Loading ...
Sorry, an error occurred while loading the content.

Re: Webalizer Version 2.01 Strange referrer thingi...

Expand Messages
  • Enric Naval
    Hello, I answer in yahoo groups also. ... These are visits from spammers. This is because your stats page is public, and is getting indexed by google and by
    Message 1 of 2 , Aug 17, 2005
    • 0 Attachment
      Hello, I answer in yahoo groups also.


      --- tumugtog <tumugtog@...> wrote:

      > I have applied to have access into this forum but
      > there has been no
      > sign of the moderator to let me in since the sign up
      > page sais it's
      > pending approval... Anyway, I do try to ask you a
      > question here
      > after I saw your message here in the forum and
      > hopefully it would
      > reach you and other members and perhaps there is any
      > answer to
      > my 'Webalizer-Problem'. Your help is greatly
      > appreciated.
      >
      > 16.08.2005 01:14 CET by tumugtog
      >
      > I try my luck to ask you by e-mail about the
      > Webalizer which I am
      > using since years. Presently using it at
      > www.arj.at/logs and I am
      > most happy with it. Only what I observed since this
      > year - is
      > strange indeed... I give you a partial sample report
      > here taken at
      > this moment (August 2005):
      >
      > It's about the Referrers (exact url):
      > http://www.arj.at/logs/usage_200508.html#TOPREFS
      >
      > Top 30 of 2931 Total Referrers
      >
      > # Hits Referrer
      >
      > 1 62050 23.03% - (Direct Request)
      > 2 16438 6.10% http://www.arj.at/welcome.htm
      > 3 11990 4.45% http://www.arj.at/
      > 4 11122 4.13% http://www.arj.at/go.htm
      > 5 4450 1.65% http://sran.de.com/gay.html
      > 6 4446 1.65% http://rxmeds.afraid.org/paxil.html
      > 7 4440 1.65% http://kreza.hn.org/zoo.html
      > 8 4440 1.65%
      > http://mastercraft.rlights.com/incest.html
      > 9 4439 1.65% http://popa.dnsalias.org/fuck.html
      > 10 4439 1.65% http://popa.zenno.info/rape.html
      > 11 4439 1.65%
      > http://popadopulos.dnip.net/hentai.html
      > 12 4438 1.65% http://blevun.fw.nu/nude.html
      > 13 4438 1.65% http://jad.static.net/porno.html
      > 14 4438 1.65%
      > http://wakefly.findhere.org/mature.html
      > 15 4437 1.65% http://debeel.nerdcamp.net/gay/
      > 16 4437 1.65%
      > http://mitglied.lycos.de/klausm/files/
      > 17 4436 1.65%
      > http://california.afraid.org/en/porno.html
      > 18 4436 1.65%
      > http://yukka.serveuser.com/members/mature.html
      > 19 4435 1.65%
      > http://daideneg.byinter.net/zoo.html
      > 20 4435 1.65%
      > http://dengi.homeftp.org/pictures/fuck.html
      > 21 4435 1.65%
      > http://gothrasmus.do.sapo.pt/file/29.html
      > 22 4434 1.65%
      > http://emirates.chickenkiller.com/rape.html
      > 23 4433 1.65%
      > http://krestovsky.flnet.org/pics/gay.html
      > 24 4320 1.60% http://hernia.t28.net/incest.html
      > 25 3928 1.46%
      > http://kazaa-lite-sicher.download-kazaa-
      > lite-kaaza.info/
      > 26 3920 1.46%
      > http://kazaa-2-6-7.download-kazaa-lite-
      > kostenlos.info/
      > 27 2381 0.88% http://www.black-white.us/
      > 28 2059 0.76%
      > http://adult-incest-stories.macosnews.info/
      > 29 2051 0.76% http://murka.lamer.la/celebs/
      > 30 2048 0.76% http://www.arj.at/sitemap.htm
      >
      > With the exception of # 1,2,3,4,30 there is no clue
      > as to how all
      > these porn sites are listed as referrer... These
      > links can not be
      > followed up, there can be no linkage between these
      > porn sites and
      > mine, there has never been any contact to these porn
      > sites nor are
      > they known to me. I have absolutely no idea what's
      > going on with
      > these... Does anyone have any idea what may be
      > behind the whole
      > story? Strange even the hits - nearly all the same
      > with each 4400
      > hits something... Ours is only a private family
      > homepage and no
      > other stats is listing any such url as referrer as
      > listed above...
      > There just can't be no linkage with any of these
      > porn sites... Any
      > help would be apprecated to eliminate these
      > apparenty wrong
      > referrers.
      > tumugtog@...
      > If you post your answers here it's fine, after all I
      > can access
      > reading the messages until I hopefully can get in
      > here somehow.
      >
      >
      >
      >


