Tuesday, July 12, 2011
Russian referral spammers
For the last month or so I've been getting a huge amount of referral spam from what appears to be a Russian-run botnet. These morons have latched on to one of my web pages and send GET requests with faked originating links which point back to Russian sex sites and drug sale sites. This is clearly from a botnet as the IP address of the originator keeps constantly changing. The behavior of the botnet program is interesting. The initial link was: /Computers/StateMachineHierarchy.html and I changed that filename to something else. Now, rather than getting just a GET request to the initial link, I get requests for: /StateMachineHierarchy.html which, of course, returns a 404.
That particular page was a minor aside to my 2000-era computers pages and I'll restore it when the botnet looks for other targets. Maybe if I get particularly energetic, and find the time, I'll find the locations of all the botnet machines and write a script to send emails to their ISPs regarding the infected machines on their networks. Why these Russian idiots are engaged in this referral spam is unknown. Looking through my web logs indicates I've been the target of referral spam in the past and it's most annoying when the target is a large file which wastes my bandwidth. Right now all these idiots get back for their GET request is a 404. I do periodically look at where accesses to my webserver come from and what the most commonly requested pages are. I don't post a page with the most frequent referral sites, which is what the referral spammers are hoping I'll do. In any event, I would filter the list to remove requests for non-existent web pages, which also gets rid of other types of spam.
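The filtering described above (drop the 404s before counting referrers) and the botnet signature (one path, many source IPs, a handful of rotating Referer values) are easy to check directly from the access log. The following is an added example, not code from the original post: it parses Apache "combined"-format lines, builds a referrer tally that only counts successful requests and ignores self-referrals, and flags paths that look like referral-spam targets. The log lines, hostnames and IP addresses are constructed for the example and are not the author's real log data; the site's own hostname (example.com) is an assumption.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Apache "combined" log format (made up for this example;
# addresses are from documentation ranges, referrer hosts are invented).
SAMPLE_LOG = """\
198.51.100.17 - - [12/Jul/2011:08:01:12 -0700] "GET /StateMachineHierarchy.html HTTP/1.1" 404 512 "http://pills.example.ru/" "Mozilla/4.0"
203.0.113.5 - - [12/Jul/2011:08:01:13 -0700] "GET /StateMachineHierarchy.html HTTP/1.1" 404 512 "http://adult.example.ru/" "Mozilla/4.0"
192.0.2.44 - - [12/Jul/2011:08:01:15 -0700] "GET /StateMachineHierarchy.html HTTP/1.1" 404 512 "http://pills.example.ru/" "Mozilla/4.0"
198.51.100.99 - - [12/Jul/2011:08:02:01 -0700] "GET /StateMachineHierarchy.html HTTP/1.1" 404 512 "http://cheap.example.ru/" "Mozilla/4.0"
203.0.113.200 - - [12/Jul/2011:08:02:40 -0700] "GET /StateMachineHierarchy.html HTTP/1.1" 404 512 "http://adult.example.ru/" "Mozilla/4.0"
192.0.2.10 - - [12/Jul/2011:08:05:00 -0700] "GET /Computers/index.html HTTP/1.1" 200 8192 "http://www.example.org/links.html" "Mozilla/5.0"
192.0.2.10 - - [12/Jul/2011:08:05:03 -0700] "GET /Computers/FSM.html HTTP/1.1" 200 4096 "http://example.com/Computers/index.html" "Mozilla/5.0"
198.51.100.3 - - [12/Jul/2011:08:09:30 -0700] "GET /Computers/index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def referrer_host(referer):
    """Hostname of a Referer value, or None for the empty/'-' placeholder."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).netloc.lower() or None


def referrer_report(entries, own_host, successful_only=True):
    """Tally referrer hosts. With successful_only, requests that did not return
    2xx (e.g. the 404s the spammers get) are ignored, and links from the site
    itself are never counted."""
    counts = Counter()
    for e in entries:
        if successful_only and not 200 <= e["status"] < 300:
            continue
        host = referrer_host(e["referer"])
        if host is None or host == own_host.lower():
            continue
        counts[host] += 1
    return counts


def referrer_spam_candidates(entries, min_ips=3):
    """Paths that returned 404 to at least min_ips distinct source addresses,
    all carrying a Referer: the many-IPs, one-target, rotating-referrer shape
    of a botnet driving referral spam. Returns path -> {'ips', 'referrers'}."""
    by_path = defaultdict(lambda: {"ips": set(), "referrers": set()})
    for e in entries:
        if e["status"] != 404:
            continue
        host = referrer_host(e["referer"])
        if host is None:
            continue
        by_path[e["path"]]["ips"].add(e["ip"])
        by_path[e["path"]]["referrers"].add(host)
    return {p: v for p, v in by_path.items() if len(v["ips"]) >= min_ips}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("naive referrer count:   ", referrer_report(entries, "example.com", successful_only=False))
    print("filtered referrer count:", referrer_report(entries, "example.com"))
    for path, info in referrer_spam_candidates(entries).items():
        print(f"spam target {path}: {len(info['ips'])} IPs, referrers {sorted(info['referrers'])}")
```

Run against the constructed sample, the naive tally is dominated by the spam hosts, while the filtered one contains only the genuine inbound link; the 404 path shows up with five source addresses and three rotating referrer hosts. On a real server, feed the access log to parse_log and raise min_ips to suit the traffic volume.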
What disturbs me about this, and other attacks on my webserver and mailserver, is that there are an increasing number of morons with access to computers. I miss the days when the internet was an anarchic but civilized place, and it's totally different now that the criminals have moved in. Botnets are only possible if clueless users have no idea that their machines have been infected. The solution is not antiviral software but rather a knowledge of what is normal on one's computer. My personal anti-virus software is primarily wetware based, supplemented with Process Explorer, Wireshark, various file hex editor programs, TCPView, Process Monitor and RootkitRevealer. I'll be fighting back against these morons, although it's going to have to be via attacks on their proxies as they're likely safely isolated, controlling their botnet from afar. The other option is to simply refuse all accesses from Russian and Chinese IP addresses, although the botnet appears to be worldwide.