Published on 04/27/2006

If you're a webmaster and you've recently looked through your access logs and noticed some referrals from what appear to be weblog sites then don't be fooled. Believe it or not it could be that you are being spammed and these aren't blogs at all... They could actually be legitimate-looking fronts for porn sites!

Webmasters: Blog Spam Referrers in your Logs

Referrer values are passed by web browsers and show how a page was come by. Let's say you search on Google for websites about a particular subject. If you click on a search result from a to visit a website then the destination website will have an entry in its access logs showing a referral from the originating website, Google. Referrer values can be very useful in applications such as security and are essential to webmasters as they show how their site is being linked to.

Here are some sample entries from a web access log of a website that has been spammed. From them you can see the timestamps of the visits to the site as well as the IP address of the visitor and the referrer value that was passed along with the visitor showing where the visit originated.

The most interesting website in this list is potentially www.websearchus.com as seems to be a fully functional web search engine. One could hypothesise that the spammers are using this search engine as a possible means to get innocent bystanders to generate suitable spam-targets and then visit them only the referral values passed to the destination websites will be tampered with to include the likes of the above.

I visited www.a-b-l-o-g.com and viewed the source of the website to find this at the bottom of it:

< a href="http://www.a-b-l-o-g.com/adult-webcam/">
< img src="/adult-webcam.gif" border="0" height="24" width="78"/>< /a>

With this in mind, selecting all of the content on the webpage and then scrolling down to the bottom reveals the link in all it's glory:

Can you see the small, highlighted dot in the bottom-left hand corner of the webpage? That's the link manifestation of the HTML source code above.

Webmasters: Blog Spam Referrers in your Logs [continued]

If you do decide to visit any of these pages and/or click on any of these links then be prepared for a barrage of pop-up windows!

What appears to be happening is links to target, legitimate websites are being generated and displayed on these fake blog sites. The spammer then visits the target sites, causing an entry to appear in the legitimate websites access log with a referrer value pointing to the fake blog site. When the webmaster visits the fake site to see why they've been linked then they unwittingly provide another incoming link for the spammer.

As an experiment I uploaded a webpage to some free webhosting space. On the webpage was a single link to one of the fake blog sites. I visited the webpage and clicked on the link. Lo and behold, my webpage address had been added to the list of incoming links.

I then also visited the same fake blog site by entering its URL manually into my browser. By visiting a website in this manner you don't provide a referrer value. I noticed that this caused the list of incoming links to decrease by one. I refreshed the webpage and noticed another link had gone from the list. I continued to refresh the webpage until there was only one link left. Each of my visits was providing an empty referrer value and this was taking the place of one of the existing links! However, after a few minutes had passed I refreshed the webpage and noticed the incoming link list had grown again. This time it was showing URLs that clearly indicated that it was due to someone viewing their access logs online and clicking on the link to visit the webpage in the referrer value.

All of these efforts by the spammer seem to be to attract incoming links and traffic. Current PageRank values for these fake blogs remains low. Whether or not they will be successful remains to be seen.