      These are visits from spammers. This is because your
      stats page is public, and is getting indexed by google
      and by other search engines.

      The spammers are making fake visits to your server,
      putting their porn websites in the referrer field.
      They make lots of visits to make sure that their
      referrer appears in your top referrer list.

      They do this in lots of diferent servers.

      When their websites appear in lot of stats pages, the
      pagerank of their websites increases, and they get
      better results when searching for porn in google.



      Here I have placed some examples of visits made by
      spammers:

      http://griho.udl.es/naval/logs/spam/


      I was forced to make my stats pages private, because I
      was receiving so many visits from spammers that I
      couldn't see any more the real visits, and I was
      getting visited so many times that my server went down
      a pair of times.

      I also had to change the code of a weblog (based in
      b2evolution), so that it wouldn't show the stats,
      because it attracted spammers, and redirect the stats
      page in httpd.conf so that nobody could access the
      stats, and close the "order by month" feature because
      spammers were visiting every single month in the
      calendar:

      # say that the month(?m=) and stats(?disp=stats)
      # page are gone forever(G)
      RewriteCond %{QUERY_STRING} ^m= [OR]
      RewriteCond %{QUERY_STRING} disp=stats
      RewriteRule (.*) - [G]



      I only have one stats page left, and it is being
      constantly hammered by spammers. I have managed to
      clean a bit the logs by ignoring all visits to any
      stats page. Soon I'll also take down that page.


      You can put a password using the ".htaccess" file if
      you use apache. You will find tutorials on the
      internet.

      You can also move them to another URL, and ban that
      URL in the "robots.txt" file:

      User-agent: *
      Disallow: /usage


      Also, I use this script to clean my logfiles from spam
      visits. It's not perfect but it cleans most of the
      sh*t left by spammers. You can add your own websites
      to the lists inside the file:

      http://griho.udl.es/webalizer/clean_logs.sh



      You can see in your own stats that some referrers have
      exactly 4439 visits and have similar names ("popa.",
      "poapadopulos.". They are probably all owned by the
      same spammer, using the same program to fake visits.

      If you look at your Top Sites list, you will see that
      number 1 is "87.69-93-221.reverse.theplanet.com", with
      62327 hits, but strangely has 0 KBs and only 2 visits.
      This is probably because they are hammering your
      server with "HEAD / HTTP/1.1". This way, they can make
      fake visits faster, because HEAD uses less bandwith
      than GET. It you search your log files for
      "87.69-93-221.reverse.theplanet.com" you will probably
      find thousands of identical visits, one or two per
      minute, using porn websites in the referrers.

      That IP is from a machine hosting a spammer bot, which
      is a program designed specifically to polute our stats
      with porn referres.

      Lately, those spammer bots also simulate diferent User
      Agents, so you can find that they use hundreds of
      diferent user agents in only one hour. There are only
      two visits because during all the month the intervals
      between visits was less than 30 minutes, so webalizer
      is counting everything as a very long visit. Before
      they always visited at regular intervals, like "every
      minute", or "every minute and a half". Lately I have
      seen that make a few visits in 2 or 3 seconds, then
      wait a few seconds and make 4 or 5 visits. They seem
      to be using random number generators to decide when to
      visit, to prevent detection. Probably someone made a
      script that found and deleted those regular visits.


      They have probably a list of open stats pages. If you
      take your stats down, they will still go on visiting
      your server a few days, until they finally notice and
      take you off the list.


      Hope it was useful.

