July 13, 2005

Experiments in active rejection

I've been seeing the webserver here getting actively referer-spammed (that is, connections come in with obviously fake referring URLs) by a whole cloud of machines out on the 'net, something that I assume is pretty common. The requests come in from IPs that haven't looked at other pages and don't look at other pages (at least not with a valid referrer), and since they all refer back to a single site I'm working on the assumption that someone's bought a whole wad of compromised machines and is using them to spam log files, so that their URL shows up in the referrer reports people publish from analog and tools like it, to up their pagerank.

This, needless to say, pisses me off. It also eats up some of my bandwidth and, while I'm not paying for it, it makes other things on the server sluggish.

So, in the spirit of sysadmin bastardy, I'm black-holing these hosts. They're either compromised machines or open proxies, and either way... pfui to them.
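The heuristic above (an external referrer, shared by many IPs, from clients that never fetch anything with a valid referrer) is easy to turn into a log filter. What follows is an added example, not code from the original post: it parses Apache combined-format log lines, flags referrer hosts advertised by several one-shot IPs, and prints the reject routes for them. The hostnames, the sample log lines and the net-tools `route add -host ... reject` syntax (Linux) are assumptions; search engines can trip the check on a busy server, so there is an ignore set for known-good referrers.

```python
"""Flag referer-spamming clients in an Apache combined log and emit reject routes.

Added example; constructed sample data, not the blog's own code or logs.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the server's own hostnames. A referer from one of these is
# ordinary internal navigation and marks the client as a real visitor.
OUR_HOSTS = {"www.example.org", "example.org"}

# Apache "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed log lines: two real visitors (10.0.0.x), three spam drones
# (192.0.2.x) all citing spam.invalid, one genuine inbound link (198.51.100.7).
SAMPLE_LOG = """\
10.0.0.1 - - [13/Jul/2005:15:01:02 -0400] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.1 - - [13/Jul/2005:15:01:05 -0400] "GET /style.css HTTP/1.1" 200 812 "http://www.example.org/" "Mozilla/5.0"
10.0.0.2 - - [13/Jul/2005:15:02:10 -0400] "GET /archives/2005/07/ HTTP/1.1" 200 9981 "http://www.google.com/search?q=perl" "Mozilla/5.0"
192.0.2.10 - - [13/Jul/2005:15:03:00 -0400] "GET / HTTP/1.0" 200 5123 "http://spam.invalid/casino/" "Mozilla/4.0"
192.0.2.11 - - [13/Jul/2005:15:03:01 -0400] "GET /archives/ HTTP/1.0" 200 2200 "http://spam.invalid/poker/" "Mozilla/4.0"
192.0.2.12 - - [13/Jul/2005:15:03:04 -0400] "GET / HTTP/1.0" 200 5123 "http://spam.invalid/" "Mozilla/4.0"
192.0.2.12 - - [13/Jul/2005:15:09:04 -0400] "GET / HTTP/1.0" 200 5123 "http://spam.invalid/" "Mozilla/4.0"
198.51.100.7 - - [13/Jul/2005:15:04:00 -0400] "GET /archives/2005/ HTTP/1.1" 200 7001 "http://blog.example.net/links" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def referer_host(referer):
    """Lower-cased hostname of a Referer value; None for '-', empty or unparsable."""
    if not referer or referer == "-":
        return None
    host = urlparse(referer).hostname
    return host.lower() if host else None


def find_referer_spammers(lines, min_ips=3, ignore_hosts=frozenset()):
    """Map each suspect referer host to the sorted IPs that advertised it.

    An IP is a suspect when every request it made carried a referer from
    exactly one external host, i.e. it never arrived with no referer and
    never navigated internally. A host is reported only when at least
    min_ips distinct suspects cite it, which is the "cloud of machines"
    pattern rather than a single odd visitor.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    suspects = defaultdict(set)
    for ip, recs in by_ip.items():
        hosts = {referer_host(r["referer"]) for r in recs}
        if None in hosts or hosts & OUR_HOSTS:
            continue  # at least one valid referrer: a real visitor
        if len(hosts) != 1:
            continue  # several external referers; not a single-site campaign
        host = hosts.pop()
        if host not in ignore_hosts:
            suspects[host].add(ip)
    return {h: sorted(ips) for h, ips in suspects.items() if len(ips) >= min_ips}


def reject_route_commands(spammers):
    """Shell commands to black-hole each suspect IP (assumed net-tools syntax)."""
    return [f"/sbin/route add -host {ip} reject"
            for ips in spammers.values() for ip in ips]


if __name__ == "__main__":
    for cmd in reject_route_commands(find_referer_spammers(SAMPLE_LOG)):
        print(cmd)
```

Run it against a real access_log by replacing `SAMPLE_LOG` with the file's lines; a visitor arriving from a search engine and leaving after one page looks exactly like a drone, so keep `min_ips` well above one and put the search engines you see legitimately into `ignore_hosts` before feeding the output to `route`.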

If for some reason you suddenly find there's no route to the webserver here, then that's likely why. (Or we've been hit with a power failure that's lasted longer than an hour, but those are pretty rare for me.)

Welcome to the shub-internet -- you'll not find a more wretched hive of scum and villainy. Enjoy your stay!

Posted by Dan at July 13, 2005 04:08 PM
Comments

I don't know how you're implementing your blackhole, but it might be fun to implement something akin to OpenBSD's spamd

http://www.openbsd.org/cgi-bin/man.cgi?query=spamd


I imagine it would just be some mod_rewrite with an internal redirect to a script that just slept for 60 seconds or so. I don't know how that would speak to resource usage on your server, though, but it'd be nice to make them wait :)

Posted by: fansipans at July 14, 2005 10:51 AM

I take an easier way out -- /sbin/route reject :) Granted, not exactly automatic, but works OK, at least as long as the routing table isn't that big. (Snort adds entries too)

Posted by: Dan at July 14, 2005 06:06 PM