I’ve gotten a few suspicious URLs in my website referrer logs today, but the number this morning was much higher than usual. For those unfamiliar with the personal website egomania revelry of scanning your referrer logs for evidence that people like you, they really like you, … here’s the scoop. Of course, the real world is more complicated than what I am about to explain, but I don’t have time to write a book and you wouldn’t read it anyway.
When you click on a link on a web page, your web browser sends a request for a resource to a server. For example, when you click on the Wombat Nation banner on this page, your web browser sends a request for a resource identified by the URL “https://www.wombatnation.com/” to the web server that hosts my website. Typically, the resource is a web page.
The request (technically, an HTTP request) that your browser sends includes a couple pieces of identifying info. One bit is called the user agent. The user agent string can be used to identify the type of web browser you are using, for example, IE, Mozilla, Mozilla Firebird, Konqueror, Safari, Opera, etc. The user agent often includes info about what operating system you are using. Here’s the user agent for my favorite browser on my Linux system. Try to use it to determine my astrological sign.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Another bit of info in the request is the referrer. The referrer is the URL for the page you were on when you clicked the link. So, unless your web browser allows you to disable this, the webmaster of a site can tell how you got to her website. She can also use it to track how you move around her website.
Yes, I also immediately thought of Poindexter and Cheney. No, they didn’t think this scheme up, though they wish they did. And, no, referrers aren’t pure evil, unlike those two. Referrers can be used for good or for evil, so they’re sort of like nuclear reactions.
Back to the egomania. Every day I briefly check out my referrers log. That report tells me what links on other websites people have followed to get to my website. This is how I found out about a story in German at Der Spiegel Online that linked to PhoneBlogger.
Every now and then I check out a URL in my referrer log only to discover that it points to a page that contains no links to my website. Usually, it’s some kind of fly-by-night online retailer.
Since the bit of code in a web browser that sends an HTTP request isn’t exactly rocket science, obviously it’s possible for a knuckle-dragging spammer to write a program that requests web pages, but sends a phony referrer. Okay, the spammers probably pay a college intern to write the code, but it gets written somehow. So, the spammer could then use such a program to send a request for a page from my site and fill in the referrer section of the HTTP request with a URL for the spammer’s site. I see the URL in my referrer log, I’m overcome with curiosity, and I go check out the site. The spammer now has her foot in the door.
So, what happened today that was different? I saw a bunch of phony referrers in my log that looked very suspicious. Each URL led to a weblog with a different layout. But, there were a couple striking similarities.
- Each blog is brand new
- Each blog consists of a series of short posts, usually summarizing other news articles from legitimate news sources
- Each post is on the same day at the same time, or offset by a repeating time interval
- When you view the page source, one of the last lines is something like
  <a href="http://www.example.com/adult-webcam/"><img src="/adult-webcam.gif" width="78" height="24" border="0">
  with example.com replaced with the domain name for each site
- Every link includes
  onMouseOver='window.status=" ";return true;
  in the <a href>, so the status bar won’t show the URL
- Each site has a list of links or referrers. Some of the referrers are legitimate websites and some are ad tracking sites or porn sites
- Some of the sites have a small blogroll. Many of the blogroll entries are popular, legitimate weblogs.
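The two strongest tells above (a referring page with no link back to my site, and anchors that blank the status bar) can be checked mechanically. This is an added example, not part of the original post; the log lines, the `.example` hosts and the page HTML are constructed, and the referrer pages are assumed to have been fetched already.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

MY_HOST = "www.wombatnation.com"  # the site named in the post
# Tail of a Combined Log Format line: "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'"[A-Z]+ \S+ [^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')

class LinkAudit(HTMLParser):
    """Collect linked hosts and count anchors that blank the status bar."""
    def __init__(self):
        super().__init__()
        self.hosts, self.hidden = set(), 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs) if tag == "a" else {}  # attribute names arrive lowercased
        host = urlsplit(a.get("href") or "").hostname
        if host:
            self.hosts.add(host.lower())
        if "window.status" in (a.get("onmouseover") or ""):
            self.hidden += 1

def external_referrers(lines):
    """Referrer URLs in the log whose host is not our own site ("-" has none)."""
    refs = {m["ref"] for m in map(LOG_RE.search, lines) if m}
    hosts = {r: (urlsplit(r).hostname or "").lower() for r in refs}
    return {r for r, h in hosts.items() if h and h != MY_HOST}

def audit_log(lines, pages):
    """Map each suspicious referrer to the reasons it was flagged."""
    flagged = {}
    for ref in sorted(external_referrers(lines)):
        audit = LinkAudit()
        audit.feed(pages.get(ref, ""))
        reasons = [] if MY_HOST in audit.hosts else ["no link back"]
        if audit.hidden:
            reasons.append("status bar hidden")
        if reasons:
            flagged[ref] = reasons
    return flagged

# Constructed sample data: four log lines and two already-fetched referrer pages.
_FMT = '192.0.2.7 - - [10/Nov/2003:09:14:02 -0800] "GET / HTTP/1.1" 200 5120 "{}" "Mozilla/5.0"'
LOG = [_FMT.format(r) for r in ("http://friend.example/links.html",
       "http://newblog.example/", "https://www.wombatnation.com/", "-")]
PAGES = {
    "http://friend.example/links.html": '<a href="https://www.wombatnation.com/">Wombat Nation</a>',
    "http://newblog.example/": '<a href="http://shop.example/" onMouseOver=\'window.status=" ";return true;\'>news</a>',
}
print(audit_log(LOG, PAGES))
```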
Here’s a couple of the URLs of the spammer blogs that showed up in my referrer logs today.
- www.jennifersblog.com – Jennifer’s blog
- www.saulem.com – Saulem.com
- www.wr18.com – UFO blog
- www.bongohome.com – Art News
A little research at my favorite sites for quick, basic domain name research, Whois Source and InterNic Whois Search, led to the discovery that all the sites are hosted at stargate.com and the domain name registry entries were created on November 8 and updated on November 10.
I’m amazed by the detail put into creating these phony weblogs, but I should probably be more amazed that I spent so much time writing about it.
I was checking my website logs last night and noticed the same large increase in fake referrers. Jennifersblog was in my logs, and a quick surf there revealed a boring blog with several brief comments but nothing more. I saw the URL of my log-viewing page in the links page along with several similar URLs so it was pretty clear what was going on.
Very sophisticated. It’s interesting to watch how spammers’ techniques advance over time. A lot more email spam gets through my ISP’s SpamAssassin filters these days, and many of them are barely distinguishable from real email.
Maybe it’s time for a “BlogAssassin” to detect these fake blogs and remove them from your referrer logs. The escalation continues.
I’ve had several SPAM comments lately but they’re less sophisticated… I almost approved them! Check this post on my site. Hey, now I sound like one of them 😀