      P.D: Another very long post. :)


      Enric Naval
      Estudiante de Informática de Gestión en la Udl (Lleida)
      GRIHO webalizer.conf
      http://griho.udl.es/webalizer/webalizer.conf.txt

      __________________________________________________
      Do You Yahoo!?
      Tired of spam? Yahoo! Mail has the best spam protection around
      http://mail.yahoo.com
    • Colonel Angel
      I ve pretty much already did what Enric has said on my own server that I host off of. I created an .htaccess and .htpasswd (located outside of my public_html
      Message 2 of 2 , Aug 17, 2005
      • 0 Attachment
        I've pretty much already did what Enric has said on my
        own server that I host off of.

        I created an .htaccess and .htpasswd (located outside
        of my public_html folder) so that if I want to see
        stats or give someone else access to the stats outside
        of my LAN, I have to login to access that area.

        I found that this is very useful to do, because
        visitors do not need access to that information.

        If you can, once you figure out the IP addresses, you
        should be able to block them at your firewall,
        depending on the OS and firewall you are using.

        There are plenty of .htaccess tutorials around for
        your Apache Web Server. Take a look at them and
        figure out your best solution to keep the spammers
        out.

        Pat M.
        Net Design Conceptions
        www.netdesignconceptions.com



        --- Enric Naval <enventa2000@...> wrote:

