I've seen a significant increase in referrer spam lately. Starting a few months back, I saw the referrer 'alti.asu.edu' rise to the top of my "Top Referrers in the past N days" logs - along with apparent automated account sign-ups by 'nareman' and comment spam with 'people' in the title.
Banning IP addresses was pointless - a waste of time, because the IP addresses used varied widely over time, and the access patterns seemed to ensure that the spammer wouldn't trigger any kind of flood control - the IP addresses shifted often enough that the IP addresses wouldn't rise to the top of the 'Top Visitors' log. It was like playing Whack-a-mole -- by the time the IP address was on the radar screen, it was too late, the bot was using a different IP address.
Then, about a month ago, the 'alti.asu.edu' referrer seemed to vanish suddenly - to be replaced by http://www.google.com/ (yeah, right, as if I've got an inbound link from Google's root web page - I wish!) Same access patterns, different referrer.
At that point, I was convinced that I was dealing with a Drupal-targeted bot (or bots) - not sure if it's a botnet, but it looks like one, based on the access patterns - unless the bot is spoofing IP addresses to appear to be coming from multiple IPs.
The worst part about the whole situation is that these visits were making up a significant percentage of my daily visits to my most popular sites - consuming bandwidth, CPU time, etc.
I've banned the referrers using a variety of techniques, in order to prevent Drupal from loading. I will be posting a separate thread describing some of the techniques I'm using to prevent this sort of resource abuse - I'm using add-in modules as well as a few custom bits to help eradicate this pest.
Questions for the community
- Have you seen this spam in your referrer logs?
- Have you been hit by 'nareman' user signups?
- Have you been hit by the 'people' comment spamer?
- What, if anything, have you done about the abuse?
- What modules are you using to block this sort of problem?
Resources
http://drupal.org/node/24302 - Block Referrer Spam using .htaccess and other techniques
http://drupal.org/node/27787 - Patch to add drupal-level referrer banning so you won't have to tweak .htaccess
Comments
I've been getting the
I've been getting the "people" spam, but spam module handled it well and it's now subsided. I believe spam module has some tricks to tie up the spammer's time but I've only just started using it and I'm not an expert in this area by any means.
"nareman" sounds familiar, but I can't say for sure where I've encountered it.
nareman
'nareman' seems to be comment spam targeting Drupal-based sites.
See:
http://www.google.com/search?q=nareman
http://www.google.com/search?q=site%3Adrupal.org+nareman
The spam module is very useful - would be even better if it operated on user account registration data.
Michael Curry
Exodus Development | Drupal and other developer info
Michael Curry
Drupal and Windows Tips
"People" Spam
I'm getting the "people" spam also. I'll try the spam module.
I even had at least one person manually signing up for one of my Drupal sites and leaving spam.
"people" spam + referred by Google
I'm getting both of these.
Some months ago, I set up my site so that any anonymous comments needed approving and new accounts need approval (and http://drupal.org/project/user_register_notify comes in handy). Interestingly, I've got a new and occasional spammer which seems to comment somewhat on topic, and calls themselves "celebrex" with a link to a viagra site or something.
I'm still not too happy with the approach I've taken.
I'm considering using Ted Serbinski's method:
http://tedserbinski.com/2007/06/01/reducing-drupal-blog-spam
but as I'm new to this group, I'll also review the other posts here too.
http://www.siliconmeadow.net
Richard Sheppard
http://uk.linkedin.com/in/richardsheppard
Spam is bad... mmmkay?
For the past few months, I too have been seeing a vast increase in referrer spam.
The captcha module was ineffective so I decided to take the "onion" approach to fighting spam... the more layers the better.
ModSecurity is a viable solution in the fight against referrer spam. I use mod_security and have significantly reduced the amount of comment spam on my Drupal sites.
As I write this, I see that in my servers' logs I have not received any attempts to spam my Drupal sites for the past 4 days. This is very positive considering that for a while, everyday, I was getting hit consistently with referrer spam attempts.
On a side note. Drupal 6 (coming soon!) has a great new feature / module included in core called "Actions". Actions are functions that Drupal can execute when certain events happen, such as when a post is added or a user logs in. For example, you could have a comment automatically unpublished if it contains certain keywords (e.g., the V pill, ringtones, etc). This will be a great layer to add to the "onion".