa8229cb50993b3c84185e3228x&xref=http://mysite.com

There is 'xurl' and 'xref' in urls constantly.

I can block these visitors by the following code in my root htaccess?

CODE

RewriteEngine On
RewriteCond %{HTTP_REFERER} (?xurl=) [NC,OR]
RewriteCond %{HTTP_REFERER} (&xref=) [NC]
RewriteRule .* - [F,L]

thanks.

Back to top

#2 Michael Martinez

HR 9

Active Members
4,805 posts

Location:Georgia

Posted 28 December 2011 - 04:38 PM

XURL is a URL shortening service. Are you SURE you're trying to block referrer spam?

Back to top

#3 hegu

HR 4

Active Members
118 posts

Posted 28 December 2011 - 10:55 PM

QUOTE(Michael Martinez @ Dec 28 2011, 06:38 PM)

XURL is a URL shortening service. Are you SURE you're trying to block referrer spam?

Which url shortening service?

All these hits are pointing to index.php of the web site. Hundreds of them. Not even a single visitor goes from index.php to another page. every time 3 - 5 hits to index.php from an ip with in few seconds time.

Back to top

#4 chrishirst

A not so moderate moderator.

Moderator
5,882 posts

Location:Blackpool UK

Posted 29 December 2011 - 10:23 AM

Well the IPs are from a German (Hessen) and a US (Chicago) DSL providers. So it is more likely to be "zombied" computers that are being used to seek out another victim.

Referrer spambots leave a real URI of the website that is being "promoted"

Back to top

#5 hegu

HR 4

Active Members
118 posts

Posted 29 December 2011 - 02:27 PM

QUOTE(chrishirst @ Dec 29 2011, 12:23 PM)

Referrer spambots leave a real URI of the website that is being "promoted"

So they are not actually leaving any url of their website in my logs, they are not referer spambots?

Back to top

#6 chrishirst

A not so moderate moderator.

Moderator
5,882 posts

Location:Blackpool UK

Posted 29 December 2011 - 05:17 PM

Probably not, on some of the sites we host, similar referrers were appearing which seemed to be a prelude to a couple of "mass meshing" and code injection attacks.
http://blog.armorize...sidenamejs.html

NB: The virus alert you may get on that page is a false positive so you may want to disable your AV first.

More info here.
http://sucuri.net/ma...idename-js.html
http://sucuri.net/ma...minibar-js.html