Joe Maller.com

The last 24 hours have seen a massive onslaught of referer porn spam. Unlike last time, the current attack’s IP addresses are coming from all over the world (yes, it’s still coming…). Either someone is spoofing IPs, some spyware-worm is installed in Windows MSIE (all hits are identifying as flavors of Windows IE), or this is among the first exploits of the newest Microsoft security hole. I’m betting on distributed spyware.

Most of the IP addresses are from outside the US, so legal action or billing for exploited bandwidth aren’t really practical options (as if I have the time). A few even came out of Saudi Arabia, where someone could probably get into a great deal of serious trouble/bodily harm for aiding the spread of pornography, however unwittingly.

At first I tried doing what I did before, and went so far as to add an IP blacklist of spamming IPs to my referer log scripts. That worked for about 15 minutes, then different machines started hitting the server. This was also when I became convinced that this was a distributed spamstorm, and most likely individual computers were being exploited without their users’ knowledge. There was only a small set of URLs which were being repeated, so I switched to banning requests based on the contents of the referer string.

The banned sites were added to my root .htaccess like this:

RewriteCond %{HTTP_REFERER} ^http://www\.porn-site-hostname1.*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://www\.porn-site-hostname2.*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://www\.porn-site-hostname3.*$
RewriteRule ^.* - [F,L]

I’m not posting the actual names because I don’t want to get banned in schools, but several of the sites use the word ‘mature’ in the URL. If anyone is having a similar problem, send me a note and I’ll email you my actual htaccess lines.

Anyway, I came up with a slightly goofy warning page for the slim possibility that an actual person was at their computer when this was happening. Here’s the warning page a person would see if their referer was spoofed from the spam set. Redirecting to that page created a nasty loop which was bogging down the server, since the redirected request still carried the spoofed referer and matched the rule again. I switched to forbidding (403) access instead.
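The two steps above, spotting the small set of referer URLs that keep showing up from many different client addresses and turning them into .htaccess rules, can be scripted. The following is an added example, not code from this site or from Apache. It parses a few constructed Apache combined-format log lines (placeholder hosts and documentation IP ranges, not the real spam sites), picks out referer hosts seen from at least two distinct client IPs, and emits RewriteCond/RewriteRule lines. It also shows the loop-safe form of the redirect-to-warning-page variant: an extra RewriteCond excluding the warning page itself, so the redirected request (which still carries the spoofed referer) is not matched again. The warning page path and the log lines are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (placeholder hostnames, RFC 5737 test addresses).
# Two referer hosts recur from several different client IPs; one legitimate
# referer and one empty referer ("-") are mixed in.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Aug/2004:10:01:12 -0700] "GET / HTTP/1.1" 200 5120 "http://www.spam-host-a.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [05/Aug/2004:10:01:13 -0700] "GET /about/ HTTP/1.1" 200 3210 "http://www.spam-host-a.example/gallery" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.44 - - [05/Aug/2004:10:01:15 -0700] "GET / HTTP/1.1" 200 5120 "http://www.spam-host-b.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 2000)"
203.0.113.11 - - [05/Aug/2004:10:01:16 -0700] "GET /blog/ HTTP/1.1" 200 8800 "http://www.spam-host-a.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [05/Aug/2004:10:01:20 -0700] "GET /blog/ HTTP/1.1" 200 8800 "http://www.spam-host-b.example/x" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.45 - - [05/Aug/2004:10:01:22 -0700] "GET /blog/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us)"
192.0.2.46 - - [05/Aug/2004:10:01:25 -0700] "GET /blog/ HTTP/1.1" 200 8800 "http://friendly-site.example/links" "Mozilla/5.0 (X11; U; Linux i686)"
"""


def parse_log(text):
    """Parse combined-format log text into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def referer_host(referer):
    """Normalised hostname from a referer string, or None for empty / "-" referers."""
    if not referer or referer == "-":
        return None
    host = (urlsplit(referer).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host or None


def suspect_hosts(records, min_ips=2):
    """Referer hosts seen from at least `min_ips` distinct client addresses.

    This is the signature described in the post: a small, repeated set of
    referer URLs arriving from many different machines.
    """
    ips_by_host = {}
    for r in records:
        host = referer_host(r["referer"])
        if host:
            ips_by_host.setdefault(host, set()).add(r["ip"])
    return sorted(h for h, ips in ips_by_host.items() if len(ips) >= min_ips)


def htaccess_rules(hosts, warning_page=None):
    """Emit mod_rewrite lines that block requests whose referer is one of `hosts`.

    With warning_page=None the request is forbidden (403), the post's final form.
    With a warning_page path, the request is redirected there, and a leading
    RewriteCond excludes that path so the redirected request, which still
    carries the same referer, does not match again and loop.
    """
    lines = ["RewriteEngine On"]
    if warning_page:
        lines.append("RewriteCond %{REQUEST_URI} !^" + re.escape(warning_page) + "$")
    for i, host in enumerate(hosts):
        pattern = host.replace(".", r"\.")  # literal dots in the Apache regex
        flags = "[NC,OR]" if i < len(hosts) - 1 else "[NC]"
        lines.append("RewriteCond %{HTTP_REFERER} ^https?://(www\\.)?" + pattern + " " + flags)
    if warning_page:
        lines.append("RewriteRule ^.* " + warning_page + " [R,L]")
    else:
        lines.append("RewriteRule ^.* - [F,L]")
    return "\n".join(lines)


if __name__ == "__main__":
    hosts = suspect_hosts(parse_log(SAMPLE_LOG))
    print("# forbid (403) variant")
    print(htaccess_rules(hosts))
    print("\n# redirect-to-warning-page variant, loop-safe")
    print(htaccess_rules(hosts, warning_page="/warning.html"))
```

The threshold in `suspect_hosts` is deliberately a count of distinct client addresses rather than raw hits, because that is what distinguishes the distributed pattern from one eager legitimate visitor; raise `min_ips` on a busy site. The `[NC]` flag makes the host match case-insensitive, and `https?://(www\.)?` tolerates the scheme and `www` variations the fixed `^http://www\.` prefix in the post's rules would miss.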

Dealing with this crap makes me feel dirty.

Update August 6: I found the source of the spam, and it’s not a distributed attack, not in the usual sense anyway. I’m looking into various ‘black-hat’ exploits to stop this, I’ll post details and results when I figure something out.