        > Hello, I answer in yahoo groups also.
        >
        >
        > --- tumugtog <tumugtog@...> wrote:
        >
        > > I have applied to have access into this forum but
        > > there has been no
        > > sign of the moderator to let me in since the sign
        > up
        > > page sais it's
        > > pending approval... Anyway, I do try to ask you a
        > > question here
        > > after I saw your message here in the forum and
        > > hopefully it would
        > > reach you and other members and perhaps there is
        > any
        > > answer to
        > > my 'Webalizer-Problem'. Your help is greatly
        > > appreciated.
        > >
        > > 16.08.2005 01:14 CET by tumugtog
        > >
        > > I try my luck to ask you by e-mail about the
        > > Webalizer which I am
        > > using since years. Presently using it at
        > > www.arj.at/logs and I am
        > > most happy with it. Only what I observed since
        > this
        > > year - is
        > > strange indeed... I give you a partial sample
        > report
        > > here taken at
        > > this moment (August 2005):
        > >
        > > It's about the Referrers (exact url):
        > > http://www.arj.at/logs/usage_200508.html#TOPREFS
        > >
        > > Top 30 of 2931 Total Referrers
        > >
        > > # Hits Referrer
        > >
        > > 1 62050 23.03% - (Direct Request)
        > > 2 16438 6.10% http://www.arj.at/welcome.htm
        > > 3 11990 4.45% http://www.arj.at/
        > > 4 11122 4.13% http://www.arj.at/go.htm
        > > 5 4450 1.65% http://sran.de.com/gay.html
        > > 6 4446 1.65%
        > http://rxmeds.afraid.org/paxil.html
        > > 7 4440 1.65% http://kreza.hn.org/zoo.html
        > > 8 4440 1.65%
        > > http://mastercraft.rlights.com/incest.html
        > > 9 4439 1.65% http://popa.dnsalias.org/fuck.html
        >
        > > 10 4439 1.65% http://popa.zenno.info/rape.html
        > > 11 4439 1.65%
        > > http://popadopulos.dnip.net/hentai.html
        > > 12 4438 1.65% http://blevun.fw.nu/nude.html
        > > 13 4438 1.65% http://jad.static.net/porno.html
        > > 14 4438 1.65%
        > > http://wakefly.findhere.org/mature.html
        > > 15 4437 1.65% http://debeel.nerdcamp.net/gay/
        > > 16 4437 1.65%
        > > http://mitglied.lycos.de/klausm/files/
        > > 17 4436 1.65%
        > > http://california.afraid.org/en/porno.html
        > > 18 4436 1.65%
        > > http://yukka.serveuser.com/members/mature.html
        > > 19 4435 1.65%
        > > http://daideneg.byinter.net/zoo.html
        > > 20 4435 1.65%
        > > http://dengi.homeftp.org/pictures/fuck.html
        > > 21 4435 1.65%
        > > http://gothrasmus.do.sapo.pt/file/29.html
        > > 22 4434 1.65%
        > > http://emirates.chickenkiller.com/rape.html
        > > 23 4433 1.65%
        > > http://krestovsky.flnet.org/pics/gay.html
        > > 24 4320 1.60% http://hernia.t28.net/incest.html
        >
        > > 25 3928 1.46%
        > > http://kazaa-lite-sicher.download-kazaa-
        > > lite-kaaza.info/
        > > 26 3920 1.46%
        > > http://kazaa-2-6-7.download-kazaa-lite-
        > > kostenlos.info/
        > > 27 2381 0.88% http://www.black-white.us/
        > > 28 2059 0.76%
        > > http://adult-incest-stories.macosnews.info/
        > > 29 2051 0.76% http://murka.lamer.la/celebs/
        > > 30 2048 0.76% http://www.arj.at/sitemap.htm
        > >
        > > With the exception of # 1,2,3,4,30 there is no
        > clue
        > > as to how all
        > > these porn sites are listed as referrer... These
        > > links can not be
        > > followed up, there can be no linkage between these
        > > porn sites and
        > > mine, there has never been any contact to these
        > porn
        > > sites nor are
        > > they known to me. I have absolutely no idea what's
        > > going on with
        > > these... Does anyone have any idea what may be
        > > behind the whole
        > > story? Strange even the hits - nearly all the same
        > > with each 4400
        > > hits something... Ours is only a private family
        > > homepage and no
        > > other stats is listing any such url as referrer as
        > > listed above...
        > > There just can't be no linkage with any of these
        > > porn sites... Any
        > > help would be apprecated to eliminate these
        > > apparenty wrong
        > > referrers.
        > > tumugtog@...
        > > If you post your answers here it's fine, after all
        > I
        > > can access
        > > reading the messages until I hopefully can get in
        > > here somehow.
        > >
        > >
        > >
        > >
        >
        >
        > These are visits from spammers. This is because your
        > stats page is public, and is getting indexed by
        > google
        > and by other search engines.
        >
        > The spammers are making fake visits to your server,
        > putting their porn websites in the referrer field.
        > They make lots of visits to make sure that their
        > referrer appears in your top referrer list.
        >
        > They do this in lots of diferent servers.
        >
        > When their websites appear in lot of stats pages,
        > the
        > pagerank of their websites increases, and they get
        > better results when searching for porn in google.
        >
        >
        >
        > Here I have placed some examples of visits made by
        > spammers:
        >
        > http://griho.udl.es/naval/logs/spam/
        >
        >
        > I was forced to make my stats pages private, because
        > I
        > was receiving so many visits from spammers that I
        > couldn't see any more the real visits, and I was
        > getting visited so many times that my server went
        > down
        > a pair of times.
        >
        > I also had to change the code of a weblog (based in
        > b2evolution), so that it wouldn't show the stats,
        > because it attracted spammers, and redirect the
        > stats
        > page in httpd.conf so that nobody could access the
        > stats, and close the "order by month" feature
        > because
        > spammers were visiting every single month in the
        > calendar:
        >
        > # say that the month(?m=) and stats(?disp=stats)
        > # page are gone forever(G)
        > RewriteCond %{QUERY_STRING} ^m= [OR]
        > RewriteCond %{QUERY_STRING} disp=stats
        > RewriteRule (.*) - [G]
        >
        >
        >
        > I only have one stats page left, and it is being
        > constantly hammered by spammers. I have managed to
        > clean a bit the logs by ignoring all visits to any
        > stats page. Soon I'll also take down that page.
        >
        >
        > You can put a password using the ".htaccess" file if
        > you use apache. You will find tutorials on the
        > internet.
        >
        > You can also move them to another URL, and ban that
        > URL in the "robots.txt" file:
        >
        > User-agent: *
        > Disallow: /usage
        >
        >
        > Also, I use this script to clean my logfiles from
        > spam
        > visits. It's not perfect but it cleans most of the
        > sh*t left by spammers. You can add your own websites
        > to the lists inside the file:
        >
        === message truncated ===




        __________________________________
        Yahoo! Mail
        Stay connected, organized, and protected. Take the tour:
        http://tour.mail.yahoo.com/mailtour.html
      Your message has been successfully submitted and would be delivered to recipients shortly.