Spam comes in may forms.
I had been noticing some odd traffic appearing in my referrer logs from “buttons-for-website.com”, and a few other places. Odd, I thought, but I wasn’t too concerned.
A client recently asked me about it, since similar traffic was starting to appear in their analytics for a brand new site. I did a little bit of research, and it turns out that this is actually a spam attack.
Basically, the spammer hits your site and sets a referrer header containing a url and their spam message (keywords + another url, usually). Since a small percentage of sites make their referrer logs public (either deliberately or through misconfiguration), when these are indexed, they can be used to game the search engine of the site they’re trying to boost.
Stopping the spam with mod_security
I don’t like spammers, and it was starting to make my logs (and those of my client’s) a little noisy. So, I decided to do something about it. So, using mod_security, I added a couple of simple rules, which would drop the traffic where the referrer contained certain keywords.
Simple, but effective:
SecRule REQUEST_HEADERS:Referer "^https?://(www\.)?buttons\-for\-website\.com/?" \ "phase:1,log,deny,status:503,msg:'Referer spam'" SecRule REQUEST_HEADERS:Referer "^https?://(www\.)?simple\-share\-buttons\.com/?" \ "phase:1,log,deny,status:503,msg:'Referer spam'" ... etc...
This seemed to put an end to the worst of it.
I also noticed that a few spammers were posting with obvious spam keywords in the referrer header, so I added a similar rule to block those for good measure:
SecRule REQUEST_HEADERS:Referer "(viagra|phentermine|cialis)" \ "phase:1,log,deny,status:503,msg:'Referer spam'" SecRule REQUEST_HEADERS:Referer "(poker|casino|holdem)" \ "phase:1,log,deny,status:503,msg:'Referer spam'"
To test your rules, you can use
curl to hit your site and send a triggering referrer, e.g.
curl --referer https://button-for-website.com/
curl --referer https://example.com/poker
Hope that helps!