More on Strange Referrers Referrer Spam

Every once and a while I check out my webstats or watch my apache logs. Just for fun…. there’s kind of a cool feeling to see when other peole are viewing your stuff (all 12 of you). I noticed (not for the first time) a couple of sites that seemed to be doing far more hits than the others, but I’m pretty sure they aren’t real people.


66.250.74.130 – – [24/Jul/2003:12:53:55 -0700] “GET / HTTP/1.0” 200 6557 “http://www.xrenosearch.com/” “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)”

66.250.74.130 – – [24/Jul/2003:12:56:15 -0700] “GET / HTTP/1.0” 200 6557 “http://www.maturewomengallery.net/” “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)”

66.250.74.130 – – [24/Jul/2003:13:00:37 -0700] “GET / HTTP/1.0” 200 6557 “http://www.mature-women-gallery.net/” “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)”

66.250.74.130 – – [24/Jul/2003:13:02:57 -0700] “GET / HTTP/1.0” 200 6557 “http://www.xrenosearch.com/” “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)”

66.250.74.130 – – [24/Jul/2003:13:05:06 -0700] “GET / HTTP/1.0” 200 6557 “http://www.maturewomengallery.net/” “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)”

66.250.74.130 – – [24/Jul/2003:13:07:19 -0700] “GET / HTTP/1.0” 200 6557 “http://www.theinceststories.com/” “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)”

66.250.74.130 – – [24/Jul/2003:13:11:51 -0700] “GET / HTTP/1.0” 200 6557 “http://www.xrenosearch.com/” “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)”

66.250.74.130 – – [24/Jul/2003:13:13:54 -0700] “GET / HTTP/1.0” 200 6557 “http://www.maturewomengallery.net/” “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)”

66.250.74.130 – – [24/Jul/2003:13:16:03 -0700] “GET / HTTP/1.0” 200 6557 “http://www.theinceststories.com/” “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)”



It seems that others have this as well. So what to do? The IP making the requests is the same IP (or at least, one or two off…. the sites are .131, .136, .138, .140 ) that is on the webservers acting as it’s referencing site. I have 4864 hits in the weblogs since May 10 of this year.


So is this some webbug gone bad? Referrer spam? Something else?


I emailed webmaster@ each of these sites asking, but as the WHOIS entry shows that registered owner is out of the .ru domain, I’m not holding my breath.


The search site is only site in the list that I’ve been brave enough to visit (in a text browser, links). Basically whatever you put in to the search field you get back 15 results each with a normal enough header and description, but each result goes to a different site of theirs (the ones in the logs above). Amusing. I’d be scared to visit any of these in IE though, who knows what they’d do to my system if I did.


I have no problem putting in a DROP firewall rule here, but I’d like to know why my site is targetted. Anyone else seen this? Grepping your webserver logs for “66.250.74” should yeild you an answer.


Update Looks like referrer spam, plain and simple. Firewall rule added, topic changed. Oh, and all my webmaster@ emails bounced. Big surprise..