Get, I do, a lot of referrer spam on my site. I’m pretty sure that every site gets referrer spam, they are ubiquitous. Usually I have already banned them and they are usually from Russia, such as xrus, dealing with lovely, nubile, young Russian women. These I treat like background noise: I glance at the error 403 and move on. Then occasionally, about once a month, I get a bona fide referrer spam marketing campaign, where someone really wants to make a negative impression on both my Google Analytics and myself. I then find and ban them.
My worst referrer spammer is actually Google, which runs blogspot. They are extremely persistent and somehow can evade my htaccess. With great power comes responsibility, Google. I have tried in the past to contact Google User Content, who runs Blogspot, to try to stop the referrer spam and illegal hotlinking, but to no avail. Referrer spam is very difficult to ban programatically as they do a GET, or simply read content from your site, masquerading as a regular site visitor. The referrer domain changes daily. Who runs these campaigns is difficult to say, but for sure these referrer domains have paid someone to try to goose their popularity.
Here I will document my most recent referrer spam campaign, which arrived today. Please note that with any referrer spam, do not click on the link, as many links will try to download malware to your computer. Referrer spam is somewhat like a venereal disease: You need to know enough to detect and prevent it, but no more.
Documenting a referrer spam marketing campaign, 2016/11 Toronto, Canada. This is an excerpt from my raw access log. i have blocked their referrer domains to protect the world from their filth.
Referrer spam is certainly not subtle. It will smack you across the face while you read your access log. You might see screens full of someone accessing your site, amidst a variety of 404,500, 200 return codes. Look in the 6th or the “F” column. If you see a lot, and I mean a lot of entries, such as over 100 server entries, then you have a referrer spam marketing campaign. Today’s referrer spam marketing campaign was about 100 entries. If you do not ban them they will return daily, chew up your server resources and really mess up your Google Analytics numbers.
Today I was hit by the following IPs, and yes, they usually visit in packs:
107.190.163.123 OppoBox 107.190.160.0 – 107.190.175.255
109.73.79.200 Redstation GB 109.73.64.0 – 109.73.79.255
130.185.153.40 Interconnects 130.185.152.0 – 130.185.159.255
165.231.168.150 Fiber Grid Sc 165.231.0.0 – 165.231.255.255
185.158.104.147 Digital Energy 185.158.104.0 – 185.158.107.255
191.96.251.114 Digital Energy 191.96.0.0 – 191.96.255.255
192.186.150.13 B2NET
192.186.150.19 B2NET
Of these spammers no doubt the worst is B2Net. They are so prolific and persistent that I have banned all their IP ranges. For today’s referrer spam campaign, all but one has spammed me before, so no surprise there. I simply add them to their banned ranges.
So what should a girl do with this info? Ban them, specifically replace the last IP octet with 0/24 in order to include their neighbours. For “109.73.79.200 Redstation” example I ban 109.73.79.0/24 and this includes all IP from 109.73.79.0 to 109.73.79.255. These spammers often use their neighbourhood IPs to help them. Take a look at B2Net.
And speaking of B2Net, I ban their whole IP range, 192.186.128.0/18, 192.186.128.0 – 192.186.191.255, which takes care of the 192.186.150.0/24 nicely. In fact because of my previous IP range ban they are the only spammers that received all 500s and 403s.
We’ll never get rid of referrer spam, but we can discourage their use. When they appear, ban them. If the behaviour persists, ban their IP ranges. We can all live better without referrer spam.
