Is This Code Correct To Stop Referer Spam?


8 replies to this topic

#1 hegu

hegu

    HR 4

  • Active Members
  • 118 posts

Posted 27 December 2011 - 07:29 PM

I am seeing plenty of URLs like this in my logs.

CODE
http://83.133.124.250/?xurl=http://83.133.124.250/lzD2KDYD7R3JvRC5df7e5d00c2ac80539a405bd23c66885806g&xref=http://mysite.com

http://76.73.39.226/?xurl=http://76.73.39.226/IAR19tTE6R7M6lu3c2990f77aa8229cb50993b3c84185e3228x&xref=http://mysite.com


There are 'xurl' and 'xref' in the URLs constantly.

Can I block these visitors with the following code in my root htaccess?

CODE
RewriteEngine On
RewriteCond %{HTTP_REFERER} (?xurl=) [NC,OR]
RewriteCond %{HTTP_REFERER} (&xref=) [NC]
RewriteRule .* - [F,L]


thanks.

#2 Michael Martinez

Michael Martinez

    HR 10

  • Active Members
  • 5,012 posts
  • Location:Georgia

Posted 28 December 2011 - 04:38 PM

XURL is a URL shortening service. Are you SURE you're trying to block referrer spam?


#3 hegu

hegu

    HR 4

  • Active Members
  • 118 posts

Posted 28 December 2011 - 10:55 PM

QUOTE(Michael Martinez @ Dec 28 2011, 06:38 PM)
XURL is a URL shortening service. Are you SURE you're trying to block referrer spam?


Which URL shortening service?

All these hits are pointing to index.php of the web site. Hundreds of them. Not even a single visitor goes from index.php to another page. Every time, 3 - 5 hits to index.php from an IP within a few seconds' time.

#4 chrishirst

chrishirst

    A not so moderate moderator.

  • Moderator
  • 6,661 posts
  • Location:Blackpool UK

Posted 29 December 2011 - 10:23 AM

Well, the IPs are from German (Hessen) and US (Chicago) DSL providers. So it is more likely to be "zombied" computers that are being used to seek out another victim.


Referrer spambots leave a real URI of the website that is being "promoted"

#5 hegu

hegu

    HR 4

  • Active Members
  • 118 posts

Posted 29 December 2011 - 02:27 PM

QUOTE(chrishirst @ Dec 29 2011, 12:23 PM)
Referrer spambots leave a real URI of the website that is being "promoted"

So they are not actually leaving any URL of their website in my logs; they are not referer spambots?




#6 chrishirst

chrishirst

    A not so moderate moderator.

  • Moderator
  • 6,661 posts
  • Location:Blackpool UK

Posted 29 December 2011 - 05:17 PM

Probably not. On some of the sites we host, similar referrers were appearing, which seemed to be a prelude to a couple of "mass meshing" and code injection attacks.
http://blog.armorize...sidenamejs.html

NB: The virus alert you may get on that page is a false positive so you may want to disable your AV first.

More info here.
http://sucuri.net/ma...idename-js.html
http://sucuri.net/ma...minibar-js.html

#7 hegu

hegu

    HR 4

  • Active Members
  • 118 posts

Posted 04 January 2012 - 11:55 AM

If I want to block these referer URLs, is the .htaccess code in my first post still correct?

#8 chrishirst

chrishirst

    A not so moderate moderator.

  • Moderator
  • 6,661 posts
  • Location:Blackpool UK

Posted 06 January 2012 - 10:42 AM

You should "escape" the ? with a backslash, i.e. \?, to signify it is a literal character rather than a special or meta character in the expression.

#9 hegu

hegu

    HR 4

  • Active Members
  • 118 posts

Posted 08 January 2012 - 09:22 AM

Thanks. Working perfectly. (Need to check rewrite logs for any errors though, if any.)
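Added example (not part of any post in this thread): a Python log check that matches the literal `?xurl=` / `&xref=` referer tokens with the `?` escaped as advised in post #8, and flags IPs showing the burst of hits described in post #3. The log lines are constructed with documentation IP ranges, and the 10-second window, the 3-hit threshold and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Literal "?xurl=" or "&xref=" anywhere in the Referer, case-insensitive like [NC].
# re.escape() adds the backslash before "?" so it is not read as a metacharacter.
SPAM_REFERER = re.compile(
    "|".join(re.escape(t) for t in ("?xurl=", "&xref=")), re.IGNORECASE)

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Dec/2011:19:20:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://198.51.100.7/?xurl=http://198.51.100.7/AbC123&xref=http://mysite.com" "Mozilla/4.0"
192.0.2.10 - - [27/Dec/2011:19:20:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://198.51.100.7/?xurl=http://198.51.100.7/AbC123&xref=http://mysite.com" "Mozilla/4.0"
192.0.2.10 - - [27/Dec/2011:19:20:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://198.51.100.7/?xurl=http://198.51.100.7/AbC123&xref=http://mysite.com" "Mozilla/4.0"
203.0.113.5 - - [27/Dec/2011:19:21:10 +0000] "GET /about.php HTTP/1.1" 200 2048 "http://www.example.com/search?q=xurl" "Mozilla/5.0"
198.51.100.20 - - [27/Dec/2011:19:25:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://198.51.100.9/?XURL=http://198.51.100.9/Zz9&xref=http://mysite.com" "Mozilla/4.0"
"""

def is_spam_referer(referer):
    """True when the referer contains a literal ?xurl= or &xref= token."""
    return SPAM_REFERER.search(referer) is not None

def flag_spam_bursts(log_text, window=timedelta(seconds=10), min_hits=3):
    """Return {ip: hits} for IPs with at least min_hits matching requests
    inside any span of `window` (both thresholds are assumptions)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_spam_referer(m["ref"]):
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(flag_spam_bursts(SAMPLE_LOG))
```

The pattern here is compiled by Python's `re` module, not by Apache's regex engine, so it checks the matching logic against logs rather than validating the `.htaccess` syntax itself.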



