March 2005

Killing referrer spam at the Apache level

Calm_Pear wrote on 2005/03/08:
he! :-) lol... but I'm not using apache and the link is down too... ;-)

Calm_Pear wrote on 2005/03/08:
Google's cache works...

Milo wrote on 2005/03/08:
Strange, the original is working fine for me...
Anyway, the trick amounts to adding the following three lines to your .htaccess file:

SetEnvIfNoCase Referer ".*(word1|word2|etc).*" BadReferrer
order deny,allow
deny from env=BadReferrer
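
A dry run of such a word list against existing access logs, before it goes into the three .htaccess lines above. This is an added example, not part of the original comment; it assumes Apache's "combined" log format, and the word list, log lines and function names are constructed for illustration.

```python
import re

# Constructed word list standing in for word1|word2|etc in the SetEnvIfNoCase line.
BAD_WORDS = ["poker", "cialis"]
# SetEnvIfNoCase does an unanchored, case-insensitive regex search, so the
# leading and trailing ".*" in the directive are not needed to match substrings.
BAD_REFERRER = re.compile("(" + "|".join(BAD_WORDS) + ")", re.IGNORECASE)

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (documentation IP ranges, example domains).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Mar/2005:10:00:01 +0100] "GET /log/42 HTTP/1.1" 200 5120 "http://blog.example/links.html" "Mozilla/5.0"
198.51.100.7 - - [08/Mar/2005:10:00:02 +0100] "GET / HTTP/1.1" 200 9000 "http://online-POKER.example/" "Mozilla/4.0"
203.0.113.5 - - [08/Mar/2005:10:00:03 +0100] "GET /log/42 HTTP/1.1" 200 5120 "http://heart-specialist.example/resources" "Mozilla/5.0"
192.0.2.44 - - [08/Mar/2005:10:00:04 +0100] "GET /feed HTTP/1.1" 200 700 "-" "FeedReader/1.0"
this line is not in combined format
"""

def dry_run(log_text):
    """Return (denied, unparsed): requests the rule would deny, and lines skipped."""
    denied, unparsed = [], []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            unparsed.append(line)  # keep these visible instead of silently dropping them
            continue
        referer = m.group("referer")
        hit = BAD_REFERRER.search(referer)
        if hit:
            denied.append((m.group("host"), referer, hit.group(1).lower()))
    return denied, unparsed

if __name__ == "__main__":
    denied, unparsed = dry_run(SAMPLE_LOG)
    for host, referer, word in denied:
        print(f"would deny {host}  referer={referer}  matched={word}")
    print(f"{len(unparsed)} line(s) skipped as unparseable")
```

The third sample line shows the false-positive risk of substring matching: a legitimate referrer containing "specialist" is denied because it contains one of the listed words.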

Mathieu 'P01' HENRI wrote on 2005/03/08:
Why would people make their stats public? o_Ô

I doubt it really interests anyone but the admin of the site, and it exposes their site to referrer spam.

Milo wrote on 2005/03/08:
I dunno, I kinda like seeing referrers at other sites... Also, referrers for specific weblog entries can be an interesting source of more information.

Mathieu 'P01' HENRI wrote on 2005/03/08:
Indeed. And your site is a great example of that. Have you ever had a case of referrer spam?

BTW, I got tricked 1 or 2 times by your referrer box when I checked the referrers in my stats. I clicked on a link and shazaam the URL of my stats appeared in full on your site :p Oops

Milo wrote on 2005/03/08:
Yeah, that's tricky... ;)
I am getting hundreds of attempts at comment- and referrer-spam every day. I filter a lot of it via PHP but this new .htaccess-based method saves some CPU power.

huphtur wrote on 2005/03/08:
What about using trackback and/or pingback?

Milo wrote on 2005/03/08:
I have never seen a useful trackback or pingback.

Roel wrote on 2005/03/08:
The new Nucleus referrer plugin checks the referring webpage to see if there is really a link to your site. That is a very solid way of verifying whether you are(n't) dealing with spam (though links accessed through webmail or an online RSS aggregator cannot be verified).

Mathieu 'P01' HENRI wrote on 2005/03/08:
It could be a kind of magic bullet if, in case of a fake referrer, it sent an updated version of the .htaccess to the admin for approval, to filter referrer spam from/for similar domains.

However, I fear such a plugin would put the server into a crawl during a spam fiesta with dozens/hundreds of spam attempts per minute.

Jan! wrote on 2005/03/09:
Actually, Roel, that still doesn't provide fool-proof protection. All it takes is one smart enough spammer to keep a bucket of [ip] => [hostname1..hostnameN] translations and dynamically insert a link to all hostnames for the IP doing the request.