Killing referrer spam

Don’t want spammers in your referrer logs? Killing referrer spam at Caveat Lector explains how to stop them from attacking your site.

I’m taking a close look at this and other techniques, since lately there has been a marked increase in the number of spam attacks.

A note to any spammers that come across this post: it’s pointless for you to attack this site. My referrer logs are password protected, so they will not be picked up by search engines. All you’re doing is ruining my logs and pissing me off. In case that’s actually what you want, fine. You’re doing a good job. But if you’re looking for cheap PageRank, please go elsewhere. Thanks.

Posted on January 15, 2005 in Quicklinks


  1. I’m being hit hard by referral spam. They try to flood me with comment spam, but when that gets caught in the spam filter they resort to referral spam instead.

    There’s an entire mailing list set up at Textdrive with the sole purpose of combatting spam. We’ve been pretty successful so far, thanks to mod_security.

  2. That link recommends mod_rewrite. That’s usually a very poor solution; mod_rewrite is very CPU intensive.

    mod_security is written from scratch and takes the most common security tasks of mod_rewrite and implements them better and easier.

    I might make an article of this, now that I think about it.

  3. January 16, 2005 by Roger Johansson (Author comment)

    Hmm. I didn’t know about mod_rewrite being CPU intensive. I use it quite a bit for this site, and haven’t noticed any slowdowns. I’ll take a look at mod_security anyway.

    Oh, I just noticed that Markdown interpreted your underscores as the start and end of emphasised text. To insert literal underscores, escape them with a backslash: \_.

  4. I’ve avoided the mod_rewrite solution for the reasons of CPU usage as well. The big problem is that the spammers use disposable domains and change these on an almost daily basis.

    I analyzed my referrer spammers and I think that the spam is sent from compromised hosts located around the world. The spambot has probably got onto the host via a virus or worm (thank you Bill Gates!). The host names use bogus NY registration addresses but the sites are hosted by a Chinese server. Practically all the referrers I have go to a page written in poor English telling me the account is closed and that I should entire my URL (don’t do this!). Does anyone have further insights into this?

    I don’t think the spammers care whether your logs are visible or not, it is a scattergun approach, they rely on some logs being unprotected and some of the spam getting through. I have seen a huge increase in referrer spam this year. Will it end up killing websites like email? I don’t know but I pay for my hosting so it costs me money and effectively consumes resources that could be better used by my readers.

    Thanks for the heads up on mod_security, I will check this out.

  5. Hi, I don’t have a blog, but am getting slammed with referral spam.

    I dont’ understand all of this stuff. They use numerous IP addresses for the same url/domain name? I dont’ understand how this is done.

    If anyone can help me with this I would be so greatly thankful for it. I don’t know anything about htaccess or mod rewrites etc… Thanks in advance. Cssaddict

  6. December 6, 2005 by anish

    Please help

    When ever i visit any website .. it leave the below information in the log

    HTTPUSERAGENT: sent you a visitor today (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; sent you a visitor today) HTTP_REFERER:

    I found that in a log for a new domain which i hosted… and i confirmed that its my browser which is leaving that information

    I dont know what it is and from where it is getting that data and no domain is registred by that name… can you please help to rectify the same.

    from where i can remove that entry, so that my browser donot leave that in the logs of the site i visit.

    Its so frustrating when i dont know how to remove it and how do i ensure that it doesnot write on my browser again.

    Any help would be appreciated

    Thanx Anish

Comments are disabled for this post (read why), but if you have spotted an error or have additional info that you think should be in this post, feel free to contact me.